Dashboard chat silently breaks behind reverse proxies: _hermes_ink_bundle_stale() always returns True, triggering 15s blocking npm run build on every PTY spawn

[tcconnally]

Summary

Every time a user opens the /chat tab, _make_tui_argv() in hermes_cli/main.py runs a synchronous 15-second npm run build inside FastAPI's async event handler before spawning the PTY. This blocks the entire event loop, preventing WebSocket keepalives from being processed. Reverse proxies with WebSocket idle timeouts (Cloudflare, nginx, Traefik defaults) kill the connection before the build finishes, and the user sees [session ended] with no error message.

Root Cause

_hermes_ink_bundle_stale() checks for packages/hermes-ink/dist/ink-bundle.js:

# hermes_cli/main.py
def _hermes_ink_bundle_stale(tui_dir: Path) -> bool:
    ink_root = tui_dir / "packages" / "hermes-ink"
    bundle = ink_root / "dist" / "ink-bundle.js"
    if not bundle.exists():
        return True   # <-- always True
    ...

But the @hermes/ink build script outputs dist/entry-exports.js, not dist/ink-bundle.js:

> @hermes/ink@0.0.1 build
> esbuild src/entry-exports.ts ... --outdir=dist

  dist/entry-exports.js  418.8kb

ink-bundle.js is never created, so _hermes_ink_bundle_stale() always returns True → _tui_build_needed() always returns True → npm run build runs on every single chat session start.

Impact

• Chat is completely broken for anyone running the dashboard behind a reverse proxy with WebSocket idle timeouts shorter than ~15s (Cloudflare Tunnel default: ~100s, but practical idle timeout is lower; nginx default proxy_read_timeout: 60s)
• Fails silently — no error is surfaced to the user, the PTY just never starts
• The build also runs synchronously in FastAPI's async event loop (subprocess.run with capture_output=True), blocking all other WebSocket/HTTP traffic during the build

Reproduction

from pathlib import Path
from hermes_cli.main import _tui_build_needed
print(_tui_build_needed(Path("/opt/hermes/ui-tui")))  # True, always

Confirmed on a fresh container start — packages/hermes-ink/dist/ink-bundle.js does not exist in the shipped image.

Workaround

Set HERMES_TUI_DIR=/opt/hermes/ui-tui in the dashboard container's environment. This activates the fast path in _make_tui_argv() which checks only for dist/entry.js existence and skips _tui_build_needed() entirely:

if not tui_dev:
    ext_dir = os.environ.get("HERMES_TUI_DIR")
    if ext_dir:
        p = Path(ext_dir)
        if (p / "dist" / "entry.js").exists() and not _tui_need_npm_install(p):
            return [node, str(p / "dist" / "entry.js")], p  # no build check

Suggested Fix

Either:

1. Fix _hermes_ink_bundle_stale() to check for dist/entry-exports.js instead of dist/ink-bundle.js
2. Pre-build the ink bundle in the Docker image so the file is present on startup
3. Run the build asynchronously (via asyncio.create_subprocess_exec) so it doesn't block the event loop

Option 3 is the most defensive regardless of the stale-check fix.

[briandevans]

Heads-up @tcconnally — the specific function this issue identifies (_hermes_ink_bundle_stale) no longer exists on main. Commit c6ca11618 ("refactor(tui): simplify TUI build logic, remove stale staleness checks", 2026-05-11) removed the entire mtime-tracking staleness machinery (_tui_build_needed, _hermes_ink_bundle_stale, _find_bundled_tui) and replaced it with three explicit paths in hermes_cli/main.py:

1. HERMES_TUI_DIR set (prebuilt/nix): node dist/entry.js, no build
2. --dev mode: tsx src/entry.tsx, no build, hot reload
3. Normal: always npm run build (esbuild ~1s, correctness > caching)

Likely checks if you're still seeing the silent [session ended] behind your reverse proxy:

1. Stale install — if you're on a release or older container image, the buggy mtime check is still in there. hermes update (or rebuild your image off current main) and confirm hermes --version.
2. HERMES_TUI_DIR is the canonical fix for your deployment — your existing workaround (HERMES_TUI_DIR=/opt/hermes/ui-tui) is now the documented "prebuilt" path on main. If you can pre-build during image build, path 1 above is build-free at runtime.
3. Normal path on main still runs npm run build on every spawn by design (the maintainer chose correctness > caching). If npm run build in your container takes 15s rather than ~1s, that's a separate question — worth measuring on main directly (time npm run build in ui-tui/) and filing a follow-up if it's materially over a second, since the new design assumes ~1s.

Worth retrying against current main first. Happy to dig further if the symptom reproduces there.

[alt-glitch]

Duplicate of #20951 (ink-bundle.js → entry-exports.js filename mismatch in _hermes_ink_bundle_stale()). Multiple fix PRs already exist: #20686 (superset with auto-resume), #20322 (original fix), #23319. See also the comment above about this code path being refactored on main.

[teknium1]

Automated hermes-sweeper review: this appears implemented on current main.

Evidence:

• The reported stale-check path is gone: repo-wide search on current main found no _hermes_ink_bundle_stale, no _tui_build_needed, and no ink-bundle.js; the TUI freshness helper now keys off dist/entry.js in hermes_cli/main.py.
• The dashboard container path is fixed directly: Dockerfile now builds ui-tui during image build and sets ENV HERMES_TUI_DIR=/opt/hermes/ui-tui, which makes _make_tui_argv() take the prebuilt dist/entry.js fast path instead of runtime npm work.
• Regression coverage exists in tests/docker/test_tui_prebuilt_bundle.py, asserting the image has HERMES_TUI_DIR=/opt/hermes/ui-tui and launches the prebuilt bundle rather than npm.
• The Docker fix landed in 9272e4019aa43d9d28f6f9d3a4cf62e2278dbd00 (fix(docker): point TUI launcher at prebuilt bundle via HERMES_TUI_DIR (#37923)), included in v2026.6.5.

Thanks for the detailed root-cause writeup and for calling out the HERMES_TUI_DIR workaround; that is now the baked container path on main.