fix: harden website blocklist — default off, TTL cache, fail-open, guarded imports

- Default enabled: false (zero overhead when not configured)
- Fast path: cached disabled state skips all work immediately
- TTL cache (30s) for parsed policy — avoids re-reading config.yaml
  on every URL check
- Missing shared files warn + skip instead of crashing all web tools
- Lazy yaml import — missing PyYAML doesn't break browser toolset
- Guarded browser_tool import — fail-open lambda fallback
- check_website_access never raises for default path (fail-open with
  warning log); only raises with explicit config_path (test mode)
- Simplified enforcement code in web_tools/browser_tool — no more
  try/except wrappers since errors are handled internally
This commit is contained in:
teknium1
2026-03-17 03:11:21 -07:00
parent d132a3dfbb
commit 6fc76ef954
5 changed files with 136 additions and 53 deletions

@@ -356,7 +356,7 @@ DEFAULT_CONFIG = {
"tirith_timeout": 5,
"tirith_fail_open": True,
"website_blocklist": {
"enabled": True,
"enabled": False,
"domains": [],
"shared_files": [],
},
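Review bot: In the `website_blocklist` defaults, flipping `"enabled"` to `False` means a user config that lists `domains` or `shared_files` but never set `enabled` itself (relying on the old default) silently stops being enforced after upgrade, assuming user config is merged over `DEFAULT_CONFIG`. Consider logging a warning when `domains` or `shared_files` is non-empty while `enabled` is false, or call out the behaviour change in the release notes. A short comment beside the key saying the blocklist is opt-in and fails open would also help, since it sits directly under `"tirith_fail_open": True` and the two settings are easy to conflate.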