290acdb59c
- Secure token file permissions (0o600) in dashboard callback handler
- Validate refresh_token presence after code exchange
- HTML-escape all dynamic values in callback pages (XSS prevention)
- Raise error when only placeholder credentials are available
- Fix docstring to match actual behavior (no standalone fallback)
- Validate OAuth state parameter in headless mode
- Reduce client_id log exposure to 8 chars
- Use configurable port for dashboard redirect URI (app.state.bound_port)
- Read HERMES_DASHBOARD_PORT env var instead of hardcoding 9119
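The hardening steps the message lists, as an added example that is not the project's own code: the function names, the redirect path, the `display_name` query parameter and the token-file format are assumptions made for illustration.

```python
# Added example, not code from the commit: a minimal OAuth callback flow that
# applies the fixes listed above. Function names and paths are assumptions.
import hmac
import html
import json
import os


def dashboard_port(env=os.environ, default: int = 9119) -> int:
    """Read the port from HERMES_DASHBOARD_PORT instead of hardcoding 9119."""
    raw = env.get("HERMES_DASHBOARD_PORT", "")
    return int(raw) if raw.isdigit() else default


def redirect_uri(bound_port: int) -> str:
    """Build the redirect URI from the port the server actually bound to,
    so it stays correct when the default port was unavailable."""
    return f"http://127.0.0.1:{bound_port}/oauth/callback"  # path assumed


def redact_client_id(client_id: str) -> str:
    """Log only the first 8 characters of client_id."""
    return client_id[:8] + "..." if len(client_id) > 8 else client_id


def write_token_file(path: str, tokens: dict) -> int:
    """Create the token file owner-read/write only (0o600) at creation time,
    so it is never briefly readable by other local users before a later chmod.
    Returns the resulting permission bits for verification."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(tokens, fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed
    return os.stat(path).st_mode & 0o777


def handle_callback(params: dict, expected_state: str, exchange_code) -> str:
    """Validate state, exchange the code, require refresh_token, and render
    the callback page with every dynamic value HTML-escaped."""
    state = params.get("state", "")
    # Constant-time comparison; a mismatch means a forged or replayed callback.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("OAuth state mismatch")
    tokens = exchange_code(params.get("code", ""))
    if not tokens.get("refresh_token"):
        raise ValueError("token response missing refresh_token")
    # html.escape handles <, >, &, and both quote characters, so query values
    # under the browser's control cannot inject markup into the page.
    shown = html.escape(params.get("display_name", "user"))
    return f"<p>Signed in as {shown}</p>"
```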