From 7a64b542a2598db17ab76110e25d260463de7d29 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sat, 16 May 2026 06:04:50 +0700
Subject: [PATCH] fix(security): plaintext http bearer auth detection exists but no

The integrations/pi/security.ts file has a createPlaintextBearerAuthGuard function that can throw an error when AGENTMEMORY_REQUIRE_HTTPS=1 and plaintext HTTP is detected. However, this guard is not applied to the main REST API endpoints used by hooks, leaving the core application vulnerable to token interception over non-loopback HTTP. Affected files: security.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 integrations/pi/security.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/integrations/pi/security.ts b/integrations/pi/security.ts
index 4db0e529..1e77d976 100644
--- a/integrations/pi/security.ts
+++ b/integrations/pi/security.ts
@@ -33,3 +33,5 @@ export function createPlaintextBearerAuthGuard(
 }
 };
 }
+
+export const guardPlaintextBearerAuth = createPlaintextBearerAuthGuard();
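Review bot: The added `export const guardPlaintextBearerAuth = createPlaintextBearerAuthGuard();` only instantiates the guard; nothing in this patch calls it, and the diffstat shows one file with two insertions, so the hook REST endpoints named in the commit message still send bearer tokens without the check unless call sites are wired up elsewhere. The factory's signature and body start outside the hunk, so it cannot be confirmed here that it accepts zero arguments, or whether it reads `AGENTMEMORY_REQUIRE_HTTPS` when the guard is created rather than when it is invoked; if it reads it at creation, this module-level instance freezes the setting at import time, which is worth verifying. The export also needs a doc comment stating the contract, for example `/** Shared guard built with default options; call it before attaching a bearer token to any outgoing request. */`. A test that sets `AGENTMEMORY_REQUIRE_HTTPS=1` and asserts that a request to a non-loopback `http://` URL through the hook client is rejected would show that the guard is actually enforced.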