From 2c7d7a9b2f75593e7949a8ed64883e6425df9684 Mon Sep 17 00:00:00 2001
From: memosr
Date: Mon, 4 May 2026 01:10:50 +0300
Subject: [PATCH] fix(security): bind Meet node server to localhost and restrict token file to owner read

---
 plugins/google_meet/node/server.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/plugins/google_meet/node/server.py b/plugins/google_meet/node/server.py
index a0d802dfdc..cff01d265f 100644
--- a/plugins/google_meet/node/server.py
+++ b/plugins/google_meet/node/server.py
@@ -43,7 +43,7 @@ class NodeServer:
     def __init__(
         self,
-        host: str = "0.0.0.0",
+        host: str = "127.0.0.1",
         port: int = 18789,
         token_path: Optional[Path] = None,
         display_name: str = "hermes-meet-node",
@@ -76,6 +76,13 @@ class NodeServer:
             json.dumps({"token": tok, "generated_at": time.time()}, indent=2),
             encoding="utf-8",
         )
+        # Restrict to owner-read-write only — the token grants full RPC
+        # access to the meet bot (start, transcribe, speak in meetings).
+        try:
+            tmp.chmod(0o600)
+        except (OSError, NotImplementedError):
+            # Best-effort on non-POSIX filesystems; mode is set on POSIX.
+            pass
         tmp.replace(self.token_path)
         self._token = tok
         return tok
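Review bot: The new loopback default is undocumented, and since `host` is still a plain constructor parameter any caller or config path that passes a value explicitly silently reopens the wider bind without anything on the page telling them what they are giving up. A short comment on the parameter would carry the rationale: `host: str = "127.0.0.1",  # loopback only; the token file is the sole credential for this RPC surface, so bind wider only behind TLS/auth`. If `__init__` has a docstring (its body continues outside the hunk), the same sentence belongs in the `host` entry there too.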
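Review bot: The `tmp.chmod(0o600)` runs after the token has already been written by `write_text`, so the temp file is created with the umask-derived mode (commonly world-readable) and holds the token for a window before the mode is tightened; the fix should create the file with 0o600 from the start, and `tmp.chmod` can stay as a fallback for a pre-existing temp path. The `except (OSError, NotImplementedError): pass` also hides a failed chmod on POSIX, which is exactly the case where the token would be left readable — at minimum emit a warning there (a `logging` call if the module has a logger; none is visible in the hunk) rather than `pass`. The `tmp.write_text(` call and the enclosing method start outside the hunk, and `os` must already be imported for the version below (the imports are not visible here).
```python
        # … unchanged: token generation and tmp path …
        # Create the temp file owner-only at creation time, so the token is
        # never on disk with a permissive mode, not even briefly.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(json.dumps({"token": tok, "generated_at": time.time()}, indent=2))
        # Fallback for a pre-existing tmp file (O_CREAT leaves its mode as is).
        try:
            tmp.chmod(0o600)
        except (OSError, NotImplementedError) as exc:
            # Non-POSIX filesystems may not support modes; on POSIX this means
            # the token stayed readable, so do not fail silently here.
            print(f"warning: could not restrict {tmp} permissions: {exc}")
        tmp.replace(self.token_path)
        # … unchanged: self._token = tok; return tok …
```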