hermes-webui

gooneyryan/hermes-webui

Fork 0

mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-24 18:50:15 +00:00

Commit Graph

Author	SHA1	Message	Date
nesquena-hermes	96ca83bf53	fix(security): drop unsafe-eval + add jsdelivr to CSP, sanitize plugin error Opus stage-339 review SHOULD-FIX items: 1. server.py: drop 'unsafe-eval' from CSP report-only policy. Verified by grepping all production JS — zero matches for eval(), new Function(), or string-form setTimeout/setInterval. Keeping it was a gratuitous privilege. 2. server.py: add https://cdn.jsdelivr.net to script-src + style-src. index.html loads Prism/xterm/katex from this CDN with SRI hashes — without the allowance every page load fires known-good CSP violations that drown out real signal once a collector is wired. 3. api/commands.py: sanitize plugin command error. Previously returned f'Plugin command error: {exc}' which would leak paths/env from FileNotFoundError('/etc/something/secret.key') etc. Now returns only the exception type name; full traceback goes to server log. Test asserts updated to match the new policy shape. Co-authored-by: Opus advisor <opus-advisor@hermes.local>	2026-05-11 17:53:02 +00:00
Philippe Le Rohellec	281a57b60a	support slash commands implemented in hermes plugin	2026-05-11 09:42:40 -07:00
nesquena-hermes	0386dc261a	feat: slash command parity + skill autocomplete — v0.50.91 (PR #711 ) Combines PR #618 (@renheqiang) slash command parity (/retry /undo /stop /title /status /voice) with PR #701 (@franksong2702) skill autocomplete. 1469 tests pass. Closes #460. Co-authored-by: renheqiang <renheqiang@users.noreply.github.com> Co-authored-by: franksong2702 <franksong2702@users.noreply.github.com>	2026-04-19 05:37:44 +00:00

Author

SHA1

Message

Date

nesquena-hermes

96ca83bf53

fix(security): drop unsafe-eval + add jsdelivr to CSP, sanitize plugin error

Opus stage-339 review SHOULD-FIX items:

1. server.py: drop 'unsafe-eval' from CSP report-only policy.
   Verified by grepping all production JS — zero matches for eval(),
   new Function(), or string-form setTimeout/setInterval. Keeping it
   was a gratuitous privilege.

2. server.py: add https://cdn.jsdelivr.net to script-src + style-src.
   index.html loads Prism/xterm/katex from this CDN with SRI hashes —
   without the allowance every page load fires known-good CSP violations
   that drown out real signal once a collector is wired.

3. api/commands.py: sanitize plugin command error. Previously returned
   f'Plugin command error: {exc}' which would leak paths/env from
   FileNotFoundError('/etc/something/secret.key') etc. Now returns only
   the exception type name; full traceback goes to server log.

Test asserts updated to match the new policy shape.

Co-authored-by: Opus advisor <opus-advisor@hermes.local>

2026-05-11 17:53:02 +00:00

Philippe Le Rohellec

281a57b60a

support slash commands implemented in hermes plugin

2026-05-11 09:42:40 -07:00

nesquena-hermes

0386dc261a

feat: slash command parity + skill autocomplete — v0.50.91 (PR #711 )

Combines PR #618 (@renheqiang) slash command parity (/retry /undo /stop /title /status /voice) with PR #701 (@franksong2702) skill autocomplete. 1469 tests pass. Closes #460.

Co-authored-by: renheqiang <renheqiang@users.noreply.github.com>
Co-authored-by: franksong2702 <franksong2702@users.noreply.github.com>

2026-04-19 05:37:44 +00:00

3 Commits