Fj*UdZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZmZmZmZddlZeejjZeee jvr$e j deeddl!m"Z"m#Z#ddl$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1ddl2m3Z3m4Z4ddl5m6Z6 dd l7m8Z8m9Z9m:Z:m;Z;mZ>dd l?m@Z@mAZAmBZBmCZCdd lDmEZEdd lFmGZGni#eH$ra ddlImJZKeKdddd l7m8Z8m9Z9m:Z:m;Z;mZ>dd l?m@Z@mAZAmBZBmCZCdd lDmEZEdd lFmGZGn#eL$reMde jNdwxYwYnwxYwdejOvreejOdneejdz ZPejQeRZSe8de"ZTejUdZVdZWdaXgZYeeZe[d<dZ\dZ]eT^e>ddgdgdd l_m`Zad!e:d"ebfd#Zcd!e:d"dfd$Zdeehd%Zfeee[d&<d'ed(ebd"ebfd)Zgd*ed+ed"ebfd,ZheTid-d!e:fd.ZjeTid-d!e:fd/ZkeTid-d!e:fd0Zlid1d2d3d4d5d6d7d8d4d5d9d:d;gd<d=d>d:d?d@dAgd=dBd:dCgdDd=dEd:dFdGdHgd=dId:dJgdKd=dLd:dMgdNd=dOd:dPgdQd=dRd:dSgdTd=dUd:dVdWdXgd=dYd:dZgd[d=d\d:d]d^d_gd=d`d:dagdbd=dcd:ddgded=dfd:dggdhd=did:djgdkd=Zmeeeeeffe[dl<dmdndndndndndmdododndndndpdq Zneeefe[dr<gdsZodted"efduZp ddweeefdxed"eeeeefffdyZqeqe&Zremd6ZsiZteeeeeffe[dz<eruD]\ZvZwewetev<evd1kresetd6<etZrGd{d|eGZxGd}d~eGZyGddeGZzGddeGZ{GddeGZ|ej}dZ~ eZej}ddZn3#eef$r)eSdej}ddZYnwxYwd"eebedzffdZeTddZe*dz Zee[d<dddZeeefe[d<iZeee jfe[d<deeded"e jfdZdeded"eefdZeTddZeTddZeTdddedefdZeTdddedefdZeTdddedefdZdweeefd"eeeffdZeTddZeTddZeTddZdvdvdddidZee[d<eTddZdZeedfe[d<eTddZeTddZeTdde|fdZdweeefd"eeeffdZeTddexfdZeTdd„ZeTddeyfdÄZeTddezfdĄZeTdŦde{d!e:fdƄZddteeded"efdɄZd"eeeffdʄZd"eeeffd˄ZdddddedќdddddedќdddddddќdddddddќdddddddќdddddddќfZeeeefdfe[d<ded"eeeffdZeTddZeTdded!e:fdZdZiZeeeeeffe[d<e jZ ddlmZmZmZmZmZdZn #eH$rdZYnwxYwdZddZdeded"eeeeefffdZdededed"dfdZd"eeeffdZdeded"eeeffdZded"eeeffdZded"dfdZded"dfdZded"dfdZeTdded!e:fdZGddeGZeTddeded!e:fdZeTd dedefd ZeTd ded!e:fd Zdefd ZeTddefdZeTddefdZeTddefdZeTddefdZeTd ddededeedeedeef dZGddeGZGddeGZe jZd"eeeeffd Zאd!eed"eeeffd"Zؐd#eeefd!ed$ed"eeeffd%Zِd!eed&efd'Zڐd(ed"eefd)ZeTd*dd!efd,ZeTd-dd(ed!eefd.ZeTd*ddeӐd!efd/ZeTd-dd(edeԐd!eefd0ZeTd1dd(ed!eefd2ZeTd3dd(ed!eefd4ZeTd5dd(ed!eefd6ZeTd-dd(ed!eefd7ZGd8d9eGZGd:d;eGZGd<d=eGZdded^ed"efd>Zd"eeeffd?Zd"eeeeffd@Zded"efdAZded"efdBZeTdCdDZeTdCdefdEZeTdFdefdGZeTdHdefdIZeTdJdedefdKZeTdJdefdLZeTdMdefdNZeTdMdedefdOZGdPdQeGZeTdRdSZeTdTdefdUZeTdVdWZGdXdYeGZeTdZd[ZeTdZdefd\ZeTd]dd^efd_ZeTd`dd^efdaZddlZ ddblmZmZdZn/#eH$r'ZdZdZGdcddeZYdZ[n dZ[wwxYwejdeZdfZejdgZeehdhZ didjd"ebfdkZ didjd"ebfdlZ didjd"ebfdmZ didjd"ebfdnZ iZeeefe[do<ejZ ddpeedqeed"eeeeeeeffdrZdsed"eefdtZdsedued"dfdvZdie;d"eefdwZeTdxdie;d"dfdyZeTdzdie;d"dfd{ZeTd|die;d"dfd}ZeTd~die;d"dfdZdeed"efdZde8fdZd^dddddddddddddddddddddddddddgZddtededeZd"eeeeffdZddddddZeeefe[d<dddZ eeefe[d<hdZ!hdZ"hdZ#hdZ$dZ%deeefd"eeeeffdZ&d"efdZ'eTddZ(GddeGZ)eTdde)fdZ*deded"eefdZ+d"efdZ,da-eee[d<ddebd"efdZ.eTddZ/eTddZ0GddeGZ1deeefd"eeeffdĄZ2d"eeeffdńZ3eTdƦd!e:fdDŽZ4eTdȦd!e:de1fdɄZ5ded"efdʄZ6eTd˦d!e:defd̄Z7eTdͦd!e:defd΄Z8eTdϦd!e:defdЄZ9eTdѦd!e:defd҄Z:GdӄdeGZ;eTdզd!e:de;fdքZ<GdׄdeGZ=eTd٦d!e:dede=fdڄZ>eTdۦdedefdބZ?d߄Z@e@ddlAmBZCeTDeCeeT dddd'ededebd(ebdebf dZEdS(u7 Hermes Agent — Web UI server. Provides a FastAPI backend serving the Vite/React frontend and REST API endpoints for managing configuration, environment variables, and sessions. Usage: python -m hermes_cli.main web # Start on http://127.0.0.1:9119 python -m hermes_cli.main web --port 8080 N)Path)AnyDictListOptionalTuple) __version____release_date__) cfg_getDEFAULT_CONFIGOPTIONAL_ENV_VARSget_config_path get_env_pathget_hermes_home load_configload_env save_configsave_env_valueremove_env_valuecheck_config_version redact_key)get_running_pidread_runtime_status)env_var_enabled)FastAPI HTTPExceptionRequest WebSocketWebSocketDisconnect)CORSMiddleware) FileResponse HTMLResponse JSONResponseResponse) StaticFiles) BaseModel)ensureztool.dashboardF)promptz3Web UI requires fastapi and uvicorn. Install with: z- -m pip install 'fastapi' 'uvicorn[standard]'HERMES_WEB_DISTweb_distz Hermes Agent)titleversion zX-Hermes-Session-Token_reveal_timestampsz*^https?://(localhost|127\.0\.0\.1)(:\d+)?$*)allow_origin_regex allow_methods allow_headers)PUBLIC_API_PATHSrequestreturnc|jtd}|r@tj|t rdS|jdd}dt }tj||S)a=True if the request carries a valid dashboard session token. The dedicated session header avoids collisions with reverse proxies that already use ``Authorization`` (for example Caddy ``basic_auth``). We still accept the legacy Bearer path for backward compatibility with older dashboard bundles. T authorizationzBearer )headersget_SESSION_HEADER_NAMEhmaccompare_digestencode_SESSION_TOKEN)r6session_headerauthexpecteds 4/usr/local/lib/hermes-agent/hermes_cli/web_server.py_has_valid_session_tokenrFs_(()=rBBN$-t ?   3 3D)))H  t{{}}hoo.?.? @ @@cFt|stdddS)z>Validate the ephemeral session token. Raises 401 on mismatch. Unauthorized status_codedetailN)rFr)r6s rE_require_tokenrNs2 #G , ,DNCCCCDDrG> localhost::1 127.0.0.1_LOOPBACK_HOST_VALUEShost allow_publicc|tvo| S)u\Return True iff the dashboard OAuth auth gate must be active. Truth table: host == loopback → False (no auth) host != loopback AND allow_public (--insecure)→ False (legacy escape hatch) host != loopback AND NOT allow_public → True (gate engages) "Loopback" matches the same set used by ``--insecure`` enforcement in ``start_server``: 127.0.0.1, localhost, ::1. RFC1918 / CGNAT / link-local are deliberately treated as PUBLIC — a hostile device on the same LAN is exactly the threat model the gate is designed for. )rR)rSrTs rEshould_require_authrVs - - E 4DErG host_header bound_hostc|sdS|}|dr<|d}|dkr |d|}n8|d}n"d|vr|dddn|}|}|d vrd S|}|t vr |t vS||kS) a#True if the Host header targets the interface we bound to. Accepts: - Exact bound host (with or without port suffix) - Loopback aliases when bound to loopback - Any host when bound to 0.0.0.0 (explicit opt-in to non-loopback, no protection possible at this layer) F[]z[]:r>::0.0.0.0T)strip startswithfindrsplitlowerrR)rWrXhclose host_onlybound_lcs rE_is_accepted_hostrjs u A||C;s  B;;!E' II II+.!88AHHS!$$Q'' !!I &&&t!!H(((111   rGhttpcKttjdd}|r>|jdd}t ||st dddiS||d{VS) uReject requests whose Host header doesn't match the bound interface. Defends against DNS rebinding: a victim browser on a localhost dashboard is tricked into fetching from an attacker hostname that TTL-flips to 127.0.0.1. CORS and same-origin checks don't help — the browser now treats the attacker origin as same-origin with the dashboard. Host-header validation at the app layer catches it. See GHSA-ppp5-vxwm-4cf7. rXNrSr9rMzVInvalid Host header. Dashboard requests must use the hostname the server was bound to.rLcontent)getattrappstater;r<rjr#)r6 call_nextrXrWs rEhost_header_middlewarertsL$77J o))&"55  j99 @ 7## # # # # # ##rGc6Kddlm}|||d{VS)Nr)gated_auth_middleware)$hermes_cli.dashboard_auth.middlewarerv)r6rsrvs rE_dashboard_auth_gaterx s=JJJJJJ&&w :: : : : : : ::rGcKt|jjddr||d{VS|jj}|dr+|t vr"t|stdddiS||d{VS) zERequire the session token on all /api/ routes except the public list. auth_requiredFNz/api/rIrMrJrn) rprqrrurlpathrb_PUBLIC_API_PATHSrFr#)r6rsr|s rEauth_middlewarer~s w{ /599(Yw''''''''' ; D wD0A$A$A'00 !>2 7## # # # # # ##rGmodelstringz0Default model (e.g. anthropic/claude-sonnet-4.6)generaltype descriptioncategorymodel_context_lengthnumberz=Context window override (0 = auto-detect from model metadata)zterminal.backendselectzTerminal execution backend)localdockersshmodaldaytona singularity)rroptionszterminal.modal_modezModal sandbox modesandboxfunctionz tts.providerzText-to-speech provider)edge elevenlabsopenaineuttsz stt.providerzSpeech-to-text providerrrz display.skinzCLI visual theme)defaultaresmonoslatezdashboard.themezWeb dashboard visual theme)rmidnightemberr cyberpunkrosezdisplay.resume_displayz$How resumed sessions display history)minimalfulloffzdisplay.busy_input_modez%Input behavior while agent is running) interruptqueuesteerzmemory.providerzMemory provider pluginbuiltinhonchozapprovals.modezDangerous command approval mode)askyolodenyzcontext.enginezContext management enginercustomzhuman_delay.modezSimulated typing delay mode)rtypingfixedz logging.levelzLog level for agent.log)DEBUGINFOWARNINGERRORzagent.service_tierz#API service tier (OpenAI/Anthropic))r9autorflexzdelegation.reasoning_effortz(Reasoning effort for delegated subagents)r9lowmediumhigh_SCHEMA_OVERRIDESsecurityagentdisplaydiscord) privacycontextskillscronnetwork checkpoints approvals human_delay dashboardcode_executionprompt_cachinggoalstelegram_CATEGORY_MERGE)rrterminalr delegationmemory compressionrbrowservoicettssttloggingr auxiliaryvaluect|trdSt|trdSt|trdSt|trdSt|t rdSdS)z*Infer a UI field type from a Python value.booleanrlistobjectr) isinstanceboolintfloatrdictrs rE _infer_typersz%y%x%x%v%x 8rGr9configprefixci}|D],\}}|r|d|n|}|dvr|r|dd}nt|tr|}nd}t|tr$|t ||t ||dddd|d}|tvr |t|t |d |d |d <|||<.|S) uFWalk DEFAULT_CONFIG and produce a flat dot-path → field schema dict..>_config_versionrru → _ rr) itemssplitrrupdate_build_schema_from_configrreplacer+rrr<)rrschemakeyrfull_keyrentrys rErrsk )+Fllnn%% U(.7f$$s$$$C + + +   !||C((+HH t $ $ !HH H eT " " % MM3E8DD E E E E$E**'//W==EEc3OOUUWW$%%E ,,, .x8999 / 3 3E*4EuZGX Y YE* $F8   MrG_ordered_schemaceZdZUeed<dS) ConfigUpdaterN__name__ __module__ __qualname__r__annotations__rGrErr LLLLLrGrc$eZdZUeed<eed<dS) EnvVarUpdaterrNrrrstrrrrGrErrs" HHH JJJJJrGrceZdZUeed<dS) EnvVarDeleterNrrrGrErr HHHHHrGrceZdZUeed<dS) EnvVarRevealrNrrrGrErrrrGrc@eZdZUdZeed<eed<eed<dZeed<dS)ModelAssignmentuPayload for POST /api/model/set — assign a provider/model to a slot. scope="main" → writes model.provider + model.default scope="auxiliary" → writes auxiliary..provider + auxiliary..model scope="auxiliary" with task="" → applied to every auxiliary.* slot scope="auxiliary" with task="__reset__" → resets every slot to provider="auto" scopeproviderrr9taskN)rrr__doc__rrrrrGrErrsD JJJMMM JJJD#NNNNNrGrGATEWAY_HEALTH_URLGATEWAY_HEALTH_TIMEOUT3u>Invalid GATEWAY_HEALTH_TIMEOUT value %r — using default 3.0sg@ctsdStd}|dr|dtd }n-|dr|dtd }|d|dfD]} tj|d}tj|t5}|j d kr8tj | }d |fcdddcS dddn #1swxYwY#t$rYwxYwdS) u>Probe the gateway via its HTTP health endpoint (cross-container). .. deprecated:: Driven by the deprecated ``GATEWAY_HEALTH_URL`` / ``GATEWAY_HEALTH_TIMEOUT`` env vars. Scheduled for removal alongside a move to a first-class dashboard config key. See :data:`_GATEWAY_HEALTH_URL` for context. Uses ``/health/detailed`` first (returns full state), falling back to the simpler ``/health`` endpoint. Returns ``(is_alive, body_dict)``. Accepts any of these as ``GATEWAY_HEALTH_URL``: - ``http://gateway:8642`` (base URL — recommended) - ``http://gateway:8642/health`` (explicit health path) - ``http://gateway:8642/health/detailed`` (explicit detailed path) This is a **blocking** call — run via ``run_in_executor`` from async code. )FN/z/health/detailedNz/healthGET)methodtimeoutT)_GATEWAY_HEALTH_URLrstripendswithlenurllibr6rurlopen_GATEWAY_HEALTH_TIMEOUTstatusjsonloadsread Exception)baser|reqrespbodys rE_probe_gateway_healthr!s& {  % %c * *D }}'(('.s-..../ y ! !'%s9~~o%&***t,<,<,<= .((e(<zget_status..\s'( ( ( 'HN( ( ( rG gateway_state platformsc$i|] \}}|v || Srr)r&rrconfigured_gateway_platformss rE zget_status..ls5!!!C666U666rG exit_reason updated_at>stoppedstartup_failedr0>Nr0running SessionDB2)limitc 3K|]L}|d5|d|ddz dkHdVMdS)ended_atN last_active started_atr,r]r<)r&snows rE zget_status..sm""55$$,155lA0F0FGGG3NNNNNN""rGrzFlist_providerscg|] }|j Srnamer&ps rE zget_status..s<<s @@rE get_statusrj<s244K "##K!-O&*  <2 <'))*.*>*> '+ + % % % % % % !!  <"O! <044U;; M 48 ,666666,,..( ( +9+Q+Q+S+S( ( ( $$ ,,,'+$$$, "##G-2D2H2H2Y2Y$* O44 #KK 44: ' 3!!!!"3"9"9";";!!!  &kk-88$[[66 *-:>[-[-[MMajM "    *!3!? 111 ) "=05G5S! O ****** Y[[ ,,2,66H)++C!""""#"""O HHJJJJBHHJJJJJ      OUCCDDM "N OOOOOO<`` detached and record the Popen handle. Uses the running interpreter's ``hermes_cli.main`` module so the action inherits the same venv/PYTHONPATH the web server is using. Tparentsexist_okabr) bufferingz === z started z%Y-%m-%d %H:%M:%Sz === z-mzhermes_cli.mainHERMES_NONINTERACTIVE1)cwdstdinstdoutstderrenvwin32DETACHED_PROCESS creationflagsstart_new_session)rorlmkdiropenwriter]strftimer@sys executabler PROJECT_ROOT subprocessDEVNULLSTDOUTosenvironr'CREATE_NEW_PROCESS_GROUPrpPopenrp)rqrD log_file_namelog_pathlog_filecmd popen_kwargsprocs rE_spawn_hermes_actionrsF &d+M$666.HHda000H NNJJJ .A B BJJJQQSS >4!2 @Z @C<  ##;"*;5s;; $$L |w  /j"4a88 9 _%% -1 ()  C 0 0< 0 0DM$ KrGr|nc|sgS |dd}n#t$rgcYSwxYw|}|dkr || dn|S)uReturn the last ``n`` lines of ``path``. Reads the whole file — fine for our small per-action logs. Binary-decoded with ``errors='replace'`` so log corruption doesn't 500 the endpoint.utf-8r)encodingerrorsrN)exists read_textOSError splitlines)r|rtextliness rE _tail_linesrs ;;== ~~wy~AA   OO  EQ5!::E)s 0 ??z/api/gateway/restartcK tddgd}n@#t$r3}tdt dd|d}~wwxYwd |jdd S) z8Kick off a ``hermes gateway restart`` in the background.gatewayrestartrmzFailed to spawn gateway restartzFailed to restart gateway: rKNTokr#rDrr_log exceptionrr#rexcs rErestart_gatewayrsY#Y $:r=s rE get_sessionsr9s8M****** Y[[ ,,5,HHH$$&&E)++C  EE*%%-Squu]AEE,4J4JKKKsR+!)55TZ[[ HHJJJJBHHJJJJ MMM 12224KLLLLMs#CBB>)C>CC6D z/api/sessions/searchqc K|r|sdgiS ddlm}|} ddl}g}|jd|D]Z}|ds|dr||B||dz[d|}| || }i} |D]z} | d } | | vrl| | d d | d | d| d| dd| | <{dt| i| S#| wxYw#t$r,tdt#ddwxYw)z;Full-text search across session message content using FTS5.resultsrr3Nz "[^"]*"|\S+"r1r)queryr6 session_idsnippetr9rolesourcersession_started)rrrrrrzGET /api/sessions/search failedrz Search failedrK)rar[r4refindallrbrappendjoinsearch_messagesr<rvaluesrgrrrr) rr6r4rgrtermstoken prefix_querymatchesseenmsids rEsearch_sessionsrOs AGGII2"E****** Y[[  IIIE#NAGGII>> . .##C((.ENN3,?,?.LL''''LL----88E??L((|5(IIGD   od??&)#$55B#7#7 !f "#%%//!"w+,551B+C+C !!DItDKKMM223 HHJJJJBHHJJJJ EEE 8999ODDDDEs#F.EFF.F++F..6G$cBt|}|d}t|tr`|dd}|d|dd|d<t|tr|nd|d<nd|d<|S)aNormalize config for the web UI. Hermes supports ``model`` as either a bare string (``"anthropic/claude-sonnet-4"``) or a dict (``{default: ..., provider: ..., base_url: ...}``). The schema is built from DEFAULT_CONFIG where ``model`` is a string, but user configs often have the dict form. Normalize to the string form so the frontend schema matches. Also surfaces ``model_context_length`` as a top-level field so the web UI can display and edit it. A value of 0 means "auto-detect". rcontext_lengthrrrDr9r)rr<rr)r model_valctx_lens rE_normalize_config_for_webrys&\\F 7##I)T""+-- 0!44#-- 9==3L3LMMw4>w4L4L)SRS%&&)*%& MrGz /api/configcxKtt}d|DS)NcDi|]\}}|d||Srrbr&kvs rEr-zget_config..s/ E E ETQ1<<3D3D EAq E E ErG)rrr)rs rE get_configrs3 &{}} 5 5F E EV\\^^ E E EErGz/api/config/defaultscKtSN)r rrGrE get_defaultsrs rGz/api/config/schemac$KttdS)N)fieldscategory_order) CONFIG_SCHEMA_CATEGORY_ORDERrrGrE get_schemars# G GGrGrrauto_context_lengthconfig_context_lengtheffective_context_length capabilities_EMPTY_MODEL_INFOz/api/model/infoc t}|dd}t|trl|d|dd}|dd}|dd}|d}n|rt |nd}d}d}d}|stt | S d d lm}||||d }n#t$rd }YnwxYwd }t|tr|d kr|}|d kr|n|} i} d d l m } | ||} | '| j | j | j| j| j| jd} n#t$rYnwxYw||||| | dS#t$r1t$dtt cYSwxYw)a.Return resolved model metadata for the currently configured model. Calls the same context-length resolution chain the agent uses, so the frontend can display "Auto-detected: 200K" alongside the override field. Also returns model capabilities (vision, reasoning, tools) when available. rr9rrDrbase_urlrN)rr)get_model_context_length)rrrrget_model_capabilitiesrrsupports_toolssupports_visionsupports_reasoningcontext_windowmax_output_tokens model_familyrzGET /api/model/info failed)rr<rrrragent.model_metadatarrragent.models_devrrrrrrrrr) cfg model_cfg model_namerr config_ctxrauto_ctxconfig_ctx_int effective_ctxcapsrmcs rEget_model_inforsaB'mmGGGR((  i & & "y)--2K2KLLJ }}Z44H }}Z44H"'788JJ+4<Y"JHHJ >)H=== =  E E E E E E// !!&* HH    HHH  j# & & (:>>'N+91*<*<(   ? ? ? ? ? ?''LLLB~&(&7')'9*,*?&(&7)+)=$&O     D   #+%3(5     ''' 3444%&&&&&'sZCFC/.F/ C>;F=C>>.F-=F>) vision web_extractr skills_hubapprovalmcptitle_generationtriage_specifierkanban_decomposerprofile_describercurator._AUX_TASK_SLOTSz/api/model/optionsc ddlm}m}||dS#t$r,tdt ddwxYw) aGReturn authenticated providers + their curated model lists. REST equivalent of the ``model.options`` JSON-RPC on tui_gateway, so the dashboard Models page can render the picker without a live chat session. The response shape matches ``model.options`` 1:1 so ``ModelPickerDialog`` can share the same types. rbuild_models_payloadload_picker_contextr5) max_modelszGET /api/model/options failedrzFailed to list model optionsrK)hermes_cli.inventoryrrrrrrrs rEget_model_optionsr"sTRRRRRRRR##$7$7$9$9bIIII TTT 67774RSSSSTs 6Az/api/model/auxiliaryc  t}|di}t|tsi}g}tD]}t||tr||ini}||t |ddpdt |ddpdt |ddpdd|di}t|tr`t |ddpdt |d|d dpdd }nd|rt |ndd }||d S#t$r,t d td dwxYw)aReturn current auxiliary task assignments. Shape: { "tasks": [ {"task": "vision", "provider": "auto", "model": "", "base_url": ""}, ... ], "main": {"provider": "openrouter", "model": "anthropic/claude-opus-4.7"}, } rrrrr9r)rrrrrrDr)tasksmainzGET /api/model/auxiliary failedrzFailed to read auxiliary configrK) rr<rrrrrrrrr)raux_cfgr$slotslot_cfgrr%s rEget_auxiliary_modelsr)!sWmm''+r**'4(( G#  D0:7;;t;L;Ld0S0S[w{{4,,,Y[H LL Z @ @ JFKKX\\'266<"== Z < < BCC     GGGR(( i & & R j" = = CDDY]]9immFB6O6OPPVTVWWDD !#y-PS^^^bQQD--- WWW 89994UVVVVWs F/F226G(z/api/model/setr cK|jpd}|jpd}|jpd}|jpd}|dvrt dd t}|dkr|r|st dd|di}t|tsi}||d <||d <d |vr|d rd|d <d |vr| d d ||d<t|dd||dS|d}t|tsi}|dkr_tD]=}||} t| tsi} d| d <d| d<| ||<>||d<t|ddddS|st dd|r|gntt} | D]Z}|tvrt dd|||} t| tsi} || d <|| d<| ||<[||d<t|dd| ||dS#t $rt$r,t dt ddwxYw)u!Assign a model to the main slot or an auxiliary task slot. Writes to ``~/.hermes/config.yaml`` — applies to **new** sessions only. The currently running chat PTY (if any) is not affected; use the ``/model`` slash command inside a chat to hot-swap that specific session. r9>r%rrmz#scope must be 'main' or 'auxiliary'rKr%z$provider and model required for mainrrrrrNT)rrrrr __reset__r)rrresetzprovider required for auxiliaryzunknown auxiliary task: )rrr$rrzPOST /api/model/set failedrzFailed to save model assignment)rrarerrrrrr<rrpoprrrrrr) r rrrrrrauxr'r(targetss rEset_model_assignmentr0MsZ 2 $ $ & & , , . .E #**,,H Z 2 $ $ & &E IO " " $ $ * * , ,D )))4YZZZZCWmm F?? d5 d#>>d| MMM /0004KLLLLMs $)6Az/api/envc Kt}i}tjD]\}}||}t ||rt |nd|dd|d|dd|dd|dg|ddd ||<|S) Nrr9r{rpasswordFtoolsadvanced)is_setredacted_valuerr{r is_passwordr=r>)rr rr<rr) env_on_diskresultvar_nameinfors rE get_env_varsrFs**K F+133   $))5kk38Bj///d88M26688E??R0088J66XXgr**U33   x MrGcK t|j|jd|jdS#t$r$}t dt ||d}~wt $r,tdt ddwxYw)NTrrrmrKzPUT /api/env failedrr) rrrr4rrrrr)r rs rE set_env_varrIs Mtx,,,48,,, GGG CHH===3F MMM ,---4KLLLLMs#( B A9B cK t|j}|std|jdd|jdS#t$rt$r,tdtddwxYw) Nr not found in .envrKTrHzDELETE /api/env failedrr)rrrrrr)r removeds rEremove_env_varrMs M"48,, YC488W8W8WXXX X48,,,  MMM /0004KLLLLMs 8=AA=z/api/env/revealcKt|tj}|tz fdtDtdd<t tt krt ddt|t}| |j }|t d|j dt d|j |j |d S) zReturn the real (unredacted) value of a single env var. Protected by: - Ephemeral session token (generated per server start, injected into SPA) - Rate limiting (max 5 reveals per 30s window) - Audit logging c g|] }|k| Srr)r&tcutoffs rErGz"reveal_env_var..#sIII1a&jjQjjjrGNiz,Too many reveal requests. Try again shortly.rKrrKzenv/reveal: %s)rr) rNr]_REVEAL_WINDOW_SECONDSr.r_REVEAL_MAX_PER_WINDOWrrrr<rrrE)r r6r>rBrrQs @rEreveal_env_varrTs7 )++C ) )FIIII(:IIIqqq "8884bccccc"""**K OODH % %E }tx4S4S4STTTTII)))8e , ,,rGvisiblec,|sdSt|rt|tsdSt|}d|vr5|ddkr|ddd}t ||kr|Sd|| dS) uReturn ``...XXXXXX`` (last N chars) for safe display in the UI. We never expose more than the trailing ``visible`` characters of an OAuth access token. JWT prefixes (the part before the first dot) are stripped first when present so the visible suffix is always part of the signing region rather than a meaningless header chunk. Returns the Entra-ID placeholder when handed a callable (Azure Foundry bearer provider) — the callable is NEVER invoked here. r9zrr]r\u…N)callablerrcountrdr)rrVr=s rE_truncate_tokenr[>s r#z%55#"" E A axxAGGCLLA%% HHS!  R  1vv G899  rGc , ddlm}m}m}n#t$r d}d}d}YnwxYwd}|r |}n#t $rd}YnwxYw|ru|dr`ddd|dt|d|d t|d d Sd}|r |}n#t $rd}YnwxYw|rq|dr\dd d t|d|d t|d d Stj dptj d}|rdddt|ddd SdddS)uCombined status across the three Anthropic credential sources we read. Hermes resolves Anthropic creds in this order at runtime: 1. ``~/.hermes/.anthropic_oauth.json`` — Hermes-managed PKCE flow 2. ``~/.claude/.credentials.json`` — Claude Code CLI credentials (auto) 3. ``ANTHROPIC_TOKEN`` / ``ANTHROPIC_API_KEY`` env vars The dashboard reports the highest-priority source that's actually present. r)read_hermes_oauth_credentialsread_claude_code_credentials_HERMES_OAUTH_FILEN accessTokenT hermes_pkcez Hermes PKCE () expiresAt refreshToken logged_inr source_label token_preview expires_athas_refresh_token claude_codez)Claude Code (~/.claude/.credentials.json)ANTHROPIC_TOKENCLAUDE_CODE_OAUTH_TOKENenv_varz$ANTHROPIC_TOKEN environment variableFrfr) agent.anthropic_adapterr]r^r_ ImportErrorrr<r[rrgetenv)r]r^r_ hermes_credscc_creds env_tokens rE_anthropic_oauth_statusrvWsZ "           """'+$(,%!" L$  88::LL   LLL  ((77 #A,>AAA,\-=-=m-L-LMM&**;77!%l&6&6~&F&F!G!G    H# 3355HH   HHH  HLL// #G,X\\--H-HII",,{33!%hll>&B&B!C!C     +,,T :S0T0TI B,Y77!&    $ / //s-    3 AA C CCc : ddlm}|}n#t$rd}YnwxYw|rq|dr\dddt |d|dt |d d Sd dd S) aSurface Claude Code CLI credentials as their own provider entry. Independent of the Anthropic entry above so users can see whether their Claude Code subscription tokens are actively flowing into Hermes even when they also have a separate Hermes-managed PKCE login. r)r^Nr`Tclaude_code_cliz~/.claude/.credentials.jsonrcrdreFro)rpr^rr<r[r)r^credss rE_claude_code_only_statusrzsHHHHHH,,..   =)) '9,UYY}-E-EFF))K00!%eii&?&?!@!@    $ / //s  "" anthropiczAnthropic (Claude API)pkcezhermes auth add anthropicz.https://docs.claude.com/en/api/getting-started)idrDflow cli_commanddocs_url status_fn claude-codezClaude Code (subscription)externalzclaude setup-tokenz+https://docs.claude.com/en/docs/claude-codenous Nous Portal device_codezhermes auth add nouszhttps://portal.nousresearch.com openai-codexzOpenAI Codex (ChatGPT)zhermes auth add openai-codexz https://platform.openai.com/docs qwen-oauthzQwen (via Qwen CLI)zhermes auth add qwen-oauthz#https://github.com/QwenLM/qwen-code minimax-oauthzMiniMax (OAuth)zhermes auth add minimax-oauthzhttps://www.minimax.io_OAUTH_PROVIDER_CATALOG provider_idc |4 |S#t$r}dt|dcYd}~Sd}~wwxYw ddlm}|dkr|}t |dd|d pd t|d |d t |d dS|dkr|}t |d|dpd|dpdt|ddd|ddS|dkr| }t |dd|dpdt|d |dt |d dS|dkrh| }t |ddd|dd d!d|dd"dSn)#t$r}dt|dcYd}~Sd}~wwxYwddiS)#z@Dispatch to the right status helper for an OAuth provider entry.NF)rferrorr)rCrrf nous_portalportal_base_urlr access_tokenaccess_expires_atrjrerr openai_codex auth_modez OpenAI Codexapi_key last_refresh)rfrrgrhrirjrrqwen_cliauth_store_pathzQwen CLIrir minimax_oauthz MiniMax (regionglobalrbT) rr hermes_clirCget_nous_auth_statusrr<r[get_codex_auth_statusget_qwen_auth_statusget_minimax_oauth_auth_status)rrehauthraws rE_resolve_provider_statusrs  99;;  9 9 9!&Q88 8 8 8 8 8 8 9,5,,,,,, & ,,..C!#''+"6"677' #(9 : : Km!01H1H!I!I!gg&9::%)#''2E*F*F%G%G   . ( (--//C!#''+"6"677''(++=~ # 4 4 F!01C1C!D!D"%* # 7 7  , & &,,..C!#''+"6"677$ #(9 : : Hj!01H1H!I!I!ggl33%)#''2E*F*F%G%G   / ) )5577C!#''+"6"677) JCGGHh,G,G J J J!%!ggl33%)   * 555"SVV444444445  sG  4/44B0J$)B J$ B*J$5A-J$$ K .K?K K z/api/providers/oauthc Kg}tD]e}t|d|d}||d|d|d|d|d|dfd|iS) u#Enumerate every OAuth-capable LLM provider with current status. Response shape (per provider): id stable identifier (used in DELETE path) name human label flow "pkce" | "device_code" | "external" cli_command fallback CLI command for users to run manually docs_url external docs/portal link for the "Learn more" link status: logged_in bool — currently has usable creds source short slug ("hermes_pkce", "claude_code", ...) source_label human-readable origin (file path, env var name) token_preview last N chars of the token, never the full token expires_at ISO timestamp string or null has_refresh_token bool r}rrDr~rr)r}rDr~rrr providers)rrr<r)rrFrs rElist_oauth_providersr's$I $   )!D'1553E3EFFD'fIfI]+*          ##rGz"/api/providers/oauth/{provider_id}c Kt|dtD}||vr7tdd|ddt ||dvr dd lm}|r|n#t$rYnwxYw dd l m }|d n#t$rYnwxYwt d |d |dS dd l m }||}t d||t||dS#t$r>}td|tdt!|d}~wwxYw)zDDisconnect an OAuth provider. Token-protected (matches /env/reveal).ch|] }|d Sr}rrEs rEr(z,disconnect_oauth_provider..Ls:::Q4:::rGrmzUnknown provider: . Available: , rK>r{rrr_)clear_provider_authr{zoauth/disconnect: %sT)rrz!oauth/disconnect: %s (cleared=%s)zdisconnect %s failedrN)rNrrrsortedrpr_runlinkrhermes_cli.authrrrErrr)rr6 valid_idsr_rclearedrs rEdisconnect_oauth_providerrGs7::"9:::I)##@ @@!%6)+<+D%% E-/9E((E-_oauth_sessions)_OAUTH_CLIENT_ID_OAUTH_TOKEN_URL_OAUTH_REDIRECT_URI _OAUTH_SCOPES_generate_pkceTz!https://claude.ai/oauth/authorizec tjtz t5fdtD}|D]}t|d ddddS#1swxYwYdS)z:Drop expired sessions. Called opportunistically on /start.c2g|]\}}|dk|S) created_atr)r&rsessrQs rErGz&_gc_oauth_sessions..s-]]]dlASV\A\A\A\A\A\rGN)r]_OAUTH_SESSION_TTL_SECONDS_oauth_sessions_lockrrr-)stalerrQs @rE_gc_oauth_sessionsrs Y[[5 5F ++]]]]o&;&;&=&=]]] + +C   T * * * * +++++++++++++++++++sAA88A<?A<r~ctjd}|||tjddd}t5|t|<dddn #1swxYwY||fS)zICreate + register a new OAuth session, return (session_id, session_dict).pendingN)rrr~rr error_message)secrets token_urlsafer]rr)rr~rrs rE_new_oauth_sessionrs   # #Cikk   D $$#$$$$$$$$$$$$$$$ 9s A  AAr refresh_token expires_at_msc ddlm}|||d}|jdd||jdt jdtj d} | d d 5}| tj |d |t j|dddn #1swxYwYt j|| |t&jt&jzn#t,$rYnwxYw |r|nO#t,$rYnCwxYw# |r|ww#t,$rYwwxYwxYw ddlm}m}m} mddl} |d} fd| D} | D]7} | tC| dd(#tD$rY4wxYw|d| #j$ddd| dd||| }| %|dS#tD$r&} tL'd| Yd} ~ dSd} ~ wwxYw)zPersist Anthropic PKCE creds to both Hermes file AND credential pool. Mirrors what auth_commands.add_command does so the dashboard flow leaves the system in the same state as ``hermes auth add anthropic``. rr)r`rdrcTrsz.tmp.rwrrrX)indentNPooledCredential load_poolAUTH_TYPE_OAUTH SOURCE_MANUALr{cbg|]+}t|ddd)|,S)rr9:dashboard_pkce)rprb)r&rrs rErGz/_save_anthropic_oauth_creds..sBxxx!Hb1I1I1T1TXeUvUvUv1w1wxAxxxrGr}r9rUzdashboard PKCEr) rr}label auth_typepriorityrrrrz)anthropic pool add (dashboard) failed: %s)(rpr_parentr with_namerDrgetpidr token_hexrrrdumpsflushfsyncfilenorchmodstatS_IRUSRS_IWUSRrrragent.credential_poolrrrruuidentries remove_entryrpruuid4hex add_entryrwarning)rrrr_payloadtmp_pathhandlerrrrpoolexistingrrrs @rE_save_anthropic_oauth_credsrs ;:::::#%"G ##D4#@@@!++  "MMMMw7H7K7KMMH ]]3] 1 1 &V LLGA666 7 7 7 LLNNN HV]]__ % % % & & & & & & & & & & & & & & & 8/000   $ $T\DL%@ A A A A    D     "!!!    D     "!!!! "    D  E             y%%xxxxt||~~xxx  A !!'!T2"6"67777       zz||#"%#444%''     u EEE @!DDDDDDDDDEs0FA$C7+ F7C;;F>C;?F,EF EFEF(E?? F  F G (F;9G ; GG GG ?J$H43J4 I>JIAJ KJ<<Kc ,tstddt\}}tdd\}}||d<||d<dtd t t |d |d }td tj |}|d|td S)z9Begin PKCE flow. Returns the auth URL the UI should open.iz/Anthropic OAuth not available (missing adapter)rKr{r|verifierrrtruecodeS256)r client_id response_type redirect_urircode_challengecode_challenge_methodrr?)rr~auth_url expires_in) _ANTHROPIC_OAUTH_AVAILABLEr_generate_pkce_pairr_ANTHROPIC_OAUTH_CLIENT_ID_ANTHROPIC_OAUTH_REDIRECT_URI_ANTHROPIC_OAUTH_SCOPES_ANTHROPIC_OAUTH_AUTHORIZE_URLrparse urlencoder)r challengerrparamsrs rE_start_anthropic_pkcer s %g4effff-//Hi";77ICDDM/5(#!'  F1SS6<3I3I&3Q3QSSH0   rGr code_inputc t5t|}dddn #1swxYwY|r|ddks |ddkrtdd|d d krd |d |d d S|dd}|d}|sd ddd St |dkr|dnd}tjdt||p|dt|dd }tj t|dddd} tj |d5}tj|} dddn #1swxYwYnO#t($rB} t5d|d <d| |d <dddn #1swxYwYd d|d d cYd} ~ Sd} ~ wwxYw| d d} | d!d} t+| d"pd#} | s5t5d|d <d$|d <dddn #1swxYwYd d|d d St+t-jd%z| d%zz} t/| | |nO#t($rB} t5d|d <d&| |d <dddn #1swxYwYd d|d d cYd} ~ Sd} ~ wwxYwt5d'|d <dddn #1swxYwYt0d(|d)d'd*S)+z>  D Ow;MNNN&)%jj1nn%(("J*/$5W 5j)   vxx . " .0   !  CR ^ # #C # 4 4 6Z 2 2 4 455F 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 RRR ! B B$DN$Aa$A$AD ! B B B B B B B B B B B B B B Bw4;PQQQQQQQQ R ::nb11LJJ33MVZZ --566J R ! ? ?$DN$>D ! ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?w4;PQQQ d*++zD/@AMR#L-OOOO RRR ! 8 8$DN$7A$7$7D ! 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8w4;PQQQQQQQQ R $$#X$$$$$$$$$$$$$$$IIBJOOO* - --s/33(!G 9G GGGGG H&$H!+H9 H!H H! H H!H&!H& JJ JK,, L86L3=L L3L L3L L3-L83L8MMMc K|dkrddlm}mm}ddl|d}t jdpt jdp|jd|j |d|j \fd }tj d|d{V\}}tdd \}}t|d |d <t!|d |d <t#jt!|d z|d <|d<|d<||d<t%jt(|fdd|dd|d t|dt|dt!|d t!|d dS|dkrtdd \}} t%jt,|fdd|ddt#jdz} t#j| krt05t2|} dddn #1swxYwY| r"| ds | ddkrn1tjdd{Vt#j| kt05t2|i} dddn #1swxYwY| ddkr&t9d| d pd!"| dst9d#d$"|d | d| d%t!| d pd&t!| d pd'dS|d(krdd)lm} mmm } ddl| \}t jd*p| dfd+}tj! d|d{V}td(d \}}|d }|t!|nd|d,<t|d|d<||d-<|d.<|d<|d<d/|d0<t!|d1}||d2<|d3kr7|d4z }tEdt!|t#jz }nt#j|z}|}||d <t%jtF|fdd|dd|d t|dt|d5|tEd6|d,pd7d8zdSt9d9d:|d;")._do_nous_device_request~s d++!#56 DD!$3'.<*<                   sA  AArintervalrrirrrTz oauth-poll-rU)targetargsdaemonrD user_codeverification_uri_complete)rr~r7verification_urlr poll_intervalrz oauth-codex- rrg?rrrzdevice-auth failedrKiz2device-auth timed out before returning a user coder9rr/r)_minimax_pkce_pair_minimax_request_user_codeMINIMAX_OAUTH_CLIENT_IDMINIMAX_OAUTH_GLOBAL_BASEMINIMAX_PORTAL_BASE_URLcdddid5}|cdddS#1swxYwYdS)Nr(r)rTrr;follow_redirects)r+rrrrrr-)r+r>r=r r1rrrs rE_do_minimax_requestz4_start_device_code_flow.._do_minimax_requests d++!#56!% 11!$35#,                   sA  AA interval_msrrrrr expired_inexpired_in_rawlJ)g@@verification_urirXrrrmz Provider z" does not support device-code flow)$rr!r"r#r1rrrrrrrrVrWrXrrrr] threadingThread _nous_pollerstart_codex_full_login_worker monotonicrrr<sleeprr<r=r>r?get_event_loopr_minimax_poller)rr!r#pconfigr2 device_dataeffective_scoperrrdeadliner=r<r?rrD interval_rawrG expires_at_tsexpires_in_secondsr>r=r"r rr0r1rrrrs @@@@@@@@@@rE_start_device_code_flowrYdsf           #F+ I. / / 'y/00 '& &++  % D D !-! ! ! ~          .5-E-G-G-W-W ). . ( ( ( ( ( ( $ _'v}== T!+m"<==]{:677Z!Y[[3{##b(n))% - -#'',, - - - - - - - - - - - - - - - aeeK(( AhK9,D,D-$$ $ $ $ $ $ $ $ n)) " - -##C,,A - - - - - - - - - - - - - - - 55??g % %Co8N8N8fRfggg guu[!! nC8lmmm m!; !"4 5aeeL118S99 z!2!2!7a88    o%%             %7%7%9%9")U I/ 0 0 M4M &++           $244DD %        ' FF T#z22 !-!9C   t ] K 899[ (_W "1 3[!X [677!/  - - -*V3M!$QMDIKK,G(H(H!I!I   IKK.8M!/ *\"(s2A2w((    %'''![566 #K0B$C D D, T-%8%@DT$IJJ     C0kK0k0k0k l l lls$JJJ'LLLc ddlm}m}m}ddlm}m}ddl}t5t |}dddn #1swxYwY|sdS|d}|d} |d} |d} | d } td t|d tj z } | |d d di5}|||| | | | }dddn #1swxYwY||j}t| dpd}|| d| | d p| | dd|d| d||rC|||z|jnd|d }||dd d|}ddlm}||t5d|d<dddn #1swxYwYt*d|dS#t.$rc}t*d ||t5d!|d<t3||d"<dddn#1swxYwYYd}~dSYd}~dSd}~wwxYw)#zDBackground poller that drives a Nous device-code flow to completion.r)NOUS_INFERENCE_AUTH_MODE_FRESH_poll_for_tokenrefresh_nous_oauth_from_statedatetimetimezoneNrrrr3r<rir(r)rr*)r+rrrrr:rinference_base_url token_typeBearerrrtz) rrbrrrcrr obtained_atrirr;F)min_key_ttl_secondstimeout_seconds force_refreshinference_auth_mode)persist_nous_credentialsrrz/oauth/device: nous login completed (session=%s)z-nous device-code poll failed (session=%s): %srr)rr[r\r]r_r`r1rrr<rrr]r.r/r>utc isoformat fromtimestamp timestamprlrrErrr)rr[r\r]r_r`r1rrrrr3rrr+ token_datar> token_ttl auth_state full_staterlrs rErKrKsm ,+++++++LLL //"":../////////////// ,-O[!I}%KJH HHW  ERT,/$)++=>>??J,+ \\%--"5"5J\?]\ ^ ^ bh( /#'%& J               ll8<(( |449:: .",..1E"F"F"^^G,,5$..x@@&~6'^^O<<==??'&&s}}'Bx|&TT^^```"&#  32  #  >     =<<<<<  ,,, ! ( ('DN ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( CZPPPPP +++ DjRSTTT ! + +$DN$'FFD ! + + + + + + + + + + + + + + + + + + + + + + + + + + ++sAA  A ,I/-D ? I/ DI/DD"I/5I; I/I  I/I I// K9#KK4 KK KK KKcTddlm}m}m}m}m}ddlm}m}ddl}t5t |} dddn #1swxYwY| sdS| d} | d} | d} | d} | d }| d } | | d d d id5}||| | | | ||}dddn #1swxYwY||j}|t!|d|}t#dt!||z }d| dd| || || dd|d|d| d||||j|d }||t5d| d<dddn #1swxYwYt*d|dS#t.$rc}t*d ||t5d!| d<t3|| d"<dddn#1swxYwYYd}~dSYd}~dSd}~wwxYw)#u Background poller that drives a MiniMax OAuth flow to completion. Mirrors `_nous_poller` but calls the MiniMax-specific token endpoint, which uses a PKCE-style ``code_verifier`` + ``user_code`` rather than the ``device_code`` field used by Nous. On success, builds the same auth_state dict that ``_minimax_oauth_login`` (the CLI flow) builds and persists via ``_minimax_save_auth_state`` — so the dashboard path leaves the system in the same state as ``hermes auth add minimax-oauth``. r)_minimax_poll_token"_minimax_resolve_token_expiry_unix_minimax_save_auth_stateMINIMAX_OAUTH_GLOBAL_INFERENCEMINIMAX_OAUTH_SCOPEr^Nrrr7rrErGr(r)rTrB)r+rrr7rrFrErF)r>rrrrcrdrr resource_urlre) rrrrbrrrcrrr{rgrirrrz2oauth/device: minimax login completed (session=%s)z0minimax device-code poll failed (session=%s): %srr)rrvrwrxryrzr_r`r1rrr<r.r/r>rmrrrprnrorrErrr)rrvrwrxryrzr_r`r1rrrr7rrErGr+rqr>rW expires_in_srsrs rErQrQUsT,+++++++LLL //"":../////////////// ,-O[!I[!I)M((=))K*+N2+ \\MM$''12!  ,, /##+)'J               &ll8<((::  <( ) )s   1c-#--//"ABBCC 'hhx22."@"($..x@@&~6'8&NN>::==??"00(,1ikk&  " ! ,,, ! ( ('DN ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( F SSSSS +++ GUVWWW ! + +$DN$'FFD ! + + + + + + + + + + + + + + + + + + + + + + + + + + ++sA  A A -H:C" H:"C&&H:)C&*DH:H H:HH:HH:: J'#J"'J ? J" J J"J J""J'c v ddl}ddlm}m}m}d}||d5}||dd|id d i }dddn #1swxYwY|jd krtd |j| }| dd} | dd} tdt| dd} | r| std|d} t5t |} | s ddddS| | d<| | d<| | d<| | d<d| d<t!j| dz| d<dddn #1swxYwYt!j| dz}d}||d5}t!j|krut!j| ||d| | dd d i }|jd kr| }n!|jdvrutd|jdddn #1swxYwY|+t5d| d<d | d!<dddn #1swxYwYdS| d"d}| d#d}|r|std$||d5}||d"||d%||d&d d'i(}dddn #1swxYwY|jd krtd)|j| }| d*d}| d+d}|std,dd-lm}m}m}m}ddl}|d.}t3jd/dd0p|}|d.|jdd1d2|d|d3|||4 }||t5d5| d<dddn #1swxYwYt@!d6|dS#tD$r}t@#d7||t5t |} | rd8| d<tI|| d!<dddn#1swxYwYYd}~dSYd}~dSd}~wwxYw)9uRun the complete OpenAI Codex device-code flow. Codex doesn't use the standard OAuth device-code endpoints; it has its own ``/api/accounts/deviceauth/usercode`` (JSON body, returns ``device_auth_id``) and ``/api/accounts/deviceauth/token`` (JSON body polled until 200). On success the response carries an ``authorization_code`` + ``code_verifier`` that get exchanged at CODEX_OAUTH_TOKEN_URL with grant_type=authorization_code. The flow is replicated inline (rather than calling _codex_device_code_login) because that helper prints/blocks/polls in a single function — we need to surface the user_code to the dashboard the moment we receive it, well before polling completes. rN)CODEX_OAUTH_CLIENT_IDCODEX_OAUTH_TOKEN_URLDEFAULT_CODEX_BASE_URLzhttps://auth.openai.comr(rz!/api/accounts/deviceauth/usercoderrr)rr;rzdeviceauth/usercode returned r7r9device_auth_idr35z8device-code response missing user_code or device_auth_idz /codex/devicer9rrriz/api/accounts/deviceauth/token)rr7>rzdeviceauth/token poll returned expiredrz#Device code expired before approvalrrrz=device-auth response missing authorization_code/code_verifierz/deviceauth/callback)rrrrrz!application/x-www-form-urlencoded)rr;ztoken exchange returned rrz*token exchange did not return access_tokenrrHERMES_CODEX_BASE_URLr rUzdashboard device_codez:dashboard_device_code) rr}rrrrrrrrz7oauth/device: openai-codex login completed (session=%s)z0codex device-code worker failed (session=%s): %sr)%r1rr~rrr.r/postrL RuntimeErrorrr<rrrrr]rNrOrrrrrrrrrrarrrrrrErrr)!rr1r~rrissuerr+rrSr7rr:r9rrU code_resprrr token_resptokensrrrrrr_uuidrrrrr=s! rErMrMsuw,           +\\%--"5"5\ 6 6 &;;<<<!#89');<D                 s " "Qt?OQQRR Riikk OOK44 $)92>>As;??:s#C#CDDEE  [ [YZZ Z$333 ! B B"&&z22D  B B B B B B B B!*D '7D# $%3D! ",D !(D !%tL/A!AD  B B B B B B B B B B B B B B B>##d<&88 \\%--"5"5\ 6 6 Y&.""X-- =))){{===,:SS+-?@# #s** $ I#z11"#WTEU#W#WXXX Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y  % N N!*X(M_% N N N N N N N N N N N N N N N F']]+?DD! or:: ! ` `^__ _ \\%--"5"5\ 6 6 &%"6.'-$C$C$C!6%2 ()LM%  J                 !S ( (R*:PRRSS S""zz."55  ?B77  MKLL L            y(( I-r 2 2 8 8 : : A A# F F &% ! #{{}} !$)%#;;;%'     u ! ( ('DN ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( KZXXXXX ,,, GUVWWW ! , ,##J//A ,%( %(VV/"  , , , , , , , , , , , , , , , , , , , , , , , , , , ,,s)9R/ A' R/'A++R/.A+/B5R/$F R/8F R/FR/FA R/%B I>2 R/>JR/J R/ J) R/)J--R/0J-1R/6A(R/$M R/MR/MDR/5R; R/R  R/R R// T89#T34T T3T T3#T $T33T8z(/api/providers/oauth/{provider_id}/startcxKt|tdtD}|vrtddt fdtD}|ddkrtdd|d d  |dd krd krt S|dd krt d{VSnU#t$rt$r>}t dtdt|d}~wwxYwtdd)z.Initiate an OAuth login flow. Token-protected.ch|] }|d SrrrEs rEr(z$start_oauth_login..6 s 6 6 6QtW 6 6 6rGrmzUnknown provider rKc34K|]}|dk|VdS)r}Nr)r&rFrs rEr?z$start_oauth_login..9 s1VVqqw+?U?U?U?U?U?UVVrGr~rz uses an external CLI; run `rz ` manuallyr|r{rNzoauth/start %s failedrzUnsupported flow) rNrrrnextr rYrrrr)rr6valid catalog_entryrs` rEstart_oauth_loginr1 s7 6 65 6 6 6E%4U 4U4UVVVVVVVV$;VVVVVMV **!gg}]?[ggg    <  F * *{k/I/I(** *  M 1 10======== = 2  <<< . <<<CFF;;;;< C0B C C CCsC4 CD(*9D##D(c$eZdZUeed<eed<dS)OAuthSubmitBodyrrNrrrGrErrR s"OOO IIIIIrGrz)/api/providers/oauth/{provider_id}/submitcKt||dkr>tjdt|j|jd{VStdd|)z5Submit the auth code for PKCE flows. Token-protected.r{Nrmzsubmit not supported for rK)rNrVrWrXrrrr)rr r6s rEsubmit_oauth_coderW s7k!!-//?? ($/49          C0YK0Y0Y Z Z ZZrGz4/api/providers/oauth/{provider_id}/poll/{session_id}c>Kt5t|}dddn #1swxYwY|stdd|d|krtdd||d|d |d d S) uBPoll a device-code session's status (no auth — read-only state).NrzSession not found or expiredrKrrmzProvider mismatch for sessionrrri)rrrri)rrr<r)rrrs rEpoll_oauth_sessionrb s //"":../////////////// T4RSSSS J;&&4STTTT x./22hh|,,   s 155z*/api/providers/oauth/sessions/{session_id}cKt|t5t|d}dddn #1swxYwY|dddSd|dS)z0Cancel a pending OAuth session. Token-protected.NFzsession not found)rrT)rr)rNrrr-)rr6rs rEcancel_oauth_sessionrs s7 55"":t44555555555555555 |(;<<<j 1 11sAAAc ddlm}d}|} ||}|r||sdgf|St |ddp2t |ddp!t |ddpt |dd}g}|g|d }|D]<}|||d d||d d ||d dd=n| dd}i} |D]Y}| d } | d } | r+| r)| | g|Zd} |} |g}|h| | r{fd| | D}|snd| | d|dd } ||  | | | {| |f|S#|wxYw)zResolve a session id to the newest child leaf session. /model may create child sessions. Dashboard refresh should continue the newest child instead of reopening the old parent. rr3ct|tr||S ||S#t$r ||cYS#t$rYYdSwxYwwxYwr)rrr<r)rowrindexs rErow_getz+_session_latest_descendant..row_get s c4  773<<  s8O    5z!!!   ttt  s,4 AA A AAAANconn_conn connection _connectionz6SELECT id, parent_session_id, started_at FROM sessionsr}parent_session_idr]r:rX)r}rr:i'rcn t|dpdS#t$rYdSwxYw)Nr:r)rr<r)rs rEstartedz+_session_latest_descendant..started sH SWW\227a888   ss s #& 44cBg|]}|dv|Srr<)r&rrs rErGz._session_latest_descendant.. s-RRR!%%++T:Q:Q!:Q:Q:QrGT)rreverse)r[r4resolve_session_id get_sessionrgrpexecutefetchallrr\r< setdefaultsortadd)rr4rrgrrrowsraw_rowsrchildrenridrrcurrentr| candidatesrs @rE_session_latest_descendantr s '&&&&&    B6##J// "..-- 8f  a B % % 0r7D)) 0r<.. 0r=$//   ||Hhjj     !'#tQ//)06I1)M)M")'#|Q"?"? ((uQ(??D < .; s+;;;v':':!':':':rG)hermes_cli.logsrrr<rrrhermes_loggingrrqupperrerrrr)rrrrrrrlog_namerrr comp_prefixesrrCrs @rEget_logsr s#65555555}}T""H Q4O4O4OPPPP  6)H4H ??  +r*** 5555555     C5;;==E#9#9tI Y__&&%//*..y99  MYMM%)YYv6H/I/I%J%JMM  ! y;M;V<.V s!JJJ ##JJJrGzJFailed to list profiles for cron dashboard; falling back to directory scanrr list_profilesrrr_fallback_profile_dicts profiles_mods rE_cron_profile_dictsrR s{3333335JJ\-G-G-I-IJJJJ 555 cddd&|444445s&3AAprofilecxddlm}|pdpd} ||}||n0#t $r#}t dt|d}~wwxYw||st dd|d || |fS) z=Resolve a profile query value to (profile_name, HERMES_HOME).rrrrmrKNr Profile '' does not exist.) rrranormalize_profile_namevalidate_profile_namer4rrprofile_existsget_profile_dir)rrrcanonrs rE_cron_profile_homer\ s333333  i & & ( ( 5IC<33C88**51111 <<<CFF;;;;<  & &u - -Z4X4X4X4XYYYY ,..u55 55s*A A8A33A8jobhomecnt|}||d<||d<t||d<|dk|d<|S)Nr profile_namerIris_default_profile)rr)rrr annotateds rE_annotate_cron_jobrk sGS I"Ii 'In"4yyIm&-&:I"# rG func_namec t|\ t5ddlm}|j}|j}|j} dz |_|jdz |_|jdz |_ t|||i|}||_||_||_n#||_||_||_wxYw dddn #1swxYwYt|tr fd|DSt|trt| S|S)azRun cron.jobs helpers against the selected profile's cron directory. cron.jobs keeps CRON_DIR/JOBS_FILE/OUTPUT_DIR as module globals resolved from the process HERMES_HOME at import time. The dashboard is a single process that can inspect many profiles, so temporarily retarget those globals while holding a lock and restore them immediately after the call. r)jobsrz jobs.jsonoutputNc2g|]}t|Sr)r)r&jrrs rErGz*_call_cron_for_profile.. s&JJJa"1lD99JJJrG) r_CRON_PROFILE_LOCKrrCRON_DIR JOBS_FILE OUTPUT_DIRrprrrr) rrr5kwargs cron_jobs old_cron_dir old_jobs_fileold_output_dirrCrrs @@rE_call_cron_for_profilert s,G44L$ 22****** ) !+ "-!F] '0;> (1H<  22WY 22DCFCCF!-I "/I #1I ".I "/I #1I 1 1 1 1 222222222222222 &$KJJJJJ6JJJJ&$>!&,=== Ms*AB4!B 7B4 B$$B44B8;B8job_idctD]Y}t|dpd}|s)t|dd}t fd|Dr|cSZdS)NrDr9 list_jobsTc3|K|]6}|dkp|dkV7dS)r}rDNr<)r&r rs rEr?z)_find_cron_job_profile.. sFNNAquuT{{f$?f (?NNNNNNrG)rrr<rany)rrrDrs` rE_find_cron_job_profiler s&((7;;v&&,"--  %dK>> NNNNNNN N N KKK  4rGz/api/cron/jobsrcK|pd}|dkrt|ddSg}tD]y}t |dpd}|s) |t|ddO#t$rt d|YvwxYw|S)NrrTrDr9z'Failed to list cron jobs for profile %s) rarerrrr<extendrrr)r requestedritemrDs rElist_cron_jobsr  s!E((**IE!!%idCCC!#D#%%LL488F##)r**   L KK.t[$GG H H H H L L L NNDd K K K K K L Ks<$B!!%C C z/api/cron/jobs/{job_id}cK|pt|}|stddt|d|}|stdd|S)Nr Job not foundrKget_jobrrrrrselectedrs rE get_cron_jobr' sg8088H EODDDD 9f = =C EODDDD JrGcK t|d|j|j|j|jS#t $r=}t dtdt|d}~wwxYw)N create_job)r(rrDrzPOST /api/cron/jobs failedrmrK) rr(rrDrrrrrr)r rrs rEcreate_cron_jobr* s <%  ;]L      <<< 3444CFF;;;;>=}a@@EAFF  rGcd}g}r`|fdd\}}|dtd||dz |fddd }|rt |D]}|rj |j s6||ffd d\}}||j t|d |||dz ||ffd dd |S) Nc< |S#t$r|cYSwxYwr)r) callable_rs rE_safez&_fallback_profile_dicts.._safe0 s7 9;;    NNN s c.Sr_read_config_model default_homersrEz)_fallback_profile_dicts..9 s (G(G (U(UrGNNrTz.envc.Sr _count_skillsrQsrErSz)_fallback_profile_dicts..A s)C)CL)Q)QrGrrIc.|SrrOrrs rErSz)_fallback_profile_dicts..I s 8W8WX]8^8^rGFc.|SrrVrYs rErSz)_fallback_profile_dicts..Q s9S9STY9Z9ZrG) _get_default_hermes_homeis_dirrrr_get_profiles_rootriterdir_PROFILE_ID_REmatchrD)rrMrrr profiles_rootrrRs` @rErr/ s &(H88::L  % U U U U UWcddx %% $v-5577 5!Q!Q!Q!Q!QSTUU     !3355M M113344  E<<>> )D)J)J5:)V)V #e$^$^$^$^$^`lmmOE8 OO E #$!FN2244$u%%Z%Z%Z%Z%Z\]^^     OrGcddlm} ||n0#t$r#}t dt |d}~wwxYw||st dd|d||S) zIValidate ``name`` and resolve to its directory or raise an HTTPException.rrrmrKNrrr)rrrr4rrrr)rDrrs rE_resolve_profile_dirrcW s333333<**40000 <<<CFF;;;;<  & &t , ,Y4W4W4W4WXXXX  ' ' - --s A AA c:t||dkrdn|dS)z@Return the shell command used to configure a profile in the CLI.rz hermes setupz setup)rcrCs rE_profile_setup_commandrec s*!Y..>>tOOOCrGz /api/profilescKddlm} dd|DiS#t$r.tddt |icYSwxYw)Nrrrc,g|]}t|SrrrEs rErGz*list_profiles_endpoint..m s!WWWQ-a00WWWrGz@GET /api/profiles failed; falling back to profile directory scanrrs rElist_profiles_endpointrhi s333333CWW,:T:T:V:VWWWXX CCC YZZZ3LAABBBBCs*5A"!A"cTKddlm} ||j|jrdnd|j|j}|js||d||j}|s||jn#tttf$r#}tdt|d}~wt$r=}td td t|d}~wwxYwd|jt|d S) Nrrr)rD clone_from clone_configr=T)quietrmrKzPOST /api/profiles failedrrrDr|)rrcreate_profilerDr<r=seed_profile_skillscheck_alias_collisioncreate_wrapper_scriptr4FileExistsErrorFileNotFoundErrorrrrrr)r rr| collisionrs rEcreate_profile_endpointrus sN333333<**$($;Eyy0n +  & ?  , ,T , > > >!66tyAA  :  . .ty 9 9 9 ): ;<<<CFF;;;; <<< 2333CFF;;;;< 3t99 = ==s$BBD'C D8D  Dz"/api/profiles/{name}/setup-commandc(Kdt|iS)Ncommand)rerCs rEget_profile_setup_commandrx s -d33 44rGz"/api/profiles/{name}/open-terminalcK t|}tjdrt jdddd|gntjdkrH|ddd d }d |d }t jd d|gnddddd|gfddddd|gfddddd|gfdddd|dgfdddd|dgfdddd|dgfddddd|gfddddd|gfdddd|gfddddd|gfg }|D]L\}}t jd|gtjtjd krt j|nMtd!d"#n#t$r#}td$t|#d}~wt$r#}td!t|#d}~wt$rt$r>}td%|td&t|#d}~wwxYwd'|d(S))Nwinzcmd.exez/crLr9darwin\z\\rz\"z0tell application "Terminal" activate do script "z " end tell osascriptz-ezx-terminal-emulatorshz-lczgnome-terminalz--konsolezxfce4-terminalzsh -lc ''z mate-terminal lxterminaltilix alacrittykittyxtermwhich)r|r}rrmz$No supported terminal emulator foundrKrz*POST /api/profiles/%s/open-terminal failedrT)rrw)rerr'rbrrrcallrrrsrr4rrr)rDrwescaped applescriptterminal_commandsr popen_argsrs rEopen_profile_terminal_endpointr s0<(.. < " "5 ) )$   iwGD E E E E \X % %oodF33;;CGGG%   k4= > > > >')>dESZ([\!$4dD%#QRYdE7CD!$4d}t d|t dt |d}~wwxYwd|jt |d S) NrrrrKrmzPATCH /api/profiles/%s failedrTrm) rrrename_profiler@rsrrr4rrrrr)rDr rr|rs rErename_profile_endpointr s333333<**4?? <<<CFF;;;;  (<<<CFF;;;; <<< 6===CFF;;;;< s4yy A AAs,& C AC "B C  9CC cKddlm} ||d}n#t$r#}t dt |d}~wt $r#}t dt |d}~wt$r>}t d |t d t |d}~wwxYwdt |d S) zDelete a profile. The dashboard collects the user's confirmation in its own dialog before this request, so we always pass ``yes=True`` to skip the CLI's interactive prompt.rrT)yesrrKNrmzDELETE /api/profiles/%s failedr)rr|) rrdelete_profilersrrr4rrr)rDrr|rs rEdelete_profile_endpointr s 433333<**4T*:: <<<CFF;;;; <<<CFF;;;; <<< 7>>>CFF;;;;<D * **s," CA  CA55 C9B;;Cz/api/profiles/{name}/soulcKt|dz }|r@ |dddS#t$r}t dd|d}~wwxYwd d dS) NSOUL.mdrrT)rorrzCould not read SOUL.md: rKr9F)rcrrrr)rD soul_pathrs rEget_profile_soulr s$T**Y6IX X(22G2DDPTUU U X X XC8VST8V8VWWW W XU + ++sA A& A!!A&cKt|dz } ||jdnA#t$r4}td|t dd|d}~wwxYwdd iS) Nrrrz PUT /api/profiles/%s/soul failedrzCould not write SOUL.md: rKrT)rc write_textrorrrr)rDr rrs rEupdate_profile_soulr s$T**Y6IUT\G<<<< UUU 94@@@4SPQ4S4STTTTU $<s3 A1/A,,A1c$eZdZUeed<eed<dS) SkillTogglerDenabledN)rrrrrrrrGrErr s" III MMMMMrGrz /api/skillscKddlm}ddlm}t }||}|d}|D]}|d|v|d<|S)Nr)_find_all_skills)get_disabled_skillsT) skip_disabledrDr)tools.skills_toolrhermes_cli.skills_configrr)rrrdisabledrr=s rE get_skillsr s~222222<<<<<< ]]F""6**H  D 1 1 1F 11y0) MrGz/api/skills/togglecKddlm}m}t}||}|jr||jn||j|||d|j|jdS)Nr)rsave_disabled_skillsT)rrDr)rrrrrdiscardrDr)r rrrrs rE toggle_skillr sRRRRRRRR ]]F""6**H | #### TY*** dl C CCrGz/api/tools/toolsetsc PKddlm}m}m}ddlm}t }||dd}g}|D]j\}}} tt||} n#t$rg} YnwxYw||v} | ||| | | |||| dk|S)Nr)$_get_effective_configurable_toolsets_get_platform_tools_toolset_has_keys)resolve_toolsetcliF)include_default_mcp_servers)rDrrr available configuredr=) hermes_cli.tools_configrrrtoolsetsrrrsetrr) rrrrrenabled_toolsetsrCrDrdescr= is_enableds rE get_toolsetsr' s= )((((( ]]F** $) FAACC   eT 3t445566EE   EEE --  5!#++D&99        Ms%A(( A76A7ceZdZUeed<dS)RawConfigUpdate yaml_textNrrrGrErrL sNNNNNrGrz/api/config/rawcKt}|sddiSd|diS)Nyamlr9rr)rrr)r|s rEget_config_rawrP sD   D ;;==| DNNGN44 55rGcK tj|j}t|tst ddt |ddiS#tj$r}t dd|d}~wwxYw)NrmzYAML must be a mappingrKrTzInvalid YAML: )r safe_loadrrrrr YAMLError)r parsedrs rEupdate_config_rawrX sJ//&$'' RC8PQQQ QFd| >JJJ4HQ4H4HIIIIJsAAA>%A99A>z/api/analytics/usagedayscKddlm}ddlm}|} t j|dzz }|jd|f}d|D}|jd|f}d|D}|jd |f} t| } || | } | d ddddd gd } ||| || d| S#| wxYw)Nrr3)InsightsEngineQa} SELECT date(started_at, 'unixepoch') as day, SUM(input_tokens) as input_tokens, SUM(output_tokens) as output_tokens, SUM(cache_read_tokens) as cache_read_tokens, SUM(reasoning_tokens) as reasoning_tokens, COALESCE(SUM(estimated_cost_usd), 0) as estimated_cost, COALESCE(SUM(actual_cost_usd), 0) as actual_cost, COUNT(*) as sessions, SUM(COALESCE(api_call_count, 0)) as api_calls FROM sessions WHERE started_at > ? GROUP BY day ORDER BY day c,g|]}t|Srrr&rs rErGz'get_usage_analytics..~ s111Qa111rGa SELECT model, SUM(input_tokens) as input_tokens, SUM(output_tokens) as output_tokens, COALESCE(SUM(estimated_cost_usd), 0) as estimated_cost, COUNT(*) as sessions, SUM(COALESCE(api_call_count, 0)) as api_calls FROM sessions WHERE started_at > ? AND model IS NOT NULL GROUP BY model ORDER BY SUM(input_tokens) + SUM(output_tokens) DESC c,g|]}t|Srrrs rErGz'get_usage_analytics.. s555DGG555rGa2 SELECT SUM(input_tokens) as total_input, SUM(output_tokens) as total_output, SUM(cache_read_tokens) as total_cache_read, SUM(reasoning_tokens) as total_reasoning, COALESCE(SUM(estimated_cost_usd), 0) as total_estimated_cost, COALESCE(SUM(actual_cost_usd), 0) as total_actual_cost, COUNT(*) as total_sessions, SUM(COALESCE(api_call_count, 0)) as total_api_calls FROM sessions WHERE started_at > ? )rr)total_skill_loadstotal_skill_editstotal_skill_actionsdistinct_skills_used)summary top_skills)dailyby_modeltotals period_daysr) r[r4agent.insightsrr]rrrrfetchonegenerater<rg) rr4rrgrQcurrcur2rcur3rinsights_reportrs rEget_usage_analyticsri s&&&&&&------ B<u -h Y  21#,,..111x ! Y  65T]]__555x ! Y  dmmoo&&(.,,5545@@ $$X%&%&'(()  0 0          s DD==Ez/api/analytics/modelscfKddlm}|} tj|dzz }|jd|f}d|D}g}|D]}|dpd}|d} i} dd lm} | || } | '| j | j | j | j | j | jd } n#t$rYnwxYw|| ||d |d|d|d|d|d|d|d|d|d|d| d|jd|f} t#| }|||d|S#|wxYw)zRich per-model analytics for the Models dashboard page. Returns token/cost/session breakdown per model plus capability metadata from models.dev (context window, vision, tools, reasoning, etc.). rr3ra SELECT model, billing_provider, SUM(input_tokens) as input_tokens, SUM(output_tokens) as output_tokens, SUM(cache_read_tokens) as cache_read_tokens, SUM(reasoning_tokens) as reasoning_tokens, COALESCE(SUM(estimated_cost_usd), 0) as estimated_cost, COALESCE(SUM(actual_cost_usd), 0) as actual_cost, COUNT(*) as sessions, SUM(COALESCE(api_call_count, 0)) as api_calls, SUM(tool_call_count) as tool_calls, MAX(started_at) as last_used_at, AVG(input_tokens + output_tokens) as avg_tokens_per_session FROM sessions WHERE started_at > ? AND model IS NOT NULL AND model != '' GROUP BY model, billing_provider ORDER BY SUM(input_tokens) + SUM(output_tokens) DESC c,g|]}t|Srrrs rErGz(get_models_analytics.. s000AQ000rGbilling_providerr9rrrNr input_tokens output_tokenscache_read_tokensreasoning_tokensestimated_cost actual_costrh api_calls tool_calls last_used_atavg_tokens_per_session)rrrrrrrrrhrrrrra SELECT COUNT(DISTINCT model) as distinct_models, SUM(input_tokens) as total_input, SUM(output_tokens) as total_output, SUM(cache_read_tokens) as total_cache_read, SUM(reasoning_tokens) as total_reasoning, COALESCE(SUM(estimated_cost_usd), 0) as total_estimated_cost, COALESCE(SUM(actual_cost_usd), 0) as total_actual_cost, COUNT(*) as total_sessions, SUM(COALESCE(api_call_count, 0)) as total_api_calls FROM sessions WHERE started_at > ? AND model IS NOT NULL AND model != '' )modelsrr)r[r4r]rrrr<rrrrrrrrrrrrrg)rr4rgrQrrrrrr rrr totals_currs rEget_models_analyticsr s>'&&&&& BPu -h "Y#$10000" " Cww1228bHWJD CCCCCC++XZPPP>*,*;+-+=.0.C*,*;-/-A(* D     MM#$ #N 3!$_!5%()<%=$'(:$;"%&6"7"=1 O -!,/ #N 3*-.F*G $    "X%% ' Y   j))++,,    s1A:FrO testclientrPrQwsrcttjddrdS|jr |jjnd}|sdS|t vS)uCheck if the WebSocket client IP is acceptable. Loopback mode: only loopback clients allowed — the legacy ``?token=<_SESSION_TOKEN>`` path is the only auth we have, so we don't want LAN hosts guessing tokens. Gated mode: any peer is allowed — uvicorn's ``proxy_headers=True`` (enabled when the OAuth gate is active so cookies can pick up ``X-Forwarded-Proto``) rewrites ``ws.client.host`` to the X-Forwarded-For value, which is the real internet client IP. The OAuth gate + single-use ``?ticket=`` is the auth at that point; the Host/Origin guard in :func:`_ws_host_origin_is_allowed` is what blocks DNS-rebinding here, not the peer IP. rzFTr9)rprqrrr+rS_LOOPBACK_HOSTS)r client_hosts rE_ws_client_is_allowedr2 sKsy/511t$&I5")..2K t / ))rGcdttjdd}|sdS|jdd}t ||sdS|jdd}|sdSt j|}|j dvs|j sdSt |j |S) aApply the dashboard Host/Origin guard to WebSocket upgrades. FastAPI HTTP middleware does not run for WebSocket routes, so the DNS-rebinding Host check used for normal dashboard HTTP requests must be repeated here before accepting the upgrade. Browsers also send an Origin header on WebSocket handshakes; when present, require it to target the same bound dashboard host. rXNTrSr9Forigin>rkhttps) rprqrrr;r<rjrrurlparseschemenetloc)rrXrWrrs rE_ws_host_origin_is_allowedrI sL$77J t*..,,K [* 5 5u Z^^Hb ) )F t \ " "6 * *F }---V]-u V]J 7 77rGc>t|ot|S)zDReturn True when the WebSocket upgrade matches dashboard boundaries.)rr)rs rE_ws_request_is_allowedre s %b ) ) G.CB.G.GGrGc$tttjdd}|r|jdd}|sdSddlm}m}ddl m }m } ||dS#|$rI}||j t||jr |jjnd|jj Yd }~dSd }~wwxYw|jd d}t%j|t*S) aValidate WS-upgrade auth in either loopback or gated mode. Loopback / ``--insecure``: legacy ``?token=<_SESSION_TOKEN>`` query parameter, constant-time compared. Gated (public bind, no ``--insecure``): ``?ticket=`` query parameter consumed against the dashboard-auth ticket store. The legacy token path is unconditionally rejected in this mode (the SPA bundle isn't carrying the token any longer). Returns True if the WS should be accepted; callers close with the appropriate WS code (4401) on False. Audit-logs the rejection so operators can debug "WS keeps closing" issues from the log. rzFticketr9r) AuditEvent audit_log) TicketInvalidconsume_ticketT)reasonipr|Nr)rrprqrr query_paramsr<hermes_cli.dashboard_auth.auditrr$hermes_cli.dashboard_auth.ws_ticketsrrWS_TICKET_REJECTEDrr+rSr{r|r>r?r@rA) rrzrrrrrrrs rE _ws_auth_okr j sWOUCCDDM$$Xr22 5 JIIIIIII         N6 " " "4    I-3xx&(i7BINNRV[      55555  O   , ,E  u||~~~/D/D/F/F G GGs A((B6->B11B6_event_channelsresume sidecar_urlcddlm}m}||dz d\}}tj}|dd|dd |d d |rt|\}}|r|}||d <|r||d <t||rt|nd |fS)uResolve the argv + cwd + env for the chat PTY. Default: whatever ``hermes --tui`` would run. Tests monkeypatch this function to inject a tiny fake command (``cat``, ``sh -c 'printf …'``) so nothing has to build Node or the TUI bundle. Session resume is propagated via the ``HERMES_TUI_RESUME`` env var — matching what ``hermes_cli.main._launch_tui`` does for the CLI path. Appending ``--resume `` to argv doesn't work because ``ui-tui`` does not parse its argv. `sidecar_url` (when set) is forwarded as ``HERMES_TUI_SIDECAR_URL`` so the spawned ``tui_gateway.entry`` can mirror dispatcher emits to the dashboard's ``/api/pub`` endpoint (see :func:`pub_ws`). r)r_make_tui_argvzui-tuiF)tui_devNODE_ENV productionHERMES_TUI_DISABLE_MOUSEryHERMES_TUI_INLINEHERMES_TUI_RESUMEHERMES_TUI_SIDECAR_URLN) hermes_cli.mainrrrrcopyrrrr) rrrrargvrzr~ latest_resume _latest_paths rE_resolve_chat_argvr s&=<<<<<<<|h6FFFID# *//  CNN:|,,,NN-s333NN&,,, *&@&H&H# |  #"F#)  4(3 $% ::30s3xxxD# 55rGchannelcttjdd}ttjdd}|r|sdSd|vr|dsd|d|n|d|}ttjddr6d d lm}|d d }t j||d}n't jt|d}d|d|S)uws:// URL the PTY child should publish events to, or None when unbound. Loopback / ``--insecure``: uses ``?token=<_SESSION_TOKEN>``. Gated mode: mints a single-use ticket via the dashboard-auth ticket store (server-side mint, no HTTP round trip — the PTY child is a server-spawned process and we trust it). The ticket binds to the pseudo-user ``"pty-sidecar"`` so audit logs can distinguish these from browser-initiated tickets. The single-use lifetime means the PTY child cannot reconnect without a new sidecar URL. PTY children open ``/api/pub`` once at startup; if reconnect semantics ever become important, this should be upgraded to a long-lived process-scoped token. rXN bound_portr^rZz]:rzFr) mint_ticketz pty-sidecarzserver-internal)user_idr)rr )rr zws://z /api/pub?) rprqrrrbr r#rrr rA)r rSportrr#rqss rE_build_sidecar_urlr' s 39lD 1 1D 39lD 1 1D tt#&$;;ts7K7K;      TXQaQa[_QaQaFsy/511SDDDDDD]=NOOO \ # #v'$J$J K K \ # #n$Q$Q R R (6 ( (B ( ((rGrcXKt4d{Vtt|d}dddd{Vn#1d{VswxYwY|D]K} ||d{V#t $r t d|dYHwxYwdS)z=Fan out one publisher frame to every subscriber on `channel`.Nrz*broadcast send failed for subscriber on %sT)exc_info) _event_lockrrr< send_textrrr)r rsubssubs rE_broadcast_eventr. se66666666O''4455666666666666666666666666666__ _--(( ( ( ( ( ( ( ( ( _ _ _ LLEwY]L ^ ^ ^ ^ ^ ___s#)A  AA!A=='B'&B'ct|jdd}t|r|ndS)z?Return the channel id from the query string or None if invalid.r r9N)r r<_VALID_CHANNEL_REr`rr s rE_channel_or_close_coder2 s6o!!)R00G'--g66 @77D@rGz/api/ptycKtsdd{VdStsdd{VdStsdd{VdSd{Vt s9dd{Vdd{VdSjdpd}t}|rt|nd} t||\}}}nS#t$rF}d|d d{Vdd{VYd}~dSd}~wwxYw tj||| n#t$rF}d|d d{Vdd{VYd}~dSd}~wt t"f$rF}d |d d{Vdd{VYd}~dSd}~wwxYwt%jdfd }t%j|} d{V} | d} | dkrn| d} | A| d} t-| t.r| dnd} | st2| }|r|t9| kr]t;|d}t;|d}||1 | Gn#tB$rYnwxYw| " | d{Vn#t$j#tHf$rYnwxYwdS#| " | d{Vn#t$j#tHf$rYnwxYwwxYw)N3r1u Chat unavailable: the embedded terminal requires a POSIX PTY, which native Windows Python doesn't provide. Install Hermes inside WSL2 to use the dashboard's /chat tab — the rest of the dashboard works here. ir)rrz Chat unavailable: z )rzr~z Chat failed to start: r7cK djtd{V}|dS|stjdd{VI |d{Vn#t $rYdSwxYww)NTr)rXr_PTY_READ_CHUNK_TIMEOUTrVrO send_bytesr)chunkbridgercrs rEpump_pty_to_wszpty_ws..pump_pty_to_ws<s ..fk#:E} mA&&&&&&&&& mmE**********     sA** A87A8Trzwebsocket.disconnectbytesrrrGr]rX)colsrr7N)% _DASHBOARD_EMBEDDED_CHAT_ENABLEDrgr raccept_PTY_BRIDGE_AVAILABLEr+r r<r2r'r SystemExitrspawnrrsrrVrW create_taskreceiverrr@ _RESIZE_REr`endrrgroupresizerrcancelCancelledErrorr)rrr rrrzr~rr< reader_taskmsgmsg_typerrr`r>rr;rcs` @@rEpty_wsrPs +hhDh!!!!!!!!! r??hhDh!!!!!!!!! !" % %hhDh!!!!!!!!! ))++ !ll G         hhDh!!!!!!!!!_  * * 2dF$R((G18B$W---dK+6{SSSc33 llLCLLLMMMMMMMMMhhDh!!!!!!!!!  3C888 llLCLLLMMMMMMMMMhhDh!!!!!!!!! w 'llPPPPQQQQQQQQQhhDh!!!!!!!!!  # % %D        %nn&6&677K  $$$$$$CwwvH111'''""C{wwv.8s.C.CLdkk'*** $$S))E C005;;q>>**5;;q>>** 4d 333 LL   ) "                & 2    D            & 2    D  sD44 F>;E??FF I*;G++I?;IIEO P) OP)OP).O77PP)Q9?QQ9Q!Q9 Q!!Q9z/api/wsc6Kts|dd{VdSt|s|dd{VdSt|s|dd{VdSddlm}||d{VdS)Nr4r5r6r) handle_ws)r@rgr rtui_gateway.wsrR)rrRs rE gateway_wsrTzs +hhDh!!!!!!!!! r??hhDh!!!!!!!!! !" % %hhDh!!!!!!!!!(((((( )B--rGz/api/pubcKts|dd{VdSt|s|dd{VdSt|s|dd{VdSt |}|s|dd{VdS|d{V t ||d{Vd{V/#t$rYdSwxYwNr4r5r6i0) r@rgr rr2rAr. receive_textrr1s rEpub_wsrXs~ +hhDh!!!!!!!!! r??hhDh!!!!!!!!! !" % %hhDh!!!!!!!!!$R((G hhDh!!!!!!!!! ))++  E"7"//2C2C,C,C,C,C,C,CDD D D D D D D D E      s 0C<< D  D z /api/eventscKts|dd{VdSt|s|dd{VdSt|s|dd{VdSt |}|s|dd{VdS|d{Vt 4d{Vt|t |dddd{Vn#1d{VswxYwY | d{V#t$rYnwxYw t 4d{Vt |}|2|||st|ddddd{VdS#1d{VswxYwYdS#t 4d{Vt |}|2|||st|ddddd{Vw#1d{VswxYwYwxYwrV)r@rgr rr2rAr*rrrrrWrr<rr-)rr r,s rE events_wsrZsU +hhDh!!!!!!!!! r??hhDh!!!!!!!!! !" % %hhDh!!!!!!!!!$R((G hhDh!!!!!!!!! ))++;;;;;;;;""7CEE2266r:::;;;;;;;;;;;;;;;;;;;;;;;;;;;7 $//## # # # # # # #  $        7 7 7 7 7 7 7 7"&&w//D R   7#''666 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7; 7 7 7 7 7 7 7 7"&&w//D R   7#''666 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7sn;D%% D/2D/7E E G&E  G&1AG G G&I'4AII' I I'"I #I'rc$ddlm}||S)uANormalise an X-Forwarded-Prefix header value. Thin re-export of :func:`hermes_cli.dashboard_auth.prefix.normalise_prefix` — the single source of truth lives in the dashboard_auth package so the gate middleware, the OAuth routes, the cookie helpers, and the SPA mount all agree on validation rules. r)normalise_prefix) hermes_cli.dashboard_auth.prefixr\)rr\s rE_normalise_prefixr^s(BAAAAA  C  rG applicationcts(|ddtfd}dStdz ddtffd |d d td tfd }|d t tdz d|ddtd tffd }dS)aMount the built SPA. Falls back to index.html for client-side routing. The session token is injected into index.html via a ``z)