
fix: remove unused proxy code (closes #5)#6

Merged
0xRaghu merged 3 commits into main from fix/remove-unused-proxy on Apr 9, 2026

Conversation

Contributor

@0xRaghu 0xRaghu commented Apr 9, 2026

Summary

Removes the unused HTTP proxy code that had a security vulnerability reported in #5.

Problem

The proxy code:

  • Was never wired into the CLI (no mnemo proxy command exists)
  • Is not documented in README.md
  • Had an authentication vulnerability where it read ANTHROPIC_API_KEY from environment and forwarded it with zero authentication
  • Allowed any local process to consume API credits through the unauthenticated endpoint

Solution

Complete removal of the proxy feature. mnemo's current architecture uses:

  • MCP server (mnemo serve) for tool integration
  • Hooks (mnemo inject) for context injection
  • No HTTP interception needed

Changes

  • ✅ Deleted /proxy directory (server.go + server_test.go - 338 lines)
  • ✅ Updated CHANGELOG.md with removal entry
  • ✅ Updated SECURITY.md to remove proxy mention
  • ✅ Updated blocks.go comment to remove outdated proxy reference
  • ✅ Build verified successful

Impact

  • Security: Eliminates the vulnerability entirely
  • Breaking: None - the proxy was never exposed as a CLI command
  • Users: No impact - nobody was using the proxy feature

Closes #5
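To make the finding in #5 concrete, here is an added Go illustration; it is not the removed mnemo proxy code, whose exact shape the page does not show. It places a handler that attaches ANTHROPIC_API_KEY from the environment to every request it receives beside a variant that first checks a per-process secret, and probes both with an in-memory client. The X-Local-Token header, the "local-secret" value, the stub upstream and the key value are assumptions; removal, as this PR does, remains the right fix for a feature nobody uses.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// The shape reported in #5: any request reaching the listener gets the server's key attached
// and forwarded. Binding to loopback does not help, because the abusing process is local too.
func vulnerableHandler(upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Set("x-api-key", os.Getenv("ANTHROPIC_API_KEY"))
		upstream.ServeHTTP(w, r)
	})
}

// Hardened shape: the key is attached only after the caller presents a per-process secret
// (hypothetical X-Local-Token header), compared in constant time.
func authenticatedHandler(upstream http.Handler, localToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("X-Local-Token"))
		if localToken == "" || subtle.ConstantTimeCompare(got, []byte(localToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("x-api-key", os.Getenv("ANTHROPIC_API_KEY"))
		upstream.ServeHTTP(w, r)
	})
}

// probe plays a local client (with or without the token) against a stub upstream and
// reports the status code and whether the API key reached the upstream at all.
func probe(build func(http.Handler) http.Handler, clientToken string) (int, bool) {
	forwarded := false
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		forwarded = r.Header.Get("x-api-key") != ""
	})
	req := httptest.NewRequest(http.MethodPost, "/v1/messages", nil)
	req.Header.Set("X-Local-Token", clientToken) // empty string means no credential at all
	rec := httptest.NewRecorder()
	build(upstream).ServeHTTP(rec, req)
	return rec.Code, forwarded
}
func main() {
	os.Setenv("ANTHROPIC_API_KEY", "sk-ant-constructed-placeholder") // constructed, not a real key
	withAuth := func(u http.Handler) http.Handler { return authenticatedHandler(u, "local-secret") }
	fmt.Println(probe(vulnerableHandler, ""))    // 200 true: the key goes out for anyone
	fmt.Println(probe(withAuth, ""))             // 401 false: rejected before the key is read
	fmt.Println(probe(withAuth, "local-secret")) // 200 true: only the token holder is served
}
```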

0xRaghu and others added 3 commits April 9, 2026 12:30
The HTTP proxy code was experimental and never wired into the CLI.
mnemo's architecture uses MCP server + hooks for context injection,
not HTTP interception. This removal eliminates the security
vulnerability reported in #5.

Changes:
- Removed /proxy directory (server.go + server_test.go)
- Updated CHANGELOG.md with removal entry
- Updated SECURITY.md to remove proxy mention
- Updated blocks.go comment to remove proxy reference

The proxy had an authentication vulnerability where it read
ANTHROPIC_API_KEY from environment and forwarded it with zero
authentication, allowing any local process to consume API credits.
Since the feature was unused and undocumented, removal is the
correct fix.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

The GitHub Actions lint job was timing out with the default 1m timeout.
This adds a minimal .golangci.yml config that increases the timeout to 5m.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Use --timeout=5m as inline arg instead of config file.
Simpler and avoids version compatibility issues between
golangci-lint v1 (CI) and v2 (local).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@0xRaghu force-pushed the fix/remove-unused-proxy branch from 8fd196d to ffc4a97 on April 9, 2026 16:43
@0xRaghu merged commit a581262 into main on Apr 9, 2026
7 checks passed
@0xRaghu deleted the fix/remove-unused-proxy branch on April 9, 2026 16:46


Development

Successfully merging this pull request may close these issues.

Unauthenticated API key proxy: any local process can consume Anthropic credits

1 participant