fix(security): tighten mem0 runtime defaults by JSONbored · Pull Request #73 · JSONbored/mem0-aio

JSONbored · 2026-05-10T01:43:56Z

Summary

Harden mem0-aio runtime, template, Dockerfile, and submodule defaults against the reported exposure and supply-chain findings.

Restore OpenMemory submodule origin to https://github.com/mem0ai/mem0.
Treat LLM_PROVIDER=auto and EMBEDDER_PROVIDER=auto as unset before persisting runtime env.
Default Elasticsearch/OpenSearch TLS certificate verification to true.
Restore HTTPS apt source enforcement before the first apt-get update and seed apt with a verified CA store.
Default the API/MCP service to 127.0.0.1, stop publishing host port 8765 by default, and document the explicit opt-in path.
Update Docker integration tests that intentionally map the direct API port to set MEM0_API_HOST=0.0.0.0.

These changes close the default API/MCP exposure, insecure TLS backend defaults, provider sentinel persistence, HTTP apt transport regression, and OpenMemory fork provenance risk.

/Users/shadowbook/.codex/worktrees/security-2026-05-09/aio-fleet/.venv/bin/python -m pytest -q tests/template -> 11 passed
docker build --progress=plain --platform linux/amd64 -t mem0-aio:pytest . -> passed
/Users/shadowbook/.codex/worktrees/security-2026-05-09/aio-fleet/.venv/bin/python -m pytest -q -> 22 passed
aio-fleet validate-repo --repo mem0-aio against this worktree -> passed

Catalog sync is handled separately in awesome-unraid after this source XML change.

fix(security): tighten mem0 runtime defaults

89d2e9b

JSONbored merged commit 5930331 into main May 10, 2026
3 checks passed

JSONbored deleted the codex/security-hardening-2026-05-09 branch May 10, 2026 01:45