hermes-webui

gooneyryan/hermes-webui

Fork 0

mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-26 19:50:15 +00:00

Commit Graph

Author	SHA1	Message	Date
starship-s	93e7ba5a6b	test: stabilize session time bucket boundary	2026-04-29 04:31:36 +00:00
nesquena-hermes	7189416969	fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206 ) fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes v0.50.235 (#1203 — profile switch workspace/model/chip, 3 bugs + flaky test): - switch_profile now reads target profile's workspace directly (thread-local bypass) - invalidate_models_cache() after profile switch (model dropdown staleness) - syncTopbar() updates chip before early-return (no-session path) v0.50.234 (#1201/#1205 — XSS hardening + workspace security): - renderMd() full HTML attribute sanitizer replacing tag-name-only allowlist - Delegated image lightbox (removes all inline onclick) - macOS /etc → /private/etc symlink bypass fixed - /System /Library added to blocked workspace roots - Legacy /api/chat workspace trust gap closed Both PRs independently reviewed. 2787/2787 tests. QA harness 20/20 + 11/11 API checks. Co-authored-by: Brendan Schmid <bschmidy10@Wilson.bschmidy10> Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>	2026-04-27 21:39:30 -07:00
nesquena-hermes	3780df9428	fix: batch v0.50.232 — fuzzy match, codex detection, workspace reload, timestamp sync (#1198 ) Batch release v0.50.232 — 4 fixes. ## PRs included \| PR \| Author \| Fix \| \|---\|---\|---\| \| #1192 \| @nesquena-hermes \| Model chip fuzzy-match false positive (#1188) \| \| #1193 \| @nesquena-hermes \| openai-codex not detected in model picker (#1189) \| \| #1196 \| @nesquena-hermes \| Workspace files blank after second empty-session reload \| \| #1197 \| @bergeouss \| Session timestamps wrong with server/client clock drift (#1144) \| All four PRs independently reviewed and approved by @nesquena. ## Integration fixes applied #1193: Updated misleading comment — `OPENAI_API_KEY` does NOT authenticate the default Codex OAuth endpoint (that uses `chatgpt.com/backend-api/codex` and requires a separate OAuth flow). The comment now accurately states the known limitation. Also replaced a fragile 400-char source-scan test with an isolation-safe unit test. Note: OAuth-authenticated users already get detected via `hermes_cli.auth` — this fix only addresses the env-var fallback path. ## Test results 2764 passed, 2 skipped (macOS-only workspace tests). Browser QA: 21/21. `/api/sessions` confirmed returning `server_time` and `server_tz` fields.	2026-04-27 18:40:13 -07:00

Author

SHA1

Message

Date

starship-s

93e7ba5a6b

test: stabilize session time bucket boundary

2026-04-29 04:31:36 +00:00

nesquena-hermes

7189416969

fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206 )

fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes

v0.50.235 (#1203 — profile switch workspace/model/chip, 3 bugs + flaky test):
- switch_profile now reads target profile's workspace directly (thread-local bypass)
- invalidate_models_cache() after profile switch (model dropdown staleness)
- syncTopbar() updates chip before early-return (no-session path)

v0.50.234 (#1201/#1205 — XSS hardening + workspace security):
- renderMd() full HTML attribute sanitizer replacing tag-name-only allowlist
- Delegated image lightbox (removes all inline onclick)
- macOS /etc → /private/etc symlink bypass fixed
- /System /Library added to blocked workspace roots
- Legacy /api/chat workspace trust gap closed

Both PRs independently reviewed. 2787/2787 tests. QA harness 20/20 + 11/11 API checks.

Co-authored-by: Brendan Schmid <bschmidy10@Wilson.bschmidy10>
Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>

2026-04-27 21:39:30 -07:00

nesquena-hermes

3780df9428

fix: batch v0.50.232 — fuzzy match, codex detection, workspace reload, timestamp sync (#1198 )

Batch release v0.50.232 — 4 fixes.

## PRs included

| PR | Author | Fix |
|---|---|---|
| #1192 | @nesquena-hermes | Model chip fuzzy-match false positive (#1188) |
| #1193 | @nesquena-hermes | openai-codex not detected in model picker (#1189) |
| #1196 | @nesquena-hermes | Workspace files blank after second empty-session reload |
| #1197 | @bergeouss | Session timestamps wrong with server/client clock drift (#1144) |

All four PRs independently reviewed and approved by @nesquena.

## Integration fixes applied

**#1193:** Updated misleading comment — `OPENAI_API_KEY` does NOT authenticate the default Codex OAuth endpoint (that uses `chatgpt.com/backend-api/codex` and requires a separate OAuth flow). The comment now accurately states the known limitation. Also replaced a fragile 400-char source-scan test with an isolation-safe unit test. Note: OAuth-authenticated users already get detected via `hermes_cli.auth` — this fix only addresses the env-var fallback path.

## Test results

**2764 passed, 2 skipped** (macOS-only workspace tests). Browser QA: **21/21**. `/api/sessions` confirmed returning `server_time` and `server_tz` fields.

2026-04-27 18:40:13 -07:00

3 Commits