Skip to content

fix(security): MEM-21 SDK and infrastructure hardening#99

Open
ducnmm wants to merge 2 commits intosec/security_fixfrom
feature/mem-21-sec-sdk-infrastructure-hardening
Open

fix(security): MEM-21 SDK and infrastructure hardening#99
ducnmm wants to merge 2 commits intosec/security_fixfrom
feature/mem-21-sec-sdk-infrastructure-hardening

Conversation

@ducnmm
Copy link
Copy Markdown
Collaborator

@ducnmm ducnmm commented Apr 13, 2026

Resolves MED-14, MED-17, MED-18, MED-22 (Phase 3 Medium severity).

@ducnmm
fix(security): MEM-21 SDK and infrastructure hardening (MED-14, MED-1…
c6062ad 
…7, MED-18, MED-22)

- MED-17: Accept Uint8Array | string for delegate key in MemWalConfig and
  MemWalManualConfig; add destroy() method to zero-fill key material;
  throw on post-destroy requests
- MED-18: Validate serverUrl at construction time in MemWal; throw if
  non-HTTPS and not localhost/127.0.0.1/::1 \u2014 prevents HTTP in production
- MED-14: Pin exact versions for all sidecar dependencies using actual
  installed versions from package-lock.json (seal=1.1.0, sui=2.6.0, walrus=1.0.3)
- MED-22: Add non-root user (appuser:appgroup) to Dockerfile runtime stage;
  chown /app before USER switch for least-privilege container execution
@ducnmm ducnmm requested a review from harrymove-ctrl April 13, 2026 03:30
@ducnmm
clean(mem-21): remove out-of-scope changes; restore MEM-11 CORS/auth;…
08392ab 
… keep SDK HTTPS/destroy/Uint8Array, Dockerfile non-root, pinned versions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@harrymove-ctrl harrymove-ctrl Awaiting requested review from harrymove-ctrl

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ducnmm