0a2dabc730
stage-batch36: tighten #3064 MEDIA: token gate to non-user-role messages
...
Per Opus advisor on stage-batch36: skip role='user' messages in
_session_media_token_allows_image_path so a user-injected MEDIA: token
cannot mint an allow-list entry for the user's own request. Preserves
the original use case (assistant/tool emitted artifacts outside the
active workspace) while making the implicit threat model explicit.
Defense-in-depth — the single-user WebUI scope means same-origin user
input already had the same effective access, but multi-user / shared
WebUI deployments would benefit from the restriction.
2026-05-28 18:20:25 +00:00
371f77c9b9
stage-batch36: stamp v0.51.154 / Release DZ
...
9-PR medium-risk cleanup:
- #3037 routes.py: argv-style prefill hook + env-var override for notes drawer
- #3046 models.py: compression parent not repaired as stale interrupted turn
- #3048 session_discoverability.py: --repair-safe CLI with default dry-run
- #3053 ui.js: streaming KaTeX guard for parser-owned equations
- #3059 models.py: empty partial activity rows excluded from sidebar recency
- #3060 profiles.py: API key writes to .env (chmod 600), not config.yaml
- #3064 routes.py: MEDIA: image tokens allow exact session-referenced paths
- #3069 models.py: cron sessions with project_id surface via Cron Jobs chip
- #3077 gateway_chat.py: HTTP 401 maps to gateway_auth_error event
2026-05-28 18:04:24 +00:00
a3fc305aeb
Merge PR #3077
...
# Conflicts:
# CHANGELOG.md
# tests/test_webui_gateway_chat_backend.py
2026-05-28 17:47:56 +00:00
1c89c7d327
Merge PR #3064
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:35 +00:00
4412aea9e8
Merge PR #3059
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:34 +00:00
921b94a287
Merge PR #3046
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:34 +00:00
c642c1e438
Merge PR #3069
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:34 +00:00
83f8080103
Merge PR #3053
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:34 +00:00
11ea6c3023
Merge PR #3060
2026-05-28 17:47:33 +00:00
007ba46c3f
Merge PR #3048
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:33 +00:00
dc5b4b1697
Merge PR #3037
...
# Conflicts:
# CHANGELOG.md
2026-05-28 17:47:33 +00:00
b103f4ad68
Merge pull request #3081 from nesquena/release/stage-batch35
...
stage-batch35: v0.51.153 / Release DY — 11-PR low-risk cleanup
2026-05-28 10:46:25 -07:00
95aa69f951
stage-batch35: stamp v0.51.153 / Release DY
...
11-PR low-risk cleanup:
- #3043 openai-codex models.dev reasoning passes xhigh
- #3044 reset _messagesTruncated on new session
- #3047 discoverability: api lineage representative for stale CLI flag
- #3049 title-language detection threshold + English false-positive fix
- #3051 docker docs: sudo compose + Linux host-gateway
- #3054 SSE reconnect: visible-but-unfocused current pane
- #3055 fallback title: drop German-only Session Bilder case
- #3056 title prompt: language-neutral instruction
- #3070 /api/upload reports actual stored filename
- #3071 clarify SSE fallback preserves owner session id
- #3072 gateway-chat forwards image attachments as image_url parts
2026-05-28 16:13:58 +00:00
34d7585bb7
Merge PR #3051
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:17 +00:00
4058c741b6
Merge PR #3072
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:16 +00:00
2107160bf7
Merge PR #3054
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:16 +00:00
50a0d254a3
Merge PR #3047
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:16 +00:00
167ed85e8e
Merge PR #3070
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:16 +00:00
2443db60b6
Merge PR #3071
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:11:15 +00:00
d446a6c304
Merge PR #3049
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:10:49 +00:00
0fd12b2365
Merge PR #3056
...
# Conflicts:
# CHANGELOG.md
2026-05-28 16:10:12 +00:00
0147f05c0d
Merge PR #3055
2026-05-28 16:09:47 +00:00
b77398abbf
Merge PR #3043
2026-05-28 16:09:45 +00:00
fa34c7220d
Merge PR #3044
2026-05-28 16:09:44 +00:00
923b719ed1
fix: surface gateway auth errors in browser
2026-05-28 11:12:58 -04:00
790fc70e87
test: keep bare git fixtures on master
2026-05-28 10:37:38 -04:00
8e6ed66815
fix: clarify gateway chat auth errors
2026-05-28 09:59:35 -04:00
04e0f905dd
test: force master in git workspace fixtures
2026-05-28 09:50:07 -04:00
cbd3704a7f
fix: preserve literal prefill script paths
2026-05-28 09:31:07 -04:00
e4ef50a0da
test: cover provider-neutral notes sources
2026-05-28 09:26:09 -04:00
3469a2f898
fix: avoid interruption marker for completed journal runs
2026-05-28 15:19:09 +02:00
3f22902423
fix: forward gateway image attachments
2026-05-28 08:40:51 -04:00
0f26b99a11
fix: preserve clarify fallback ownership
2026-05-28 08:35:26 -04:00
0458a0a065
fix: report stored upload filenames
2026-05-28 08:33:50 -04:00
9e69db9920
fix: show cron sessions in project filter
2026-05-28 08:10:15 -04:00
1b5e6f6fae
fix: mirror WebUI prefill env for AI-recent notes
2026-05-28 07:19:31 -04:00
10573ab8aa
Fix session media image rendering
2026-05-28 18:05:01 +08:00
d77e8f0445
test: update _write_endpoint_to_config tests for api_key→.env migration
...
- test_writes_api_key: now asserts no-op (no config.yaml created)
since api_key-only is no longer a valid use case
- test_writes_both: asserts api_key is NOT written to config.yaml
2026-05-28 16:07:13 +08:00
821d4a7fa4
test: keep redaction fixture visible in session index
2026-05-28 09:52:42 +02:00
9e5403994c
fix(profiles): write API key to .env instead of config.yaml on profile creation
...
When a user creates a profile through the WebUI and supplies an API key,
the key was written to config.yaml under model.api_key. However, Hermes
Agent's provider layer reads keys from environment variables (.env), not
from config.yaml — making the key invisible to the actual LLM provider.
Additionally, hermes profile show reports .env: not configured when no
.env file exists, regardless of config.yaml contents, giving users the
false impression that their API key was not saved.
Changes:
- Add _PROVIDER_ENV_MAP to resolve provider IDs to .env variable names
(kimi-coding → KIMI_API_KEY, deepseek → DEEPSEEK_API_KEY, etc.)
- Add _write_api_key_to_dotenv() that writes the key to the profile's
.env file under the correct provider-specific variable
- Add _upsert_dotenv_line() helper for idempotent KEY=value writes
- Remove api_key writing from _write_endpoint_to_config()
- Wire _write_api_key_to_dotenv() into create_profile_api()
Fixes: profile created via WebUI shows .env: not configured despite
correct API key being entered in the form.
2026-05-28 15:45:17 +08:00
ce59e7ca20
fix: defer stale stream repair for active workers
2026-05-28 09:33:40 +02:00
9190ab4449
Fix empty partial activity tail recency
2026-05-28 15:30:49 +08:00
62efbfb13f
fix: use generic title language prompt
2026-05-28 09:14:46 +02:00
b046cb42c3
fix: remove German-only fallback title override
2026-05-28 09:09:59 +02:00
c197e0c091
fix: allow current-pane SSE reconnect when unfocused
2026-05-28 09:02:06 +02:00
2ee249112a
fix: defer streaming KaTeX for pending equations
2026-05-28 08:56:34 +02:00
eb8ecb2e61
docs: clarify Docker localhost and sudo compose setup
2026-05-28 08:39:59 +02:00
2aeebf56ac
fix: tighten title language detection
2026-05-28 08:21:58 +02:00
f879fd6bc3
fix: add dry-run discoverability safe repair
2026-05-28 08:19:49 +02:00
bd8fd22d81
fix: show lineage representative in discoverability audit
2026-05-28 08:13:35 +02:00
nesquena-hermes