fix: patch auth bypass via case-sensitive path matching (#77)

- Normalize request path to lowercase before auth check to prevent
  bypassing authentication with uppercase paths like /API/hermes/sessions
- Auto-restart server after in-page update via detached hermes-web-ui restart

Closes #77

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/server/src/index.ts

@@ -99,7 +99,16 @@ export async function bootstrap() {
         })
         ctx.body = { success: true, message: output.trim() }
         // Restart the server after response is sent
-        setTimeout(() => process.exit(0), 1000)
+        setTimeout(() => {
+          const { spawn } = require('child_process')
+          const isWin = process.platform === 'win32'
+          spawn(isWin ? 'cmd' : 'sh', isWin ? ['/c', 'hermes-web-ui restart'] : ['-c', 'hermes-web-ui restart'], {
+            detached: true,
+            stdio: 'ignore',
+            windowsHide: true,
+          }).unref()
+          process.exit(0)
+        }, 2000)
       } catch (err: any) {
         ctx.status = 500
         ctx.body = { success: false, message: err.stderr || err.message }