[codex] Fix dashboard chat and browser voice over Tailscale

[Julientalbot]

Summary

Fixes the dashboard Chat tab for remote Tailscale usage and adds browser-based voice paths that work from the device running the dashboard, not only from the machine hosting Hermes.

• Allow dashboard WebSocket clients through an explicit HERMES_DASHBOARD_ALLOWED_HOSTS proxy-host allowlist when the dashboard is bound to loopback behind a trusted local HTTPS proxy.
• Add /api/voice/transcribe so the browser can upload recorded microphone audio and reuse the existing server-side STT pipeline.
• Add /api/voice/synthesize so dashboard responses can reuse the configured Hermes TTS provider and play back in the browser.
• Add a one-shot Chat voice button that records with MediaRecorder, sends the transcript into the embedded PTY, and restores terminal focus/layout on failures.
• Add a minimal hands-free Chat mode: browser VAD detects speech, transcribes a turn, sends it to the active agent, waits for message.complete, synthesizes the answer, plays it in the browser, then returns to listening.
• Cover proxy-host handling, WebSocket allowance, upload bounds, auth, cleanup, hallucination filtering, and dashboard TTS failure paths in web server tests.

Root Cause

The dashboard could be served through Tailscale HTTPS while the embedded Chat WebSockets were still treated as non-loopback clients and rejected. Browser microphone APIs also require a secure context, so the old HTTP/Tailscale-IP access path was insufficient for remote voice usage. The classic voice/TTS flow also records and plays audio on the host machine, which breaks the expected dashboard model when the user is on a MacBook, iPhone, or other Tailscale-connected device.

Validation

• npx eslint src/pages/ChatPage.tsx
• /Users/ergonomia_mac_mini/.hermes/hermes-agent/venv/bin/python -m pytest tests/hermes_cli/test_web_server.py -k dashboard_voice
• npm run build
• git diff --check hermes_cli/web_server.py tests/hermes_cli/test_web_server.py web/src/pages/ChatPage.tsx
• Manual Tailscale HTTPS check: /chat loads from https://mac-mini-de-ergonomia-mac-mini.taild069eb.ts.net/chat and classic browser voice works remotely.

CI Note

The Lint (ruff + ty) workflow can report failure on this fork PR because its final GitHub Script step tries to create/update a PR comment with a read-only GITHUB_TOKEN. The actual lint diff summary for commit 678bf8514 reports ruff new issues: none, and ty new issues: none.

Notes

This PR intentionally excludes unrelated local changes in gateway/*, the xAI video tool files, and web/public/voice/*.

[StartupBros]

Hey @Julientalbot — I missed this PR when I did my dashboard-host-allowlist landscape review earlier today (the duplicate-detector bot didn't flag it on the others, so I didn't widen my search like I should have). Apologies for the late notice.

Your Host-validator change is the closest comparator to my #29195 — same env var name (HERMES_DASHBOARD_ALLOWED_HOSTS), same correct placement (extras gated inside the bound_lc in _LOOPBACK_HOST_VALUES branch, so explicit non-loopback binds aren't widened).

Differences worth noting:

• This PR bundles the host-allowlist with browser voice transcription/synthesis endpoints (2050 lines total) — multi-fix.
• feat(dashboard): allow extra hostnames in Host validator via env var #29195 is host-allowlist only (~16 LOC + 7 unit tests in the GHSA-annotated test file).

For the host-allowlist piece specifically the maintainer can pick either — placement logic is equivalent. The voice endpoints are an orthogonal capability nobody else is tackling. If splitting helps land them, the voice piece could be its own PR.