fix: harden web gateway security and fix error swallowing

- Use hmac.compare_digest for timing-safe token comparison (3 endpoints) - Default bind to 127.0.0.1 instead of 0.0.0.0 - Sanitize upload filenames with Path.name to prevent path traversal - Add DOMPurify to sanitize marked.parse() output against XSS - Replace add_static with authenticated media handler - Hide token in group chats for /remote-control command - Use ctypes.util.find_library for Opus instead of hardcoded paths - Add force=True to 5 interrupt _vprint calls for visibility - Log Opus decode errors and voice restart failures instead of swallowing
2026-04-28 06:51:16 +08:00 · 2026-03-13 15:29:18 +03:00
parent d646442692
commit 0ff1b4ade2
8 changed files with 59 additions and 30 deletions
--- a/cli.py
+++ b/cli.py
@@ -3709,8 +3709,8 @@ class HermesCLI:
                        self._voice_start_recording()
                        if hasattr(self, '_app') and self._app:
                            self._app.invalidate()
-                    except Exception:
-                        pass
+                    except Exception as e:
+                        _cprint(f"{_DIM}Voice auto-restart failed: {e}{_RST}")
                threading.Thread(target=_restart_recording, daemon=True).start()

    def _voice_speak_response(self, text: str):