Ai

Claude Mem v12.3.7 Simplifies Local Worker Security and Context Injection

Claude Mem v12.3.7 Simplifies Local Worker Security and Context Injection

Claude Mem v12.3.7 is a focused infrastructure release that simplifies local single-user deployments by removing unnecessary bearer-token authentication from the worker API, eliminating an unused context injection filter, and introducing a lightweight in-memory rate limiter as a compensating safeguard. The update is less about flashy new features and more about reducing internal friction while keeping the local worker pipeline cleaner and easier to operate.

What Changed

The headline change in v12.3.7 is the removal of bearer-token authentication from the worker API. According to the release notes, the worker already binds to localhost and CORS only permits localhost origins, so the token requirement had become an operational burden for internal clients such as hooks, the CLI, the viewer, and sync scripts without adding meaningful protection in single-user local environments.

To balance that simplification, the release adds a new in-memory rate limiter set to 300 requests per minute. The limiter includes a few implementation details that matter for reliability: it normalises IPv4-mapped IPv6 addresses, returns Retry-After headers on HTTP 429 responses, and uses a size-guarded prune strategy that never runs on localhost.

The update also removes the unused platform_source query-time filter from the /api/context/inject pipeline. This cleanup touches multiple layers including ContextBuilder, ObservationCompiler, SearchRoutes, the context handler, and the transcripts processor. Importantly, the underlying database column remains in place, but the unused WHERE-clause filtering logic and its surrounding plumbing have been removed.

On the cleanup side, the project deleted src/shared/auth-token.ts and related authorization-dependent code across worker utilities, viewer routes, CORS header configuration, and the marketplace sync restart flow. It also stopped tracking .docker-blowout-data/claude-mem.db in version control and added that directory to .gitignore.

Why It Matters

For developers running Claude Mem locally, this release should make internal tooling easier to use and maintain. Removing token handling from a localhost-only worker reduces configuration friction across multiple internal clients and lowers the chances of auth mismatches during development or local automation.

Dropping the unused platform_source filter is also a meaningful maintenance improvement. Even though it does not change the stored schema, it reduces unnecessary complexity in the context injection pipeline, which can make future debugging and refactoring easier.

The addition of rate limiting shows that this is not simply a security rollback. Instead, v12.3.7 appears to be a deliberate shift toward controls that better match the actual deployment model: local-only access, less client overhead, and enough traffic protection to guard against runaway internal requests.

Overall, Claude Mem v12.3.7 is a practical quality-of-life release. It streamlines local API interactions, trims dead query logic, and cleans up source control hygiene around local database artifacts, making the platform easier to run for single-user setups.

Official Source: https://github.com/thedotmack/claude-mem/releases/tag/v12.3.7