Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 38 Pull Requests 2 Actions 18 Packages Projects Releases Wiki Activity
Files
cf1afb07f219cb538492e00bd1376a2b988d0167
hermes-agent/gateway
History
Allegro cfcffd38ab
Some checks failed
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 27s
Details
Tests / test (pull_request) Failing after 24s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 35s
Details
security: fix auth bypass and CORS misconfiguration (V-008, V-009) 
API Server security hardening:

V-009 (CVSS 8.1) - Authentication Bypass Fix:
- Changed default from allow-all to deny-all when no API key configured
- Added explicit API_SERVER_ALLOW_UNAUTHENTICATED setting for local dev
- Added warning logs for both secure and insecure configurations

V-008 (CVSS 8.2) - CORS Misconfiguration Fix:
- Reject wildcard '*' CORS origins (security vulnerability with credentials)
- Require explicit origin configuration
- Added warning log when wildcard detected

Changes:
- gateway/platforms/api_server.py: Hardened auth and CORS handling

Refs: V-008, V-009 in SECURITY_AUDIT_REPORT.md
CWE-287: Improper Authentication
CWE-942: Permissive Cross-domain Policy
2026-03-30 23:54:58 +00:00
..
builtin_hooks
feat: built-in boot-md hook — run BOOT.md on gateway startup (#3733)
2026-03-29 10:19:54 -07:00
platforms
security: fix auth bypass and CORS misconfiguration (V-008, V-009)
2026-03-30 23:54:58 +00:00
__init__.py
Enhance CLI with multi-platform messaging integration and configuration management
2026-02-02 19:01:51 -08:00
channel_directory.py
chore: remove ~100 unused imports across 55 files (#3016)
2026-03-25 15:02:03 -07:00
config.py
feat(telegram): add group mention gating and regex triggers (#3870)
2026-03-29 21:53:59 -07:00
delivery.py
chore: remove ~100 unused imports across 55 files (#3016)
2026-03-25 15:02:03 -07:00
hooks.py
feat: built-in boot-md hook — run BOOT.md on gateway startup (#3733)
2026-03-29 10:19:54 -07:00
mirror.py
chore: remove ~100 unused imports across 55 files (#3016)
2026-03-25 15:02:03 -07:00
pairing.py
refactor: consolidate ~/.hermes directory layout with backward compat (#3610)
2026-03-28 15:22:19 -07:00
run.py
fix: background task media delivery + vision download timeout (#3919)
2026-03-30 02:59:39 -07:00
session.py
fix: gateway token double-counting — use absolute set instead of increment (#3317)
2026-03-26 19:13:07 -07:00
status.py
refactor: consolidate get_hermes_home() and parse_reasoning_effort() (#3062)
2026-03-25 15:54:28 -07:00
sticker_cache.py
chore: remove ~100 unused imports across 55 files (#3016)
2026-03-25 15:02:03 -07:00
stream_consumer.py
fix: handle message length overflow in streaming mode (#1783)
2026-03-17 11:00:52 -07:00