mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-04-28 01:21:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
hermes-agent/gateway/platforms
History
coffee a04854800f fix(security): require auth for session continuation and warn on missing API key 
Two security hardening changes for the API server:

1. **Startup warning when no API key is configured.**
   When `API_SERVER_KEY` is not set, all endpoints accept unauthenticated
   requests.  This is the default configuration, but operators may not
   realize the security implications.  A prominent warning at startup
   makes the risk visible.

2. **Require authentication for session continuation.**
   The `X-Hermes-Session-Id` header allows callers to load and continue
   any session stored in state.db.  Without authentication, an attacker
   who can reach the API server (e.g. via CORS from a malicious page,
   or on a shared host) could enumerate session IDs and read conversation
   history — which may contain API keys, passwords, code, or other
   sensitive data shared with the agent.

   Session continuation now returns 403 when no API key is configured,
   with a clear error message explaining how to enable the feature.
   When a key IS configured, the existing Bearer token check already
   gates access.

This is defense-in-depth: the API server is intended for local use,
but defense against cross-origin and shared-host attacks is important
since the default binding is 127.0.0.1 which is reachable from
browsers via DNS rebinding or localhost CORS.
2026-04-10 02:58:21 -07:00
..
__init__.py Enhance CLI with multi-platform messaging integration and configuration management 2026-02-02 19:01:51 -08:00
ADDING_A_PLATFORM.md docs: finish cron terminology cleanup 2026-03-14 19:20:58 -07:00
api_server.py fix(security): require auth for session continuation and warn on missing API key 2026-04-10 02:58:21 -07:00
base.py fix: add SOCKS proxy support, DISCORD_PROXY env var, and send_message proxy coverage 2026-04-09 14:19:06 -07:00
bluebubbles.py feat(gateway): add BlueBubbles iMessage platform adapter (#6437) 2026-04-08 23:54:03 -07:00
dingtalk.py fix(dingtalk): requirements check passes with only one credential set 2026-03-17 03:50:45 -07:00
discord.py fix(gateway): bypass text batching when delay is 0 (#6996) 2026-04-09 23:59:20 -07:00
email.py fix(email): close SMTP and IMAP connections on failure (#3804) 2026-03-29 15:38:32 -07:00
feishu.py fix(feishu): add adaptive batch delay for split long messages 2026-04-09 23:25:27 -07:00
homeassistant.py fix(gateway): add request timeouts to HA, Email, Mattermost, SMS adapters (#3258) 2026-03-26 14:36:07 -07:00
matrix.py fix(gateway): bypass text batching when delay is 0 (#6996) 2026-04-09 23:59:20 -07:00
mattermost.py fix(security): consolidated security hardening — SSRF, timing attack, tar traversal, credential leakage (#5944) 2026-04-07 17:28:37 -07:00
signal.py fix: Signal duplicate replies with streaming + per-platform tool_progress (#6348) 2026-04-08 17:39:45 -07:00
slack.py fix(slack): add rate-limit retry and TTL cache to thread context fetching 2026-04-09 14:07:32 -07:00
sms.py fix: store asyncio task references to prevent GC mid-execution (#3267) 2026-03-26 14:36:24 -07:00
telegram.py fix(telegram): adaptive batch delay for split long messages 2026-04-09 23:25:27 -07:00
telegram_network.py feat(gateway): unified proxy support for Discord and Telegram with macOS auto-detection 2026-04-09 14:19:06 -07:00
webhook.py fix(gateway/webhook): don't pop delivery_info on send 2026-04-07 17:27:09 -07:00
wecom.py fix(gateway): bypass text batching when delay is 0 (#6996) 2026-04-09 23:59:20 -07:00
whatsapp.py refactor: codebase-wide lint cleanup — unused imports, dead code, and inefficient patterns (#5821) 2026-04-07 10:25:31 -07:00