Web Dashboard: multi-profile switching support (analysis, root causes, and recommended design)

[traceless929]

Summary

The built-in Web Dashboard currently behaves as a single-profile UI bound to one HERMES_HOME per process. This makes profile switching awkward compared with CLI usage and creates friction for users running multiple profiles.

This issue proposes a design direction for safe multi-profile switching in Web Dashboard, including root-cause analysis, implementation options, and recommended best practices.

---

Current behavior (observed)

• Dashboard process is profile-bound at startup (--profile/-p -> HERMES_HOME set before imports).
• Backend APIs expose current profile paths (hermes_home, config_path, env_path) but do not expose profile list/switch endpoints.
• Frontend routes/pages do not include a profile selector.

As a result, users typically run one dashboard per profile on different ports.

---

Why this happens (root causes)

1. Process-level profile context

   • Profile is resolved early and materialized as HERMES_HOME, then reused across config/session/log/gateway helpers.
   • This is robust for isolation, but not designed for runtime context switching.

2. No profile-scoped API contract in Web layer

   • Existing dashboard APIs are implicitly “active profile only”.
   • No standardized request field/header for profile context.

3. Stateful resources are loaded from active home

   • Config/env/files/session DB/log paths/gateway status are all path-derived from current HERMES_HOME.
   • Runtime switching in a single process risks stale handles/caches and mixed state if not carefully re-scoped.

4. Safety concerns from prior multi-instance issues

   • Historical reports around cross-instance/session contamination and profile reauth loops indicate this area needs strict isolation guarantees.

---

Recommended design (best path)

Phase 1 (short-term, low risk)

Keep backend isolation model (one process == one profile), but improve UX:

• Add docs-first guidance and helper command for launching multi-profile dashboards:
  • hermes -p <profile> dashboard --port <port>
• Provide a small “profile launcher” view/script that opens known profile dashboards in tabs.

Phase 2 (product feature)

Add multi-profile awareness to dashboard with strict boundary control:

Option A (recommended): Supervisor + per-profile backend workers

• Dashboard UI talks to a lightweight supervisor API.
• Supervisor enumerates profiles and proxies requests to profile-specific workers.
• Each worker keeps strict HERMES_HOME isolation (same as today).

Pros: safest isolation model, minimal risk of cross-profile leakage, easy mental model.
Cons: more moving parts (worker lifecycle/proxying).

Option B: Single backend process with request-scoped profile context

• Introduce profile identifier in every API request.
• All path/config/session/log resolvers become request-scoped.

Pros: fewer processes.
Cons: high refactor risk; easier to introduce contamination bugs.

I recommend Option A.

---

Implementation principles

1. Isolation first

   • No shared mutable caches across profiles.
   • Session DB/log readers/config writers must be profile-bound.

2. Explicit profile context everywhere

   • API contract should always know target profile.
   • UI should visibly indicate active profile at all times.

3. Safe switching semantics

   • Switching profile should reset page-local state (search/filter/open session details) unless intentionally preserved per-profile.

4. Per-profile auth/session safety

   • If dashboard auth/session token is introduced/expanded, ensure token scope includes profile.

5. Observability

   • Include profile name in dashboard API logs/metrics for debugging.

---

Proposed UX

• Header profile dropdown with:
  • current profile badge
  • profile status (gateway running/stopped)
  • quick actions: open profile dashboard, restart profile gateway
• “Remember last profile” local setting
• warning modal before destructive actions if profile changed recently

---

Backward compatibility

• Existing hermes dashboard behavior should remain valid for default profile.
• Existing API paths can remain, while adding profile-aware variants or proxy routes.

---

Interim best practices (today)

Until native switching lands:

1. Run separate dashboards per profile (-p + different ports).
2. Keep one browser tab per profile with clear naming/bookmarks.
3. Avoid sharing the same dashboard tab for rapid profile task hopping.
4. Use profile-specific gateway/API ports for integrations (e.g., Open WebUI multi-connection setup).

---

Acceptance criteria

• User can switch profiles in one Web Dashboard entrypoint.
• All data shown (config/sessions/logs/env/cron/skills/status) is strictly profile-correct.
• No cross-profile session/memory/log leakage in tests.
• Existing single-profile workflows keep working unchanged.

[traceless929]

Thanks for reading — here is a concrete phased rollout proposal to make implementation easier to review and de-risk.

Suggested milestones

M1: Safe multi-profile UX without architecture change

Goal: Improve usability immediately while preserving current isolation model.

• Add docs and CLI helper examples for running one dashboard per profile/port.
• Add a small profile launcher page/script (links to known profile dashboards).
• Add profile identity banner in dashboard header (profile name + HERMES_HOME).

Exit criteria:

• Users can reliably operate multiple profiles from browser bookmarks/tabs.
• No backend behavior changes; no regression risk to current dashboard.

---

M2: Supervisor entrypoint (recommended architecture path)

Goal: Single entrypoint URL with strict per-profile isolation.

• Introduce a lightweight supervisor service that:
  • enumerates profiles,
  • tracks worker health,
  • routes/proxies requests to profile workers.
• Keep workers equivalent to today’s dashboard backend (one worker == one HERMES_HOME).
• Add profile selector in UI (reads from supervisor profile list).

Exit criteria:

• User can switch profile from one UI entrypoint.
• All profile actions are routed to matching worker.
• No shared mutable state between profile workers.

---

M3: Hardening + test coverage

Goal: Production-safe multi-profile switching.

• Add end-to-end tests for profile switching across pages:
  • status/config/env/sessions/logs/cron/skills.
• Add negative tests proving no cross-profile leakage.
• Add request/response observability with profile labels (logs/metrics).
• Add UX safeguards (confirm destructive actions after recent profile switch).

Exit criteria:

• CI includes profile-isolation test suite.
• No leakage/regression in stress switching scenarios.
• Ready for broader release.

---

Optional stretch goals

• “Remember last profile” client setting.
• Quick actions in selector (restart gateway, open logs for selected profile).
• Profile-scoped auth/session tokens if dashboard auth model is expanded.

If useful, I can also contribute a follow-up implementation skeleton PR for M1 (docs + helper launcher + header identity badge).

[alt-glitch]

Related to #13547 — existing feature request for profile support in the dashboard. Also see #13823 which implements profile switcher scoping.

[stefanpieter]

Adding a concrete user workflow/use case for this feature request:

I would like to keep multiple Hermes WebUI browser windows open at the same time, with each window pinned to a different Hermes profile, for example:

• one window using kinni
• one window using noblepro
• one window using haku or another isolated business/work profile

Expected behavior:

• Profile selection should be per browser window/tab/session, not a single global UI state that affects all open WebUI windows.
• A chat/session started in a window pinned to profile A should always use profile A's config, memory, skills, sessions, logs, env, cron/gateway context, and HERMES_HOME.
• Sessions should be saved under the selected profile's session directory, never the profile that happened to launch the dashboard process.
• Switching or opening another browser window should not cause cross-profile leakage or move an existing conversation to another profile.

Current practical workaround is to run one backend/API/dashboard process per profile on different ports and open those URLs separately. That works for isolation, but the desired UX is first-class WebUI support for multiple concurrently-open profile contexts.

The safest design still seems to be the supervisor + per-profile backend worker model described in this issue, because it preserves the existing process-level isolation while giving the WebUI a proper profile-aware UX.

[konsisumer]

This issue appears to describe the same problem as #13547, #21642.
Maintainer might want to consolidate or pick one as canonical.