sillytavern 1.16.0 → 1.18.0

package/.dockerignore

@@ -11,6 +11,7 @@
 /docker/extensions
 /docker/data
 /docker/plugins
+/docker/dist
 /public/scripts/extensions/third-party
 
 # --- Plugins (keep only package files) ---

package/.eslintrc.cjs

@@ -102,5 +102,28 @@ module.exports = {
         // These rules should eventually be enabled.
         'no-async-promise-executor': 'off',
         'no-inner-declarations': 'off',
+        // Additional formatting rules based on codebase conventions
+        'brace-style': ['error', '1tbs', { allowSingleLine: true }],
+        'array-bracket-spacing': ['error', 'never'],
+        'computed-property-spacing': ['error', 'never'],
+        'block-spacing': ['error', 'always'],
+        'keyword-spacing': ['error', { before: true, after: true }],
+        'space-before-blocks': ['error', 'always'],
+        'space-before-function-paren': ['error', { anonymous: 'always', named: 'never', asyncArrow: 'always' }],
+        'space-in-parens': ['error', 'never'],
+        'comma-spacing': ['error', { before: false, after: true }],
+        'key-spacing': ['error', { beforeColon: false, afterColon: true }],
+        'func-call-spacing': ['error', 'never'],
+        'no-multiple-empty-lines': ['error', { max: 2, maxEOF: 1, maxBOF: 0 }],
+        'padded-blocks': ['error', 'never'],
+        'no-whitespace-before-property': 'error',
+        'space-unary-ops': ['error', { words: true, nonwords: false }],
+        'arrow-spacing': ['error', { before: true, after: true }],
+        'template-curly-spacing': ['error', 'never'],
+        'rest-spread-spacing': ['error', 'never'],
+        'generator-star-spacing': ['error', { before: false, after: true }],
+        'yield-star-spacing': ['error', { before: false, after: true }],
+        'template-tag-spacing': ['error', 'never'],
+        'switch-colon-spacing': ['error', { after: true, before: false }],
     },
 };

package/Dockerfile

@@ -19,7 +19,7 @@ COPY --chown=node:node . ./
 
 RUN \
   echo "*** Install npm packages ***" && \
-  npm ci --no-audit --no-fund --loglevel=error --no-progress --omit=dev && npm cache clean --force
+  npm ci --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts && npm cache clean --force
 
 # Create config directory and link config.yaml. Added hardcoded dirs(constants.js?)
 # that must be present for Non-Root Mode and volumeless docker runs.

package/Start.bat

@@ -1,7 +1,7 @@
 @echo off
 pushd %~dp0
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 pause
 popd

package/UpdateAndStart.bat

@@ -20,7 +20,7 @@ if %errorlevel% neq 0 (
     )
 )
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 :end
 pause

package/UpdateForkAndStart.bat

@@ -102,7 +102,7 @@ if %errorlevel% neq 0 (
 
 echo Installing npm packages and starting server
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 
 :end

package/default/config.yaml

@@ -41,6 +41,9 @@ port: 8000
 # Interval in seconds to write a heartbeat file. Set to 0 to disable.
 # This is used primarily for Docker healthchecks.
 heartbeatInterval: 0
+# Enable HTTP/HTTPS keep-alive globally.
+# Disabling restores old Node 18 behavior, can help if ECONNRESET and other network errors occur.
+enableKeepAlive: false
 # -- SSL options --
 ssl:
   # Enable SSL/TLS encryption
@@ -55,7 +58,7 @@ ssl:
 # -- SECURITY CONFIGURATION --
 # Toggle whitelist mode
 whitelistMode: true
-# Whitelist will also verify IP in X-Forwarded-For / X-Real-IP headers
+# When enabled, whitelist will also verify IP in headers enabled in `forwardedHeaders` section.
 enableForwardedWhitelist: true
 # Whitelist of allowed IP addresses
 whitelist:
@@ -127,6 +130,13 @@ sso:
   # as that used for authentik. (Ensure the username in authentik
   # is an exact match in lowercase with that in sillytavern).
   authentikAuth: false
+  # List of trusted proxy IPs for SSO authentication.
+  # Supports wildcards or CIDR notation for subnets.
+  # Example: ['127.0.0.1', '192.168.1.1']
+  # Set to ['*'] to trust all proxies (NOT RECOMMENDED unless you have other security measures in place)
+  trustedProxies:
+    - ::1
+    - 127.0.0.1
 
 # Host whitelist configuration. Recommended if you're using a listen mode
 hostWhitelist:
@@ -141,6 +151,26 @@ hostWhitelist:
   # - .trycloudflare.com
   hosts: []
 
+# Perform whitelist checks against server-side HTTP requests that resolve to private IP addresses.
+# This is an additional layer of security to prevent Server-Side Request Forgery (SSRF) attacks.
+# Recommended when listen mode is enabled, or if your server is accessible by untrusted users.
+privateAddressWhitelist:
+  # Enable private address whitelist to block requests to private IP ranges.
+  enabled: false
+  # If true, requests to hosts that cannot be resolved will be allowed instead of blocked.
+  allowUnresolvedHosts: false
+  # Log blocked and allowed requests to the console.
+  log:
+    # Log blocked requests to the console with a warning message
+    blockedRequests: true
+    # Log allowed requests to the console with an info message
+    allowedRequests: false
+  # List of allowed private IP ranges (in CIDR notation or wildcard format).
+  # Allows loopback IP ranges by default, but you can customize this list to fit your needs.
+  allowedRanges:
+    - '127.0.0.0/8'      # Loopback (IPv4)
+    - '::1/128'          # Loopback (IPv6)
+
 # User session timeout *in seconds* (defaults to 24 hours).
 ## Set to a positive number to expire session after a certain time of inactivity
 ## Set to 0 to expire session when the browser is closed
@@ -159,12 +189,29 @@ logging:
   minLogLevel: 0
 # -- RATE LIMITING CONFIGURATION --
 rateLimiting:
-  # Use X-Real-IP header instead of socket IP for rate limiting
-  # Only enable this if you are using a properly configured reverse proxy (like Nginx/traefik/Caddy)
+  # Use any of the enabled headers in the `forwardedHeaders` section to identify the client IP for rate limiting.
+  # If disabled, only the socket IP will be used, which may not work correctly if you are behind a reverse proxy.
   preferRealIpHeader: false
+  # Set the maximum number of allowed failed basic authentication attempts before rate limiting is applied. Set to 0 to disable rate limiting for basic auth.
+  basicAuthMaxAttempts: 5
+  # Set the maximum number of allowed failed account login attempts before rate limiting is applied. Set to 0 to disable rate limiting for account logins.
+  accountsLoginMaxAttempts: 5
+  # Set the maximum number of allowed failed account recovery attempts before rate limiting is applied. Set to 0 to disable rate limiting for account recovery.
+  accountsRecoverMaxAttempts: 5
+# Set to true to enable support for real IPs in certain request headers for features like IP whitelisting, rate limiting and access logging.
+# Only change if you are sure that you use a correctly configured reverse proxy, otherwise this may lead to IP spoofing.
+forwardedHeaders:
+  # X-Real-IP header (common with Nginx and Caddy)
+  xRealIp: true
+  # X-Forwarded-For header (common with many proxies, but may contain multiple IPs - only the first one will be used)
+  xForwardedFor: true
+  # CF-Connecting-IP header (used by Cloudflare Tunnels)
+  cfConnectingIp: false
 
 ## BACKUP CONFIGURATION
 backups:
+  # Allow users to create a full backup archive of their data
+  allowFullDataBackup: true
   # Common settings for all backup types
   common:
     # Number of backups to keep for each chat and settings file
@@ -202,6 +249,16 @@ performance:
   memoryCacheCapacity: '100mb'
   # Enables disk caching for character cards. Improves performances with large card libraries.
   useDiskCache: true
+  # Configures gzip compression for client requests with large payloads (e.g. settings or chat saves).
+  requestCompression:
+    # Enable request compression.
+    enabled: false
+    # Minimum payload size to trigger compression. Set to 0 to compress all requests regardless of size.
+    minPayloadSize: '256kb'
+    # Hard upper payload size limit for compression. Set to 0 to allow compression of any size.
+    maxPayloadSize: '8mb'
+    # Timeout for request compression in milliseconds.
+    timeout: 4000
 
 # CACHE BUSTER CONFIGURATION
 # IMPORTANT: Requires localhost or a domain with HTTPS, otherwise will not work!
@@ -250,6 +307,13 @@ extensions:
     speechToText: Xenova/whisper-small
     textToSpeech: Xenova/speecht5_tts
 
+# Git backend for plugin/extension repository operations.
+# - Use "auto" to prefer system git, falling back to the integrated backend
+# - Use "system" to force system backend
+# - Use "builtin" to force integrated backend
+git:
+  backend: auto
+
 # Additional model tokenizers can be downloaded on demand.
 # Disabling will fallback to another locally available tokenizer.
 enableDownloadableTokenizers: true
@@ -293,7 +357,7 @@ claude:
   # Otherwise, you'll just waste money on cache misses.
   enableSystemPromptCache: false
   # Enables caching of the message history at depth (if supported).
-  # https://docs.anthropic.com/en/docs/build-with-claude/prompt-caching
+  # https://platform.claude.com/docs/en/build-with-claude/prompt-caching
   # -- IMPORTANT! --
   # Use with caution. Behavior may be unpredictable and no guarantees can or will be made.
   # Set to an integer to specify the desired depth. 0 (which does NOT include the prefill)
@@ -304,6 +368,10 @@ claude:
   ## 5m: base price x 1.25
   ## 1h: base price x 2
   extendedTTL: false
+  # Enables adaptive thinking for supported models (Opus 4.6+).
+  # Disable to enforce legacy thinking mode (with thinking budget).
+  # https://platform.claude.com/docs/en/build-with-claude/adaptive-thinking
+  enableAdaptiveThinking: false
 # -- GOOGLE GEMINI API CONFIGURATION --
 gemini:
   # API endpoint version ("v1beta" or "v1alpha")

package/default/{public/error → content/errors}/url-not-found.html

@@ -2,11 +2,11 @@
 <html>
 
 <head>
-    <title>Not found</title>
+    <title>Not Found</title>
 </head>
 
 <body>
-    <h1>Not found</h1>
+    <h1>Not Found</h1>
     <p>
         The requested URL was not found on this server.
     </p>

package/default/content/index.json

@@ -638,5 +638,41 @@
     {
         "filename": "presets/reasoning/OpenAI Harmony.json",
         "type": "reasoning"
+    },
+    {
+        "filename": "presets/reasoning/Think XML.json",
+        "type": "reasoning"
+    },
+    {
+        "filename": "presets/reasoning/Gemma 4.json",
+        "type": "reasoning"
+    },
+    {
+        "filename": "presets/instruct/Gemma 4.json",
+        "type": "instruct"
+    },
+    {
+        "filename": "presets/context/Gemma 4.json",
+        "type": "context"
+    },
+    {
+        "filename": "user.css",
+        "type": "stylesheet"
+    },
+    {
+        "filename": "errors/forbidden-by-whitelist.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/host-not-allowed.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/unauthorized.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/url-not-found.html",
+        "type": "error_page"
     }
 ]

package/default/content/presets/context/Gemma 4.json

@@ -0,0 +1,14 @@
+{
+    "story_string": "{{#if anchorBefore}}{{anchorBefore}}\n{{/if}}{{#if system}}{{system}}\n{{/if}}{{#if wiBefore}}{{wiBefore}}\n{{/if}}{{#if description}}{{description}}\n{{/if}}{{#if personality}}{{personality}}\n{{/if}}{{#if scenario}}{{scenario}}\n{{/if}}{{#if wiAfter}}{{wiAfter}}\n{{/if}}{{#if persona}}{{persona}}\n{{/if}}{{#if anchorAfter}}{{anchorAfter}}\n{{/if}}{{trim}}",
+    "example_separator": "",
+    "chat_start": "",
+    "use_stop_strings": false,
+    "names_as_stop_strings": true,
+    "story_string_position": 0,
+    "story_string_depth": 1,
+    "story_string_role": 0,
+    "always_force_name2": true,
+    "trim_sentences": false,
+    "single_line": false,
+    "name": "Gemma 4"
+}

package/default/content/presets/instruct/Gemma 4.json

@@ -0,0 +1,25 @@
+{
+    "input_sequence": "<|turn>user\n",
+    "output_sequence": "<|turn>model\n",
+    "last_output_sequence": "",
+    "system_sequence": "<|turn>system\n",
+    "stop_sequence": "<turn|>",
+    "wrap": false,
+    "macro": true,
+    "names_behavior": "force",
+    "activation_regex": "",
+    "first_output_sequence": "",
+    "skip_examples": false,
+    "output_suffix": "<turn|>\n",
+    "input_suffix": "<turn|>\n",
+    "system_suffix": "<turn|>\n",
+    "user_alignment_message": "",
+    "system_same_as_user": false,
+    "last_system_sequence": "",
+    "first_input_sequence": "",
+    "last_input_sequence": "",
+    "sequences_as_stop_strings": true,
+    "story_string_prefix": "<|turn>system\n",
+    "story_string_suffix": "<turn|>\n",
+    "name": "Gemma 4"
+}

package/default/content/presets/instruct/KoboldAI.json

@@ -1,6 +1,6 @@
 {
     "input_sequence": "{{[INPUT]}}",
-    "output_sequence": "{{[OUPUT]}}",
+    "output_sequence": "{{[OUTPUT]}}",
     "last_output_sequence": "",
     "system_sequence": "{{[SYSTEM]}}",
     "stop_sequence": "",

package/default/content/presets/openai/Default.json

@@ -10,6 +10,8 @@
     "mistralai_model": "mistral-large-latest",
     "chutes_model": "deepseek-ai/DeepSeek-V3-0324",
     "chutes_sort_models": "alphabetically",
+    "minimax_model": "MiniMax-M2.7",
+    "minimax_endpoint": "global",
     "electronhub_model": "gpt-4o-mini",
     "electronhub_sort_models": "alphabetically",
     "electronhub_group_models": false,

package/default/content/presets/reasoning/Gemma 4.json

@@ -0,0 +1,6 @@
+{
+    "name": "Gemma 4",
+    "prefix": "<|channel>thought\n",
+    "suffix": "<channel|>",
+    "separator": "\n\n"
+}

package/default/content/presets/reasoning/Think XML.json

@@ -0,0 +1,6 @@
+{
+    "name": "Think XML",
+    "prefix": "<think>",
+    "suffix": "</think>",
+    "separator": "\n"
+}

package/default/content/settings.json

@@ -191,7 +191,7 @@
         "custom_stopping_strings_macro": true,
         "fuzzy_search": true,
         "encode_tags": false,
-        "experimental_macro_engine": false,
+        "experimental_macro_engine": true,
         "enableLabMode": false,
         "enableZenSliders": false,
         "ui_mode": 1,

package/docker/docker-entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Function to handle startup logic (Config check + Postinstall + Start)
+# Function to handle startup logic (Config check + init + Start)
 start_sillytavern() {
     local PREFIX="$1"
     shift # Remove the first argument (PREFIX) so $@ contains the rest
@@ -11,8 +11,8 @@ start_sillytavern() {
         $PREFIX cp "default/config.yaml" "config/config.yaml"
     fi
 
-    # Execute postinstall to auto-populate config.yaml with missing values
-    $PREFIX npm run postinstall
+    # Execute init script to auto-populate config.yaml with missing values
+    $PREFIX npm run init
 
     # Start the server
     exec $PREFIX node server.js --listen "$@"

package/index.d.ts

@@ -40,7 +40,11 @@ declare global {
             /**
              * Authenticated user handle.
              */
-            handle: string;
+            handle: string | null;
+            /**
+             * Account version tag: shake256 derivative of password hash and salt.
+             */
+            version: string | null;
             /**
              * Last time the session was extended.
              */

package/package.json

@@ -29,13 +29,14 @@
         "@mozilla/readability": "^0.6.0",
         "@popperjs/core": "^2.11.8",
         "@zeldafan0225/ai_horde": "^5.2.0",
+        "agent-base": "^7.1.3",
         "archiver": "^7.0.1",
         "bing-translate-api": "^4.1.0",
         "body-parser": "^1.20.2",
         "bowser": "^2.12.1",
         "bytes": "^3.1.2",
         "chalk": "^5.6.0",
-        "chevrotain": "^11.1.1",
+        "chevrotain": "^11.2.0",
         "command-exists": "^1.2.9",
         "compression": "^1.8.1",
         "cookie-parser": "^1.4.6",
@@ -44,14 +45,15 @@
         "crc": "^4.3.2",
         "csrf-sync": "^4.2.1",
         "diff-match-patch": "^1.0.5",
-        "dompurify": "^3.2.6",
+        "dompurify": "^3.4.2",
         "droll": "^0.2.1",
         "env-paths": "^3.0.0",
         "express": "^4.21.0",
+        "fflate": "^0.8.2",
         "form-data": "^4.0.4",
         "fuse.js": "^7.1.0",
         "google-translate-api-x": "^10.7.2",
-        "handlebars": "^4.7.8",
+        "handlebars": "^4.7.9",
         "helmet": "^8.1.0",
         "highlight.js": "^11.11.1",
         "host-validation-middleware": "^0.1.1",
@@ -62,12 +64,14 @@
         "ip-regex": "^5.0.0",
         "ipaddr.js": "^2.2.0",
         "is-docker": "^3.0.0",
+        "isomorphic-git": "^1.36.3",
+        "js-sha256": "^0.11.1",
         "localforage": "^1.10.0",
-        "lodash": "^4.17.21",
+        "lodash": "^4.18.1",
         "mime-types": "^3.0.2",
         "moment": "^2.30.1",
         "morphdom": "^2.7.7",
-        "multer": "^2.0.2",
+        "multer": "^2.1.1",
         "node-fetch": "^3.3.2",
         "node-persist": "^4.0.4",
         "open": "^10.2.0",
@@ -80,21 +84,21 @@
         "seedrandom": "^3.0.5",
         "showdown": "^2.1.0",
         "sillytavern-transformers": "2.14.6",
-        "simple-git": "^3.28.0",
+        "simple-git": "^3.33.0",
         "slidetoggle": "^4.0.0",
         "tiktoken": "^1.0.22",
         "url-join": "^5.0.0",
         "vectra": "^0.2.2",
         "wavefile": "^11.0.0",
-        "webpack": "^5.98.0",
+        "webpack": "^5.105.4",
         "write-file-atomic": "^5.0.1",
         "ws": "^8.18.3",
-        "yaml": "^2.8.1",
+        "yaml": "^2.8.3",
         "yargs": "^17.7.1",
-        "yauzl": "^3.2.0"
+        "yauzl": "^3.2.1"
     },
     "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
     },
     "overrides": {
         "vectra": {
@@ -111,8 +115,9 @@
         "type": "git",
         "url": "https://github.com/SillyTavern/SillyTavern.git"
     },
-    "version": "1.16.0",
+    "version": "1.18.0",
     "scripts": {
+        "init": "node src/server-init.js",
         "start": "node server.js",
         "debug": "node --inspect server.js",
         "start:global": "node server.js --global",
@@ -120,7 +125,6 @@
         "start:deno": "deno run --allow-run --allow-net --allow-read --allow-write --allow-sys --allow-env server.js",
         "start:bun": "bun server.js",
         "start:no-csrf": "node server.js --disableCsrf",
-        "postinstall": "node post-install.js",
         "lint": "eslint \"src/**/*.js\" \"public/**/*.js\" ./*.js",
         "lint:fix": "eslint \"src/**/*.js\" \"public/**/*.js\" ./*.js --fix",
         "plugins:update": "node plugins update",
@@ -135,7 +139,7 @@
     },
     "main": "server.js",
     "devDependencies": {
-        "@chevrotain/types": "^11.0.3",
+        "@chevrotain/types": "^11.2.0",
         "@types/archiver": "^6.0.3",
         "@types/bytes": "^3.1.5",
         "@types/command-exists": "^1.2.3",
@@ -149,9 +153,9 @@
         "@types/jquery-cropper": "^1.0.4",
         "@types/jquery.transit": "^0.9.33",
         "@types/jqueryui": "^1.12.24",
-        "@types/lodash": "^4.17.20",
+        "@types/lodash": "^4.17.24",
         "@types/mime-types": "^3.0.1",
-        "@types/multer": "^2.0.0",
+        "@types/multer": "^2.1.0",
         "@types/node": "^18.19.84",
         "@types/node-persist": "^3.1.8",
         "@types/png-chunk-text": "^1.0.3",
@@ -165,6 +169,7 @@
         "eslint": "^8.57.1",
         "eslint-plugin-jest": "^27.9.0",
         "eslint-plugin-jsdoc": "^48.10.0",
-        "eslint-plugin-playwright": "^2.3.0"
+        "eslint-plugin-playwright": "^2.3.0",
+        "typescript": "^5.9.3"
     }
 }

package/plugins.js

@@ -9,11 +9,13 @@ import process from 'node:process';
 import { fileURLToPath } from 'node:url';
 
 import { default as git, CheckRepoActions } from 'simple-git';
+import { createGitClient } from './src/git/client.js';
 import { color } from './src/util.js';
 
 const __dirname = import.meta.dirname ?? path.dirname(fileURLToPath(import.meta.url));
 process.chdir(__dirname);
 const pluginsPath = './plugins';
+const gitBackend = process.env.SILLYTAVERN_GIT_BACKEND || 'auto';
 
 const command = process.argv[2];
 
@@ -87,10 +89,9 @@ async function installPlugin(pluginName) {
             return console.log(color.yellow(`Directory already exists at ${pluginPath}`));
         }
 
-        await git().clone(pluginName, pluginPath, { '--depth': 1 });
+        await createGitClient({ backend: gitBackend }).clone(pluginName, pluginPath, { depth: 1 });
         console.log(`Plugin ${color.green(pluginName)} installed to ${color.cyan(pluginPath)}`);
-    }
-    catch (error) {
+    } catch (error) {
         console.error(color.red(`Failed to install plugin ${pluginName}`), error);
     }
 }

package/public/css/!USER-CSS-README.md

@@ -0,0 +1,7 @@
+# Looking for user.css?
+
+user.css is now located under your data root directory in the "_css" folder.
+
+Example for the default data root:
+
+/data/_css/user.css