Feature Description
Currently, the hermes dashboard command binds to 127.0.0.1:9119 by default and the CORS allow_origin_regex in hermes_cli/web_server.py is hardcoded to r"^https?://(localhost|127\.0\.0\.1)(:\d+)?$".
This prevents users from accessing the web UI dashboard remotely over a secure VPN like Tailscale, even if they pass the --host 0.0.0.0 flag (the Vite/React frontend loads, but all API calls to the FastAPI backend fail the CORS check).
Proposed Solution
- Add a config-oriented way (in
config.yaml or via an env var like HERMES_DASHBOARD_HOST / HERMES_DASHBOARD_CORS_ORIGINS) to override the hardcoded localhost CORS regex.
- Allow configuring the default bind host/port in
config.yaml under a dashboard: section so it survives upgrades without needing to constantly pass CLI flags.
Reference commit: 247929b (recent dashboard additions).
Feature Description
Currently, the
hermes dashboardcommand binds to127.0.0.1:9119by default and the CORSallow_origin_regexinhermes_cli/web_server.pyis hardcoded tor"^https?://(localhost|127\.0\.0\.1)(:\d+)?$".This prevents users from accessing the web UI dashboard remotely over a secure VPN like Tailscale, even if they pass the
--host 0.0.0.0flag (the Vite/React frontend loads, but all API calls to the FastAPI backend fail the CORS check).Proposed Solution
config.yamlor via an env var likeHERMES_DASHBOARD_HOST/HERMES_DASHBOARD_CORS_ORIGINS) to override the hardcoded localhost CORS regex.config.yamlunder adashboard:section so it survives upgrades without needing to constantly pass CLI flags.Reference commit: 247929b (recent dashboard additions).