Commit Graph

1981 Commits

Author SHA1 Message Date
nesquena-hermes 58ba991c0d feat(extensions): opt-in CSP frame-src allowlist (HERMES_WEBUI_CSP_FRAME_EXTRA)
Adds a configurable frame-src directive so an extension can embed a
self-hosted web app in an iframe (e.g. an 'external app tab' pinning
Grafana / Vaultwarden / a dashboard). Mirrors the existing
HERMES_WEBUI_CSP_CONNECT_EXTRA knob: space-separated http(s) origins with
optional *.subdomain wildcard + port, validated, ignored if malformed
(directive-injection / paths / ws scheme / bad ports all rejected).

- Default frame-src is 'self' only, so existing same-origin iframes are
  unchanged; default-off when the env var is unset.
- frame-ancestors stays 'none' -- this only governs what THIS page may embed,
  never who may embed the WebUI.
- Threaded through both the enforced and report-only CSP builders + the
  server.py Handler wrapper, so both headers stay identical.

Docs in docs/EXTENSIONS.md. 8 new regression tests
(tests/test_csp_frame_src_extra.py) cover default, valid widening, enforced
parity, directive-injection rejection, path/ws/port rejection, and
connect/frame independence. Existing CSP test suite still green.

Note: full suite shows 2 pre-existing order-dependent flakes
(test_issue1574 spawn-context, test_issue3283 import-order) that pass in
isolation and are untouched by this CSP-only diff.
2026-06-28 04:08:04 +00:00
nesquena-hermes dbfa33a999 feat(moa): route /moa through WebUI via server-resolved MoA config (#5070, #5057)
Adds a dedicated GET /api/commands/moa/resolve endpoint + resolve_moa_config()
that reads the MoA preset/usage server-side. The /moa send-path passes only a
moa_config:true boolean to /api/chat/start; the server re-resolves the real
config itself (never trusts a browser-supplied dict) and threads it per-turn into
the live agent run. Fails closed (409) on gateway-backed sessions.

Replaces the originally-proposed broad 43-command subprocess approach (bounced)
with this narrow, security-reviewed /moa route. Maintainer fixes on top of the
contributor's converged design: moa_config is added to run_conversation only
when not None (older-agent TypeError safety) at the main call AND both auth
self-heal retry sites, and forwarded through the legacy-journal runtime adapter.

Gate: Codex SAFE (after the maintainer fixes) + full suite 10784 pass + the
activity-stream regression gate clean.

Co-authored-by: rodboev <rodboev@users.noreply.github.com>
2026-06-28 00:23:51 +00:00
nesquena-hermes e2ade27bfe fix(anchor): preserve settled mixed content order (#4958)
When a settled assistant turn carries _anchor_activity_scene and has mixed
content[] (text interleaved with tool_use), promote that ordering into anchor
scene rows (prose / tool / thinking rows in sequence) instead of only the raw
content[] fallback, and mirror the same scene model in the backend hydration
path so a cold reload reconstructs an identical transcript.

Also fixes: post-tool_use text/thinking in a NON-FINAL assistant message was
silently dropped — only the turn-final assistant's post-last-tool text is the
"final answer" tail; earlier assistant messages keep post-tool content as
activity rows. Tail thinking is excluded from the final-answer text but still
emitted as a thinking row (verified on both JS and Python paths).

Tool-row de-duplication is conservative — ID-equal always merges; name/
invocation matches are cardinality-gated and same-message; body-prefix is only
a secondary confirmation inside the id-flexible branch (also requires matching
started_at + compatible name + invocation). It biases toward an extra visible
tool card over ever silently merging two distinct calls.

Gate: Codex SAFE (tail-thinking edge verified already-handled both sides),
Opus SHIP (dedup fails toward duplicate-not-loss; non-final preservation, XSS,
non-mixed regression all clean), full suite 10778 passed (only the 4 known
pre-existing flakes). One non-blocking follow-up noted: bring the prose/thinking
peer-dedup into JS↔Python parity (cosmetic cold-reload extra-narration row).

Co-authored-by: franksong2702 <franksong2702@users.noreply.github.com>
2026-06-27 22:54:29 +00:00
nesquena-hermes f7d727d061 fix(compress): make manual /compress durable across reload + restart (#4986)
Manual /compress shrinks the model-facing context_messages but keeps the
visible messages[] transcript. The old context returned via two paths (#4836):
(1) append-only state.db reconciliation re-appending pre-compression rows, and
(2) startup .bak recovery treating the intentional shrink as data loss.

Half A (routes.py _handle_session_compress): persist truncation_watermark +
truncation_boundary (= watermark of the compressed context), set
compression_anchor_mode="manual", refresh last_prompt_tokens, stamp missing
timestamps on the compressed context, and delete the now-stale .bak. The
boundary==watermark stamp drives the #4772 reconciliation logic onto its
conservative path (block replay of pre-compression rows) while post-compression
turns still merge once sidecar timestamps advance past the watermark.

Half B (session_recovery.py): the .bak recovery guard. MAINTAINER FIX over the
original PR — the contributor suppressed recovery whenever
compression_anchor_mode=="manual", a flag set once at compress and never
cleared, which PERMANENTLY disabled #1558 crash-recovery for any compressed
session (real data loss). Recovery is now suppressed only when the session was
intentionally compressed AND the .bak is genuinely the pre-compression backup,
discriminated by the compaction marker (the same _context_messages_include_
compression_marker signal reconciliation uses): a marked .bak post-dates the
compression -> recover; an unmarked .bak with a larger context is the
shrink-undoing pre-compression one -> suppress. Fail-open on any error.

Resolves an Opus-gate edge in the first cut (length-only heuristic wrongly
suppressed a loss that shrank BOTH messages and context). Two new non-vacuous
regression tests: post-compression real loss recovers, and the both-shrunk
marked-backup case recovers.

Co-authored-by: hyl-ailab <hyl-ailab@users.noreply.github.com>
2026-06-27 21:43:27 +00:00
nesquena-hermes 20d0313d0c feat(settings): expose max_tokens override in Settings (#5010)
The streaming path already honored a max_tokens cap from the active profile's
config.yaml, but there was no UI to manage it. Settings > Preferences now has a
"Max output tokens" field that writes a root-level max_tokens override through
the profile config (not settings.json, which the streaming worker never reads
for this), preserving unrelated YAML keys under _cfg_lock. Blank clears the
override so agent.max_tokens fallback resumes; get_max_tokens_status() surfaces
root / effective / fallback so the field shows what a new turn would use.

Co-authored-by: rodboev <rodboev@users.noreply.github.com>
2026-06-27 20:27:18 +00:00
nesquena-hermes 3ad07ba363 fix(agent_health): read cross-container gateway runtime status from gateway_state.json (#5065)
In cross-container Docker setups the agent-health check resolves the gateway's
runtime status from a shared gateway_state.json. After the keyword-form
read_runtime_status(pid_path=...) call fails against an older agent signature,
_read_gateway_runtime_status fell back to read_runtime_status(pid_path) passing
the sibling gateway.pid path positionally — so the reader parsed PID metadata as
runtime metadata and gateway_state/updated_at never resolved, breaking the
freshness check (issue #5030, #1879).

The positional fallback now passes the correct gateway_state.json sibling path
(pid_path.with_name(runtime_status_file), where runtime_status_file comes from
the agent's _RUNTIME_STATUS_FILE attr, defaulting to gateway_state.json). The
path computation is hoisted so both fallback branches use the correct file. The
keyword happy-path is unchanged for agents that accept pid_path=..., and normal
PID-based health is unaffected.

Verified: the new test test_cross_container_runtime_status_reads_sibling_runtime_file
fails on master without the fix and passes with it; #716 PID-health tests still pass.

Co-authored-by: rodboev <rodboev@users.noreply.github.com>
2026-06-27 19:54:50 +00:00
nesquena-hermes 97a25a98fb fix(streaming): strip consumed OOB steer blocks from model-facing history (#4978)
When a turn is steered, the agent embeds an
[OUT-OF-BAND USER MESSAGE]...[/OUT-OF-BAND USER MESSAGE] control block, and that
block gets persisted into the session's messages/context_messages (appended onto
a tool-result entry — verified present in real prod session JSON, in both
messages[] and context_messages[]). WebUI then replays context_messages into the
provider-facing conversation history every turn, so the model kept re-seeing the
internal control marker: wasted tokens + stale control data.

Adds a non-mutating, recursive _strip_oob_blocks() (regex, DOTALL+IGNORECASE,
non-greedy) wired into every model-facing chokepoint:
_sanitize_messages_for_api, _api_safe_message_positions,
_restore_reasoning_metadata projection, and the gateway runs-API
conversation_history (context_messages + prefill). The compression path
(/session/compress) inherits the strip via _sanitize_messages_for_api.

The marker stays intact in the persisted transcript (display/reload/audit
fidelity); it's removed only on the way to the provider. Idempotent, only strips
a complete open+close pair, and does not mutate persisted session objects (the
content key is reassigned to a freshly-built value).

Maintainer hardening (Opus gate): relaxed the opening pattern from a mandatory
`]\r?\n` to `]\s*?` so a single-line OOB block is also stripped (DOTALL .*?
already spans newlines) — robustness against a format that omits the newline.

Co-authored-by: Stacey2911 <Stacey2911@users.noreply.github.com>
2026-06-27 19:13:36 +00:00
nesquena-hermes 3c493a9e37 fix(cancel): preserve partial turn payload via embedded cancel snapshot (#4647)
Cancelling a running turn briefly collapsed the already-streamed reasoning,
tool cards, and text to a bare "Task cancelled" marker before a follow-up
GET /api/session repopulated them — a visible race between the terminal
cancel SSE event and the refetch (#4076, #1361).

The terminal cancel event now carries a canonical, redacted session snapshot
captured under the per-session agent lock right after the cancelled turn is
persisted (including the recovered partial-assistant message). The frontend
applies that embedded snapshot immediately via _applyCancelSessionPayload and
skips the GET round-trip. The snapshot is a fully detached deep copy (redaction
rebuilds every container) so it cannot alias or be staled by concurrent writes;
it is only applied when its session_id matches the active view; and a
missing/failed snapshot degrades cleanly to the existing GET fallback.

The seven other cancel call sites are standardized via _cancel_event_payload()
(message + type + status), backward-compatible (no session key when none).

Co-authored-by: franksong2702 <franksong2702@users.noreply.github.com>
2026-06-27 16:43:37 +00:00
allenliang2022 363097adad fix(webui): hold per-session lock for state.db sidecar self-heal (TOCTOU + clobber) 2026-06-27 15:24:15 +00:00
allenliang2022 dbe470aa6f test(webui): add registration-window race regression + grace guard 2026-06-27 15:24:15 +00:00
allenliang2022 f3da26dc07 fix(webui): address greptile P1 - snapshot-first save, safer recovery gate 2026-06-27 15:24:15 +00:00
allenliang2022 a3030fb498 fix: sync stale sidecars from newer state db 2026-06-27 15:24:15 +00:00
Rod Boev 9b9ff4053f fix(#5047): honor bounded refresh follower latency 2026-06-27 13:35:24 +00:00
Rod Boev 6649db7041 fix(#5047): prevent sync refresh follower hangs 2026-06-27 13:35:24 +00:00
Rod Boev 4f2bcada31 fix(#5047): keep sync refresh followers coalesced 2026-06-27 13:35:24 +00:00
Rod Boev 8da4c7a334 fix(#5047): require live rebuild publication for refresh reuse 2026-06-27 13:35:24 +00:00
Rod Boev bcfec68c5c fix(#5047): cover bounded refresh followers 2026-06-27 13:35:24 +00:00
Rod Boev 53d44d3795 fix(#5047): coalesce session-visit refresh followers 2026-06-27 13:35:24 +00:00
Rod Boev 8f0cc7912b fix(#5000): settle mirrored gateway approval cleanup 2026-06-27 06:03:24 +00:00
Rod Boev 5f1e308341 fix(#5000): relay mirrored gateway approvals after stream loss 2026-06-27 06:03:24 +00:00
Rod Boev e22ad662b7 fix(#5022): keep corrupt auth state from bricking startup 2026-06-27 01:58:40 +00:00
Rod Boev 64db24c753 fix(#5022): keep malformed session loads fail-open 2026-06-27 01:58:40 +00:00
Rod Boev 3c4ef72a51 fix(#5022): surface auth persistence failures 2026-06-27 01:58:40 +00:00
jkobject 19d1f435b8 fix: keep psutil optional for system health 2026-06-26 20:49:13 +00:00
jkobject 0905adcf43 fix: narrow system health psutil fallback 2026-06-26 20:49:12 +00:00
jkobject 9f5aa98621 fix: support macOS system health metrics 2026-06-26 20:49:12 +00:00
Rod Boev 6cb55b5df8 Keep session cache invalidation signals live across the routes extraction 2026-06-26 18:36:07 +00:00
Rod Boev 47485b3a82 Preserve route-level cache overrides after helper extraction 2026-06-26 18:36:07 +00:00
Rod Boev 1bffabbfec refactor(routes): extract session-list cache helpers from api/routes.py (#1907) 2026-06-26 18:36:07 +00:00
Rod Boev 781223fa18 fix(agent): keep real checkouts ahead of pip-style lookalikes (#4700) 2026-06-26 17:15:03 +00:00
Rod Boev b4dadc9939 fix(#4700): recognize nested pip-style agent roots 2026-06-26 17:15:03 +00:00
Rod Boev b5d462812c fix(#4700): recognize pip-style agent roots for cron imports 2026-06-26 17:15:02 +00:00
nesquena-hermes f8c4d50950 harden(#4991): session_id max() tiebreaker + membership-completeness doc (Opus gate findings)
Co-authored-by: franksong2702 <franksong2702@users.noreply.github.com>
2026-06-26 16:40:27 +00:00
Frank Song d68760b288 Prove continuation index completeness before trusting it
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 16:27:40 +00:00
Frank Song eda4c50cf5 Handle stale compression continuation index fallback
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 16:27:40 +00:00
Frank Song 0f87757a47 Use session index for compression continuations 2026-06-26 16:27:40 +00:00
nesquena-hermes 903dabd29b fix(providers): strip Anthropic env values so whitespace-only OAuth tokens don't false-positive (#4995 gate finding) 2026-06-26 15:44:15 +00:00
Rod Boev 06902d8038 fix(providers): detect Anthropic OAuth credentials in WebUI parity paths (#4770) 2026-06-26 15:34:59 +00:00
Rod Boev f36a427872 fix(models): make session-index rebuild thread ownership explicit (#3894) 2026-06-26 15:13:41 +00:00
Frank Song f15f178b5e Guard state db prefix keys with tool calls
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 10:43:28 +00:00
Frank Song 7a38b09af1 Fix lint for state db prefix key guard
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 10:43:28 +00:00
Frank Song fd81b6cb08 Guard state db tail reads by prefix keys
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-26 10:43:28 +00:00
Frank Song dc9d6275cb Address state db tail-window coordinate guards 2026-06-26 10:43:27 +00:00
Frank Song 91f7e7f816 Address state db tail window review 2026-06-26 10:43:27 +00:00
Frank Song 8bd31891e3 Bound state.db reads for paginated session loads 2026-06-26 10:43:27 +00:00
nesquena-hermes 2f7c5f01ee fix(#4973): replace per-request diagnostics Timer with a process-global watchdog thread
A threading.Timer per RequestDiagnostics spawns one OS thread per request, held
alive until finish() cancels it. Under sustained /api/sessions poll load this
exhausts the per-process thread cap (RuntimeError: can't start new thread) and
the server stops accepting connections. Replace with a single lazy-init
watchdog daemon thread that scans pending diags every ~1s; public API
unchanged. Caps timeout-tracking at 1 thread/process regardless of request rate.
2026-06-26 07:58:13 +00:00
nesquena-hermes 74cee77738 fix(approval): stale local approval card clears instead of dead-ending (#4948 local variant, #4771 follow-up)
On the default local in-process backend, an approval card whose stream
ended while still pending (cancel/fork/provider-error/completion) left the
agent queue entry dropped and the _pending mirror reconciled away. Clicking
Approve/Deny then sent an approval_id that matched nothing, so the handler
returned a bare {ok:false}; since #4771 the frontend surfaces that as
'Approval response not accepted.' with a stuck card (reported by
@santastabber on v0.51.666 and b3nw).

Distinguish a genuinely stale card (no pending approval for the session ->
benign {ok:true, stale_cleared:true} so the UI clears the orphan) from a
stale-id click made while a DIFFERENT approval is live (still ok:false so it
can never resolve the wrong command -- #527 guard preserved). Frontend
clears the orphan card on stale_cleared even if the displayed id drifted.

Co-authored-by: b3nw <b3nw@users.noreply.github.com>
2026-06-26 06:46:22 +00:00
Rod Boev 3979ea6023 fix(sidebar): restrict cron pre-aggregation to missing-index scans 2026-06-26 03:06:40 +00:00
Rod Boev 810707d47a fix(sidebar): gate cron pre-aggregation to large scans 2026-06-26 03:06:40 +00:00
Rod Boev eb10cecf0b fix(sidebar): keep cron candidate ordering scoped 2026-06-26 03:06:40 +00:00