sillytavern 1.17.0 → 1.18.0

package/Dockerfile

@@ -19,7 +19,7 @@ COPY --chown=node:node . ./
 
 RUN \
   echo "*** Install npm packages ***" && \
-  npm ci --no-audit --no-fund --loglevel=error --no-progress --omit=dev && npm cache clean --force
+  npm ci --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts && npm cache clean --force
 
 # Create config directory and link config.yaml. Added hardcoded dirs(constants.js?)
 # that must be present for Non-Root Mode and volumeless docker runs.

package/Start.bat

@@ -1,7 +1,7 @@
 @echo off
 pushd %~dp0
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 pause
 popd

package/UpdateAndStart.bat

@@ -20,7 +20,7 @@ if %errorlevel% neq 0 (
     )
 )
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 :end
 pause

package/UpdateForkAndStart.bat

@@ -102,7 +102,7 @@ if %errorlevel% neq 0 (
 
 echo Installing npm packages and starting server
 set NODE_ENV=production
-call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev
+call npm install --no-save --no-audit --no-fund --loglevel=error --no-progress --omit=dev --ignore-scripts
 node server.js %*
 
 :end

package/default/config.yaml

@@ -41,6 +41,9 @@ port: 8000
 # Interval in seconds to write a heartbeat file. Set to 0 to disable.
 # This is used primarily for Docker healthchecks.
 heartbeatInterval: 0
+# Enable HTTP/HTTPS keep-alive globally.
+# Disabling restores old Node 18 behavior, can help if ECONNRESET and other network errors occur.
+enableKeepAlive: false
 # -- SSL options --
 ssl:
   # Enable SSL/TLS encryption
@@ -55,7 +58,7 @@ ssl:
 # -- SECURITY CONFIGURATION --
 # Toggle whitelist mode
 whitelistMode: true
-# Whitelist will also verify IP in X-Forwarded-For / X-Real-IP headers
+# When enabled, whitelist will also verify IP in headers enabled in `forwardedHeaders` section.
 enableForwardedWhitelist: true
 # Whitelist of allowed IP addresses
 whitelist:
@@ -127,6 +130,13 @@ sso:
   # as that used for authentik. (Ensure the username in authentik
   # is an exact match in lowercase with that in sillytavern).
   authentikAuth: false
+  # List of trusted proxy IPs for SSO authentication.
+  # Supports wildcards or CIDR notation for subnets.
+  # Example: ['127.0.0.1', '192.168.1.1']
+  # Set to ['*'] to trust all proxies (NOT RECOMMENDED unless you have other security measures in place)
+  trustedProxies:
+    - ::1
+    - 127.0.0.1
 
 # Host whitelist configuration. Recommended if you're using a listen mode
 hostWhitelist:
@@ -141,6 +151,26 @@ hostWhitelist:
   # - .trycloudflare.com
   hosts: []
 
+# Perform whitelist checks against server-side HTTP requests that resolve to private IP addresses.
+# This is an additional layer of security to prevent Server-Side Request Forgery (SSRF) attacks.
+# Recommended when listen mode is enabled, or if your server is accessible by untrusted users.
+privateAddressWhitelist:
+  # Enable private address whitelist to block requests to private IP ranges.
+  enabled: false
+  # If true, requests to hosts that cannot be resolved will be allowed instead of blocked.
+  allowUnresolvedHosts: false
+  # Log blocked and allowed requests to the console.
+  log:
+    # Log blocked requests to the console with a warning message
+    blockedRequests: true
+    # Log allowed requests to the console with an info message
+    allowedRequests: false
+  # List of allowed private IP ranges (in CIDR notation or wildcard format).
+  # Allows loopback IP ranges by default, but you can customize this list to fit your needs.
+  allowedRanges:
+    - '127.0.0.0/8'      # Loopback (IPv4)
+    - '::1/128'          # Loopback (IPv6)
+
 # User session timeout *in seconds* (defaults to 24 hours).
 ## Set to a positive number to expire session after a certain time of inactivity
 ## Set to 0 to expire session when the browser is closed
@@ -159,9 +189,24 @@ logging:
   minLogLevel: 0
 # -- RATE LIMITING CONFIGURATION --
 rateLimiting:
-  # Use X-Real-IP header instead of socket IP for rate limiting
-  # Only enable this if you are using a properly configured reverse proxy (like Nginx/traefik/Caddy)
+  # Use any of the enabled headers in the `forwardedHeaders` section to identify the client IP for rate limiting.
+  # If disabled, only the socket IP will be used, which may not work correctly if you are behind a reverse proxy.
   preferRealIpHeader: false
+  # Set the maximum number of allowed failed basic authentication attempts before rate limiting is applied. Set to 0 to disable rate limiting for basic auth.
+  basicAuthMaxAttempts: 5
+  # Set the maximum number of allowed failed account login attempts before rate limiting is applied. Set to 0 to disable rate limiting for account logins.
+  accountsLoginMaxAttempts: 5
+  # Set the maximum number of allowed failed account recovery attempts before rate limiting is applied. Set to 0 to disable rate limiting for account recovery.
+  accountsRecoverMaxAttempts: 5
+# Set to true to enable support for real IPs in certain request headers for features like IP whitelisting, rate limiting and access logging.
+# Only change if you are sure that you use a correctly configured reverse proxy, otherwise this may lead to IP spoofing.
+forwardedHeaders:
+  # X-Real-IP header (common with Nginx and Caddy)
+  xRealIp: true
+  # X-Forwarded-For header (common with many proxies, but may contain multiple IPs - only the first one will be used)
+  xForwardedFor: true
+  # CF-Connecting-IP header (used by Cloudflare Tunnels)
+  cfConnectingIp: false
 
 ## BACKUP CONFIGURATION
 backups:

package/default/{public/error → content/errors}/url-not-found.html

@@ -2,11 +2,11 @@
 <html>
 
 <head>
-    <title>Not found</title>
+    <title>Not Found</title>
 </head>
 
 <body>
-    <h1>Not found</h1>
+    <h1>Not Found</h1>
     <p>
         The requested URL was not found on this server.
     </p>

package/default/content/index.json

@@ -642,5 +642,37 @@
     {
         "filename": "presets/reasoning/Think XML.json",
         "type": "reasoning"
+    },
+    {
+        "filename": "presets/reasoning/Gemma 4.json",
+        "type": "reasoning"
+    },
+    {
+        "filename": "presets/instruct/Gemma 4.json",
+        "type": "instruct"
+    },
+    {
+        "filename": "presets/context/Gemma 4.json",
+        "type": "context"
+    },
+    {
+        "filename": "user.css",
+        "type": "stylesheet"
+    },
+    {
+        "filename": "errors/forbidden-by-whitelist.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/host-not-allowed.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/unauthorized.html",
+        "type": "error_page"
+    },
+    {
+        "filename": "errors/url-not-found.html",
+        "type": "error_page"
     }
 ]

package/default/content/presets/context/Gemma 4.json

@@ -0,0 +1,14 @@
+{
+    "story_string": "{{#if anchorBefore}}{{anchorBefore}}\n{{/if}}{{#if system}}{{system}}\n{{/if}}{{#if wiBefore}}{{wiBefore}}\n{{/if}}{{#if description}}{{description}}\n{{/if}}{{#if personality}}{{personality}}\n{{/if}}{{#if scenario}}{{scenario}}\n{{/if}}{{#if wiAfter}}{{wiAfter}}\n{{/if}}{{#if persona}}{{persona}}\n{{/if}}{{#if anchorAfter}}{{anchorAfter}}\n{{/if}}{{trim}}",
+    "example_separator": "",
+    "chat_start": "",
+    "use_stop_strings": false,
+    "names_as_stop_strings": true,
+    "story_string_position": 0,
+    "story_string_depth": 1,
+    "story_string_role": 0,
+    "always_force_name2": true,
+    "trim_sentences": false,
+    "single_line": false,
+    "name": "Gemma 4"
+}

package/default/content/presets/instruct/Gemma 4.json

@@ -0,0 +1,25 @@
+{
+    "input_sequence": "<|turn>user\n",
+    "output_sequence": "<|turn>model\n",
+    "last_output_sequence": "",
+    "system_sequence": "<|turn>system\n",
+    "stop_sequence": "<turn|>",
+    "wrap": false,
+    "macro": true,
+    "names_behavior": "force",
+    "activation_regex": "",
+    "first_output_sequence": "",
+    "skip_examples": false,
+    "output_suffix": "<turn|>\n",
+    "input_suffix": "<turn|>\n",
+    "system_suffix": "<turn|>\n",
+    "user_alignment_message": "",
+    "system_same_as_user": false,
+    "last_system_sequence": "",
+    "first_input_sequence": "",
+    "last_input_sequence": "",
+    "sequences_as_stop_strings": true,
+    "story_string_prefix": "<|turn>system\n",
+    "story_string_suffix": "<turn|>\n",
+    "name": "Gemma 4"
+}

package/default/content/presets/openai/Default.json

@@ -10,6 +10,8 @@
     "mistralai_model": "mistral-large-latest",
     "chutes_model": "deepseek-ai/DeepSeek-V3-0324",
     "chutes_sort_models": "alphabetically",
+    "minimax_model": "MiniMax-M2.7",
+    "minimax_endpoint": "global",
     "electronhub_model": "gpt-4o-mini",
     "electronhub_sort_models": "alphabetically",
     "electronhub_group_models": false,

package/default/content/presets/reasoning/Gemma 4.json

@@ -0,0 +1,6 @@
+{
+    "name": "Gemma 4",
+    "prefix": "<|channel>thought\n",
+    "suffix": "<channel|>",
+    "separator": "\n\n"
+}

package/docker/docker-entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Function to handle startup logic (Config check + Postinstall + Start)
+# Function to handle startup logic (Config check + init + Start)
 start_sillytavern() {
     local PREFIX="$1"
     shift # Remove the first argument (PREFIX) so $@ contains the rest
@@ -11,8 +11,8 @@ start_sillytavern() {
         $PREFIX cp "default/config.yaml" "config/config.yaml"
     fi
 
-    # Execute postinstall to auto-populate config.yaml with missing values
-    $PREFIX npm run postinstall
+    # Execute init script to auto-populate config.yaml with missing values
+    $PREFIX npm run init
 
     # Start the server
     exec $PREFIX node server.js --listen "$@"

package/index.d.ts

@@ -41,6 +41,10 @@ declare global {
              * Authenticated user handle.
              */
             handle: string | null;
+            /**
+             * Account version tag: shake256 derivative of password hash and salt.
+             */
+            version: string | null;
             /**
              * Last time the session was extended.
              */

package/package.json

@@ -29,13 +29,14 @@
         "@mozilla/readability": "^0.6.0",
         "@popperjs/core": "^2.11.8",
         "@zeldafan0225/ai_horde": "^5.2.0",
+        "agent-base": "^7.1.3",
         "archiver": "^7.0.1",
         "bing-translate-api": "^4.1.0",
         "body-parser": "^1.20.2",
         "bowser": "^2.12.1",
         "bytes": "^3.1.2",
         "chalk": "^5.6.0",
-        "chevrotain": "^11.1.1",
+        "chevrotain": "^11.2.0",
         "command-exists": "^1.2.9",
         "compression": "^1.8.1",
         "cookie-parser": "^1.4.6",
@@ -44,7 +45,7 @@
         "crc": "^4.3.2",
         "csrf-sync": "^4.2.1",
         "diff-match-patch": "^1.0.5",
-        "dompurify": "^3.2.6",
+        "dompurify": "^3.4.2",
         "droll": "^0.2.1",
         "env-paths": "^3.0.0",
         "express": "^4.21.0",
@@ -64,8 +65,9 @@
         "ipaddr.js": "^2.2.0",
         "is-docker": "^3.0.0",
         "isomorphic-git": "^1.36.3",
+        "js-sha256": "^0.11.1",
         "localforage": "^1.10.0",
-        "lodash": "^4.17.21",
+        "lodash": "^4.18.1",
         "mime-types": "^3.0.2",
         "moment": "^2.30.1",
         "morphdom": "^2.7.7",
@@ -113,8 +115,9 @@
         "type": "git",
         "url": "https://github.com/SillyTavern/SillyTavern.git"
     },
-    "version": "1.17.0",
+    "version": "1.18.0",
     "scripts": {
+        "init": "node src/server-init.js",
         "start": "node server.js",
         "debug": "node --inspect server.js",
         "start:global": "node server.js --global",
@@ -122,7 +125,6 @@
         "start:deno": "deno run --allow-run --allow-net --allow-read --allow-write --allow-sys --allow-env server.js",
         "start:bun": "bun server.js",
         "start:no-csrf": "node server.js --disableCsrf",
-        "postinstall": "node post-install.js",
         "lint": "eslint \"src/**/*.js\" \"public/**/*.js\" ./*.js",
         "lint:fix": "eslint \"src/**/*.js\" \"public/**/*.js\" ./*.js --fix",
         "plugins:update": "node plugins update",
@@ -137,7 +139,7 @@
     },
     "main": "server.js",
     "devDependencies": {
-        "@chevrotain/types": "^11.0.3",
+        "@chevrotain/types": "^11.2.0",
         "@types/archiver": "^6.0.3",
         "@types/bytes": "^3.1.5",
         "@types/command-exists": "^1.2.3",
@@ -151,7 +153,7 @@
         "@types/jquery-cropper": "^1.0.4",
         "@types/jquery.transit": "^0.9.33",
         "@types/jqueryui": "^1.12.24",
-        "@types/lodash": "^4.17.20",
+        "@types/lodash": "^4.17.24",
         "@types/mime-types": "^3.0.1",
         "@types/multer": "^2.1.0",
         "@types/node": "^18.19.84",
@@ -167,6 +169,7 @@
         "eslint": "^8.57.1",
         "eslint-plugin-jest": "^27.9.0",
         "eslint-plugin-jsdoc": "^48.10.0",
-        "eslint-plugin-playwright": "^2.3.0"
+        "eslint-plugin-playwright": "^2.3.0",
+        "typescript": "^5.9.3"
     }
 }

package/public/css/!USER-CSS-README.md

@@ -0,0 +1,7 @@
+# Looking for user.css?
+
+user.css is now located under your data root directory in the "_css" folder.
+
+Example for the default data root:
+
+/data/_css/user.css

package/public/css/extensions-panel.css

@@ -97,13 +97,23 @@ label[for="extensions_autoconnect"] {
     font-size: 1.05em;
 }
 
-.extensions_info .extension_version {
+.extensions_info :is(.extension_version, .extension_author) {
     opacity: 0.8;
     font-size: 0.8em;
     font-weight: normal;
     margin-left: 2px;
 }
 
+.extensions_info :is(.extension_version, .extension_author):empty {
+    display: none;
+}
+
+.extensions_info .extension_author {
+    display: inline-flex;
+    gap: 2px;
+    align-items: baseline;
+}
+
 .extensions_info .extension_block a {
     color: var(--SmartThemeBodyColor);
 }
@@ -161,4 +171,4 @@ input.extension_missing[type="checkbox"] {
     z-index: 1;
     margin-bottom: 10px;
     padding: 5px;
-}
+}

package/public/css/mobile-styles.css

@@ -500,6 +500,11 @@
     .horde_multiple_hint {
         display: none;
     }
+
+    select[multiple] {
+        max-height: 50px;
+        overflow-y: auto;
+    }
 }
 
 /*landscape mode phones and ipads*/

package/public/css/streaming-display.css

@@ -0,0 +1,236 @@
+/* ─────────────────────────────────────────────────────────────────────────────
+   Streaming Display — floating toast panel for live LLM generation output.
+   Shows reasoning (thinking) and content as they stream in.
+   Used by extensions that leverage ConnectionManagerRequestService streaming.
+   ───────────────────────────────────────────────────────────────────────────── */
+
+.streaming-display {
+    position: fixed;
+    bottom: max(calc(var(--bottomFormBlockSize) + 5px), 20px);
+    right: 20px;
+    width: min(550px, calc(100vw - 40px));
+    max-height: 70vh;
+    background: var(--SmartThemeBlurTintColor);
+    border: 1px solid var(--SmartThemeBorderColor);
+    border-radius: 10px;
+    padding: 14px;
+    z-index: 9000;
+    display: flex;
+    flex-direction: column;
+    gap: 10px;
+    opacity: 0;
+    transform: translateY(20px);
+    transition: opacity var(--animation-duration, 125ms) ease, transform var(--animation-duration, 125ms) ease;
+    overflow: hidden;
+    box-shadow: 0 4px 24px rgba(0, 0, 0, 0.25);
+    backdrop-filter: blur(12px);
+}
+
+.streaming-display-visible {
+    opacity: 1;
+    transform: translateY(0);
+}
+
+/* Header label with animated activity indicator */
+.streaming-display-label {
+    font-weight: 600;
+    font-size: 0.95em;
+    color: var(--SmartThemeBodyColor);
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    user-select: none;
+}
+
+/* LED status indicator - pulsing while streaming */
+.streaming-display-led {
+    display: inline-block;
+    width: 8px;
+    height: 8px;
+    border-radius: 50%;
+    background: rgb(225, 138, 36);
+    animation: streaming-display-pulse 1.5s ease-in-out infinite;
+    flex-shrink: 0;
+}
+
+/* Completed state: solid green LED */
+.streaming-display-complete .streaming-display-led {
+    background: #4caf50;
+    animation: none;
+    opacity: 1;
+    box-shadow: 0 0 8px rgba(76, 175, 80, 0.6);
+}
+
+/* Stopped state: solid red LED */
+.streaming-display-stopped .streaming-display-led {
+    background: #f44336;
+    animation: none;
+    opacity: 1;
+    box-shadow: 0 0 8px rgba(244, 67, 54, 0.6);
+}
+
+@keyframes streaming-display-pulse {
+    0%, 100% { opacity: 0.4; transform: scale(0.9); }
+    50% { opacity: 1; transform: scale(1.1); }
+}
+
+/* Label text takes available space */
+.streaming-display-label-text {
+    flex: 1;
+    min-width: 0;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+}
+
+/* Window control buttons container */
+.streaming-display-controls {
+    display: flex;
+    align-items: center;
+    gap: 4px;
+    margin-left: auto;
+    flex-shrink: 0;
+}
+
+/* Window control buttons */
+.streaming-display-btn {
+    width: 22px;
+    height: 22px;
+    border: none;
+    border-radius: 4px;
+    background: transparent;
+    color: var(--SmartThemeBodyColor);
+    font-size: 14px;
+    line-height: 1;
+    cursor: pointer;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    opacity: 0.6;
+    transition: opacity 0.15s ease, background-color 0.15s ease;
+}
+
+.streaming-display-btn:hover {
+    opacity: 1;
+    background-color: rgba(255, 255, 255, 0.1);
+}
+
+.streaming-display-btn-close:hover {
+    background-color: rgba(244, 67, 54, 0.2);
+}
+
+.streaming-display-btn-stop {
+    font-size: 10px;
+}
+
+.streaming-display-btn-stop:hover {
+    background-color: rgba(244, 150, 36, 0.2);
+    color: rgb(225, 138, 36);
+}
+
+/* Content container - collapsible for minimize */
+.streaming-display-content {
+    display: flex;
+    flex-direction: column;
+    gap: 10px;
+    overflow: hidden;
+    transition: max-height var(--animation-duration, 125ms) ease, opacity var(--animation-duration, 125ms) ease;
+}
+
+/* Minimized state - hide content sections */
+.streaming-display-minimized .streaming-display-content {
+    max-height: 0;
+    opacity: 0;
+}
+
+.streaming-display-minimized {
+    gap: 0;
+}
+
+/* Model/API icon in the label */
+.streaming-display-icon {
+    width: 1.1em;
+    height: 1.1em;
+    flex-shrink: 0;
+}
+
+/* Minimized state adjustments */
+.streaming-display-minimized.streaming-display {
+    padding: 10px 14px;
+}
+
+/* Reasoning (thinking) section */
+.streaming-display-reasoning {
+    background: color-mix(in srgb, var(--SmartThemeBodyColor) 5%, transparent);
+    border-radius: 6px;
+    padding: 8px 10px;
+    border-left: 3px solid color-mix(in srgb, var(--SmartThemeBodyColor) 25%, transparent);
+}
+
+.streaming-display-reasoning-label {
+    font-size: 0.8em;
+    font-weight: 600;
+    opacity: 0.5;
+    margin-bottom: 4px;
+    letter-spacing: 0.03em;
+    text-transform: uppercase;
+}
+
+.streaming-display-reasoning-content {
+    font-size: 0.82em;
+    opacity: 0.65;
+    max-height: 25vh;
+    overflow-y: auto;
+    word-break: break-word;
+    line-height: 1.45;
+    scrollbar-width: thin;
+}
+
+.streaming-display-reasoning-content p {
+    margin: 0.3em 0;
+}
+
+.streaming-display-reasoning-content p:first-child {
+    margin-top: 0;
+}
+
+.streaming-display-reasoning-content p:last-child {
+    margin-bottom: 0;
+}
+
+/* Main content section */
+.streaming-display-text {
+    border-top: 1px solid color-mix(in srgb, var(--SmartThemeBorderColor) 50%, transparent);
+    padding-top: 8px;
+    min-height: 1.5em;
+}
+
+.streaming-display-text-content {
+    font-size: 0.9em;
+    color: var(--SmartThemeBodyColor);
+    max-height: 40vh;
+    overflow-y: auto;
+    word-break: break-word;
+    line-height: 1.5;
+    scrollbar-width: thin;
+}
+
+.streaming-display-text-content p {
+    margin: 0.4em 0;
+}
+
+.streaming-display-text-content p:first-child {
+    margin-top: 0;
+}
+
+.streaming-display-text-content p:last-child {
+    margin-bottom: 0;
+}
+
+/* Strip auto-added quotes from <q> tags, as message formatting adds them */
+.streaming-display-reasoning-content q:before,
+.streaming-display-reasoning-content q:after,
+.streaming-display-text-content q:before,
+.streaming-display-text-content q:after {
+    content: '';
+}

package/public/css/toggle-dependent.css

@@ -565,6 +565,10 @@ label[for="bind_preset_to_connection"]:has(input:checked) {
     display: none;
 }
 
+#openai_settings:has(#openai_function_calling:not(:checked)) #tool_call_recurse_limit_block {
+    display: none;
+}
+
 #adaptive_p_block:has([data-tg-samplers="adaptive_target"][style*="display: none"]):has([data-tg-samplers="adaptive_decay"][style*="display: none"]) {
     display: none;
 }

package/public/css/welcome.css

@@ -17,6 +17,7 @@
 .welcomePanel.recentHidden .welcomeRecent,
 .welcomePanel.recentHidden .recentChatsTitle,
 .welcomePanel.recentHidden .hideRecentChats,
+.welcomePanel.recentHidden .recentChatsSettings,
 .welcomePanel:not(.recentHidden) .showRecentChats {
     display: none;
 }