What is the 'Neural Link'?

The Neural Link is a bi-directional bridge that connects AI agents (like Gemini or Claude) directly to the Neo.mjs runtime. It allows agents to 'see' the application's Scene Graph, inspect component state, verify event listeners, and even mutate the running application in real-time. This turns the application into a 'glass box' for AI, enabling autonomous debugging and feature development.

Why is Neo.mjs called an 'Application Engine' instead of a framework?

Traditional frameworks are general-purpose libraries (like a Toyota) that help you organize code, but they compile away into ephemeral DOM nodes. Neo.mjs is a precision-engineered runtime (like an F1 car), similar to Unreal Engine for games. It maintains a persistent 'Scene Graph' of objects in a separate worker thread. These objects retain their identity, state, and relationships, allowing for advanced capabilities like multi-window orchestration, runtime permutation, and deep AI introspection that are impossible with 'melted plastic' DOM-based frameworks.

What is 'Context Engineering'?

Context Engineering is the practice of curating the environment and information flow for AI agents to maximize their autonomy. In Neo.mjs, this is implemented via three Model Context Protocol (MCP) servers: a Knowledge Base for semantic code understanding, a Memory Core for learning from past sessions, and a GitHub Workflow server for project management. This ecosystem allows agents to work as fully integrated members of the development team.

What is 'Object Permanence' in the context of Neo.mjs?

In Neo.mjs, UI components are persistent JavaScript objects living in the App Worker, not just transient rendering results. This 'Object Permanence' means a component (like a Dashboard) maintains its state (scroll position, user input, internal logic) even if it is detached from the DOM or moved to a different browser window. This is the 'Lego Technic' approach versus the 'Duplo' approach of traditional frameworks.

What is an 'Agent Operating System'?

Neo.mjs v11 introduced the concept of an Agent OS, where the platform itself provides the tools and interfaces for AI agents to operate. It combines a standalone, type-safe AI SDK for autonomous 'Code Execution' with the Neural Link for runtime control. This enables agents to monitor, debug, and heal the application autonomously, effectively acting as an operating system for synthetic intelligence.

How does Neo.mjs handle multi-window applications?

Neo.mjs uses shared web workers to run a single application instance across multiple browser windows. All windows share the same application state and data in real-time. Components can even move between windows while retaining their JavaScript instances. This enables desktop-class experiences like multi-window IDEs, browser-based email clients, and multi-screen control rooms.

What makes Neo.mjs different from React, Angular, or Vue?

Neo.mjs is fundamentally different in its architecture: (1) It uses True Multithreading via web workers to prevent UI jank, (2) It is an AI-Native Application Engine with built-in bridges for AI collaboration, and (3) It treats components as persistent objects in a Scene Graph, enabling native multi-window support and runtime permutation.

Frontmatter

id	10845
title	Block destructive AI substrate ops on production paths
state	Closed
labels	enhancementaitestingarchitecturemodel-experience
assignees	neo-gpt
createdAt	May 6, 2026, 11:02 PM
updatedAt	May 7, 2026, 9:24 AM
githubUrl	https://github.com/neomjs/neo/issues/10845
author	neo-gpt
commentsCount	5
parentIssue	null
subIssues	10867 Mock Memory Core Chroma collections in Playwright unit tests
subIssuesCompleted	1
subIssuesTotal	1
blockedBy	[]
blocking	[]
closedAt	May 7, 2026, 8:36 AM

Block destructive AI substrate ops on production paths

Name: Neo.mjs Application Engine
Author: Neo.mjs

Closedenhancementaitestingarchitecturemodel-experience

neo-gpt commented on May 6, 2026, 11:02 PM

Context

Neo has several legitimate destructive operations for AI substrate maintenance: dropping Chroma collections, truncating Memory Core graph tables, and replacing imported graph state. Those operations are useful when an operator intentionally resets a disposable test store or runs a controlled substrate maintenance task.

The preventive hardening gap is that destructive call sites currently rely on caller discipline to ensure the active target is disposable. Tests and maintenance scripts should have a shared failsafe that refuses destructive operations unless the resolved storage target is clearly test-local, temporary, or explicitly operator-authorized.

This ticket is preventive operational substrate / MX hardening. It creates a reusable path-discipline primitive for destructive AI-store operations across Memory Core and Knowledge Base surfaces.

The Problem

Test isolation tickets and local tmp-path conventions reduce accidental pollution, but they do not form a universal guard around the destructive operations themselves. If a test, script, or MCP call reaches a destructive method with production-like defaults still active, the destructive method has no final path-aware stop sign.

The dangerous operation classes are narrow and identifiable:

Chroma collection deletion, such as Memory Core CollectionProxy.drop().
Knowledge Base collection deletion through VectorService.deleteCollection().
SQLite graph table truncation or replace-mode import.
Any future mass-delete or drop path added to Memory Core / Knowledge Base services.

The fix belongs at the destructive boundary, not only in individual specs. Every destructive call should prove the target is disposable before it executes.

The Architectural Reality

ai/mcp/server/memory-core/managers/CollectionProxy.mjs:87-105 drops Memory Core Chroma collections through deleteCollection.
ai/mcp/server/memory-core/services/DatabaseService.mjs:229-233 truncates graph tables during replace-mode graph import.
ai/mcp/server/memory-core/services/DatabaseService.mjs:456-504 exposes truncateDatabase() for memories, summaries, and graph.
ai/mcp/server/knowledge-base/services/VectorService.mjs:55-63 deletes the Knowledge Base Chroma collection.
ai/mcp/server/knowledge-base/services/DatabaseService.mjs:249-260 exposes the delete action through manageKnowledgeBase().
ai/mcp/server/memory-core/config.mjs:197-199 defines the default Memory Core graph path under .neo-ai-data/sqlite/.
ai/mcp/server/knowledge-base/config.mjs:114 defines the default Knowledge Base Chroma path under .neo-ai-data/chroma/knowledge-base.
Prior test-isolation work (#9746, #10786) shows that local test path discipline is a recurring substrate concern, but this ticket is a lower-level failsafe around destructive operations themselves.

The Fix

Introduce a shared destructive-operation guard for AI data stores.

The guard should resolve the active target path or storage descriptor before destructive execution and allow the operation only when one of these is true:

The target is explicitly in-memory (:memory:).
The resolved target is under a disposable test root, such as os.tmpdir() or repo-local tmp/.
A legitimate production destructive operation is explicitly authorized by both process.env.NEO_ALLOW_PRODUCTION_DESTRUCTIVE === 'true' and an operator-confirmation mechanism appropriate to the caller surface.

Use the guard at Memory Core and Knowledge Base destructive call sites. Avoid one-off regex checks scattered through specs; the point is a reusable substrate primitive.

Contract Ledger Matrix

Target Surface	Source of Authority	Proposed Behavior	Fallback / Edge Case	Docs	Evidence
Destructive AI-store guard helper	This ticket, prior test-isolation substrate work	Accepts operation metadata and a resolved target descriptor; returns success only for disposable targets or explicitly authorized production operations.	Missing, relative, or unresolved paths fail closed with an operator-actionable error.	JSDoc documents accepted disposable targets and bypass contract.	Unit tests for `:memory:`, temp paths, repo `tmp/`, production defaults, and missing paths.
Memory Core Chroma drop path	`CollectionProxy.drop()`	Calls the guard before deleting memory/session Chroma collections.	Refuses deletion when the active target cannot be proven disposable and no operator bypass is present.	Method docs name the guard and bypass contract.	Targeted test proves production-like collection drop is blocked and tmp-backed drop succeeds.
Memory Core SQLite graph truncation	`DatabaseService.truncateDatabase()` and replace-mode graph import	Calls the guard before `DELETE FROM Nodes` / `DELETE FROM Edges` or equivalent mass-delete paths.	Refuses truncation for default `.neo-ai-data/sqlite/` paths unless operator bypass is present.	DatabaseService docs updated.	Targeted tests for graph truncate allowed under tmp and blocked under production-like path.
Knowledge Base collection deletion	`VectorService.deleteCollection()` / `manageKnowledgeBase({action: 'delete'})`	Calls the guard before deleting the KB Chroma collection.	Refuses deletion for default `.neo-ai-data/chroma/knowledge-base` unless operator bypass is present.	KB deletion docs updated.	Targeted tests for KB delete allowed under tmp and blocked under production-like path.
Production destructive bypass	Operator confirmation contract	Requires `NEO_ALLOW_PRODUCTION_DESTRUCTIVE=true` plus an explicit confirmation mechanism.	Env var alone is insufficient if the caller surface can provide a confirmation prompt/token; noninteractive surfaces must return a clear blocked error unless explicitly designed otherwise.	Operator docs state the exact bypass flow.	Tests prove env-only bypass fails where confirmation is required.

Acceptance Criteria

A shared destructive-operation guard exists for AI data stores; destructive call sites do not implement ad hoc path checks.
The guard permits :memory: targets and resolved disposable test roots.
The guard blocks default .neo-ai-data/ Memory Core / Knowledge Base targets by default.
Memory Core Chroma collection drops call the guard before deleteCollection.
Memory Core SQLite graph truncation and replace-mode graph import call the guard before mass deletion.
Knowledge Base collection deletion calls the guard before deleteCollection.
A production destructive bypass requires NEO_ALLOW_PRODUCTION_DESTRUCTIVE=true plus explicit operator confirmation.
Tests cover allowed disposable targets, blocked production-like targets, and bypass behavior.

Out of Scope

Changing normal read/write Memory Core or Knowledge Base behavior.
Removing legitimate maintenance operations.
Reworking all test path setup. This ticket guards destructive boundaries; individual test cleanup remains separate.
Reactive postmortem framing. This is preventive substrate hardening.

Avoided Traps

Spec-only patching: fixing individual tests does not protect future scripts or MCP paths.
String-only regex discipline: the guard should resolve paths where possible before deciding whether a target is disposable.
Env-only bypass: a single environment flag is too easy to inherit accidentally; production destructive behavior needs an operator confirmation step.

#9746 — local test data isolation under workspace tmp
#10786 — test-isolation bug in harness lifecycle tests
#10822 — config substrate cleanup epic context

Origin Session ID: ab6b2fad-6660-4148-a0c7-474c0131a6bf

Retrieval Hint: query_raw_memories(query="destructive operation production path guard deleteCollection SQLite truncate test isolation")

tobiu referenced in commit c8374a9 - "feat(agentos): guard destructive substrate operations (#10845) (#10873) on May 7, 2026, 8:36 AM

tobiu closed this issue on May 7, 2026, 8:36 AM

tobiu referenced in commit 1dfcec8 - "feat(ai/backup): extend bundle-meta + integrity check + mailbox (#10871) (#10876) on May 7, 2026, 9:21 AM

tobiu referenced in commit 36db57e - "feat(ai/restore): bundle-aware restore orchestrator + npm run ai:restore (#10871) (#10886) on May 7, 2026, 1:12 PM

tobiu referenced in commit fcc4f2b - "feat(ai-restore): preserve-live merge semantics + per-incident filter/targeting/hooks (#11141) (#11143) on May 10, 2026, 9:37 PM