fix: restore accidentally deleted websocket close code assertion

The endpoint accepted empty strings, allowing any .env key to be
silently blanked out from the web UI. Add Pydantic validators to
reject empty keys and values.

hermes_cli/web_server.py

@@ -53,7 +53,7 @@ try:
     from fastapi.middleware.cors import CORSMiddleware
     from fastapi.responses import FileResponse, HTMLResponse, JSONResponse
     from fastapi.staticfiles import StaticFiles
-    from pydantic import BaseModel
+    from pydantic import BaseModel, field_validator
 except ImportError:
     raise SystemExit(
         "Web UI requires fastapi and uvicorn.\n"
@@ -425,6 +425,20 @@ class EnvVarUpdate(BaseModel):
     key: str
     value: str
 
+    @field_validator("key")
+    @classmethod
+    def key_must_be_nonempty(cls, v: str) -> str:
+        if not v.strip():
+            raise ValueError("key must not be empty")
+        return v
+
+    @field_validator("value")
+    @classmethod
+    def value_must_be_nonempty(cls, v: str) -> str:
+        if not v.strip():
+            raise ValueError("value must not be empty; use DELETE /api/env to remove a key")
+        return v
+
 
 class EnvVarDelete(BaseModel):
     key: str

tests/hermes_cli/test_web_server.py

@@ -1925,3 +1925,34 @@ class TestPtyWebSocket:
             ):
                 pass
         assert exc.value.code == 4400
+
+
+class TestEnvVarUpdateValidation:
+    """PUT /api/env must reject empty values to prevent .env key destruction."""
+
+    def test_rejects_empty_value(self):
+        from hermes_cli.web_server import EnvVarUpdate
+        import pydantic
+
+        with pytest.raises(pydantic.ValidationError):
+            EnvVarUpdate(key="SOME_KEY", value="")
+
+    def test_rejects_whitespace_only_value(self):
+        from hermes_cli.web_server import EnvVarUpdate
+        import pydantic
+
+        with pytest.raises(pydantic.ValidationError):
+            EnvVarUpdate(key="SOME_KEY", value="   ")
+
+    def test_accepts_nonempty_value(self):
+        from hermes_cli.web_server import EnvVarUpdate
+
+        update = EnvVarUpdate(key="SOME_KEY", value="sk-abc123")
+        assert update.value == "sk-abc123"
+
+    def test_rejects_empty_key(self):
+        from hermes_cli.web_server import EnvVarUpdate
+        import pydantic
+
+        with pytest.raises(pydantic.ValidationError):
+            EnvVarUpdate(key="", value="some-value")