fix(security): gate auto-install behind HERMES_WEBUI_AUTO_INSTALL=1 — v0.50.156

Breaking: auto_install_agent_deps() is now disabled by default. Set HERMES_WEBUI_AUTO_INSTALL=1 to re-enable. New _trusted_agent_dir() checks ownership and permission bits. Addresses #842 by @tomaioo.
2026-04-22 13:49:28 -07:00
parent 96cb880a12
commit 3a63fe479e
4 changed files with 111 additions and 29 deletions
--- a/README.md
+++ b/README.md
@@ -291,6 +291,7 @@ If discovery finds everything, nothing else is required.
 export HERMES_WEBUI_AGENT_DIR=/path/to/hermes-agent
 export HERMES_WEBUI_PYTHON=/path/to/python
 export HERMES_WEBUI_PORT=9000
+export HERMES_WEBUI_AUTO_INSTALL=1  # enable auto-install of agent deps (disabled by default)
 ./start.sh
 ```