fix: support reverse proxy domains via HERMES_DASHBOARD_EXTRA_HOSTS env var

[Cyrene963]

Problem

When the dashboard is bound to 127.0.0.1 (default), the Host header validation middleware rejects requests from reverse proxy domains (e.g. webui.bz9.me via Cloudflare). This makes the dashboard unusable behind any reverse proxy without using --insecure (which binds to 0.0.0.0).

The user sees a blank page because:

1. HTML loads (200 OK — the SPA fallback serves index.html for any path)
2. JS loads and React mounts
3. API calls fail with 400 (Invalid Host header)
4. React crashes with empty error

Solution

Add HERMES_DASHBOARD_EXTRA_HOSTS environment variable support to _is_accepted_host(). When set (comma-separated list of hostnames), the specified domains are accepted alongside the loopback aliases.

Usage

# CLI
HERMES_DASHBOARD_EXTRA_HOSTS=webui.bz9.me hermes dashboard

# systemd service
Environment=HERMES_DASHBOARD_EXTRA_HOSTS=webui.bz9.me,admin.example.com

Why not --insecure?

--insecure binds to 0.0.0.0, which exposes the dashboard to the entire network. The env var approach keeps the loopback bind while only adding specific trusted hostnames — much safer for users behind Cloudflare, Caddy, or Nginx reverse proxies.

Changes

• hermes_cli/web_server.py: 7 lines added to _is_accepted_host() — reads HERMES_DASHBOARD_EXTRA_HOSTS env var and accepts matching hostnames.

[alt-glitch]

Competing implementation with #20136 which uses config-based dashboard.allowed_hosts. This PR uses env var HERMES_DASHBOARD_EXTRA_HOSTS instead. Also overlaps with #21104.

[Cyrene963]

Re-evaluating closure status for #22437

I closed this after noting competing implementations, but I rechecked the referenced alternatives and do not see a merged replacement yet. Reopening so this small reverse-proxy host support fix remains trackable; if maintainers prefer the config-based shape from another PR, I can adapt this branch accordingly.