# /usr/local/lib/hermes-agent/hermes_cli/dashboard_auth/public_paths.py
"""Shared allowlist of ``/api/*`` paths that bypass dashboard auth.

Two middlewares enforce dashboard auth and previously kept independent
copies of this list:

* ``hermes_cli.web_server.auth_middleware`` — loopback / ``--insecure``
  mode, gates on the ephemeral ``_SESSION_TOKEN``.
* ``hermes_cli.dashboard_auth.middleware.gated_auth_middleware`` —
  non-loopback mode, gates on the OAuth session cookie.

When the lists drifted, ``/api/status`` ended up public under the legacy
gate but 401'd under the OAuth gate. That broke the portal's wildcard
liveness probe (``nous-account-service`` ``fly-provider.ts``
``getInstanceRuntimeStatus``), which fetches ``/api/status`` without a
cookie as its sole signal of "agent dashboard is alive": every healthy
wildcard-subdomain agent surfaced as STARTING/down in the portal UI even
though the dashboard was serving correctly.

Centralising the allowlist here so both middlewares import the same
frozenset prevents the next drift. Keep this list minimal — only truly
non-sensitive, read-only endpoints belong here. As a sanity check, every
entry should be safe to expose to:

  * external uptime probes (Pingdom, Better Stack, NAS),
  * the dashboard SPA before the user has logged in,
  * anyone who happens to ``curl`` the hostname.

If a new endpoint doesn't pass all three tests, it should be gated and
the SPA should bootstrap it after login instead.
"""

from __future__ import annotations

PUBLIC_API_PATHS: frozenset[str] = frozenset(
    {
        "/api/status",
        "/api/model/info",
        "/api/config/schema",
        "/api/config/defaults",
        "/api/dashboard/themes",
        "/api/dashboard/plugins",
    }
)