
feat(cli): add --insecure-chat flag for non-loopback WS chat clients #15736

Open
qpilotwave wants to merge 1 commit into NousResearch:main from qpilotwave:feat/insecure-chat


qpilotwave commented Apr 25, 2026


What does this PR do?

The embedded TUI Chat tab (hermes dashboard --tui) rejects WebSocket connections from non-loopback IPs to prevent unauthorized remote access to the PTY. This is correct for localhost-only use, but blocks usage over Tailscale, VPNs, or LAN when the dashboard is intentionally bound to a non-loopback address with --insecure.

Add --insecure-chat which, when combined with --tui, skips the ws.client.host loopback check on all chat WebSocket endpoints:

  • /api/pty
  • /api/ws
  • /api/pub
  • /api/events

Update the web-dashboard docs to document the new flag and clarify that the Chat tab only appears when --tui is passed.

Related Issue

#15731

Type of Change

  • ✨ New feature (non-breaking change that adds functionality)

Changes Made

  • Add --insecure-chat flag parsing: hermes_cli/main.py
  • Skip checks when --insecure-chat flag is passed: hermes_cli/web_server.py
  • Document new flag, clarify the --tui flag in the hermes dashboard command: website/docs/user-guide/features/web-dashboard.md

How to Test

  1. Run hermes dashboard --tui --host 0.0.0.0 --insecure --insecure-chat
  2. Go to the Chat tab in the Hermes web dashboard (use a non-loopback IP address of the host)
  3. Confirm you can chat with the agent

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: Arch Linux

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

The embedded TUI Chat tab (hermes dashboard --tui) rejects WebSocket
connections from non-loopback IPs to prevent unauthorized remote access
to the PTY. This is correct for localhost-only use, but blocks usage
over Tailscale, VPNs, or LAN when the dashboard is intentionally bound
to a non-loopback address with --insecure.

Add --insecure-chat which, when combined with --tui, skips the
ws.client.host loopback check on all chat WebSocket endpoints:
- /api/pty
- /api/ws
- /api/pub
- /api/events

Update the web-dashboard docs to document the new flag, clarify that
the Chat tab only appears when --tui is passed, and explain the
security trade-off.
alt-glitch added labels on Apr 25, 2026: type/feature (New feature or request); P3 (Low — cosmetic, nice to have); comp/cli (CLI entry point, hermes_cli/, setup wizard); comp/tui (Terminal UI, ui-tui/ + tui_gateway/)
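
A sketch of the peer check this PR describes and of what the flag changes, added here as an example; it is not the project's code from hermes_cli/web_server.py. The function names, the sample peers and the reading of "combined with --tui" as a logical AND are assumptions.

```python
import ipaddress

# Constructed sample peers, one per chat endpoint named in the PR description.
SAMPLE_PEERS = [
    ("/api/pty", "127.0.0.1"),
    ("/api/ws", "::ffff:127.0.0.1"),     # IPv4 loopback seen via a dual-stack socket
    ("/api/events", "100.101.102.103"),  # CGNAT-range address (VPN-style peer)
    ("/api/pub", "192.168.1.20"),        # LAN peer
]


def is_loopback_peer(host):
    """True only when the peer address string parses as a loopback IP."""
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return False  # names such as "localhost" are not trusted, only parsed IPs
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    if mapped is not None:
        addr = mapped
    return addr.is_loopback


def chat_ws_allowed(host, *, tui, insecure_chat):
    """Loopback peers always pass; others only with both flags set (assumed AND)."""
    return is_loopback_peer(host) or bool(tui and insecure_chat)


def admitted_by_flag(conns, *, tui, insecure_chat):
    """Connections that pass only because the loopback check was skipped."""
    return [
        (path, host)
        for path, host in conns
        if not is_loopback_peer(host)
        and chat_ws_allowed(host, tui=tui, insecure_chat=insecure_chat)
    ]


if __name__ == "__main__":
    for path, host in admitted_by_flag(SAMPLE_PEERS, tui=True, insecure_chat=True):
        print(f"non-loopback peer {host} admitted to {path} via --insecure-chat")
```

Logging every connection that admitted_by_flag returns gives an audit trail of remote access to the PTY while the flag is on.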