- Ports now bind to HERMES_PUBLISHED_BIND_IP (default 127.0.0.1) so
NPM on the same host proxies to 127.0.0.1:7843/8645/8646 and direct
LAN/internet access is blocked without firewall rules
- runHermes: settle promise immediately on timeout (SIGKILL) instead of
waiting for close event — prevents hanging when hermes spawns children
that keep stdout/stderr open after the parent is killed
- Add HERMES_ADMIN_COOKIE_SECURE env var to set Secure flag on admin
session cookie when the admin UI is served over HTTPS
- Document NPM deployment shapes in README
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
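
Added example, not code from this repository: a Node.js illustration of the runHermes timeout change described in the commit message above, where the promise settles when the SIGKILL timer fires rather than on the `close` event. `runWithTimeout` and its result fields are hypothetical names, since the page does not show the real function.

```javascript
// Added illustration; runWithTimeout is a hypothetical stand-in for runHermes.
const { spawn } = require('node:child_process');

function runWithTimeout(cmd, args, timeoutMs) {
  return new Promise((resolve, reject) => {
    const started = Date.now();
    const child = spawn(cmd, args, { stdio: ['ignore', 'pipe', 'pipe'] });
    let stdout = '';
    let stderr = '';
    let settled = false;
    let timer = null;

    // Settle exactly once, whichever of timeout, close or error comes first.
    const settle = (fn, extra) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      fn(extra instanceof Error
        ? extra
        : { ...extra, stdout, stderr, elapsedMs: Date.now() - started });
    };

    child.stdout.setEncoding('utf8');
    child.stderr.setEncoding('utf8');
    child.stdout.on('data', (chunk) => { stdout += chunk; });
    child.stderr.on('data', (chunk) => { stderr += chunk; });

    timer = setTimeout(() => {
      child.kill('SIGKILL');
      // 'close' is emitted only after every holder of the stdio pipes has
      // closed them. A grandchild that inherited stdout/stderr keeps them
      // open after the parent dies, so do not wait for 'close' here:
      // drop our ends of the pipes and settle now.
      child.stdout.destroy();
      child.stderr.destroy();
      settle(resolve, { timedOut: true, code: null });
    }, timeoutMs);

    child.on('error', (err) => settle(reject, err));
    child.on('close', (code) => settle(resolve, { timedOut: false, code }));
  });
}
```

Destroying the parent's ends of the pipes also lets the Node process exit without waiting for the orphaned grandchild.
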
Embed a postgres:16-alpine service so operators don't need an external
database. DATABASE_URL is now constructed internally via a YAML anchor
from POSTGRES_PASSWORD (default: hermes-change-me). Removed the manual
PostgreSQL setup section from README and updated backup instructions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>