fix(dashboard): trust non-web WS origins on OAuth-gated binds after ticket auth by benbarclay · Pull Request #37870 · NousResearch/hermes-agent

benbarclay · 2026-06-03T04:18:57Z

Summary

Generalises #37747 so the packaged Hermes Desktop app can connect to a remote OAuth-gated gateway. This is not a revert of #37747 — it extends the same "trust a non-web origin once the WS credential has been validated" rule to the one case #37747 left out.

Root cause

The WS Origin guard _ws_host_origin_is_allowed trusted the packaged Electron app's non-web origin (file:// / null / app://) only when the bind was not OAuth-gated (return not auth_required, from #37747). The packaged desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 — even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier.

Symptom: desktop → hosted-gateway connection fails. The token/OAuth probe succeeds (/api/status, ws-ticket mint returns 200), but the chat WebSocket silently 403s on upgrade.

Why this is safe

_ws_host_origin_is_allowed runs only after _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode:

Bind	Credential validated upstream
loopback	legacy dashboard session token
non-loopback `--insecure` (Tailscale/LAN)	legacy session token — #37747
OAuth-gated public	single-use, 30 s-TTL, identity-bound `?ticket=` minted at the cookie-authed `POST /api/auth/ws-ticket`

A non-web origin (file:///null/app://) can only be produced by a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. An attacker can't obtain a ticket without the victim's session cookie. So once the upstream credential check passes, the Origin guard adds nothing for a non-web origin — collapsed the loopback / non-gated special cases to return True for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged.

Changes

hermes_cli/web_server.py: non-web WS origins are trusted in every mode (the upstream ticket/token check is the gate), instead of only non-gated binds.
tests/hermes_cli/test_dashboard_auth_ws_auth.py: gated file:///null/app:// now asserted allowed; cross-site http(s) still rejected on gated and loopback binds; fix(dashboard): allow desktop websocket origins on remote binds #37747's loopback + non-loopback-insecure cases retained.

Validation

	Before (main, post-#37747)	After
Desktop → OAuth-gated gateway WS, `file://` origin	rejected (403)	accepts with valid ticket
Desktop → Tailscale/LAN `--insecure`, `file://`	accepts (#37747)	accepts
OAuth-gated, cross-site `https://evil` origin	rejected	rejected
`tests/hermes_cli/test_dashboard_auth_ws_auth.py`	—	37/37
`tests/hermes_cli/test_web_server_host_header.py`	—	pass

Verified end-to-end against the full gateway_ws guard chain (_ws_auth_ok AND _ws_host_origin_is_allowed AND _ws_client_is_allowed) on a gated non-loopback bind with a real minted ticket: file:///null/app:///same-host-https → ACCEPT; cross-site https → REJECT.

Notes

This is the gateway/server half of the desktop remote-OAuth feature. The desktop client half (ticket minting, probe-based settings UI, the token-box flicker fix) is a separate PR. The gateway image must be rebuilt/redeployed with this change before the desktop can connect to a hosted gateway.
Touches the dashboard-auth layer + generalises a recent merge, so flagging for @teknium1 review.

…icket auth Generalises #37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, #37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has passed, the Origin guard adds nothing for a non-web origin. Collapsed the loopback/non-gated special cases to 'return True' for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged. Tests: gated file:///null/app:// now asserted ALLOWED; cross-site http(s) still rejected on gated and loopback binds; #37747's loopback and non-loopback-insecure cases retained. 37/37 test_dashboard_auth_ws_auth + test_web_server_host_header pass.

github-actions · 2026-06-03T04:19:44Z

🔎 Lint report: `dashboard-ws-origin-gated` vs `origin/main`

ruff

Total: 0 on HEAD, 0 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 0 pre-existing issues carried over.

ty (type checker)

Total: 9707 on HEAD, 9707 on base (➖ 0)

🆕 New issues: none

✅ Fixed issues: none

Unchanged: 5029 pre-existing issues carried over.

Diagnostics are surfaced as warnings — this check never fails the build.

The remote-gateway settings rendered the session-token box for every gateway during the idle/probing window before the first /api/status probe lands, because authMode defaults to 'token'. Gate both the OAuth sign-in button and the token box behind an authResolved flag so neither renders until the probe resolves the scheme (or a previously-saved remote config is being re-shown, so re-opening settings doesn't flicker). The gateway-side WS Origin fix that lets the packaged desktop (file:// origin) connect to an OAuth-gated remote gateway landed separately in #37870; this branch is now purely the desktop client + this UI fix.

* refactor(desktop): consolidate skills + tools management into one pane The left-nav Skills pane and Settings > Skills & Tools rendered the same getSkills()/getToolsets() data with the same helpers and toggles — genuine duplication that drifted (different default category labels, sort orders). Make the left pane the single home: it keeps its category-tabbed browsing and now gains the functional bits it lacked — a real toolset enable/disable switch (was a read-only pill) and the expandable ToolsetConfigPanel for provider selection + per-key credential config. Remove the Tools section from Settings (nav item, view branch, query slot, type union entries) and delete tools-settings.tsx, migrating its toggle coverage into the skills pane test. Relabel the entry point to 'Skills & Tools' in the sidebar and command center. * refactor(desktop): move model management from Command Center into Settings Command Center's Models section and Settings > Model rendered the same model state with identical persistence semantics — both write config and apply to new sessions only (POST /api/model/set). The Command Center UI was strictly better (provider catalog, curated model lists, friendly auxiliary-task labels, Nous-gateway auto-routing on main-provider switch), while Settings > Model was three barebones config fields. Extract that UI into a shared settings/model-settings.tsx (restyled with Settings primitives) and render it at the top of Settings > Model: main model picker via setModelAssignment + the 9 auxiliary task slots with per-task set-to-main / change / reset-all. model_context_length and fallback_providers stay as config fields below it; the raw auxiliary.* keys are dropped from Advanced (now covered by the panel). Strip the Models section from Command Center entirely (section, state, handlers, render, nav, search entry) leaving it focused on Sessions / System / Usage, and move the live store-sync callback (onMainModelChanged) from CommandCenterView to SettingsView. The composer's per-session model picker (the only live hot-swap, via /model) is unchanged. * feat(dashboard-auth): rotate dashboard sessions via refresh token (#37247) * feat(dashboard-auth): rotate dashboard sessions via refresh token The dashboard auth-code grant now issues a 24h rotating refresh token (server side: NousResearch/nous-account-service#293). This wires up the Hermes client half so an expired access token is transparently refreshed instead of bouncing the user to /login every 15 minutes. plugins/dashboard_auth/nous: - refresh_session() now POSTs grant_type=refresh_token to Portal's token endpoint and returns a Session carrying the ROTATED refresh token (was an unconditional RefreshExpiredError under the old "no RT in V1" contract). The RT is sent in BOTH the request body (Portal's schema requires it there) and the X-Refresh-Token header (log redaction) — verified against the #293 preview deploy: header-only is rejected as invalid_request, body is accepted. - A 400 from Portal (expired / revoked / reuse-detected) maps to RefreshExpiredError so the middleware forces a clean re-login; network errors map to ProviderError; empty RT fast-fails without a network call. - complete_login now captures the initial refresh token Portal returns (forward-tolerant: empty string if a deploy omits it). - Extracted the shared token-response handling into _token_response_to_session, parameterised on the 400 exception type so the auth-code path raises InvalidCodeError and the refresh path raises RefreshExpiredError. - revoke_session stays a best-effort no-op: Portal exposes no public token-endpoint revocation grant (revocation is the authenticated /sessions UI, keyed by sessionId+userId), so logout is cookie-clearing and the 24h session expires on its own. Documented for a future revoke grant. hermes_cli/dashboard_auth/middleware: - On an expired/invalid access token the gate now attempts refresh via the session's RT BEFORE forcing re-login. On success it serves the request and re-sets the rotated cookies on the response (mandatory: Portal rotates the RT every refresh and reuse-detects, so a stale RT cookie would revoke the whole session on the next refresh). On RefreshExpiredError (or no RT) it falls through to clear-and-relogin. - ProviderError during refresh (Portal unreachable) forces a clean re-login rather than 500-ing the request. - Uses the existing REFRESH_SUCCESS / REFRESH_FAILURE audit events. Validation: - 176 dashboard-auth unit/integration tests pass. - Live E2E against the #293 preview deploy: refresh_session(bad rt) -> RefreshExpiredError through the real token endpoint; live JWKS fetch + RS256 verification rejects a forged token; empty-RT fast-fail. The successful happy-path rotation is covered by unit tests (a live run needs an interactive browser OAuth round trip + registered agent:* client). Depends on: NousResearch/nous-account-service#293 (server-side RT issuance). * fix(dashboard-auth): use Portal's x-nous-refresh-token header name The refresh-token header must match Portal's REFRESH_TOKEN_HEADER exactly ("x-nous-refresh-token"); the initial cut used "X-Refresh-Token", which Portal silently ignores (harmless since the RT is also in the body, which is what the schema requires — but the header redaction was a no-op). Confirmed against the NAS token route + re-validated live against the #293 preview deploy. * fix(dashboard-auth): refresh session when access-token cookie has been evicted The gated middleware bounced users to /login the instant the access-token cookie was absent, without ever consulting the refresh token: at, _rt = read_session_cookies(request) if not at: return _unauth_response(...) # bailed here This made transparent refresh effectively dead for the common case. The access-token cookie is set with Max-Age = access_token_expires_in (~15 min), so a real browser EVICTS hermes_session_at the moment the token lapses while hermes_session_rt persists (30-day Max-Age). From that point the browser sends only the refresh-token cookie — and the old guard rejected it before _attempt_refresh could run. The _attempt_refresh path only fired for a present-but-invalid access token, which never happens in a browser. Fix: only hard-bounce when NEITHER cookie is present. A request carrying just the refresh token now skips verification (no AT to verify) and flows into the existing refresh path, which rotates both cookies and serves the request transparently. A dead/expired RT still raises RefreshExpiredError and falls through to clear-and-relogin. This failure mode escaped the original tests + manual refresh button because both kept the access-token cookie present; only a real browser evicting the cookie at Max-Age exposes it. Added 3 regression tests covering: AT-evicted + RT-present (transparent refresh), no-cookies (still bounces), and RT-only with a dead RT (clean 401, no 500). * fix(desktop): keep pinned + recent sessions visible across compression Long-running sessions auto-compress: the gateway ends the original session and surfaces the live continuation under a new id (list_sessions_rich projects the root forward to its tip). Two symptoms fell out of the id rotation: - A pinned session "vanished" — the pin is stored as the pre-compression root id, but the sidebar only matched on the live id, so it was filtered out. Pins now resolve on the durable lineage-root id (`_lineage_root_id`, already surfaced by the projection): the sidebar indexes sessions by both ids, pin/ unpin and reorder operate on the durable id, and `sessionPinId()` is shared with the Cmd+P toggle. Existing pins keep working with no migration. - A freshly-continued session was missing from the list until you ungrouped + "load 50 more" — the list paginated by original start time, so an old-but- active conversation sat past the first page. The desktop now requests `order=recent` (GET /api/sessions gains an `order` param backed by the existing recency CTE), surfacing live continuations on the first page. * feat(desktop): stable in-workspace ordering + No-workspace default - Sidebar: rows within a workspace group now sort by creation time instead of last activity, so they stop reshuffling every time a message lands (muscle memory). Groups still float up by recency. - Sessions only persist a workspace cwd when one was explicitly chosen; an auto-detected launch directory is no longer stamped on the row, so untargeted sessions group under "No workspace" instead of "desktop". The agent still runs in the detected directory. * feat(desktop): session search in the sidebar Adds a search box above the session list. Loaded sessions match instantly client-side; a debounced full-text search (existing /api/sessions/search FTS) covers the rest so all sessions stay findable at 699+. Results replace the pinned/agents sections while a query is active and resume on click. * feat(streaming): per-platform streaming defaults (Telegram on, Discord off) + dashboard toggles (#37303) Streaming quality differs sharply by platform: Telegram has native animated draft streaming (sendMessageDraft) which is smooth, while Discord/Slack only have edit-based streaming (repeated editMessage) which visibly flickers. Ship defaults that match reality instead of one global flag. - hermes_cli/config.py: DEFAULT_CONFIG display.platforms now ships telegram.streaming=true and discord.streaming=false (was empty {}). These are gap-fillers — config deep-merge has user values win, so anyone who explicitly sets discord.streaming=true keeps it. The global streaming.enabled master switch still gates everything; these per-platform flags only take effect once streaming is on. - Dashboard exposure comes for free: the web settings schema is generated from DEFAULT_CONFIG, so display.platforms.telegram.streaming and .discord.streaming now surface as editable boolean toggles in the UI with no frontend change. (Previously the per-platform tree was {} and invisible.) - tests: pin the defaults, the resolver outcome (telegram on / discord off / unlisted platforms follow global), user-override-wins, and dashboard schema exposure. No _config_version bump: deep-merge fills the gap for existing installs; no value migration needed. * fix(model-picker): OpenAI shows curated models; OpenRouter no longer phantom-shows (#37404) The model picker now matches `hermes model` for OpenAI, and OpenRouter stops appearing as authenticated when only OPENAI_API_KEY is set. - models.py: provider_model_ids() for the default api.openai.com endpoint intersects the live /v1/models dump (120+ entries incl. embeddings, whisper, tts, dall-e, moderation, legacy chat) with the curated agentic list, preserving curated order. Custom OpenAI-compatible endpoints keep the live list verbatim so discovery still works. - providers.py: drop extra_env_vars=("OPENAI_API_KEY",) from the openrouter overlay. list_authenticated_providers reads extra_env_vars to decide whether a provider is authenticated, so any OpenAI user saw a phantom OpenRouter row. Runtime OpenRouter credential resolution still falls back to OPENAI_API_KEY (runtime_provider.py), independent of the overlay. - Regression tests for both paths. * feat(desktop): cancellable first-launch install The install overlay had no way to stop a running install — the runner already supported an abortSignal, but nothing drove it. Wire it end to end: - main.cjs holds an AbortController for the active runBootstrap and aborts it on a new hermes:bootstrap:cancel IPC and on app quit, so quitting/cancelling mid-install actually kills install.sh/ps1 instead of orphaning it. - runBootstrap bails before spawning anything if the signal is already aborted. - Install overlay gains a "Cancel install" button while a bootstrap is active; a cancel surfaces the recovery overlay (retry/repair). Test: electron/bootstrap-runner.test.cjs asserts the already-aborted early return (no spawn) via `node --test`. * chore: uptick * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * docs: add Desktop App guide (#37457) The native Electron desktop app shipped (PR #20059 and follow-ups) but the docs only told people how to download it, not what it is or how to use it. Adds website/docs/user-guide/desktop.md covering install (installer + prebuilt + Windows GUI), the chat-first UI and management panes, the hermes desktop CLI flag reference, self-update, how-it-works, and troubleshooting. Sourced from apps/desktop/README.md, routes.ts, and the real argparse. Wired into sidebars.ts under Interfaces after the TUI. * Merge pull request #37462 from NousResearch/bb/desktop-update-throttle fix(desktop): throttle the update-available toast * fix(docs): update desktop app docs * feat(dashboard): nous-blue theme, bulk sessions, schedule picker (#37383) * feat(dashboard): nous-blue theme, bulk sessions, schedule picker Batch of related dashboard improvements gathered on austin/fix/dashboard-changes: * Nous Blue theme — faithful port of the LENS_5I overlay system onto the existing DashboardTheme. Lifts the foreground inversion layer to z-index 200 to fix the long-standing hover / loading visual artifact, adds an explicit swatchColors slot so the theme picker shows the post-inversion preview, and migrates the legacy "lens-5i" theme key from localStorage / API to "nous-blue" on first read. * Theme-aware series colors: new --series-input-token / --series-output-token CSS vars consumed by Analytics + Models charts; ToolCall + ModelInfoCard switched to semantic --color-success for diff lines and the Tools capability badge. * Analytics + Models headers: consolidate period selector + refresh next to the page title and drop the redundant period badge. * Bulk session management — "Delete empty (N)" button + per-row checkboxes with shift-click range select and a bulk-delete action bar. Backed by SessionDB.delete_sessions() / delete_empty_sessions() plus POST /api/sessions/bulk-delete and DELETE /api/sessions/empty (registered before the templated /api/sessions/{session_id} family so they don't get shadowed). Hard cap of 500 IDs per bulk request. Full pytest coverage. * Cron page — human-readable schedule picker (every-interval / daily / weekly / monthly / once / custom) replaces the raw cron expression input; the job list now renders "Weekly on Mon, Wed, Fri at 14:30" instead of "30 14 * * 1,3,5". English-only ordinals for monthly schedules so non-English locales don't get incorrect suffixes. * example-dashboard plugin moved from plugins/ to tests/fixtures/ so stock installs no longer ship the demo. Tests install it dynamically via a pytest fixture that also reorders the FastAPI routes. * i18n: 40+ new keys for the bulk-select UI and schedule picker/describer translated across all 16 locales. Co-authored-by: Cursor <cursoragent@cursor.com> * refactor(dashboard): dedupe memory provider picker The memory provider <Select> lived on both /system and /plugins, writing the same config.yaml field through two different endpoints with no cross-page refresh. Remove the picker from /system in favor of a read-only status row + link to /plugins, where it pairs with the context-engine picker under "Plugin providers". /system retains the destructive admin controls (file sizes, Reset MEMORY.md / USER.md / all). The api.setMemoryProvider client and PUT /api/memory/provider backend endpoint are left in place for CLI / script callers. Co-authored-by: Cursor <cursoragent@cursor.com> * docs(dashboard): address Copilot review on PR #37383 - Backdrop layer-stack comment claimed LENS_5I-style themes override --component-backdrop-bg-blend-mode to multiply, but our only LENS_5I-style theme (nous-blue) keeps the default difference. Reword to describe what the code actually does and present the var as a forward-looking extension hook. - /api/sessions/bulk-delete docstring promised the response would echo back the list of deleted IDs, but the implementation only returns {ok, deleted}. Tighten the docstring to match the wire format; the client already knows what it asked to delete, so the IDs aren't needed. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(dashboard): address copilot review on cron describe + bulk-select checkbox - schedule.ts: restrict `describeCronExpression` to strictly 5-field cron expressions. The backend `parse_schedule` also accepts the 6-field `min hour dom month dow year` form, and humanising those by destructuring only the first five fields would silently drop the year (e.g. ``0 9 * * * 2099`` rendered as "Daily at 09:00"). 6+ field expressions now fall through to the raw-string fallback so the user sees what's actually scheduled. - SessionsPage.tsx (SessionRow): wire the bulk-select Checkbox's ``onClick`` directly instead of attaching it to a parent ``<span>`` with a no-op ``onCheckedChange``. Radix forwards onClick to the underlying ``<button role=checkbox>``, so the same handler now drives both mouse clicks (preserving shift-key state for range select) and keyboard activation (Space on the focused checkbox, which the browser synthesises as a click on the <button>). Improves a11y / keyboard UX without changing the controlled-selection model. - SessionsPage.tsx: also extend ``SessionRowProps`` with the new ``onRename`` / ``onExport`` props introduced on main so the row's destructured prop types resolve after the merge. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com> * Clarify desktop install retry guidance * fix(auth): align Codex OAuth persistence paths (#37517) * fix(desktop): codex OAuth onboarding now resolves on fresh install The desktop codex device-code worker persisted tokens with a hand-rolled pool.add_entry(), writing only credential_pool.openai-codex. It never set active_provider, so on a fresh install the onboarding setup.runtime_check resolved provider "auto", couldn't detect the Codex OAuth session, and raised "No inference provider configured" — while setup.status (which sniffs the pool) reported configured. The disagreement surfaced as the onboarding banner "Connected, but Hermes still cannot resolve a usable provider." Use the canonical _save_codex_tokens() instead, matching the CLI's `hermes auth add openai-codex` path and the Nous/MiniMax dashboard workers. It writes the providers.openai-codex singleton (setting active_provider) and syncs the pool. * fix(auth): align Codex OAuth persistence paths Ensure desktop and CLI Codex OAuth logins both write the canonical provider state so fresh installs resolve a usable runtime provider. --------- Co-authored-by: teknium1 <127238744+teknium1@users.noreply.github.com> * feat(installer): rename macOS installer to "Hermes" and make it a launcher (#37516) * feat(installer): rename macOS installer to "Hermes" and make it a launcher The bootstrap installer was branded "Hermes Setup" and always re-ran the full install flow on every open — so the /Applications app said "Setup" and couldn't double as a way to relaunch Hermes (the real desktop app lives in ~/.hermes, not /Applications, with no Dock/Launchpad entry). Two changes, macOS-focused: 1. Rename the installer's user-visible name to "Hermes" (productName, window title, shortDescription, document title). Bundle id stays com.nousresearch.hermes.setup (distinct from the desktop app's com.nousresearch.hermes); the on-disk staged updater name (hermes-setup) is unchanged, so the desktop's update hand-off still resolves it. 2. Launcher fast path: on a bare ("Install") launch, if Hermes is already installed (bootstrap-complete marker + a built desktop app on disk), skip the installer UI entirely and relaunch the desktop app, then exit. First run still installs; Update mode and fresh/repair installs still show the UI. The window now starts hidden ("visible": false) and is revealed only when the UI is actually needed, so the launcher path never flashes a window. Net UX: one "Hermes" in /Applications you can pin to the Dock — first click installs, every later click opens the app instantly (same icon throughout, so the Dock stays seamless). Nothing pins to the Dock permanently; the app shows a normal Dock icon only while running. Windows naming is intentionally left as-is in this change (scope: macOS). * fix(installer): gate launcher fast path to macOS + log window-show failures Address review feedback: - Gate the already-installed launcher fast path to macOS (cfg!(target_os = "macos")). On Windows/Linux the installer keeps its prior behavior, so the change is a pure no-op there. This avoids relaunching the desktop app on Windows via a spawn that lacks the DETACHED_PROCESS + startup-grace handling launch_hermes_desktop uses (which could race the installer's exit). - Add a brief startup grace before exiting on the mac fast path, mirroring launch_hermes_desktop. - Log (instead of silently ignoring) failures to show the main window, and log when the "main" window can't be found, so a no-UI state is diagnosable. * fix(installer): add --reinstall escape hatch + keep spawn detached on Windows Address follow-up review: - Add a `--reinstall`/`--repair` flag that forces the installer UI even when Hermes is already installed, so a broken install can be repaired by re-running setup instead of the launcher fast path silently relaunching the (possibly bad) app. - Apply DETACHED_PROCESS on Windows in spawn_installed_desktop, mirroring launch_hermes_desktop, so the helper stays correct cross-platform even though its only caller is macOS-gated today. * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * test(installer): unit-test --reinstall/--repair force-setup parsing Extract the force-setup flag parsing into a unit-testable `force_setup_from_args` helper (mirrors `AppMode::from_args`) and add tests: - --reinstall and --repair are recognized - bare/unrelated args (incl. --update) do not force setup - the repair flags never affect Install<->Update mode selection --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * feat(desktop): content-hash build stamp with --build-only and --force-build flags Add a SHA-256 content-hash based build stamp to `hermes desktop` so unchanged source trees skip the npm install + build step. Uses pathspec for .gitignore-aware file matching instead of a hardcoded skip-list. New CLI flags: - --build-only: run the build but don't launch the app - --force-build: rebuild even when the stamp matches `hermes update` now calls `hermes desktop --build-only` so the desktop app is rebuilt (if needed) as part of the update flow. 16/16 tests passing. * fix(models): restore gemini-3-flash-preview to Gemini OAuth picker (#37606) #37046 swapped gemini-3-flash-preview -> gemini-3.5-flash in the google-gemini-cli (OAuth/Code Assist) picker on the premise that the preview slug was renamed. It wasn't. Per gemini-cli's models.ts, Code Assist serves two distinct flash slugs with different access gates: gemini-3-flash-preview (PREVIEW_GEMINI_FLASH_MODEL — what subscription/ free-tier OAuth users reach) and gemini-3.5-flash (DEFAULT_GEMINI_3_5_FLASH_MODEL — GA-channel-gated). The model string is passed verbatim into the {project, model, ...} envelope sent to cloudcode-pa.googleapis.com, so non-GA users got a hard error on every prompt because gemini-3.5-flash 404s for them. Offer both slugs in the OAuth picker (matching gemini-cli's own /model list) so non-GA users can select the preview flash that works. The gemini (API-key), OpenRouter, and Nous lists are untouched — google/gemini-3.5-flash is a real live model on those surfaces. * fix(desktop): stabilize project folder sessions (#37586) * fix(desktop): stabilize project folder sessions Keep desktop folder selection aligned with new sessions and scope TUI gateway cwd through session context so prompts and tools resolve against the selected workspace. * fix(desktop): address review feedback on folder sessions Snapshot sessions before iterating to avoid concurrent-mutation crashes, optional-chain the revealLogs catch, and read console-message args from the correct Electron event/messageDetails positions. * fix(desktop): address second review pass on folder sessions Sync the remembered workspace key with the cwd atom (clear on empty), only load tree children for real directory nodes, and throttle renderer auto-reloads so a deterministic startup crash can't loop forever. * fix(desktop): inherit parent workspace for ephemeral agent tasks Background and preview tasks use ephemeral ids absent from the session map, so pass the parent session cwd into the session context explicitly instead of clearing it back to the gateway launch dir. Also correct the set_session_vars docstring about clear_session_vars semantics. * fix(desktop): validate preview cwd before pinning session context A non-empty but non-existent client cwd would pin an unusable override and silently fall back to the launch dir. Validate once, reuse for both the session context and the terminal override, and fall back to the parent session workspace when invalid. * fix(desktop): harden preview cwd normalization and adopt normalized cwd Guard preview cwd normalization against malformed client paths so a bad input can't fail the whole restart, and adopt the backend's normalized config.get cwd in the no-active-session path so the persisted workspace stays consistent with what the agent uses. * fix(desktop): triage batch of GUI quality-of-life fixes (#37536) * fix(desktop): triage 24 GUI quality-of-life fixes across sidebar, composer, tool cards, messaging, and platform plumbing A grab-bag of high-leverage UX fixes plus a few backend touches that the GUI needs to behave correctly on Windows. Sidebar / sessions - Decrement $sessionsTotal on delete + archive so "Load N more" stops claiming removed rows are still on the server. - Hide the "Group by workspace" toggle when no unpinned sessions exist. - Accept Cmd/Ctrl+N as a "new session" accelerator (in addition to bare Shift+N), and render the kbd hint per-platform. - Switch the statusbar to overflow-x-clip so untitled sessions don't paint a horizontal scrollbar at the bottom of the window. Messaging + Cron - Add [-webkit-app-region: no-drag] to the page-search input so clicks reach the field instead of routing to the OS window-drag handler. - Replace single-letter PlatformAvatar with brand glyphs from @icons-pack/react-simple-icons (telegram, discord, matrix, signal, whatsapp, mattermost, wechat, qq, ...). Letter monogram fallback for Slack / Dingtalk / Feishu / WeCom (removed from Simple Icons at brand owner request). - Drop the duplicate "Create first cron" button in the empty state. Composer - Dedupe pasted images by (name, size, lastModified, type) instead of Blob identity; Chromium hands us the same screenshot via both clipboard.items and clipboard.files with fresh File instances. - Enable spellcheck on the contentEditable, configure Chromium's spellchecker with the system locale on whenReady, and add replaceMisspelling + "Add to dictionary" entries to the context menu. - Render user messages through a minimal markdown pipeline (inline backtick code + fenced ``` blocks) while keeping @file:/@image: directive chips intact. - max-h-[60vh] overflow-y-auto + collisionPadding on the prompt-snippet submenu. - Bake cursor-pointer into the <Button> primitive (with disabled:cursor-default) and into titlebarButtonClass. Dialogs + tabs + version - Default DialogContent now has max-h-[85vh] overflow-y-auto so long bodies scroll instead of falling off-screen. - Right-rail preview tabs close on middle-click (button === 1), with an onMouseDown swallow to suppress Chromium autoscroll. - New refreshDesktopVersion() helper called from About mount, after every update check, and on throttled window focus so About reflects the just-installed binary. Keys + Artifacts + Terminal - Drop the global "Show advanced" toggle in KeysSettings. Provider groups now default-expand when they have any key set. - Extend openExternalUrl to handle file:// via shell.openPath, with showItemInFolder fallback when the OS can't open the file. - New lib/ansi.ts SGR parser + <AnsiText> component, applied to terminal/execute_code tool output. - ToolView gained stdout / stderr / rendersAnsi; tool-fallback renders the two streams as separate labeled blocks with stderr in a neutral tone (not destructive — many CLIs log info on stderr). - Drop 'stderr' from ERROR_MSG_KEYS in tool-result-summary. Paths + platform - resolveHermesCwd skips process.cwd() when packaged and prefers a user-configurable default project directory. - New hermes:setting:defaultProjectDir:{get,set,pick} IPC handlers + preload bridge + global.d.ts typing + a "Default project directory" row in Sessions settings. - FileOperations.delete_path(path, recursive=True) on the abstract base; ShellFileOperations.delete_file rewritten to run a cross- platform python3 -c snippet so deletes work on Windows shells (which have no rm/rm -rf). Fallback to `python` when `python3` isn't on PATH. - README troubleshooting block split into macOS/Linux + Windows PowerShell recipes. - Tightened renderer favicon links in index.html + added color-scheme and theme-color meta. Backend lifecycle (renderer-side mitigation) - New noteSessionActivity() heartbeat + session.ts watchdog: an 8-minute silence on the stream auto-clears stuck $workingSessionIds entries so "Session Busy" never gets permanently wedged. Wired into useSessionStateCache so every state update refreshes the timer. i18n spike - docs/desktop-i18n-rfc.md scoping a future language-switcher PR (recommends react-intl, audits IME/RTL/CJK in the composer + chat bubbles, 4-PR rollout plan, ~3-4 eng-weeks for the first non-English locale). Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): replace native OS scrollbar in portaled dropdown menus Radix's DropdownMenuPrimitive.Portal renders content under document.body, outside the `.scrollbar-dt` scope on #root. Whenever a menu's max-height clipped its content (even by a pixel — common for the composer "+" menu that opens upward near the bottom of the window), the user saw the OS's chunky native scrollbar painted across the whole menu. Bake a thin, slot-styled scrollbar onto DropdownMenuContent and DropdownMenuSubContent via [scrollbar-width:thin] + WebKit pseudo-element arbitrary variants. The submenu also gets a max-h tied to --radix-dropdown-menu-content-available-height so long snippet lists scroll cleanly instead of running off the bottom of the viewport. Drop the now- redundant max-h-[60vh] override on the prompt-snippet submenu. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): unbork dropdown menu — submenu opens, parent isn't a circle Two regressions from the previous dropdown-scrollbar fix: - The parent menu rendered as a rounded oval. Long Tailwind v4 arbitrary- variant strings like [&::-webkit-scrollbar-thumb]:rounded-full inside a cn() call were being mis-resolved so the `rounded-full` leaked onto the menu container itself. Replaced the whole tower of arbitrary variants with a real `.dt-portal-scrollbar` class in styles.css that mirrors what `.scrollbar-dt` already does for #root descendants. Plain CSS, no Tailwind parser ambiguity. - The Prompt snippets submenu didn't open. Radix publishes --radix-dropdown-menu-content-available-height on Content but NOT on SubContent, so the `max-h` bound to that variable computed to 0 and the submenu collapsed to zero height. Switched SubContent to a fixed max-h-80 (≈20rem) which is plenty for a snippet list and never collapses. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): promote prompt snippets from Radix submenu to a real Dialog The submenu refused to open when the parent dropdown was anchored at the bottom of the window (composer "+" button) — Radix's collision detection + SubContent positioning was fighting us. Rather than keep tuning side / sideOffset / collisionPadding / max-h until something stuck, replace the DropdownMenuSub with a clicked DropdownMenuItem that opens a proper Dialog. Side benefits over the submenu: - Each snippet gets a description line, so a glance is enough to pick one. - Focus management is handled by Dialog automatically. - Easy to grow (search, custom user snippets, categories) without another round of Radix positioning bugs. Also extract types/interfaces to the bottom of the file per workspace convention. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): move cron 'New cron' button off the top bar into the body Reverses the previous direction on cron empty-state dedup. The body button is more discoverable for first-time users (it's anchored next to the "No scheduled jobs yet" copy that explains the feature) and frees the top bar from a global CTA that wasn't pulling its weight. - Empty (zero jobs): EmptyState renders the "Create first cron" button again, like the original design. - Empty (search filtered out all jobs): no button, just "Try a broader search query" copy. - Has jobs: small inline header above the list shows `N/M active` plus a single "New cron" button (right-aligned). The rows themselves already cover edit/pause/trigger/delete, so this is the only "create" affordance. Also drop the dead `<div className="hidden">…</div>` enabledCount line the previous patch left behind; the count is now visible in the new header instead of hidden. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): address Copilot review on PR 37536 - sessions-settings: guard the WHOLE bridge call rather than chaining `?.settings.foo().then(...)` — the latter throws when `window.hermesDesktop` is undefined (non-Electron / Vitest contexts) because the chain short-circuits to `undefined.then(...)`. - file_operations: drop `Path.unlink(missing_ok=True)` (Py>=3.8) so the generated delete snippet still works on remote backends running Python 3.7. The existing FileNotFoundError handler covers the same case and works back to 3.4. - ansi.test.ts: add focused Vitest coverage for the SGR parser (basic/bright colors, bold toggles, default-fg reset, coalescing, 256-color / truecolor arg consumption, non-SGR CSI drop, empty SGR full-reset) so future refactors can't silently regress terminal rendering. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop/updates): swallow refreshDesktopVersion bridge errors `refreshDesktopVersion()` is called best-effort with `void` from `checkUpdates()`, `startUpdatePoller()`, and the window focus handler. If the IPC bridge rejects (main process shutting down during reload, bridge not yet ready on first paint), the rejection surfaces as an unhandled promise rejection in the renderer. Wrap the call in try/catch and return null on failure so callers can keep the existing fire-and-forget pattern safely. Co-authored-by: Cursor <cursoragent@cursor.com> * chore(desktop): drop work duplicated by other in-flight PRs - composer/text-utils.ts: revert paste-image dedupe — PR #37596 ships the same fix with a cleaner content-key approach and a Vitest file (text-utils.test.ts). Letting that PR own the change. - docs/desktop-i18n-rfc.md: delete the i18n scoping RFC — PR #37568 has already shipped a working i18n surface (homegrown nanostores `t()` helper over en/zh dictionaries), so the RFC's framework recommendation (`react-intl`) is now obsolete and would just contradict the implementation that's actually landing. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com> * feat(desktop): make xAI Grok a first-class OAuth provider in the launcher xAI Grok was only reachable via the "I have an API key" form. xAI's OAuth (SuperGrok / Premium+) flow already exists in the backend (`hermes auth add xai-oauth`) but was never surfaced in the desktop onboarding launcher. Add a loopback PKCE flow: the local backend binds the 127.0.0.1 callback listener, the client opens the browser, and the redirect lands back automatically — no code to copy/paste. Reuses the existing xAI OAuth helpers (discovery, callback server, token exchange, persist) rather than duplicating them. - web_server: catalog entry (flow: loopback) + status dispatch + _start_xai_loopback_flow + background worker + route branch - desktop: 'loopback' flow type, awaiting_browser status, xAI Grok card (PROVIDER_DISPLAY / FLOW_SUBTITLES / FlowPanel waiting render) - tests: catalog listing, start authorize-url, worker persist, state mismatch rejection * fix(desktop): order xAI Grok after MiniMax in the OAuth catalog * fix(desktop): address Copilot review on xAI loopback flow - web_server: join the callback-server thread in the start error path so a failed discovery/URL build doesn't leave a daemon thread running - web_server: loopback worker now bails if the session was cancelled while waiting for the callback or exchanging the code, instead of persisting tokens the user no longer wants (+ regression test) - onboarding: fall back to window.open when the desktop bridge's openExternal is unavailable, so the flow never silently stalls * fix(desktop): address second Copilot pass on xAI loopback flow - onboarding: openSignInUrl now falls back to window.open when the desktop bridge's openExternal throws/rejects (OS handler missing, user denied), not just when the bridge is absent - web_server: cancelling a loopback session shuts down the 127.0.0.1 callback server + joins its thread immediately, freeing the port instead of holding it until the wait times out (+ regression test) - web_server: document the new "loopback" flow in the /api/providers/oauth enum, the poll-endpoint docstring, and the Phase 2 flow comment block * ci(nix): fold package+devShell builds into flake check Add build-package and build-devshell as cross-platform check derivations so nix flake check verifies the default package and devShell build on every platform (including darwin, which previously only did eval-only checks). This lets us drop the separate nix build step from the CI workflow and removes the macOS-only eval fallback — a single nix flake check now covers builds + runtime checks on all runners. * fix(desktop): use auth-store path as xAI OAuth source_label source_label is meant to be a human-readable origin (file path / source), not the internal auth_mode string ("oauth_pkce"). Surface the auth-store path, then the source slug, then a generic label. * fix(desktop): signal loopback worker to stop on cancel Shutting down the callback server stopped the serve thread but left the worker spinning in _xai_wait_for_callback (which polls callback_result) until the timeout. Flag callback_result as cancelled on DELETE so the wait returns promptly and the daemon thread exits — avoids thread buildup on repeated cancel/retry. * fix(web-server): move event channel state from module globals to app.state (#37683) Module-level asyncio.Lock() binds to whatever event loop was active at import time. When the same web_server module is reused across multiple TestClient instances (or across uvicorn reloads), the old lock still references a defunct loop, causing 'attached to a different loop' errors and flaky subscriber-registration races in CI. Replace the module-level _event_channels dict + _event_lock with: - _lifespan() async context manager that creates both on the running event loop during FastAPI startup (guaranteed correct loop binding) - _get_event_state() lazy accessor that initialises on app.state when TestClient is used without a `with` block (preserves backward compat) All call sites (_broadcast_event, /api/pub, /api/events) now receive the app reference and read state via _get_event_state(app) instead of the module globals. The test polling loop is updated to check app.state.event_channels rather than the removed module attribute. * fix(gateway): route /background result media by type Background-task (/background, /btw) result media now routes to the type-specific sender — TTS clip → voice bubble, video → send_video, image → send_image_file — instead of forcing everything through send_document. Mirrors the streaming + kanban delivery paths and reuses base.should_send_media_as_audio for the Telegram OGG nuance. Co-authored-by: LJ Li <liliangjya@gmail.com> Co-authored-by: Kolektori <256073454+Kolektori@users.noreply.github.com> * test(honcho): de-flake prewarm smoke test's thread wait (#37614) TestDialecticLifecycleSmoke._await_thread did a single join(timeout=3.0) and then proceeded regardless of whether the background dialectic thread had finished. On a loaded CI runner (6 parallel test slices) the prewarm thread's completion can slip past that 3s window, so the join times out silently and the test reads _prefetch_result before the worker wrote it — the intermittent 'session-start prewarm must land in _prefetch_result' failure. Join in a loop up to a 30s ceiling and assert the thread is actually dead, so a genuine hang surfaces as a clear failure instead of a timing race. Reproduced the old failure deterministically (5/5 fails with a 3.5s prewarm delay) and confirmed the fix (0/8) before/after. * feat(desktop): inline model picker in the status bar Replace the status-bar model chip's modal with a Cursor-style dropdown: - providers grouped by name in a stable order (no recency reshuffle on select) - per-model hover-Edit submenu for reasoning effort + fast, gated by per-model capabilities now surfaced in the model.options payload - unified Fast toggle: flips the speed=fast param where supported, else swaps to the model's `-fast` variant (base and variant collapse into one row) - localStorage-backed "Edit Models" dialog to choose which models appear Adds reusable dropdown primitives (DropdownMenuSearch, shared row/label tokens, portaled + collision-aware submenus) and reads session state from nanostores rather than prop-drilling, so editing options doesn't rebuild and close the menu. * fix(desktop): adopt existing macOS install + auto-place app First-launch "already installed?" hinged solely on a marker that only the desktop's own bootstrap writes, so a runtime from `install.sh --include-desktop` (or a DMG launch over a prior CLI install) was runnable yet markerless and got the WHOLE installer re-run on top of it. Detect a runnable ACTIVE_HERMES_ROOT (valid source + venv), adopt it (stamp the marker, recording HEAD), and forward straight to the app. Repair keeps forcing a real re-bootstrap. Also: on first packaged macOS launch relocate the bundle into /Applications (Electron relaunches from there) and pin the canonical copy to the Dock once, so users stop re-opening the installer from Downloads/the DMG. * fix(aux): self-heal Nous-routed calls when a pinned model leaves the catalog (#37732) A long-lived process (gateway, watcher) caches the Nous Portal's recommended-models payload and can pin a model for its whole lifetime. When that model is later dropped from the Nous -> OpenRouter catalog, every auxiliary call 404s with 'model does not exist in our configuration or OpenRouter catalog' until the process restarts. Now such a 404 force-refreshes the Portal recommendation and retries once with the current pick (or the gemini-3-flash-preview default). Scoped to Nous-routed calls only. - _is_model_not_found_error(): 404/400 'not found / does not exist / not a valid model' predicate, excludes billing keywords so it never overlaps _is_payment_error. - _refresh_nous_recommended_model(): force-refresh fetch, returns a model distinct from the one that failed, else the known-good default. - Wired into both call_llm and async_call_llm error chains. * fix(gateway): close ResponseStore + dispose unowned adapter on reconnect failure Three separate code paths in the gateway's platform reconnect loop leaked file descriptors every retry, exhausting the default 2560-fd ulimit in ~12 hours of continuous failure and turning the gateway into a zombie that raises OSError: [Errno 24] on every open() (#37011). Root cause: * APIServerAdapter.__init__ opens a ResponseStore SQLite connection that holds 2 fds (db file + WAL sidecar). * APIServerAdapter.disconnect() previously only stopped the aiohttp web server — the ResponseStore connection was never closed. * The reconnect watcher in _platform_reconnect_watcher constructs a fresh adapter on every retry attempt. When the connect call fails (3 paths: non-retryable error, retryable error, exception during connect) the adapter is dropped without ever being installed on self.adapters, so nothing else calls its disconnect(). Result: the 2 ResponseStore fds stay open until GC sweeps the unreachable object, which Python's cyclic GC does not do promptly for asyncio-bound native handles. 2 fds × 1 retry × (3600s / 300s backoff cap) ≈ 12 fds/hour. 2560 fds / 12 fds/hr ≈ 12h to ulimit exhaustion. Fix: * APIServerAdapter.disconnect() now also calls self._response_store.close() (with a try/except so a SQLite close failure doesn't abort the aiohttp teardown). * New module-level helper _dispose_unused_adapter(adapter) in gateway/run.py that calls adapter.disconnect() and swallows any exception (so half-constructed adapters whose __init__ crashed don't kill the watcher loop). * _platform_reconnect_watcher calls _dispose_unused_adapter() in all three failure paths: non-retryable, retryable, and the except Exception arm. adapter = None is initialized before the try so the except arm can see the partial construction. Tests: * New file tests/gateway/test_platform_reconnect_fd_leak.py with 7 regression tests covering all three failure paths, the _dispose_unused_adapter helper (None + raising-disconnect cases), and the APIServerAdapter ResponseStore close behavior (success + close-exception cases). The _CountingAdapter fixture tracks disconnect() invocations and an _open_fds counter that is decremented on dispose, so the assertion is the literal observable behavior of the leak. Refs: - Closes #37011 (the original fd-leak report) - Supersedes #37018, #37110, #37238, #37260, #37394 (7 competing open PRs all addressing the same root cause from different angles; none of them rebased cleanly against current main, and none covered all three failure paths in one fix with regression tests for both the watcher and the platform-level close behavior) * fix(release): add fearvox1015@gmail.com -> Fearvox to AUTHOR_MAP The check-attribution CI job on #37679 failed because the commit author email nolan@0xvox.com (a local git config mistake on this machine) is not in scripts/release.py AUTHOR_MAP. The commit itself is now re-authored to fearvox1015@gmail.com, and this follow-up adds the entry to AUTHOR_MAP so any future commits authored from this email also pass the check. * polish(gateway): address Copilot review comments on fd-leak fix Seven Copilot inline review comments on #37679, four worth landing in a polish pass before merge: 1. _dispose_unused_adapter signature: 'BasePlatformAdapter' -> 'BasePlatformAdapter | None'. The function explicitly handles None and the reconnect watcher calls it with None in the except arm, so the annotation now matches the actual contract. 2. (duplicate of #1 on a different line) — same fix. 3. except Exception in _dispose_unused_adapter — the reviewer asked about asyncio.CancelledError swallowing. On Python 3.8+ (Hermes requires 3.13, see pyproject.toml), CancelledError inherits from BaseException, NOT Exception, so the existing 'except Exception' does NOT swallow task cancellation. Added an explicit comment explaining the contract so future readers don't repeat the analysis. We don't re-raise because the watcher loop intentionally treats dispose failures as best-effort: a failed dispose on an unowned adapter should not take down the watcher that's keeping the gateway alive. 4. _response_store = None after close in api_server.py — the reviewer flagged this for idempotency. Decided to keep the non-None state intentionally: setting it to None cascades to ~9 callers that access self._response_store without a None check, and 'close() is idempotent on a closed sqlite3 Connection' means the current code is already safe. The type stays stable; LSP doesn't flag a cascade of reportOptionalMemberAccess errors. (This matches the pre-existing pattern in the codebase — e.g. _mark_disconnected doesn't reset state to None either.) 5. _build_adapter_with_store: reviewer worried about disconnect() failing on the self.name property if __init__ wasn't called. Already handled: we set 'adapter.platform = Platform.API_SERVER' so the 'self.platform.value.title()' property returns 'Api_Server' without raising. The exception-swallowing branch in disconnect() does call self.name via the logger.debug format, so this is a real path that needs the platform attribute, and we have it. 6. test_disconnect_closes_response_store: bare 'pytest.raises(Exception)' -> 'pytest.raises(sqlite3.ProgrammingError)'. The bare Exception matcher would silently accept AttributeError, OperationalError, env-related issues, etc. The specific exception type ('Cannot operate on a closed database') is the actual signal we want — proves the SQLite conn is closed, not just that *something* raised. 7. test_nonretryable_failure_disposes_unowned_adapter: assertion tightened from '>= 1' to '== 1' on adapter._disconnect_calls. The docstring said 'exactly once', the assertion now matches. Catches the hypothetical 'watcher disposes the same adapter twice' regression that '>=' would have missed. * fix(desktop): address Copilot review on model picker - selectModel reports success; edits bail (and roll back) instead of landing on the previously active model when a switch fails - Fast toggle stays available to turn off a carried-over speed param even when the new model has no native fast mechanism - active row's "Fast" label derives from the same fastControl as the submenu toggle, so it's consistent and handles standalone `-fast` model ids * fix(node/nix): consolidate workspace lockfile + update all consumers Consolidate per-package package-lock.json files into a single root-level workspace lockfile. Update all consumers: - Nix: shared src/npmDeps/npmDepsHash in lib.nix; devshell hook stamps package.json paths then runs npm ci from root; individual .nix files use mkNpmPassthru attrs instead of per-package fetchNpmDeps. - Python CLI: new _workspace_root() helper so _tui_need_npm_install, _make_tui_argv, _build_web_ui resolve lockfile/node_modules from the workspace root. - Desktop: replace --force-build/mtime heuristic with content-hash build stamp (_compute_desktop_content_hash via pathspec). Remove --force-build flag. - Dockerfile: single root npm install; no per-directory lockfile copies. - CI: nix-lockfile-fix and osv-scanner reference root package-lock.json; apps/dashboard → apps/desktop. - Tests: new test_tui_npm_install.py; desktop stamp tests in test_gui_command.py; updated assertions in test_cmd_update.py, test_web_ui_build.py, test_dockerfile_pid1_reaping.py. - Docs: remove --force-build from desktop flag table. Deleted: apps/desktop/package-lock.json, ui-tui/package-lock.json, ui-tui/packages/hermes-ink/package-lock.json, web/package-lock.json. * refactor(uv): single managed-uv path, delete fts5 installer escalation Replace the multi-path UV resolution chain (PATH probing, conda guards, 5-location trust ordering, temp-dir fallback installs) with a single managed uv binary at $HERMES_HOME/bin/uv. Every code path that needs uv resolves it from that one location; if missing, ensure_uv() bootstraps it via the official standalone installer. Key changes: - New hermes_cli/managed_uv.py: managed_uv_path(), resolve_uv(), ensure_uv() (returns (path, freshly_bootstrapped) tuple), update_managed_uv(), rebuild_venv(), installer internals. - hermes_cli/main.py: replace all shutil.which('uv') with ensure_uv(), add venv rebuild on first-time managed uv bootstrap, update_managed_uv before dep install on all 3 update paths. - scripts/install.sh: install_uv() always installs to $HERMES_HOME/bin/uv; delete ensure_fts5, _python_has_fts5, _reinstall_python_with_fts5, _warn_no_fts5 (61 lines). Managed uv always installs current Python with FTS5. - scripts/install.ps1: Install-Uv always installs to $HermesHome\bin\uv.exe; Resolve-UvCmd checks managed location first. - hermes_state.py: simplified FTS5 warning now suggests 'hermes update' as the fix instead of blaming install method. - tests: 15 tests in test_managed_uv.py, autouse _patch_managed_uv fixture in test_cmd_update.py. Closes #37605, Closes #37622 * fix(tests): add _patch_managed_uv autouse fixture to uv-dependent test files Production code now uses ensure_uv()/update_managed_uv() from managed_uv.py instead of shutil.which("uv") directly. Tests that patched shutil.which to control uv availability no longer controlled the actual code path, causing CI failures. Add an autouse _patch_managed_uv fixture to test_update_autostash.py and test_uv_tool_update.py (matching the existing fixture in test_cmd_update.py). The fixture makes managed_uv functions delegate to shutil.which so existing test patches flow through naturally. * fix(desktop): write Dock tile as a file-reference URL The Dock stores persistent-apps as type-15 file:// URLs; the type-0/raw-path tile we wrote was silently dropped on the next Dock restart (so the pin never took, yet we'd stamped the marker and never retried). Use pathToFileURL + type 15 and flush prefs through cfprefsd before `killall Dock`. Verified end-to-end on a packaged build: move -> adopt -> Dock tile lands as file:///Applications/Hermes.app/. * fix(desktop): configure Linux Electron sandbox helper Electron's chrome-sandbox helper must be root:root 4755 on Linux or the sandboxed renderer aborts before the desktop app starts. The existing installer only searched for macOS .app bundles, so a successful Linux build was reported as missing. Changes: - Add _desktop_linux_sandbox_fixup() to hermes_cli/main.py, called before launching a packaged desktop app on Linux. - Use lstat() + S_ISREG check to reject symlinks — chown/chmod on a symlink target would set SUID on an arbitrary path. - Update install.sh to recognize Linux unpacked artifacts and configure chrome-sandbox with proper error handling (the original PR silently ignored chown/chmod failures). - Add regression tests: normal fixup flow, symlink rejection, and already-configured skip path. Closes #37529 (rebased, merge conflicts resolved, copilot review feedback addressed). * fix(desktop): inherit microphone entitlement for macOS helpers Add com.apple.security.device.audio-input to entitlements.mac.inherit.plist. Under hardenedRuntime the Electron Helper/Setup processes inherit this file, and the missing entitlement made macOS TCC deny the microphone with no prompt, breaking voice chat. Fixes #37718 * test(desktop): assert macOS device entitlements are inherited Pin #37718: the inherit plist must grant audio-input, every device.* entitlement on the main app must also be inherited by the Helper/Setup processes, and both entitlement files must stay valid plists. * fix(desktop): roll back optimistic model switch on failure selectModel snapshots the prior model/provider and restores the store + query cache when the backend switch fails, so the UI never shows a model the backend didn't actually select. * docs(desktop): sync marker schema comment + default dock note arg Address Copilot review: document the `adopted` flag and nullable `pinnedCommit` in the marker schema comment, and default `done(note = {})` so the dock-pinned marker write is unambiguous (object spread of undefined was already a no-op, but explicit is clearer). * fix(desktop): switch model on keyboard activation of picker rows The model row is a Radix sub-trigger (no onSelect), so switching was pointer-only. Wire Enter/Space alongside onClick so keyboard users can switch models too. * fix(dashboard): allow desktop websocket origins on remote binds * chore: add leonardsellem to AUTHOR_MAP for PR #37405 * fix: expand skill bundles in cron jobs * feat(cli): configurable default interface (cli vs tui) Add `display.interface` config key so users can make the modern TUI the default for bare `hermes` / `hermes chat` without exporting HERMES_TUI=1 in every shell. Default stays "cli" to preserve current behavior. Add a `--cli` flag (mirrors `--tui`) so an explicit invocation can force the classic prompt_toolkit REPL even when `display.interface: tui` is configured. Precedence (highest first): `--cli` > `--tui`/`HERMES_TUI=1` > config `display.interface` > classic REPL. Two resolvers enforce it: * `_resolve_use_tui(args)` — the args-aware resolver used by `cmd_chat` and the Termux fast-TUI path (uses full load_config()). * `_wants_tui_early(argv)` — a dependency-free early resolver used by mouse-residue suppression and the Termux fast paths, which run before argparse / hermes_cli.config are importable (minimal cached YAML read). Both `--cli` and `--tui` are registered via `_inherited_flag`, so they are carried across self-relaunch automatically. - config: add display.interface ("cli" default), bump _config_version 25->26. The generic missing-field migration + load_config() deep-merge seed the key for existing configs; no bespoke migration block needed. - docs: document --cli flag and display.interface in cli-commands.md and the TUI user guide. - tests: new test_default_interface_resolution.py covering resolver precedence at every layer, early resolver edge cases (missing/garbage config), parser flags, and relaunch inheritance. * fix(deps): refresh lockfile to clear 6 npm audit findings (#37752) * fix(deps): refresh lockfile to clear 6 npm audit findings Plain `npm audit fix` (no --force, no overrides) — every patched version was already in-range, so a lockfile refresh clears all findings without permanent override pins. Cleared: - tmp 0.2.5 -> 0.2.7 (path traversal, HIGH — GHSA-ph9p-34f9-6g65) - brace-expansion 5.0.5 -> 5.0.6 (DoS — GHSA-jxxr-4gwj-5jf2) - mermaid 11.14.0 -> 11.15.0 (4 advisories: GHSA-6m6c-36f7-fhxh, GHSA-xcj9-5m2h-648r, GHSA-87f9-hvmw-gh4p, GHSA-ghcm-xqfw-q4vr) npm audit: 6 vulnerabilities -> 0. package.json untouched. * fix(nix): bump npmDepsHash for refreshed lockfile Uses the hash fetchNpmDeps (the actual build fetcher) produces, which diverges from prefetch-npm-deps / nix run .#fix-lockfiles output for this lockfile. * fix(setup): default browser/TTS picker to free local backend, not paid Nous (#37800) The Browser Automation and Text-to-Speech provider pickers listed the paid "Nous Subscription" gateway row first, so on a fresh install the menu cursor defaulted to index 0 (Nous). Pressing Enter selected it and ran the inline Nous Portal device-code login — walking users into a paid offering they never chose. Reorder both provider lists so the free, no-key local backend is index 0 (Local Browser / Microsoft Edge TTS). Users who already configured Nous are unaffected: _detect_active_provider_index still resolves their active row first, so the cursor lands on Nous (now index 1) for them. Reported by Javier via Kujila. * fix(tui): clear selection on right-click copy + group transcript blocks Two TUI polish fixes. (1) Right-click copy now clears the highlight. The right-click handler copied an active selection via onCopySelectionNoClear (the copy-on-select variant that keeps the highlight during a drag) and never cleared it, so after right-click-to-copy the selection stayed lit with no confirmation and a follow-up right-click re-copied the stale range instead of pasting. A successful right-click copy now clears the selection and notifies; if the copy fails (no clipboard path) the highlight survives and we fall back to the right-click paste handler, exactly as before. (2) Group transcript blocks so boundaries read clearly. Model replies, reasoning/tool trails, and system/error notes rendered with no vertical separation, so distinct block types butted together and were hard to scan. Group adjacent blocks by kind: one blank line opens only where the visual group changes (model prose <-> reasoning/tool trails <-> notes), while a run of same-kind blocks renders flush. The rule lives in domain/blockLayout.ts (messageGroup + hasLeadGap) and is applied intrinsically in MessageLine via a `prev` prop, which fixes the things ad-hoc per-block margins kept breaking: - Streaming stability: the gap is derived from the stable predecessor, never the live block's own changing text, so the actively-streaming reply computes the same gap while it streams as the settled segment does once it flushes. No reflow/jump. - Transparent empty trails: a trail hidden by /details, or one carrying only a token tally (the finalDetails segment message.complete appends), renders nothing and is transparent to grouping (prevRenderedMsg skips it), so there are no floating gaps, no doubled gap after a prompt, and no padded space above the final reply. In the default/collapsed modes content-bearing trails always render, so the grouping is a no-op there. The virtual-height estimator counts the group-boundary line so scroll math stays accurate before Yoga remeasures. ui-tui/src/domain/blockLayout.ts (new), components/messageLine.tsx, components/streamingAssistant.tsx, components/appLayout.tsx, lib/virtualHeights.ts, app/useMainApp.ts. Tests: blockLayout.test.ts (grouping + hidden/empty-trail visibility), virtualHeights leadGap, app-mouse.test.ts copy behavior. Full ui-tui suite green apart from 3 pre-existing local/env failures (cursorDrift, ink-resize, virtualHeights user-prompt-width) unchanged from main. * fix(desktop): stop chat scroll jumping by disabling native scroll anchoring The thread renders virtualized turns in natural document flow with padding spacers, and @tanstack/react-virtual already adjusts scrollTop itself when an off-screen turn is measured and its real height differs from the 220px estimate. With the browser default `overflow-anchor: auto`, native scroll anchoring corrects that SAME size delta too, so the two double-correct and the view lurches — most visibly with Windows mouse wheels, whose coarse notches mount/measure several under-estimated turns per tick (Mac trackpads scroll ~1-3px/frame, keeping it sub-perceptual). Set `overflow-anchor: none` on the thread viewport so only the virtualizer compensates. Also adds `diag-scroll-reset.mjs`, a CDP wheel-up repro that A/B tests the anchor behavior at runtime to confirm the fix. * feat(desktop): clamp sticky human messages to ~2 lines until hover/focus Long user prompts stick to the top of the thread while the response streams beneath them, so a multi-line prompt could eat most of the viewport. Clamp the read-only human bubble's text to ~2 lines with a soft bottom fade; the clamp lifts on hover or keyboard focus, and clicking the bubble still opens the edit composer (which shows the full text). Short messages are untouched — no clamp, no fade. Overflow is measured on an unclamped inner wrapper so the ResizeObserver only fires on real content/width changes, not every frame while the outer max-height animates open; the measured height feeds --human-msg-full so expand/collapse animate to the true height instead of overshooting the cap. * fix(dashboard): trust non-web WS origins on OAuth-gated binds after ticket auth (#37870) Generalises #37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, #37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has…

…icket auth (NousResearch#37870) Generalises NousResearch#37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, NousResearch#37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has passed, the Origin guard adds nothing for a non-web origin. Collapsed the loopback/non-gated special cases to 'return True' for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged. Tests: gated file:///null/app:// now asserted ALLOWED; cross-site http(s) still rejected on gated and loopback binds; NousResearch#37747's loopback and non-loopback-insecure cases retained. 37/37 test_dashboard_auth_ws_auth + test_web_server_host_header pass.

The remote-gateway settings rendered the session-token box for every gateway during the idle/probing window before the first /api/status probe lands, because authMode defaults to 'token'. Gate both the OAuth sign-in button and the token box behind an authResolved flag so neither renders until the probe resolves the scheme (or a previously-saved remote config is being re-shown, so re-opening settings doesn't flicker). The gateway-side WS Origin fix that lets the packaged desktop (file:// origin) connect to an OAuth-gated remote gateway landed separately in NousResearch#37870; this branch is now purely the desktop client + this UI fix.

#69) * fix(tui): clear selection on right-click copy + group transcript blocks Two TUI polish fixes. (1) Right-click copy now clears the highlight. The right-click handler copied an active selection via onCopySelectionNoClear (the copy-on-select variant that keeps the highlight during a drag) and never cleared it, so after right-click-to-copy the selection stayed lit with no confirmation and a follow-up right-click re-copied the stale range instead of pasting. A successful right-click copy now clears the selection and notifies; if the copy fails (no clipboard path) the highlight survives and we fall back to the right-click paste handler, exactly as before. (2) Group transcript blocks so boundaries read clearly. Model replies, reasoning/tool trails, and system/error notes rendered with no vertical separation, so distinct block types butted together and were hard to scan. Group adjacent blocks by kind: one blank line opens only where the visual group changes (model prose <-> reasoning/tool trails <-> notes), while a run of same-kind blocks renders flush. The rule lives in domain/blockLayout.ts (messageGroup + hasLeadGap) and is applied intrinsically in MessageLine via a `prev` prop, which fixes the things ad-hoc per-block margins kept breaking: - Streaming stability: the gap is derived from the stable predecessor, never the live block's own changing text, so the actively-streaming reply computes the same gap while it streams as the settled segment does once it flushes. No reflow/jump. - Transparent empty trails: a trail hidden by /details, or one carrying only a token tally (the finalDetails segment message.complete appends), renders nothing and is transparent to grouping (prevRenderedMsg skips it), so there are no floating gaps, no doubled gap after a prompt, and no padded space above the final reply. In the default/collapsed modes content-bearing trails always render, so the grouping is a no-op there. The virtual-height estimator counts the group-boundary line so scroll math stays accurate before Yoga remeasures. ui-tui/src/domain/blockLayout.ts (new), components/messageLine.tsx, components/streamingAssistant.tsx, components/appLayout.tsx, lib/virtualHeights.ts, app/useMainApp.ts. Tests: blockLayout.test.ts (grouping + hidden/empty-trail visibility), virtualHeights leadGap, app-mouse.test.ts copy behavior. Full ui-tui suite green apart from 3 pre-existing local/env failures (cursorDrift, ink-resize, virtualHeights user-prompt-width) unchanged from main. * fix(desktop): stop chat scroll jumping by disabling native scroll anchoring The thread renders virtualized turns in natural document flow with padding spacers, and @tanstack/react-virtual already adjusts scrollTop itself when an off-screen turn is measured and its real height differs from the 220px estimate. With the browser default `overflow-anchor: auto`, native scroll anchoring corrects that SAME size delta too, so the two double-correct and the view lurches — most visibly with Windows mouse wheels, whose coarse notches mount/measure several under-estimated turns per tick (Mac trackpads scroll ~1-3px/frame, keeping it sub-perceptual). Set `overflow-anchor: none` on the thread viewport so only the virtualizer compensates. Also adds `diag-scroll-reset.mjs`, a CDP wheel-up repro that A/B tests the anchor behavior at runtime to confirm the fix. * feat(desktop): clamp sticky human messages to ~2 lines until hover/focus Long user prompts stick to the top of the thread while the response streams beneath them, so a multi-line prompt could eat most of the viewport. Clamp the read-only human bubble's text to ~2 lines with a soft bottom fade; the clamp lifts on hover or keyboard focus, and clicking the bubble still opens the edit composer (which shows the full text). Short messages are untouched — no clamp, no fade. Overflow is measured on an unclamped inner wrapper so the ResizeObserver only fires on real content/width changes, not every frame while the outer max-height animates open; the measured height feeds --human-msg-full so expand/collapse animate to the true height instead of overshooting the cap. * fix(dashboard): trust non-web WS origins on OAuth-gated binds after ticket auth (#37870) Generalises #37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, #37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has passed, the Origin guard adds nothing for a non-web origin. Collapsed the loopback/non-gated special cases to 'return True' for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged. Tests: gated file:///null/app:// now asserted ALLOWED; cross-site http(s) still rejected on gated and loopback binds; #37747's loopback and non-loopback-insecure cases retained. 37/37 test_dashboard_auth_ws_auth + test_web_server_host_header pass. * fix(desktop): inset sticky human messages with --sticky-human-top Pin user bubbles 0.75rem below the scroll top via a single token instead of flush top-0, so the sticky header doesn't sit hard against the thread edge. * chore: uptick * fix(desktop): drop sticky human clamp max-height transition * fix(desktop): restore sticky human clamp transition at 0.75s * chore: uptick * feat(desktop): custom zoom shortcuts at half default step Replace Electron's built-in zoomIn/zoomOut/resetZoom menu roles with custom implementations that use a 0.1 zoom-level step instead of Chromium's default 0.2. This makes Ctrl/Cmd + +/-0 zoom feel more granular and less jumpy. Also adds installZoomShortcuts() which intercepts the keyboard shortcuts via before-input-event. This is necessary on Linux/Windows where the application menu is set to null, so Chromium's default handler would otherwise apply the full 0.2 step. * fix(docker): seed gateway_state.json from HERMES_GATEWAY_BOOTSTRAP_STATE on first boot (#37896) On a fresh volume there is no gateway_state.json, so the boot reconciler (cont-init.d/02-reconcile-profiles) registers the gateway-default s6 slot but leaves it down — it only auto-starts when the last recorded state was "running". A freshly-provisioned container therefore comes up with the gateway down until something starts it (e.g. the dashboard's start button). Add a generic, first-boot-only env-seed in stage2-hook.sh (which runs before 02-reconcile-profiles): when HERMES_GATEWAY_BOOTSTRAP_STATE=running and no gateway_state.json exists yet, seed {"gateway_state":"running"} so the reconciler brings the supervised slot up on the very first boot. This mirrors the existing HERMES_AUTH_JSON_BOOTSTRAP pattern: it seeds the same state file the reconciler already consults, guarded by [ ! -f ] so persisted runtime state always wins on later boots (a deliberately-stopped gateway stays stopped across restarts). Only the literal "running" is honoured (the sole value in the reconciler's _AUTOSTART_STATES). Generic container contract — no host-specific code. Useful to any orchestrator that provisions a blank volume and wants the gateway up from first boot (the supervised gateway/dashboard already work on such hosts; only the first-boot autostart was missing because the CLI lifecycle commands can't drive the s6 layer when container self-detection misses). Adds a shell-level contract test and documents the env var. * fix(desktop): keep in-flight new chats from vanishing on refresh Creating several sessions in a row (Ctrl-N, type, send, repeat) and waiting for one to finish made the other still-running chats disappear from the sidebar. Root cause: a new session's first user message isn't flushed to the SessionDB until its turn is persisted, so the row's message_count stays 0 mid-response. `refreshSessions()` lists with min_messages=1 and then hard-replaces $sessions. Because every message.complete triggers a refresh, the moment one session finished, the others (still at message_count 0) were filtered out of the server page and dropped from the list. Fix: merge instead of replace. `mergeWorkingSessions()` preserves any session that is still in $workingSessionIds but absent from the server page, so concurrent new chats stay visible until their own turn persists. Optimistic deletes/archives already remove the row from the previous list, so a removed session can't be resurrected by the merge. * fix(desktop): label in-flight new chats with the first message The send path created the optimistic sidebar row with a null preview, so a new chat read "Untitled session" until its turn persisted and auto-title ran. With concurrent new chats now preserved across refreshes, several "Untitled session" rows could show at once. Seed the optimistic preview with the user's first message (the branch path already does this) so each in-flight row is labeled immediately. The server's own preview/title supersedes it once the turn persists. * fix(docker): point TUI launcher at prebuilt bundle via HERMES_TUI_DIR (#37923) The embedded dashboard Chat tab dies on hosted images with a 502 / "[session ended]": the PTY child's `hermes --tui` spawn runs a runtime `npm install` that fails. Root cause: the root package-lock.json describes the WHOLE npm monorepo workspace set (root + web + ui-tui + apps/*), but the image only installs root/web/ui-tui — apps/* (the desktop app) is never `npm install`ed here, and its deps hoist into the shared root node_modules. So the actualized node_modules permanently disagrees with the canonical lock, `_tui_need_npm_install()` returns True on every launch, and the runtime `npm install` it triggers (a) can never converge against the partial monorepo and (b) races itself across concurrent /api/pty connections -> ENOTEMPTY -> the launcher `sys.exit(1)`s, the slow install blows past Fly's WS-upgrade window -> 502 -> the browser shows "[session ended]". Fix: set `ENV HERMES_TUI_DIR=/opt/hermes/ui-tui` so `_make_tui_argv` takes the prebuilt-bundle fast path (`node --expose-gc /opt/hermes/ui-tui/dist/entry.js`) and never reaches the install check — exactly the nix/packaged-release path the launcher was designed for. The bundle is already built at Layer 8 (`ui-tui && npm run build`); this just tells the launcher to use it. Verified on a freshly-built image: HERMES_TUI_DIR is set, the prebuilt dist/entry.js is present, `_make_tui_argv` resolves to the prebuilt node invocation (no npm), and `docker run ... --tui` no longer prints "npm install failed". New regression guard: tests/docker/test_tui_prebuilt_bundle.py. A separate launcher hardening (make _tui_need_npm_install tolerant of partial-monorepo installs) is tracked independently; this Docker-side fix resolves the hosted-chat symptom on its own. Area: docker (Dockerfile + tests/docker). * fix(desktop): disable GPU acceleration on remote displays to stop flicker Users on remote/forwarded displays (SSH X11 forwarding, VNC, RDP, WSLg) reported the window flickering during scroll/streaming; nobody on native Windows/macOS ever saw it. Root cause: the app shipped with Chromium's default GPU hardware acceleration and no remote-display handling. Over a remote connection the GPU compositor can't present accelerated layers cleanly across the wire, so the surface flashes on repaint. Local sessions composite on the GPU and never hit it. Detect a remote display before app `ready` (detectRemoteDisplay in bootstrap-platform.cjs) and fall back to software rendering via app.disableHardwareAcceleration() + --disable-gpu-compositing. Software compositing is rock-steady over the wire and the CPU cost is negligible next to the connection's latency. HERMES_DESKTOP_DISABLE_GPU overrides detection both ways for VNC/screen-sharing setups we can't sniff or remote hosts that do have working acceleration. * fix(desktop): don't treat WSLg as a remote display WSLg renders Linux GUIs locally through a vGPU surface rather than shipping frames over the wire, so it doesn't show the remote-compositor flicker — confirmed by a WSL user seeing zero flickering. Drop the WSL branch from detectRemoteDisplay so WSLg keeps hardware acceleration; detection now covers only genuinely-remote displays (SSH X11 forwarding, VNC, RDP). The HERMES_DESKTOP_DISABLE_GPU override still works for anyone who does hit it. * fix(desktop): keep slash/@ completion menu navigable and Esc-dismissable The desktop composer's `onKeyUp` handler unconditionally re-ran `refreshTrigger` on every keyup, including the Arrow/Enter/Tab/Escape keys the open-trigger `onKeyDown` branch had already fully handled. Because `refreshTrigger` re-detects the trigger and resets the active index to 0, this produced two bugs in the `/` (and `@`) completion popover: - ArrowDown/ArrowUp moved the highlight on keydown, then keyup snapped it straight back to the top — so the user could never cycle past the first couple of items. - Escape closed the menu on keydown, then keyup re-detected the still-present `/` and immediately reopened it — so Esc appeared to do nothing. Fix: skip the keyup-driven refresh for the navigation/control keys while a trigger menu is open (they never edit text, so refreshing is pointless), and only reset the highlight in `refreshTrigger` when the detected trigger query actually changed. Applied to both the main composer (chat/composer/index.tsx) and the message-edit composer (assistant-ui/thread.tsx), which shared the same bug. New `shouldSkipTriggerRefreshOnKeyUp` helper is unit-tested. * fix(desktop): make Stop button actually interrupt when a turn is queued When a follow-up message is queued during a busy turn, the composer clears and the primary button switches back to the Stop affordance. But clicking Stop ran interruptAndSendNextQueued(), which cancelled the turn and *immediately* re-sent the head of the queue. The auto-drain effect (busy true to false) compounded this: any explicit cancel flipped busy false and re-fired the queue. The net effect was that Stop appeared to never interrupt -- the agent kept running on the queued prompt. Fix: - Stop button (busy + empty composer) now always performs a pure interrupt via onCancel(); it no longer hijacks the queue. - An explicit interrupt latches userInterruptedRef so the busy to false auto-drain skips exactly one drain. Queued turns are preserved and the user resumes them deliberately (Cmd/Ctrl+K, Enter, or the per-row send-now arrow), matching the documented Esc=cancel / Cmd+K=send-next affordances. - Extracted the settle decision into shouldAutoDrainOnSettle() with unit tests covering natural completion vs. explicit interrupt. * fix(desktop): stop background session messages bleeding into the active transcript A still-busy background session (one the user toggled away from) keeps emitting updateSessionState() heartbeats — stream deltas, and especially the 'session busy' prompt-rejection errors from auto-drained queued turns. Each call invoked syncSessionStateToView() unconditionally, staging that session's messages into the shared $messages view. flushPendingViewState() guarded against the wrong session reaching the view, but only one requestAnimationFrame is scheduled per frame and pendingViewStateRef holds just the latest writer. So within a single frame a background write could overwrite an already-pending foreground write, and the stale background transcript (e.g. the red 'session busy' rows) would render on top of whatever session the user switched to — appearing to 'bleed' into every session. Guard at the staging site: a session may only stage into the view when it is the currently-active session. Background sessions still update their own cache entry; they just never touch $messages. Pure render fix, no behavior change to queuing, interrupt, or drain. * fix(dashboard): authenticate server-spawned PTY child WS with a process-internal credential The embedded-TUI PTY child attaches to two server-internal WebSockets: /api/ws (its primary JSON-RPC gateway backend) and /api/pub (the event sidecar). Both URLs are built server-side in web_server.py and handed to the child via its environment. In OAuth-gated mode (auth_required=true, every hosted Fly agent), _ws_auth_ok unconditionally rejects the legacy ?token=<_SESSION_TOKEN> path — a leaked session token must not grant WS access once the gate is engaged. But _build_gateway_ws_url() still only emitted ?token=, with no gated-mode branch (its sibling _build_sidecar_url had been given a ticket branch; the gateway-url builder was missed). So the TUI child's /api/ws upgrade was rejected 4401 -> 'gateway websocket connection failed' -> 'gateway startup timeout', leaving the embedded chat unusable on every gated deployment. A single-use 30s browser ticket is the wrong shape for this link: the child reads its attach URL once at startup and reuses it on every reconnect, and on a slow cold boot it may not dial within the TTL. (_build_sidecar_url's own docstring already flagged this fragility.) Fix: add a process-lifetime, multi-use internal credential to dashboard_auth.ws_tickets (internal_ws_credential / consume_internal_credential), minted once per process and NEVER injected into the SPA — it only leaves the process via a spawned child's env, so browser-side XSS can't read it, and a leak grants no more than a ticket already does. _ws_auth_ok accepts it via ?internal= in gated mode only. Both _build_gateway_ws_url and _build_sidecar_url now use it, so the child can reconnect both sockets. Loopback / --insecure behavior is unchanged (still ?token=). Needs review: touches _ws_auth_ok + dashboard_auth (core auth surface). * test(dashboard): direct unit coverage for internal WS credential + docstring fix Follow-up to Ben's PR #37892. Adds a TestInternalCredential block to test_dashboard_auth_ws_tickets.py exercising the mint-once stability, multi-use, unminted-rejection, empty-value, wrong-value, reset-and-remint, and ticket-store-independence branches directly (previously only covered indirectly via _ws_auth_ok, which left the unminted and empty-value branches unexercised). Also corrects the consume_internal_credential docstring: the returned identity dict is discarded by the current _ws_auth_ok caller (which only needs the boolean outcome), so the prior 'carry it into its session log' wording over-promised. * test(desktop): real-DOM regression for slash/@ menu keyboard nav The existing slash-menu fix (PR #37937) shipped a unit test that drove the keydown reducer directly. It did not exercise the actual DOM event path — specifically the keyup-driven `refreshTrigger` that was the root cause — so it would not have caught a regression in that path. This adds a faithful @testing-library reproduction that mounts the real `useLiveCompletionAdapter` plus the index.tsx trigger wiring and fires real `keyDown` + `keyUp` event pairs on a contentEditable. It asserts: - ArrowDown cycles through ALL items (0,1,2,3,4,0,1), not just the first two - Escape closes the menu and keyup does not reopen it Reverting the fix (always-refresh keyup + unconditional setTriggerActive(0)) makes this test fail with the highlight stuck at the top — confirming it guards the real bug. * fix(desktop): stop Esc reopening the slash/@ menu; harden keyup guard Follow-up to #37937. That fix guarded the composer's keyup with `shouldSkipTriggerRefreshOnKeyUp(key, trigger !== null)`. The `trigger !== null` check is timing-fragile for Escape: Escape's *keydown* sets `trigger = null` and closes the menu, but in a real browser the *keyup* fires after a re-render, so the handler closure sees `trigger === null`, the guard returns false, `refreshTrigger` runs, re-detects the still-present `/` in the input, and instantly reopens the menu. (jsdom batches state synchronously so a unit test could not observe this -- only the running app does.) Replace the value-based guard with a `triggerKeyConsumedRef` set synchronously in keydown whenever the open popover consumes a nav/control key (Arrow/Enter/Tab/Escape). keyup consults and clears that ref, so it is immune to the keydown->re-render->keyup timing. Applied to both the main composer (chat/composer/index.tsx) and the message-edit composer (assistant-ui/thread.tsx). Removes the now-unused `shouldSkipTriggerRefreshOnKeyUp` helper and its unit test. The real-DOM regression test now fires keydown+keyup pairs through the ref-based handlers and asserts Esc closes and stays closed. Verified by running a production renderer build (Vite v8) under Electron against a local backend: ArrowDown/ArrowUp cycle the full list and Esc dismisses the menu without reopening. * chore: remove committed RELEASE_v*.md changelogs from repo root (#37855) These per-release changelog files are transient working files used only to feed `gh release create --notes-file` at release time; the GitHub Release itself permanently stores the published notes. They were never a build artifact (no package-data glob, no MANIFEST.in include, no CI reference) and don't belong in the tracked tree. - Delete all 15 (v0.2.0 through v0.15.1) - Add RELEASE_v*.md to .gitignore so an accidental `git add -A` can't recommit them The hermes-release skill is updated separately to write the changelog to /tmp/ for the whole release process and never stage it. * fix(windows): rip out unused submodule support in installer & docker & docs we have no submodules anymore, so #37702 was kinda right, but we can just delete it entirely. * fix(docs): remove remaining stale submodule references missed by #38089 (#38105) Follow-up to #38089. The merged PR removed --recurse-submodules from the installer, CI, and getting-started docs, but missed the same stale clause in: - CONTRIBUTING.md (Prerequisites table) - website/docs/developer-guide/contributing.md (table + clone command) - zh-Hans mirror of the developer-guide contributing doc git-lfs is kept in the Git requirement rows since it's a separate, real prerequisite. No .gitmodules has existed since the Atropos RL submodule was removed in #26106. * docs: explain remote-gateway session token for Hermes Desktop (#38144) The desktop Remote gateway field asks for a session token that Hermes never surfaces — by default web_server.py mints an ephemeral token per boot and injects it into the served HTML, so there is nothing in config.yaml, /gateway, or env to copy. Document that you pin it yourself via HERMES_DASHBOARD_SESSION_TOKEN, run the backend with --insecure (keeps the legacy token auth path instead of engaging the OAuth gate), then paste that value into the desktop app. - web-dashboard.md: new 'Connecting Hermes Desktop to a remote backend' section (backend + desktop steps, --insecure vs OAuth-gate nuance, HERMES_DESKTOP_* env override, Tailscale guidance, troubleshooting). - environment-variables.md: new 'Web Dashboard & Hermes Desktop' env-var table (HERMES_DASHBOARD_SESSION_TOKEN, HERMES_DESKTOP_REMOTE_URL/TOKEN, the OAuth and public-url vars) — none were previously documented. * feat(matrix): support bang command aliases * fix(matrix): make bang-command resolution robust + fix dead skill-command branch Follow-up to the salvaged contributor commit: - Underscore→hyphen tolerance now emits a resolvable token. Previously the detect set accepted the hyphenated variant but emit returned the raw token, so '!set_home' produced '/set_home' which the dispatcher could not resolve. Now emits '/set-home'. Aliases are left as-is — the gateway dispatcher canonicalizes them itself. - Fix dead skill-command branch: skill command keys are stored slash-prefixed (e.g. '/arxiv') in get_skill_commands(), but the check compared the bare token, so '!arxiv' never normalized. Now compares the '/candidate' form, making skill aliases (e.g. !gif-search) work. - Re-run bang normalization after Matrix reply-fallback stripping so a quoted reply whose content is a bang command reaches command parity with the slash form. - Replace silent 'except Exception: pass' with logger.debug(exc_info=True). - Add AUTHOR_MAP entry for @nepenth. Tests: +5 (underscore-alias, skill-command branch, quoted-reply bang + slash parity). 162 Matrix tests pass. * docs: add remote-backend section to the Desktop App page (#38180) The Desktop App page covered install, settings, and chat but not how to connect the app to a backend on another machine — the exact thing @PedjaDrazic asked about. Add a 'Connecting to a remote backend' section that explains the Session token is the dashboard token Hermes never surfaces (pin it via HERMES_DASHBOARD_SESSION_TOKEN + run --insecure), and link to the web-dashboard page for the full backend setup rather than duplicating it. Add a reciprocal link from the web-dashboard remote section back to the Desktop App page. * fix(cli): exclude desktop-managed backend from stale-dashboard kill Fixes #37532 * fix(desktop): pass live backend PID to in-app update so its own dashboard is spared The Python half (#37538) reads HERMES_DESKTOP_CHILD_PID to exclude the desktop-managed backend from _kill_stale_dashboard_processes, but nothing set it. applyUpdatesPosixInApp now passes the live backend PID in the `hermes update` env, completing the #37532 fix end-to-end. * chore: add bbednarski9 to AUTHOR_MAP for #29722 salvage (#38189) Co-authored-by: kshitijk4poor <kshitijk4poor@users.noreply.github.com> * docs: make the Desktop App remote-backend section self-contained (#38194) The section explained why the Session token is hidden but punted the actual setup steps to the web-dashboard page via a link — a bounce for someone on the Desktop App page trying to connect. Inline the concrete steps instead: backend command block (mint token -> .env -> hermes dashboard --insecure), the in-app Remote gateway steps, the env-var override, Tailscale guidance, and a troubleshooting list. Keep a short pointer to the web-dashboard page for the same setup from that angle. * fix(mcp): banner shows 'disabled' not 'failed' for enabled:false servers (#38204) get_mcp_status() treated every non-connected server as a failure, so a server configured with enabled: false rendered as red '— failed' in the startup banner even though it was intentionally off. Add a 'disabled' field derived from the enabled flag and render disabled servers dim as '— disabled' instead. * feat(debug): include desktop.log in hermes debug share / /debug / hermes logs (#38203) The Electron desktop app writes boot failures, backend spawn output, and Python tracebacks to HERMES_HOME/logs/desktop.log, but debug-share only captured agent/errors/gateway — so desktop boot issues never made it into shared debug reports. - logs.py: register desktop -> desktop.log (enables 'hermes logs desktop') - debug.py: capture desktop snapshot, add to summary report, upload full desktop.log in 'share', update privacy notice - gateway /debug inherits the desktop tail via collect_debug_report() - main.py + docs: help text and log-name table (also adds missing gui row) - tests: desktop seed in fixture, new report test, three_pastes -> four_pastes * fix(desktop): add @testing-library/dom as explicit dev dependency @testing-library/react@16 declares @testing-library/dom as a peerDependency and re-exports waitFor/fireEvent/screen/within from it. Without dom installed as a direct dependency, tsc -b fails with TS2305 in every test file that imports those names — which breaks the apps/desktop build during installer bootstrap (Hermes Setup → "INSTALL DIDN'T FINISH"). * chore: regenerate lockfile + map vladkvlchk for salvaged #36978 - Add @testing-library/dom to apps/desktop devDeps in package-lock.json so npm ci validates against the manifest change (contributor left the lockfile out of the PR intentionally). - Removes stale 'peer: true' flags now that dom is an explicit devDep. - AUTHOR_MAP: prostoandrei9@gmail.com -> vladkvlchk (CI author gate). * fix(nix): bump npmDepsHash for refreshed lockfile Lockfile regeneration invalidated the flake's pinned npm-deps hash. Hash taken from fetchNpmDeps' authoritative 'got:' line (the prefetch-npm-deps Diagnose helper reports a different, wrong value due to a fetcherVersion normalization discrepancy). * fix(desktop): stop chat scroll backward-jump from content-growth interim scrolls (#37997) The thread scroll-anchor hook in apps/desktop/src/components/assistant-ui/ thread-virtualizer.tsx was disarming sticky-bottom whenever scrollTop decreased by >1px between scroll events. That check was too eager: when content height grows mid-frame (virtualizer measurement of a newly visible turn, streaming token, Streamdown/Shiki re-tokenization, composer chip toggle), the browser emits an interim 'scroll' event whose scrollTop is smaller than the previous frame's because scrollHeight just jumped. The rAF-scheduled pinToBottom hasn't run yet, so programmaticScrollPendingRef is 0 and the disarm fired. With sticky-bottom disarmed the scroller stuck ~50px above bottom — the visible at-rest backward jump that #37997 describes (and the same root cause as the wheel-up variant in #37527). Fix: - Track scrollHeight per frame (lastHeightRef). Disarm on scrollTop decrease ONLY when scrollHeight did not grow this frame. Real upward user intent (scrollbar drag, keyboard PgUp, programmatic scrollIntoView) still disarms because it moves scrollTop without growing the content. Wheel-up and touchmove continue to disarm via their own listeners. - Stop observing the scroller element itself in the ResizeObserver; only observe its content child. Viewport-only resizes (window resize, devtools panel toggle) no longer trigger spurious pins, matching the intent of the auto-stick-to-bottom behavior. Verified: - apps/desktop `tsc -b` clean. - apps/desktop `vitest run src/components/assistant-ui/streaming.test.tsx` passes (9/9), including the existing wheel-up disarm regression test that asserts scrollTop stays at 420 after a wheel-up + content growth. * fix(desktop): honor upward wheel scroll in long threads * feat(dashboard): check-before-update flow on the System page (#38205) The dashboard's update button ran 'hermes update' immediately with no preview. Now the System page shows whether an update is available and asks the user to confirm before applying it. - New GET /api/hermes/update/check: reports install method, current version, and commits-behind (via banner.check_for_updates, 6h-cached; ?force=1 busts the cache). Soft-fails to behind=null on network error; marks docker/nix/homebrew as can_apply=false with the out-of-band cmd. - System page: update-status badge on the Hermes version row (latest / N behind), a Check-for-updates button, and an Update-now button that opens a ConfirmDialog showing the commit count before POST /api/hermes/ update fires. Cached status loads with the rest of the page. - Docs + 5 endpoint tests (git/up-to-date/docker/soft-failure + auth gate). * fix(tui): stop persisting full tool output in trail lines (silent OOM death) A heavy --tui session (browser snapshots, large tool outputs) silently OOM-killed the Node parent within minutes — closing the gateway child's stdin, which the user saw only as a bare "gateway exited" / stdin EOF. CLI was immune. Root cause: each completed tool's verbose trail line embedded up to 16KB of result_text, persisted in transcript Msg.tools[] for the whole session and rendered EXPANDED by default, so an Ink render-node tree was built for every one of up to 800 messages at once. That tree blew past Node's heap at a few hundred MB — far below the 2.5GB memory-monitor exit threshold, so the death was never even attributed. - text.ts: persisted verbose tool-trail blocks now cap to a small preview (VERBOSE_TRAIL_MAX_CHARS=800/12 lines), not the 16KB live-render budget. Retained trail strings drop ~17x (12.2MB -> 0.7MB at 800 msgs); the live streaming tail still uses the larger LIVE_RENDER budget. - tui_gateway/server.py: lower the gateway-side verbose text cap to match (1KB/16 lines) so we stop shipping output the TUI no longer renders. - memoryMonitor.ts: derive critical/high thresholds from the real V8 heap ceiling (~88%/70%) instead of the hardcoded 2.5GB that killed the process at 31% of an 8GB ceiling; add a one-shot onWarn early-warning on fast sub-threshold heap growth so the next such death is diagnosable, not silent. - entry.tsx: wire onWarn to a crash-log breadcrumb + stderr line. Full tool output is unchanged in the agent context and SQLite session — this is display/transport only, no behavior or context change. Fixes #34095. Related #27282. Tests: ui-tui text + new memoryMonitor suites (33 pass), python verbose-cap guard (5 pass); full ui-tui suite shows no new failures vs pristine main. E2E repro confirms the retention drop. * fix(kanban): don't permanently block tasks that hit a provider rate limit (#38223) A kanban worker that exhausted its retries purely on a provider rate limit / quota wall (e.g. opencode-go's 5-hour window) exited with code 1. The dispatcher counted that as a crash, and with DEFAULT_FAILURE_LIMIT=2 two quota-wall hits permanently blocked the card. Fanning out many workers against one shared quota made this routine. Now a rate-limited worker exits with EX_TEMPFAIL (75); the dispatcher classifies that as a 'rate_limited' exit, releases the task back to 'ready' WITHOUT incrementing consecutive_failures (the breaker can't trip on a transient throttle), and the respawn guard defers the next attempt on a cooldown (default 5min, HERMES_KANBAN_RATE_LIMIT_COOLDOWN_SECONDS) until the quota window clears. Genuine crashes still count and trip the breaker as before. The 120s Retry-After cap is unchanged — no worker parks for hours holding a slot. - conversation_loop.py: surface failure_reason in the exhaustion return - cli.py: kanban worker picks exit 75 on rate_limit/billing failure - kanban_db.py: rate_limited exit kind, no-count requeue, cooldown guard * feat(observability): observer-grade telemetry hooks + NeMo-Relay plugin Adds backend-neutral observer hooks for plugins: session, turn, API request, tool, approval, and subagent lifecycle events with stable correlation IDs (session_id, task_id, turn_id, api_request_id, tool_call_id, parent/child subagent ids). Extends VALID_HOOKS with api_request_error and subagent_start. Hot path is zero-cost when no plugin subscribes: has_hook()/presence checks gate all payload construction, request payloads are returned by reference when no middleware rewrites, and the sanitized response payload no longer embeds raw response objects. Bundles the optional NeMo-Relay observability plugin (plugins/observability/nemo_relay) as an in-repo consumer of the new hooks, peer to the existing langfuse plugin. Fails open when the optional nemo-relay package is not installed. Authored-by: Bryan Bednarski <bbednarski@nvidia.com> Salvaged from #29722 onto current main. * test: restore unrelated trailing newlines in cwd/tool-search tests The salvaged PR incidentally stripped a trailing blank line from two unrelated test files (test_file_tools_cwd_resolution.py, test_tool_search.py). Restore them to keep the salvage diff scoped to the observability feature. * perf(observability): gate tool-hook emit on has_hook; slim per-tool footprint The salvaged observer contract gated the API-request hot path on has_hook() but left the per-tool emit ungated: every tool call ran result-field derivation + payload dict build + invoke_hook dispatch even with zero plugins registered. - _emit_post_tool_call_hook now short-circuits on has_hook("post_tool_call") and derives status/error fields lazily (after the gate, only when a listener will consume them). status defaults to None -> derived; explicit blocked/cancelled callers still pass status through. - transform_tool_result emit (pre-existing hook) likewise gated on has_hook(); skips _tool_result_observer_fields when no listener. - Removed the now-redundant _tool_result_observer_fields pre-computation at the three ok-path call sites (model_tools, agent_runtime_helpers, tool_executor) — the helper derives them, so the no-listener path costs one dict lookup and the call sites shrink. - Tests: stub has_hook=True where payload correctness is asserted; add a no-listener regression proving post_tool_call/transform_tool_result emit is skipped when nothing is registered. * test: stub has_hook in transform_tool_result hook tests CI slice 3 caught that tests/test_transform_tool_result_hook.py monkeypatches invoke_hook but not has_hook, so the new has_hook("transform_tool_result") gate skipped the emit and the transform never ran. Stub has_hook=True in the shared _run_handle_function_call helper whenever a custom invoke_hook is supplied (the test intends hooks to fire). The no-hook-registered test keeps the real has_hook=False path — that's the gate's intended behavior. * fix(doctor): detect + repair stale HERMES_MAX_ITERATIONS .env ghost shadowing config.yaml (#38222) * fix(doctor): detect + repair stale HERMES_MAX_ITERATIONS .env ghost shadowing config.yaml hermes doctor now flags when ~/.hermes/.env carries a HERMES_MAX_ITERATIONS value that disagrees with agent.max_turns in config.yaml, and 'hermes doctor --fix' removes the stale .env line so config.yaml is authoritative. 'hermes config show' surfaces the same drift inline under Max turns. The setup wizard stopped dual-writing this value, but users who edited only config.yaml from a pre-fix install keep a .env ghost. The gateway bridge normally overrides it at startup, but if the bridge bails on any earlier config-parse error the ghost silently wins — config says 400 while the gateway activity line reads N/90. The detector reads the .env FILE directly (load_env), not get_env_value/ os.environ, since the startup bridge may already have overwritten os.environ with the config value. Closes #17534. * fix(config): stop offering HERMES_MAX_ITERATIONS as an editable env var Removes HERMES_MAX_ITERATIONS from OPTIONAL_ENV_VARS so the dashboard env editor (PUT /api/env) and any env-var prompt no longer let a user write it to .env — which would recreate the stale ghost that shadows config.yaml's agent.max_turns (issue #17534). The iteration budget is configured only via config.yaml; the env var stays a read-only backward-compat fallback in the gateway/CLI, never a promoted write target. Regression test asserts it is absent from OPTIONAL_ENV_VARS. * fix(install.ps1): handle dirty worktree on Windows update (#38239) Git for Windows defaults to core.autocrlf=true, which renormalizes the repo's LF-only text files to CRLF in the working tree. On a managed, never-user-edited clone this makes tracked files (.envrc, AGENTS.md, agent/*.py, workflows) show as locally modified, so the update path's bare git checkout aborts with 'Your local changes would be overwritten by checkout' and the desktop bootstrap fails at stage=repository. The bash installer already autostashes before checkout; the PowerShell path had no dirty-tree handling at all and never pinned autocrlf. Fix: (1) git reset --hard HEAD before fetch/checkout in the update path to discard any pre-existing dirt, and (2) pin core.autocrlf=false on both the update and fresh-clone paths so the dirt is never created again. * fix(install): require Node >=20.19/22.12 for the desktop build The "Build desktop app" install step failed with an opaque "exit code 1" on machines with an old Node, and nothing in the logs explained it. Reproduced: on Node 20.5.1, `npm run pack`'s `vite build` crashes with You are using Node.js 20.5.1. Vite requires Node.js version 20.19+ or 22.12+. SyntaxError: The requested module 'node:util' does not provide an export named 'styleText' Vite 8 (rolldown) imports node:util.styleText, which doesn't exist before Node 20.12, so the build dies before producing the app. The installer's check_node / Test-Node accepted ANY pre-existing Node with no version floor, so a too-old system Node was used for the build instead of the bundled Node 22. Add a version floor (^20.19 || >=22.12) to check_node (install.sh) and Test-Node (install.ps1): a too-old system Node is replaced with the Hermes-managed Node 22 LTS, and the desktop stage re-resolves Node so the build always runs on a satisfying version. Declare the same range in apps/desktop/package.json engines. Verified: build succeeds on Node 22, fails on 20.5.1 with the error above; the floor logic matches Vite's range across boundary versions (20.18/20.19, 21.x, 22.11/22.12). * feat(dashboard): enrich profiles dashboard and de-dupe channel env vars (#37872) * feat(desktop): enrich profiles dashboard and de-dupe channel env vars Add active-profile switching, role descriptions (manual + auto-generate via the auxiliary LLM), per-profile model selection, and gateway-running / distribution badges to the GUI Profiles page. New profile creation gains clone-all, optional description and model assignment. Hide messaging-platform credentials (channel_managed) from the Keys/Env page since the Channels page is the canonical surface for them, and relabel the trimmed "messaging" category as "Gateway". Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): address review feedback on profiles/env changes - ProfilesPage: scope the action-menu outside-click handler to the menu's own container via a ref so opening one card's menu no longer leaves others open. - EnvPage: route the "Gateway" label and hint through i18n (t.common.gateway / gatewayHint) instead of hard-coded English, with an English fallback for untranslated locales. - web_server: only report description_auto=true when auto-generation actually succeeded. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): address second-round review on profiles - ProfilesPage: treat describe-auto success by null-checking the description and trust the response's description_auto flag instead of assuming true; disable the model-editor Save button unless the selected choice resolves to a real /api/model/options entry (avoids silent no-op saves). - tests: cover the new profile endpoints (active get/set + 404, description round-trip + 404, model round-trip + 400 validation, and describe-auto success/failure contracts). Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): more profiles review fixes (toggles, races, tests) - ProfilesPage: use the canonical `active` returned by setActiveProfile; make the SOUL/description/model action-menu items toggle their editor closed when already open; guard description save/auto-describe against stale responses via an activeDescRequest ref so a late reply can't clobber a different open editor. - tests: assert /api/env channel_managed classification matches _channel_managed_env_keys(). Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com> * fix(tui): save TUI /save snapshots under Hermes home with system prompt (#38251) * fix(tui): save TUI /save snapshots under Hermes home with system prompt The TUI gateway's session.save RPC wrote hermes_conversation_<ts>.json to the workspace/project CWD via os.path.abspath(...) and only exported model and messages. This diverged from the classic CLI /save (which writes under the Hermes profile home) and from the dashboard save (which includes the system prompt). Write the snapshot under get_hermes_home()/sessions/saved/ and include system_prompt, session_id, and session_start so the TUI export matches the CLI and dashboard behavior. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(tui): prefer agent.session_start for /save export; assert it in test Address review feedback: derive session_start from the agent's session_start datetime (matching the classic CLI export) and fall back to the gateway session's created_at only when unavailable. Assert session_start in the regression test. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): self-update rebuilds and relaunches cleanly on macOS The macOS DMG / in-app update could leave Hermes unable to relaunch: the staged updater rebuilt the desktop without managed Node on PATH ("npm not found"), never installed the rebuilt bundle over the running app, and could race itself on `git stash`. Child install scripts also inherited a deleted cwd from the .app bundle replaced during self-update. - update.rs: prepend $HERMES_HOME/node/bin + venv bin to the rebuild PATH; read --branch / --target-app from args; add a macOS "install" stage that dittos the rebuilt bundle over the target app, clears quarantine, and relaunches via `open` (rolling back on a failed swap); guard start_update with an AtomicBool so concurrent startUpdate() calls can't race git stash. - main.cjs: pass --branch <configured> and --target-app <running bundle> to the staged updater, and spawn it with HERMES_HOME + managed Node/venv on PATH and cwd=HERMES_HOME. - bootstrap.rs: launch the desktop via `open <App>.app` on macOS instead of exec'ing Contents/MacOS/Hermes, avoiding cwd/quarantine issues post-rebuild. - powershell.rs: pin child install scripts to a stable cwd so they don't emit getcwd errors when the launching .app is replaced mid-install. - failure.tsx: in update mode show "Update didn't finish" / "Retry update" and retry via startUpdate() instead of re-running the installer bootstrap. * fix(desktop): dedupe clipboard image paste Chromium exposes the same pasted image on both DataTransfer.items and .files as distinct Blob objects, which attached twice. Prefer items and skip the files mirror when items already yielded images. * fix(installer): stop mislabeling stdout-style progress as stderr Both installers (Electron bootstrap-runner + Tauri) hardcoded a literal `stderr: ` prefix onto every line that arrived on fd 2. Tools like uv/pip/git/npm write normal progress to stderr by design, so routine install output showed up tagged as "stderr" (and rendered red in the Tauri progress UI), making a healthy install look like it was erroring. Carry the stream as structured metadata (`stream: 'stdout' | 'stderr'`) on the log event instead of mangling the line text. The UI now styles stderr subtly (dimmed) rather than alarmingly, and the persistent forensic logs keep their stdout/stderr distinction. * fix(dashboard): clamp PTY resize dimensions for WSL2 winsize garbage (#38200) * fix(dashboard): clamp PTY resize dimensions for WSL2 winsize garbage WSL2 reports columns=131072, rows=1 from a broken winsize probe. The dashboard /chat tab forwards xterm.js dimensions through PtyBridge.resize(), which packs them as unsigned short via struct.pack. 131072 > 65535 raised struct.error — uncaught (only OSError was handled) — breaking the resize path and leaving the TUI laid out for a one-row, absurdly-wide screen, which surfaces as blank/disappearing text. Clamp cols/rows to a sane [1, 2000]x[1, 1000] range before packing. Non-finite/non-integer probes fall back to the minimum so nothing can reach struct.pack and raise. * test(dashboard): de-flake pub/events broadcast test test_pub_broadcasts_to_events_subscribers round-tripped a frame through two nested Starlette TestClient WebSocket portals within a 10s wall-clock budget. Under heavy parallel CI load a starved ASGI thread occasionally blew that budget even though the server logic is correct, producing intermittent 'broadcast not received within 10s' failures. Drive _broadcast_event directly under asyncio with fake subscribers instead. Same fan-out contract (verbatim delivery to every subscriber on the channel, nothing to other channels), zero scheduling surface. Runs in ~0.3s, deterministic across 10 consecutive runs. * fix(gateway): decode schtasks output with locale encoding on Windows _exec_schtasks ran schtasks.exe with text=True but no encoding/errors, so localized Windows (e.g. Chinese) output in the console code page raised UnicodeDecodeError tracebacks from subprocess' reader threads during `hermes gateway status`. Decode with the locale's preferred encoding and errors="replace" so non-UTF-8 status output is read cleanly. Fixes #38172 * test(gateway): cover schtasks locale-safe decoding on Windows Assert _exec_schtasks passes an explicit encoding and errors="replace" to subprocess.run, and that _schtasks_encoding falls back to utf-8 when the locale lookup is empty or raises (#38172). * docs: remote desktop connect needs --tui on the backend (#38350) The Desktop App and Web Dashboard remote-connect instructions told users to start the backend with `hermes dashboard --no-open --insecure --host 0.0.0.0`, omitting --tui. Without --tui the embedded-chat WebSockets (/api/ws, /api/pty) are refused, so the desktop passes the /api/status health check and reports the backend "ready" — but chat never works because the socket is closed on connect. - Add --tui to both backend command blocks (with an inline why-comment). - Explain that the desktop chat runs over /api/ws + /api/pty and needs the embedded-chat surface enabled; a plain dashboard/gateway is not enough. - Add a troubleshooting entry for the exact symptom (connects, says ready, chat dead) on both pages. * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(installer): pass LogStream to emit_log calls from #38296 PR #38296 added four emit_log() calls using the old 3-arg signature, but main had already changed emit_log to take a `stream: LogStream` argument (#38312, "stop mislabeling stdout-style progress as stderr"). The two PRs touched different lines, so the merge auto-resolved with no conflict and left main unable to compile the bootstrap installer (E0061: 4 args expected, 3 supplied). Supply the missing stream: Stdout for the update/install progress lines and Stderr for the "could not auto-launch desktop" failure, matching the convention from #38312. cargo check passes. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(desktop): persist pins, reconnect after sleep, dedupe session search Four related desktop session-management bugs: - Pins lost until refresh: pinned sessions are joined against the paginated in-memory session list, so a pinned chat that aged off the most-recent page got evicted on the next refresh (every message.complete triggers one) and the Pinned section went empty. mergeWorkingSessions -> mergeSessionPage now also preserves pinned rows (matched by live id or lineage root). Pin id checks in the chat header, command center, and delete/archive are normalized to the durable sessionPinId so pins survive auto-compression. - Stuck on "Starting Hermes" after sleep: macOS sleep drops the renderer WebSocket; nothing reconnected on wake so the composer stayed disabled. The gateway boot hook now auto-reconnects with backoff on close/error and on wake signals (powerMonitor resume/unlock-screen IPC, window online, visibilitychange). connect() gains an open timeout so a hung reconnect can't deadlock in 'connecting'. Composer placeholder distinguishes "Reconnecting to Hermes" from a cold start. - Loses chats from itself: the same hard-replace that dropped pins also dropped loaded sessions; mergeSessionPage keeps them. - Multiple copies/branches in search: /api/sessions/search deduped only by raw session_id, so compression segments and branches surfaced as separate hits. It now dedupes by lineage root and returns the live compression tip, matching the session_search tool's behavior. * fix(desktop): guard reconnect sockets and keep branch search precise Avoid stale WebSocket events from an old reconnect attempt flipping the gateway state after a newer socket opens. Also limit session-search dedupe to compression edges so branch-specific hits still open the branch instead of collapsing to the parent. * fix(packaging): ship locales/ i18n catalogs in wheel, sdist, and Nix (#38383) * fix(packaging): ship locales/ i18n catalogs in wheel, sdist, and Nix locales/ is a bare data dir (no __init__.py), invisible to packages.find and package-data. Sealed installs (pip wheel, Nix store venv) dropped it, so gateway/CLI commands rendered raw i18n keys like gateway.reset.header_default. - pyproject: [tool.setuptools.data-files] locales = ["locales/*.yaml"] (wheel) - MANIFEST.in: graft locales (sdist) - agent/i18n._locales_dir: env override -> source -> sysconfig data scheme - nix/hermes-agent.nix: copy locales into the store + set HERMES_BUNDLED_LOCALES as defense-in-depth. The wheel's data-files already materialize into the uv2nix venv, so resolution works with no env var; the override pins the store path against a future uv2nix change that could drop data-files. - tests: metadata regression, wheel + sdist build-install smoke tests, and a bundled-locales flake check that verifies BOTH the wrapper override and the env-var-less data-files path. Smoke test wired into CI. Closes #23943, #27632, #35374. Supersedes #23966, #27716, #30261, #33841, #35429, #35494, #35735, #36697. * test: cap locale e2e timeout, tighten catalog count guard The two wheel/sdist e2e tests inherit the global --timeout=30 from addopts; a cold-CI run (isolated build env + venv create + network pip install) can plausibly exceed it. Add @pytest.mark.timeout(300) so they don't ride the unit-test budget and flake intermittently. Also assert the shipped catalog count equals len(SUPPORTED_LANGUAGES) instead of a hardcoded >=16 floor, so the guard self-updates and trips on a single dropped catalog (not just a fully-empty graft). * fix(installer): never brick the install when a self-update swap fails The macOS self-update bundle swap (install_macos_app_update, added in #38296) could leave the user with NO app installed. If moving the existing /Applications/Hermes.app aside failed, the code deleted the running app outright and set moved_old=false; if the subsequent move of the freshly built bundle into place then also failed, the rollback was gated on moved_old (now false) and skipped — leaving the target deleted with no replacement. Extract the swap into swap_in_new_bundle() with a strict invariant: on ANY failure path the target is left pointing at a working bundle (either the original, rolled back, or untouched) and is never deleted with no replacement. Also clean up the staged .hermes-update-new copy on the failure paths instead of orphaning it. Add unit tests covering the happy path, the rollback-on-install-failure path, and the catastrophic both-moves-fail path. The catastrophic-path test was verified to FAIL against the old code ("original app must NOT be deleted on failure") and pass against the fix. * test(installer): cover the post-update relaunch/install target derivation The macOS self-update relaunches and installs over the app it derives via resolve_hermes_desktop_app (.../Hermes.app/Contents/MacOS/Hermes -> .../Hermes.app). That derivation is load-bearing for both the ditto install target and the auto-relaunch (open <app>), but had no test. Add unit coverage: - resolve_hermes_desktop_app_finds_built_bundle: a fake built release tree resolves to the .app bundle on macOS (and the exe elsewhere). - resolve_hermes_desktop_app_is_none_without_a_build: no build => None. Verified the positive test FAILS if the .app parent-walk is wrong (e.g. one too few .parent() hops), so it's a real guard against a regression that would break the post-update relaunch target. cargo test -> 17 passed. * feat(cli): make `hermes portal` the human-readable Portal onboarding alias `hermes portal` (no subcommand) now runs the one-shot Nous Portal onboarding — OAuth login, switch provider to Nous, offer Tool Gateway — identical to `hermes setup --portal` and the human-readable alias for `hermes auth add nous --type oauth` (which still works). The prior status default moves to `hermes portal info`; `status` is kept as a hidden back-compat alias. `open`/`tools` subcommands are unchanged. User-facing hints and docs (status.py, conversation_loop 401 guidance, SystemPage, README, website docs + zh-Hans) now point at `hermes portal` / `hermes portal info`. `--manual-paste` references keep the explicit auth command since `hermes portal` does not expose that flag. * fix(setup): point Portal login-failure retry hints at `hermes portal` The two retry hints inside _run_portal_one_shot (shown when the OAuth login fails) still suggested `hermes auth add nous --type oauth`. Since this path backs both `hermes portal` and `hermes setup --portal`, point users at the new human-readable `hermes portal` for consistency. * fix(desktop): prevent IME Enter from splitting messages and viewport resize from disarming scroll anchor (#38333) * fix(desktop): prevent IME Enter from splitting messages and viewport resize from disarming scroll anchor Two fixes for the Hermes Desktop composer: 1. IME composition Enter was treated as message submission. When a Korean/ Japanese/Chinese IME is composing text and the user presses Enter to finalise the preedit, handleEditorKeyDown fired submitDraft() because it did not check event.nativeEvent.isComposing. The assistant-ui hidden textarea already guards this correctly; the custom contentEditable handler was missing it. Added an early return when isComposing is true. 2. Viewport resize (composer expand/collapse, window resize) was disarming the scroll sticky-bottom anchor. When the composer grows, the thread viewport shrinks, the browser adjusts scrollTop down to keep content visible, and the onScroll handler misread this as a user scroll-up. Added lastClientHeightRef tracking so the disarm condition now requires BOTH stable scrollHeight AND stable clientHeight before treating a scrollTop decrease as user intent. Fixes: random mid-message sends during IME typing; scroll jumps when the composer resizes or the window changes size. * fix(desktop): prevent virtualizer measurement adjustments from fighting scroll anchoring The virtualizer's measureElement callbacks trigger scroll adjustments when item sizes differ from estimates. These fight our ResizeObserver + pinToBottom loop, creating visible rubber-banding (view snaps to composer then jumps back up), even during idle. Three changes: 1. React.memo on VirtualizedThread to stop parent re-renders cascading 2. Shared stickyBottomRef so scrollToFn can check bottom state 3. scrollToFn override: skip adjustments when user is at bottom * fix(desktop): use stable useCallback ref instead of inline arrow for onBranchInNewChat The inline arrow `messageId => void branchInNewChat(messageId)` created a new function reference on every render. This cascaded through: desktop-controller → ChatView → Thread → useMemo([...onBranchInNewChat]) → new messageComponents object → VirtualizedThread receives new prop → React.memo overridden → virtualizer recalculates → measurement adjustments trigger scroll jumps at the 15-second useStatusSnapshot interval. Pass the already-useCallback'd branchInNewChat directly. * fix(desktop): use ctrlEnter submitMode on hidden textarea + gate ResizeObserver on isRunning Two root-cause fixes: 1. IME message splitting: The hidden ComposerPrimitive.Input textarea had submitMode='enter' (default), so any Enter keydown it received — even during IME composition — triggered form.requestSubmit(). Changed to submitMode='ctrlEnter' so only the contentEditable div (which correctly checks isComposing) handles plain-Enter submission. 2. Scroll jumps during idle: The ResizeObserver auto-follow loop was active even when the thread wasn't running, causing spurious pinToBottom calls whenever any layout shift occurred (browser reflow, font load, GPU cache eviction). Gated the ResizeObserver on thread.isRunning so auto-scroll only follows during active streaming. User messages still pin via useLayoutEffect, and thread.runStart still calls jumpToBottom. * fix(desktop): keep chat bottom anchor stable through idle layout shifts * fix(desktop): prevent code block shrink scroll bounce * fix(desktop): release bottom height lock on run completion * fix(desktop): keep streaming code blocks rendered * fix(desktop): keep bottom anchored through final render * fix(desktop): render streaming reasoning code blocks * feat(desktop): add subtle streaming block animations * feat(cli): make `hermes portal` run the full quick-setup Nous flow (model picker) `hermes portal` / `hermes setup --portal` previously logged in and set provider=nous but left the model UNSELECTED (blank -> runtime default) and never showed a picker — unlike the first-time quick setup, which runs the model picker. Route `_run_portal_one_shot` through `_model_flow_nous` — the exact same routine quick setup (`_run_first_time_quick_setup`) and `hermes model` -> Nous use. It handles both the logged-out path (device-code OAuth, which picks a model internally) and the logged-in path (curated Nous model picker), then offers the Tool Gateway opt-in and sets provider=nous. Net effect: `hermes portal` now offers a model picker every time and is a true single-command collapse of quick setup's Nous step. Removes the hand-rolled auth_add_command + manual provider write + separate Tool Gateway prompt (now a single source of truth). Re-syncs the in-memory config from disk afterward so a caller's later save_config can't clobber the model/provider written by the login flow. Docs (CLI help, portal_cli docstrings, nous-portal EN + zh-Hans) updated to mention model selection. New regression test asserts `_run_portal_one_shot` delegates to `_model_flow_nous`. Verified live: `hermes portal` now shows the 27-model curated picker, 'Skip (keep current)' preserves prior provider/model. * fix(cli): harden `hermes portal` SystemExit handling + finish model-pick doc sweep Self-review of #38465 surfaced three real items: 1. SystemExit escape (defense): `_login_nous` raises SystemExit(130)/(1) on cancel/failure. The logged-out login path inside `_model_flow_nous` catches it, but the expired-session re-login path (main.py) only catches Exception, so a Ctrl-C during re-auth could propagate past `_run_portal_one_shot` and kill the CLI. Add SystemExit to the portal handler so all cancel/abort cases end with the graceful 'Setup cancelled / retry later' message. 2. Doc sweep: the model-pick step was only added to the bare-`hermes portal` prose. Propagate it to the surfaces describing `hermes setup --portal` behavior that still omitted model selection: - `--portal` argparse help (main.py) - nous-portal.md intro + the numbered 'what it does' step list (EN + zh-Hans) - run-hermes-with-nous-portal.md 'default model after setup --portal' line, which was now contradictory (there's a picker, not a forced default) (EN + zh) 3. Test coverage: add parametrized regression test asserting the portal handler swallows KeyboardInterrupt / EOFError / SystemExit (returns None, no escape). Note on 'Skip (keep current)': delegating to _model_flow_nous means picking Skip preserves the prior provider instead of force-switching to nous — this is intentional and matches quick setup exactly; docs now say 'sets Nous as your provider (when you pick a model)' rather than unconditionally. * fix(packaging): modernize project.license to PEP 639 SPDX string (#38353) * fix(packaging): modernize project.license to PEP 639 SPDX string Drops the SetuptoolsDeprecationWarning ('project.license as a TOML table is deprecated') emitted on every editable build under setuptools>=77 by switching license = { text = "MIT" } to the SPDX string form plus an explicit license-files entry. Bumps build-system requires to setuptools>=77 so an older build backend can't reject the string form. The warning was non-fatal (builds succeed with it) but surfaces prominently in install.ps1 build-failure output, where it gets mistaken for the cause of unrelated Windows build_editable crashes. * fix(packaging): bound setuptools build requirement per supply-chain policy Add the <83 upper bound to setuptools>=77.0 so the dep-bounds supply-chain gate (>=floor,<next_major) passes. * fix(skills): document xurl X Article ingestion * fix(docker): bake hindsight-client into the image (#38128) (#38530) …

…icket auth (NousResearch#37870) Generalises NousResearch#37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, NousResearch#37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has passed, the Origin guard adds nothing for a non-web origin. Collapsed the loopback/non-gated special cases to 'return True' for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged. Tests: gated file:///null/app:// now asserted ALLOWED; cross-site http(s) still rejected on gated and loopback binds; NousResearch#37747's loopback and non-loopback-insecure cases retained. 37/37 test_dashboard_auth_ws_auth + test_web_server_host_header pass.

The remote-gateway settings rendered the session-token box for every gateway during the idle/probing window before the first /api/status probe lands, because authMode defaults to 'token'. Gate both the OAuth sign-in button and the token box behind an authResolved flag so neither renders until the probe resolves the scheme (or a previously-saved remote config is being re-shown, so re-opening settings doesn't flicker). The gateway-side WS Origin fix that lets the packaged desktop (file:// origin) connect to an OAuth-gated remote gateway landed separately in NousResearch#37870; this branch is now purely the desktop client + this UI fix.

* refactor(supermemory): session-level ingest + kebab aliases (salvaged from #32487) (#38756) * refactor(supermemory): session-level conversation ingest + kebab tool aliases Salvaged from #32487 (by @MaheshtheDev), rebased onto current main. - sync_turn now buffers cleaned turns; the full session is ingested once at session end / switch / shutdown via the conversations endpoint - ingest_conversation() accepts and forwards functional document metadata (type, session_id, message_count, partial) - register kebab-case tool aliases (supermemory-save/search/forget/profile) alongside the snake_case names - README + docs (EN/zh-Hans) updated for the simplified session model Source/vendor-attribution removed per project policy (no telemetry): dropped x-sm-source header, sm_source metadata, and sm_capture_mode tags. Preserved the post-branch atomic_json_write(mode=0o600) hardening that the PR's stale base had reverted. Updated provider tests for the new behavior and added maheshthedev@gmail.com to release.py AUTHOR_MAP. Co-authored-by: alt-glitch <balyan.sid@gmail.com> * feat(supermemory): restore x-sm-source for Spaces routing Reinstates x-sm-source: hermes (SDK default_headers + conversations POST) and sm_source: hermes document metadata. Per @Dhravya (Supermemory), this is a functional routing key, not telemetry: it groups Hermes writes into a dedicated "Hermes" Space in the Supermemory app so users can filter and bulk-manage memories per source agent. sm_capture_mode remains dropped (appears analytics-only; Spaces are routed by sm_source) pending confirmation. Adds README note + a unit test covering _merge_metadata sm_source stamping and legacy source->type migration. --------- Co-authored-by: Mahesh Sanikommu <maheshthedev@gmail.com> * feat(dashboard): `hermes dashboard register` for self-hosted OAuth client Adds a CLI command that registers this install as a self-hosted dashboard with the user's Nous Portal account, automating the manual browser flow on /local-dashboards. - New hermes_cli/dashboard_register.py: resolves a fresh Nous access token from auth.json (fast-fails with a `hermes setup` hint when not logged in), POSTs to {portal}/api/oauth/self-hosted-client, and writes HERMES_DASHBOARD_OAUTH_CLIENT_ID into ~/.hermes/.env idempotently. - Docker-style adjective_noun auto-naming; --name and --redirect-uri overrides. - Persists HERMES_DASHBOARD_PORTAL_URL only when non-default and unset (so a Vercel preview / staging portal sticks, prod default stays implicit). - Refuses in managed/hosted installs (the orchestrator stamps the client_id). - Post-register hint explains the OAuth gate only engages on a non-loopback bind. - Nested 'register' subparser leaves bare `hermes dashboard` unchanged. - 9 unit tests (name gen, fast-fails, POST shape, env writes, redirect URI, portal-URL persistence, 401/403 mapping); dashboard lifecycle tests still green. Depends on NousResearch/nous-account-service#324 (the portal endpoint). * fix(dashboard): honor --portal-url / HERMES_DASHBOARD_PORTAL_URL override in register The register command resolved the portal base URL purely from the stored login, ignoring any override. That meant `HERMES_DASHBOARD_PORTAL_URL` (and the absence of any flag) gave no way to point registration at a staging or preview portal — the request always hit the login's portal, returning 404 against a branch that wasn't deployed there. - _resolve_portal_base_url now takes an optional override (precedence: override > stored login portal > prod default). - New --portal-url flag; falls back to HERMES_DASHBOARD_PORTAL_URL env. - Documents that the access token must be valid at the overridden portal (it's minted by whoever you logged into). - 3 new tests for override precedence. Verified live against the PR #324 Vercel preview: CLI -> preview endpoint -> real agent:{id} client_id written to .env. * fix(dashboard): explain WHY a chat WS connection was refused (#38743) * Port from google-gemini/gemini-cli#21541: back up corrupted config.yaml When config.yaml fails to parse, load_config() silently falls back to DEFAULT_CONFIG and leaves the broken file on disk. If the user then re-runs the setup wizard or hermes config set (both rewrite config.yaml), their broken-but-recoverable overrides are lost for good. Adapts the policy-file recovery from gemini-cli#21541: on the first parse warning for a given broken file, snapshot it to config.yaml.corrupt.<ts>.bak (best-effort, symlink-guarded, size-deduped) and tell the user where it landed. Unlike Gemini's version we deliberately do NOT reset config.yaml to a clean state — hermes never silently mutates user config, and leaving it means a hand-fixed file is re-read on the next load. Tests: 3 new cases (backup created + content preserved + original untouched; same-size backup dedup; symlink not copied). E2E verified with isolated HERMES_HOME and a real tab-indented broken config. * fix(dashboard): explain WHY a chat WS connection was refused The embedded-chat PTY WebSocket (/api/pty) collapsed every rejection into a bare close code: 4401 for any auth failure, 4403 for three unrelated failures (host mismatch, origin mismatch, peer-IP). Neither the server log nor the browser said which gate fired or why, so a "chat won't connect" report was undiagnosable without a repro. Server (web_server.py): - _ws_auth_reason / _ws_host_origin_reason / _ws_client_reason return a short machine-parseable reason; old bool wrappers kept for callers/tests. - pty_ws splits the overloaded 4403 into 4401 (auth), 4403 (host/origin), 4408 (peer not allowed), 4404 (chat disabled), and sends the reason on the close frame (clamped to the 123-byte RFC6455 limit). - Each path logs one line: 'pty auth rejected reason=.. mode=.. cred=.. peer=..' / 'pty refused: <reason> ..'. Accepted path logs 'pty accepted peer=.. mode=.. cred=..' so an audit shows HOW a peer authed, not just that it did. tui_gateway/ws.py: - 'ws send/write failed' now logs error_type=<ExcName> so an exception whose str() is empty (closed-transport sends) no longer logs 'error='. web/src/pages/ChatPage.tsx: - console.warn the real close code + server reason on every close. - Map 4404/4408 to specific banners; 4401/4403 banners echo the server reason; [session ended] prints the close code. E2E verified all five reject paths + accepted path produce matching close code, wire reason, and server log line. * fix(dashboard_auth): allow any http:// host in redirect_uri fast-fail (#38827) The Nous dashboard OAuth login rejected any http:// redirect_uri whose host was not localhost/127.0.0.1, surfacing "redirect_uri may only use http:// for localhost/127.0.0.1" on the login screen. This broke self-hosted dashboards reached over plain HTTP — LAN IPs, internal hostnames, and reverse proxies that terminate TLS upstream. The Portal-side check (agent-redirect-uri.ts) is authoritative on which redirect_uris are permitted; this client-side _validate_redirect_uri is only a fast-fail for obvious operator error and should not second-guess valid http:// deployments. Fix: drop the localhost-only branch on the http scheme. Validation now enforces only that the scheme is http(s) and the path ends with /auth/callback. Updated the docstring to explain the relaxed contract, and replaced test_rejects_http_with_non_localhost (which pinned the old behavior) with test_allows_http_with_arbitrary_host covering a Fly hostname, a LAN IP, and an internal hostname. * feat(dashboard-auth): add pluggable password (non-redirect) login The dashboard auth gate was OAuth-only: a DashboardAuthProvider could authenticate only via a redirect to an IDP (start_login -> /auth/callback -> complete_login). There was no first-class path for username/password auth, so self-hosters who just want a password on their dashboard had no clean option short of an external OAuth IDP. Extend the provider framework with a parallel, non-redirect front door that converges on the same Session + cookie + refresh machinery: - base.py: add the optional supports_password flag and complete_password_login(username, password) -> Session (default raises NotImplementedError so an OAuth-only provider that forgets the flag fails loudly). Add InvalidCredentialsError. OAuth providers are unaffected (flag defaults False; the method is never called). - routes.py: add POST /auth/password-login, mirroring the cookie-minting tail of /auth/callback but skipping PKCE/state/code. Returns JSON {ok, next} (the form POSTs via fetch). Generic 401 for both unknown user and wrong password (no enumeration oracle); 404 hides whether a provider exists or supports passwords; per-IP sliding-window rate limit (10/min -> 429). /api/auth/providers now reports supports_password so the login page can branch. - middleware.py: allowlist /auth/password-login (a bootstrap route). verify/refresh/revoke/ws-tickets/logout need zero changes — a password session is just a Session with provider-minted opaque tokens. - login_page.py: render a credential form (instead of a redirect button) for supports_password providers, wired by a small inline script that POSTs to /auth/password-login and navigates on success. OAuth-only pages stay script-free. * feat(dashboard-auth): add BasicAuthProvider username/password plugin A bundled, zero-infrastructure 'just put a password on my dashboard' provider that uses the supports_password extension point. No external IDP, no database: sessions are stateless HMAC-signed tokens the provider mints and verifies itself, and passwords are hashed with stdlib scrypt (no third-party dependency — deliberately avoids bcrypt to keep the dep surface unchanged). - plugins/dashboard_auth/basic: BasicAuthProvider (scrypt verify with a constant-time dummy-hash path for unknown users so the endpoint is not a username-timing oracle; access/refresh tokens carry a 'kind' claim that verify/refresh enforce; cross-secret tokens are rejected). The register() entry point mirrors the Nous plugin's config/env precedence (env wins; empty treated as unset) and LAST_SKIP_REASON channel. - config.py: document the canonical dashboard.basic_auth.* surface (username / password_hash / password / secret / session_ttl_seconds). Activates only when username + (password or password_hash) are set, so OAuth users and loopback/--insecure operators are unaffected. Without an explicit secret a random per-process key is generated (logged): fine for a single process, but sessions then don't survive restart or span workers. * test(dashboard-auth): cover password login route, provider, and plugin - test_dashboard_auth_password_login.py: drives /auth/password-login end-to-end through the REAL gated_auth_middleware (login -> session cookie -> authenticated /api/auth/me -> transparent refresh via the RT cookie), plus protocol-extension checks, the generic-401/404 oracle properties, the rate limiter, and login-page rendering (form+script when supports_password, script-free otherwise, both for mixed providers). Reuses the existing StubAuthProvider harness convention. - test_basic_provider.py: scrypt hash/verify, login mint, kind-claim enforcement (access != refresh), cross-secret rejection, and the register() config/env precedence + skip reasons. Mutation-tested: dropping the kind-claim check in verify_session makes test_access_token_not_accepted_as_refresh fail, confirming the test isn't theater. * docs(dashboard-auth): document the username/password provider Add a 'Username/password provider (no OAuth IDP)' section to the web dashboard guide (config.yaml + env surfaces, the explicit-secret caveat, the rate-limit/generic-401 properties, and a 'write your own password provider' pointer to the supports_password extension point), and list the HERMES_DASHBOARD_BASIC_AUTH_* env vars in the environment-variables reference. * feat(desktop): dedicated Providers settings + polished Accounts/API-keys UX (#38551) * feat(desktop): dedicated Providers settings with Accounts/API-keys subnav Rework provider configuration in the desktop app into its own Providers page that mirrors the first-run onboarding picker, instead of burying provider keys in the generic Tools & Keys list. - Add a Providers settings page (providers-settings.tsx) reusing the onboarding picker cards/ApiKeyForm so the two surfaces stay identical - Add a sidebar subnav (Accounts vs API keys) backed by a deep-linkable `pview` URL param; nested OverlayNavItem variant for a lighter active state so children don't compete with the parent item - Scope provider search to the active sub-view in its native card format (no more accordion fallback); collapse the API-key grid to the top providers behind a "Show all" toggle to cut scrolling - Launch real in-app OAuth from settings via startManualProviderOAuth; fix the misleading red "reason" banner that showed during an active connect (neutral style, hidden during a flow, omitted for direct per-provider launches) - Expand PROVIDER_GROUPS and add longest-prefix matching so providers like xAI/Ollama group correctly instead of landing under "Other" - Drop redundant messaging API keys from Tools & Keys (channel_managed) Co-authored-by: Cursor <cursoragent@cursor.com> * feat(desktop): Cursor-style provider key list with inline inputs Replace the card-grid API-key form on the Providers page with a per-provider list (mirrors Cursor's API keys section): - One row per vendor with its primary key input inline; rows with extra vars (base URL, region, alt tokens) expand to reveal those on focus - Set keys show their redacted value as the placeholder; Save appears on edit, Remove on a set key - Hide redundant alias key fields (e.g. ANTHROPIC_TOKEN vs ANTHROPIC_API_KEY) unless already set, and label set aliases by env var name so they're unambiguous - Smaller mono input text + compact height Co-authored-by: Cursor <cursoragent@cursor.com> * style(desktop): flatten providers settings UI chrome Tighten the providers settings surface to match the newer desktop style: remove extra card rails/borders in API-key rows, reduce visual noise in the providers subnav, replace bespoke link-like controls with shared text-button variants, and improve key input readability. * feat(desktop): rework providers settings UI - Flatten the shared OAuth picker rows (accounts + onboarding): drop the rounded-2xl/border cards for flat hover-bg rows; Nous hero keeps a subtle tint plus an animated blue→purple arc border. - Key fields collapse to a single input: a set key reads read-only (redacted) and edits in place on focus/click — no Replace/Cancel chrome. Save on type, Esc cancels (without closing the overlay), "Remove or esc to cancel" hint. - Non-key overrides render boxless, content-sized (field-sizing) and right-anchored; advanced fields align under the primary key column. - Add `xs` control size; size fields via padding (no fixed heights). - Cards expand on key-input focus; chevron shows on hover/expanded; expanded state uses a ring + softer bg tier so hover ≠ focus. - Relocate "Get a key" to the bottom-right of the expanded panel; drop the redundant provider description. - Cmd+K: add Providers (accounts) and Provider API keys deep-links. * fix(desktop): flatten provider fields, drop input shadows, fix Cmd+K provider rank - KeyField: collapse to one stacked label-above-input form field (drop the bespoke `naked`/inline/column branches); empty advanced overrides fade until hover/focus/set - styles: kill the resting + focus drop shadow on shared input chrome so form inputs sit flat (composer keeps its own shadow) - Cmd+K: drop stray `providers` keyword from Skills & Tools so the Providers settings entry ranks first for "provider" * fix(desktop): nous portal arc blue → orange * fix(desktop): rank appearance above settings in Cmd+K --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: Brooklyn Nicholson <brooklyn.bb.nicholson@gmail.com> * desktop: OAuth-aware remote gateway connection The desktop remote-gateway settings now auto-detect whether a gateway authenticates with OAuth or a static session token and present the matching UI + connection mechanism. Detection: an unauthenticated GET {base}/api/status reads auth_required (true => OAuth, false => session token); /api/auth/providers supplies the provider label. The settings UI debounce-probes the entered URL and shows either a 'Sign in with <provider>' button or the session-token box. OAuth connection mechanism: - REST is authed by the HttpOnly session cookie held in a persistent Electron session partition (persist:hermes-remote-oauth); main-process REST routes through electron net bound to that partition so the cookie attaches automatically. - Login opens a BrowserWindow on {base}/login in that partition and resolves once the hermes_session_at cookie lands. - WebSocket upgrades use a single-use ?ticket= minted at POST /api/auth/ws-ticket (the gateway rejects ?token= in gated mode); getGatewayWsUrl() re-mints before every (re)connect since tickets are single-use and short-lived. - Missing cookie / 401 surfaces needsOauthLogin to prompt re-sign-in (Nous Portal contract v1 issues no refresh token). Local and token modes are unchanged. Pure helpers (URL normalize, ws-url token/ticket builders, auth-mode classify/resolve, cookie detector) are extracted to a standalone connection-config.cjs (no electron import) and unit-tested with node --test (26 tests), matching the backend-probes.cjs pattern. * fix(desktop): hide gateway auth control until probe resolves the scheme The remote-gateway settings rendered the session-token box for every gateway during the idle/probing window before the first /api/status probe lands, because authMode defaults to 'token'. Gate both the OAuth sign-in button and the token box behind an authResolved flag so neither renders until the probe resolves the scheme (or a previously-saved remote config is being re-shown, so re-opening settings doesn't flicker). The gateway-side WS Origin fix that lets the packaged desktop (file:// origin) connect to an OAuth-gated remote gateway landed separately in #37870; this branch is now purely the desktop client + this UI fix. * fix(desktop): don't fall back to a dead WS ticket on OAuth re-mint failure The reconnect and boot paths resolved the WS URL with `(await getGatewayWsUrl().catch(() => null)) || conn.wsUrl`. For OAuth gateways the cached conn.wsUrl carries a single-use, ~30s-TTL ticket; the desktop connection is memoized for the process lifetime, so on reconnect that ticket is both expired and already consumed. A failed fresh mint therefore fell back to a guaranteed-dead ticket and surfaced as an opaque "connection closed", masking the gateway's actionable "session expired, sign in again" message. Extract resolveGatewayWsUrl() (with unit tests): in OAuth mode a mint failure throws a tagged GatewayReauthRequiredError instead of falling back; token/local modes keep the long-lived-token fallback. Thread that error through the reconnect path so requestGateway surfaces the reauth message rather than the generic transport error that triggered the retry. Co-authored-by: Kenmege <205099287+Kenmege@users.noreply.github.com> * fix(test): expect 4404 close code for disabled embedded chat (#38841) PR #38743 split the dashboard PTY WebSocket refusal codes (4404 = chat disabled, 4403 = host/origin mismatch — see web_server.py refusal site comment) but left test_rejects_when_embedded_chat_disabled asserting the old 4403, so it has expected 4403 while the server sends 4404. Main CI has been red on test (2)/(4) shards since that commit. Update the assertion to 4404 to match the disabled-chat path. * feat(desktop): username/password login for remote gateways (#38851) Surface the username/password dashboard-auth provider in Hermes Desktop's remote-gateway connect flow. A password gateway gates the same way an OAuth one does (auth_required + session cookie + ws-ticket), so the desktop already drives it through the existing sign-in window; the only gaps were that the probe dropped supports_password and the UI always said "OAuth". - main.cjs: capture supports_password from /api/auth/providers in the probe. - global.d.ts: add optional supportsPassword to DesktopAuthProvider. - gateway-settings.tsx: derive isPasswordProvider; render a plain "Sign in" button + "username and password" copy instead of an OAuth provider label when every advertised provider is password-based. Login still flows through the gateway's /login credential form (POST /auth/password-login). * fix(update): don't fail desktop rebuild / skills sync on mid-rebuild venv (#38885) When 'hermes update' rebuilds the project venv (rmtree + uv venv on the first managed-uv migration), the desktop-rebuild and profile-skills-sync steps that follow both spawn sys.executable. Firing while the venv is mid-rewrite makes the child interpreter abort with the bare stderr line 'No pyvenv.cfg file', surfacing as a spurious 'Desktop build failed' / 'default: sync failed' on an update that actually succeeded. Add _wait_for_interpreter_venv_ready(): resolve the venv hosting sys.executable and poll briefly for pyvenv.cfg to (re)appear before each of those subprocess steps. No-op when the interpreter isn't venv-hosted. The desktop rebuild also retries once after re-waiting, and keeps streaming its output live (no capture). Best-effort throughout — callers proceed regardless, so a genuinely broken venv still surfaces the real error. * fix(desktop): re-mint OAuth WS ticket on gateway reconnect (#38886) attemptReconnect() connected with the stale cached conn.wsUrl. OAuth WS tickets are single-use with a ~30s TTL, so the first sign-in (which goes through boot() and re-mints via resolveGatewayWsUrl) succeeds, but every reconnect (sleep/wake, network online, window refocus, socket drop, app restart) reused a dead ticket and failed the WS upgrade with an opaque "Could not connect to Hermes gateway" — even though backend resolution (cookie + REST) reported ready. attemptReconnect now mints a fresh ticket before connecting, mirroring use-gateway-request.ts, and surfaces the reauth "sign in again" message once on OAuth expiry instead of silently looping backoff against a dead ticket. Local/token gateways are unaffected (re-mint is a no-op). * chore(desktop): silence Vite chunk-size warning for intentional single bundle (#38888) The desktop renderer is bundled as one chunk on purpose (codeSplitting: false) because Shiki's many dynamic chunks make electron-builder OOM scanning thousands of files. That makes the ~22 MB bundle expected, but Vite still nags with 'Some chunks are larger than 500 kB' on every build. Raise chunkSizeWarningLimit to 25000 kB so the cosmetic warning stays quiet while still firing as a regression alarm if the bundle grows well past today's size. Config-only; codeSplitting:false is untouched. * fix(desktop): surface command approval even when its tool is in a collapsed group (#38829) The desktop command-approval ApprovalBar renders inline inside ToolEntry, which lives inside ToolGroupSlot. When 2+ tools group, the group body is hidden until expanded, so an approval raised by a pending terminal/ execute_code call was buried behind "Tool actions · N steps" and required manual expansion to act on (sudo/secret were unaffected — they use modal overlays). ToolGroupSlot now subscribes to $approvalRequest and force-opens its body while an approval targeting one of its pending approval-eligible tools is in flight, so the inline controls surface with nothing expanded. The group reverts to the user's stored collapse state once the approval resolves. * fix(installer): symlink bundled node/npm into command bin dir for FHS root installs Root installs on Linux (FHS layout, #15608) put the `hermes` command in `/usr/local/bin` (on PATH) but symlinked the bundled node/npm/npx into `~/.local/bin`, which isn't on PATH for a stock root shell. `node`/`npm` were 'command not found' and `hermes dashboard` failed with 'npm is not available' because its build-on-demand fallback couldn't find npm. Fix: `install_node()` now symlinks into `get_command_link_dir()` — the same helper the `hermes` command link already uses — so node/npm/npx land wherever the command does (`/usr/local/bin` on FHS root, `~/.local/bin` otherwise, `$PREFIX/bin` on Termux). Non-root and Termux installs are unchanged. Also fixes: - `scripts/lib/node-bootstrap.sh`: adds `_nb_get_link_dir()` mirroring the same root/Termux/user logic for the standalone bootstrap path (used by `hermes update`, TUI node bootstrap, etc.) - `hermes_cli/uninstall.py`: `remove_node_symlinks()` now checks all candidate directories (`~/.local/bin`, `/usr/local/bin`, `$PREFIX/bin`) so root FHS uninstalls don't leave orphan symlinks Regression from #15608, which created the FHS path for the command but left `install_node` pointed at the legacy user-local dir. * fix(cli): erase live chrome on exit so it isn't stranded above the session summary Sets erase_when_done=True on the classic CLI's prompt_toolkit Application so the live bottom chrome (status bar, input box, separator rules) is wiped on exit instead of frozen into scrollback. Previously prompt_toolkit's render_as_done teardown repainted the chrome one final time and left it on screen (ESC[J only erases below the cursor, not the chrome above), so a dead status bar + empty prompt + rules were stranded between the conversation transcript and the 'Resume this session' summary, and stacked with the next session's UI on resume. erase_when_done routes teardown through renderer.erase() which wipes exactly the managed chrome region; the conversation transcript prints through patch_stdout into normal scrollback and is untouched. Applies to every exit path (/exit, /quit, EOF, Ctrl+C). Fixes #38252. * feat(dashboard): always enable embedded chat; remove dashboard --tui flag The dashboard's embedded Chat surface (/chat, /api/ws, /api/pty) was gated behind `hermes dashboard --tui` / HERMES_DASHBOARD_TUI=1. The desktop app and the dashboard's own Chat tab both drive the agent over the /api/ws + /api/pty WebSockets, so a dashboard started without the flag would pass the /api/status health check but slam the chat WebSocket shut with WS code 4403 — the app connects, reports "ready", and chat stays dead. This was the root cause behind multiple user reports of the desktop app failing to connect to a self-hosted gateway/dashboard, and it bit Docker and host installs alike. Make the embedded chat unconditional: - web_server.py: _DASHBOARD_EMBEDDED_CHAT_ENABLED defaults to True; drop the embedded_chat parameter and the runtime reassignment from start_server(). The WS gates still read the constant (now always true) so the seam — and its "rejects when disabled" contract test — stays meaningful. - main.py: remove the `--tui` argument from the dashboard subparser and the `embedded_chat = args.tui or HERMES_DASHBOARD_TUI==1` derivation. - web/: isDashboardEmbeddedChatEnabled() returns true unconditionally; drop the deprecated __HERMES_DASHBOARD_TUI__ alias and the dead LEGACY_TUI_RE scrape in the vite dev-token plugin. - apps/desktop/electron/main.cjs: drop `--tui` from the spawned dashboardArgs (it would now error with "unrecognized arguments: --tui") and the redundant HERMES_DASHBOARD_TUI env injection. - Docker: no s6 run-script change needed — the script never passed --tui; the HERMES_DASHBOARD_TUI env var is now simply a no-op, so the image works out of the box with no extra var. - Docs: remove every dashboard --tui / HERMES_DASHBOARD_TUI reference across the CLI reference, env-var reference, docker/desktop/web-dashboard guides, in-app tips, and the zh-Hans translations. The terminal `hermes --tui` / HERMES_TUI references are intentionally left untouched. Tests: 270 passing across web_server, dashboard lifecycle, host-header, auth-gate, and docker-override-scripts suites. * feat(dashboard-auth): add generic self-hosted OIDC provider Adds a bundled dashboard-auth provider plugin that authenticates the web dashboard against any conformant self-hosted OpenID Connect server (Authentik, Keycloak, Zitadel, Authelia, Auth0, Okta, Google, …) using standard OIDC — no per-IDP code. It's a pure drop-in plugin implementing the DashboardAuthProvider protocol; it touches no core auth/runtime/login paths. Mechanics: - OIDC discovery from {issuer}/.well-known/openid-configuration (cached; issuer pinned; endpoints required HTTPS, loopback http allowed for local-dev IDPs) - authorization-code + PKCE (S256), public client - verifies the OIDC ID token (RS256/ES256) against the discovered jwks_uri with iss/aud pinned to the configured issuer/client_id, and maps standard claims (sub/email/name/preferred_username, groups→org) onto a Session - standard refresh_token grant for silent re-auth; RFC 7009 revocation on logout when advertised Verifies the ID token (not the access token) because OIDC guarantees the ID token is a signed JWT carrying identity, while access-token format is opaque to the client per spec — the only universally-correct choice across self-hosted IDPs. Config via dashboard.oauth.self_hosted.{issuer,client_id,scopes} in config.yaml or HERMES_DASHBOARD_OIDC_{ISSUER,CLIENT_ID,SCOPES} env vars (env-wins-config, empty-is-unset — same convention as the nous plugin). Confidential clients (client_secret) left as a documented TODO seam. Docs: adds a Self-hosted OIDC section to the web-dashboard guide, including a copy-paste Keycloak worked example (realm import + docker run + dashboard wiring + login walkthrough). Tests: 65 cases covering construction, discovery (incl. issuer mismatch + https enforcement), start_login/PKCE, complete_login, ID token verification, refresh/revoke, and env/config precedence. * fix(dashboard-auth): don't abort verify chain on one provider's ProviderError The gated dashboard verifies a session cookie by trying each registered DashboardAuthProvider's verify_session in turn (the session cookie stores only the access token, not which provider issued it). A provider that doesn't recognise a token returns None; a provider whose IDP/JWKS is unreachable raises ProviderError. The loop used to return HTTP 503 on the FIRST ProviderError, before any later provider got a turn. With multiple providers stacked, that means an unreachable IDP for a session you didn't even use blocks login through a different, reachable provider. Concrete repro: a self-hosted-OIDC session hits the 'nous' provider first (registered earlier); nous tries to reach Nous Portal's JWKS, which is unreachable in a self-hosted deployment, so it raises — and the gate 503s before the 'self-hosted' provider can verify the token. Hit live while testing the new self-hosted OIDC plugin against a local Keycloak. Fix: a ProviderError from one provider is logged and the loop continues to the next. A 503 is returned only if NO provider verified the token AND at least one was unreachable — distinguishing a transient IDP outage (don't force a needless re-login) from a token that's genuinely invalid (fall through to refresh/relogin). Single-provider behaviour is unchanged. Tests: adds an _UnreachableProvider stub and three cases — unreachable provider first must not block a working second; all-unreachable still 503s; reachable-but-unrecognised falls through to 401/relogin (not 503). Mutation-tested: reverting the fix makes the first case fail with the exact 503 bug. * fix(tools): stop hermes tools reporting kanban as removed (#38918) The hermes tools save summary printed '- kanban' (and would print '+ kanban') for a platform even though kanban is never offered as a checklist option. kanban is a check_fn-gated toolset whose tools are a subset of the platform composite, so _get_platform_tools resolves it as enabled, but _prompt_toolset_checklist only renders CONFIGURABLE_TOOLSETS — so it can never survive into the returned selection. The added/removed diff (current_enabled - new_enabled) then surfaced kanban as removed. Scope the printed diff to the checklist's actual universe via the new _checklist_toolset_keys() helper at all three diff sites (first-install, all-platforms, per-platform). The persisted config is unaffected — _save_platform_tools already preserves non-configurable entries; this was purely a false-signal in the UI. * docs: remote desktop connect uses username/password, not --insecure + session token (#38926) The documented path for connecting Hermes Desktop to a remote backend was `--insecure` + a pinned HERMES_DASHBOARD_SESSION_TOKEN — an unauthenticated bind plus a copy-pasted token. Replace it everywhere with the bundled username/password dashboard-auth provider: set HERMES_DASHBOARD_BASIC_AUTH_*, run `hermes dashboard --host 0.0.0.0` (the non-loopback bind engages the auth gate), and Sign in from the app. - desktop.md: rewrite 'Connecting to a remote backend' for the user/pass + Sign in flow - web-dashboard.md: rewrite both remote-backend sections (overview + dedicated); reframe the auth-gate section so --insecure is a discouraged escape hatch, not a co-equal use case; drop the removed --tui flag from the systemd example - environment-variables.md: lead with HERMES_DASHBOARD_BASIC_AUTH_*; drop the session-token / HERMES_DESKTOP_REMOTE_TOKEN remote-connect entries - docker.md: mention the username/password provider as the simplest gate provider * fix(cli): clear screen on exit so live chrome isn't stranded in scrollback (#38928) The classic CLI left its live bottom chrome — the status bar, input box, and separator rules — frozen in terminal scrollback after exit, on every exit path (/exit, /quit, Ctrl+C, EOF) and on both Linux and Windows. The prior erase_when_done=True fix (bf82a7f1c) routes prompt_toolkit's teardown through renderer.erase(), but that walks back by the renderer's internal cursor model and does not reliably wipe the chrome in practice — users still saw a dead status bar + the rest of the session sitting above the resume summary. Clear the screen + scrollback directly at the single exit funnel instead. All exit paths converge on _print_exit_summary() (called from the run-loop finally block after app.run() returns and prompt_toolkit has restored terminal modes), so a new _clear_terminal_on_exit() helper runs there before the summary prints. It writes ESC[3J ESC[2J ESC[H (erase scrollback, erase screen, home cursor) on a real TTY, no-ops silently when stdout is not a terminal (pipes/redirects), and falls back to the platform clear command if the escape write fails. Works on Linux, macOS, and modern Windows terminals (Terminal/conhost with VT processing, already enabled by prompt_toolkit). The resume/goodbye summary now prints at a clean top-left with nothing stranded above it. Fixes #38252. * fix(gateway): bridge shared-key loop to nested platform config blocks The shared-key bridging loop (allow_from, require_mention, free_response_channels, …) read only the top-level yaml platform block (yaml_cfg.get(plat.value)). When a user configured a platform solely under ``platforms:`` or ``gateway.platforms:`` with no top-level block, the loop skipped that platform entirely and all bridged keys were silently dropped into PlatformConfig.extra — making allow_from, require_mention, etc. ineffective for nested-only configs. The apply_yaml_config_fn dispatch already received this same fallback in 44f3e51 to handle plugin adapters (e.g. Discord allow_from). The shared-key loop now mirrors it: if yaml_cfg.get(plat.value) is absent, fall back to gateway.platforms.<name> then platforms.<name>. The enabled field is deliberately excluded from the nested fallback (guarded by _cfg_toplevel): _merge_platform_map already merged it with the correct precedence, so re-applying it from a single nested source would overwrite the correctly-merged value. Two new regression tests assert that allow_from and require_mention configured under platforms.telegram and gateway.platforms.telegram are bridged into PlatformConfig.extra. All 54 existing config tests pass. * fix(memory): register parent packages for user-installed provider imports User-installed memory providers load under the synthetic _hermes_user_memory.<name> package, but the loader never registered that parent namespace in sys.modules (it only registers "plugins" and "plugins.memory" for bundled providers). As a result any external provider using a relative import failed to load: from . import config ModuleNotFoundError: No module named '_hermes_user_memory' The same gap in discover_plugin_cli_commands() meant an external provider's cli.py with a relative import could never be discovered, so the documented "hermes <plugin>" CLI integration did not work for standalone plugins. Register the synthetic parent namespace before loading user-installed providers, mirror it for cli.py discovery (including the per-provider parent package, without executing the plugin's __init__.py), and make _load_provider_from_dir() reuse only modules actually loaded from disk so a parent shell registered by CLI discovery is never mistaken for the loaded provider. Regressions cover: a flat provider with a sibling relative import, a provider with its implementation in a nested subpackage (including a namespace intermediate directory), cli.py discovery with a relative import, and provider load after CLI discovery ran first. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * chore(release): add AUTHOR_MAP entry for solaitken * fix(approval): gate perl/ruby -i in-place edits of Hermes config/env sed -i coverage for ~/.hermes/config.yaml and .env was added in #14639, but perl -i and ruby -i — which perform the same direct file mutation — were not covered. The existing perl/ruby pattern only catches -e/-c (code evaluation), not -i (file mutation), so: perl -i -pe 's/approvals.mode: on/approvals.mode: off/' ~/.hermes/config.yaml bypasses the approval gate entirely, letting the agent flip approvals.mode off mid-session via the mtime-keyed config cache reload. Add a single pattern mirroring the sed -i lines: `\b(?:perl|ruby)\s+-[^\s]*i` against both _HERMES_CONFIG_PATH and _HERMES_ENV_PATH. Three regression tests pin the new coverage. * fix(approval): catch perl/ruby -i as a separate flag token The salvaged pattern matched -i only inside the first flag token, so `perl -p -i -e '...' config.yaml` (the -i split out after -p) slipped through. Widen to match a -...i flag token anywhere in the args; still no false positive on `perl -e` code eval or config reads. Adds tests for the separate-token, backup-suffix, and read-safe forms. * fix(model_metadata): drop stale ≤256,000 cache entries for Grok-4.3 The ``grok-4.3`` (1M context) catalog entry was added on 2026-05-15 (ce0e189d3). Between 2026-04-10 (when ``grok-4`` at 256,000 was first added by b57769718) and 2026-05-15, grok-4.3 slugs resolved via the generic ``grok-4`` substring catch-all and that 256,000 value was persisted to context_length_cache.yaml. Users who first queried grok-4.3 in that 35-day window are stuck at 256K forever — the cache is read at step 1 before the hardcoded defaults in step 8, so the correct 1M entry is never reached. Mirror the existing Kimi/Codex/MiniMax-M3 stale-cache guards: add _model_name_suggests_grok_4_3() and an elif branch that drops any cached value ≤ 256,000 for a grok-4.3 slug so the next lookup falls through to the 1M hardcoded default. Adds 4 regression tests: helper unit test, stale-drop-and-re-resolve, correct-cache-preserved, and no-clobber for plain grok-4 (256K correct). * fix(vision): convert video_url blocks to Anthropic input_video format for MiniMax providers The video_analyze tool sends OpenAI-style 'video_url' content blocks, which breaks Anthropic-protocol providers (minimax, minimax-cn). These providers expect 'input_video' blocks with base64 data instead of data: URLs. Extends _convert_openai_images_to_anthropic() to also handle video_url blocks, converting them to Anthropic's input_video format when targeting Anthropic-compatible endpoints. Fixes #37219 * fix(vision): use MiniMax type="video" block (not input_video) + tests The salvaged conversion emitted type:"input_video", which MiniMax M3 rejects just like the original video_url block. Per MiniMax's Anthropic-compat docs, the video content block is type:"video" with an image-style source (base64 or url). Fixes the block type, converts URL-based videos too, and adds 4 video conversion tests (none shipped with the original PR). * fix(cli): launchd KeepAlive unconditional restart (#37388) Replace KeepAlive.SuccessfulExit=false dict with <key>KeepAlive</key><true/> so launchd restarts hermes-gateway on any exit, matching the documented drain-then-exit restart protocol used by --graceful-restart. * chore(release): map ashishpatel26 author email for salvage * fix(cron): decouple job dispatch from completion in tick() PR #13021 fixed serial starvation by adding ThreadPoolExecutor to tick(), but kept as_completed(timeout=600) which still blocks the ticker thread until the slowest job finishes. This causes the same starvation pattern: when one job runs long (15+ min), other jobs' next_run_at expires past the grace window and they get perpetually fast-forwarded instead of running. This PR decouples dispatch from completion: - Persistent ThreadPoolExecutor (reused across ticks, no auto-join) - Fire-and-forget dispatch: tick submits and returns immediately - Running-job guard: prevents re-dispatching active jobs - sync parameter: defaults to True (backward compatible), callers opt into sync=False for non-blocking behavior - atexit shutdown handler for clean pool teardown - gateway/run.py: production ticker opts into sync=False Refs #33315 (complementary — that issue's PRs fix grace handling in jobs.py; this PR prevents the grace from expiring in the first place) * fix(cron): make sequential jobs non-blocking too + sweep MCP after jobs finish Follow-up on the parallel-dispatch decoupling: the sequential pass for workdir/profile jobs still ran inline in the ticker thread, so a long workdir/profile job reintroduced the exact starvation #37312 describes, just for env-mutating jobs. And the MCP orphan sweep ran immediately after dispatch in sync=False mode — before jobs finished — defeating its own 'runs after every job' contract and racing jobs still spawning MCP children. - Sequential jobs now queue to a persistent single-thread cron-seq pool (preserves one-at-a-time ordering across ticks, never blocks the tick). - Same in-flight dedup guard now covers sequential jobs. - MCP orphan sweep runs via a done-callback after the LAST dispatched job completes in async mode; inline after as_completed in sync mode. Verified E2E: tick(sync=False) returns in ~1ms with a 1.5s sequential job in flight; sweep fires only after that job ends. * fix(auth): set active_provider after hermes auth add google-gemini-cli hermes auth add google-gemini-cli called pool.add_entry() but never wrote to providers["google-gemini-cli"] or set active_provider in auth.json. _model_section_has_credentials() checks get_active_provider() first; with active_provider unset and no api_key_env_vars configured for oauth_external providers, the setup wizard reported "No inference provider configured" even after a successful OAuth login. Add _mark_google_gemini_cli_active() in auth.py: writes a minimal provider state entry (email for display only) and calls _save_provider_state() to set active_provider. The function deliberately does not copy access_token or refresh_token — those are managed by agent.google_oauth in the Google credential file and must not be duplicated in auth.json where they would become stale. pool.add_entry() is retained so "hermes auth list" continues to show the entry. Runtime credential resolution continues to use agent.google_oauth directly. Mirrors the fix applied to openai-codex (#37517) and xai-oauth (#37576). * fix(desktop): remove session search aux model * chore: add scubamount to AUTHOR_MAP for salvaged PR #37616 * fix(auth): use _save_xai_oauth_tokens in auth_commands to set active_provider hermes auth add xai-oauth called pool.add_entry() directly, writing only the credential-pool entry (source "manual:xai_pkce") without touching providers["xai-oauth"] or setting active_provider in auth.json. _model_section_has_credentials() checks get_active_provider() first; with active_provider unset and no api_key_env_vars configured for oauth_external providers, the setup wizard reported "No inference provider configured" even after a successful OAuth login. Use _save_xai_oauth_tokens() — the canonical path already called from the hermes model xAI login flow — which writes providers["xai-oauth"]["tokens"] (setting active_provider) and lets _seed_from_singletons seed the pool with a "loopback_pkce" entry on the next load_pool() call. Mirrors the fix applied to openai-codex in #37517. * fix(minimax): align default_aux_model with M3 frontier on minimax + minimax-cn The minimax / minimax-cn / minimax-oauth profiles still advertised M2.7 (and M2.7-highspeed for OAuth) as their default_aux_model, predating the M3 release (2026-06-01). The user-facing _PROVIDER_MODELS['minimax'] catalog top entry is M3, and the recommended config for a Token-Plan install now sets model.default: MiniMax-M3, so the aux default was the only remaining drift. Updates: * minimax default_aux_model: M2.7 -> M3 * minimax-cn default_aux_model: M2.7 -> M3 * minimax-oauth default_aux_model: M2.7-highspeed -> M2.7 (M3 is not on the OAuth / Coding Plan tier per platform docs as of this PR; the highspeed variant was the 2x-cost regression from #4082 that PR #6082 collapsed to plain M2.7 for minimax / minimax-cn but missed OAuth) * agent/auxiliary_client.py: drop the three legacy _API_KEY_PROVIDER_AUX_MODELS_FALLBACK entries for the minimax family. _get_aux_model_for_provider() reads from ProviderProfile.default_aux_model first (line 250) and only falls back to the dict when the profile has no aux model or the profile import fails. With the profile now set, the dict entries are dead code and a drift hazard. Mirrors the deepseek cleanup in 773a0faca. * tests/agent/test_minimax_provider.py: update the existing TestMinimaxAuxModel assertions from MiniMax-M2.7 to MiniMax-M3 (the intent — 'standard, not highspeed' — is unchanged; the pin value is). * tests/plugins/model_providers/test_minimax_profile.py: new file mirroring tests/plugins/model_providers/test_deepseek_profile.py. Pins each of the three profiles' default_aux_model and asserts _get_aux_model_for_provider() returns it. A second class guards against the highspeed regression coming back. Refs: - Closes #36196 in spirit (M3 support — the catalog half of that issue is #36212; this PR covers the profile half) - Related: #4082 (M2.7-highspeed 2x-cost), #6082 (previous M2.7-highspeed -> M2.7 fix that missed OAuth + the auxiliary_client.py fallback dict) - Pattern: 773a0faca (same profile-layer fix for deepseek) * fix(minimax): update AUTHOR_MAP entry + test_minimax_oauth_aux_model_registered Two follow-ups to the M3 default-aux-model PR (#37664): 1. AUTHOR_MAP entry: add fearvox1015@gmail.com -> Fearvox so the check-attribution CI job recognises Nolan's real contributor email. The previous run of the attribution check on #37664 failed because the commit was authored as nolan@0xvox.com (wrong local git config) which isn't in AUTHOR_MAP. The commit itself is now re-authored to fearvox1015@gmail.com so both the per-commit check and the AUTHOR_MAP lookup pass. 2. tests/hermes_cli/test_api_key_providers.py::TestMinimaxOAuthProvider ::test_minimax_oauth_aux_model_registered was pinning the aux model in the legacy _API_KEY_PROVIDER_AUX_MODELS dict, which the PR correctly removed (mirrors the deepseek cleanup in 773a0faca). The test now asserts the new world order: the aux model comes from ProviderProfile.default_aux_model on the minimax-oauth profile, not the fallback dict. This is the same pattern that the profile-layer deepseek fix introduced. * polish(minimax): address Copilot review comments on M3 default-aux fix Three Copilot inline review comments on #37664, two worth landing in a polish pass before merge: 1. auxiliary_client.py:270 — Copilot suggested keeping the minimax-* entries in _API_KEY_PROVIDER_AUX_MODELS_FALLBACK as a safety net for environments where the profile-based resolution can't import or run plugin discovery. **Declined.** The deepseek precedent (commit 773a0faca) explicitly removed deepseek from the same dict for the same reason — the profile layer is the source of truth and the dict is a legacy pre-profiles-system fallback. We do not want to fragment the codebase by provider: either the profile layer is authoritative or the dict is. The minimax PR picks profile (matching deepseek) and the dict stays cleaned up. The risk Copilot raises is real but theoretical — plugin discovery runs at import time of the providers module, which is the first thing any modern Hermes entrypoint imports. 2. tests/agent/test_minimax_provider.py:162 — Copilot flagged that the test class relies on _get_aux_model_for_provider() resolving via provider profiles but doesn't explicitly trigger plugin discovery. **Fixed.** Added 'import model_tools # noqa: F401' at the top of both test_minimax_aux_is_standard and test_minimax_aux_not_highspeed. The fixtures in the parallel test_minimax_profile.py already did this; the legacy test in test_minimax_provider.py was order-dependent and would silently break if anyone reorganised the test ordering. Pinned the dependency explicitly so the test is order-independent. 3. tests/plugins/model_providers/test_minimax_profile.py:46 — Copilot flagged that the docstring referenced a hard-coded line number 'hermes_cli/models.py:298' that would go stale. **Fixed.** Replaced with the symbol reference 'hermes_cli.models._PROVIDER_MODELS[\'minimax\']' which is stable under file edits and grep-friendly. The new docstring also reads more naturally — readers don't have to look up 'what's at line 298' to follow the reasoning. All 221 minimax-related tests still pass. * fix(gateway): retry startup auto-resume when a failed platform reconnects * docs(wecom): stop implying live streaming and typing support (#38990) The WeCom adapter delivers each response as a single complete message via aibot_respond_msg / aibot_send_msg — it does not stream tokens incrementally (no edit_message override) and send_typing is a no-op. Reword the 'Reply-mode streaming' feature bullet to 'Reply correlation', retitle the section to 'Reply-Mode Responses', and add a note clarifying that neither token streaming nor typing indicators are supported. * fix(auth): set active_provider after hermes auth add qwen-oauth hermes auth add qwen-oauth called pool.add_entry() but never wrote to providers["qwen-oauth"] or set active_provider in auth.json. _model_section_has_credentials() checks get_active_provider() first; with active_provider unset and no api_key_env_vars configured for oauth_external providers, the setup wizard reported "No inference provider configured" even after a successful Qwen CLI OAuth login. Add _mark_qwen_oauth_active() in auth.py: writes a minimal provider state entry (base_url for display only) and calls _save_provider_state() to set active_provider. The function deliberately does not copy the api_key — that lives in the Qwen CLI credential file managed by _save_qwen_cli_tokens / resolve_qwen_runtime_credentials and must not be duplicated in auth.json where it would become stale. pool.add_entry() is retained so "hermes auth list" continues to show the entry. Runtime credential resolution continues to use resolve_qwen_runtime_credentials. Mirrors the fix applied to openai-codex (#37517) and xai-oauth (#37576). * docs(guides): Run Nemotron 3 Ultra free in Hermes Agent (launch guide) (#38769) * docs(guides): add "Run Nemotron 3 Ultra free in Hermes Agent" launch guide Day-0 NVIDIA Nemotron 3 Ultra availability on Nous Portal (free June 4-18, in partnership with NVIDIA + Nebius). Quick Setup walkthrough for selecting the nvidia/nemotron-3-ultra:free tier, plus switching/troubleshooting notes. Registered at the top of Guides & Tutorials. * docs(guides): reword Nemotron lead-in to match launch copy Frame as Nemotron Coalition induction (working with NVIDIA) + Nebius partnership for the free tier, rather than a direct NVIDIA partnership, to avoid overstating the relationship. * docs(guides): lead Nemotron guide with desktop app, CLI second Add a one-click desktop-app install track (download → Nous Portal recommended sign-in → pick the Free-tier nemotron-3-ultra model) as the recommended path for non-terminal users, and keep the CLI curl flow as Option B. Update switching/troubleshooting to cover both surfaces. * fix(gateway): guard kanban dispatcher against malformed config and empty summaries Two error handling gaps in the gateway kanban dispatcher: 1. float() on dispatch_interval_seconds crashes with ValueError if the config value is a non-numeric string. Wrap in try/except and fall back to the default 60-second interval with a warning log. 2. splitlines()[0] on payload_summary and task.result raises IndexError when the string is whitespace-only (truthy but strip() produces empty string, splitlines() returns []). Guard with a check on the lines list before indexing. * fix(update): harden venv rebuild + verify core deps after install Two complementary fixes for a silent partial-install failure that bit ``hermes update`` in the wild: a fresh checkout pulled 145 commits, ``rebuild_venv`` failed to recreate the venv on Windows because ``shutil.rmtree(ignore_errors=True)`` couldn't delete files held open by the running ``hermes.exe`` shim. ``uv venv`` then refused with "A directory already exists at: venv" and the update fell back to installing on top of the stale venv. The resulting partial install missed exactly one newly-added base dep — ``pathspec==1.1.1`` — which ``hermes desktop --build-only`` imports at the top of its content-hash check. The desktop rebuild died with ModuleNotFoundError and the parent update only logged "⚠ Desktop build failed (non-fatal)". Same root cause made the "default: sync failed" line in the skill-sync stage, because that sync subprocess hit the same missing import. Fix 1: ``rebuild_venv`` retries with ``--clear`` ------------------------------------------------ If ``uv venv`` fails with "already exists" in stderr (which is what uv prints, and what uv's own hint tells you to fix with --clear), retry once with ``--clear``. Only this specific failure pattern triggers the retry — disk-full / interpreter-download failures still surface as before so we don't mask real problems. Fix 2: post-install dep verification ------------------------------------ Belt-and-suspenders so future uv resolver quirks (or any other cause of partial installs) surface immediately instead of hours later in a downstream subprocess. After ``_install_python_dependencies_with_optional_fallback`` runs, ``_verify_core_dependencies_installed``: 1. Reads ``[project.dependencies]`` straight from pyproject.toml (so we don't trust the venv's stale metadata). 2. Filters by environment markers via ``packaging.requirements.Requirement`` so cross-platform exclusions (``ptyprocess ; sys_platform != 'win32'``) don't false-positive on Windows. 3. Runs ``importlib.metadata.version()`` for each remaining dep inside the *target* venv interpreter (resolved from ``VIRTUAL_ENV``, not ``sys.executable``). 4. If anything is missing, reinstalls the base group with ``--reinstall`` to force re-resolution. If a second probe still reports missing deps, force-installs each one with its pinned spec. 5. Treats final failure as a warning rather than a hard error — a single broken-on-PyPI dep shouldn't block an otherwise-successful update — but the message points at ``hermes update --force`` and names the missing packages so the user knows what's wrong. Tests ----- - ``TestRebuildVenv::test_retries_with_clear_when_dir_already_exists`` — simulates the rmtree-couldn't-delete-it failure mode and asserts the ``--clear`` retry path is taken and succeeds. - ``TestRebuildVenv::test_does_not_retry_when_first_failure_is_not_dir_exists`` — guards against masking real failures (disk full, etc.). - ``test_verify_core_dependencies.py`` — 7 tests covering the happy path, the regression (missing pathspec triggers --reinstall), the per-package fallback when --reinstall doesn't help, the platform- marker filter so Windows doesn't try to install ptyprocess, the missing-pyproject noop, and the VIRTUAL_ENV resolver. Co-authored-by: Kyssta <218078013+kyssta-exe@users.noreply.github.com> * refactor(skills): clean up bundled skill set + add environments: relevance gate (#39028) * refactor(skills): clean up bundled skill set + add environments: relevance gate Bundled skills cleanup pass plus a new offer-time relevance gate. Removals (redundant / dead): - spotify (covered by the spotify plugin's 7 native tools) - linear (covered by `hermes mcp install linear`) - kanban-codex-lane, debugging-hermes-tui-commands - empty category markers: diagramming, gifs, inference-sh, mlops/training, mlops/vector-databases - domain (stale orphan dup of optional/research/domain-intel) Bundled -> optional: - baoyu-article-illustrator, baoyu-comic, creative-ideation, pixel-art - dspy, subagent-driven-development - minecraft-modpack-server, pokemon-player - hermes-s6-container-supervision (-> optional/devops) Consolidation: - webhook-subscriptions + native-mcp folded into the hermes-agent skill as references/webhooks.md + references/native-mcp.md with SKILL.md pointers - writing-plans merged into plan (v2.0.0); related_skills + prose refs updated New: environments: frontmatter gate (agent/skill_utils.skill_matches_environment) - Offer-time relevance filter (kanban / docker / s6), parallel to platforms:. - Wired into the 3 OFFER surfaces only (prompt_builder skills index, skills_tool.list_skills, skill_commands slash discovery). - Explicit loads (skill_view, --skills preload) intentionally BYPASS it, so load-bearing force-loads like the kanban dispatcher's `--skills kanban-worker` always resolve. Verified via E2E. - kanban-orchestrator/kanban-worker tagged environments: [kanban]; hermes-s6-container-supervision tagged environments: [s6] + platforms: [linux]. Validation: 8/8 E2E gating assertions (incl force-load invariant); 442 targeted tests green (agent, skills_tool, skill_commands, kanban worker). * docs: regenerate skill catalogs + pages for the bundled cleanup Regenerated per-skill doc pages, catalogs, and sidebar to match the skill moves/removals in the parent commit. Moved skills' pages relocate bundled -> optional (history preserved); removed skills' pages deleted; edited skills' pages refreshed (hermes-agent now embeds the webhook + native-mcp reference pointers). zh-Hans i18n mirror: stale bundled pages and catalog rows for moved/removed skills pruned (new optional translations land via the translation pipeline). * test: drop regression test for removed kanban-codex-lane skill The kanban-codex-lane skill was removed in the bundled-skills cleanup; its dedicated regression test read the now-deleted SKILL.md and failed with FileNotFoundError on CI shard 6. * fix(gateway): visually expire Discord interactive views on timeout All Discord interactive views (ExecApprovalView, SlashConfirmView, UpdatePromptView, ModelPickerView, ClarifyChoiceView) now edit their message when the view times out, disabling buttons and updating the embed to show a 'Prompt expired' footer. Previously, timed-out buttons remained visually clickable in the UI, causing Discord's generic 'Interaction failed' error when clicked. Fixes #38022 * feat(gateway): handle Feishu meeting invitations Change-Id: I8cf5638393dd9adb1d7be5e170ce5082b41f77fa * refactor(feishu): slim meeting-invite parser; add AUTHOR_MAP entry Collapse the payload-shape normalization helpers into one _as_dict and drop unused dataclass fields (user_type/user_role, duplicate id, bot) on the meeting-invite handler. Module 274->212 LOC, behavior unchanged. Add zhaolei.vc@bytedance.com -> zhaoleibd to release.py AUTHOR_MAP. * fix(api-server): guard json.loads against corrupted SQLite data in response cache The ResponseStore.get() method calls json.loads(row[0]) without any error handling. If the SQLite responses table contains corrupted JSON data (e.g. from a crash mid-write or disk corruption), this raises an unhandled JSONDecodeError that propagates to the caller. Fix: wrap in try/except (json.JSONDecodeError, TypeError). On parse failure, log a warning, evict the corrupted entry from the cache, and return None (consistent with the function's Optional return type). * fix(vision): guard image pixel dimensions, not just bytes (#37677) Anthropic enforces two independent ceilings per image: 1. 5 MB encoded byte size 2. 8000 px longest side Hermes only guarded #1. A tall screenshot (e.g. 1200x12000 at 0.06 MB) passes every byte check but fails the pixel check, returning a non-retryable HTTP 400 that permanently bricks the conversation thread. Fixes: - error_classifier: add 'image dimensions exceed' pattern to _IMAGE_TOO_LARGE_PATTERNS so the 400 is classified as image_too_large and triggers the shrink/retry path instead of falling through to non-retryable error. - conversation_compression: check pixel dimensions (via Pillow) even when byte size is under the 4 MB target. If max(dims) > 8000, force shrink. - vision_tools._resize_image_for_vision: add optional max_dimension param. When set, images exceeding the pixel cap are downscaled even if they're under the byte budget. The resize loop now checks both byte AND pixel limits before accepting a candidate. Closes #37677 * fix(vision): cap pixel dimensions proactively at embed time + declare Pillow Follow-up to the salvaged #37727. That PR fixed the reactive recovery path (classifier + post-failure shrinker) but left the PROACTIVE embed-time guard in vision_tools byte-only — a tall small-byte screenshot (e.g. 1200x12000 at 0.06 MB) still baked into immutable history un-resized, relying on a failed round-trip to trigger reactive shrink. - vision_tools: add _image_exceeds_dimension() + _EMBED_MAX_DIMENSION (7900px); the embed-time cap now fires on bytes OR pixels and passes max_dimension to the resizer, so tall small-byte images are shrunk before they're embedded. - vision_tools: best-effort lazy-install of Pillow (tool.vision) in the resize ImportError fallback so the soft dep self-heals (respects allow_lazy_installs). - error_classifier: add two more Anthropic dimension-cap wording variants. - pyproject + lazy_deps: declare Pillow as the [vision] extra / tool.vision lazy dep (it was undeclared everywhere; without it ALL resize recovery no-ops). - tests: cover _image_exceeds_dimension (tall/small/edge/no-Pillow/corrupt). Co-authored-by: kyssta-exe <kyssta-exe@users.noreply.github.com> * fix(tools): add raise_for_status for MiniMax t2a_v2 TTS path The MiniMax t2a_v2 code path calls response.json() without first checking the HTTP status code. If the API returns HTTP 4xx/5xx with non-JSON content (e.g. HTML error page), response.json() raises an opaque JSONDecodeError instead of a clear HTTPError. The non-t2a_v2 path already has response.raise_for_status() at line 1299. Add the same check before response.json() in the t2a_v2 path for consistent error handling. * fix(gateway): don't treat dm_policy: pairing as open access on own-policy adapters * fix(gateway): anchor Google Chat OAuth client secret to default Hermes root * fix(desktop): detect linux arm64 binary * fix(gateway): keep pending /update completion notifications until the target platform reconnects * fix(cli): honor global-root active_provider fallback for named profiles * chore(desktop): zero eslint/typecheck debt + prettier pass (#39100) - eslint --fix across src/ and electron/ (unused imports, import/prop sort, padding) - flatten empty catch blocks in electron CJS; drop unused applyUpdatesPosixInApp arg - add setMutableRef helper for imperative ref writes (react-compiler clean) - move sidebar cookie persistence into an effect; extract scrollElementToBottom helper * fix(desktop): recover from corrupt cached Electron download on build hermes desktop failed on Linux with an ENOENT renaming release/linux-unpacked/electron -> Hermes. Root cause is a corrupt cached Electr…

…icket auth (NousResearch#37870) Generalises NousResearch#37747. The WS Origin guard (_ws_host_origin_is_allowed) only trusted the packaged Electron app's non-web origin (file:// / null / app://) when the bind was NOT OAuth-gated. The packaged Hermes Desktop renderer loads over file://, so when it drives a remote OAuth-gated gateway its /api/ws upgrade was rejected with HTTP 403 even though _ws_auth_ok had already validated the single-use ?ticket= one line earlier. This guard runs only AFTER _ws_auth_ok has accepted the WS credential, which is the real auth boundary in every mode: * loopback bind -> legacy dashboard session token * non-loopback --insecure -> legacy session token (Tailscale / LAN, NousResearch#37747) * OAuth-gated public bind -> single-use, 30s-TTL, identity-bound ?ticket= A non-web origin can only come from a native client; a DNS-rebinding attack always arrives from an http(s) origin and is still match-checked against the bound host. So once the upstream credential check has passed, the Origin guard adds nothing for a non-web origin. Collapsed the loopback/non-gated special cases to 'return True' for non-web origins. http(s) origins keep the strict same-host check, so browser DNS-rebinding defence is unchanged. Tests: gated file:///null/app:// now asserted ALLOWED; cross-site http(s) still rejected on gated and loopback binds; NousResearch#37747's loopback and non-loopback-insecure cases retained. 37/37 test_dashboard_auth_ws_auth + test_web_server_host_header pass.

The remote-gateway settings rendered the session-token box for every gateway during the idle/probing window before the first /api/status probe lands, because authMode defaults to 'token'. Gate both the OAuth sign-in button and the token box behind an authResolved flag so neither renders until the probe resolves the scheme (or a previously-saved remote config is being re-shown, so re-opening settings doesn't flicker). The gateway-side WS Origin fix that lets the packaged desktop (file:// origin) connect to an OAuth-gated remote gateway landed separately in NousResearch#37870; this branch is now purely the desktop client + this UI fix.

alt-glitch added type/bug Something isn't working P2 Medium — degraded but workaround exists comp/cli CLI entry point, hermes_cli/, setup wizard area/auth Authentication, OAuth, credential pools type/security Security vulnerability or hardening labels Jun 3, 2026

benbarclay merged commit dd28f2a into main Jun 3, 2026
23 checks passed

benbarclay deleted the dashboard-ws-origin-gated branch June 3, 2026 04:32

benbarclay mentioned this pull request Jun 3, 2026

feat(desktop): connect to OAuth-gated remote gateways #37888

Merged

BrewTestBot mentioned this pull request Jun 6, 2026

hermes-agent 2026.6.5 Homebrew/homebrew-core#286569

Merged

1 task

github-actions Bot mentioned this pull request Jun 6, 2026

chore: bump NousResearch/hermes-agent version from v2026.5.29.2 to v2026.6.5 Docker-Hub-sirmark/docker-hermes-agent#9

Merged

Gmatrix2022 mentioned this pull request Jun 7, 2026

[Bug]: Desktop "Remote gateway" can't connect over WebSocket — /api/ws always rejected (4403) for packaged Electron client #38412

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(dashboard): trust non-web WS origins on OAuth-gated binds after ticket auth#37870

fix(dashboard): trust non-web WS origins on OAuth-gated binds after ticket auth#37870
benbarclay merged 1 commit into
mainfrom
dashboard-ws-origin-gated

benbarclay commented Jun 3, 2026

Uh oh!

github-actions Bot commented Jun 3, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

benbarclay commented Jun 3, 2026

Summary

Root cause

Why this is safe

Changes

Validation

Notes

Uh oh!

github-actions Bot commented Jun 3, 2026

🔎 Lint report: dashboard-ws-origin-gated vs origin/main

ruff

ty (type checker)

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

🔎 Lint report: `dashboard-ws-origin-gated` vs `origin/main`