FalkorDB · gkorland · Dec 30, 2025 · Dec 30, 2025 · Jan 4, 2026 · Jan 4, 2026
diff --git a/.env.example b/.env.example
@@ -98,6 +98,14 @@ FALKORDB_URL=redis://localhost:6379/0  # REQUIRED - change to your FalkorDB URL
 # Google Tag Manager ID (optional)
 # GOOGLE_TAG_MANAGER_ID=GTM-XXXXXXX
 
+# -----------------------------
+# Memory TTL (optional)
+# -----------------------------
+# Set a TTL (in seconds) on per-user memory graphs so they auto-expire.
+# When unset, memory graphs persist indefinitely.
+# Example: 604800 = 1 week
+# MEMORY_TTL_SECONDS=604800
+
 # -----------------------------
 # Optional MCP (Model Context Protocol) settings
 # -----------------------------

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,10 @@
 
 version: 2
 updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
   - package-ecosystem: "pip"
     directory: "/"
     target-branch: "staging"

diff --git a/.github/wordlist.txt b/.github/wordlist.txt
@@ -95,3 +95,4 @@ Sanitization
 JOINs
 subqueries
 subquery
+TTL
diff --git a/Dockerfile b/Dockerfile
@@ -19,6 +19,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     netcat-openbsd \
     git \
     build-essential \
+    curl \
+    ca-certificates \
+    gnupg \
     && rm -rf /var/lib/apt/lists/* \
     && ln -sf /usr/local/bin/python3.12 /usr/bin/python3 \
     && ln -sf /usr/local/bin/python3.12 /usr/bin/python
@@ -36,9 +39,15 @@ RUN PIP_BREAK_SYSTEM_PACKAGES=1 pipenv sync --system
 
 # Install Node.js (Node 22) so we can build the frontend inside the image.
 # Use NodeSource setup script to get a recent Node version on Debian-based images.
-RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get update && apt-get install -y nodejs \
-    && rm -rf /var/lib/apt/lists/*
+# Remove any pre-installed nodejs first to avoid conflicts.
+RUN apt-get update \
+    && apt-get remove -y nodejs || true \
+    && rm -rf /var/lib/apt/lists/* \
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get update \
+    && apt-get install -y nodejs \
+    && rm -rf /var/lib/apt/lists/* \
+    && node --version && npm --version
-RUN apt-get update \
-    && apt-get remove -y nodejs || true \
-    && rm -rf /var/lib/apt/lists/* \
-    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get update \
-    && apt-get install -y nodejs \
-    && rm -rf /var/lib/apt/lists/* \
-    && node --version && npm --version
+RUN apt-get update \
+    && (apt-get remove -y nodejs || true) \
+    && rm -rf /var/lib/apt/lists/* \
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/* \
+    && node --version && npm --version
-RUN apt-get update \
-    && apt-get remove -y nodejs || true \
-    && rm -rf /var/lib/apt/lists/* \
-    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
-    && apt-get update \
-    && apt-get install -y nodejs \
-    && rm -rf /var/lib/apt/lists/* \
-    && node --version && npm --version
+RUN apt-get update \
+    && (apt-get remove -y nodejs || true) \
+    && rm -rf /var/lib/apt/lists/* \
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/* \
+    && node --version && npm --version
 
 # Copy only frontend package files so Docker can cache npm installs when
 # package.json / package-lock.json don't change.

diff --git a/Pipfile b/Pipfile
@@ -12,7 +12,7 @@ psycopg2-binary = "~=2.9.11"
 pymysql = "~=1.1.0"
 authlib = "~=1.6.4"
 itsdangerous = "~=2.2.0"
-jsonschema = "~=4.25.0"
+jsonschema = "~=4.26.0"
 tqdm = "~=4.67.1"
 python-multipart = "~=0.0.10"
 jinja2 = "~=3.1.4"

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -57,6 +57,17 @@ docker run -p 5000:5000 -it \
 
 > For a full list of configuration options, consult `.env.example`.
 
+## Memory TTL (optional)
+
+QueryWeaver stores per-user conversation memory in FalkorDB. By default these graphs persist indefinitely. Set `MEMORY_TTL_SECONDS` to apply a Redis TTL (in seconds) so idle memory graphs are automatically cleaned up.
+
+```bash
+# Expire memory graphs after 1 week of inactivity
+MEMORY_TTL_SECONDS=604800
+```
+
+The TTL is refreshed on every user interaction, so active users keep their memory.
+
 ## MCP server: host or connect (optional)
 
 QueryWeaver includes optional support for the Model Context Protocol (MCP). You can either have QueryWeaver expose an MCP-compatible HTTP surface (so other services can call QueryWeaver as an MCP server), or configure QueryWeaver to call an external MCP server for model/context services.

diff --git a/api/app_factory.py b/api/app_factory.py
@@ -43,6 +43,14 @@ async def dispatch(self, request: Request, call_next):
                 return JSONResponse(status_code=403, content={"detail": "Forbidden"})
 
         response = await call_next(request)
+
+        # Add HSTS header to prevent man-in-the-middle attacks
+        # max-age=31536000: 1 year in seconds
+        # includeSubDomains: apply to all subdomains
+        # preload: eligible for browser HSTS preload lists
+        hsts_value = "max-age=31536000; includeSubDomains; preload"
+        response.headers["Strict-Transport-Security"] = hsts_value
+
         return response
 
 

diff --git a/api/memory/graphiti_tool.py b/api/memory/graphiti_tool.py
@@ -10,6 +10,8 @@
 from typing import List, Dict, Any, Optional, Tuple
 from datetime import datetime
 
+from redis import RedisError
+
 # Import Azure OpenAI components
 from openai import AsyncAzureOpenAI
 
@@ -47,10 +49,18 @@ def extract_embedding_model_name(full_model_name: str) -> str:
 class MemoryTool:
     """Memory management tool for handling user memories and interactions."""
 
+    # Optional TTL (in seconds) for the memory graph key. Set via MEMORY_TTL_SECONDS
+    # env var to enable automatic expiry (e.g. 604800 for 1 week). Unset = no expiry.
+    MEMORY_TTL_SECONDS: Optional[int] = (
+        int(os.environ["MEMORY_TTL_SECONDS"])
+        if os.environ.get("MEMORY_TTL_SECONDS")
+        else None
+    )
+
     def __init__(self, user_id: str, graph_id: str):
         # Create FalkorDB driver with user-specific database
-        user_memory_db = f"{user_id}-memory"
-        falkor_driver = FalkorDriver(falkor_db=db, database=user_memory_db)
+        self.memory_db_name = f"{user_id}-memory"
+        falkor_driver = FalkorDriver(falkor_db=db, database=self.memory_db_name)
 
 
         # Create Graphiti client with Azure OpenAI configuration
@@ -60,6 +70,13 @@ def __init__(self, user_id: str, graph_id: str):
         self.graph_id = graph_id
 
 
+    async def _refresh_ttl(self) -> None:
+        """Set a TTL on the memory graph key using Redis EXPIRE."""
+        try:
+            await db.execute_command("EXPIRE", self.memory_db_name, self.MEMORY_TTL_SECONDS)
+        except RedisError as e:
+            logging.warning("Failed to refresh TTL for %s: %s", self.memory_db_name, e)
+
     @classmethod
     async def create(cls, user_id: str, graph_id: str, use_direct_entities: bool = True) -> "MemoryTool":
         """Async factory to construct and initialize the tool."""
@@ -72,6 +89,9 @@ async def create(cls, user_id: str, graph_id: str, use_direct_entities: bool = T
         driver = self.graphiti_client.driver
         await driver.execute_query(f"CREATE VECTOR INDEX FOR (p:Query) ON (p.embeddings) OPTIONS {{dimension:{vector_size}, similarityFunction:'euclidean'}}")
 
+        if cls.MEMORY_TTL_SECONDS is not None:
+            await self._refresh_ttl()
+
         return self
 
     async def _ensure_entity_nodes_direct(self, user_id: str, database_name: str) -> bool:
-Original file line number
+Diff line change
@@ Expand Up / @@ -95,3 +95,4 @@ Sanitization @@
     JOINs
     subqueries
     subquery
+    TTL