Files
hermes-webui/api
nesquena-hermes 124044dc11 fix(security #3234): do not deny STATE_DIR wholesale — keep STATE_DIR/workspace media (Codex review #7)
The default workspace lives at STATE_DIR/workspace, so denying STATE_DIR itself
403'd legitimate workspace media. STATE_DIR is already in _hermes_roots, so its
sensitive subdirs (STATE_DIR/sessions, /memories, /profiles, etc.) are still
covered by the per-root subdir loop; direct sensitive files are still caught by
the filename denies. Drop the wholesale _state_dir deny. Adds a regression test
proving STATE_DIR/workspace/shot.png serves while STATE_DIR/sessions/*.json 403s.
2026-05-31 03:41:21 +00:00
..
2026-05-28 13:38:50 -04:00
2026-04-29 19:54:07 -07:00
2026-05-25 00:14:38 +00:00
2026-05-28 17:47:33 +00:00
2026-05-30 11:25:33 +02:00
2026-05-28 08:33:50 -04:00