feat: add Maple TEE-encrypted embedding provider for memory_search

AnthonyRonning · AnthonyRonning · commit 818f4f425820 · 2026-01-29T02:40:05.000-06:00
Adds nomic-embed-text embedding support via Maple's TEE-secured API:
- New embeddings-maple.ts provider using customFetch for encrypted requests
- Auto-selects maple when MAPLE_API_KEY is set (before openai/gemini)
- Adds 'maple' to provider/fallback options in config types
- Uses same session/encryption flow as inference requests
diff --git a/src/agents/memory-search.ts b/src/agents/memory-search.ts
@@ -10,7 +10,7 @@ export type ResolvedMemorySearchConfig = {
   enabled: boolean;
   sources: Array<"memory" | "sessions">;
   extraPaths: string[];
-  provider: "openai" | "local" | "gemini" | "auto";
+  provider: "openai" | "local" | "gemini" | "maple" | "auto";
   remote?: {
     baseUrl?: string;
     apiKey?: string;
@@ -26,7 +26,7 @@ export type ResolvedMemorySearchConfig = {
   experimental: {
     sessionMemory: boolean;
   };
-  fallback: "openai" | "gemini" | "local" | "none";
+  fallback: "openai" | "gemini" | "local" | "maple" | "none";
   model: string;
   local: {
     modelPath?: string;
diff --git a/src/config/types.tools.ts b/src/config/types.tools.ts
@@ -233,8 +233,8 @@ export type MemorySearchConfig = {
     /** Enable session transcript indexing (experimental, default: false). */
     sessionMemory?: boolean;
   };
-  /** Embedding provider mode. */
-  provider?: "openai" | "gemini" | "local";
+  /** Embedding provider mode (OpenSecret fork adds "maple" for TEE-encrypted embeddings). */
+  provider?: "openai" | "gemini" | "local" | "maple";
   remote?: {
     baseUrl?: string;
     apiKey?: string;
@@ -252,8 +252,8 @@ export type MemorySearchConfig = {
       timeoutMinutes?: number;
     };
   };
-  /** Fallback behavior when embeddings fail. */
-  fallback?: "openai" | "gemini" | "local" | "none";
+  /** Fallback behavior when embeddings fail (OpenSecret fork adds "maple"). */
+  fallback?: "openai" | "gemini" | "local" | "maple" | "none";
   /** Embedding model id (remote) or alias (local). */
   model?: string;
   /** Local embedding settings (node-llama-cpp). */
diff --git a/src/memory/embeddings-maple.ts b/src/memory/embeddings-maple.ts
@@ -0,0 +1,84 @@
+/**
+ * Maple TEE-encrypted embedding provider using nomic-embed-text
+ */
+import { requireApiKey, resolveApiKeyForProvider } from "../agents/model-auth.js";
+import { createMapleCustomFetch } from "../agents/pi-embedded-runner/maple-fetch.js";
+import { MAPLE_DEFAULT_BASE_URL } from "../agents/models-config.providers.js";
+import type { EmbeddingProvider, EmbeddingProviderOptions } from "./embeddings.js";
+
+export type MapleEmbeddingClient = {
+  baseUrl: string;
+  model: string;
+  customFetch: typeof fetch;
+};
+
+export const DEFAULT_MAPLE_EMBEDDING_MODEL = "nomic-embed-text";
+
+export async function createMapleEmbeddingProvider(
+  options: EmbeddingProviderOptions,
+): Promise<{ provider: EmbeddingProvider; client: MapleEmbeddingClient }> {
+  const client = await resolveMapleEmbeddingClient(options);
+  const url = `${client.baseUrl.replace(/\/$/, "")}/embeddings`;
+
+  const embed = async (input: string[]): Promise<number[][]> => {
+    if (input.length === 0) return [];
+    const res = await client.customFetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ model: client.model, input }),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`maple embeddings failed: ${res.status} ${text}`);
+    }
+    const payload = (await res.json()) as {
+      data?: Array<{ embedding?: number[] }>;
+    };
+    const data = payload.data ?? [];
+    return data.map((entry) => entry.embedding ?? []);
+  };
+
+  return {
+    provider: {
+      id: "maple",
+      model: client.model,
+      embedQuery: async (text) => {
+        const [vec] = await embed([text]);
+        return vec ?? [];
+      },
+      embedBatch: embed,
+    },
+    client,
+  };
+}
+
+export async function resolveMapleEmbeddingClient(
+  options: EmbeddingProviderOptions,
+): Promise<MapleEmbeddingClient> {
+  const remote = options.remote;
+  const remoteApiKey = remote?.apiKey?.trim();
+  const remoteBaseUrl = remote?.baseUrl?.trim();
+
+  const apiKey = remoteApiKey
+    ? remoteApiKey
+    : requireApiKey(
+        await resolveApiKeyForProvider({
+          provider: "maple",
+          cfg: options.config,
+          agentDir: options.agentDir,
+        }),
+        "maple",
+      );
+
+  const providerConfig = options.config.models?.providers?.maple;
+  const baseUrl =
+    remoteBaseUrl ||
+    providerConfig?.baseUrl?.trim() ||
+    process.env.MAPLE_API_URL?.trim() ||
+    MAPLE_DEFAULT_BASE_URL;
+
+  const model = options.model?.trim() || DEFAULT_MAPLE_EMBEDDING_MODEL;
+  const customFetch = createMapleCustomFetch(apiKey);
+
+  return { baseUrl, model, customFetch };
+}
diff --git a/src/memory/embeddings.ts b/src/memory/embeddings.ts
@@ -4,10 +4,12 @@ import type { Llama, LlamaEmbeddingContext, LlamaModel } from "node-llama-cpp";
 import type { MoltbotConfig } from "../config/config.js";
 import { resolveUserPath } from "../utils.js";
 import { createGeminiEmbeddingProvider, type GeminiEmbeddingClient } from "./embeddings-gemini.js";
+import { createMapleEmbeddingProvider, type MapleEmbeddingClient } from "./embeddings-maple.js";
 import { createOpenAiEmbeddingProvider, type OpenAiEmbeddingClient } from "./embeddings-openai.js";
 import { importNodeLlamaCpp } from "./node-llama.js";
 
 export type { GeminiEmbeddingClient } from "./embeddings-gemini.js";
+export type { MapleEmbeddingClient } from "./embeddings-maple.js";
 export type { OpenAiEmbeddingClient } from "./embeddings-openai.js";
 
 export type EmbeddingProvider = {
@@ -19,24 +21,25 @@ export type EmbeddingProvider = {
 
 export type EmbeddingProviderResult = {
   provider: EmbeddingProvider;
-  requestedProvider: "openai" | "local" | "gemini" | "auto";
-  fallbackFrom?: "openai" | "local" | "gemini";
+  requestedProvider: "openai" | "local" | "gemini" | "maple" | "auto";
+  fallbackFrom?: "openai" | "local" | "gemini" | "maple";
   fallbackReason?: string;
   openAi?: OpenAiEmbeddingClient;
   gemini?: GeminiEmbeddingClient;
+  maple?: MapleEmbeddingClient;
 };
 
 export type EmbeddingProviderOptions = {
   config: MoltbotConfig;
   agentDir?: string;
-  provider: "openai" | "local" | "gemini" | "auto";
+  provider: "openai" | "local" | "gemini" | "maple" | "auto";
   remote?: {
     baseUrl?: string;
     apiKey?: string;
     headers?: Record<string, string>;
   };
   model: string;
-  fallback: "openai" | "gemini" | "local" | "none";
+  fallback: "openai" | "gemini" | "local" | "maple" | "none";
   local?: {
     modelPath?: string;
     modelCacheDir?: string;
@@ -116,7 +119,7 @@ export async function createEmbeddingProvider(
   const requestedProvider = options.provider;
   const fallback = options.fallback;
 
-  const createProvider = async (id: "openai" | "local" | "gemini") => {
+  const createProvider = async (id: "openai" | "local" | "gemini" | "maple") => {
     if (id === "local") {
       const provider = await createLocalEmbeddingProvider(options);
       return { provider };
@@ -125,11 +128,15 @@ export async function createEmbeddingProvider(
       const { provider, client } = await createGeminiEmbeddingProvider(options);
       return { provider, gemini: client };
     }
+    if (id === "maple") {
+      const { provider, client } = await createMapleEmbeddingProvider(options);
+      return { provider, maple: client };
+    }
     const { provider, client } = await createOpenAiEmbeddingProvider(options);
     return { provider, openAi: client };
   };
 
-  const formatPrimaryError = (err: unknown, provider: "openai" | "local" | "gemini") =>
+  const formatPrimaryError = (err: unknown, provider: "openai" | "local" | "gemini" | "maple") =>
     provider === "local" ? formatLocalSetupError(err) : formatError(err);
 
   if (requestedProvider === "auto") {
@@ -145,7 +152,8 @@ export async function createEmbeddingProvider(
       }
     }
 
-    for (const provider of ["openai", "gemini"] as const) {
+    // OpenSecret fork: prefer maple when MAPLE_API_KEY is available
+    for (const provider of ["maple", "openai", "gemini"] as const) {
       try {
         const result = await createProvider(provider);
         return { ...result, requestedProvider };
diff --git a/src/memory/manager.ts b/src/memory/manager.ts
@@ -123,8 +123,8 @@ export class MemoryIndexManager {
   private readonly workspaceDir: string;
   private readonly settings: ResolvedMemorySearchConfig;
   private provider: EmbeddingProvider;
-  private readonly requestedProvider: "openai" | "local" | "gemini" | "auto";
-  private fallbackFrom?: "openai" | "local" | "gemini";
+  private readonly requestedProvider: "openai" | "local" | "gemini" | "maple" | "auto";
+  private fallbackFrom?: "openai" | "local" | "gemini" | "maple";
   private fallbackReason?: string;
   private openAi?: OpenAiEmbeddingClient;
   private gemini?: GeminiEmbeddingClient;
