Commit Graph

6724 Commits

Author SHA1 Message Date
Nathan Esquenazi ab4333dfd0 fix(review): correct the i18n coverage claim to measured reality
The refresh claimed "Full translation coverage across all non-English
locales (no English fallback strings)", but measuring i18n.js directly
falsifies it: full-sentence keys are English-identical in several locales
(e.g. gateway_start_success: 'Gateway start completed.' appears verbatim in
4+ locale blocks) -- ~30/1574 keys for Czech (~2%), 66 for Polish, 140 for
Vietnamese, 243 for Turkish (~15%). These are genuine untranslated
fallbacks on recently added keys, consistent with the repo's documented
add-keys-with-English-fallback convention.

Reword the line to the accurate shape (near-full coverage, measured
fallback tail, backfilled by periodic translation passes) so the accuracy
refresh stays accurate.
2026-07-06 19:50:59 -07:00
t 30073740a4 docs: full accuracy refresh of ROADMAP.md
The roadmap had drifted ~120 releases (stamped v0.51.792, current is
v0.51.911) and was missing entire surfaces the project now ships. This is
a full pass to make every section reflect what actually exists today.

What changed:

- Status snapshot rewritten: adds the extension system, the native-client
  fleet (macOS/Windows/Linux/Android/iOS), i18n, gateway, and autonomous
  maintenance as first-class rows.
- Skins corrected 11 -> 21 (authoritative _SKINS array in boot.js); base
  model restated as 3 modes (Light/Dark/System) x 21 skins, dropping the
  stale legacy "8 themes" list (solarized/monokai/nord/oled are legacy
  aliases mapped onto skins, not standalone skins).
- Locales 14 -> 15 (adds Czech); note full non-English coverage.
- Gateway platforms expanded to include WeChat/Weixin, Signal, SMS.
- New "Extension system" checklist section: loader, one-click gallery,
  manifest contract, theme/TTS/nav/sidecar capabilities, settings schema +
  owned storage, trust model, and the vetted library repo.
- New "Native clients" section: per-repo table for hermes-swift-mac,
  hermes-desktop-rust (Tauri), hermes-android, hermes-swift-ios. No version
  numbers (they drift per repo).
- New "Autonomous project maintenance" section pointing at StewardOS.
- Chat/sessions/workspace/cron/security/mobile checklists updated with the
  many features shipped since the last stamp (Steer default, Transparent
  Stream, compression-recovery, cron fork, schedule builder, self-hosted
  provider from Settings, copy-relative-path, CORS/open-redirect hardening,
  mobile scroll hardening, stable sidebar grouping, etc.).
- Forward work pruned: ~20 of the ~30 listed issues have shipped and were
  removed; remaining list is the actually-open set (verified live via gh).
  Marketplace moved out of "not planned" (the extension system fills it);
  added multi-tenant/white-label to "not planned" per project scope.
- Removed the hardcoded version/test-count stamp from the header in favor
  of live-derivation pointers (matches the rest of the docs).
2026-07-06 22:23:09 +00:00
nesquena-hermes 5ecd248e92 Merge pull request #5708 from nesquena/release/stage-5688b
Release: self-update .git/index.lock recovery (#5688)
v0.51.911
2026-07-06 14:52:25 -07:00
t 9ae4ec8f09 docs(changelog): stamp #5688 self-update lock recovery 2026-07-06 21:46:39 +00:00
t e2184b7b12 stage 5688 on current master (post parallel release) 2026-07-06 21:45:49 +00:00
nesquena-hermes 8d5d28903c Merge pull request #5546: add Czech (cs) locale support
Complete Czech locale (1642/1642 key parity, all function values, login screen, test guard). Rebased + translation-quality fixes by maintainer; original author @ostravajih. Gate: full suite + Codex SAFE TO SHIP.
v0.51.910
2026-07-06 14:42:12 -07:00
nesquena-hermes 16c3b4d91e docs(changelog): add Czech locale entry (#5546) 2026-07-06 21:37:22 +00:00
ostravajih 6da81f7a30 feat(i18n): add Czech (cs) locale support
Add a complete Czech (cs) locale to hermes-webui: full key parity with the
English reference (1642/1642 keys), real Czech translations for all string and
function-valued keys, Slavic plural helpers for tool/worklog summaries, the cs
login-screen locale in api/routes.py, and a dedicated tests/test_czech_locale.py
parity+placeholder+diacritics guard mirroring the other per-locale tests. All
15 locale-count assertions bumped 14->15.

Co-authored-by: ostravajih <ostravajih@users.noreply.github.com>
2026-07-06 21:27:46 +00:00
nesquena-hermes bb0439dcfa Merge pull request #5707 from nesquena/fix/last-two-flakes
Fix the last 2 chronic local full-suite test-isolation flakes (test-only)
2026-07-06 14:24:13 -07:00
nesquena-hermes d5210b7efc lint: drop now-unused importlib.util import 2026-07-06 21:19:20 +00:00
nesquena-hermes acfd0e9719 fix: defensive agent-importable probe (find_spec raises ValueError on spec-less partial agent module on CI) 2026-07-06 21:14:58 +00:00
nesquena-hermes 88d94556d2 docs(changelog): stamp last-2-flakes fix 2026-07-06 21:10:00 +00:00
t cec093eef6 test: fix chronic full-suite agent/hermes_cli __path__ isolation poison (2 flakes)
Convert in-place pkg.__path__=[] mutations on the REAL agent/hermes_cli
packages to monkeypatch.setattr (auto-restored), and make
test_issue1574's _activate_spawn_fake_agent snapshot+restore the
HERMES_WEBUI_AGENT_DIR/PYTHONPATH/sys.path it mutates.

Fixes:
- test_v050259_sessiondb_fd_leak::test_session_db_close_is_idempotent
- test_tls_support::test_tls_startup_failure_fallback_to_http
2026-07-06 21:08:52 +00:00
nesquena-hermes ade6de5294 Merge pull request #5704 from nesquena/fix/5696-profiles-ttl
fix(#5696): revert profiles cache TTL to 4s (stale profile rows)
v0.51.909
2026-07-06 13:44:17 -07:00
t 5df8a06800 fix(#5696): revert profiles cache TTL 60s->4s (stale profile rows); contributor-flagged follow-up 2026-07-06 20:40:08 +00:00
nesquena-hermes 116d81d3c8 Merge pull request #5703 from nesquena/release/stage-5696
Release: session-load latency fix (#5696)
v0.51.908
2026-07-06 13:36:48 -07:00
t 36176a9ee4 docs(changelog): stamp #5696 session-load perf 2026-07-06 20:21:04 +00:00
t 2454719f2e gate 5696 + fold-in: non-throwing HERMES_DEBUG_SLOW parse (Codex CORE fix) 2026-07-06 20:15:42 +00:00
t 06590556f5 gate 5696 on current master 2026-07-06 20:05:17 +00:00
nesquena-hermes e785264e4e Merge pull request #5702 from nesquena/release/stage-flakefix
Fix chronic full-suite test-isolation flakes (hermes_cli __path__ poison, 8 tests)
v0.51.907
2026-07-06 12:57:23 -07:00
nesquena-hermes 44be49ebc7 test: fix chronic full-suite hermes_cli __path__ isolation poison (8 flakes) 2026-07-06 19:53:32 +00:00
b3nw 2ddef230ff fix: drop auto-delete; manual-instruction only (PR #5688 round-3)
Address round-2 gate cert (issuecomment-4896321817) on sha:dcec232d:

1. BRICK (Codex strace-verified): v2's fcntl-flock holder check on
   .git/index.lock was wrong. Codex straced git 2.43.0 and proved
   that git uses O_CREAT|O_EXCL + rename(2), NOT advisory locking,
   so an fcntl-flock probe returns False for a lock file a live git
   process is holding open. The 'fail-closed' claim was wrong:
   auto-delete could still race and corrupt the index.

2. CORE (Codex): if .git/index.lock vanished between _is_lock_held
   and os.remove, the FileNotFoundError surfaced as a 'remove-failed'
   diagnostic instead of 'already gone' and prevented the apply retry.

Fix: stop deleting lock files from the server entirely. The only thing
that removes a lock is the user, on the host, via the manual command
surfaced in the response. Once the lock is gone, the user re-clicks
Update Now and the normal non-destructive apply path runs.

Implementation:

api/updates.py:
  - Removed _is_lock_held (fcntl-flock probe) -- was provably unsafe.
  - Removed _try_remove_lock (os.remove path) -- was provably unsafe.
  - Removed _GIT_LOCK_FILES_REMOVABLE (no longer enumerable by name).
  - Added _inventory_locks(path) -> dict: pure inventory of well-known
    + other lock files under .git/. Never touches anything.
  - Rewrote apply_clear_lock to inventory-only + manual-instruction.
    When .git/index.lock is absent, runs the normal non-destructive
    apply path; when present, returns ok=False with the exact 'rm -f'
    command + an explanation of why the server cannot do this safely
    (O_CREAT|O_EXCL cannot be detected with advisory probes).
    CORE-1 race evaporates: there is no os.remove to race against.

api/routes.py:
  - Updated the /api/updates/clear_lock comment to reflect v2.2.

static/ui.js:
  - applyClearUpdateLock: when res.lock_held, call new
    _renderLockManualInstruction(target, res) which surfaces the exact
    'rm -f <path>' command in a copyable code block plus an
    'I've removed the lock -- retry update' button that POSTs the
    same endpoint again; the second call takes the success branch
    and re-runs the normal apply path. Also lists any other lock
    files present so the operator can investigate.

tests/test_updates.py:
  - Removed all 4 tests for the deleted v2 helpers (_is_lock_held
    Returns*, _try_remove_lock*).
  - Added test_v2_probe_helpers_removed: regression guard that
    fails loud if either helper is ever reintroduced.
  - Rewrote test_apply_clear_lock_removes_unheld_lock_and_runs_normal_update
    and test_apply_clear_lock_refuses_when_lock_held for the v2.2
    contract. The 'refuses' test monkeypatches os.remove to record
    any deletion attempt and asserts the call list is empty -- a
    strict runtime guard against future regressions to auto-delete.
  - Added 7 new tests: test_inventory_locks_* (4), test_apply_clear
    lock_with_no_lock_runs_normal_update, test_apply_clear_lock_with
    lock_present_returns_manual_instruction, test_apply_clear_lock
    listing_includes_other_locks, test_apply_clear_lock_rejects
    unknown_target, test_apply_clear_lock_rejects_not_git_repo.

Verification:
  ./scripts/test.sh tests/test_updates.py          -> 73 passed
  ./scripts/test.sh tests/test_update_banner_fixes.py -> 102 passed
  ./scripts/test.sh tests/test_api_timeout.py      -> 8 passed
  python3 scripts/ruff_lint.py --diff upstream/master -> 0 new violations
  Full ./scripts/test.sh -> 12137 passed, 18 failed (all 18 pre-existing
    flakes in unrelated subsystems; verified not v2.2 regressions)
2026-07-06 19:02:16 +00:00
Konstantin M 2a54e77ef2 fix(webui): drop SQL path in user_message_count — restore sidecar as source of truth
Greptile rerun and the maintainer review both raised the same concern:
state.db and the sidecar self.messages can diverge by hundreds of
messages during recovery / mid-flight writes / pending_user_message.
On the test corpus:
  0db167553ac7  db=11  sidecar=12
  295592fd560e  db=813 sidecar=889
  7478cae31f01  db=2730 sidecar=2405

The previous patch's SQL path was reading state.db. The pre-patch
inline walk was reading self.messages (the sidecar). Sidebar stale-row
detection (_looks_like_stale_zero_message_row,
_row_may_need_sidecar_metadata_refresh) consumes this field as if the
sidecar were the source of truth, so swapping the source silently flips
the field's semantics.

Drop the SQL path entirely. The helper now does the same in-memory
walk the pre-patch code did, extracted into a named method for
visibility. The inline role check (dict.get('role') with default
empty string) is 1.7x faster than calling _message_role() per
iteration on the test corpus (2.57ms -> 1.49ms across 8 sidecars,
2405 msgs total).

Bench (2405-msg sidecar): 0.76ms per call, vs ~1.5s for the pre-patch
inline walk on the same sidecar (the original perf hotspot). The
1.5s figure included JSON parse, dict construction, and the SQLite
overhead of the now-removed SQL path; the bare walk is the
0.76ms shown here.

Correctness: 27/27 webui sidecars produce identical counts vs the
pre-patch inline walk. No behavior change for any caller.

Addresses Greptile findings (P1 silent-zero, P2 docstring, P2 dead
allowlist) by removing the SQL path entirely rather than patching
around its divergent-source issue.
2026-07-06 18:45:32 +00:00
Konstantin M 2a4e86f5c3 fix(webui): preserve user_message_count under DB contention
Greptile flagged that _compute_user_message_count_lazy silently returns 0
when the SQLite query fails (DB locked, missing file, schema drift).
The pre-patch compact() walked self.messages in Python and returned the
correct count without ever touching the DB, so the silent zero
fallback is a regression that breaks _looks_like_stale_zero_message_row
under contention.

Fix: helper now takes an optional messages argument. On SQLite failure
it falls back to the same in-memory walk the original code used, so
callers see the same number they'd have seen before for any session
where Session.load() populated self.messages.

Also drop the dead ('GET', '/api/session') allowlist entry flagged by
Greptile — the /api/session handler already does its own per-stage
logging via the _t0.._t6 block (with auto-log on slow requests), and
adding RequestDiagnostics on top would just duplicate the slow-request
journal entries without adding information.
2026-07-06 18:34:02 +00:00
nesquena-hermes 40ac0c6be2 Merge pull request #5697 from nesquena/release/stage-5674
Release: stabilize sidebar lineage grouping across live refreshes (#5674)
v0.51.906
2026-07-06 11:25:36 -07:00
t 1a71779952 docs(changelog): stamp #5674 sidebar lineage grouping stability 2026-07-06 18:21:13 +00:00
t d7b01185ac chore: drop .claude pr-sweep proof artifact from release (gitignored, not for public repo) 2026-07-06 18:20:45 +00:00
t c1c26ca4aa test merge 5674 2026-07-06 18:20:03 +00:00
nesquena-hermes 93b7ed90bf Merge pull request #5695 from nesquena/release/stage-5672
Release: reserve real off-screen height for user rows (#5672)
v0.51.905
2026-07-06 11:13:56 -07:00
t 2283babbba docs(changelog): stamp #5672 content-visibility scrollHeight root fix 2026-07-06 18:05:03 +00:00
t efe768fb17 test merge 5672 on master w/ 5685+5681+5666 2026-07-06 17:59:15 +00:00
nesquena-hermes c93672abee Merge pull request #5694 from nesquena/release/stage-5666
Release: refuse stale-anchor scroll restore during streaming, Android (#5666)
v0.51.904
2026-07-06 10:56:52 -07:00
t 5b4397e9de docs(changelog): stamp #5666 mobile stale-anchor stream nudge fix 2026-07-06 17:48:11 +00:00
t a7b9b2a132 test merge 5666 on master w/ 5685+5681 2026-07-06 17:47:30 +00:00
b3nw dcec232dfa fix: add btnClearUpdateLock markup for PR #5688 v2 frontend path
Address Greptile P1 review (discussion r3530941293) on commit e8f7e28a:
the v2 frontend recovery path was dead at the DOM level. static/ui.js
references $('btnClearUpdateLock') but no matching element existed in
static/index.html, so users hitting a lock conflict never saw a clickable
affordance -- the error panel was the only visible state.

Add the missing button next to btnForceUpdate in the update-banner action
row:

  <button class="update-btn" id="btnClearUpdateLock"
          style="display:none"
          onclick="applyClearUpdateLock(this)">
    Clear lock and retry update
  </button>

Style mirrors the neutral update-btn (NOT the red --error used by the
destructive Force update) so the recovery affordance doesn't read as a
warning. Hidden by default; revealed by the existing _showUpdateError()
helper when res.lock_conflict is set.

Regression tests in TestClearLockButton (3 tests):

- test_clear_lock_button_exists
- test_clear_lock_button_hidden_by_default
- test_clear_lock_button_calls_applyClearUpdateLock_handler

These lock in the contract that the button element must be present and
correctly bound; future refactors that rename the id or strip the button
will fail loud. Mirrors the existing TestIndexHtmlBanner conventions
for btnForceUpdate.

Verification:

- ./scripts/test.sh tests/test_updates.py  -k lock -> 35 passed
- ./scripts/test.sh tests/test_update_banner_fixes.py  -> 102 passed
- ./scripts/test.sh tests/test_api_timeout.py  -> 8 passed
- ruff_lint --diff upstream/master  -> 0 new violations
2026-07-06 17:46:30 +00:00
nesquena-hermes cfc0ffe102 Merge pull request #5693 from nesquena/release/stage-5681
Release: restore unpinned reader after mid-stream scroll clamp (#5681)
v0.51.903
2026-07-06 10:45:24 -07:00
t db231464c8 docs(changelog): stamp #5681 unpinned-reader scroll-jump fix 2026-07-06 17:37:15 +00:00
b3nw e8f7e28a3c fix: address gate cert BRICKs + Greptile P1 on PR #5688
Address the RED gate cert on PR #5688 (2 BRICK + 1 CORE) and the
incoming Greptile review (1 P1 + 3 P2):

- BRICK-1 (race-safety): drop the mtime heuristic and any age-based
  lock removal. Add /api/updates/clear_lock with a fail-closed
  fcntl.flock holder probe (refuses if any process still holds the
  file, on POSIX). On non-POSIX, fails closed. Touches only
  .git/index.lock (the only well-known short-lived lock git creates).
- BRICK-2 (destructive path coupling): remove lock_conflict from the
  force-button condition. Add a separate btnClearUpdateLock that calls
  /api/updates/clear_lock -- never apply_force_update. The recovery
  path never runs checkout/clean/reset --hard.
- CORE-1 (unconditional pre-cleanup): apply_force_update no longer
  iterates .git/**/*.lock. Lock cleanup is exclusively the clear_lock
  endpoint's job.
- Greptile P1: when a pull-lock error fires after a stash was pushed,
  run git stash pop (with apply+drop fallback) so the user's local
  modifications aren't stranded in the stash silently. v2 tests
  cover the stashed and the clean cases.
- Greptile P2 (broad 'lock file' substring): tightened _GIT_LOCK_SIGNATURES
  to specific git error strings ('index.lock': file exists, '.lock':
  file exists, 'another git process seems to be running',
  'unable to create .git/index.lock') so unrelated ref-transaction
  lock-loss messages no longer trigger a lock-conflict response.
- Greptile P2 (redundant git_dir.exists / magic number): both gone as a
  side effect of removing the apply_force_update cleanup loop entirely.

Refactor: rebased onto current upstream/master so PR is no longer
'behind' 130 commits.

Tests:
- 14 new v2 tests covering holder probe (true/false/NOGIL probe),
  _try_remove_lock (refuse-on-held/success-on-unheld),
  apply_clear_lock (success/refused), signature set parameter table
  including false-positive class, apply_force_update no-touch
  contract, pull-lock stash restore, pull-lock no-stash-when-clean.
- 2 v1 tests removed (they encoded the unsafe behavior).
- 2 v1 parametrize rows dropped (their positive cases relied on the
  broad 'lock file' substring).

Closes #5687
2026-07-06 17:37:05 +00:00
t 3cbca94f9c test merge 5681 on post-5685 master 2026-07-06 17:36:12 +00:00
nesquena-hermes 501d7184ff Merge pull request #5691 from nesquena/release/stage-5685
Release: stop pinned tail-follower mid-stream scroll jitter (#5685)
v0.51.902
2026-07-06 10:33:39 -07:00
nesquena-hermes b08e6d91af docs(changelog): stamp #5685 pinned tail jitter fix 2026-07-06 17:24:26 +00:00
nesquena-hermes ffe6163be8 Merge PR #5685 into stage 2026-07-06 17:23:43 +00:00
b3nw 3c5b00f928 fix: detect and recover from stale git lock files during self-update
- Detect lock file errors (lock_conflict flag) on fetch/status/pull
  failures in _apply_update_inner (#1)
- Expose Force Update button on frontend when lock_conflict is
  received (#3)
- Proactively clean stale lock files (>30s old) in apply_force_update
  using rglob discovery instead of a hardcoded path list (#2)
- Add 10 tests: _is_git_lock_error parametrized unit tests,
  _apply_update_inner lock path coverage, and apply_force_update
  stale/recent lock behavior
2026-07-06 17:17:21 +00:00
nesquena-hermes 426f12ce51 Merge pull request #5690 from nesquena/release/stage-5673
Release: proxy-auth PWA caveat docs (#5673)
v0.51.901
2026-07-06 10:13:02 -07:00
nesquena-hermes 21755195ee docs(changelog): stamp #5673 proxy-auth PWA caveat docs 2026-07-06 17:05:11 +00:00
nesquena-hermes 8a7d3eb6c2 Merge PR #5673 into stage 2026-07-06 17:04:53 +00:00
Konstantin M 60e1b5277d perf(webui): bound _last_message_timestamp to a tail window
Session.compact() called _last_message_timestamp(self.messages) which
reversed-walked all 2,730 messages on every /api/session response.
The messages array is chronologically ordered, so the last non-tool
message sits at the very end. Scan only the last 8 messages; fall
back to a full scan only if no timestamp is found in the window
(unusual sessions with >8 trailing tool rows).

Reverts to identical behavior when the window hits, since the most
recent user/assistant message's timestamp is what compact() emits.

Bench (single-shot, live Chromebook eMMC):
  before: get_session=1107ms compact=1725ms total=2880ms
  after:  get_session= 648ms compact= 288ms total=1313ms
  (-80% on compact, -54% on total)

Revert: git checkout master && systemctl --user restart hermes-webui
2026-07-06 16:53:01 +00:00
nesquena-hermes 26a829c952 docs: weekly contributor tally refresh (20260706) (#5689) 2026-07-06 09:29:07 -07:00
Konstantin M af67bd5968 perf(webui): Priority 1+4 - cheap user_message_count + profiles TTL bump
Priority 1: Session.compact() walked all self.messages to count user-role
messages. For a 2,730-msg session that's ~1.5s on eMMC. Replaced with
Session._compute_user_message_count_lazy(): single indexed SQLite query,
~5ms, same correctness. Field is consumed by sidebar-row code
(_looks_like_stale_zero_message_row, _row_may_need_sidecar_metadata_refresh)
so we MUST keep emitting a real value, not None.

Priority 4: _LIST_PROFILES_CACHE_TTL 4s -> 60s. Invalidation hooks
(create_profile_api, delete_profile_api) already call
_invalidate_list_profiles_cache() so the bump is safe.

Bench (10 iters, 10s timeout, live Chromebook eMMC):
  long_session_idle   p50  5759ms -> 2869ms  (-50%)
                     p95  9141ms -> 3156ms  (-65%)
                     max  9740ms -> 3283ms  (-66%)
                     timeouts 2/10 -> 0/10
  session_switch_idle p50  2336ms -> 1316ms  (-44%)
                     p95  3708ms -> 1442ms  (-61%)
                     max  4218ms -> 1525ms  (-64%)
  profiles_idle       p50    6ms ->    6ms
                     p95  821ms ->  248ms   (-70%)
                     max 1488ms ->  445ms   (-70%)
  sidebar_idle        p50  123ms ->   31ms   (-75%)
                     p95  887ms ->   57ms   (-94%)
                     max  986ms ->   59ms   (-94%)
  normal_session_idle p50  359ms ->   56ms   (-84%)
                     p95  749ms ->  131ms   (-83%)
                     max  794ms ->  167ms   (-79%)

Revert: git checkout master && systemctl --user restart hermes-webui
2026-07-06 15:40:29 +00:00
Konstantin M ce1aaf9d7b perf(webui): auto-log slow /api/session requests with stage breakdown
Adds auto-logging when total /api/session latency exceeds 2s, so we don't
need HERMES_DEBUG_SLOW env var to diagnose regressions in production.
Env var still forces logging on every request for development.

Baseline data on the Chromebook (Celeron N3350, eMMC storage):
- long_session_idle (2,445 msgs) p50=5.8s, p95=9.1s, max=9.7s, 2/10 timeouts
- stage breakdown for a 2.8s request:
    get_session=1041ms, compact=1717ms, redact=31ms, json_write=8ms
- compact stage iterates all messages for user_message_count and runs
  recursive redact_session_data + json.dumps -- biggest single cost

Ref: perf/session-load-latency
2026-07-06 15:21:12 +00:00