feat(security): default worker to localhost-only binding

BREAKING: Worker now binds to 127.0.0.1 by default.
Set CLAUDE_MEM_WORKER_HOST=0.0.0.0 for remote access.

src/shared/SettingsDefaultsManager.ts

@@ -15,6 +15,7 @@ export interface SettingsDefaults {
   CLAUDE_MEM_MODEL: string;
   CLAUDE_MEM_CONTEXT_OBSERVATIONS: string;
   CLAUDE_MEM_WORKER_PORT: string;
+  CLAUDE_MEM_WORKER_HOST: string;
   CLAUDE_MEM_SKIP_TOOLS: string;
   // System Configuration
   CLAUDE_MEM_DATA_DIR: string;
@@ -46,6 +47,7 @@ export class SettingsDefaultsManager {
     CLAUDE_MEM_MODEL: 'claude-haiku-4-5',
     CLAUDE_MEM_CONTEXT_OBSERVATIONS: '50',
     CLAUDE_MEM_WORKER_PORT: '37777',
+    CLAUDE_MEM_WORKER_HOST: '127.0.0.1',
     CLAUDE_MEM_SKIP_TOOLS: 'ListMcpResourcesTool,SlashCommand,Skill,TodoWrite,AskUserQuestion',
     // System Configuration
     CLAUDE_MEM_DATA_DIR: join(homedir(), '.claude-mem'),

src/shared/worker-utils.ts

@@ -26,6 +26,16 @@ export function getWorkerPort(): number {
   return parseInt(settings.CLAUDE_MEM_WORKER_PORT, 10);
 }
 
+/**
+ * Get the worker host address
+ * Priority: ~/.claude-mem/settings.json > env var > default (127.0.0.1)
+ */
+export function getWorkerHost(): string {
+  const settingsPath = path.join(homedir(), '.claude-mem', 'settings.json');
+  const settings = SettingsDefaultsManager.loadFromFile(settingsPath);
+  return settings.CLAUDE_MEM_WORKER_HOST;
+}
+
 /**
  * Check if worker is responsive by trying the health endpoint
  */