hermes-agent/web
Teknium 99bcc2de5b
fix(security): harden dashboard API against unauthenticated access (#9800)
Addresses responsible disclosure from FuzzMind Security Lab (CVE pending).

The web dashboard API server had 36 endpoints, of which only 5 checked
the session token. The token itself was served from an unauthenticated
GET /api/auth/session-token endpoint, rendering the protection circular.
When bound to 0.0.0.0 (--host flag), all API keys, config, and cron
management were accessible to any machine on the network.

Changes:
- Add auth middleware requiring session token on ALL /api/ routes except
  a small public whitelist (status, config/defaults, config/schema,
  model/info)
- Remove GET /api/auth/session-token endpoint entirely; inject the token
  into index.html via a <script> tag at serve time instead
- Replace all inline token comparisons (!=) with hmac.compare_digest()
  to prevent timing side-channel attacks
- Block non-localhost binding by default; require --insecure flag to
  override (with warning log)
- Update frontend fetchJSON() to send Authorization header on all
  requests using the injected window.__HERMES_SESSION_TOKEN__

Credit: Callum (@0xca1x) and @migraine-sudo at FuzzMind Security Lab
2026-04-14 10:57:56 -07:00
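As an added illustration of the three server-side changes the commit describes (an auth middleware with a small public allowlist, constant-time token comparison via hmac.compare_digest, and refusing non-loopback binds without an explicit override), here is a stand-alone model written for this page. It is not the project's own code: the FastAPI wiring is left out so it runs without dependencies, the route paths in PUBLIC_PATHS, the Bearer scheme, and the function names (is_public, token_matches, check_request, validate_bind_host) are assumptions, and the session token is generated locally rather than injected into index.html.

```python
"""Model of the dashboard auth hardening described in the commit (added
example, not hermes-agent code). Route paths, the Bearer scheme and all
function names are assumptions."""
import hmac
import ipaddress
import logging
import secrets
from typing import Dict, Optional

log = logging.getLogger("dashboard")

# Public allowlist per the commit message; the exact paths are assumed.
PUBLIC_PATHS = frozenset({
    "/api/status",
    "/api/config/defaults",
    "/api/config/schema",
    "/api/model/info",
})

# Per-process session token. The real server injects it into index.html
# at serve time instead of exposing it on an unauthenticated endpoint.
SESSION_TOKEN = secrets.token_urlsafe(32)


def is_public(path: str) -> bool:
    """Exact-match allowlist on the path (query string stripped). No prefix
    matching, so "/api/status/../keys" or "/api/statusX" stay protected."""
    return path.split("?", 1)[0] in PUBLIC_PATHS


def token_matches(presented: Optional[str], expected: str = SESSION_TOKEN) -> bool:
    """Constant-time comparison. A plain `presented != expected` returns on
    the first differing byte, which is the timing side channel the commit
    removes."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def check_request(path: str, headers: Dict[str, str],
                  expected: str = SESSION_TOKEN) -> int:
    """Return the status the middleware would produce: 200 (allowed) or
    401 (missing or wrong token). Only /api/ routes are gated; the static
    SPA assets pass through."""
    if not path.startswith("/api/"):
        return 200
    if is_public(path):
        return 200
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not token_matches(token.strip(), expected):
        return 401
    return 200


def validate_bind_host(host: str, insecure: bool = False) -> str:
    """Allow loopback binds unconditionally; anything else needs the
    --insecure override and is logged, because the session token then
    becomes the only protection on the network."""
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if loopback:
        return host
    if not insecure:
        raise ValueError(
            f"refusing to bind dashboard to {host!r}; pass --insecure to override")
    log.warning("dashboard bound to %s; the session token is the only "
                "protection against other hosts on this network", host)
    return host


if __name__ == "__main__":
    # Constructed requests: a public route, a protected route without and
    # with the right token, and a bind-host check.
    print(check_request("/api/status", {}))                                   # 200
    print(check_request("/api/keys", {}))                                     # 401
    print(check_request("/api/keys", {"Authorization": f"Bearer {SESSION_TOKEN}"}))  # 200
    print(validate_bind_host("127.0.0.1"))
```

The allowlist is deliberately an exact match on the path rather than a prefix test, and the middleware fails closed for any /api/ path it does not recognise, which is the property the original server lacked when only 5 of 36 endpoints checked the token.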
public feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
src fix(security): harden dashboard API against unauthenticated access (#9800) 2026-04-14 10:57:56 -07:00
eslint.config.js feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
index.html feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
package-lock.json feat: add internationalization (i18n) to web dashboard — English + Chinese (#9453) 2026-04-13 23:19:13 -07:00
package.json feat: react-router, sidebar layout, sticky header, dropdown component, remove emojis, rounded corners 2026-04-14 00:01:18 -04:00
README.md feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
tsconfig.app.json feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
tsconfig.json feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
tsconfig.node.json feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00
vite.config.ts feat: web UI dashboard for managing Hermes Agent (#8756) 2026-04-12 22:26:28 -07:00

Hermes Agent — Web UI

Browser-based dashboard for managing Hermes Agent configuration, API keys, and monitoring active sessions.

Stack

  • Vite + React 19 + TypeScript
  • Tailwind CSS v4 with custom dark theme
  • shadcn/ui-style components (hand-rolled, no CLI dependency)

Development

# Start the backend API server
cd ../
python -m hermes_cli.main web --no-open

# In another terminal, start the Vite dev server (with HMR + API proxy)
cd web/
npm run dev

The Vite dev server proxies /api requests to http://127.0.0.1:9119 (the FastAPI backend).

Build

npm run build

This outputs to ../hermes_cli/web_dist/, which the FastAPI server serves as a static SPA. The built assets are included in the Python package via pyproject.toml package-data.

Structure

src/
├── components/ui/   # Reusable UI primitives (Card, Badge, Button, Input, etc.)
├── lib/
│   ├── api.ts       # API client — typed fetch wrappers for all backend endpoints
│   └── utils.ts     # cn() helper for Tailwind class merging
├── pages/
│   ├── StatusPage   # Agent status, active/recent sessions
│   ├── ConfigPage   # Dynamic config editor (reads schema from backend)
│   └── EnvPage      # API key management with save/clear
├── App.tsx          # Main layout and navigation
├── main.tsx         # React entry point
└── index.css        # Tailwind imports and theme variables