security: fix reset token leak, add rate limiting, body limits, webhook HMAC, JWT_SECRET

- CRITICAL: forgot-password no longer returns token in response; sends email via info@squaremcp.com instead - Rate limit: login 10/15min, forgot-password 5/hr, chat 30/hr (Redis, per IP) - express.json() capped at 100kb - WhatsApp webhook HMAC verification (activates when WHATSAPP_APP_SECRET is set) - JWT_SECRET now explicitly set in K8s (was falling back to CREDENTIAL_ENCRYPTION_KEY) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 20:14:08 -04:00
parent 423dc89c94
commit 34983c44e2
2 changed files with 53 additions and 15 deletions
--- a/hermes-k8s.yaml
+++ b/hermes-k8s.yaml
@@ -22,7 +22,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: hermes-mcp
-          image: localhost:32000/hermes-mcp@sha256:c65ffbbf87a8741c1c9d79e1b39be735535871a9968c680c2c8ff3fb108acfb0
+          image: localhost:32000/hermes-mcp@sha256:b566707150fb4dd3f566b5c258d6f4d0ed8bf5c4405321268dfc647afa0ddda2
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
@@ -119,6 +119,8 @@ spec:
              value: "redis://127.0.0.1:6379"
            - name: CREDENTIAL_ENCRYPTION_KEY
              value: "4ef9c48e9f4e5dfa843d4bfcc3a8f69c5ad5738326c8b0e878076853ae4b8416"
+            - name: JWT_SECRET
+              value: "7a3f9d2e1c8b5a4f6e0d3c7b9a2e5f8d1c4b7a0e3f6d9c2b5a8e1f4d7c0b3a"
            - name: OAUTH_CLIENT_ID
              value: "fecb863c9aa334aba93c9017f4b9bee8"
            - name: OAUTH_CLIENT_SECRET