Bug: Memory API /clear endpoint lacks authentication

[508704820]

Bug: Memory API /clear endpoint lacks authentication

Severity: HIGH

Description

The Memory Routes API (bounties/issue-2285/src/memory_routes.py) has a DELETE /api/memory/clear endpoint that deletes ALL memory for any agent, with NO authentication required.

Impact

• Any unauthenticated user can wipe an agent's entire memory
• This destroys conversation history, learned context, and operational data
• Could be used to disable agents by repeatedly clearing their memory

Steps to Reproduce

# Clear all memory for any agent
curl -X DELETE 'https://bottube.ai/api/memory/clear?agent_id=bcn_sophia_elya'
# → {"success": true, "deleted_count": 42}

Suggested Fix

Add admin key authentication to destructive endpoints (clear, delete).

Wallet: RTC9d7caca3039130d3b26d41f7343d8f4ef4592360

[saim256]

Submitted a focused fix for this issue: #4883

The PR patches the live bounties/issue-2285/src/memory_routes.py route, not a copied subtree. DELETE /api/memory/clear now fails closed when MEMORY_ADMIN_KEY is unset and requires a matching X-Admin-Key or X-API-Key before clearing memory.

Validation:

• python -m pytest bounties\issue-2285\tests\test_memory_routes.py -q -> 32 passed
• python -m py_compile bounties\issue-2285\src\memory_routes.py bounties\issue-2285\tests\test_memory_routes.py -> passed
• git diff --check -> passed
• python tools\bcos_spdx_check.py --base-ref origin/main -> OK

Wallet: RTC253255d034065a839cd421811ec589ae5b694ffc