feat(memory): harden grounded REM extraction

[mbelinky]

Summary

• Problem: the grounded backfill lane still over-read noisy technical days and kept some multi-fact person lines as bundled memory candidates.
• Why it matters: without stricter extraction, the diary/backfill output stays too loggy to trust as future warm-memory evidence.
• What changed: tightened grounded What Happened selection, suppressed monitoring sludge, split durable subfacts out of multi-fact candidate lines, and made reflections more relationship-aware when that is the real signal.
• What did NOT change (scope boundary): this PR does not change the live promotion lane yet and does not add UI.

Change Type (select all)

• Feature
• Bug fix
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Memory / storage
• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related feat(memory): add grounded REM backfill lane #63273
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

• Root cause: the base backfill lane extracted grounded summaries, but it still treated some monitoring/logistics residue and bundled person lines as if they were equally memory-worthy.
• Missing detection / guardrail: the initial lane had no targeted tests for noisy operational days or multi-fact relationship lines.
• Prior context (git blame, prior PR, issue, or refactor if known): follow-up hardening on top of feat(memory): add grounded REM backfill lane #63273.
• Why this regressed now: N/A
• If unknown, what was ruled out: N/A

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/memory-core/src/cli.test.ts
• Scenario the test should lock in: persistence-shaped fact selection, monitoring-day suppression, and atomic durable-candidate extraction from mixed person lines.
• Why this is the smallest reliable guardrail: the grounded extractor behavior is exercised directly through the CLI preview path.
• Existing test that already covers this (if any): base backfill tests live in feat(memory): add grounded REM backfill lane #63273.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

• What Happened prefers more persistence-shaped grounded facts.
• monitoring-heavy days stop surfacing alert sludge as memory facts.
• Candidates and Possible Lasting Updates can split durable subfacts out of mixed person lines.
• reflections become less generic on relationship-heavy days.

Diagram (if applicable)

Before:
[daily note] -> [grounded backfill] -> [bundled/noisy facts]

After:
[daily note] -> [grounded backfill] -> [durable facts + cleaner candidates + sharper reflections]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS authoring, mb-server for gates
• Runtime/container: Node 22 / Vitest 4
• Model/provider: N/A
• Integration/channel (if any): N/A
• Relevant config (redacted): default memory workspace layout

Steps

1. Run openclaw memory rem-harness --json --grounded --path <history-dir> on noisy and relationship-heavy day files.
2. Inspect What Happened, Reflections, and Candidates.

Expected

• noisy operational days stay sparse
• durable relationship facts survive without dragging transient venue/travel details into memory candidates

Actual

• Matches expected on the focused gate scenarios.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

• Verified scenarios: noisy monitoring day suppression, persistence-weighted fact selection, atomic durable-candidate extraction.
• Edge cases checked: multi-fact relationship lines, ordering-insensitive durable candidate assertions.
• What you did not verify: UI rendering; that remains in a separate stacked PR.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

• Risk: overly strict extraction could under-surface one-off but real facts.
  • Mitigation: this ships as a focused stacked hardening PR on top of the reversible backfill foundation, so we can tune it further before feeding live promotion.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 4 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Potential secret/credential persistence in REM grounded evidence extraction
2	🟡 Medium	Algorithmic complexity DoS in atomizeClaimText clause splitting
3	🟡 Medium	Unbounded markdown traversal and heavy regex scoring can cause CPU/memory DoS
4	🟡 Medium	PII retention amplification by atomizing person/relationship lines into multiple durable memory candidates

1. 🟠 Potential secret/credential persistence in REM grounded evidence extraction

Property	Value
Severity	High
CWE	CWE-200
Location	extensions/memory-core/src/rem-evidence.ts:491-555

Description

The grounded REM extraction logic can promote and persist lines containing secrets/credentials into durable memory surfaces (e.g., REM backfill diary entries), due to the interaction between the new monitoring-suppression filter and the durable-signal bypass.

Key points:

• REM_MONITORING_SIGNAL_RE matches security-sensitive terms like passkey, credential, and password in bws.
• chooseFactSnippets / chooseCandidateSnippets suppress monitoring-heavy snippets unless isDurableSignalSnippet() returns true.
• isDurableSignalSnippet() returns true for preference/persistence/person signals (e.g., prefers, remember, partner/girlfriend patterns) and does not check for secrets/credentials.
• As a result, a single line mixing a durable signal with a secret (e.g., "prefers using password in bws: ") will pass the monitoring filter and can be included in:
  • renderedMarkdown output, and
  • memory rem-backfill, which converts renderedMarkdown into diary lines and writes them to DREAMS.md (durable storage).
• There is no redaction/sanitization of secrets before rendering or writing (groundedMarkdownToDiaryLines is a simple transform).

Vulnerable code paths:

• Monitoring bypass filter:

.filter(
  (entry) =>
    !REM_MONITORING_SIGNAL_RE.test(`${section.title} ${entry.snippet.text}`) ||
    isDurableSignalSnippet(entry.snippet.text, section.title),
)

• Durable-signal check does not exclude secrets:

return (
  REM_MEMORY_SIGNAL_RE.test(text) ||
  REM_PERSISTENCE_SIGNAL_RE.test(text) ||
  REM_EXPLICIT_PREFERENCE_SIGNAL_RE.test(text) ||
  REM_STABLE_PERSON_SIGNAL_RE.test(`${title} ${text}`) ||
  REM_PERSON_PATTERN_SIGNAL_RE.test(text)
);

• Persistence sink (writes grounded output into backfill diary entries): groundedMarkdownToDiaryLines(file.renderedMarkdown) followed by writeBackfillDiaryEntries(...).

Impact:

• Secrets/credentials embedded in operational logs or preference notes may be unintentionally surfaced in CLI output and persisted into long-term memory artifacts (e.g., DREAMS.md), increasing the blast radius of accidental secret inclusion in markdown notes.

Recommendation

Add explicit secret/credential detection and ensure it is never eligible for promotion or persistence, regardless of "durable" signals.

Recommended changes:

1. Introduce a REM_SECRET_SIGNAL_RE (or integrate with existing secret-scanning utilities) that detects common secret patterns (password assignments, API keys, bearer tokens, private keys, etc.).
2. Apply it as a hard filter before scoring/promotion, and/or redact matched substrings before rendering/writing.
3. Ensure both sinks are protected:
   • renderedMarkdown generation in previewGroundedRemForFile
   • backfill persistence path in runMemoryRemBackfill

Example (hard block):

const REM_SECRET_SIGNAL_RE = /\b(password|passkey|credential|api[_-]?key|bearer\s+[a-z0-9._-]+|secret)\b/i;

function containsSecret(text: string, title: string): boolean {
  return REM_SECRET_SIGNAL_RE.test(`${title} ${text}`);
}

​// In chooseFactSnippets / chooseCandidateSnippets
.filter((entry) => !containsSecret(entry.snippet.text, section.title))

Example (redaction, if you must keep context):

function redactSecrets(value: string): string {
  return value
    .replace(/(bearer\s+)[a-z0-9._-]+/gi, "$1[REDACTED]")
    .replace(/(password\s*[:=]\s*)\S+/gi, "$1[REDACTED]");
}

Also add tests that include lines combining durable signals (e.g., "prefers") with credentials/tokens and assert they are excluded or redacted.

2. 🟡 Algorithmic complexity DoS in atomizeClaimText clause splitting

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/memory-core/src/rem-evidence.ts:592-605

Description

The claim atomization logic can exhibit quadratic-time behavior on long, delimiter-heavy input lines.

• splitTopLevelClauses() repeatedly calls findTopLevelDelimiter() on the remaining suffix (rest).
• findTopLevelDelimiter() scans the input string linearly.
• For input containing many top-level delimiters (e.g., thousands of ; characters), the loop becomes O(n^2) (full scan of progressively shorter suffixes), and also performs repeated slice() allocations.
• atomizeClaimText() calls splitTopLevelClauses() on untrusted markdown content (files collected from inputPaths and read fully with fs.readFile()), with no file size / line length / delimiter count limits, enabling a local or synced-note attacker to cause significant CPU and memory consumption when the CLI/agent scans notes.

Vulnerable code:

function splitTopLevelClauses(text: string, delimiter: string): string[] {
  const parts: string[] = [];
  let rest = text;
  while (rest.length > 0) {
    const splitAt = findTopLevelDelimiter(rest, delimiter);
    if (splitAt < 0) {
      parts.push(rest);
      break;
    }
    parts.push(rest.slice(0, splitAt));
    rest = rest.slice(splitAt + 1);
  }
  return parts.map((part) => normalizeWhitespace(part)).filter(Boolean);
}

Recommendation

Avoid repeated rescans of the remaining string.

Option A (single pass): scan once and record delimiter positions at top level, then slice once.

function splitTopLevelClauses(text: string, delimiter: string): string[] {
  const parts: string[] = [];
  let roundDepth = 0;
  let squareDepth = 0;
  let last = 0;

  for (let i = 0; i < text.length; i += 1) {
    const c = text[i];
    if (c === "(") roundDepth += 1;
    else if (c === ")") roundDepth = Math.max(0, roundDepth - 1);
    else if (c === "[") squareDepth += 1;
    else if (c === "]") squareDepth = Math.max(0, squareDepth - 1);
    else if (c === delimiter && roundDepth === 0 && squareDepth === 0) {
      parts.push(text.slice(last, i));
      last = i + 1;
      if (parts.length >= 3) break; // if you only ever use the first few atoms
    }
  }

  if (last <= text.length && parts.length < 3) {
    parts.push(text.slice(last));
  }

  return parts.map((p) => normalizeWhitespace(p)).filter(Boolean);
}

Option B (limits): enforce maximum file size / maximum line length / maximum delimiter splits processed (e.g., stop after N splits or after M characters) before calling atomization.

This prevents a crafted markdown file from causing excessive CPU/memory usage during scanning.

3. 🟡 Unbounded markdown traversal and heavy regex scoring can cause CPU/memory DoS

Property	Value
Severity	Medium
CWE	CWE-400
Location	extensions/memory-core/src/rem-evidence.ts:1018-1055

Description

The previewGroundedRemMarkdown pipeline performs unbounded recursive directory traversal and then loads and analyzes the entire contents of every discovered .md file, applying many regex tests and extra per-snippet work (atomizeClaimText + repeated scoring).

This creates a denial-of-service risk when inputPaths can point at very large directory trees or extremely large markdown files:

• collectMarkdownFiles() recursively walks all directories under each inputPath with no depth, count, or size limits.
• previewGroundedRemMarkdown() reads each file fully into memory via fs.readFile(..., "utf-8").
• previewGroundedRemForFile() then repeatedly runs multiple regexes (including the new long-alternation REM_MONITORING_SIGNAL_RE) across all snippets/sections and expands work by atomizing claims.

Even without catastrophic backtracking, this is enough to cause CLI/UI lockups or high memory usage when processing untrusted or accidentally huge workspaces.

Recommendation

Add explicit resource limits and early exits so large/untrusted inputs cannot exhaust CPU/RAM.

Suggested mitigations (choose appropriate defaults for your environment):

1. Limit traversal

• Maximum directory depth
• Maximum number of files
• Skip common large/irrelevant directories (e.g. node_modules, .git)

2. Limit file size before reading

3. Cap parsing work

• Maximum sections/snippets processed per file
• Short-circuit regex scoring once thresholds are met

Example (size + file-count limits):

const MAX_FILES = 500;
const MAX_BYTES = 1_000_000; // 1MB

if (found.size >= MAX_FILES) return;
...
if (stat.isFile() && resolved.toLowerCase().endsWith('.md')) {
  if (stat.size <= MAX_BYTES) found.add(resolved);
}

If this code can be triggered by remote/untrusted content (e.g., in an extension processing arbitrary workspaces), treat this as a security boundary and enforce conservative limits.

4. 🟡 PII retention amplification by atomizing person/relationship lines into multiple durable memory candidates

Property	Value
Severity	Medium
CWE	CWE-200
Location	extensions/memory-core/src/rem-evidence.ts:720-741

Description

The grounded REM extraction now splits a single line into multiple atomic claims (e.g., "Bex — girlfriend, ..." → "Bex — girlfriend" plus another claim) and emits each claim as its own grounded candidate.

This creates a privacy/PII risk because:

• Inputs are free-form daily notes (YYYY-MM-DD.md) which can contain personal data (names, relationship status, venues, dates).
• The new atomizeClaimText()/splitSubjectLeadClaim() logic increases the number of extracted memory items derived from a single source line.
• Those extracted items are then rendered into grounded markdown and can be persisted into the main workspace via rem-backfill (written into DREAMS/diary entries) and surfaced in CLI output.
• There is no consent boundary, minimization, or redaction for person-identifying information before persistence; instead, the change explicitly prioritizes relationship facts (see tests asserting "Bunji — partner", "Bex — girlfriend" appear).

Vulnerable flow (privacy amplification):

• Input: daily note bullet lines (may contain PII)
• Transformation: atomizeClaimText(snippet.text) produces up to 3 claims
• Sink/surface: claims become grounded candidates and are rendered/persisted via rem-backfill into diary/DREAMS content

Vulnerable code:

return chooseCandidateSnippets(section, snippets).flatMap((snippet) =>
  atomizeClaimText(snippet.text)
    .map((claim) => {
      const score = scoreCandidateSnippet(claim, section.title);
      const text = buildCandidateSnippetText(section.title, claim);
      return {
        text,
        refs: [makeRef(params.relPath, snippet.line)],
        lean: classifyCandidateLeanFromText(claim, section.title),
        score,
      };
    })
    .filter((candidate) => candidate.text.length >= 12 && candidate.score >= 1.8),
);

While this may be intended behavior, it materially increases the likelihood that sensitive relationship facts become durable, independently retrievable memory entries.

Recommendation

Add privacy minimization controls before persisting/surfacing atomized claims, especially for person-identifying content.

Options (can be combined):

1. Gate atomization for person/relationship lines unless user opted in:

const isPersonRelationship = REM_STABLE_PERSON_SIGNAL_RE.test(`${section.title} ${snippet.text}`);
const claims = isPersonRelationship && !opts.allowPersonAtomization
  ? [snippet.text]
  : atomizeClaimText(snippet.text);

2. Redact or downscope relationship labels (partner/girlfriend/etc.) when writing backfill output unless explicitly requested.

3. Add a dedicated PII classifier (names/emails/phones/addresses) and suppress or require explicit allowlisting before writing to durable stores (e.g., DREAMS diary entries).

4. Ensure downstream sinks (CLI JSON, logs, exports) respect a --redact/--no-people-memory flag.

---

Analyzed PR: #63297 at commit e188b7e

_{Last updated on: 2026-04-08T18:27:48Z}

[mbelinky]

Merged via squash.

• Prepared head SHA: e188b7e26dc5c4d1f449d6889605824fce0a8a81
• Merge commit: 078e7a6586f5857a328a19dd30e6020eece78a65

Thanks @mbelinky!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e188b7e26d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Limit subject splitting to actual dash separators

Update splitSubjectLeadClaim so it only treats a dash as a subject separator when it appears as a real delimiter (for example, spaced - / —), not any hyphen character. The current pattern matches hyphenated words, so inputs like Use long-term plan, avoid reactive tasks are split into malformed atomic claims (e.g., Use long- term plan), which can then be surfaced in ## Candidates/## Possible Lasting Updates as noisy or corrupted memory candidates.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR hardens the grounded REM backfill lane by tightening What Happened fact selection to prefer persistence-shaped signals over operational noise, suppressing monitoring-heavy days from surfacing alert sludge, splitting multi-fact person lines into atomic durable candidates via atomizeClaimText/splitSubjectLeadClaim, and making reflections relationship-aware when multiple person threads appear in the same day. Three new targeted unit tests cover the main scenarios (persistence preference, monitoring suppression, and person-line atomisation).

Confidence Score: 5/5

Safe to merge; all findings are P2 style suggestions that do not affect correctness.

The implementation is well-layered: monitoring suppression, durable-candidate scoring, and atomisation all have explicit score-threshold guards (1.4 / 1.8) that make borderline splits benign in practice. New tests directly exercise the three targeted scenarios. The only concern is the ASCII-hyphen in splitSubjectLeadClaim's regex, which can produce odd split strings, but they're reliably filtered by the downstream score check.

No files require special attention beyond the minor hyphen-regex note in extensions/memory-core/src/rem-evidence.ts.

Vulnerabilities

No security concerns identified. The PR only modifies in-process text scoring/filtering heuristics and adds unit tests; there are no new network calls, no auth changes, and no new surfaces for injection.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/memory-core/src/rem-evidence.ts
Line: 607-627

Comment:
**Hyphen in dash character class may split compound words**

`(?:—|–|-)` includes a plain ASCII hyphen `-`, so inputs like `"non-trivial claim, worth noting"` or `"self-aware, sometimes unreliable"` will match at the first hyphen: `subject = "non-"`, `rest = "trivial claim, worth noting"`. The `first.length < 3` guard (`"trivial claim"` is well over 3 chars) and `remainder.length < 6` don't block this, so it would return `["non- trivial claim", "non- worth noting"]` — syntactically odd but harmless only because the score filter tends to reject them.

If you want to restrict splitting to semantic dashes only, consider excluding the plain hyphen:

```suggestion
function splitSubjectLeadClaim(text: string): string[] {
  const match = /^(?<subject>.+?(?:—|–))\s*(?<rest>.+)$/u.exec(text);
```

Alternatively, require at least one whitespace around the hyphen when it's an ASCII dash: `(?:—|–|\s+-\s+)`. Either way, the current behaviour is low-risk because of the downstream score threshold, but it's easy to tighten.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "changelog: document grounded diary extra..." | Re-trigger Greptile}

[greptile-apps]

Hyphen in dash character class may split compound words

(?:—|–|-) includes a plain ASCII hyphen -, so inputs like "non-trivial claim, worth noting" or "self-aware, sometimes unreliable" will match at the first hyphen: subject = "non-", rest = "trivial claim, worth noting". The first.length < 3 guard ("trivial claim" is well over 3 chars) and remainder.length < 6 don't block this, so it would return ["non- trivial claim", "non- worth noting"] — syntactically odd but harmless only because the score filter tends to reject them.

If you want to restrict splitting to semantic dashes only, consider excluding the plain hyphen:

Suggested change

	function splitSubjectLeadClaim(text: string): string[] {
	const match = /^(?<subject>.+?(?:—|–|-))\s*(?<rest>.+)$/u.exec(text);
	if (!match?.groups) {
	return [text];
	}
	const subject = normalizeWhitespace(match.groups.subject);
	const rest = normalizeWhitespace(match.groups.rest);
	if (!subject || !rest) {
	return [text];
	}
	const commaIndex = findTopLevelDelimiter(rest, ",");
	if (commaIndex < 0) {
	return [text];
	}
	const first = normalizeWhitespace(rest.slice(0, commaIndex));
	const remainder = normalizeWhitespace(rest.slice(commaIndex + 1));
	if (first.length < 3 || remainder.length < 6) {
	return [text];
	}
	return [`${subject} ${first}`, `${subject} ${remainder}`];
	}
	function splitSubjectLeadClaim(text: string): string[] {
	const match = /^(?<subject>.+?(?:—|–))\s*(?<rest>.+)$/u.exec(text);

Alternatively, require at least one whitespace around the hyphen when it's an ASCII dash: (?:—|–|\s+-\s+). Either way, the current behaviour is low-risk because of the downstream score threshold, but it's easy to tighten.

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/memory-core/src/rem-evidence.ts
Line: 607-627

Comment:
**Hyphen in dash character class may split compound words**

`(?:—|–|-)` includes a plain ASCII hyphen `-`, so inputs like `"non-trivial claim, worth noting"` or `"self-aware, sometimes unreliable"` will match at the first hyphen: `subject = "non-"`, `rest = "trivial claim, worth noting"`. The `first.length < 3` guard (`"trivial claim"` is well over 3 chars) and `remainder.length < 6` don't block this, so it would return `["non- trivial claim", "non- worth noting"]` — syntactically odd but harmless only because the score filter tends to reject them.

If you want to restrict splitting to semantic dashes only, consider excluding the plain hyphen:

```suggestion
function splitSubjectLeadClaim(text: string): string[] {
  const match = /^(?<subject>.+?(?:—|–))\s*(?<rest>.+)$/u.exec(text);
```

Alternatively, require at least one whitespace around the hyphen when it's an ASCII dash: `(?:—|–|\s+-\s+)`. Either way, the current behaviour is low-risk because of the downstream score threshold, but it's easy to tighten.

How can I resolve this? If you propose a fix, please make it concise.