fix: HERMES_WEBUI_DEFAULT_WORKSPACE wins over settings.json; trust DEFAULT_WORKSPACE subtree (#610)

Squash-merges PR #610. Fixes Docker workspace env var override and trust validation (issue #609). 1367 tests passing, QA harness green. Reviewed by independent agent (see PR comments).
2026-04-16 18:09:16 -07:00
parent b608f8837e
commit 2484409b7a
6 changed files with 182 additions and 6 deletions
--- a/api/config.py
+++ b/api/config.py
@@ -1311,13 +1311,18 @@ def save_settings(settings: dict) -> dict:


 # Apply saved settings on startup (override env-derived defaults)
+# Exception: if HERMES_WEBUI_DEFAULT_WORKSPACE is explicitly set in the
+# environment, it wins over whatever settings.json has stored.  Persisted
+# config must never shadow an explicit env-var override (Docker deployments
+# rely on this — otherwise deleting settings.json is the only escape).
 _startup_settings = load_settings()
 if SETTINGS_FILE.exists():
    if _startup_settings.get("default_model"):
        DEFAULT_MODEL = _startup_settings["default_model"]
-    DEFAULT_WORKSPACE = resolve_default_workspace(
-        _startup_settings.get("default_workspace")
-    )
+    if not os.getenv("HERMES_WEBUI_DEFAULT_WORKSPACE"):
+        DEFAULT_WORKSPACE = resolve_default_workspace(
+            _startup_settings.get("default_workspace")
+        )
    if _startup_settings.get("default_workspace") != str(DEFAULT_WORKSPACE):
        _startup_settings["default_workspace"] = str(DEFAULT_WORKSPACE)
        try:
--- a/api/workspace.py
+++ b/api/workspace.py
@@ -283,9 +283,22 @@ def resolve_trusted_workspace(path: str | Path | None = None) -> Path:
    except Exception:
        pass

+    # (C) Trusted if it is equal to or under the boot-time DEFAULT_WORKSPACE.
+    #     In Docker deployments HERMES_WEBUI_DEFAULT_WORKSPACE is often set to a
+    #     volume mount outside the user's home (e.g. /data/workspace).  That path
+    #     was already validated at server startup, so any sub-path of it is safe
+    #     without requiring the user to add it to the workspace list manually.
+    try:
+        boot_default = Path(_BOOT_DEFAULT_WORKSPACE).expanduser().resolve()
+        candidate.relative_to(boot_default)
+        return candidate
+    except ValueError:
+        pass
+
    raise ValueError(
-        f"Path is outside the user home directory and not in the saved workspace "
-        f"list: {candidate}. Add it via Settings → Workspaces first."
+        f"Path is outside the user home directory, not in the saved workspace "
+        f"list, and not under the default workspace: {candidate}. "
+        f"Add it via Settings → Workspaces first."
    )