feat: secure memory queries and implement pgvector semantic search

[ApoorvSaxena0109]

Pull Request

v1.5 review context: Pull requests should preserve ClawKeeper as an OpenClaw-native SMB finance-agent platform with TypeScript-first agents, deterministic policy guardrails, tenant isolation, and auditable financial execution.

Description

This PR secures the database query interface for ClawKeeper's agent memory store and implements true hybrid semantic search utilizing pgvector to fulfill the inline TODO inside searchMemories().

1. SQL Injection Remediation: Replaced raw string concatenation inside getMemories(), searchMemories(), and semanticSearch() with strictly bound parameterized placeholders ($1, $2, etc.), protecting the multi-tenant database layer against SQL Injection.
2. Hybrid pgvector Search: Integrated embedding_service into the primary searchMemories() handler. If query text is provided, we perform a vector similarity search (using corrected parameter-specific ::vector casting) and a keyword fallback search, merging and ranking results based on relevance/similarity scores.
3. Database Test Coverage: Added mock database unit tests verifying all CRUD, filtering, paging, and hybrid search operations.

Fixes # (No associated issue, open-source repository maturity task)

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Code refactoring
• Performance improvement
• Test addition/update

Changes Made

• Modified src/memory/store.ts:
  • Hardened dynamic queries in getMemories, searchMemories, and semanticSearch by using parameterized values instead of template string interpolation.
  • Enabled pgvector hybrid search in searchMemories when search text is specified, supporting sorting by relevance (similarity), importance, and createdAt.
  • Fixed syntax error in pgvector casting by changing (embedding <=> $param)::vector to (embedding <=> $param::vector).
• Modified tests/memory/semantic_search.test.ts:
  • Added unit tests for all MemoryStore CRUD operations using a mocked database client.
  • Covered paging, filtering (types, dates, agents), soft/hard delete, restore, version updates, and hybrid semantic search.
  • Mocked the embedding service to prevent dependency on live network requests or external credentials during local testing.

Testing

Describe the testing you performed:

• Manual testing completed
• Unit tests added/updated
• Integration tests added/updated
• All tests pass locally

Test details:

• Executed bun run test locally. All 139 tests passed successfully (including all 7 new MemoryStore operations tests).
• Verified TypeScript compilation using tsc --noEmit (0 compilation/type errors).
• Verified linter checks via eslint (0 warnings or errors).

Checklist

• My code follows the code style of this project (see CONTRIBUTING.md)
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings or linter errors
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Security Considerations

• No sensitive data (API keys, passwords, etc.) included
• Input validation added where necessary (Zod validated schemas utilized)
• Tenant isolation maintained (strict tenant_id filtering parameterized)
• Audit logging implemented (for financial operations)
• No SQL injection vulnerabilities introduced (strictly parameterized all inputs)

Screenshots (if applicable)

N/A (Backend logic change)

Additional Notes

• All parameterized database operations use sql.unsafe() with variable parameters arrays, ensuring complete safety from SQL injection vectors.
• Parameterized placeholders in vector operations (e.g. 1 - (embedding <=> $param::vector)) are correctly cast to avoid runtime syntax exceptions.

Reviewers

@Alexi5000

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the MemoryStore query building to use parameterized SQL (reducing SQL injection risk) and expands the semantic search tests to cover MemoryStore CRUD and search behavior.

Changes:

• Reworked getMemories, searchMemories, and semanticSearch to use $n placeholders with sql.unsafe(query, values) instead of interpolating user input into SQL.
• Added hybrid semantic+keyword search behavior to searchMemories with embedding-generation fallback.
• Expanded test coverage with a mock DB helper and CRUD/search tests for MemoryStore.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
tests/memory/semantic_search.test.ts	Adds DB mocking + MemoryStore CRUD/search tests, including parameterization assertions and hybrid search coverage.
src/memory/store.ts	Converts dynamic SQL conditions to placeholder-based parameterization and implements hybrid semantic search/fallback logic.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.