feat: add PostgreSQL + pgvector graph database backend

docker/Dockerfile.krolik

@@ -0,0 +1,65 @@
+# MemOS with Krolik Security Extensions
+# 
+# This Dockerfile builds MemOS with authentication, rate limiting, and admin API.
+# It uses the overlay pattern to keep customizations separate from base code.
+
+FROM python:3.11-slim
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    g++ \
+    build-essential \
+    libffi-dev \
+    python3-dev \
+    curl \
+    libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN groupadd -r memos && useradd -r -g memos -u 1000 memos
+
+WORKDIR /app
+
+# Use official Hugging Face
+ENV HF_ENDPOINT=https://huggingface.co
+
+# Copy base MemOS source
+COPY src/ ./src/
+COPY pyproject.toml ./
+
+# Install base dependencies
+RUN pip install --upgrade pip && \
+    pip install --no-cache-dir poetry && \
+    poetry config virtualenvs.create false && \
+    poetry install --no-dev --extras "tree-mem mem-scheduler"
+
+# Install additional dependencies for Krolik
+RUN pip install --no-cache-dir \
+    sentence-transformers \
+    torch \
+    transformers \
+    psycopg2-binary \
+    redis
+
+# Apply Krolik overlay (AFTER base install to allow easy updates)
+COPY overlays/krolik/ ./src/memos/
+
+# Create data directory
+RUN mkdir -p /data/memos && chown -R memos:memos /data/memos
+RUN chown -R memos:memos /app
+
+# Set Python path
+ENV PYTHONPATH=/app/src
+
+# Switch to non-root user
+USER memos
+
+EXPOSE 8000
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
+    CMD curl -f http://localhost:8000/health || exit 1
+
+# Use extended entry point with security features
+CMD ["gunicorn", "memos.api.server_api_ext:app", "--preload", "-w", "2", "-k", "uvicorn.workers.UvicornWorker", "--bind", "0.0.0.0:8000", "--timeout", "120"]

overlays/README.md

@@ -0,0 +1,86 @@
+# MemOS Overlays
+
+Overlays are deployment-specific customizations that extend the base MemOS without modifying core files.
+
+## Structure
+
+```
+overlays/
+└── krolik/                 # Deployment name
+    └── api/
+        ├── middleware/
+        │   ├── __init__.py
+        │   ├── auth.py         # API Key authentication
+        │   └── rate_limit.py   # Redis rate limiting
+        ├── routers/
+        │   ├── __init__.py
+        │   └── admin_router.py # API key management
+        ├── utils/
+        │   ├── __init__.py
+        │   └── api_keys.py     # Key generation utilities
+        └── server_api_ext.py   # Extended entry point
+```
+
+## How It Works
+
+1. **Base MemOS** provides core functionality (memory operations, embeddings, etc.)
+2. **Overlays** add deployment-specific features without modifying base files
+3. **Dockerfile** merges overlays on top of base during build
+
+## Dockerfile Usage
+
+```dockerfile
+# Clone base MemOS
+RUN git clone --depth 1 https://github.com/anatolykoptev/MemOS.git /app
+
+# Install base dependencies
+RUN pip install -r /app/requirements.txt
+
+# Apply overlay (copies files into src/memos/)
+RUN cp -r /app/overlays/krolik/* /app/src/memos/
+
+# Use extended entry point
+CMD ["gunicorn", "memos.api.server_api_ext:app", ...]
+```
+
+## Syncing with Upstream
+
+```bash
+# 1. Fetch upstream changes
+git fetch upstream
+
+# 2. Merge upstream into main (preserves overlays)
+git merge upstream/main
+
+# 3. Resolve conflicts if any (usually none in overlays/)
+git status
+
+# 4. Push to fork
+git push origin main
+```
+
+## Adding New Overlays
+
+1. Create directory: `overlays/<deployment-name>/`
+2. Add customizations following the same structure
+3. Create `server_api_ext.py` as entry point
+4. Update Dockerfile to use the new overlay
+
+## Security Features (krolik overlay)
+
+### API Key Authentication
+- SHA-256 hashed keys stored in PostgreSQL
+- Master key for admin operations
+- Scoped permissions (read, write, admin)
+- Internal service bypass for container-to-container
+
+### Rate Limiting
+- Redis-based sliding window algorithm
+- In-memory fallback for development
+- Per-key or per-IP limiting
+- Configurable via environment variables
+
+### Admin API
+- `/admin/keys` - Create, list, revoke API keys
+- `/admin/health` - Auth system status
+- Protected by admin scope or master key

overlays/krolik/api/middleware/__init__.py

@@ -0,0 +1,13 @@
+"""Krolik middleware extensions for MemOS."""
+
+from .auth import verify_api_key, require_scope, require_admin, require_read, require_write
+from .rate_limit import RateLimitMiddleware
+
+__all__ = [
+    "verify_api_key",
+    "require_scope",
+    "require_admin",
+    "require_read",
+    "require_write",
+    "RateLimitMiddleware",
+]