@bitseek/hermes-webui 0.1.0-beta.0 → 0.1.0

package/vendor/agent-frontend-shell/api/config.py

@@ -26,75 +26,14 @@ from pathlib import Path
 from urllib.parse import parse_qs, urlparse
 
 # ── Basic layout ──────────────────────────────────────────────────────────────
-HOME = Path.home()
-# REPO_ROOT is the directory that contains this file's parent (api/ -> repo root)
-REPO_ROOT = Path(__file__).parent.parent.resolve()
-
-
-def _hermes_home_has_webui_state(base: Path) -> bool:
-    """Return True when *base* holds real WebUI state under its ``webui/`` dir.
-
-    Used only on Windows to detect a pre-v0.51.134 install at the legacy
-    ``%USERPROFILE%\\.hermes`` location so we don't strand the user's existing
-    sessions/pins/settings when the default moved to ``%LOCALAPPDATA%\\hermes``
-    (#2905).
-
-    We intentionally check ONLY WebUI-owned artifacts (the ``webui/`` subtree),
-    NOT agent-owned files like ``config.yaml`` / ``auth.json``.  The agent has
-    defaulted to ``%LOCALAPPDATA%\\hermes`` on Windows since before #2897, so a
-    long-time agent user who never ran WebUI at the legacy location would have a
-    stray ``auth.json`` there — keying on that would wrongly divert a *fresh*
-    WebUI install to the legacy dir.  Only ``webui/`` state is what actually
-    gets stranded by the move, so it is the correct and narrow signal.
-    Cheap stat-only checks; never raises.
-    """
-    try:
-        if not base.is_dir():
-            return False
-        markers = (
-            base / "webui" / "sessions",        # WebUI session store
-            base / "webui" / "settings.json",   # WebUI UI settings + pins
-            base / "webui",                     # WebUI state dir at all
-        )
-        return any(m.exists() for m in markers)
-    except OSError:
-        return False
-
-
-def _platform_default_hermes_home() -> Path:
-    """Return the platform-aware default Hermes home when HERMES_HOME is unset.
+import api.paths as _paths
 
-    Native Windows Hermes Agent installs default to %LOCALAPPDATA%\\hermes,
-    while POSIX installs use ~/.hermes.
+HOME = _paths.HOME
+_hermes_home_has_webui_state = _paths._hermes_home_has_webui_state
+_platform_default_hermes_home = _paths._platform_default_hermes_home
 
-    Windows migration safety (#2905): v0.51.134 moved the Windows default from
-    ``%USERPROFILE%\\.hermes`` to ``%LOCALAPPDATA%\\hermes`` to match the agent.
-    Upgrading users whose WebUI state still lives at the old location saw an
-    empty app (sessions/pins/settings "lost" — actually just at an address the
-    new build no longer reads).  To avoid stranding that data, prefer the
-    legacy ``%USERPROFILE%\\.hermes`` ONLY when it is populated AND the new
-    ``%LOCALAPPDATA%\\hermes`` location is not yet established.  This is a
-    non-destructive, self-healing fallback: no files are moved, and once the
-    new location has state (fresh installs, or users who set HERMES_HOME) the
-    legacy path is never preferred.  Explicit HERMES_HOME / HERMES_WEBUI_STATE_DIR
-    overrides take precedence upstream and are unaffected.
-    """
-    if os.name == "nt":
-        local_app_data = os.getenv("LOCALAPPDATA", "").strip()
-        if local_app_data:
-            new_home = Path(local_app_data) / "hermes"
-            legacy_home = HOME / ".hermes"
-            # Only fall back to the legacy home if it actually holds state and
-            # the new location has not been established yet — the exact
-            # post-upgrade fingerprint from #2905.
-            if (
-                legacy_home != new_home
-                and not _hermes_home_has_webui_state(new_home)
-                and _hermes_home_has_webui_state(legacy_home)
-            ):
-                return legacy_home
-            return new_home
-    return HOME / ".hermes"
+# REPO_ROOT is the directory that contains this file's parent (api/ -> repo root)
+REPO_ROOT = Path(__file__).parent.parent.resolve()
 
 # ── Network config (env-overridable) ─────────────────────────────────────────
 HOST = os.getenv("HERMES_WEBUI_HOST", "127.0.0.1")
@@ -1311,14 +1250,29 @@ _PROVIDER_MODELS = {
 
 _AMBIENT_GH_CLI_MARKERS = frozenset({"gh_cli", "gh auth token"})
 
+# Environment variable sources that are auto-detected and should be filtered
+# when the token is a classic PAT (ghp_*) that Copilot API doesn't support.
+# Note: COPILOT_GITHUB_TOKEN is NOT included here - it's user-specific config.
+_AMBIENT_GH_ENV_SOURCES = frozenset({"env:github_token", "env:gh_token"})
+
 
 def _is_ambient_gh_cli_entry(source: str, label: str, key_source: str) -> bool:
     """True when a credential-pool entry is a seeded gh-cli token rather than
     one the user added explicitly. Filter these so Copilot doesn't appear in
     the dropdown just because `gh` is installed on the system.
+
+    Also filters GITHUB_TOKEN and GH_TOKEN env var entries, which are
+    auto-detected from the environment and should not cause Copilot to appear
+    in the picker when the token is a classic PAT (ghp_*) that Copilot API
+    doesn't support.
+
+    Note: COPILOT_GITHUB_TOKEN is NOT filtered - it's user-specific config
+    that should always be respected.
     """
+    source_lower = source.strip().lower()
     return (
-        source.strip().lower() in _AMBIENT_GH_CLI_MARKERS
+        source_lower in _AMBIENT_GH_CLI_MARKERS
+        or source_lower in _AMBIENT_GH_ENV_SOURCES
         or label.strip().lower() == "gh auth token"
         or key_source.strip().lower() == "gh auth token"
     )
@@ -2155,6 +2109,90 @@ def _strip_provider_hint_for_reasoning(model_id: str) -> str:
     return model
 
 
+def _reasoning_name_candidates(model_id: str) -> list[str]:
+    """Return normalized model-name candidates for heuristic capability checks."""
+    bare = str(model_id or "").strip().lower().rsplit("/", 1)[-1]
+    if not bare:
+        return []
+
+    candidates: list[str] = []
+
+    def _add(value: str) -> None:
+        candidate = str(value or "").strip().lower()
+        if candidate and candidate not in candidates:
+            candidates.append(candidate)
+
+    _add(bare)
+
+    dot_parts = [part for part in bare.split(".") if part]
+    if len(dot_parts) > 1:
+        # Try progressively stripping dot-separated vendor namespaces so inputs like
+        # "moonshotai.kimi-k2.5" and "vendor.deepseek.v3.2" both surface the real
+        # model family rather than treating every dot as part of the provider slug.
+        for index in range(1, len(dot_parts)):
+            suffix = ".".join(dot_parts[index:])
+            if any(ch.isalpha() for ch in suffix):
+                _add(suffix)
+
+    for candidate in list(candidates):
+        normalized = re.sub(r"[^a-z0-9]+", "-", candidate).strip("-")
+        _add(normalized)
+
+    return candidates
+
+
+def _candidate_supports_reasoning(candidate: str) -> bool:
+    normalized = re.sub(r"[^a-z0-9]+", "-", str(candidate or "").strip().lower()).strip("-")
+    if not normalized:
+        return False
+
+    tokens = [token for token in normalized.split("-") if token]
+    token_set = set(tokens)
+
+    if "thinking" in token_set or "reasoning" in token_set:
+        return True
+    if "gpt" in token_set or normalized.startswith("gpt"):
+        # Restrict to GPT-5+ (exclude GPT-4o/4.1/3.5 — reasoning_effort unsupported)
+        m = re.search(r"gpt-(\d+)", normalized)
+        if m and int(m.group(1)) >= 5:
+            return True
+        return False
+    if normalized in {"o1", "o3", "o4"} or normalized.startswith(("o1-", "o3-", "o4-")):
+        return True
+    if "claude" in token_set or normalized.startswith("claude"):
+        # Restrict to Claude 4+ or Claude 3.7+ (exclude Claude 3.0/3.5)
+        match = re.search(r"claude.*?(\d+)(?:\D+(\d+))?", normalized)
+        if match:
+            major = int(match.group(1))
+            minor = int(match.group(2)) if match.group(2) else 0
+            if major >= 4 or (major == 3 and minor >= 7):
+                return True
+        return False
+    if "qwen" in token_set or normalized.startswith("qwen"):
+        # Restrict to Qwen 3+ (exclude Qwen 2/2.5)
+        match = re.search(r"qwen.*?(\d+)(?:\D+(\d+))?", normalized)
+        if match:
+            major = int(match.group(1))
+            if major >= 3:
+                return True
+        return False
+    if "kimi" in token_set or normalized.startswith("kimi"):
+        return True
+    if "minimax" in token_set or normalized.startswith("minimax"):
+        return True
+    if "mimo" in token_set or normalized.startswith("mimo"):
+        return True
+    if "glm" in token_set or normalized.startswith("glm"):
+        return True
+    if "step" in token_set or normalized.startswith("step"):
+        return True
+    if normalized.startswith(("deepseek-v", "deepseek-r")):
+        return True
+    if len(tokens) >= 2 and tokens[0] == "deepseek" and tokens[1].startswith(("v", "r")):
+        return True
+    return False
+
+
 def _heuristic_reasoning_efforts(model_id: str, provider_id: str) -> list[str]:
     """Fallback when hermes_cli is unavailable."""
     model = _strip_provider_hint_for_reasoning(model_id).lower()
@@ -2184,31 +2222,11 @@ def _heuristic_reasoning_efforts(model_id: str, provider_id: str) -> list[str]:
     )
     if any(model.startswith(prefix) for prefix in prefixes):
         return list(VALID_REASONING_EFFORTS)
-    # Custom API aggregators (e.g. New API, One API) use non-standard model naming:
-    # bare names like "deepseek-v4-flash" or dot-separated "moonshotai.kimi-k2.5"
-    # rather than the OpenRouter-style "vendor/model" that the prefix list targets.
-    # Strip a dot-vendor prefix (e.g. "moonshotai.kimi-k2.5" → "kimi-k2.5") and
-    # check both the original bare name and the stripped suffix.
-    bare_after_dot = bare.split(".", 1)[-1] if "." in bare else bare
-    thinking_bare_prefixes = (
-        "deepseek-v4",
-        "deepseek-r1",
-        "deepseek-r2",
-        "kimi-k2",
-        "kimi-thinking",
-        "qwen3",
-        "claude-3",
-        "claude-4",
-        "o1-",
-        "o3-",
-        "o4-",
-    )
-    if any(
-        bare.startswith(p) or bare_after_dot.startswith(p)
-        for p in thinking_bare_prefixes
-    ):
-        return list(VALID_REASONING_EFFORTS)
-    if "thinking" in bare or "reasoning" in bare:
+    # Named custom providers often rewrite model ids with dots, underscores, or
+    # extra vendor namespaces. Normalize those shapes before applying family-level
+    # reasoning heuristics so "deepseek.v3.2", "deepseek_v4_flash", and
+    # "vendor.deepseek.v3.2" are treated consistently.
+    if any(_candidate_supports_reasoning(candidate) for candidate in _reasoning_name_candidates(bare)):
         return list(VALID_REASONING_EFFORTS)
     return []
 
@@ -3094,17 +3112,20 @@ def _get_label_for_model(model_id: str, existing_groups: list) -> str:
     if lookup_id.startswith("@") and ":" in lookup_id:
         lookup_id = lookup_id.split(":", 1)[1]
 
-    # Check existing groups for a matching label
-    _norm = lambda s: (s.split("/", 1)[-1] if "/" in s else s).replace("-", ".").lower()
+    # Check existing groups for a matching label.
+    # Skip slash stripping for URI-scheme IDs (e.g. gpt://folder/model) (#3429).
+    _has_scheme = lambda s: "://" in s
+    _norm = lambda s: (s.split("/", 1)[-1] if ("/" in s and not _has_scheme(s)) else s).replace("-", ".").lower()
     norm_lookup = _norm(lookup_id)
     for g in existing_groups:
         for m in g.get("models", []):
             if m.get("label") and _norm(str(m.get("id", ""))) == norm_lookup:
                 return m["label"]
 
-    # Fall back: capitalize each hyphen-separated word, preserve dots in version numbers.
-    # The catalog lookup above handles well-known models; this only fires for unlisted IDs.
-    bare = lookup_id.split("/")[-1] if "/" in lookup_id else lookup_id
+    # Fall back: strip only the first slash-segment (provider prefix),
+    # preserving vendor hierarchy for multi-slash IDs (#3360).
+    # Skip for URI-scheme IDs whose slashes are path separators (#3429).
+    bare = lookup_id.split("/", 1)[1] if ("/" in lookup_id and not _has_scheme(lookup_id)) else lookup_id
     return " ".join(
         w.upper() if (len(w) <= 3 and w.replace(".", "").isalnum() and not w.isdigit()) else w.capitalize()
         for w in bare.replace("_", "-").split("-")
@@ -3257,11 +3278,18 @@ def get_available_models() -> dict:
             if s.startswith("@") and ":" in s:
                 parts = s.split(":")
                 s = parts[-1] or s
-            # Strip provider/model prefix (e.g., custom:jingdong/GLM-5 -> GLM-5).
-            # Same trailing-empty guard.
-            if "/" in s:
-                parts = s.split("/")
-                s = parts[-1] or s
+            # Skip slash-based stripping for URI-scheme IDs (e.g.
+            # gpt://folder/model/latest) whose slashes are path separators,
+            # not provider delimiters (#3429).
+            if "://" not in s:
+                # Strip only the first slash-segment (provider prefix), preserving
+                # any remaining vendor hierarchy.  Using parts[-1] here previously
+                # discarded ALL segments except the last, collapsing distinct
+                # multi-slash IDs like 'vendor_a/deepseek-v4-pro' and
+                # 'vendor_b/deepseek/deepseek-v4-pro' to the same key (#3360).
+                if "/" in s:
+                    stripped = s.split("/", 1)[1]
+                    s = stripped or s
             return s.replace("-", ".")
 
         def _build_configured_model_badges() -> dict[str, dict[str, str]]:
@@ -4867,7 +4895,7 @@ _SETTINGS_DEFAULTS = {
     "show_cli_sessions": False,  # merge CLI sessions from state.db into the sidebar
     "show_previous_messaging_sessions": False,  # show older Telegram/Discord/etc. reset segments
     "sync_to_insights": False,  # mirror WebUI token usage to state.db for /insights
-    "check_for_updates": True,  # check if webui/agent repos are behind upstream
+    "check_for_updates": False,  # check if webui/agent repos are behind upstream
     "ignore_agent_updates": False,  # keep WebUI update notices but suppress Agent update checks
     "whats_new_summary_enabled": False,  # show an LLM-written What's New summary before diff links
     "theme": "dark",  # light | dark | system
@@ -4892,6 +4920,7 @@ _SETTINGS_DEFAULTS = {
     "show_thinking": True,  # show/hide thinking/reasoning blocks in chat view
     "simplified_tool_calling": True,  # render tools/thinking as compact inline timeline activity
     "api_redact_enabled": True,  # redact sensitive data (API keys, secrets) from API responses
+    "dashboard_plugins": {},  # plugin_name -> bool, opt-in per plugin (default off per PF-10b)
     "sidebar_density": "compact",  # compact | detailed
     "auto_title_refresh_every": "0",  # adaptive title refresh: 0=off, 5/10/20=every N exchanges
     "busy_input_mode": "queue",  # behavior when sending while agent is running: queue | interrupt | steer
@@ -5063,7 +5092,19 @@ def save_settings(settings: dict) -> dict:
     if settings.pop("_clear_password", False):
         current["password_hash"] = None
         _password_changed = True
+    # Deep-merge dashboard_plugins dict (plugin_name -> bool)
+    _dashboard_plugins = settings.get("dashboard_plugins")
+    if isinstance(_dashboard_plugins, dict):
+        current_dash = current.get("dashboard_plugins", {})
+        if isinstance(current_dash, dict):
+            # Coerce values to bool + keep only str keys so settings.json can't be
+            # polluted with non-bool/non-str junk from a crafted POST.
+            current_dash.update({k: bool(v) for k, v in _dashboard_plugins.items() if isinstance(k, str)})
+            current["dashboard_plugins"] = current_dash
     for k, v in settings.items():
+        # dashboard_plugins is deep-merged above (not a flat allowlisted scalar).
+        if k == "dashboard_plugins":
+            continue
         if k in _SETTINGS_ALLOWED_KEYS:
             if k == "theme":
                 if isinstance(v, str) and v.strip():

package/vendor/agent-frontend-shell/api/gateway_chat.py

@@ -24,7 +24,7 @@ from api.config import (
     update_active_run,
 )
 from api.helpers import _redact_text, redact_session_data
-from api.models import get_session
+from api.models import get_session, merge_session_messages_append_only
 from api.run_journal import RunJournalWriter
 
 logger = logging.getLogger(__name__)
@@ -250,10 +250,29 @@ def _run_gateway_chat_streaming(
                 _load_webui_prefill_context,
                 _prefill_messages_with_webui_context,
                 _public_prefill_context_status,
+                _webui_ephemeral_system_prompt,
             )
 
             prefill_context = _load_webui_prefill_context(cfg)
-            prefill_messages = _prefill_messages_with_webui_context(prefill_context, cfg)
+            # #3324: the WebUI session/delivery context (connected platforms,
+            # home channels, delivery hints, session framing) is now carried in
+            # the ephemeral system prompt rather than a prefill `user` message.
+            # The gateway-backed path must build the SAME system prompt so that
+            # context is not silently dropped on Gateway-routed WebUI chats.
+            _gateway_system_prompt = _webui_ephemeral_system_prompt(
+                None,
+                surface_context={
+                    "source": "webui",
+                    "session_id": session_id,
+                    "profile": getattr(s, "profile", None),
+                    "workspace": s.workspace if s is not None else str(workspace),
+                },
+                config_data=cfg,
+            )
+            prefill_messages = [
+                {"role": "system", "content": _gateway_system_prompt},
+                *_prefill_messages_with_webui_context(prefill_context, cfg),
+            ]
             put_gateway_event("context_status", {
                 "session_id": session_id,
                 "prefill": _public_prefill_context_status(prefill_context),
@@ -380,16 +399,41 @@ def _run_gateway_chat_streaming(
             assistant_msg = {"role": "assistant", "content": assistant_text, "timestamp": assistant_ts}
             previous_context = list(getattr(s, "context_messages", None) or getattr(s, "messages", None) or [])
             s.context_messages = previous_context + [user_msg, assistant_msg]
-            display = list(getattr(s, "messages", None) or [])
-            # Avoid duplicating the eager-save checkpointed user message.
-            if display:
-                latest = display[-1]
-                if isinstance(latest, dict) and latest.get("role") == "user":
-                    latest_text = " ".join(str(latest.get("content") or "").split())
-                    msg_norm = " ".join(str(msg_text or "").split())
-                    if latest_text == msg_norm:
-                        display = display[:-1]
-            s.messages = display + [user_msg, assistant_msg]
+            try:
+                from api.streaming import _is_context_compression_marker
+
+                display_context = [
+                    msg
+                    for msg in previous_context
+                    if not _is_context_compression_marker(msg)
+                ]
+            except Exception:
+                logger.debug("Failed to filter gateway display context markers", exc_info=True)
+                display_context = previous_context
+            display = merge_session_messages_append_only(
+                list(getattr(s, "messages", None) or []),
+                display_context,
+            )
+            try:
+                from api.streaming import _merge_display_messages_after_agent_result
+
+                s.messages = _merge_display_messages_after_agent_result(
+                    display,
+                    previous_context,
+                    s.context_messages,
+                    str(msg_text or ""),
+                )
+            except Exception:
+                logger.debug("Failed to merge gateway display transcript", exc_info=True)
+                # Avoid duplicating the eager-save checkpointed user message.
+                if display:
+                    latest = display[-1]
+                    if isinstance(latest, dict) and latest.get("role") == "user":
+                        latest_text = " ".join(str(latest.get("content") or "").split())
+                        msg_norm = " ".join(str(msg_text or "").split())
+                        if latest_text == msg_norm:
+                            display = display[:-1]
+                s.messages = display + [user_msg, assistant_msg]
             s.active_stream_id = None
             s.pending_user_message = None
             s.pending_attachments = None

package/vendor/agent-frontend-shell/api/helpers.py

@@ -367,9 +367,9 @@ def _redact_value(v, *, _enabled: bool | None = None):
 
 
 def redact_session_data(session_dict: dict) -> dict:
-    """Redact credentials from message content and tool_call data before API response.
+    """Redact credentials from message content, tool data, and session sidecars.
 
-    Applies to: messages[], tool_calls[], and title.
+    Applies to: messages[], tool_calls[], todo_state, and title.
     The underlying session file is not modified; redaction is response-layer only.
 
     Reads the ``api_redact_enabled`` setting ONCE for the entire response and
@@ -387,6 +387,8 @@ def redact_session_data(session_dict: dict) -> dict:
         result['messages'] = _redact_value(result['messages'], _enabled=_enabled)
     if 'tool_calls' in result:
         result['tool_calls'] = _redact_value(result['tool_calls'], _enabled=_enabled)
+    if 'todo_state' in result:
+        result['todo_state'] = _redact_value(result['todo_state'], _enabled=_enabled)
     return result