MentisDB 0.10.1.46 — Built-in Bearer Token Auth, TLS Cert CLI, and Search-First Discipline
This release is a security and operational milestone: built-in bearer-token authentication for remote MCP servers,
a mentisdb cert CLI for TLS certificate management, and a search-first discipline
baked into the agent skill file. Together these changes make it practical to run MentisDB on a non-loopback interface —
the missing piece for production HTTPS MCP / REST deployments.
Bearer Token Authentication (Headline Feature)
Set MENTISDB_BEARER_TOKEN_ACCESS=true and every Streamable HTTP MCP and legacy HTTP MCP route now requires
Authorization: Bearer <token>. Tokens are stored as SHA-256 hashes only — never plaintext.
This is the prerequisite for any non-loopback deployment of the HTTPS MCP and REST surfaces.
Tokens can be global (access every chain + server-wide tools like mentisdb_list_chains) or
chain-scoped (restricted to an explicit chain set). The new CLI makes issuance explicit:
# Global token
mentisdb bearertoken create --global my-global-token
# Chain-scoped token (one or more chains)
mentisdb bearertoken create --chain chain-a --chain chain-b my-scoped-token
# List / revoke
mentisdb bearertoken list --global
mentisdb bearertoken remove my-global-token
Dashboard: Bearer Tokens Page + Settings Enhancements
A new Bearer Tokens page joins the header navigation (Chains | Agents | Skills | Bearer Tokens | Settings).
It exposes the feature toggle, alias input, Global/Chains radio controls, a multi-chain selector table,
one-time token display with copy-to-clipboard, a token table, and revoke actions.
The Settings page now edits MENTISDB_BEARER_TOKEN_ACCESS and includes a
Restart Daemon button for environment changes that require a restart.
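The token rule described above (hash-only storage, global versus chain-scoped access, revoke by alias) as an added Python model; this is not MentisDB's own code, and the in-memory store layout is an assumption, while the mentisdb_ prefix comes from the release notes.

```python
"""Model of the bearer-token rule: plaintext is returned once at issuance,
only the SHA-256 digest is kept, and scope is global or an explicit chain set.
Added example, not MentisDB's own code; the in-memory store is an assumption."""
import hashlib
import secrets


class TokenStore:
    def __init__(self):
        # sha256 hex digest -> {"alias": str, "chains": None | frozenset}
        self._by_hash = {}

    def create(self, alias, chains=None):
        """Issue a token (mentisdb_ prefix as in the release notes) and return the
        plaintext exactly once; the store keeps only its digest."""
        token = "mentisdb_" + secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        scope = None if chains is None else frozenset(chains)  # None = global
        self._by_hash[digest] = {"alias": alias, "chains": scope}
        return token

    def revoke(self, alias):
        self._by_hash = {h: r for h, r in self._by_hash.items() if r["alias"] != alias}

    def lookup(self, authorization_header):
        """Resolve an Authorization header to a token record, or None."""
        if not authorization_header:
            return None
        scheme, _, credential = authorization_header.strip().partition(" ")
        if scheme.lower() != "bearer" or not credential.strip():
            return None
        # Hash the presented value and look it up; plaintext is never compared.
        digest = hashlib.sha256(credential.strip().encode()).hexdigest()
        return self._by_hash.get(digest)


def authorize(store, authorization_header, chain=None):
    """chain=None means a server-wide tool such as mentisdb_list_chains,
    which only a global token may call; chain-scoped tokens need chain in set."""
    record = store.lookup(authorization_header)
    if record is None:
        return False
    if record["chains"] is None:
        return True
    return chain is not None and chain in record["chains"]
```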
mentisdb cert — TLS Certificate Management
A new subcommand mints self-signed TLS certificates for the HTTPS MCP / REST surfaces and the web dashboard.
It writes MENTISDB_TLS_CERT / MENTISDB_TLS_KEY into the local .env so the next daemon start picks them up automatically.
mentisdb cert # factory-default SAN set
mentisdb cert 192.0.2.10 # add IP SAN
mentisdb cert my.mentisdb.com # add DNS SAN
mentisdb cert --force # regenerate existing
mentisdb cert --reset # delete + fresh factory cert
mentisdb cert --out-dir /custom/path
mentisdb cert --env-file /path/.env
mentisdb cert --no-env-update # print export lines only
The standard SAN set (my.mentisdb.com, localhost, 127.0.0.1, every unicast interface IP, plus MENTISDB_BIND_HOST when it's a DNS name) is always included; the user-supplied host is appended.
The command prints the SAN list and SHA-256 fingerprint for openssl x509 -fingerprint -sha256 cross-check and reminds you to restart the daemon.
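The SAN rule just described, as an added Python example that is not MentisDB's own code: interface IPs are passed in rather than enumerated from the host, the unicast filter is a simplification, and the output uses the dns:/ip: rendering the library API section mentions.

```python
"""SAN-set builder modelled on the rule above (added example, not MentisDB's
own code). Interface IPs are supplied explicitly so the result is deterministic."""
import ipaddress

FACTORY_DNS = ["my.mentisdb.com", "localhost"]
FACTORY_IPS = ["127.0.0.1"]


def classify(host):
    """Return ('ip', addr) or ('dns', name); bracketed IPv6 literals accepted."""
    h = host.strip().strip("[]")
    try:
        return "ip", str(ipaddress.ip_address(h))
    except ValueError:
        return "dns", h.lower()


def build_san_set(extra_hosts=(), bind_host=None, interface_ips=()):
    """Factory SANs first, then interface IPs, then the bind host when it is a
    DNS name, then user-supplied hosts; order kept, duplicates dropped.
    Entries are rendered dns:<name> / ip:<addr>."""
    ordered, seen = [], set()

    def add(kind, value):
        entry = f"{kind}:{value}"
        if entry not in seen:
            seen.add(entry)
            ordered.append(entry)

    for name in FACTORY_DNS:
        add("dns", name)
    for ip in FACTORY_IPS:
        add("ip", ip)
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip)
        # simplified unicast filter: drop multicast and the unspecified address
        if not (addr.is_multicast or addr.is_unspecified):
            add("ip", str(addr))
    if bind_host:
        kind, value = classify(bind_host)
        if kind == "dns":  # an IP bind host is already covered by interface IPs
            add(kind, value)
    for host in extra_hosts:
        add(*classify(host))
    return ordered
```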
Library TLS API: ensure_tls_cert_with_sans
The cert logic is now exposed as a library function:
pub fn ensure_tls_cert_with_sans(
    cert: &Path,
    key: &Path,
    extra_sans: Vec<SanType>,
    overwrite: bool,
) -> Result<TlsCertArtifacts, String>

pub struct TlsCertArtifacts {
    pub cert_path: PathBuf,
    pub key_path: PathBuf,
    pub sans: Vec<String>, // dns:..., ip:...
    pub sha256_fingerprint: String,
}
The existing ensure_tls_cert is now a one-line wrapper (overwrite=false, no extra SANs), so there is no behaviour change for existing callers.
The sans field is extracted from the freshly written cert with x509-parser and rendered in the same dns:<name> / ip:<addr> style.
Comprehensive --help
mentisdb --help now prints both the daemon help AND the full CLI subcommand help in one view.
Subcommand-specific help works as expected: mentisdb cert --help, mentisdb setup --help, mentisdb wizard --help, etc.
Search-First Discipline in MENTISDB_SKILL.md
A prominent 🔎 SEARCH BEFORE YOU WRITE section now sits between MANDATORY STARTUP and WRITE TRIGGERS.
The routine: recent_context → ranked_search → tighten with tags_any / thought_types / concepts_any / since.
Three decisions per append: do I need to write at all? do I need to update a prior lesson? which 1–3 neighbours to link via typed edges?
A new "Blind appends" anti-pattern is documented. Search-first is the upstream half of the dedup discipline: 5–15 seconds of search before write is the single highest-leverage habit for keeping ranked_search useful as chains grow past a few hundred thoughts.
--headless Top-Level Flag + TUI Auto-Headless Fix
mentisdb --headless starts the HTTP/MCP/REST servers without the interactive terminal UI, matching the long-standing --mode http --headless invocation the stdio proxy uses internally.
The daemon now auto-promotes to headless HTTP mode when stdin or stdout is not a TTY. Previously the TUI main loop was entered with an already-EOF stdin; crossterm's event::poll(100ms) returned Ok(false) immediately and the loop re-rendered the full ratatui UI on every iteration — pinning one CPU core at 100% on a 2-core cloud VM. The new tui_can_run() guard in src/tui.rs detects the non-TTY case at startup and delegates to run_headless(). Affects every non-interactive launch: docker run without -t, nohup mentisdb &, systemd without StandardInput=tty, cron, and the SSH-disconnect scenario.
Restore Idempotency + Chain-Scope Safety
- Local mentisdb-registry.json is merged, not replaced
- Verified same-chain suffixes are appended
- Divergent same-name chains imported under renamed keys
- --overwrite only allows same-path chain file replacement when a safe suffix merge is not possible
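The restore policy above as an added Python model (not MentisDB's own code): it assumes a registry is a dict of chain name to {"path", "thoughts"} and treats two entries as the same chain when one thought list is a prefix of the other; both the format and that same-chain test are assumptions, not the real registry layout.

```python
"""Restore-merge model: merge, append verified suffixes, rename divergent
collisions, and let --overwrite replace only a same-path file that cannot be
suffix-merged. Added example; registry shape is an assumption."""
from copy import deepcopy


def _is_prefix(short, long):
    """True when `short` is a leading run of `long` (same chain, older snapshot)."""
    return len(short) <= len(long) and long[: len(short)] == short


def _renamed_key(name, registry):
    """First free name-N key for a divergent chain that collides on `name`."""
    n = 2
    while f"{name}-{n}" in registry:
        n += 1
    return f"{name}-{n}"


def merge_registry(local, incoming, overwrite=False):
    """Merge `incoming` (the backup) into `local` without replacing it wholesale.
    Returns (merged, actions); actions records what happened per chain name."""
    merged = deepcopy(local)
    actions = []
    for name, entry in incoming.items():
        if name not in merged:
            merged[name] = deepcopy(entry)
            actions.append((name, "imported"))
            continue
        cur = merged[name]
        if cur["thoughts"] == entry["thoughts"]:
            actions.append((name, "already-present"))  # restore is idempotent
        elif _is_prefix(cur["thoughts"], entry["thoughts"]):
            suffix = entry["thoughts"][len(cur["thoughts"]):]
            cur["thoughts"].extend(suffix)  # verified same chain: append suffix
            actions.append((name, f"appended {len(suffix)}"))
        elif _is_prefix(entry["thoughts"], cur["thoughts"]):
            actions.append((name, "local-ahead"))  # backup is older; keep local
        elif overwrite and cur["path"] == entry["path"]:
            merged[name] = deepcopy(entry)  # the only case --overwrite may clobber
            actions.append((name, "overwritten"))
        else:
            key = _renamed_key(name, merged)
            merged[key] = deepcopy(entry)  # divergent: import under a new key
            actions.append((name, f"renamed->{key}"))
    return merged, actions
```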
Other Changes
- Token secrets now use mentisdb_ prefix (was mdb_live_)
- Refactored cert CLI: collapsed duplicated writeln! blocks into named helpers; help text single source of truth
- Promoted default_tls_dir to pub in server.rs, removed duplicate helper
- Docs: new "TLS Certificates" section in README.md with six worked examples, options table, openssl s_client cross-check; docs.mentisdb.com updated
Upgrade
cargo install mentisdb --force
Links
- Changelog: https://github.com/CloudLLM-ai/mentisdb/blob/master/changelog.txt
- Documentation: https://docs.mentisdb.com
- Blog Post: https://mentisdb.com/docs/mentisdb-0.10.1.46.html