{"skill":{"slug":"neolata-mem","displayName":"Neolata Memory Engine","summary":"Graph-native memory engine for AI agents — hybrid vector+keyword search, biological decay, Zettelkasten linking, trust-gated conflict resolution, explainabil...","description":"---\r\nname: neolata-mem\r\nversion: 0.8.4\r\ndescription: Graph-native memory engine for AI agents — hybrid vector+keyword search, biological decay, Zettelkasten linking, trust-gated conflict resolution, explainability, episodes, compression & consolidation. Zero dependencies. npm install and go.\r\nmetadata:\r\n  openclaw:\r\n    requires:\r\n      bins:\r\n        - node\r\n    optionalEnv:\r\n      - OPENAI_API_KEY           # For OpenAI embeddings/extraction (read by code)\r\n      - OPENCLAW_GATEWAY_TOKEN   # For OpenClaw LLM gateway routing (read by code)\r\n      - NVIDIA_API_KEY           # For NVIDIA NIM embeddings (passed via config)\r\n      - AZURE_API_KEY            # For Azure OpenAI embeddings (passed via config)\r\n      - SUPABASE_URL             # For Supabase storage backend (passed via config)\r\n      - SUPABASE_KEY             # Supabase anon key — prefer over service key (passed via config)\r\n    dataFlow:\r\n      local:\r\n        - \"Default: JSON files in ./neolata-mem-data/ (configurable dir)\"\r\n        - \"In-memory mode: storage.type='memory' — nothing written to disk\"\r\n      remote:\r\n        - \"Supabase: if storage.type='supabase', memories are stored/read from your Supabase project\"\r\n        - \"Embeddings: if configured, text is sent to OpenAI/NVIDIA/Azure/Ollama for vectorization\"\r\n        - \"LLM: if configured, text sent to OpenAI/OpenClaw/Ollama for extraction/compression/evolution\"\r\n        - \"Webhooks: if webhookWritethrough is enabled, each store event POSTs to the configured URL\"\r\n      note: \"No data leaves the host unless you explicitly configure a remote backend, embedding provider, LLM, or webhook. Default config is fully local (JSON storage + no embeddings).\"\r\n    securityNotes:\r\n      - \"Prefer Supabase anon key + RLS over service key — service key bypasses row-level security\"\r\n      - \"Webhook URLs are an explicit exfiltration surface — only configure trusted endpoints\"\r\n      - \"Test with storage.type='memory' first to evaluate without persisting any data\"\r\n      - \"All env vars except OPENAI_API_KEY and OPENCLAW_GATEWAY_TOKEN are passed via config objects, not read from env directly\"\r\n    license: Elastic-2.0\r\n    homepage: https://github.com/Jeremiaheth/neolata-mem\r\n    repository: https://github.com/Jeremiaheth/neolata-mem\r\n---\r\n\r\n# neolata-mem — Agent Memory Engine\r\n\r\nGraph-native memory for AI agents with hybrid search, biological decay, and zero infrastructure.\r\n\r\n**npm package:** `@jeremiaheth/neolata-mem`\r\n**Repository:** [github.com/Jeremiaheth/neolata-mem](https://github.com/Jeremiaheth/neolata-mem)\r\n**License:** Elastic-2.0 | **Tests:** 367/367 passing (34 files) | **Node:** ≥18\r\n\r\n## When to Use This Skill\r\n\r\nUse neolata-mem when you need:\r\n- **Persistent memory across sessions** that survives context compaction\r\n- **Semantic search** over stored facts, decisions, and findings\r\n- **Memory decay** so stale information naturally fades\r\n- **Multi-agent memory** with cross-agent search and graph linking\r\n- **Conflict resolution** — detect and evolve contradictory memories\r\n\r\nDo NOT use if:\r\n- You only need OpenClaw's built-in `memorySearch` (keyword + vector on workspace files)\r\n- You want cloud-hosted memory (use Mem0 instead)\r\n- You need a full knowledge graph database (use Graphiti + Neo4j)\r\n\r\n## Install\r\n\r\n```bash\r\nnpm install @jeremiaheth/neolata-mem\r\n```\r\n\r\nNo Docker. No Python. No Neo4j. No cloud API required.\r\n\r\n> **Supply-chain verification:** This package has zero runtime dependencies and no install scripts. Verify before installing:\r\n> ```bash\r\n> # Check for install scripts (should show only \"test\"):\r\n> npm view @jeremiaheth/neolata-mem scripts\r\n> # Check for runtime deps (should be empty):\r\n> npm view @jeremiaheth/neolata-mem dependencies\r\n> # Audit the tarball contents (15 files, ~40 kB):\r\n> npm pack @jeremiaheth/neolata-mem --dry-run\r\n> ```\r\n> Source is fully auditable at [github.com/Jeremiaheth/neolata-mem](https://github.com/Jeremiaheth/neolata-mem).\r\n\r\n## Security & Data Flow\r\n\r\n**Default configuration is fully local** — JSON files on disk, no network calls, no embeddings, no external services.\r\n\r\nData only leaves the host if you **explicitly configure** one of these:\r\n\r\n| Feature | What leaves | Where it goes | How to avoid |\r\n|---------|------------|---------------|-------------|\r\n| Embeddings (OpenAI/NVIDIA/Azure) | Memory text | Embedding API endpoint | Use `noop` embeddings or Ollama (local) |\r\n| LLM (OpenAI/OpenClaw/Ollama) | Memory text for extraction/compression | LLM API endpoint | Don't configure `llm` option, or use Ollama |\r\n| Supabase storage | All memory data | Your Supabase project | Use `json` or `memory` storage (default) |\r\n| Webhook writethrough | Store/decay event payloads | Your webhook URL | Don't configure `webhookWritethrough` |\r\n\r\n**Key security properties:**\r\n- Only 2 env vars are read directly by code: `OPENAI_API_KEY` and `OPENCLAW_GATEWAY_TOKEN`. All others (Supabase, NVIDIA, Azure) are passed via explicit config objects.\r\n- All provider URLs are validated against SSRF (private IPs blocked, cloud metadata blocked).\r\n- Supabase: prefer anon key + RLS over service key. Service key bypasses row-level security.\r\n- JSON storage uses atomic writes (temp file + rename) to prevent corruption.\r\n- All user content sent to LLMs is XML-fenced with injection guards.\r\n- Test safely with `storage: { type: 'memory' }` — nothing touches disk or network.\r\n\r\nSee `docs/guide.md § Security` for the full security model.\r\n\r\n## Quick Start (Zero Config)\r\n\r\n```javascript\r\nimport { createMemory } from '@jeremiaheth/neolata-mem';\r\n\r\nconst mem = createMemory();\r\nawait mem.store('agent-1', 'User prefers dark mode');\r\nconst results = await mem.search('agent-1', 'UI preferences');\r\n```\r\n\r\nWorks immediately with local JSON storage and keyword search. No API keys needed.\r\n\r\n## With Semantic Search\r\n\r\n```javascript\r\nconst mem = createMemory({\r\n  embeddings: {\r\n    type: 'openai',\r\n    apiKey: process.env.OPENAI_API_KEY,\r\n    model: 'text-embedding-3-small',\r\n  },\r\n});\r\n\r\n// Agent IDs like 'kuro' and 'maki' are just examples — use any string.\r\nawait mem.store('kuro', 'Found XSS in login form', { category: 'finding', importance: 0.9 });\r\nconst results = await mem.search('kuro', 'security vulnerabilities');\r\n```\r\n\r\nSupports **5+ embedding providers**: OpenAI, NVIDIA NIM, Ollama, Azure, Together, or any OpenAI-compatible endpoint.\r\n\r\n## Key Features\r\n\r\n### Hybrid Search (Vector + Keyword Fallback)\r\nUses semantic similarity when embeddings are configured; falls back to tokenized keyword matching when they're not:\r\n```javascript\r\n// With embeddings → vector cosine similarity search\r\n// Without embeddings → normalized keyword matching (stop word removal, lowercase, dedup)\r\nconst results = await mem.search('agent', 'security vulnerabilities');\r\n```\r\n\r\nKeyword search uses an inverted token index for O(1) lookups. When >500 memories exist, vector search pre-filters candidates using token overlap before cosine similarity (candidate narrowing).\r\n\r\n### Biological Decay\r\nMemories fade over time unless reinforced. Old, unaccessed memories naturally lose relevance:\r\n```javascript\r\nawait mem.decay();        // Run maintenance — archive/delete stale memories\r\nawait mem.reinforce(id);  // Boost a memory to resist decay\r\n```\r\n\r\n### Memory Graph (Zettelkasten Linking)\r\nEvery memory is automatically linked to related memories by semantic similarity:\r\n```javascript\r\nconst links = await mem.links(memoryId);     // Direct connections\r\nconst path = await mem.path(idA, idB);       // Shortest path between memories\r\nconst clusters = await mem.clusters();        // Detect topic clusters\r\n```\r\n\r\n### Conflict Resolution & Quarantine\r\nDetect contradictions before storing — with claim-based structural detection or LLM-based semantic detection:\r\n```javascript\r\n// Structural (no LLM needed): claim-based conflict detection\r\nawait mem.store('agent', 'Server uses port 443', {\r\n  claim: { subject: 'server', predicate: 'port', value: '443' },\r\n  provenance: { source: 'user_explicit', trust: 1.0 },\r\n  onConflict: 'quarantine',  // low-trust conflicts quarantined for review\r\n});\r\n\r\n// Semantic (requires LLM): LLM classifies as conflict/update/novel\r\nawait mem.evolve('agent', 'Server now uses port 8080');\r\n\r\n// Review quarantined memories\r\nconst quarantined = await mem.listQuarantined();\r\nawait mem.reviewQuarantine(quarantined[0].id, { action: 'activate' });\r\n```\r\n\r\n### Predicate Schema Registry\r\nDefine per-predicate rules for conflict handling, normalization, and deduplication:\r\n```javascript\r\nconst mem = createMemory({\r\n  predicateSchemas: {\r\n    'preferred_language': { cardinality: 'single', conflictPolicy: 'supersede', normalize: 'lowercase_trim' },\r\n    'spoken_languages':   { cardinality: 'multi', dedupPolicy: 'corroborate' },\r\n    'salary':             { cardinality: 'single', conflictPolicy: 'require_review', normalize: 'currency' },\r\n  },\r\n});\r\n```\r\n\r\nOptions: `cardinality` (single/multi), `conflictPolicy` (supersede/require_review/keep_both), `normalize` (none/trim/lowercase/lowercase_trim/currency), `dedupPolicy` (corroborate/store).\r\n\r\n### Explainability API\r\nUnderstand why search returned or filtered specific memories:\r\n```javascript\r\nconst results = await mem.search('agent', 'query', { explain: true });\r\nconsole.log(results.meta);        // query options, result count\r\nconsole.log(results[0].explain);  // retrieved, rerank, statusFilter details\r\n\r\nconst detail = await mem.explainMemory(memoryId);\r\n// { id, status, trust, confidence, provenance, claimSummary }\r\n```\r\n\r\n### Multi-Agent Support\r\n```javascript\r\nawait mem.store('kuro', 'Vuln found in API gateway');\r\nawait mem.store('maki', 'API gateway deployed to prod');\r\nconst all = await mem.searchAll('API gateway');  // Cross-agent search\r\n```\r\n\r\n### Episodes (Temporal Grouping)\r\nGroup related memories into named episodes:\r\n```javascript\r\nconst ep = await mem.createEpisode('Deploy v2.0', [id1, id2, id3], { tags: ['deploy'] });\r\nconst ep2 = await mem.captureEpisode('kuro', 'Standup', { start: '...', end: '...' });\r\nconst results = await mem.searchEpisode(ep.id, 'database migration');\r\nconst { summary } = await mem.summarizeEpisode(ep.id);  // requires LLM\r\n```\r\n\r\n### Memory Compression & Consolidation\r\nConsolidate redundant memories into digests:\r\n```javascript\r\nawait mem.compress([id1, id2, id3], { method: 'llm', archiveOriginals: true });\r\nawait mem.compressEpisode(episodeId);\r\nawait mem.autoCompress({ minClusterSize: 3, maxDigests: 5 });\r\n\r\n// Full maintenance: dedup → contradictions → corroborate → compress → prune\r\nawait mem.consolidate({ dedupThreshold: 0.95, compressAge: 30, pruneAge: 90 });\r\n```\r\n\r\n### Labeled Clusters\r\nPersistent named groups:\r\n```javascript\r\nawait mem.createCluster('Security findings', [id1, id2]);\r\nawait mem.autoLabelClusters();  // LLM labels unlabeled clusters\r\n```\r\n\r\n### Event Emitter\r\nHook into the memory lifecycle:\r\n```javascript\r\nmem.on('store', ({ agent, content, id }) => { /* ... */ });\r\nmem.on('search', ({ agent, query, results }) => { /* ... */ });\r\nmem.on('decay', ({ archived, deleted, dryRun }) => { /* counts, not arrays */ });\r\n```\r\n\r\n### Batch APIs\r\nAmortize embedding calls and I/O with bulk operations:\r\n```javascript\r\n// Store many memories in one call (single embed batch + single persist)\r\nconst result = await mem.storeMany('agent', [\r\n  { text: 'Fact one', category: 'fact', importance: 0.8 },\r\n  { text: 'Fact two', tags: ['infra'] },\r\n  'Plain string also works',\r\n]);\r\n// { total: 3, stored: 3, results: [{ id, links }, ...] }\r\n\r\n// Search multiple queries in one call (single embed batch)\r\nconst results = await mem.searchMany('agent', ['query one', 'query two']);\r\n// [{ query: 'query one', results: [...] }, { query: 'query two', results: [...] }]\r\n```\r\n\r\nBatch operations include:\r\n- Atomic rollback on persist failure (memories, indexes, backlinks all reverted)\r\n- Cross-linking within the same batch\r\n- Configurable caps: `maxBatchSize` (default 1000), `maxQueryBatchSize` (default 100)\r\n\r\n### Bulk Ingestion with Fact Extraction\r\nExtract atomic facts from text using an LLM, then store each with A-MEM linking:\r\n```javascript\r\nconst mem = createMemory({\r\n  embeddings: { type: 'openai', apiKey: process.env.OPENAI_API_KEY },\r\n  extraction: { type: 'llm', apiKey: process.env.OPENAI_API_KEY },\r\n});\r\n\r\nconst result = await mem.ingest('agent', longText);\r\n// { total: 12, stored: 10, results: [...] }\r\n```\r\n\r\n## CLI\r\n\r\n```bash\r\nnpx neolata-mem store myagent \"Important fact here\"\r\nnpx neolata-mem search myagent \"query\"\r\nnpx neolata-mem decay --dry-run\r\nnpx neolata-mem health\r\nnpx neolata-mem clusters\r\n```\r\n\r\n## OpenClaw Integration\r\n\r\nneolata-mem complements OpenClaw's built-in `memorySearch`:\r\n- **memorySearch** = searches your workspace `.md` files (BM25 + vector)\r\n- **neolata-mem** = structured memory store with graph, decay, evolution, multi-agent\r\n\r\nUse both together: memorySearch for workspace file recall, neolata-mem for agent-managed knowledge.\r\n\r\n### Recommended Setup\r\n\r\nIn your agent's daily cron or heartbeat:\r\n```javascript\r\n// Store important facts from today's session\r\nawait mem.store(agentId, 'Key decision: migrated to Postgres', {\r\n  category: 'decision',\r\n  importance: 0.8,\r\n  tags: ['infrastructure'],\r\n});\r\n\r\n// Run decay maintenance\r\nawait mem.decay();\r\n```\r\n\r\n## Comparison\r\n\r\n| Feature | neolata-mem | Mem0 | OpenClaw memorySearch |\r\n|---------|:-----------:|:----:|:---------------------:|\r\n| Local-first (data stays on machine) | ✅ (default) | ❌ | ✅ |\r\n| Hybrid search (vector + keyword) | ✅ | ❌ | ✅ |\r\n| Memory decay | ✅ | ❌ | ❌ |\r\n| Memory graph / linking | ✅ | ❌ | ❌ |\r\n| Conflict resolution | ✅ | Partial | ❌ |\r\n| Quarantine lane | ✅ | ❌ | ❌ |\r\n| Predicate schemas | ✅ | ❌ | ❌ |\r\n| Explainability API | ✅ | ❌ | ❌ |\r\n| Episodes & compression | ✅ | ❌ | ❌ |\r\n| Labeled clusters | ✅ | ❌ | ❌ |\r\n| Multi-agent | ✅ | ✅ | Per-agent |\r\n| Zero infrastructure | ✅ | ❌ | ✅ |\r\n| Event emitter | ✅ | ❌ | ❌ |\r\n| Batch APIs (storeMany/searchMany) | ✅ | ❌ | ❌ |\r\n| npm package | ✅ | ✅ | Built-in |\r\n\r\n## Security\r\n\r\nneolata-mem includes hardening against common agent memory attack vectors:\r\n\r\n- **Prompt injection mitigation**: XML-fenced user content in all LLM prompts + structural output validation\r\n- **Input validation**: Agent names (alphanumeric, max 64), text length caps (10KB), bounded memory count (50K), batch size caps (1000 store / 100 query)\r\n- **Batch atomicity**: `storeMany` rolls back all memories, indexes, and backlinks on persist failure\r\n- **SSRF protection**: All provider URLs validated via `validateBaseUrl()` — blocks cloud metadata endpoints (`169.254.169.254`), private IP ranges, non-HTTP protocols\r\n- **Supabase hardening**: UUID validation on query params, error text sanitized (strips tokens/keys), upsert-based save (crash-safe), 429 retry with backoff\r\n- **Atomic writes**: Write-to-temp + rename prevents file corruption\r\n- **Path traversal guards**: Storage directories and write-through paths validated with `resolve()` + prefix checks\r\n- **Cryptographic IDs**: `crypto.randomUUID()` — no predictable memory references\r\n- **Retry bounds**: Exponential backoff with max 3 retries on 429s\r\n- **Error surfacing**: Failed conflict detection returns `{ error }` instead of silent fallthrough\r\n\r\n**Supabase key guidance:** Prefer the anon key with Row Level Security (RLS) policies over the service role key. The service key bypasses RLS and grants full access to all stored memories. Only use it for admin/migration tasks.\r\n\r\nSee the [full security section](docs/guide.md#security) for details.\r\n\r\n### Data Residency & External API Usage\r\n\r\n**Local-only mode** (default): Memories are stored as JSON at `./neolata-mem-data/graph.json` (relative to CWD). No data leaves your machine. Keyword search works without any API keys.\r\n\r\n**With embeddings/extraction/LLM**: When you configure an external provider (OpenAI, NIM, Ollama, etc.), your memory text is sent to that provider's API for embedding or extraction. This is opt-in — you must explicitly provide an API key and base URL.\r\n\r\n| Mode | Data sent externally? | Storage location |\r\n|------|:---------------------:|------------------|\r\n| Default (no config) | ❌ No | `./neolata-mem-data/graph.json` |\r\n| Ollama embeddings | ❌ No (local) | `./neolata-mem-data/graph.json` |\r\n| OpenAI/NIM embeddings | ⚠️ Memory text → provider | `./neolata-mem-data/graph.json` |\r\n| Supabase storage | ⚠️ All data → Supabase | Supabase PostgreSQL |\r\n| LLM conflict resolution | ⚠️ Memory text → provider | Storage unchanged |\r\n\r\n**To keep all data local**: Use Ollama for embeddings and JSON storage. No API keys needed for keyword-only search.\r\n\r\n## Links\r\n\r\n- **npm:** [@jeremiaheth/neolata-mem](https://www.npmjs.com/package/@jeremiaheth/neolata-mem)\r\n- **GitHub:** [Jeremiaheth/neolata-mem](https://github.com/Jeremiaheth/neolata-mem)\r\n- **Full docs:** See `docs/guide.md` in the package\r\n","topics":["Agent Memory"],"tags":{"latest":"0.8.5","conflict-resolution":"0.3.1","decay":"0.3.1","embeddings":"0.3.1","graph":"0.3.1","memory":"0.3.1","zettelkasten":"0.3.1"},"stats":{"comments":0,"downloads":1060,"installsAllTime":40,"installsCurrent":1,"stars":0,"versions":12},"createdAt":1771946048401,"updatedAt":1778491628548},"latestVersion":{"version":"0.8.5","createdAt":1772110643720,"changelog":"- Updated skill.","license":null},"metadata":{"setup":[],"os":null,"systems":null},"owner":{"handle":"jeremiaheth","userId":"s174qzmk588xyewqrjzed15hbx856z8r","displayName":"HEIS AGENCY","image":"https://avatars.githubusercontent.com/u/110702855?v=4"},"moderation":null}