gooneyryan/hermes-webui
1
0
Fork 0
mirror of https://github.com/nesquena/hermes-webui.git synced 2026-05-26 11:40:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
v0.50.235
hermes-webui/api
T
History
nesquena-hermes 7189416969 fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206) 
fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes

v0.50.235 (#1203 — profile switch workspace/model/chip, 3 bugs + flaky test):
- switch_profile now reads target profile's workspace directly (thread-local bypass)
- invalidate_models_cache() after profile switch (model dropdown staleness)
- syncTopbar() updates chip before early-return (no-session path)

v0.50.234 (#1201/#1205 — XSS hardening + workspace security):
- renderMd() full HTML attribute sanitizer replacing tag-name-only allowlist
- Delegated image lightbox (removes all inline onclick)
- macOS /etc → /private/etc symlink bypass fixed
- /System /Library added to blocked workspace roots
- Legacy /api/chat workspace trust gap closed

Both PRs independently reviewed. 2787/2787 tests. QA harness 20/20 + 11/11 API checks.

Co-authored-by: Brendan Schmid <bschmidy10@Wilson.bschmidy10>
Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
2026-04-27 21:39:30 -07:00
..
__init__.py
Hermes Web UI — Sprints 11-14: multi-provider models, settings, session QoL, alerts, polish
2026-03-31 07:02:47 +00:00
agent_sessions.py
fix: batch triage — 12 contributor PRs (v0.50.227) (#1168)
2026-04-27 13:34:59 -07:00
auth.py
fix(auth): persist sessions across restarts via STATE_DIR/.sessions.json (#962)
2026-04-24 11:21:41 -07:00
background.py
feat(commands): /background, /btw slash commands + undo button + reasoning chip
2026-04-24 01:24:51 +00:00
clarify.py
feat: harden clarify dialog flow and refresh recovery
2026-04-15 13:10:50 +08:00
commands.py
feat: slash command parity + skill autocomplete — v0.50.91 (PR #711)
2026-04-19 05:37:44 +00:00
config.py
fix: batch v0.50.232 — fuzzy match, codex detection, workspace reload, timestamp sync (#1198)
2026-04-27 18:40:13 -07:00
gateway_watcher.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
helpers.py
v0.50.223: model picker, idle retry, drag-drop, CSP, clipboard copy (#1127)
2026-04-26 15:29:02 -07:00
metering.py
v0.50.207: batch of 10 PRs — TPS stat, SSE guard, session polish, cron UX, folder create, model errors, session speed, title gen (#1031)
2026-04-25 13:07:35 -07:00
models.py
fix(models): defer first save() until session has real state (v0.50.230) (#1185)
2026-04-27 16:44:07 -07:00
onboarding.py
fix: batch v0.50.228 — renderer, model race, tool card, empty session, .env (#1179)
2026-04-27 15:28:19 -07:00
profiles.py
fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206)
2026-04-27 21:39:30 -07:00
providers.py
fix: batch v0.50.228 — renderer, model race, tool card, empty session, .env (#1179)
2026-04-27 15:28:19 -07:00
routes.py
fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206)
2026-04-27 21:39:30 -07:00
session_ops.py
fix: batch triage — 12 contributor PRs (v0.50.227) (#1168)
2026-04-27 13:34:59 -07:00
startup.py
fix(security): gate auto-install behind HERMES_WEBUI_AUTO_INSTALL=1 — v0.50.156
2026-04-22 20:49:28 +00:00
state_sync.py
security: bandit fixes B310/B324/B110 + QuietHTTPServer (#354)
2026-04-13 11:11:56 -07:00
streaming.py
fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206)
2026-04-27 21:39:30 -07:00
updates.py
fix: update banner — conflict recovery path + server self-restart after update (#816)
2026-04-21 17:10:41 -07:00
upload.py
v0.50.25: mobile scroll, import timestamps, profile security, mic fallback (#404)
2026-04-13 22:11:45 -07:00
workspace.py
fix: batch v0.50.234-235 — XSS hardening, workspace validation, profile switch fixes (#1206)
2026-04-27 21:39:30 -07:00