diff --git a/hermes-agent-ws-fix.patch b/hermes-agent-ws-fix.patch new file mode 100644 index 0000000..0fb0d80 --- /dev/null +++ b/hermes-agent-ws-fix.patch @@ -0,0 +1,37 @@ +From 3ec3de7a6c481014bd3ded51021a3c62f24df9b9 Mon Sep 17 00:00:00 2001 +From: Andy +Date: Fri, 29 May 2026 02:06:43 +0000 +Subject: [PATCH] fix(dashboard): allow non-loopback WS clients when bound to + 0.0.0.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the dashboard is bound to all interfaces with --insecure, +_ws_client_is_allowed was incorrectly rejecting WebSocket upgrades +from non-loopback clients (e.g. browser on LAN). The Host/Origin +guard in _ws_host_origin_is_allowed already handles DNS-rebinding +protection — the client-IP check is redundant for 0.0.0.0 binds. +--- + hermes_cli/web_server.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hermes_cli/web_server.py b/hermes_cli/web_server.py +index 872546196..3d0824244 100644 +--- a/hermes_cli/web_server.py ++++ b/hermes_cli/web_server.py +@@ -3390,6 +3390,11 @@ def _ws_client_is_allowed(ws: "WebSocket") -> bool: + """ + if getattr(app.state, "auth_required", False): + return True ++ # Bound to all interfaces (0.0.0.0 / --insecure): accept WS from any peer. ++ # The Host check in _ws_host_origin_is_allowed handles DNS-rebinding. ++ bound_host = getattr(app.state, "bound_host", None) ++ if bound_host in {"0.0.0.0", ""}: ++ return True + client_host = ws.client.host if ws.client else "" + if not client_host: + return True +-- +2.39.5 +