Files
hermes-webui/api
nesquena-hermes c514b32f61 fix(security #3234): cover ALL Hermes roots in /api/media deny-list (Codex review #2)
Under a named profile, process HERMES_HOME is ~/.hermes/profiles/<name> but the
allowlist still grants base ~/.hermes — so the prior deny (anchored only on the
active-profile root + STATE_DIR) left ~/.hermes/state.db and sibling-profile
secrets (~/.hermes/profiles/other/auth.json) reachable. Build deny roots from
every Hermes state root the allowlist accepts: active HERMES_HOME, base ~/.hermes,
api.profiles._DEFAULT_HERMES_HOME, and STATE_DIR; apply the state-subdir dir-denies
under each. Widen the CSP-slice structural test window to match.
2026-05-31 02:45:17 +00:00
..
2026-05-28 13:38:50 -04:00
2026-04-29 19:54:07 -07:00
2026-05-25 00:14:38 +00:00
2026-05-28 17:47:33 +00:00
2026-05-30 11:25:33 +02:00
2026-05-28 08:33:50 -04:00