mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-05-25 03:00:23 +00:00
nesquena-hermes
7d1aa2e261
* feat: add manual 'Check for Updates' button in System settings (#785) Add a 'Check now' button next to the version badge in the System settings section, allowing users to manually trigger an update check at any time without waiting for the automatic periodic check. Changes: - index.html: add button with spinner and status text inline with version badge - panels.js: add checkUpdatesNow() calling /api/updates/check?force=1 with immediate feedback (checking... / up to date / X updates available) - style.css: style the button block and spinner - i18n.js: add 5 new keys (settings_check_now, settings_checking, settings_up_to_date, settings_updates_available, settings_updates_disabled) in all 6 locales (en, ru, es, de, zh, zh-Hant) * fix: sanitize error message in checkUpdatesNow to avoid exposing paths Review feedback: strip filesystem paths from error messages and cap length to prevent internal details leaking into the UI. * fix: fully sanitize error in update check — never expose raw e.message in UI Previous partial fix (80cdaee) stripped filesystem paths from e.message but still displayed the JS exception message to users. Per reviewer feedback and project convention (NEVER expose raw e.message in UI), replace with: - A generic user-facing i18n key (settings_update_check_failed) as default - Fallback to API response body error if available (structured, not raw) - Full error logged via console.warn for debugging - Button disable-during-check already confirmed working (try/finally pattern) - settings_update_check_failed key added in all 6 locales * fix(#785): align HTML selectors with CSS and add regression tests - Wrap update button in div#checkUpdatesBlock so CSS selectors apply - Change button class from sm-btn to btn-tiny (matching stylesheet) - Remove inline styles now handled by CSS (#checkUpdatesBlock, .btn-tiny) - Move spinner sizing to CSS class .spinner-xs - Add 4 static tests in test_update_banner_fixes.py: checkUpdatesNow defined, btnCheckUpdatesNow in HTML, CSS selectors exist, i18n key in all locales * feat: 'Keep workspace panel open' toggle in Appearance settings (#999) * feat: categorize providers in setup wizard (#603) - Add 6 new providers: Google Gemini, DeepSeek, Mistral, xAI (Grok), Ollama, LM Studio to the onboarding quick-setup catalog - Group providers into 3 categories: Easy start, Open/self-hosted, Specialized — rendered as <optgroup> in the provider dropdown - Generic base_url save logic (requires_base_url + default_base_url) instead of hardcoded provider checks - i18n keys for category labels in en, ru, es, zh, zh-Hant * ci: re-run tests * fix(tests): prevent reload_config() from overwriting in-memory mock in test_issue644 The test helper _available_models_with_cfg patches cfg in-memory but get_available_models() calls reload_config() when the config file's mtime doesn't match _cfg_mtime. On CI, config.yaml exists so mtime > 0 and _cfg_mtime starts at 0.0, triggering a reload that overwrites the test's mock with on-disk content. Fix: freeze _cfg_mtime to the current config file mtime inside the helper, so reload_config() is not triggered during the test. * fix: correct default model IDs for gemini, xai, deepseek; add specialized provider tests - gemini: gemini-3.1-pro-preview → gemini-2.5-pro-preview - x-ai: grok-4.20 → grok-3 - deepseek: deepseek-chat-v3-0324 → deepseek-chat - Add TestApplyBaseURLSpecialized: 4 tests verifying base_url written for gemini, deepseek, mistral, and x-ai through apply_onboarding_setup * test: add TestApplyBaseURLSpecialized — verify base_url written for gemini, deepseek, mistralai, x-ai * fix(onboarding): correct stale model defaults for specialized providers Three issues in the new specialized provider catalog (#1027 hold reason): 1. gemini default_model was `gemini-2.5-pro-preview` — agent's catalog has the 3.1 family. Updated to `gemini-3.1-pro-preview`. 2. x-ai default_model was `grok-3` — agent's catalog has `grok-4.20`. Updated. 3. gemini `models` list was sourcing from `_PROVIDER_MODELS.get("gemini")` which returns []. The catalog in api/config.py is keyed under "google" (even though the agent's alias map normalizes google -> gemini). Switched to `_PROVIDER_MODELS.get("google")` so the wizard surfaces the actual 5-model list. Also forward-compatible lookup for x-ai (xai or x-ai key). Without these fixes, users picking gemini or x-ai in the wizard would see no model dropdown and the default_model written to config.yaml would 404 on first chat. deepseek default_model bumped from `deepseek-chat` to `deepseek-chat-v3-0324` to match the test fixture's expectation and the agent catalog's pinned version. Added two regression tests: - test_gemini_model_list_is_populated: pins the catalog-key correctness - test_specialized_default_models_match_catalog: pins the version prefixes (3.x for gemini, 4.x for grok) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat: inline HTML preview in workspace panel (#779) Render .html/.htm files as live previews in a sandboxed iframe instead of showing raw source code. Adds an 'Open in browser' button to open the file in a new tab. Changes: - workspace.js: add HTML_EXTS set, 'html' preview mode, iframe routing in openFile(), and openInBrowser() function - index.html: add sandboxed iframe element and 'Open in browser' button in preview toolbar (visible only for HTML files) - i18n.js: add 'open_in_browser' key in all 6 locales The iframe uses sandbox='allow-scripts' for security. Download button remains available alongside the new preview. * docs: document sandbox security tradeoff for HTML preview Review feedback: fileExt() already lowercases extensions so .HTML/.HTM work. Added code comment explaining the deliberate sandbox=allow-scripts choice: scripts are needed for most HTML documents but the iframe is still origin- isolated and cannot access parent cookies/data. * fix: pass ?inline=1 to file/raw so HTML preview iframe renders instead of downloading routes.py: add inline_preview param — bypasses Content-Disposition:attachment for text/html when ?inline=1 is set, serving the file inline for the sandboxed iframe. workspace.js: add &inline=1 to the iframe src URL. test: add 5 static regression tests for the inline HTML preview. * fix(security): CSP sandbox header for inline HTML preview The iframe sandbox="allow-scripts" attribute on previewHtmlIframe only applies when HTML is loaded INSIDE that iframe. A user tricked into opening /api/file/raw?path=evil.html&inline=1 directly in a top-level tab (e.g. via a chat link) would render the HTML in the WebUI's origin without any sandbox, giving the page full access to cookies and localStorage. Server-side Content-Security-Policy: sandbox allow-scripts mirrors the iframe sandbox exactly: scripts run, but the document is treated as a unique opaque origin (no allow-same-origin) and cannot read WebUI cookies, localStorage, or postMessage to the parent regardless of how the URL is accessed. Added test_inline_html_response_sets_csp_sandbox to pin the header. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs: v0.50.209 release notes — 4 PRs, 2212 tests (+43) * docs(changelog): document #1040 queue flyout and Cloudflare CSP in v0.50.209 The stage commited2bd18listed v0.50.209 as a 4-PR release but the stage actually bundles 5 PRs — #1040 (queue flyout) was cherry-picked in without a corresponding CHANGELOG entry. Without this fix, the queue feature ships silently and the bundled Cloudflare CSP relaxation in api/helpers.py is also undocumented. Adds two entries: - Added: queue flyout (#1040) under v0.50.209 - Changed: CSP allowlist for Cloudflare Access deployments Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: bergeouss <bergeouss@users.noreply.github.com> Co-authored-by: nesquena-hermes <nesquena-hermes@users.noreply.github.com> Co-authored-by: Nathan Esquenazi <nesquena@gmail.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
317 lines
12 KiB
JavaScript
317 lines
12 KiB
JavaScript
async function api(path,opts={}){
|
|
// Strip leading slash so URL resolves relative to location.href (supports subpath mounts)
|
|
const rel = path.startsWith('/') ? path.slice(1) : path;
|
|
const url=new URL(rel,location.href);
|
|
const res=await fetch(url.href,{credentials:'include',headers:{'Content-Type':'application/json'},...opts});
|
|
if(!res.ok){
|
|
const text=await res.text();
|
|
// Parse JSON error body and surface the human-readable message,
|
|
// rather than showing raw JSON like {"error":"Profile 'x' does not exist."}
|
|
try{const j=JSON.parse(text);throw new Error(j.error||j.message||text);}
|
|
catch(e){if(e instanceof SyntaxError)throw new Error(text);throw e;}
|
|
}
|
|
const ct=res.headers.get('content-type')||'';
|
|
return ct.includes('application/json')?res.json():res.text();
|
|
}
|
|
|
|
// Persist/restore expanded directory state per workspace in localStorage
|
|
function _wsExpandKey(){
|
|
const ws=S.session&&S.session.workspace;
|
|
return ws?'hermes-webui-expanded:'+ws:null;
|
|
}
|
|
function _saveExpandedDirs(){
|
|
const key=_wsExpandKey();if(!key)return;
|
|
try{localStorage.setItem(key,JSON.stringify([...(S._expandedDirs||new Set())]));}catch(e){}
|
|
}
|
|
function _restoreExpandedDirs(){
|
|
const key=_wsExpandKey();
|
|
if(!key){S._expandedDirs=new Set();return;}
|
|
try{
|
|
const raw=localStorage.getItem(key);
|
|
S._expandedDirs=raw?new Set(JSON.parse(raw)):new Set();
|
|
}catch(e){S._expandedDirs=new Set();}
|
|
}
|
|
|
|
async function loadDir(path){
|
|
if(!S.session)return;
|
|
try{
|
|
if(!path||path==='.'){
|
|
S._dirCache={};
|
|
_restoreExpandedDirs(); // restore per-workspace expanded state on root load
|
|
}
|
|
S.currentDir=path||'.';
|
|
const data=await api(`/api/list?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}`);
|
|
S.entries=data.entries||[];renderBreadcrumb();renderFileTree();
|
|
// Pre-fetch contents of restored expanded dirs so they render without a second click
|
|
if(!path||path==='.'){
|
|
for(const dirPath of (S._expandedDirs||[])){
|
|
if(!S._dirCache[dirPath]){
|
|
try{
|
|
const dc=await api(`/api/list?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(dirPath)}`);
|
|
S._dirCache[dirPath]=dc.entries||[];
|
|
}catch(e2){S._dirCache[dirPath]=[];}
|
|
}
|
|
}
|
|
if(S._expandedDirs&&S._expandedDirs.size>0)renderFileTree();
|
|
}
|
|
if(typeof clearPreview==='function'){
|
|
if(typeof _previewDirty!=='undefined'&&_previewDirty){
|
|
showConfirmDialog({title:t('unsaved_confirm'),message:'',confirmLabel:'Discard',danger:true,focusCancel:true}).then(ok=>{if(ok)clearPreview();});
|
|
}else{
|
|
clearPreview();
|
|
}
|
|
}
|
|
// Fetch git info for workspace root (non-blocking)
|
|
if(!path||path==='.') _refreshGitBadge();
|
|
}catch(e){console.warn('loadDir',e);}
|
|
}
|
|
|
|
async function _refreshGitBadge(){
|
|
const badge=$('gitBadge');
|
|
if(!badge||!S.session)return;
|
|
try{
|
|
const data=await api(`/api/git-info?session_id=${encodeURIComponent(S.session.session_id)}`);
|
|
if(data.git&&data.git.is_git){
|
|
const g=data.git;
|
|
let text=g.branch||'git';
|
|
if(g.dirty>0) text+=` \u00b7 ${g.dirty}\u2206`; // middot + delta
|
|
if(g.behind>0) text+=` \u2193${g.behind}`;
|
|
if(g.ahead>0) text+=` \u2191${g.ahead}`;
|
|
badge.textContent=text;
|
|
badge.className='git-badge'+(g.dirty>0?' dirty':'');
|
|
badge.style.display='';
|
|
} else {
|
|
badge.style.display='none';
|
|
badge.textContent='';
|
|
}
|
|
}catch(e){badge.style.display='none';}
|
|
}
|
|
|
|
function navigateUp(){
|
|
if(!S.session||S.currentDir==='.')return;
|
|
const parts=S.currentDir.split('/');
|
|
parts.pop();
|
|
loadDir(parts.length?parts.join('/'):'.');
|
|
}
|
|
|
|
// File extension sets for preview routing (must match server-side sets)
|
|
const IMAGE_EXTS = new Set(['.png','.jpg','.jpeg','.gif','.svg','.webp','.ico','.bmp']);
|
|
const MD_EXTS = new Set(['.md','.markdown','.mdown']);
|
|
const HTML_EXTS = new Set(['.html','.htm']);
|
|
// Binary formats that should download rather than preview
|
|
const DOWNLOAD_EXTS = new Set([
|
|
'.docx','.doc','.xlsx','.xls','.pptx','.ppt','.odt','.ods','.odp',
|
|
'.pdf','.zip','.tar','.gz','.bz2','.7z','.rar',
|
|
'.mp3','.mp4','.wav','.m4a','.ogg','.flac','.mov','.avi','.mkv','.webm',
|
|
'.exe','.dmg','.pkg','.deb','.rpm',
|
|
'.woff','.woff2','.ttf','.otf','.eot',
|
|
'.bin','.dat','.db','.sqlite','.pyc','.class','.so','.dylib','.dll',
|
|
]);
|
|
|
|
function fileExt(p){ const i=p.lastIndexOf('.'); return i>=0?p.slice(i).toLowerCase():''; }
|
|
|
|
let _previewCurrentPath = ''; // relative path of currently previewed file
|
|
let _previewCurrentMode = ''; // 'code' | 'md' | 'image' | 'html'
|
|
let _previewDirty = false; // true when edits are unsaved
|
|
|
|
function showPreview(mode){
|
|
// mode: 'code' | 'image' | 'md' | 'html'
|
|
$('previewCode').style.display = mode==='code' ? '' : 'none';
|
|
$('previewImgWrap').style.display = mode==='image' ? '' : 'none';
|
|
$('previewMd').style.display = mode==='md' ? '' : 'none';
|
|
$('previewHtmlWrap').style.display = mode==='html' ? '' : 'none';
|
|
$('previewEditArea').style.display = 'none'; // start in read-only
|
|
const badge=$('previewBadge');
|
|
badge.className='preview-badge '+mode;
|
|
badge.textContent = mode==='image'?'image':mode==='md'?'md':mode==='html'?'html':fileExt($('previewPathText').textContent)||'text';
|
|
_previewCurrentMode = mode;
|
|
_previewDirty = false;
|
|
updateEditBtn();
|
|
// Show "Open in browser" button only for HTML mode
|
|
const openBtn=$('btnOpenInBrowser');
|
|
if(openBtn) openBtn.style.display = mode==='html'?'inline-flex':'none';
|
|
}
|
|
|
|
function updateEditBtn(){
|
|
const btn=$('btnEditFile');
|
|
if(!btn)return;
|
|
const editable = _previewCurrentMode==='code'||_previewCurrentMode==='md';
|
|
btn.style.display = editable?'':'none';
|
|
const editing = $('previewEditArea').style.display!=='none';
|
|
btn.innerHTML = editing ? `💾 ${t('save')}` : `✎ ${t('edit')}`;
|
|
btn.title = editing ? t('save_title') : t('edit_title');
|
|
btn.style.color = editing ? 'var(--blue)' : '';
|
|
if(_previewDirty) btn.innerHTML = '💾 Save*';
|
|
}
|
|
|
|
async function toggleEditMode(){
|
|
const editing = $('previewEditArea').style.display!=='none';
|
|
if(editing){
|
|
// Save
|
|
if(!S.session||!_previewCurrentPath)return;
|
|
const content=$('previewEditArea').value;
|
|
try{
|
|
await api('/api/file/save',{method:'POST',body:JSON.stringify({
|
|
session_id:S.session.session_id, path:_previewCurrentPath, content
|
|
})});
|
|
_previewDirty=false;
|
|
// Update read-only views
|
|
if(_previewCurrentMode==='code') $('previewCode').textContent=content;
|
|
else { $('previewMd').innerHTML=renderMd(content); requestAnimationFrame(()=>{if(typeof renderKatexBlocks==='function')renderKatexBlocks();}); }
|
|
$('previewEditArea').style.display='none';
|
|
if(_previewCurrentMode==='code') $('previewCode').style.display='';
|
|
else $('previewMd').style.display='';
|
|
showToast(t('saved'));
|
|
}catch(e){setStatus(t('save_failed')+e.message);}
|
|
}else{
|
|
// Enter edit mode: populate textarea with current content
|
|
const currentText = _previewCurrentMode==='code'
|
|
? $('previewCode').textContent
|
|
: _previewRawContent||'';
|
|
$('previewEditArea').value=currentText;
|
|
$('previewEditArea').style.display='';
|
|
if(_previewCurrentMode==='code') $('previewCode').style.display='none';
|
|
else $('previewMd').style.display='none';
|
|
// Escape cancels the edit without saving
|
|
$('previewEditArea').onkeydown=e=>{
|
|
if(e.key==='Escape'){e.preventDefault();cancelEditMode();}
|
|
};
|
|
}
|
|
updateEditBtn();
|
|
}
|
|
|
|
let _previewRawContent = ''; // raw text for md files (to populate editor)
|
|
|
|
function cancelEditMode(){
|
|
// Discard changes and return to read-only view
|
|
$('previewEditArea').style.display='none';
|
|
$('previewEditArea').onkeydown=null;
|
|
if(_previewCurrentMode==='code') $('previewCode').style.display='';
|
|
else $('previewMd').style.display='';
|
|
_previewDirty=false;
|
|
updateEditBtn();
|
|
}
|
|
|
|
async function openFile(path){
|
|
if(!S.session)return;
|
|
const ext=fileExt(path);
|
|
|
|
// Binary/download-only formats: trigger browser download, don't preview
|
|
if(DOWNLOAD_EXTS.has(ext)){
|
|
downloadFile(path);
|
|
return;
|
|
}
|
|
|
|
$('previewPathText').textContent=path;
|
|
$('previewArea').classList.add('visible');
|
|
$('fileTree').style.display='none';
|
|
|
|
_previewCurrentPath = path;
|
|
renderFileBreadcrumb(path);
|
|
if(IMAGE_EXTS.has(ext)){
|
|
// Image: load via raw endpoint, show as <img>
|
|
showPreview('image');
|
|
const url=`api/file/raw?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}`;
|
|
$('previewImg').alt=path;
|
|
$('previewImg').src=url;
|
|
$('previewImg').onerror=()=>setStatus(t('image_load_failed'));
|
|
} else if(MD_EXTS.has(ext)){
|
|
// Markdown: fetch text, render with renderMd, display as formatted HTML
|
|
try{
|
|
const data=await api(`/api/file?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}`);
|
|
showPreview('md');
|
|
_previewRawContent = data.content;
|
|
$('previewMd').innerHTML=renderMd(data.content);
|
|
requestAnimationFrame(()=>{if(typeof renderKatexBlocks==='function')renderKatexBlocks();});
|
|
}catch(e){setStatus(t('file_open_failed'));}
|
|
} else if(HTML_EXTS.has(ext)){
|
|
// HTML: render in sandboxed iframe via raw endpoint.
|
|
// SECURITY TRADEOFF: We use sandbox="allow-scripts" which lets inline JS run
|
|
// but prevents access to the parent frame (origin isolation). This is a
|
|
// deliberate choice — the user is previewing their own workspace files, so
|
|
// blocking scripts entirely would break most HTML documents. The sandbox
|
|
// still prevents the preview from navigating the parent, accessing cookies,
|
|
// or reading other origin data. If a stricter mode is needed, remove
|
|
// allow-scripts (or add sandbox="") to disable all JS execution.
|
|
showPreview('html');
|
|
const url=`api/file/raw?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}&inline=1`;
|
|
const iframe=$('previewHtmlIframe');
|
|
if(iframe){
|
|
iframe.src=''; // clear first to avoid stale content
|
|
iframe.src=url;
|
|
}
|
|
} else {
|
|
// Plain code / text -- but fall back to download if server signals binary
|
|
try{
|
|
const data=await api(`/api/file?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}`);
|
|
if(data.binary){
|
|
// Server flagged this as binary content
|
|
downloadFile(path);
|
|
return;
|
|
}
|
|
showPreview('code');
|
|
$('previewCode').textContent=data.content;
|
|
}catch(e){
|
|
// If it's a 400/too-large error, offer download instead
|
|
downloadFile(path);
|
|
}
|
|
}
|
|
}
|
|
|
|
function downloadFile(path){
|
|
if(!S.session)return;
|
|
// Trigger browser download via the raw file endpoint with content-disposition attachment
|
|
const url=`api/file/raw?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(path)}&download=1`;
|
|
const filename=path.split('/').pop();
|
|
const a=document.createElement('a');
|
|
a.href=url;a.download=filename;
|
|
document.body.appendChild(a);a.click();
|
|
setTimeout(()=>document.body.removeChild(a),100);
|
|
showToast(t('downloading',filename),2000);
|
|
}
|
|
|
|
|
|
// ── Render breadcrumb for file preview mode ──────────────────────────────────
|
|
function renderFileBreadcrumb(filePath) {
|
|
const bar = $('breadcrumbBar');
|
|
if (!bar) return;
|
|
bar.style.display = 'flex';
|
|
const upBtn = $('btnUpDir');
|
|
if (upBtn) upBtn.style.display = '';
|
|
|
|
bar.innerHTML = '';
|
|
// Root
|
|
const root = document.createElement('span');
|
|
root.className = 'breadcrumb-seg breadcrumb-link';
|
|
root.textContent = '~';
|
|
root.onclick = () => { clearPreview(); loadDir('.'); };
|
|
bar.appendChild(root);
|
|
|
|
const parts = filePath.split('/');
|
|
let accumulated = '';
|
|
for (let i = 0; i < parts.length; i++) {
|
|
const sep = document.createElement('span');
|
|
sep.className = 'breadcrumb-sep';
|
|
sep.textContent = '/';
|
|
bar.appendChild(sep);
|
|
|
|
accumulated += (accumulated ? '/' : '') + parts[i];
|
|
const seg = document.createElement('span');
|
|
seg.textContent = parts[i];
|
|
if (i < parts.length - 1) {
|
|
seg.className = 'breadcrumb-seg breadcrumb-link';
|
|
const target = accumulated;
|
|
seg.onclick = () => { clearPreview(); loadDir(target); };
|
|
} else {
|
|
seg.className = 'breadcrumb-seg breadcrumb-current';
|
|
}
|
|
bar.appendChild(seg);
|
|
}
|
|
}
|
|
|
|
function openInBrowser(){
|
|
if(!_previewCurrentPath||!S.session) return;
|
|
const url=`api/file/raw?session_id=${encodeURIComponent(S.session.session_id)}&path=${encodeURIComponent(_previewCurrentPath)}`;
|
|
window.open(url,'_blank');
|
|
}
|