# Web Chat Server for Hermes Agent

A standalone Python HTTP server that provides a password-protected web chat interface for Hermes Agent. Uses only Python standard library — no pip installs needed.

## When to Use

- You want a browser-based chat UI for Hermes with password protection
- Hermes Dashboard (`hermes dashboard`) has no built-in auth and you need one
- You want to share Hermes access via a simple URL + password

## File Location

`/root/.hermes/webchat/server.py` (or any path you choose)

## Quick Start

```bash
# Start the server (HTTP, port 8888)
python3 /root/.hermes/webchat/server.py

# Or use the template below and customize PASSWORD / PORT
```

Then access `http://<server-ip>:8888`, enter the password, and chat.

## Nginx Reverse Proxy (Recommended)

Put Nginx in front for SSL termination and proper security:

```nginx
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 120;
    }
}
```

**Important:** The Python server must run plain HTTP (`USE_SSL = False`) when Nginx handles TLS. Setting both to SSL causes `502 Bad Gateway`.

## Server Template

```python
#!/usr/bin/env python3
"""Hermes Web Chat Server - password-protected web chat"""

import http.server
import json
import hashlib
import os
import subprocess
import time
import threading

PASSWORD = "CHANGE_ME"
PORT = 8888
HOST = "0.0.0.0"
HERMES_CLI = "hermes"

sessions = {}
sessions_lock = threading.Lock()

def gen_session_id():
    return hashlib.sha256(os.urandom(32) + str(time.time()).encode()).hexdigest()[:32]

# ... (full HTML templates for LOGIN_PAGE and CHAT_PAGE) ...

class Handler(http.server.BaseHTTPRequestHandler):
    # Session management via cookies
    # POST /api/login  -> {password} -> sets cookie
    # POST /api/chat   -> {message}   -> calls `hermes chat -Q -q <msg> --yolo`
    # POST /api/logout -> clears session

if __name__ == '__main__':
    server = http.server.HTTPServer((HOST, PORT), Handler)
    server.serve_forever()
```

## Hermes CLI Invocation

The server calls Hermes via subprocess:

```python
result = subprocess.run(
    [HERMES_CLI, 'chat', '-Q', '-q', message, '--yolo'],
    capture_output=True, text=True, timeout=120
)
response = result.stdout.strip()
# Filter out session_id metadata lines
lines = [l for l in response.split('\n')
         if l.strip() and not l.strip().startswith('session_id:')]
response = '\n'.join(lines).strip()
```

## Security Notes

- Change the default password immediately
- Use HTTPS (via Nginx + Let's Encrypt or Cloudflare Tunnel)
- The server stores sessions in memory — restarting clears all sessions
- No rate limiting is implemented; add it if exposed to untrusted networks
- Firewall port 8888 to only allow Nginx (or localhost) if using a reverse proxy