feat(dashboard): stash auth_required flag on app.state

Phase 0, Task 0.3. start_server now computes should_require_auth(host, allow_public) and records it on app.state.auth_required BEFORE the existing legacy SystemExit guard fires. This gives middleware, the SPA token-injection path, and WS endpoints a consistent read source for 'is the gate active'. The flag is set but no one reads it yet — Phase 3 registers the gate middleware. Note: 4 pre-existing test failures in tests/hermes_cli/test_web_server.py (PtyWebSocket) + test_update_hangup_protection.py reproduce on pristine HEAD and are unrelated to this change (starlette TestClient WS regression).
2026-06-03 07:21:54 +00:00 · 2026-05-21 15:05:23 +10:00 · 2026-05-21 15:05:23 +10:00 · 2346711df9
commit 2346711df9
parent 2862085920
2 changed files with 67 additions and 0 deletions
--- a/hermes_cli/web_server.py
+++ b/hermes_cli/web_server.py
@ -4541,6 +4541,12 @@ def start_server(
    global _DASHBOARD_EMBEDDED_CHAT_ENABLED
    _DASHBOARD_EMBEDDED_CHAT_ENABLED = embedded_chat

+    # Phase 0: stash the auth-gate flag on app.state so middleware / SPA-token
+    # injection / WS-auth paths can branch on it consistently.  At Phase 0 the
+    # flag is set but nothing reads it yet — later phases register the gate
+    # middleware and the gated /auth/* routes.
+    app.state.auth_required = should_require_auth(host, allow_public)
+
    _LOCALHOST = ("127.0.0.1", "localhost", "::1")
    if host not in _LOCALHOST and not allow_public:
        raise SystemExit(