feat: enable bank config API by default (#426)

Change DEFAULT_ENABLE_BANK_CONFIG_API from false to true, update all docs,
error messages, and client docstrings to reflect the new default. Remove
explicit env var overrides in CI and tests that are no longer needed.

Author: nicoloboschi

.github/workflows/test.yml

@@ -1332,7 +1332,6 @@ jobs:
         HINDSIGHT_API_LLM_MODEL=${{ env.HINDSIGHT_API_LLM_MODEL }}
         HINDSIGHT_API_LLM_VERTEXAI_SERVICE_ACCOUNT_KEY=/tmp/gcp-credentials.json
         HINDSIGHT_API_LLM_VERTEXAI_PROJECT_ID=$HINDSIGHT_API_LLM_VERTEXAI_PROJECT_ID
-        HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true
         EOF
 
     - name: Start API server

CLAUDE.md

@@ -323,4 +323,4 @@ Optional (uses local models by default):
 - `HINDSIGHT_API_EMBEDDINGS_PROVIDER`: local (default) or tei
 - `HINDSIGHT_API_RERANKER_PROVIDER`: local (default) or tei
 - `HINDSIGHT_API_DATABASE_URL`: External PostgreSQL (uses embedded pg0 by default)
-- `HINDSIGHT_API_ENABLE_BANK_CONFIG_API`: Enable per-bank config API (default: false, disabled for security)
+- `HINDSIGHT_API_ENABLE_BANK_CONFIG_API`: Enable per-bank config API (default: true)

hindsight-api/hindsight_api/api/http.py

@@ -3563,7 +3563,7 @@ async def api_get_bank_config(bank_id: str, request_context: RequestContext = De
         if not get_config().enable_bank_config_api:
             raise HTTPException(
                 status_code=404,
-                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to enable.",
+                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to re-enable.",
             )
         try:
             # Authenticate and set schema context for multi-tenant DB queries
@@ -3601,7 +3601,7 @@ async def api_update_bank_config(
         if not get_config().enable_bank_config_api:
             raise HTTPException(
                 status_code=404,
-                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to enable.",
+                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to re-enable.",
             )
         try:
             # Authenticate and set schema context for multi-tenant DB queries
@@ -3641,7 +3641,7 @@ async def api_reset_bank_config(bank_id: str, request_context: RequestContext =
         if not get_config().enable_bank_config_api:
             raise HTTPException(
                 status_code=404,
-                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to enable.",
+                detail="Bank configuration API is disabled. Set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true to re-enable.",
             )
         try:
             # Authenticate and set schema context for multi-tenant DB queries

hindsight-api/hindsight_api/config.py

@@ -396,7 +396,7 @@ def normalize_config_dict(config: dict[str, Any]) -> dict[str, Any]:
 DEFAULT_LOG_FORMAT = "text"  # Options: "text", "json"
 DEFAULT_WORKERS = 1
 DEFAULT_MCP_ENABLED = True
-DEFAULT_ENABLE_BANK_CONFIG_API = False  # Disabled by default for security
+DEFAULT_ENABLE_BANK_CONFIG_API = True
 DEFAULT_GRAPH_RETRIEVER = "link_expansion"  # Options: "link_expansion", "mpfp", "bfs"
 DEFAULT_MPFP_TOP_K_NEIGHBORS = 20  # Fan-out limit per node in MPFP graph traversal
 DEFAULT_RECALL_MAX_CONCURRENT = 32  # Max concurrent recall operations per worker

hindsight-api/tests/test_hierarchical_config.py

@@ -15,9 +15,6 @@
 from hindsight_api.extensions.tenant import TenantExtension
 from hindsight_api.models import RequestContext
 
-# Enable bank config API for all tests in this module
-os.environ["HINDSIGHT_API_ENABLE_BANK_CONFIG_API"] = "true"
-
 
 class MockTenantExtension(TenantExtension):
     """Mock tenant extension for testing tenant-level config."""

hindsight-cli/src/errors.rs

@@ -67,7 +67,7 @@ fn format_error_message(err: &anyhow::Error, api_url: &str) -> String {
                 "Bank configuration API is disabled".bright_red().bold(),
                 "API URL:".bright_yellow(),
                 api_url.bright_white(),
-                "This feature is disabled by default for security.".bright_yellow(),
+                "This feature has been disabled on the server.".bright_yellow(),
                 "To enable, set HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true on the API server".bright_white(),
                 "Note:".bright_cyan(),
                 "This allows per-bank LLM configuration overrides via API".bright_white()

hindsight-clients/python/hindsight_client/hindsight_client.py

@@ -1021,7 +1021,7 @@ def get_bank_config(self, bank_id: str) -> dict[str, Any]:
         """
         Get the resolved configuration for a bank, including any bank-level overrides.
 
-        Requires ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true`` on the server.
+        Can be disabled on the server by setting ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false``.
 
         Args:
             bank_id: The memory bank ID
@@ -1059,7 +1059,7 @@ def update_bank_config(
         """
         Update configuration overrides for a bank.
 
-        Requires ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true`` on the server.
+        Can be disabled on the server by setting ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false``.
 
         Args:
             bank_id: The memory bank ID
@@ -1111,7 +1111,7 @@ def reset_bank_config(self, bank_id: str) -> dict[str, Any]:
         """
         Reset all bank-level configuration overrides, reverting to server defaults.
 
-        Requires ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true`` on the server.
+        Can be disabled on the server by setting ``HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false``.
 
         Args:
             bank_id: The memory bank ID

hindsight-clients/typescript/src/index.ts

@@ -431,7 +431,7 @@ export class HindsightClient {
     /**
      * Get the resolved configuration for a bank, including any bank-level overrides.
      *
-     * Requires `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true` on the server.
+     * Can be disabled on the server by setting `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false`.
      */
     async getBankConfig(bankId: string): Promise<BankConfigResponse> {
         const response = await sdk.getBankConfig({
@@ -445,7 +445,7 @@ export class HindsightClient {
     /**
      * Update configuration overrides for a bank.
      *
-     * Requires `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true` on the server.
+     * Can be disabled on the server by setting `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false`.
      *
      * @param bankId - The memory bank ID
      * @param options - Fields to override
@@ -493,7 +493,7 @@ export class HindsightClient {
     /**
      * Reset all bank-level configuration overrides, reverting to server defaults.
      *
-     * Requires `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true` on the server.
+     * Can be disabled on the server by setting `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false`.
      */
     async resetBankConfig(bankId: string): Promise<BankConfigResponse> {
         const response = await sdk.resetBankConfig({

hindsight-docs/blog/2026-02-13-version-0-4-11.md

@@ -43,7 +43,7 @@ curl -X PATCH http://localhost:8888/v1/default/banks/my-bank/config \
   }'
 ```
 
-Configuration cascades from system defaults (env vars) → tenant overrides → bank-specific settings. The bank config API is disabled by default for security—enable it with `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true`.
+Configuration cascades from system defaults (env vars) → tenant overrides → bank-specific settings. The bank config API is enabled by default and can be disabled with `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=false`.
 
 Type-safe access prevents accidentally using global defaults when bank overrides exist. See the Configuration Guide for details on hierarchical configuration.
 

hindsight-docs/docs/developer/api/memory-banks.mdx

@@ -158,10 +158,6 @@ Disposition traits and `mission` only affect the `reflect` operation. `retain_mi
 
 Bank configuration fields (retain mission, extraction mode, observations mission, etc.) are managed via a **separate config API**, not the `create_bank` call. This lets you change operational settings independently from the bank's identity and disposition.
 
-:::note
-The bank config API must be enabled on the server with `HINDSIGHT_API_ENABLE_BANK_CONFIG_API=true`.
-:::
-
 ### Setting Configuration Overrides
 
 <Tabs>