feat: Claude Code hooks for automatic memory integration

.env.example

@@ -12,6 +12,19 @@ OM_PORT=8080
 # Leave empty to disable authentication (development only)
 OM_API_KEY=your-secret-api-key-here
 
+# Strict Authentication Mode (Production Safety)
+# When enabled, the server will refuse to start if OM_API_KEY is not set
+# Set to 'true' in production to prevent accidentally running without authentication
+# Default: false (backward compatible - issues warnings but allows unauthenticated access)
+OM_REQUIRE_AUTH=false
+
+# CORS Configuration (Cross-Origin Resource Sharing)
+# Comma-separated list of allowed origins for CORS requests
+# Leave empty to allow all origins with wildcard '*' (development only)
+# Example: OM_CORS_ALLOWED_ORIGINS=https://app.example.com,https://dashboard.example.com
+# Important: Set this in production to prevent unauthorized cross-origin requests
+# OM_CORS_ALLOWED_ORIGINS=
+
 # Rate Limiting
 # Enable rate limiting to prevent abuse
 OM_RATE_LIMIT_ENABLED=true
@@ -46,6 +59,17 @@ OM_PG_SCHEMA=public
 OM_PG_TABLE=openmemory_memories
 OM_PG_SSL=disable # disable | require
 
+# PostgreSQL Connection Pool Settings (Production Tuning)
+# Maximum number of clients in the pool (default: 20)
+# Recommendation: Set to 2-3x expected concurrent queries
+OM_PG_POOL_MAX=20
+# Minimum number of clients to keep in the pool (default: 0)
+OM_PG_POOL_MIN=0
+# Time in milliseconds a client can be idle before being removed (default: 30000 = 30 seconds)
+OM_PG_POOL_IDLE_TIMEOUT=30000
+# Time in milliseconds to wait for a connection from the pool (default: 10000 = 10 seconds)
+OM_PG_POOL_CONNECTION_TIMEOUT=10000
+
 # --------------------------------------------
 # Vector Store Backend
 # --------------------------------------------
@@ -103,6 +127,12 @@ OM_EMBED_DELAY_MS=200
 # Max request body size in bytes (default: 1MB)
 OM_MAX_PAYLOAD_SIZE=1000000
 
+# Webhook Security
+# GitHub Webhook Secret (for validating webhook signatures)
+# Generate with: openssl rand -hex 20
+# Configure this same secret in your GitHub webhook settings
+GITHUB_WEBHOOK_SECRET=your-github-webhook-secret-here
+
 # --------------------------------------------
 # Embedding Provider API Keys
 # --------------------------------------------
@@ -239,3 +269,9 @@ OM_COMPRESSION_ALGORITHM=auto
 OM_LG_NAMESPACE=default
 OM_LG_MAX_CONTEXT=50
 OM_LG_REFLECTIVE=true
+
+# --------------------------------------------
+# Dashboard Settings
+# --------------------------------------------
+# CDN hostname for images (optional)
+# NEXT_PUBLIC_CDN_HOSTNAME=cdn.example.com

.gitea/workflows/build.yaml

@@ -0,0 +1,156 @@
+name: Build OpenMemory images
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - packages/openmemory-js/**
+      - dashboard/**
+      - .gitea/workflows/build.yaml
+
+jobs:
+  build-api:
+    runs-on: self-hosted
+    steps:
+      - name: Setup
+        run: |
+          buildah --version
+          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+          echo "SHORT_SHA=${SHORT_SHA}" >> "$GITHUB_ENV"
+
+      - name: Checkout
+        env:
+          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
+        run: |
+          REPO_URL="${{ github.server_url }}/${{ github.repository }}.git"
+          AUTH_URL=$(echo "$REPO_URL" | sed "s|https://|https://token:${DEPLOY_TOKEN}@|")
+          rm -rf checkout && git clone --depth=1 "$AUTH_URL" checkout
+
+      - name: Login to registry
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          buildah login -u rbrenner -p "${REGISTRY_TOKEN}" git.itsa.house
+
+      - name: Build API image
+        run: |
+          cd checkout/packages/openmemory-js
+          buildah bud --isolation=chroot \
+            -t git.itsa.house/homelab/openmemory-api:latest \
+            -t git.itsa.house/homelab/openmemory-api:${SHORT_SHA} \
+            -f Dockerfile .
+
+      - name: Push API image
+        run: |
+          push_retry() {
+            local img=$1 attempt=0
+            while [ $attempt -lt 3 ]; do
+              attempt=$((attempt + 1))
+              echo "Push attempt $attempt/3: $img"
+              if buildah push "$img"; then return 0; fi
+              echo "Attempt $attempt failed, retrying in 15s..."
+              sleep 15
+            done
+            echo "Push failed after 3 attempts: $img"
+            return 1
+          }
+          push_retry git.itsa.house/homelab/openmemory-api:latest
+          push_retry git.itsa.house/homelab/openmemory-api:${SHORT_SHA}
+
+      - name: Validate API image
+        run: |
+          buildah pull git.itsa.house/homelab/openmemory-api:${SHORT_SHA}
+          buildah inspect git.itsa.house/homelab/openmemory-api:${SHORT_SHA} | jq -r '.OCIv1.config.Entrypoint'
+          echo "VALIDATED: openmemory-api:${SHORT_SHA}"
+
+      - name: Notify success
+        if: success()
+        env:
+          WEBHOOK_URL: ${{ secrets.MATTERMOST_AGENT_WEBHOOK }}
+        run: |
+          curl -sf -X POST "$WEBHOOK_URL" \
+            -H 'Content-Type: application/json' \
+            -d "{\"text\": \"**[ci]** Built openmemory-api :${SHORT_SHA} (buildah)\", \"username\": \"Gitea CI\"}" || true
+
+      - name: Notify failure
+        if: failure()
+        env:
+          WEBHOOK_URL: ${{ secrets.MATTERMOST_ALERTS_WEBHOOK }}
+        run: |
+          curl -sf -X POST "$WEBHOOK_URL" \
+            -H 'Content-Type: application/json' \
+            -d "{\"text\": \"**[ci] FAILED** :rotating_light: openmemory-api build\nRun: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\", \"username\": \"Gitea CI\"}" || true
+
+  build-dashboard:
+    runs-on: self-hosted
+    steps:
+      - name: Setup
+        run: |
+          buildah --version
+          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+          echo "SHORT_SHA=${SHORT_SHA}" >> "$GITHUB_ENV"
+
+      - name: Checkout
+        env:
+          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
+        run: |
+          REPO_URL="${{ github.server_url }}/${{ github.repository }}.git"
+          AUTH_URL=$(echo "$REPO_URL" | sed "s|https://|https://token:${DEPLOY_TOKEN}@|")
+          rm -rf checkout && git clone --depth=1 "$AUTH_URL" checkout
+
+      - name: Login to registry
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        run: |
+          buildah login -u rbrenner -p "${REGISTRY_TOKEN}" git.itsa.house
+
+      - name: Build dashboard image
+        run: |
+          cd checkout/dashboard
+          buildah bud --isolation=chroot \
+            -t git.itsa.house/homelab/openmemory-dashboard:latest \
+            -t git.itsa.house/homelab/openmemory-dashboard:${SHORT_SHA} \
+            -f Dockerfile .
+
+      - name: Push dashboard image
+        run: |
+          push_retry() {
+            local img=$1 attempt=0
+            while [ $attempt -lt 3 ]; do
+              attempt=$((attempt + 1))
+              echo "Push attempt $attempt/3: $img"
+              if buildah push "$img"; then return 0; fi
+              echo "Attempt $attempt failed, retrying in 15s..."
+              sleep 15
+            done
+            echo "Push failed after 3 attempts: $img"
+            return 1
+          }
+          push_retry git.itsa.house/homelab/openmemory-dashboard:latest
+          push_retry git.itsa.house/homelab/openmemory-dashboard:${SHORT_SHA}
+
+      - name: Validate dashboard image
+        run: |
+          buildah pull git.itsa.house/homelab/openmemory-dashboard:${SHORT_SHA}
+          buildah inspect git.itsa.house/homelab/openmemory-dashboard:${SHORT_SHA} | jq -r '.OCIv1.config.Cmd'
+          echo "VALIDATED: openmemory-dashboard:${SHORT_SHA}"
+
+      - name: Notify success
+        if: success()
+        env:
+          WEBHOOK_URL: ${{ secrets.MATTERMOST_AGENT_WEBHOOK }}
+        run: |
+          curl -sf -X POST "$WEBHOOK_URL" \
+            -H 'Content-Type: application/json' \
+            -d "{\"text\": \"**[ci]** Built openmemory-dashboard :${SHORT_SHA} (buildah)\", \"username\": \"Gitea CI\"}" || true
+
+      - name: Notify failure
+        if: failure()
+        env:
+          WEBHOOK_URL: ${{ secrets.MATTERMOST_ALERTS_WEBHOOK }}
+        run: |
+          curl -sf -X POST "$WEBHOOK_URL" \
+            -H 'Content-Type: application/json' \
+            -d "{\"text\": \"**[ci] FAILED** :rotating_light: openmemory-dashboard build\nRun: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\", \"username\": \"Gitea CI\"}" || true