The memory system is a folder of markdown files. Fine for one user, but it breaks badly with concurrent sessions — and the docs literally document it as expected behavior. The "scheduler" is a daemon that wakes up every 30 minutes to read a HEARTBEAT.md checklist. The MCP integration felt bolted on. And after the CVE batch, I started looking more carefully at the auth story — disabled by default, which is how 40K+ instances ended up on Censys.
I didn't want to patch it. The issues are architectural, not bugs. So a few weeks ago I started a rewrite in Go to see if I could fix the fundamentals:
- Memory: Neo4j graph database (typed relationships, proper queries). File-based fallback for people who don't want to run Neo4j.
- Multi-user: Each user on each channel is a first-class entity with isolated history, permissions, and a pairing flow.
- Scheduler: Real task runner with cron expressions and ISO 8601 datetimes.
- MCP: Streamable HTTP, full OAuth 2.1 flow, per-user permission matrix.
- Security: Auth on by default, encrypted secrets backend (OpenBao or file), no plain-text API keys.
- Performance: 200ms cold start, 30MB RAM with everything loaded. Runs fine on a Raspberry Pi 3.
It worked better than I expected, so I cleaned it up and published it.
It's still Beta and rough around some edges. GPL-3.0.
github.com/Neirth/OpenLobster

Docs: neirth.gitbook.io/openlobster
Happy to answer questions about the architecture or any of the decisions.