hermes-agent/hermes_cli/proxy
Teknium 8986981df4
security(gateway): set explicit client_max_size on 3 uncapped aiohttp servers (#59180)
Sibling sweep from the #58902 raft review found aiohttp servers still
running on the implicit 1 MiB default with no explicit body cap:

- bluebubbles webhook (127.0.0.1): 1 MiB explicit cap — events are small
  JSON/form payloads; attachments arrive via the REST API
- teams Bot Framework listener (0.0.0.0 bind — most exposed): 1 MiB cap;
  activities are JSON well under that
- hermes proxy server: 10 MB cap mirroring api_server's MAX_REQUEST_BYTES
  (chat-completion payloads can be large, but must stay bounded)

client_max_size bounds every read path including chunked transfer-encoding
requests that carry no Content-Length (#58536/#58902 pattern).

Deliberately excluded: feishu, whatsapp_cloud, sms, line, wecom, msgraph —
open contributor PRs (#54938, #54944, #54620, #54931, #54934, #25296)
already cover those; reviewing them separately preserves their credit.

3 regression tests pin the wiring.
2026-07-05 14:48:28 -07:00
..
adapters fix(auth): honor NOUS_INFERENCE_BASE_URL env override for Nous OAuth sessions (#52270) 2026-06-25 00:11:15 -07:00
__init__.py feat(proxy): local OpenAI-compatible proxy for OAuth providers (#25969) 2026-05-14 15:40:48 -07:00
cli.py docs(auth): replace stale 'hermes login' references with 'hermes auth add' 2026-05-26 15:41:11 -07:00
server.py security(gateway): set explicit client_max_size on 3 uncapped aiohttp servers (#59180) 2026-07-05 14:48:28 -07:00