Add openclaw-working-memory

[drMurlly]

What this PR does

Adds the openclaw-working-memory integration: an OpenClaw plugin that automatically captures every drafted artifact produced during an OpenClaw agent session and deposits it into DKG V10 Working Memory with status tags, provenance, content-hash deduplication, and secret redaction. Submission for the DKG V10 Bounty Program Round 1 (cfi-dkgv10-r1).

Integration links

• Repo: https://github.com/drMurlly/dkg-openclaw-working-memory
• Commit pinned: 17c09fe7ec03006807be20acfea4577c77b800c8
• Published package: dkg-openclaw-working-memory@1.0.5
• Design brief: https://github.com/drMurlly/dkg-openclaw-working-memory/blob/main/docs/DESIGN_BRIEF.md
• Demo (2m07s): https://github.com/drMurlly/dkg-openclaw-working-memory/releases/download/v1.0.5/dkg-demo-final-v2.mp4

Scope & faithfulness

• Integration uses only the supported public interfaces (HTTP API). It does not import internal DKG packages, patch node source, or write to SPARQL directly (bypassing the assertion lifecycle / Curator).
• memoryLayers correctly reflects which layer(s) the integration touches (WM primary; SWM via explicit promote tool).
• v10PrimitivesUsed correctly reflects which primitives are exercised (ContextGraph, Assertion, UAL, Integration, Curator).
• Terminology matches the v10 vocabulary (Context Graph, Assertion, Knowledge Asset, Curator, Entity, WM/SWM/VM).

Security declarations (Section 8a)

• security.networkEgress is empty — integration only contacts the local DKG node on 127.0.0.1.
• security.writeAuthority lists every DKG write operation. POST /api/assertion/{name}/promote is a Curator-authority op called only on user-confirmed conversational instruction, never automatically.
• security.credentialsHandled is empty — DKG bearer token is handled by the installer.
• The published package has no preinstall/install/postinstall scripts.
• The package is published with build provenance (npm publish --provenance via GitHub Actions OIDC).
• The pinned git SHA is the exact commit the published package was built from.

Contributor attestation

• This integration is my own work and is licensed Apache-2.0.
• It contains no intentional backdoors, malicious logic, or data-exfiltration paths beyond what is declared in security.networkEgress (which is empty).
• I understand that the integration may be delisted for any material misrepresentation in the registry entry.
• I commit to a minimum 6-month maintenance window post-acceptance.

Notes for the committee

Bounty round: Round 1 — tag cfi-dkgv10-r1
TRAC payment network preference: NeuroWeb (alternates: Base, Gnosis)
OriginTrail DKG V10 Terms & Conditions: Accepted.

Differentiation from existing first-party cursor-mcp-dkg: This is OpenClaw-native (agent-plugin install kind) with automatic event-driven capture — the agent_end hook fires on every assistant message, depositing artifacts without any user prompt required. Targets autoresearch / bug-bounty research workflows where knowledge accumulates continuously rather than being pulled on demand. The capture pipeline adds status tagging, content-hash deduplication, and secret redaction that the MCP server does not have.

Credible first user: the maintainer (drMurlly) actively uses OpenClaw for bug bounty research sessions on Immunefi and Code4rena. Every session produces vulnerability findings, research notes, and exploit hypotheses that vanish at session end today. With this plugin loaded, those artifacts persist as queryable Working Memory across sessions.