@hermespilot/link 0.7.5-beta.0 → 0.7.6

package/dist/{chunk-E7KAHPLU.js → chunk-P54DBGLE.js}

@@ -2314,6 +2314,9 @@ function resolveHermesProfilesDir() {
 function resolveHermesConfigPath(profileName = "default") {
   return path3.join(resolveHermesProfileDir(profileName), "config.yaml");
 }
+function resolveHermesEnvPath(profileName = "default") {
+  return path3.join(resolveHermesProfileDir(profileName), ".env");
+}
 async function readHermesSessionsDir(profileName = "default", configPath = resolveHermesConfigPath(profileName)) {
   const profileDir = resolveHermesProfileDir(profileName);
   const { config } = await readHermesConfigDocument(configPath);
@@ -2618,16 +2621,20 @@ async function saveHermesModelConfig(input, profileName = "default", configPath
   const shouldUpdateReasoningEffort = input.reasoningEffort !== void 0;
   const { document, config, existingRaw } = await readHermesConfigDocument(configPath);
   const providers = ensureProvidersRecordWithLegacyMigration(config);
-  const originalModelId = input.originalModelId?.trim() || normalized.id;
+  const originalModelId = input.originalModelId?.trim();
   const originalProvider = input.originalProvider?.trim();
   const originalBaseUrl = input.originalBaseUrl?.trim();
   const originalApiMode = input.originalApiMode?.trim();
-  const existingProviderKey = findProviderConfigKeyByModelIdentity(providers, {
-    id: originalModelId,
+  const originalIdentity = {
+    id: originalModelId || normalized.id,
     provider: originalProvider,
     baseUrl: originalBaseUrl,
     apiMode: originalApiMode
-  }) ?? (originalProvider && originalBaseUrl ? findProviderConfigKeyByEndpoint(providers, {
+  };
+  const hasOriginalIdentity = Boolean(
+    originalModelId || originalProvider || originalBaseUrl || originalApiMode
+  );
+  const existingProviderKey = (hasOriginalIdentity ? findProviderConfigKeyByModelIdentity(providers, originalIdentity) : null) ?? (originalProvider && originalBaseUrl ? findProviderConfigKeyByEndpoint(providers, {
     provider: originalProvider,
     baseUrl: originalBaseUrl,
     apiMode: originalApiMode
@@ -2647,7 +2654,7 @@ async function saveHermesModelConfig(input, profileName = "default", configPath
     await writeHermesEnvValue(profileName, keyEnv, normalized.apiKey);
   }
   writeProviderEndpointConfig(entry, normalized, keyEnv);
-  ensureEntryModelConfig(entry, originalModelId, normalized.id);
+  ensureEntryModelConfig(entry, originalIdentity.id, normalized.id);
   writeEntryModelContextLength(entry, normalized.id, normalized.contextLength);
   writeEntryModelSupportsVision(entry, normalized.id, input.supportsVision);
   if (shouldUpdateReasoningEffort) {
@@ -2662,15 +2669,29 @@ async function saveHermesModelConfig(input, profileName = "default", configPath
   const currentDefaultConfig = readModelConfig(modelConfig);
   const currentDefault = currentDefaultConfig.model;
   const currentDefaultReasoningEffort = readProfileReasoningEffort(config);
-  if (normalized.setDefault || !currentDefault || currentDefault === originalModelId) {
-    if (normalized.setDefault && currentDefault && currentDefault !== normalized.id && currentDefault !== originalModelId) {
+  const currentDefaultMatchesOriginal = hasOriginalIdentity && modelConfigMatchesModelIdentity(currentDefaultConfig, originalIdentity);
+  const currentDefaultMatchesNext = modelConfigMatchesModelIdentity(
+    currentDefaultConfig,
+    {
+      id: normalized.id,
+      provider: providerKey,
+      baseUrl: normalized.baseUrl,
+      apiMode: inferApiMode(
+        providerKey,
+        normalized.baseUrl,
+        normalized.apiMode
+      )
+    }
+  );
+  if (normalized.setDefault || !currentDefault || currentDefaultMatchesOriginal) {
+    if (normalized.setDefault && currentDefault && !currentDefaultMatchesNext && !currentDefaultMatchesOriginal) {
       retainModelDefaultAsProvider(providers, {
         ...currentDefaultConfig,
         ...currentDefaultReasoningEffort ? { reasoningEffort: currentDefaultReasoningEffort } : {}
       });
     }
-    const defaultKeyEnv = keyEnv ?? (currentDefault === originalModelId ? currentDefaultConfig.keyEnv : void 0);
-    const defaultApiKey = normalized.apiKey ?? (!defaultKeyEnv && currentDefault === originalModelId ? currentDefaultConfig.apiKey : void 0);
+    const defaultKeyEnv = keyEnv ?? (currentDefaultMatchesOriginal ? currentDefaultConfig.keyEnv : void 0);
+    const defaultApiKey = normalized.apiKey ?? (!defaultKeyEnv && currentDefaultMatchesOriginal ? currentDefaultConfig.apiKey : void 0);
     writeDefaultModelConfig(modelConfig, {
       ...normalized,
       provider: providerKey,
@@ -2858,7 +2879,12 @@ async function saveHermesModelDefaults(input, profileName = "default", configPat
     const modelConfig = ensureRecord(config, "model");
     const currentDefaultConfig = readModelConfig(modelConfig);
     const currentDefaultReasoningEffort = readProfileReasoningEffort(config);
-    if (currentDefaultConfig.model && currentDefaultConfig.model !== selected.id) {
+    if (currentDefaultConfig.model && !modelConfigMatchesModelIdentity(currentDefaultConfig, {
+      id: selected.id,
+      provider: selected.provider,
+      baseUrl: selected.baseUrl,
+      apiMode: selected.apiMode
+    })) {
       retainModelDefaultAsProvider(providers, {
         ...currentDefaultConfig,
         ...currentDefaultReasoningEffort ? { reasoningEffort: currentDefaultReasoningEffort } : {}
@@ -2923,7 +2949,9 @@ async function readHermesProfilePermissions(profileName = "default", configPath
 }
 async function saveHermesProfilePermissions(profileName, input, configPath = resolveHermesConfigPath(profileName)) {
   const { document, config, existingRaw } = await readHermesConfigDocument(configPath);
+  let configTouched = false;
   if (input.approvals) {
+    configTouched = true;
     const approvals = ensureRecord(config, "approvals");
     if (input.approvals.mode !== void 0) {
       approvals.mode = normalizeApprovalMode(input.approvals.mode);
@@ -2939,6 +2967,7 @@ async function saveHermesProfilePermissions(profileName, input, configPath = res
     }
   }
   if (input.terminal) {
+    configTouched = true;
     const terminal = ensureRecord(config, "terminal");
     if (input.terminal.backend !== void 0) {
       terminal.backend = normalizeTerminalBackend(input.terminal.backend);
@@ -2968,7 +2997,24 @@ async function saveHermesProfilePermissions(profileName, input, configPath = res
       terminal.container_persistent = input.terminal.containerPersistent;
     }
   }
+  let envChanged = false;
+  if (input.sudo) {
+    if (input.sudo.clear) {
+      envChanged = await deleteHermesEnvValue(profileName, "SUDO_PASSWORD") || envChanged;
+      const terminal = toRecord(config.terminal);
+      if (terminal.sudo_password !== void 0) {
+        delete terminal.sudo_password;
+        configTouched = true;
+      }
+    }
+    if (input.sudo.password !== void 0) {
+      const password = normalizeSudoPassword(input.sudo.password);
+      await writeHermesEnvValue(profileName, "SUDO_PASSWORD", password);
+      envChanged = true;
+    }
+  }
   if (input.toolsets) {
+    configTouched = true;
     const env = await readHermesEnvFile(profileName);
     const currentPermissions = profilePermissionsFromConfig(
       profileName,
@@ -2996,16 +3042,16 @@ async function saveHermesProfilePermissions(profileName, input, configPath = res
     }
     platformToolsets.api_server = next;
   }
-  const backupPath = await writeHermesConfigDocument({
+  const backupPath = configTouched ? await writeHermesConfigDocument({
     configPath,
     document,
     config,
     existingRaw
-  });
+  }) : null;
   return {
     ...await readHermesProfilePermissions(profileName, configPath),
     backupPath,
-    requiresGatewayReload: true,
+    requiresGatewayReload: configTouched || envChanged,
     restartHint: PROFILE_PERMISSIONS_RESTART_HINT
   };
 }
@@ -3472,6 +3518,11 @@ function providerConfigToLegacyEntry(providerKey, entry) {
 }
 function ensureProvidersRecordWithLegacyMigration(config) {
   const providers = ensureRecord(config, "providers");
+  for (const [key, rawEntry] of Object.entries(providers)) {
+    const entry = toRecord(rawEntry);
+    normalizeProviderCredentialReference(entry);
+    providers[key] = entry;
+  }
   const customProviders = Array.isArray(config.custom_providers) ? config.custom_providers : [];
   for (const rawEntry of customProviders) {
     const entry = toRecord(rawEntry);
@@ -3609,7 +3660,7 @@ function legacyEntryToProviderConfig(entry, baseUrl) {
   const apiKey = readString2(entry.api_key);
   const keyEnv = readString2(entry.key_env) ?? parseEnvReference(apiKey);
   if (keyEnv) {
-    next.key_env = keyEnv;
+    next.api_key = `\${${keyEnv}}`;
   } else if (apiKey) {
     next.api_key = apiKey;
   }
@@ -3643,6 +3694,15 @@ function legacyEntryToProviderConfig(entry, baseUrl) {
   }
   return next;
 }
+function normalizeProviderCredentialReference(entry) {
+  const apiKey = readString2(entry.api_key);
+  const keyEnv = readString2(entry.key_env) ?? parseEnvReference(apiKey);
+  if (!keyEnv) {
+    return;
+  }
+  entry.api_key = `\${${keyEnv}}`;
+  delete entry.key_env;
+}
 function normalizeEntryModelsMap(entry) {
   const models = entry.models;
   if (typeof models === "object" && models !== null && !Array.isArray(models)) {
@@ -3780,8 +3840,8 @@ function writeProviderEndpointConfig(entry, input, keyEnv) {
     delete entry.contextLength;
   }
   if (keyEnv) {
-    entry.key_env = keyEnv;
-    delete entry.api_key;
+    entry.api_key = `\${${keyEnv}}`;
+    delete entry.key_env;
   } else {
     delete entry.key_env;
   }
@@ -4041,22 +4101,18 @@ function managedModelPreferenceScore(model) {
   return (model.isDefault ? 1e3 : 0) + (model.credentialState === "configured" ? 200 : 0) + (model.credentialState === "missing" ? 50 : 0) + (model.source === "auth_store" ? 100 : 0) + (model.credentialSource !== "unknown" ? 40 : 0) + (model.isReadOnly ? 10 : 0);
 }
 function matchesDefaultModelConfig(input) {
-  if (!input.defaultModel || input.id !== input.defaultModel) {
-    return false;
-  }
-  const defaultApiMode = input.modelConfig.apiMode?.trim();
-  if (defaultApiMode && input.apiMode !== defaultApiMode) {
+  if (!input.defaultModel) {
     return false;
   }
-  const defaultBaseUrl = input.modelConfig.baseUrl;
-  if (defaultBaseUrl?.trim()) {
-    return normalizeBaseUrl(input.baseUrl) === normalizeBaseUrl(defaultBaseUrl);
-  }
-  const defaultProvider = input.modelConfig.provider?.trim();
-  if (defaultProvider) {
-    return input.provider === defaultProvider;
-  }
-  return true;
+  return modelConfigMatchesModelIdentity(
+    { ...input.modelConfig, model: input.defaultModel },
+    {
+      id: input.id,
+      provider: input.provider,
+      baseUrl: input.baseUrl,
+      apiMode: input.apiMode
+    }
+  );
 }
 function providerEntryMatchesManagedModel(entry, model) {
   const providerName = readString2(entry.name) ?? readString2(entry.provider_name) ?? readString2(entry.provider_key) ?? "Custom Provider";
@@ -4266,6 +4322,29 @@ function resolveCompressionModel(config, models) {
 function findManagedModelById(models, id) {
   return models.find((model) => model.id === id);
 }
+function modelConfigMatchesModelIdentity(modelConfig, input) {
+  if (modelConfig.model !== input.id) {
+    return false;
+  }
+  const provider = input.provider?.trim();
+  const configProvider = modelConfig.provider?.trim();
+  if (provider && configProvider && configProvider !== provider) {
+    return false;
+  }
+  const baseUrl = input.baseUrl?.trim();
+  if (baseUrl !== void 0 && normalizeBaseUrl(modelConfig.baseUrl ?? "") !== normalizeBaseUrl(baseUrl)) {
+    return false;
+  }
+  const apiMode = input.apiMode?.trim();
+  if (apiMode) {
+    const providerForApiMode = configProvider ?? provider ?? "default";
+    const configBaseUrl = modelConfig.baseUrl ?? baseUrl ?? "";
+    if (inferApiMode(providerForApiMode, configBaseUrl, modelConfig.apiMode) !== apiMode) {
+      return false;
+    }
+  }
+  return true;
+}
 function findManagedModel(models, input) {
   const provider = input.provider?.trim();
   const baseUrl = input.baseUrl?.trim();
@@ -4430,7 +4509,7 @@ function retainModelDefaultAsProvider(providers, model) {
     writeEntryModelSupportsVision(entry, id, model.supportsVision);
   }
   if (model.keyEnv) {
-    entry.key_env = model.keyEnv;
+    entry.api_key = `\${${model.keyEnv}}`;
   } else if (model.apiKey) {
     entry.api_key = model.apiKey;
   }
@@ -4891,6 +4970,7 @@ function readPositiveInteger(value) {
 function profilePermissionsFromConfig(profileName, configPath, config, env) {
   const approvals = toRecord(config.approvals);
   const terminal = toRecord(config.terminal);
+  const envPath = resolveHermesEnvPath(profileName);
   const platformToolsets = toRecord(config.platform_toolsets);
   const apiServerToolsets = readStringList(platformToolsets.api_server);
   const hasExplicitToolsets = apiServerToolsets.some(
@@ -4904,6 +4984,7 @@ function profilePermissionsFromConfig(profileName, configPath, config, env) {
   return {
     profileName,
     configPath,
+    envPath,
     approvals: {
       mode: readApprovalMode(approvals.mode),
       timeout: readPositiveInteger(approvals.timeout) ?? 60,
@@ -4917,6 +4998,11 @@ function profilePermissionsFromConfig(profileName, configPath, config, env) {
       containerDisk: readPositiveInteger(terminal.container_disk) ?? null,
       containerPersistent: terminal.container_persistent !== false
     },
+    sudo: {
+      configured: isEnvValueConfigured(env.SUDO_PASSWORD) || isEnvValueConfigured(readString2(terminal.sudo_password)),
+      envKey: "SUDO_PASSWORD",
+      envPath
+    },
     toolsets: {
       items: PROFILE_PERMISSION_TOOLSETS.map((toolset) => {
         const configState = readToolsetConfigState(toolset.key, config, env);
@@ -5119,6 +5205,15 @@ function normalizeCronApprovalMode(value) {
   }
   throw new Error("approvals.cron_mode must be deny or approve");
 }
+function normalizeSudoPassword(value) {
+  if (!value) {
+    throw new Error("sudo.password must be non-empty");
+  }
+  if (value.includes("\n") || value.includes("\r") || value.includes("\0")) {
+    throw new Error("sudo.password must not contain line breaks");
+  }
+  return value;
+}
 function normalizeTerminalBackend(value) {
   const backend = value.trim().toLowerCase();
   if (TERMINAL_BACKENDS.has(backend)) {
@@ -5876,7 +5971,7 @@ async function readHermesApiServerEnvOverrides(profileName) {
   };
 }
 async function readHermesEnvFile(profileName) {
-  const envPath = path3.join(resolveHermesProfileDir(profileName), ".env");
+  const envPath = resolveHermesEnvPath(profileName);
   const raw = await readFile2(envPath, "utf8").catch((error) => {
     if (isNodeError3(error, "ENOENT")) {
       return "";
@@ -5900,7 +5995,7 @@ async function readHermesEnvFile(profileName) {
   return values;
 }
 async function writeHermesEnvValue(profileName, key, value) {
-  const envPath = path3.join(resolveHermesProfileDir(profileName), ".env");
+  const envPath = resolveHermesEnvPath(profileName);
   const existingRaw = await readFile2(envPath, "utf8").catch(
     (error) => {
       if (isNodeError3(error, "ENOENT")) {
@@ -5935,8 +6030,32 @@ async function writeHermesEnvValue(profileName, key, value) {
   }
   await atomicWriteFilePreservingMetadata(envPath, nextRaw);
 }
+async function deleteHermesEnvValue(profileName, key) {
+  const envPath = resolveHermesEnvPath(profileName);
+  const raw = await readFile2(envPath, "utf8").catch((error) => {
+    if (isNodeError3(error, "ENOENT")) {
+      return "";
+    }
+    throw error;
+  });
+  if (!raw) {
+    return false;
+  }
+  const keyPattern = new RegExp(`^(?:export\\s+)?${escapeRegExp(key)}=`, "u");
+  const lines = raw.split(/\r?\n/u);
+  const nextLines = lines.filter((line) => !keyPattern.test(line.trim()));
+  const nextRaw = nextLines.join("\n").replace(/\n*$/u, "\n");
+  if (nextRaw === raw) {
+    return false;
+  }
+  await atomicWriteFilePreservingMetadata(`${envPath}.bak.${Date.now()}`, raw, {
+    metadataSourcePath: envPath
+  });
+  await atomicWriteFilePreservingMetadata(envPath, nextRaw);
+  return true;
+}
 async function writeHermesApiServerEnv(profileName, config, options = {}) {
-  const envPath = path3.join(resolveHermesProfileDir(profileName), ".env");
+  const envPath = resolveHermesEnvPath(profileName);
   const existingRaw = await readFile2(envPath, "utf8").catch(
     (error) => {
       if (isNodeError3(error, "ENOENT")) {
@@ -5960,7 +6079,7 @@ async function writeHermesApiServerEnv(profileName, config, options = {}) {
   );
 }
 async function writeHermesEnvValues(profileName, values, existingRaw) {
-  const envPath = path3.join(resolveHermesProfileDir(profileName), ".env");
+  const envPath = resolveHermesEnvPath(profileName);
   const raw = existingRaw ?? await readFile2(envPath, "utf8").catch((error) => {
     if (isNodeError3(error, "ENOENT")) {
       return "";
@@ -6454,7 +6573,7 @@ function isConversationMissingError(error) {
 }
 
 // src/constants.ts
-var LINK_VERSION = "0.7.5-beta.0";
+var LINK_VERSION = "0.7.6";
 var LINK_COMMAND = "hermeslink";
 var LINK_DEFAULT_PORT = 52379;
 var LINK_RUNTIME_DIR_NAME = ".hermeslink";
@@ -25802,7 +25921,9 @@ function registerModelConfigRoutes(router, options) {
     const body = await readJsonBody(ctx.req);
     try {
       const result = await saveHermesModelConfig(readModelConfigInput(body));
-      ctx.body = shouldReloadGatewayAfterModelConfigChange(body) ? await reloadGatewayAfterModelConfigChange(result, {
+      ctx.body = shouldReloadGatewayAfterModelConfigChange(body, {
+        defaultReload: true
+      }) ? await reloadGatewayAfterModelConfigChange(result, {
         paths,
         logger
       }) : markModelConfigAppliedWithoutGatewayReload(result);
@@ -25848,7 +25969,9 @@ function registerModelConfigRoutes(router, options) {
         readModelConfigInput(body),
         ctx.params.name
       );
-      ctx.body = shouldReloadGatewayAfterModelConfigChange(body) ? await reloadGatewayAfterProfileModelConfigChange(result, {
+      ctx.body = shouldReloadGatewayAfterModelConfigChange(body, {
+        defaultReload: true
+      }) ? await reloadGatewayAfterProfileModelConfigChange(result, {
         paths,
         logger,
         profileName: ctx.params.name
@@ -26001,15 +26124,20 @@ function readModelConfigImportInput(body) {
     setDefault: readBoolean3(body.set_default ?? body.setDefault)
   };
 }
-function shouldReloadGatewayAfterModelConfigChange(body) {
-  const explicit = readBoolean3(body.reload_gateway ?? body.reloadGateway) ?? (readBoolean3(body.skip_gateway_reload ?? body.skipGatewayReload) === true ? false : void 0);
-  return explicit ?? false;
+function shouldReloadGatewayAfterModelConfigChange(body, options = {}) {
+  if (readBoolean3(body.skip_gateway_reload ?? body.skipGatewayReload) === true) {
+    return false;
+  }
+  if (readBoolean3(body.reload_gateway ?? body.reloadGateway) === true) {
+    return true;
+  }
+  return options.defaultReload === true;
 }
 function markModelConfigAppliedWithoutGatewayReload(result) {
   return {
     ...result,
     requiresGatewayReload: false,
-    restartHint: "\u6A21\u578B\u914D\u7F6E\u5DF2\u4FDD\u5B58\u3002\u65B0\u7684 Run \u4F1A\u76F4\u63A5\u8BFB\u53D6\u6700\u65B0\u914D\u7F6E\uFF0C\u65E0\u9700\u91CD\u8F7D Hermes Gateway\u3002"
+    restartHint: "\u6A21\u578B\u914D\u7F6E\u5DF2\u4FDD\u5B58\uFF0C\u5DF2\u6309\u8BF7\u6C42\u8DF3\u8FC7 Hermes Gateway \u91CD\u8F7D\u3002\u82E5\u521A\u4FEE\u6539 API Key\u3001Base URL \u6216 API Mode\uFF0C\u8BF7\u624B\u52A8\u91CD\u8F7D Gateway \u540E\u518D\u5F00\u59CB\u65B0\u7684 Run\u3002"
   };
 }
 function toModelConfigHttpError(error) {
@@ -27310,6 +27438,17 @@ function readProfilePermissionsInput(body) {
       )
     };
   }
+  const sudo = readOptionalObject(body, "sudo");
+  if (sudo) {
+    const clear = readBoolean3(sudo.clear ?? sudo.remove ?? sudo.delete);
+    const sudoInput = {
+      password: readRawString(sudo, "password") ?? readRawString(sudo, "sudo_password") ?? readRawString(sudo, "sudoPassword") ?? void 0,
+      clear: clear === true ? true : void 0
+    };
+    if (sudoInput.password !== void 0 || sudoInput.clear !== void 0) {
+      input.sudo = sudoInput;
+    }
+  }
   const toolsets = readOptionalObject(body, "toolsets");
   if (toolsets) {
     input.toolsets = {
@@ -27343,6 +27482,10 @@ function readOptionalObject(body, key) {
   }
   return value;
 }
+function readRawString(body, key) {
+  const value = body[key];
+  return typeof value === "string" ? value : null;
+}
 function readStringListValue(value, field) {
   if (value === void 0) {
     return null;

package/dist/cli/index.js

@@ -53,7 +53,7 @@ import {
   stopDaemonProcess,
   summarizeUsageProbeEnsure,
   translate
-} from "../chunk-E7KAHPLU.js";
+} from "../chunk-P54DBGLE.js";
 
 // src/cli/index.ts
 import { Command } from "commander";

package/dist/http/app.js

@@ -1,6 +1,6 @@
 import {
   createApp
-} from "../chunk-E7KAHPLU.js";
+} from "../chunk-P54DBGLE.js";
 export {
   createApp
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hermespilot/link",
-  "version": "0.7.5-beta.0",
+  "version": "0.7.6",
   "private": false,
   "description": "Hermes Link companion service and CLI for connecting hermes-agent through HermesPilot",
   "license": "MIT",