Security: Plaintext HTTP bearer auth detection exists but not enforced

[tuanaiseo]

Problem

The integrations/pi/security.ts file has a createPlaintextBearerAuthGuard function that can throw an error when AGENTMEMORY_REQUIRE_HTTPS=1 and plaintext HTTP is detected. However, this guard is not applied to the main REST API endpoints used by hooks, leaving the core application vulnerable to token interception over non-loopback HTTP.

Severity: high
File: integrations/pi/security.ts

Solution

Apply the plaintext bearer auth guard to the main REST server initialization. Ensure AGENTMEMORY_REQUIRE_HTTPS=1 forces HTTPS or fails startup when using http:// to non-loopback addresses.

Changes

• integrations/pi/security.ts (modified)

Testing

• Existing tests pass
• Manual review completed
• No new warnings/errors introduced

Summary by CodeRabbit

• New Features
  • Added a preconfigured security guard for plaintext bearer authentication with default behavior settings. This guard can be applied immediately across your integrations without requiring manual configuration or instantiation. By providing a pre-configured option, users can more easily enforce consistent authentication policies across their systems with minimal effort and improved compliance.

[vercel]

@tuanaiseo is attempting to deploy a commit to the rohitg00's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an exported preconfigured guard constant, guardPlaintextBearerAuth, that instantiates the plaintext-bearer-auth enforcement guard with default parameters, allowing consumers to use it directly without manual instantiation overhead.

Changes

Plaintext bearer-auth guard export

Layer / File(s)	Summary
Preconfigured plaintext-bearer-auth guard export integrations/pi/security.ts	Exports a new constant guardPlaintextBearerAuth initialized with createPlaintextBearerAuthGuard() using default warning behavior, providing a shared reusable guard instance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• rohitg00/agentmemory#315: Introduced the plaintext-bearer-auth guard factory functions (createPlaintextBearerAuthGuard) that this PR's new export wraps and exposes as a preconfigured constant.

Poem

🐰 A guard stands ready, preconfigured and free,
No instantiation chains, just guardPlaintextBearerAuth to see,
Bearer tokens in plaintext? We warn with care,
Shared across the codebase, a constant to declare! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title describes detection existence but not enforcement, while the actual change adds an exported guard for enforcement—these concepts are somewhat contradictory.	Update title to reflect the actual change, such as 'Security: Export preconfigured plaintext HTTP bearer auth guard' or 'Security: Add exported guard for plaintext HTTP bearer auth enforcement'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@integrations/pi/security.ts`:
- Line 37: The exported constant guardPlaintextBearerAuth created via
createPlaintextBearerAuthGuard() is redundant because a separate local instance
is created and used in index.ts; remove the export (delete the export line and
keep no global exported guard) or, if you intend it to be shared, replace the
local instance in index.ts to import this exported symbol instead—update
references to use guardPlaintextBearerAuth or remove the global export so only
the local instance (the one in index.ts) enforces the guard.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 74e0caaa-971b-46e0-81f4-43170f954f80

📥 Commits

Reviewing files that changed from the base of the PR and between b7e1240 and 7a64b54.

📒 Files selected for processing (1)

• integrations/pi/security.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that the exported guard is actually wired into startup/runtime paths.

set -euo pipefail

echo "== Definition =="
rg -n -C2 'export const guardPlaintextBearerAuth|createPlaintextBearerAuthGuard\s*\(' --type=ts

echo
echo "== Usages of guardPlaintextBearerAuth (excluding its definition) =="
rg -n -C3 '\bguardPlaintextBearerAuth\s*\(' --type=ts

echo
echo "== Any direct guard factory usage in server/bootstrap code =="
rg -n -C3 'createPlaintextBearerAuthGuard\s*\(' --type=ts

echo
echo "== Heuristic check in likely REST/bootstrap files for invocation =="
rg -n -C3 'AGENTMEMORY_REQUIRE_HTTPS|baseUrl|secret|listen\(|createServer|express\(|fastify\(' --type=ts

Repository: rohitg00/agentmemory

Length of output: 50377

---

🏁 Script executed:

rg -n 'from.*security|import.*guardPlaintextBearerAuth' --type=ts | head -20

Repository: rohitg00/agentmemory

Length of output: 1581

---

🏁 Script executed:

rg -n 'import.*guardPlaintextBearerAuth|from.*security' --type=ts -A 2 | grep -v benchmark

Repository: rohitg00/agentmemory

Length of output: 555

---

🏁 Script executed:

rg -n 'security\.guardPlaintextBearerAuth|from.*security.*guardPlaintextBearerAuth' --type=ts

Repository: rohitg00/agentmemory

Length of output: 46

---

🏁 Script executed:

rg -n 'export.*guardPlaintextBearerAuth' --type=ts

Repository: rohitg00/agentmemory

Length of output: 169

---

🏁 Script executed:

rg -n 'agentmemoryExtension\|export default function' integrations/pi/index.ts -A 10 | head -30

Repository: rohitg00/agentmemory

Length of output: 46

---

🏁 Script executed:

sed -n '115,125p' integrations/pi/index.ts

Repository: rohitg00/agentmemory

Length of output: 486

---

🏁 Script executed:

sed -n '90,105p' integrations/pi/index.ts

Repository: rohitg00/agentmemory

Length of output: 687

---

The exported guard from security.ts is unused; actual enforcement uses a local instance in index.ts.

The export at line 37 serves no purpose — integrations/pi/index.ts defines its own instance (line 33) and invokes it at extension startup (lines 117–120 when AGENTMEMORY_REQUIRE_HTTPS === "1") and on every API request (line 98). Remove the redundant export or document why it exists.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@integrations/pi/security.ts` at line 37, The exported constant
guardPlaintextBearerAuth created via createPlaintextBearerAuthGuard() is
redundant because a separate local instance is created and used in index.ts;
remove the export (delete the export line and keep no global exported guard) or,
if you intend it to be shared, replace the local instance in index.ts to import
this exported symbol instead—update references to use guardPlaintextBearerAuth
or remove the global export so only the local instance (the one in index.ts)
enforces the guard.