perf(caching): HTTP response cache + security hardening#3826

Open
jecruz wants to merge 10 commits into NousResearch:main from jecruz:main

Conversation

@jecruz jecruz commented Mar 29, 2026

Summary

  • HTTP response cache: TTL-based LRU cache for web API calls, keyed by method + URL + sorted params
  • Security hardening: HMAC constant-time comparison for API key auth, sandbox PYTHONPATH isolation, webhook binds to localhost, SUDO_PASSWORD not loaded from .env
  • CLI regex pre-compilation: 13 regex patterns compiled at module level instead of per-call
  • ResponseStore threading: RLock added to all ResponseStore methods for thread safety

Tests

13/13 tests passing. Runtime verification across 14 behavioral blocks all pass.

Motivation

The caching layer prevents redundant API calls (e.g. exa/parallel search with identical parameters) and the security hardening closes several local-exploit vectors.

Breaking changes

None.

jecruz and others added 10 commits March 29, 2026 19:45

Binding to 0.0.0.0 exposes the webhook receiver on all network interfaces, bypassing reverse proxies and firewalls that front the service.

Change DEFAULT_HOST from 0.0.0.0 to 127.0.0.1 and add WEBHOOK_HOST env var for override. 3 new TestBindAddress tests added. SMS adapter same issue is out of scope.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Constant-time comparison prevents timing attacks where an attacker
could measure response latency to brute-force the API key byte-by-byte.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Storing plaintext passwords in .env.example normalizes a security risk.
The file is version-controlled and trivially readable, making it
inappropriate for credentials. Safer alternatives are already documented
above this line: passwordless sudo via /etc/sudoers, SSH backend,
or running as root in containers.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Security hardening for API server authentication:

H1 - Auth bypass when no key configured:
- API server now requires explicit opt-in via API_SERVER_ALLOW_NOAUTH=true
- Without this flag, requests are rejected with 401 when no API key is set
- Added startup warning when host is non-loopback and no key is set
- hmac.compare_digest already in place for constant-time key comparison

H6 - ResponseStore concurrency protection:
- Added threading.RLock to serialize all SQLite operations
- Protects against race conditions when multiple concurrent requests
  access the response store simultaneously

Co-Authored-By: Claude Opus 4.6 <[email protected]>
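
Added example, not hermes-agent's code and not part of this PR, illustrating the three auth-related commits above: the short-circuiting comparison a timing attack exploits next to the hmac.compare_digest replacement, the H1 rule that a missing key yields 401 unless API_SERVER_ALLOW_NOAUTH=true is set, and the startup warning for a non-loopback bind with no key. API_SERVER_ALLOW_NOAUTH and WEBHOOK_HOST are taken from the commit messages; API_SERVER_KEY and all function names are assumed stand-ins.

```python
# Added example (not hermes-agent's own code). Shows the auth checks the commit
# messages describe: hmac.compare_digest for the key comparison, an explicit
# opt-in for running with no key, and a warning for a non-loopback bind without
# a key. API_SERVER_ALLOW_NOAUTH and WEBHOOK_HOST come from the commit messages;
# API_SERVER_KEY and every function name here are assumed stand-ins.
import hmac
import ipaddress
from typing import List, Mapping, Optional, Tuple


def naive_prefix_compare(presented: bytes, expected: bytes) -> Tuple[bool, int]:
    """A short-circuiting comparison, i.e. what a timing attack exploits.

    Returns (equal, bytes_examined). The loop stops at the first mismatch, so the
    work done, and hence latency, grows with the length of the matching prefix:
    an attacker can confirm the key one byte at a time.
    """
    examined = 0
    for a, b in zip(presented, expected):
        examined += 1
        if a != b:
            return False, examined
    return len(presented) == len(expected), examined


def api_keys_match(presented: str, expected: str) -> bool:
    """Constant-time comparison: the time taken does not depend on where the
    first differing byte is. Only the lengths are observable."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def is_loopback_host(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def authorize(presented_key: Optional[str], env: Mapping[str, str]) -> Tuple[int, str]:
    """HTTP status and reason for one request, in the H1 shape: no configured
    key means 401 unless API_SERVER_ALLOW_NOAUTH=true was set deliberately."""
    configured = env.get("API_SERVER_KEY", "")   # assumed variable name
    if not configured:
        if env.get("API_SERVER_ALLOW_NOAUTH", "").strip().lower() == "true":
            return 200, "ok (no key configured; unauthenticated access explicitly allowed)"
        return 401, "no API key configured and API_SERVER_ALLOW_NOAUTH is not true"
    if presented_key is None or not api_keys_match(presented_key, configured):
        return 401, "invalid or missing API key"
    return 200, "ok"


def startup_warnings(env: Mapping[str, str]) -> List[str]:
    """Warnings to log before binding. The default host mirrors the bind-address
    commit (127.0.0.1, overridable via WEBHOOK_HOST)."""
    host = env.get("WEBHOOK_HOST", "127.0.0.1")
    found = []
    if not is_loopback_host(host) and not env.get("API_SERVER_KEY"):
        found.append(f"binding to {host} (non-loopback) with no API key configured: "
                     "anyone who can reach this interface can call the API")
    return found


if __name__ == "__main__":
    env = {"API_SERVER_KEY": "s3cret-key"}
    print(authorize("s3cret-key", env))
    print(authorize("s3cret-kez", env))
    print(authorize(None, {}))
    print(naive_prefix_compare(b"s3cXXX", b"s3cret"))   # stops after 4 bytes
    print(naive_prefix_compare(b"wrong!", b"s3cret"))   # stops after 1 byte
    print(startup_warnings({"WEBHOOK_HOST": "0.0.0.0"}))
```

The bytes_examined counter makes the leak visible without a noisy timing measurement: a guess sharing three leading bytes with the real key is examined longer than one sharing none. compare_digest removes that dependency, which is why the key comparison in the earlier commit matters even though the key is only ever sent by a local client.
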

Sandboxed code execution must not be able to import hermes-agent
source-tree modules to exfiltrate credentials. Previously, the
_hermes_root was prepended to the child's PYTHONPATH, allowing
sandboxed scripts to 'from hermes_cli.auth import _load_auth_store'
and read OAuth tokens from the auth store.

Fix: only add tmpdir (where hermes_tools.py lives) to PYTHONPATH.
This allows 'from hermes_tools import ...' to work as expected while
blocking access to the full source tree.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
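
Added example, not hermes-agent's sandbox code and not part of this PR, reproducing the PYTHONPATH problem from the commit above with a constructed stand-in layout: a fake source tree whose hermes_cli/auth.py returns a fake token, a tools directory holding hermes_tools.py, and a probe script run as a child process once with the root prepended to PYTHONPATH and once with only the tools directory. Every path and module name below is constructed for the demonstration.

```python
# Added example, not hermes-agent's own code: shows how prepending the repository
# root to a child's PYTHONPATH lets sandboxed code import the agent's own modules,
# and how restricting PYTHONPATH to the tools directory blocks that. The fake
# module contents, token value and directory names are all constructed.
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import List

# What the sandboxed script attempts: the helper it is allowed to use, and the
# source-tree module that would hand it the auth store.
PROBE = r"""
import json
out = {}
try:
    import hermes_tools
    out["hermes_tools"] = hermes_tools.helper()
except ImportError:
    out["hermes_tools"] = None
try:
    from hermes_cli.auth import _load_auth_store
    out["auth_store"] = _load_auth_store()
except ImportError:
    out["auth_store"] = None
print(json.dumps(out))
"""


def build_fixture(base: Path) -> tuple:
    """Constructed stand-in for the layout: a fake source tree with a module that
    returns a (fake) secret, and a tools dir with the allowed helper module."""
    root = base / "fake_hermes_root"
    (root / "hermes_cli").mkdir(parents=True)
    (root / "hermes_cli" / "__init__.py").write_text("")
    (root / "hermes_cli" / "auth.py").write_text(
        "def _load_auth_store():\n    return {'oauth_token': 'FAKE-TOKEN-for-demo'}\n"
    )
    tools = base / "tools_tmpdir"
    tools.mkdir()
    (tools / "hermes_tools.py").write_text("def helper():\n    return 'helper ok'\n")
    # Neutral cwd: python -c puts the cwd on sys.path, so it must not be the root.
    workdir = base / "child_cwd"
    workdir.mkdir()
    return root, tools, workdir


def run_probe(pythonpath_entries: List[Path], cwd: Path) -> dict:
    """Run the probe in a child interpreter with exactly these PYTHONPATH entries."""
    env = dict(os.environ)
    env["PYTHONPATH"] = os.pathsep.join(str(p) for p in pythonpath_entries)
    proc = subprocess.run([sys.executable, "-c", PROBE], cwd=str(cwd), env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def compare_isolation() -> dict:
    """'before': root + tools on PYTHONPATH (the old behaviour); 'after': tools only."""
    with tempfile.TemporaryDirectory() as d:
        root, tools, workdir = build_fixture(Path(d))
        before = run_probe([root, tools], workdir)
        after = run_probe([tools], workdir)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(compare_isolation(), indent=2))
```

In the "before" run the probe gets both the helper and the token; in the "after" run it still gets the helper but the hermes_cli import fails. Two caveats a reviewer would raise: the child's working directory is also on sys.path under python -c, so the fix only holds if the sandbox's cwd is not the repository root, and a package installed into site-packages is importable regardless of PYTHONPATH, so PYTHONPATH trimming is a complement to the sandbox's filesystem restrictions, not a substitute for them.
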

Replaces 11 inline re.sub()/re.compile() calls across _voice_speak_response, _strip_reasoning, and process_loop with module-level pre-compiled pattern constants.

New agent/http_cache.py module provides a thread-safe, TTL-based
in-memory cache for HTTP responses. Applied to web search and extract
functions in tools/web_tools.py:

- _tavily_request: caches POST responses (key: url + params, 5min TTL)
- _parallel_search / _parallel_extract: caches SDK responses (5min TTL)
- _exa_search / _exa_extract: caches SDK responses (5min TTL)

Also added fix to secret-scanner.py hook: FALSE_POSITIVE_VALUES set
and proper break/continue handling to skip known placeholder env var
names without blocking commits.

…ive deps

Add explicit minimum constraints for packages with known CVEs:
- cryptography>=46.0.6 (CVE-2026-34073)
- pillow>=12.1.1 (CVE-2026-25990)
- pygments>=2.20.0 (CVE-2026-4539)
- pypdf>=6.9.2 (DoS/memory/loop CVEs)

Co-Authored-By: Claude Opus 4.6 <[email protected]>