superlocalmemory 2.8.2 → 2.8.5

package/ATTRIBUTION.md

@@ -38,7 +38,7 @@ is_valid = QualixarSigner.verify(signed_output)
 
 ### Research Initiative
 
-Qualixar is a research platform for AI agent development tools. SuperLocalMemory is one of several research initiatives under the Qualixar umbrella. For more information, visit qualixar.com.
+Qualixar is a research initiative for AI agent development tools by Varun Pratap Bhardwaj. SuperLocalMemory is one of several research initiatives under the Qualixar umbrella.
 
 ### Third-Party Acknowledgments
 

package/CHANGELOG.md

@@ -16,6 +16,23 @@ SuperLocalMemory V2 - Intelligent local memory system for AI coding assistants.
 
 ---
 
+## [2.8.3] - 2026-03-05
+
+### Fixed
+- Windows installation and cross-platform compatibility
+- Database stability under concurrent usage
+- Forward compatibility with latest Python versions
+
+### Added
+- Full Windows support with PowerShell scripts for all operations
+- `slm attribution` command for license and creator information
+
+### Improved
+- Overall reliability and code quality
+- Dependency management for reproducible installs
+
+---
+
 ## [2.8.2] - 2026-03-04
 
 ### Fixed

package/README.md

@@ -14,6 +14,7 @@
 </p>
 
 <p align="center">
+  <a href="https://arxiv.org/abs/2603.02240"><img src="https://img.shields.io/badge/arXiv-2603.02240-b31b1b?style=for-the-badge&logo=arxiv&logoColor=white" alt="arXiv"/></a>
   <a href="https://zenodo.org/records/18709670"><img src="https://img.shields.io/badge/DOI-10.5281%2Fzenodo.18709670-blue?style=for-the-badge&logo=doi&logoColor=white" alt="DOI"/></a>
   <a href="https://zenodo.org/records/18709670"><img src="https://img.shields.io/badge/Zenodo-Research_Paper-1682D4?style=for-the-badge&logo=zenodo&logoColor=white" alt="Zenodo"/></a>
   <a href="https://www.researchgate.net/publication/400976053"><img src="https://img.shields.io/badge/ResearchGate-Paper-00CCBB?style=for-the-badge&logo=researchgate&logoColor=white" alt="ResearchGate"/></a>
@@ -55,21 +56,22 @@ The paper presents SuperLocalMemory's architecture for defending against OWASP A
 
 | Platform | Link |
 |----------|------|
+| **arXiv** | [arXiv:2603.02240](https://arxiv.org/abs/2603.02240) |
 | **Zenodo** (CERN) | [DOI: 10.5281/zenodo.18709670](https://zenodo.org/records/18709670) |
 | **ResearchGate** | [Publication Page](https://www.researchgate.net/publication/400976053) |
-| **arXiv** | Submission under review |
 | **Research Portfolio** | [superlocalmemory.com/research](https://superlocalmemory.com/research) |
 
 If you use SuperLocalMemory in your research, please cite:
 
 ```bibtex
-@misc{bhardwaj2026superlocalmemory,
+@article{bhardwaj2026superlocalmemory,
   title={SuperLocalMemory: Privacy-Preserving Multi-Agent Memory with Bayesian Trust Defense Against Memory Poisoning},
   author={Bhardwaj, Varun Pratap},
   year={2026},
-  doi={10.5281/zenodo.18709670},
-  url={https://zenodo.org/records/18709670},
-  note={Preprint}
+  eprint={2603.02240},
+  archivePrefix={arXiv},
+  primaryClass={cs.AI},
+  url={https://arxiv.org/abs/2603.02240}
 }
 ```
 

package/api_server.py

@@ -18,6 +18,8 @@ from fastapi.responses import HTMLResponse, JSONResponse
 from pydantic import BaseModel
 import uvicorn
 
+from security_middleware import SecurityHeadersMiddleware
+
 # Import local modules
 import sys
 sys.path.insert(0, str(Path(__file__).parent / "src"))
@@ -37,6 +39,9 @@ app = FastAPI(
     version="2.0.0"
 )
 
+# Security middleware (add first for proper header application)
+app.add_middleware(SecurityHeadersMiddleware)
+
 # Mount static files
 UI_DIR.mkdir(exist_ok=True)
 app.mount("/static", StaticFiles(directory=str(UI_DIR)), name="static")

package/bin/slm

@@ -310,6 +310,38 @@ except Exception as e:
 "
         ;;
 
+    attribution)
+        python3 -c "
+import sys
+sys.path.insert(0, '${SLM_DIR}')
+try:
+    from memory_store_v2 import MemoryStoreV2
+    store = MemoryStoreV2()
+    attr = store.get_attribution()
+    print('SuperLocalMemory — Attribution')
+    print('=' * 45)
+    print(f\"Creator:  {attr.get('creator_name', 'Varun Pratap Bhardwaj')}\")
+    print(f\"Role:     {attr.get('creator_role', 'Solution Architect')}\")
+    print(f\"Platform: {attr.get('platform', 'Qualixar')}\")
+    print(f\"License:  {attr.get('license', 'MIT')}\")
+    print(f\"Website:  {attr.get('website', 'https://superlocalmemory.com')}\")
+    print(f\"Author:   {attr.get('author_website', 'https://varunpratap.com')}\")
+    print('=' * 45)
+    try:
+        from qualixar_attribution import QualixarSigner
+        from qualixar_watermark import encode_watermark
+        print('Layer 1 (Visible):        Active')
+        print('Layer 2 (Cryptographic):  Active')
+        print('Layer 3 (Steganographic): Active')
+    except ImportError:
+        print('Layer 1 (Visible):        Active')
+        print('Layer 2 (Cryptographic):  Not available')
+        print('Layer 3 (Steganographic): Not available')
+except Exception as e:
+    print(f'Error: {e}')
+"
+        ;;
+
     help|--help|-h)
         cat <<EOF
 SuperLocalMemory V2 - Universal CLI
@@ -356,6 +388,9 @@ HTTP SERVER (MCP):
   slm serve [PORT]         Start MCP HTTP server (default port 8417)
                            For ChatGPT/remote: ngrok http PORT
 
+ATTRIBUTION:
+  slm attribution          Show creator attribution and provenance status
+
 ADVANCED:
   slm reset soft           Soft reset (clear memories)
   slm reset hard --confirm Hard reset (nuclear option)

package/bin/slm.bat

@@ -49,7 +49,7 @@ exit /b 1
 
 REM Parse command
 if "%1"=="" (
-    echo SuperLocalMemory V2.1.0 - Universal AI Memory System
+    echo SuperLocalMemory - Universal AI Memory System
     echo.
     echo Usage: slm [command] [options]
     echo.
@@ -145,7 +145,7 @@ if exist "%INSTALL_DIR%\memory-profiles.py" (
 exit /b %ERRORLEVEL%
 
 :show_help
-echo SuperLocalMemory V2.1.0 - Universal AI Memory System
+echo SuperLocalMemory - Universal AI Memory System
 echo.
 echo Usage: slm [command] [options]
 echo.
@@ -188,7 +188,7 @@ echo Report issues: https://github.com/varun369/SuperLocalMemoryV2/issues
 exit /b 0
 
 :show_version
-echo SuperLocalMemory V2.1.0-universal
+echo SuperLocalMemory V2.8.3
 echo Copyright (c) 2026 Varun Pratap Bhardwaj
 echo Licensed under MIT License
 echo Repository: https://github.com/varun369/SuperLocalMemoryV2

package/docs/SECURITY-QUICK-REFERENCE.md

@@ -0,0 +1,214 @@
+# Security Quick Reference — For Developers
+
+**Last Updated:** March 4, 2026
+
+## TL;DR — Safe Coding Patterns
+
+### ✅ DO THIS (Safe)
+
+```javascript
+// Safe: Use textContent for plain text
+element.textContent = userContent;
+
+// Safe: Use escapeHtml() before DOM insertion
+element.innerHTML = escapeHtml(userContent);
+
+// Safe: Create elements programmatically
+const div = document.createElement('div');
+div.textContent = userContent;
+parent.appendChild(div);
+```
+
+### ❌ DON'T DO THIS (Dangerous)
+
+```javascript
+// DANGEROUS: Direct assignment with user content
+element.innerHTML = userContent;  // XSS VULNERABLE
+
+// DANGEROUS: Using code evaluation with user input
+// Never use eval, Function constructor, or similar
+
+// DANGEROUS: Inline event handlers with user content
+element.setAttribute('onclick', userCode);  // XSS VULNERABLE
+```
+
+## Security Checklist — Before Committing
+
+- [ ] No direct innerHTML assignments without escapeHtml()
+- [ ] All user content either uses textContent or is escaped
+- [ ] No code evaluation with user input
+- [ ] No inline event handlers with dynamic content
+- [ ] All API endpoints return explicit Content-Type
+- [ ] SQL queries use parameterized statements (never string concatenation)
+- [ ] No secrets in code or config files
+- [ ] Run security tests: pytest tests/test_security_headers.py -v
+
+## Common Patterns
+
+### Rendering User-Generated Content
+
+**Pattern 1: Plain Text Only**
+```javascript
+const contentDiv = document.getElementById('memory-content');
+contentDiv.textContent = memory.content;  // Automatically safe
+```
+
+**Pattern 2: Mixed Content (HTML Structure + User Text)**
+```javascript
+const html = `
+  <div class="memory-card">
+    <h3>${escapeHtml(memory.title)}</h3>
+    <p>${escapeHtml(memory.content)}</p>
+    <span class="badge">${escapeHtml(memory.category)}</span>
+  </div>
+`;
+container.innerHTML = html;
+```
+
+**Pattern 3: Building DOM Programmatically (Most Secure)**
+```javascript
+const card = document.createElement('div');
+card.className = 'memory-card';
+
+const title = document.createElement('h3');
+title.textContent = memory.title;
+
+const content = document.createElement('p');
+content.textContent = memory.content;
+
+card.appendChild(title);
+card.appendChild(content);
+container.appendChild(card);
+```
+
+### FastAPI Routes
+
+**Safe Pattern:**
+```python
+@router.get("/api/memories")
+async def get_memories():
+    # FastAPI automatically sets Content-Type: application/json
+    return {
+        "memories": memories,  # User content here is safe in JSON
+        "total": len(memories)
+    }
+```
+
+**SQL Queries:**
+```python
+# SAFE: Parameterized query
+cursor.execute("SELECT * FROM memories WHERE id = ?", (memory_id,))
+
+# DANGEROUS: String concatenation (SQL injection)
+# Never use f-strings or concatenation for SQL queries
+```
+
+## Testing XSS Protection
+
+```python
+# Test that XSS payloads are handled safely
+def test_xss_payload():
+    payload = "<script>alert('xss')</script>"
+
+    # This should be safe when:
+    # 1. Returned as JSON with Content-Type: application/json
+    # 2. Rendered with escapeHtml() on client
+    # 3. Protected by CSP headers
+
+    response = client.get(f"/api/memory?content={payload}")
+    assert response.headers["Content-Type"] == "application/json"
+    assert response.headers["X-Content-Type-Options"] == "nosniff"
+```
+
+## Security Headers Reference
+
+All responses include these headers automatically via SecurityHeadersMiddleware:
+
+- X-Content-Type-Options: nosniff
+- X-Frame-Options: DENY
+- X-XSS-Protection: 1; mode=block
+- Content-Security-Policy: (comprehensive policy)
+- Referrer-Policy: strict-origin-when-cross-origin
+- Cache-Control: no-store (API endpoints only)
+
+**Don't override these headers** unless you have a specific security reason and understand the implications.
+
+## CORS Configuration
+
+Current allowed origins:
+- http://localhost:8765
+- http://127.0.0.1:8765
+- http://localhost:8417
+- http://127.0.0.1:8417
+
+**To add a new origin:**
+1. Add to the allow_origins list in ui_server.py
+2. Document why it's needed
+3. Never use wildcard * in production
+
+## When to Update Security
+
+### Add New Route
+- [ ] Verify return type has explicit Content-Type
+- [ ] Test with XSS payloads
+- [ ] Add test case to test_security_headers.py
+
+### Add New JavaScript
+- [ ] Use textContent for plain text
+- [ ] Use escapeHtml() for mixed content
+- [ ] Test rendering with XSS payloads
+
+### Modify Security Headers
+- [ ] Document reason in commit message
+- [ ] Update SECURITY.md
+- [ ] Run full security test suite
+- [ ] Consider security implications
+
+## Resources
+
+- **Full Security Policy:** See SECURITY.md
+- **Security Enhancement Details:** .backup/security-enhancement-2026-03-04.md
+- **Security Tests:** tests/test_security_headers.py
+- **Middleware Source:** security_middleware.py
+- **Client-Side Escaping:** ui/app.js (escapeHtml function)
+
+## Quick Test Commands
+
+```bash
+# Run security tests only
+pytest tests/test_security_headers.py -v
+
+# Run all tests
+pytest tests/ -x -q
+
+# Manual verification (browser)
+python3 ui_server.py
+# Open http://localhost:8765
+# DevTools → Network → Check response headers
+```
+
+## Red Flags — Stop and Review
+
+If you see any of these patterns, STOP and review:
+
+- innerHTML with user content (without escaping)
+- Code evaluation functions anywhere
+- String concatenation in SQL queries
+- CORS with wildcard *
+- User input in event handler attributes
+- Disabling CSP or security headers
+- Secrets or API keys in code
+
+## When in Doubt
+
+**Ask these questions:**
+1. Could a user inject a script tag here?
+2. Is this content escaped before rendering?
+3. Does this SQL query use parameters?
+4. Could this header configuration weaken security?
+
+**If unsure:** Use the safest pattern (textContent or programmatic DOM creation).
+
+---
+
+**Remember:** Defense in depth. We have multiple layers (headers, CSP, escaping). Use all of them.

package/install.ps1

@@ -1,10 +1,18 @@
 # ============================================================================
-# SuperLocalMemory V2.2.0 - Windows Installation Script (PowerShell)
+# SuperLocalMemory V2.8.3 - Windows Installation Script (PowerShell)
 # Copyright (c) 2026 Varun Pratap Bhardwaj
 # Licensed under MIT License
 # Repository: https://github.com/varun369/SuperLocalMemoryV2
 # ============================================================================
 
+# IMPORTANT: param() must be the FIRST executable statement in PowerShell
+param(
+    [switch]$NonInteractive,
+    [switch]$Auto,
+    [switch]$Yes,
+    [switch]$y
+)
+
 $ErrorActionPreference = "Stop"
 
 $INSTALL_DIR = Join-Path $env:USERPROFILE ".claude-memory"
@@ -16,14 +24,6 @@ if (-not [Environment]::UserInteractive) {
     $NON_INTERACTIVE = $true
 }
 
-# Parse command line arguments
-param(
-    [switch]$NonInteractive,
-    [switch]$Auto,
-    [switch]$Yes,
-    [switch]$y
-)
-
 if ($NonInteractive -or $Auto -or $Yes -or $y) {
     $NON_INTERACTIVE = $true
 }
@@ -31,7 +31,7 @@ if ($NonInteractive -or $Auto -or $Yes -or $y) {
 # Print banner
 Write-Host ""
 Write-Host "=================================================================="
-Write-Host "  SuperLocalMemory V2.2.0 - Windows Installation                 "
+Write-Host "  SuperLocalMemory V2.8.3 - Windows Installation                 "
 Write-Host "  by Varun Pratap Bhardwaj                                       "
 Write-Host "  https://github.com/varun369/SuperLocalMemoryV2                 "
 Write-Host "=================================================================="
@@ -552,7 +552,7 @@ Write-Host "=================================================================="
 Write-Host "  Optional Features Available                                    "
 Write-Host "=================================================================="
 Write-Host ""
-Write-Host "SuperLocalMemory V2.2.0 includes optional features:"
+Write-Host "SuperLocalMemory includes optional features:"
 Write-Host ""
 Write-Host "  1) Advanced Search (~1.5GB, 5-10 min)"
 Write-Host "     - Semantic search with sentence transformers"

package/mcp_server.py

@@ -61,6 +61,26 @@ try:
 except ImportError:
     TRUST_AVAILABLE = False
 
+# Qualixar Attribution (v2.8.3 — 3-layer provenance)
+try:
+    from qualixar_attribution import QualixarSigner
+    from qualixar_watermark import encode_watermark
+    _signer = QualixarSigner("superlocalmemory", "2.8.3")
+    ATTRIBUTION_AVAILABLE = True
+except ImportError:
+    _signer = None
+    ATTRIBUTION_AVAILABLE = False
+
+
+def _sign_response(response: dict) -> dict:
+    """Apply Layer 2 cryptographic signing to MCP tool responses."""
+    if _signer and isinstance(response, dict):
+        try:
+            return _signer.sign(response)
+        except Exception:
+            pass
+    return response
+
 # Learning System (v2.7+)
 try:
     sys.path.insert(0, str(Path(__file__).parent / "src"))
@@ -203,7 +223,7 @@ _agent_registry = None
 _provenance_tracker = None
 
 
-def get_agent_registry():
+def get_agent_registry() -> Optional[Any]:
     """Get shared AgentRegistry singleton (v2.5+). Returns None if unavailable."""
     global _agent_registry
     if not PROVENANCE_AVAILABLE:
@@ -213,7 +233,7 @@ def get_agent_registry():
     return _agent_registry
 
 
-def get_provenance_tracker():
+def get_provenance_tracker() -> Optional[Any]:
     """Get shared ProvenanceTracker singleton (v2.5+). Returns None if unavailable."""
     global _provenance_tracker
     if not PROVENANCE_AVAILABLE:
@@ -226,7 +246,7 @@ def get_provenance_tracker():
 _trust_scorer = None
 
 
-def get_trust_scorer():
+def get_trust_scorer() -> Optional[Any]:
     """Get shared TrustScorer singleton (v2.6+). Returns None if unavailable."""
     global _trust_scorer
     if not TRUST_AVAILABLE:
@@ -676,12 +696,12 @@ async def remember(
         # Format response
         preview = content[:100] + "..." if len(content) > 100 else content
 
-        return {
+        return _sign_response({
             "success": True,
             "memory_id": memory_id,
             "message": f"Memory saved with ID {memory_id}",
             "content_preview": preview
-        }
+        })
 
     except Exception as e:
         return {
@@ -805,13 +825,13 @@ async def recall(
             if r.get('score', 0) >= min_score
         ]
 
-        return {
+        return _sign_response({
             "success": True,
             "query": query,
             "results": filtered_results,
             "count": len(filtered_results),
             "total_searched": len(results)
-        }
+        })
 
     except Exception as e:
         return {
@@ -888,10 +908,10 @@ async def get_status() -> dict:
         # Call existing get_stats method
         stats = store.get_stats()
 
-        return {
+        return _sign_response({
             "success": True,
             **stats
-        }
+        })
 
     except Exception as e:
         return {
@@ -1637,6 +1657,54 @@ async def project_context_prompt(project_name: str) -> str:
 # SERVER STARTUP
 # ============================================================================
 
+@mcp.tool(annotations=ToolAnnotations(
+    readOnlyHint=True,
+    destructiveHint=False,
+    openWorldHint=False,
+))
+async def get_attribution() -> dict:
+    """
+    Get creator attribution and provenance verification for SuperLocalMemory.
+
+    Returns creator information, license details, and verification status
+    for the 3-layer Qualixar attribution system.
+
+    Returns:
+        {
+            "creator": str,
+            "license": str,
+            "platform": str,
+            "layers": {
+                "visible": bool,
+                "cryptographic": bool,
+                "steganographic": bool
+            }
+        }
+    """
+    try:
+        store = get_store()
+        attribution = store.get_attribution()
+
+        return _sign_response({
+            "success": True,
+            **attribution,
+            "website": "https://superlocalmemory.com",
+            "author_website": "https://varunpratap.com",
+            "attribution_layers": {
+                "layer1_visible": True,
+                "layer2_cryptographic": ATTRIBUTION_AVAILABLE,
+                "layer3_steganographic": ATTRIBUTION_AVAILABLE,
+            },
+        })
+
+    except Exception as e:
+        return {
+            "success": False,
+            "error": _sanitize_error(e),
+            "message": "Failed to get attribution"
+        }
+
+
 if __name__ == "__main__":
     import argparse
 
@@ -1662,7 +1730,7 @@ if __name__ == "__main__":
     # Print startup message to stderr (stdout is used for MCP protocol)
     print("=" * 60, file=sys.stderr)
     print("SuperLocalMemory V2 - MCP Server", file=sys.stderr)
-    print("Version: 2.7.4", file=sys.stderr)
+    print("Version: 2.8.3", file=sys.stderr)
     print("=" * 60, file=sys.stderr)
     print("Created by: Varun Pratap Bhardwaj (Solution Architect)", file=sys.stderr)
     print("Repository: https://github.com/varun369/SuperLocalMemoryV2", file=sys.stderr)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "superlocalmemory",
-  "version": "2.8.2",
+  "version": "2.8.5",
   "description": "Your AI Finally Remembers You - Local-first intelligent memory system for AI assistants. Works with Claude, Cursor, Windsurf, VS Code/Copilot, Codex, and 17+ AI tools. 100% local, zero cloud dependencies.",
   "keywords": [
     "ai-memory",
@@ -46,7 +46,7 @@
     "superlocalmemory": "./bin/slm-npm"
   },
   "scripts": {
-    "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; true",
+    "prepack": "node scripts/prepack.js",
     "postinstall": "node scripts/postinstall.js",
     "preuninstall": "node scripts/preuninstall.js",
     "test": "echo \"Run: npm install -g . && slm status\" && exit 0"

package/requirements-core.txt

@@ -1,24 +1,22 @@
-# SuperLocalMemory V2.2.0 - Core Required Dependencies
+# SuperLocalMemory - Core Feature Dependencies
 # ============================================================================
-# These packages are REQUIRED for core features (graph & patterns)
-# Install automatically during setup for smooth user experience
+# Required for knowledge graph and web dashboard.
+# Core memory operations work without these (stdlib only).
 #
-# Download size: ~50MB
-# Installation time: 1-2 minutes
-#
-# Install with: pip3 install -r requirements-core.txt
+# Download size: ~50MB | Install time: 1-2 minutes
+# Install: pip3 install -r requirements-core.txt
 # ============================================================================
 
-# Knowledge Graph - Required for graph_engine.py
-python-igraph>=0.10.0
-leidenalg>=0.9.0
-scikit-learn>=1.3.0  # Required for TF-IDF vectorization
+# Knowledge Graph
+python-igraph>=0.10.0,<2.0.0
+leidenalg>=0.9.0,<1.0.0
+scikit-learn>=1.3.0,<2.0.0
 
-# Web Dashboard - Required for ui_server.py
-fastapi>=0.109.0
-uvicorn[standard]>=0.27.0
-python-multipart>=0.0.6
+# Web Dashboard
+fastapi>=0.109.0,<1.0.0
+uvicorn[standard]>=0.27.0,<1.0.0
+python-multipart>=0.0.6,<1.0.0
 
-# Performance - JSON and caching
-orjson>=3.9.0
-diskcache>=5.6.0
+# Performance
+orjson>=3.9.0,<4.0.0
+diskcache>=5.6.0,<6.0.0

package/requirements-learning.txt

@@ -1,12 +1,12 @@
-# SuperLocalMemory v2.7 - Learning Dependencies
+# SuperLocalMemory - Learning Dependencies
 # ============================================================================
-# Optional but recommended. Enables intelligent pattern learning and
-# personalized recall ranking.
-#
-# If installation fails, core features work normally (v2.6 behavior).
-# To install: pip3 install -r requirements-learning.txt
+# Optional but recommended. Enables intelligent pattern learning
+# and personalized recall ranking.
 #
+# If installation fails, core features work normally.
+# Install: pip3 install -r requirements-learning.txt
 # Download size: ~30MB
 # ============================================================================
-lightgbm>=4.0.0
-scipy>=1.9.0
+
+lightgbm>=4.0.0,<5.0.0
+scipy>=1.9.0,<2.0.0