Biologically-inspired memory retrieval for the SQLite/Lucid backends, based on SynapticRAG (Hou et al., ACL 2025) and complementary research (Synapse, GAAMA, FadeMem). Brings temporal association, knowledge graph activation, and dynamic memory selection to local backends, closing the gap with MuninnDB's cognitive retrieval for users running lightweight deployments.

Phases:
- Phase 1: Memory access tracking (spike trains for temporal scoring)
- Phase 2: Temporal association scoring in hybrid_merge
- Phase 3: Stimulus propagation on the knowledge graph (local backends only)
- Phase 4: Leaky integrate-and-fire memory selection

References:
- ADR-005: docs/architecture/adr-005-synaptic-memory-retrieval.md
- SynapticRAG: https://arxiv.org/abs/2410.13553
- Synapse (spreading activation): https://arxiv.org/abs/2601.02744
- GAAMA (graph-augmented retrieval): https://arxiv.org/abs/2603.27910
- FadeMem (bio-inspired forgetting): https://arxiv.org/pdf/2601.18642

Due date: Leave open (each phase is a separate PR, Phase 1 is already in review)
No due date•0/5 issues closed

Integrate Hrafn with the Olas autonomous agent marketplace. Covers SDK packaging, EVM wallet (alloy), Mech protocol for AI task fulfillment, and OLAS staking (PoAA). All behind the `olas` feature flag.
No due date•0/13 issues closed

MCP client extension for receiving push notifications from Chartgen, alert-to-agent-loop bridge
No due date•3/3 issues closed

Automated trading signal pipeline: grammers-based Telegram user client to listen to 100eyes channel, Claude Vision analysis, and Chartgen MCP integration.
No due date•4/6 issues closed

Build a client-neutral interaction kernel for Hrafn, starting with a Telegram-first UX and extending cleanly to Slack, WhatsApp, Web, and CLI.

## Goal

Move from channel-specific message handling toward a shared interaction model:
- deterministic action cards
- approval and plan flows
- per-session interaction state
- client capability-based rendering
- rich handoff to web / mini app when the channel is constrained

## Deliverables

- [ ] Interaction schema with neutral node / action / form model
- [ ] Server-side interaction state registry with deterministic action handlers
- [ ] Telegram-first renderer with inline button callbacks
- [ ] Web handoff / detail view bridge for complex workflows
- [ ] Slack renderer using the same interaction kernel
- [ ] WhatsApp renderer with constrained action set and web fallback
- [ ] Permission / approval flows expressed through the same interaction model

## Acceptance

The same backend workflow can render as:
- Telegram inline buttons
- Slack Block Kit actions
- WhatsApp interactive choices
- Web detail view
- CLI numbered prompts

without changing the underlying workflow logic.
No due date•0/7 issues closed

Feature-gate all channels, tools, providers. CI matrix for feature combinations. hrafn doctor validates config vs enabled features.
No due date•10/10 issues closed

**Production-grade auth and protocol compliance for A2A.**

MVP uses bearer tokens only. Production deployments need OAuth, mTLS, and protocol version negotiation.

## Deliverables

- [ ] OAuth 2.0 support for A2A endpoints (client credentials flow)
- [ ] mTLS option for mutual authentication
- [ ] AgentCard: `securitySchemes` and `security` fields per A2A v1.0 spec
- [ ] Protocol version negotiation (`supportedProtocolVersions` in AgentCard)
- [ ] Rate limiting per peer (not just global)
- [ ] `hrafn a2a status` CLI: show connected peers, auth state, task queue

## Non-goals (for now)

- gRPC binding (JSON-RPC sufficient for current use cases)
- Extension system (evaluate when ecosystem demands it)
No due date

**Auto-discover A2A peers without manual config.**

Based on Issue zeroclaw-labs/zeroclaw#4643 by @5queezer.

## Deliverables

- [ ] Localhost scan: probe port range for `/.well-known/agent-card.json` on startup
- [ ] Shared registry: JSON file or SQLite for register/deregister on start/stop
- [ ] mDNS: advertise `_a2a._tcp.local` for LAN discovery
- [ ] Config: `discovery = "none" | "localhost" | "mdns" | "auto"`
- [ ] Peer allowlist: replace blanket `allow_local` with discovered-peer whitelist
- [ ] Manual peer config takes precedence over discovered peers
- [ ] New instance visible within 30s, stopped instance removed within 60s

## Security

Peer allowlist derived from discovery prevents prompt-injected requests to arbitrary local services (SSRF residual from MVP).
No due date

**Close the gap to A2A v1.0 spec: streaming and async operations.**

MVP (PR #4166) is request-response only. The spec requires SSE streaming for incremental results and webhook push notifications for long-running tasks.

## Deliverables

- [ ] SSE streaming on `message/stream` endpoint
- [ ] AgentCard: `capabilities.streaming: true`
- [ ] Push notifications: webhook config per task
- [ ] AgentCard: `capabilities.pushNotifications: true`
- [ ] Telegram group notification for inbound A2A results (already drafted in PR #4166 commit dca06fc)
- [ ] TaskStore eviction with `task_ttl_secs` (memory safety on Pi Zero 2 W)

## Upstream reference

PR #4166 non-goals, now in scope. A2A spec: docs/topics/streaming-and-async.md
No due date

**Principles: Show what AI can see. Least privilege by default.**

Users know exactly what the agent can access. Access is scoped, time-bound, and minimal.

## Deliverables

- [ ] `hrafn status --permissions` shows active tool permissions and credential scopes
- [ ] Per-session credential grants (not persistent broad access)
- [ ] Time-bound access: credentials expire after session/duration
- [ ] Gateway dashboard shows live agent permissions and recent access
- [ ] Config: `[agent.permissions]` section with explicit allow/deny per tool
- [ ] Default: no tools enabled, user opts in explicitly

## Acceptance

Fresh install, no config changes. Agent cannot use any tools. User enables `tool-shell` in config. `hrafn status --permissions` shows exactly: shell (read+write, no network). Nothing else.
No due date•1/1 issues closed

**Principle: Every action involving credential access must leave an audit trail.**

All credential access, tool executions, and policy decisions are logged in a structured, queryable format. No opaque usage.

## Deliverables

- [ ] Structured audit log (JSON lines) for credential access events
- [ ] Each entry: timestamp, tool, credential reference (not value), action, result, policy decision
- [ ] Audit log separate from runtime trace (security-sensitive, different retention)
- [ ] `hrafn audit` CLI command to query and filter audit entries
- [ ] Audit log tamper detection (append-only, optional HMAC)

## Acceptance

After a session with tool use, `hrafn audit --last-session` shows every credential access with context. No raw secrets in audit output.
No due date

**Principle: Authorization must be deterministic, not probabilistic.**

LLMs decide *what* to do. Policy decides *whether they're allowed to*. Tool access is governed by allowlists and scoped permissions, not by the model's judgment.

## Deliverables

- [ ] `SecurityPolicy` trait enforces tool access rules independent of LLM
- [ ] Per-tool permission scopes in config (read, write, network, filesystem)
- [ ] Tool execution gated by policy check before dispatch
- [ ] Autonomy levels (ReadOnly, Supervised, Full) enforced at policy layer
- [ ] Human-in-the-loop confirmation for high-risk tool actions (Supervised mode)
- [ ] Policy decisions logged with reason (allowed/denied/escalated)

## Acceptance

Agent in Supervised mode tries to use `shell` tool with `rm -rf /`. Policy denies without asking the LLM. Logged as denied.
No due date

**Principle: Raw credentials should never enter the LLM context.**

The agent loop must never see raw secrets. Credentials are resolved and injected at the tool execution layer, below the LLM context window.

## Deliverables

- [ ] `CredentialBroker` trait: resolve credentials by reference, not value
- [ ] Tool implementations request credentials via broker, not from config directly
- [ ] Agent prompt and tool descriptions contain no raw secrets
- [ ] A2A bearer tokens already redacted from tool output (PR #4166) -- verify
- [ ] Provider API keys resolved at HTTP call time, not in prompt construction
- [ ] Config API masks secret fields in status/debug output (already partial)

## Acceptance

`RUST_LOG=trace hrafn agent -m "what tools do you have?"` -- grep output for any API key, bearer token, or password. Zero matches = pass.
No due date•3/3 issues closed

Rename, README, CONTRIBUTING, logo, cherry-pick A2A + config hot-reload, P0 security fixes
Overdue by 13 day(s)•Due by April 5, 2026•12/15 issues closed