feat: optional HTTPS/TLS support via cert and key env vars (#199)

Add optional HTTPS support controlled by two env vars:
  HERMES_WEBUI_TLS_CERT=/path/to/cert.pem
  HERMES_WEBUI_TLS_KEY=/path/to/key.pem

- Wraps server socket with ssl.SSLContext (min TLSv1.2)
- Dynamic scheme detection for startup messages (http:// vs https://)
- Graceful fallback to HTTP if cert loading fails — server never crashes
  due to bad TLS config, just prints a warning and continues
- Auth cookie Secure flag already set when HTTPS is detected via getpeercert
- 6 end-to-end tests: config flags, HTTPS handshake, HTTP still works,
  fallback on bad paths

Addresses #191 (HTTPS support issue).
Cyprian Kowalczyk
2026-04-09 21:08:29 -04:00
committed by GitHub
parent 392bc5df6e
commit 011034dc71
3 changed files with 237 additions and 2 deletions

@@ -28,6 +28,11 @@ REPO_ROOT = Path(__file__).parent.parent.resolve()
HOST = os.getenv('HERMES_WEBUI_HOST', '127.0.0.1')
PORT = int(os.getenv('HERMES_WEBUI_PORT', '8787'))
# ── TLS/HTTPS config (optional, env-overridable) ────────────────────────────
TLS_CERT = os.getenv('HERMES_WEBUI_TLS_CERT', '').strip() or None
TLS_KEY = os.getenv('HERMES_WEBUI_TLS_KEY', '').strip() or None
TLS_ENABLED = TLS_CERT is not None and TLS_KEY is not None
# ── State directory (env-overridable, never inside repo) ──────────────────────
STATE_DIR = Path(os.getenv(
'HERMES_WEBUI_STATE_DIR',
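Review bot: The `TLS_ENABLED = TLS_CERT is not None and TLS_KEY is not None` line silently evaluates to False when only one of `HERMES_WEBUI_TLS_CERT` and `HERMES_WEBUI_TLS_KEY` is set (or one is whitespace-only and stripped to None), so an operator who mistyped or omitted one variable gets plain HTTP with no indication at this point that TLS was requested. Consider detecting the case where exactly one of the two is set and emitting a warning or refusing to start, and add a comment here stating that both variables are required. Together with the fallback to HTTP on a bad certificate that the commit message describes, this is a second path by which a deployment meant to be HTTPS-only ends up serving cleartext, so an explicit opt-in to fail closed would be worth adding.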