[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74008":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":25,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":16,"starSnapshotCount":16,"syncStatus":35,"lastSyncTime":36,"discoverSource":37},74008,"hermes-webui","nesquena\u002Fhermes-webui","nesquena","Hermes WebUI: The best way to use Hermes Agent from the web or from your phone!","https:\u002F\u002Fget-hermes.ai\u002F",null,"Python",14169,1741,50,170,0,546,4335,5781,1638,119.72,"MIT License",false,"master",true,[27,28,29,30,31],"agent","ai-agents","hermes","hermes-agent","nous-research","2026-06-12 04:01:12","# Hermes Web UI\n\n[Hermes Agent](https:\u002F\u002Fhermes-agent.nousresearch.com\u002F) is a sophisticated autonomous agent that lives on your server, accessed via a terminal or messaging apps, that remembers what it learns and gets more capable the longer it runs.\n\nHermes WebUI is a lightweight, dark-themed web app interface in your browser for [Hermes Agent](https:\u002F\u002Fhermes-agent.nousresearch.com\u002F).\nFull parity with the CLI experience - everything you can do from a terminal,\nyou can do from this UI. No build step, no framework, no bundler. Just Python\nand vanilla JS.\n\nLayout: three-panel. Left sidebar for sessions and navigation, center for chat,\nright for workspace file browsing. Model, profile, and workspace controls live in\nthe **composer footer** — always visible while composing. A circular context ring\nshows token usage at a glance. All settings and session tools are in the\n**Hermes Control Center** (launcher at the sidebar bottom).\n\n\u003Cimg width=\"2448\" height=\"1748\" alt=\"Hermes Web UI — three-panel layout\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F6bf8af4c-209d-441e-8b92-6515d7a0c369\" \u002F>\n\n\u003Ctable>\n  \u003Ctr>\n    \u003Ctd width=\"50%\" align=\"center\">\n      \u003Cimg width=\"2940\" height=\"1848\" alt=\"Light mode with full profile support\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F4ef3a59c-7a66-4705-b4e7-cb9148fe4c47\" \u002F>\n      \u003Cbr \u002F>\u003Csub>Light mode with full profile support\u003C\u002Fsub>\n    \u003C\u002Ftd>\n    \u003Ctd width=\"50%\" align=\"center\">\n      \u003Cimg alt=\"Customize your settings, configure a password\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F941f3156-21e3-41fd-bcc8-f975d5000cb8\" \u002F>\n      \u003Cbr \u002F>\u003Csub>Customize your settings, configure a password\u003C\u002Fsub>\n    \u003C\u002Ftd>\n  \u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003Ctable>\n  \u003Ctr>\n    \u003Ctd width=\"50%\" align=\"center\">\n      \u003Cimg alt=\"Workspace file browser with inline preview\" src=\"docs\u002Fimages\u002Fui-workspace.png\" \u002F>\n      \u003Cbr \u002F>\u003Csub>Workspace file browser with inline preview\u003C\u002Fsub>\n    \u003C\u002Ftd>\n    \u003Ctd width=\"50%\" align=\"center\">\n      \u003Cimg alt=\"Session projects, tags, and tool call cards\" src=\"docs\u002Fimages\u002Fui-sessions.png\" \u002F>\n      \u003Cbr \u002F>\u003Csub>Session projects, tags, and tool call cards\u003C\u002Fsub>\n    \u003C\u002Ftd>\n  \u003C\u002Ftr>\n\u003C\u002Ftable>\n\nThis gives you nearly **1:1 parity with Hermes CLI from a convenient web UI** which you can access securely through an SSH tunnel from your Hermes setup. Single command to start this up, and a single command to SSH tunnel for access on your computer. Every single part of the web UI uses your existing Hermes agent and existing models, without requiring any additional setup.\n\n---\n\n## Why Hermes\n\nMost AI tools reset every session. They don't know who you are, what you worked on, or what\nconventions your project follows. You re-explain yourself every time.\n\nHermes retains context across sessions, runs scheduled jobs while you're offline, and gets\nsmarter about your environment the longer it runs. It uses your existing Hermes agent setup,\nyour existing models, and requires no additional configuration to start.\n\nWhat makes it different from other agentic tools:\n\n- **Persistent memory** — user profile, agent notes, and a skills system that saves reusable\n  procedures; Hermes learns your environment and does not have to relearn it\n- **Self-hosted scheduling** — cron jobs that fire while you're offline and deliver results to\n  Telegram, Discord, Slack, Signal, email, and more\n- **10+ messaging platforms** — the same agent available in the terminal is reachable from your phone\n- **Self-improving skills** — Hermes writes and saves its own skills automatically from experience;\n  no marketplace to browse, no plugins to install\n- **Provider-agnostic** — OpenAI, Anthropic, Google, DeepSeek, OpenRouter, and more\n- **Orchestrates other agents** — can spawn Claude Code or Codex for heavy coding tasks and bring\n  the results back into its own memory\n- **Self-hosted** — your conversations, your memory, your hardware\n\n**vs. the field** *(landscape is actively shifting — see [HERMES.md](HERMES.md) for the full breakdown)*:\n\n| | OpenClaw | Claude Code | Codex CLI | OpenCode | Hermes |\n|---|---|---|---|---|---|\n| Persistent memory (auto) | Yes | Partial† | Partial | Partial | Yes |\n| Scheduled jobs (self-hosted) | Yes | No‡ | No | No | Yes |\n| Messaging app access | Yes (15+ platforms) | Partial (Telegram\u002FDiscord preview) | No | No | Yes (10+) |\n| Web UI (self-hosted) | Dashboard only | No | No | Yes | Yes |\n| Self-improving skills | Partial | No | No | No | Yes |\n| Python \u002F ML ecosystem | No (Node.js) | No | No | No | Yes |\n| Provider-agnostic | Yes | No (Claude only) | Yes | Yes | Yes |\n| Open source | Yes (MIT) | No | Yes | Yes | Yes |\n\n† Claude Code has CLAUDE.md \u002F MEMORY.md project context and rolling auto-memory, but not full automatic cross-session recall  \n‡ Claude Code has cloud-managed scheduling (Anthropic infrastructure) and session-scoped `\u002Floop`; no self-hosted cron\n\n**The closest competitor is OpenClaw** — both are always-on, self-hosted, open-source agents\nwith memory, cron, and messaging. The key differences: Hermes writes and saves its own skills\nautomatically as a core behavior (OpenClaw's skill system centers on a community marketplace);\nHermes is more stable across updates (OpenClaw has documented release regressions and ClawHub\nhas had security incidents involving malicious skills); and Hermes runs natively in the Python\necosystem. See [HERMES.md](HERMES.md) for the full side-by-side.\n\n---\n\n## Quick start\n\nRun the repo bootstrap:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fnesquena\u002Fhermes-webui.git hermes-webui\ncd hermes-webui\npython3 bootstrap.py\n```\n\nOr keep using the shell launcher:\n\n```bash\n.\u002Fstart.sh\n```\n\nFor self-hosted VM or homelab installs, `ctl.sh` wraps the common daemon lifecycle commands without requiring `fuser` or `pkill`:\n\n```bash\n.\u002Fctl.sh start              # background daemon, PID at ~\u002F.hermes\u002Fwebui.pid\n.\u002Fctl.sh status             # PID, uptime, bound host\u002Fport, log path, \u002Fhealth\n.\u002Fctl.sh logs --lines 100   # tail ~\u002F.hermes\u002Fwebui.log\n.\u002Fctl.sh restart\n.\u002Fctl.sh stop\n```\n\n`ctl.sh start` runs the bootstrap in foreground\u002Fno-browser mode behind the daemon wrapper, writes logs to `~\u002F.hermes\u002Fwebui.log`, and respects `.env` plus inline overrides such as `HERMES_WEBUI_HOST=0.0.0.0 .\u002Fctl.sh start`.\n\nThe bootstrap will:\n\n1. Detect Hermes Agent and, if missing, attempt the official installer (`curl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002FNousResearch\u002Fhermes-agent\u002Fmain\u002Fscripts\u002Finstall.sh | bash`).\n2. Find or create a Python environment with the WebUI dependencies.\n3. Start the web server and wait for `\u002Fhealth`.\n4. Open the browser unless you pass `--no-browser`.\n5. Drop you into a first-run onboarding wizard inside the WebUI.\n\n> Native Windows is not supported for this bootstrap yet. Use Linux, macOS, or WSL2.\n> For Windows \u002F WSL auto-start at login, see [`docs\u002Fwsl-autostart.md`](docs\u002Fwsl-autostart.md).\n> A community-maintained native Windows guide is tracked in [#1952](https:\u002F\u002Fgithub.com\u002Fnesquena\u002Fhermes-webui\u002Fissues\u002F1952).\n\nIf provider setup is still incomplete after install, the onboarding wizard will point you to finish it with `hermes model` instead of trying to replicate the full CLI setup in-browser.\nFor a step-by-step walkthrough of the wizard, provider choices, local model server Base URLs, and safe re-runs, see [`docs\u002Fonboarding.md`](docs\u002Fonboarding.md).\nIf an AI assistant is helping with install, reinstall, bootstrap, provider setup, or first-run support, have it read [`docs\u002Fonboarding-agent-checklist.md`](docs\u002Fonboarding-agent-checklist.md) before running commands or inspecting logs.\n\n---\n\n## Docker\n\n**Pre-built images** (amd64 + arm64) are published to GHCR on every release.\n\nFor a comprehensive setup guide covering all 3 compose files, common failure modes, and bind-mount migration, see [`docs\u002Fdocker.md`](docs\u002Fdocker.md). The README covers the 5-minute happy path.\n\n### 5-minute quickstart (single container)\n\nThe simplest setup: one WebUI container that runs the agent in-process.\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fnesquena\u002Fhermes-webui\ncd hermes-webui\ncp .env.docker.example .env\n# Edit .env if your host UID isn't 1000 (e.g. macOS where UIDs start at 501)\ndocker compose up -d\n# Open http:\u002F\u002Flocalhost:8787\n```\n\nThe container auto-detects your UID\u002FGID from the mounted `~\u002F.hermes` volume so files written by the agent stay readable by you on the host.\n\nTo enable password protection (required if you expose the port outside `127.0.0.1`):\n\n```bash\necho \"HERMES_WEBUI_PASSWORD=change-me-to-something-strong\" >> .env\ndocker compose up -d --force-recreate\n```\n\n### Manual `docker run` (no compose)\n\n```bash\ndocker pull ghcr.io\u002Fnesquena\u002Fhermes-webui:latest\ndocker run -d \\\n  -e WANTED_UID=$(id -u) -e WANTED_GID=$(id -g) \\\n  -v ~\u002F.hermes:\u002Fhome\u002Fhermeswebui\u002F.hermes \\\n  -e HERMES_WEBUI_STATE_DIR=\u002Fhome\u002Fhermeswebui\u002F.hermes\u002Fwebui \\\n  -v ~\u002Fworkspace:\u002Fworkspace \\\n  -p 127.0.0.1:8787:8787 \\\n  ghcr.io\u002Fnesquena\u002Fhermes-webui:latest\n```\n\n### Build locally\n\n```bash\ndocker build -t hermes-webui .\ndocker run -d \\\n  -e WANTED_UID=$(id -u) -e WANTED_GID=$(id -g) \\\n  -v ~\u002F.hermes:\u002Fhome\u002Fhermeswebui\u002F.hermes \\\n  -e HERMES_WEBUI_STATE_DIR=\u002Fhome\u002Fhermeswebui\u002F.hermes\u002Fwebui \\\n  -v ~\u002Fworkspace:\u002Fworkspace \\\n  -p 127.0.0.1:8787:8787 \\\n  hermes-webui\n```\n\n### Multi-container setups\n\nIf you want the agent and WebUI in separate containers (for isolation, or because you're already running an agent gateway elsewhere):\n\n```bash\n# Agent + WebUI\ndocker compose -f docker-compose.two-container.yml up -d\n\n# Agent + Dashboard + WebUI\ndocker compose -f docker-compose.three-container.yml up -d\n```\n\nBoth compose files use **named Docker volumes** by default, which solves the UID\u002FGID problem by construction. If you need bind mounts to share an existing host directory, see [`docs\u002Fdocker.md`](docs\u002Fdocker.md) for the full migration recipe.\n\n> **Known limitation (#681)**: in the two-container setup, tools triggered from the WebUI run in the **WebUI container**, not the agent container. If you need git\u002Fnode\u002Fetc. on the WebUI's filesystem, either use the single-container setup, extend the WebUI Dockerfile, or use the community [all-in-one image](https:\u002F\u002Fgithub.com\u002Fsunnysktsang\u002Fhermes-suite).\n>\n> **Source boundary note (#2453)**: the multi-container setup mounts `hermes-agent-src` read-only into the WebUI by default. This prevents WebUI-side source rewrites but is still an implementation-coupling bridge, not a stable Agent API boundary. See [`docs\u002Frfcs\u002Fagent-source-boundary.md`](docs\u002Frfcs\u002Fagent-source-boundary.md) for the current source\u002FAPI decoupling inventory.\n\n### Common failure modes\n\n| Symptom | Likely cause | Fix |\n|---|---|---|\n| `PermissionError` at startup | UID mismatch on bind mount | Set `UID=$(id -u)` in `.env` |\n| `.env: permission denied` (#1389) | `fix_credential_permissions()` enforced 0600 | Set `HERMES_SKIP_CHMOD=1` in `.env` |\n| Workspace appears empty | UID mismatch on `\u002Fworkspace` mount | Set `UID=$(id -u)` in `.env` |\n| `git: command not found` in chat | Two-container architectural limit (#681) | Use single-container or extend Dockerfile |\n| WebUI can't find agent source | `hermes-agent-src` volume misconfigured | Use the named volumes from compose files as-is |\n| Podman shared `.hermes` fails | Podman 3.4 `keep-id` limitation | Use Podman 4+ or single-container |\n\nFor the deep dive on each of these, see [`docs\u002Fdocker.md`](docs\u002Fdocker.md).\n\n> **Note:** By default, Docker Compose binds to `127.0.0.1` (localhost only).\n> To expose on a network, change the port to `\"8787:8787\"` in `docker-compose.yml`\n> and set `HERMES_WEBUI_PASSWORD` to enable authentication.\n\n---\n\n## What start.sh discovers automatically\n\n| Thing | How it finds it |\n|---|---|\n| Hermes agent dir | `HERMES_WEBUI_AGENT_DIR` env, then `~\u002F.hermes\u002Fhermes-agent`, then sibling `..\u002Fhermes-agent` |\n| Python executable | Agent venv first, then `.venv` in this repo, then system `python3` |\n| State directory | `HERMES_WEBUI_STATE_DIR` env, then `~\u002F.hermes\u002Fwebui` |\n| Default workspace | `HERMES_WEBUI_DEFAULT_WORKSPACE` env, then `~\u002Fworkspace`, then state dir |\n| Port | `HERMES_WEBUI_PORT` env or first argument, default `8787` |\n\nIf discovery finds everything, nothing else is required.\n\n---\n\n## Overrides (only needed if auto-detection misses)\n\n```bash\nexport HERMES_WEBUI_AGENT_DIR=\u002Fpath\u002Fto\u002Fhermes-agent\nexport HERMES_WEBUI_PYTHON=\u002Fpath\u002Fto\u002Fpython\nexport HERMES_WEBUI_PORT=9000\nexport HERMES_WEBUI_AUTO_INSTALL=1  # enable auto-install of agent deps (disabled by default)\n.\u002Fstart.sh\n```\n\nOr inline:\n\n```bash\nHERMES_WEBUI_AGENT_DIR=\u002Fcustom\u002Fpath .\u002Fstart.sh 9000\n```\n\nFull list of environment variables:\n\n| Variable | Default | Description |\n|---|---|---|\n| `HERMES_WEBUI_AGENT_DIR` | auto-discovered | Path to the hermes-agent checkout |\n| `HERMES_WEBUI_PYTHON` | auto-discovered | Python executable |\n| `HERMES_WEBUI_HOST` | `127.0.0.1` | Bind address (`0.0.0.0` for all IPv4, `::` for all IPv6, `::1` for IPv6 loopback) |\n| `HERMES_WEBUI_PORT` | `8787` | Port |\n| `HERMES_WEBUI_STATE_DIR` | `~\u002F.hermes\u002Fwebui` | Where sessions and state are stored |\n| `HERMES_WEBUI_DEFAULT_WORKSPACE` | `~\u002Fworkspace` | Default workspace |\n| `HERMES_WEBUI_DEFAULT_MODEL` | *(provider default)* | Optional model override; leave unset to use the active Hermes provider default |\n| `HERMES_WEBUI_PASSWORD` | *(unset)* | Set to enable password authentication |\n| `HERMES_WEBUI_EXTENSION_DIR` | *(unset)* | Optional local directory served at `\u002Fextensions\u002F`; must point to an existing directory before extension injection is enabled |\n| `HERMES_WEBUI_EXTENSION_SCRIPT_URLS` | *(unset)* | Optional comma-separated same-origin script URLs to inject; see [WebUI Extensions](docs\u002FEXTENSIONS.md) |\n| `HERMES_WEBUI_EXTENSION_STYLESHEET_URLS` | *(unset)* | Optional comma-separated same-origin stylesheet URLs to inject; see [WebUI Extensions](docs\u002FEXTENSIONS.md) |\n| `HERMES_HOME` | `~\u002F.hermes` | Base directory for Hermes state (affects all paths) |\n| `HERMES_CONFIG_PATH` | `~\u002F.hermes\u002Fconfig.yaml` | Path to Hermes config file |\n\n---\n\n## Accessing from a remote machine\n\nThe server binds to `127.0.0.1` by default (loopback only). If you are running\nHermes on a VPS or remote server, use an SSH tunnel from your local machine:\n\n```bash\nssh -N -L \u003Clocal-port>:127.0.0.1:\u003Cremote-port> \u003Cuser>@\u003Cserver-host>\n```\n\nExample:\n\n```bash\nssh -N -L 8787:127.0.0.1:8787 user@your.server.com\n```\n\nThen open `http:\u002F\u002Flocalhost:8787` in your local browser.\n\n`start.sh` will print this command for you automatically when it detects you\nare running over SSH.\n\n---\n\n## Accessing on your phone with Tailscale\n\n[Tailscale](https:\u002F\u002Ftailscale.com) is a zero-config mesh VPN built on\nWireGuard. Install it on your server and your phone, and they join the same\nprivate network -- no port forwarding, no SSH tunnels, no public exposure.\n\nThe Hermes Web UI is fully responsive with a mobile-optimized layout\n(hamburger sidebar, sidebar top tabs in the drawer, touch-friendly controls),\nso it works well as a daily-driver agent interface from your phone.\n\n**Setup:**\n\n1. Install [Tailscale](https:\u002F\u002Ftailscale.com\u002Fdownload) on your server and\n   your iPhone\u002FAndroid.\n2. Start the WebUI listening on all interfaces with password auth enabled:\n\n```bash\nHERMES_WEBUI_HOST=0.0.0.0 HERMES_WEBUI_PASSWORD=your-secret .\u002Fstart.sh\n```\n\n3. Open `http:\u002F\u002F\u003Cserver-tailscale-ip>:8787` in your phone's browser\n   (find your server's Tailscale IP in the Tailscale app or with\n   `tailscale ip -4` on the server).\n\nThat's it. Traffic is encrypted end-to-end by WireGuard, and password auth\nprotects the UI at the application level. You can add it to your home screen\nfor an app-like experience.\n\n### Community field report: ARM64 Android via AVF\n\nA community report in [#2364](https:\u002F\u002Fgithub.com\u002Fnesquena\u002Fhermes-webui\u002Fissues\u002F2364)\ndocuments Hermes Agent + WebUI running on a mid-range ARM64 Android phone inside\na Debian 12 VM via Android Virtualization Framework (AVF). The reported setup\nused a Xiaomi Redmi Note 13 Pro 4G, 3.8 GiB RAM allocated to the VM, 8 visible\nCPU cores, Chrome on Android at `localhost:8787`, and cloud-hosted inference.\n\nThis is not an official support baseline or provider\u002Fmodel benchmark, but it is\na useful compatibility signal for mobile ARM64 experiments: the WebUI rendered\nsmoothly in Chrome, ARM64 Debian worked for the agent stack, and the total local\nfootprint was about 1.7 GB. Practical caveats from the report: first install can\ntake longer when dependencies compile from source, Android browser tabs may\nreload when switching apps, and disabling battery optimization for the terminal\nor VM host may be needed for longer-running sessions.\n\n> **Tip:** If using Docker, set `HERMES_WEBUI_HOST=0.0.0.0` in your\n> `docker-compose.yml` environment (already the default) and set\n> `HERMES_WEBUI_PASSWORD`.\n\n---\n\n## Manual launch (without start.sh)\n\nIf you prefer to launch the server directly:\n\n```bash\ncd \u002Fpath\u002Fto\u002Fhermes-agent          # or wherever sys.path can find Hermes modules\nHERMES_WEBUI_PORT=8787 venv\u002Fbin\u002Fpython \u002Fpath\u002Fto\u002Fhermes-webui\u002Fserver.py\n```\n\nNote: use the agent venv Python (or any Python environment that has the Hermes agent dependencies installed). System Python will be missing `openai`, `httpx`, and other required packages.\n\nHealth check:\n\n```bash\ncurl http:\u002F\u002F127.0.0.1:8787\u002Fhealth\n```\n\n---\n\n## Running tests\n\nTests discover the repo and the Hermes agent dynamically -- no hardcoded paths.\n\n```bash\ncd hermes-webui\npytest tests\u002F -v --timeout=60\n```\n\nOr using the agent venv explicitly:\n\n```bash\n\u002Fpath\u002Fto\u002Fhermes-agent\u002Fvenv\u002Fbin\u002Fpython -m pytest tests\u002F -v\n```\n\nTests run against an isolated server with a separate state directory.\nProduction data and real cron jobs are never touched. Current snapshot:\n**5303 tests collected** across **488 test files**.\n\n---\n\n## Features\n\n### Chat and agent\n- Streaming responses via SSE (tokens appear as they are generated)\n- Multi-provider model support -- any Hermes API provider (OpenAI, Anthropic, Google, DeepSeek, Nous Portal, OpenRouter, MiniMax, Xiaomi MiMo, Z.AI); dynamic model dropdown populated from configured keys\n- Send a message while one is processing -- it queues automatically\n- Edit any past user message inline and regenerate from that point\n- Retry the last assistant response with one click\n- Cancel a running task directly from the composer footer (Stop button next to Send)\n- Tool call cards inline -- each shows the tool name, args, and result snippet; expand\u002Fcollapse all toggle for multi-tool turns\n- Subagent delegation cards -- child agent activity shown with distinct icon and indented border\n- Mermaid diagram rendering inline (flowcharts, sequence diagrams, gantt charts)\n- Thinking\u002Freasoning display -- collapsible gold-themed cards for Claude extended thinking and o3 reasoning blocks\n- Approval card for dangerous shell commands (allow once \u002F session \u002F always \u002F deny)\n- SSE auto-reconnect on network blips (SSH tunnel resilience)\n- File attachments persist across page reloads and are stored outside the active workspace by default (`~\u002F.hermes\u002Fwebui\u002Fattachments\u002F\u003Csession_id>\u002F`, or `HERMES_WEBUI_ATTACHMENT_DIR\u002F\u003Csession_id>\u002F` when configured)\n- Message timestamps (HH:MM next to each message, full date on hover)\n- Code block copy button with \"Copied!\" feedback\n- Syntax highlighting via Prism.js (Python, JS, bash, JSON, SQL, and more)\n- Safe HTML rendering in AI responses (bold, italic, code converted to markdown)\n- rAF-throttled token streaming for smoother rendering during long responses\n- Context usage indicator in composer footer -- token count, cost, and fill bar (model-aware)\n\n### Sessions\n- Create, rename, duplicate, delete, search by title and message content\n- Session actions via `⋯` dropdown per session — pin, move to project, archive, duplicate, delete\n- Pin\u002Fstar sessions to the top of the sidebar (gold indicator)\n- Archive sessions (hide without deleting, toggle to show)\n- Session projects -- named groups with colors for organizing sessions\n- Session tags -- add #tag to titles for colored chips and click-to-filter\n- Grouped by Today \u002F Yesterday \u002F Earlier in the sidebar (collapsible date groups)\n- Download as Markdown transcript, full JSON export, or import from JSON\n- Sessions persist across page reloads and SSH tunnel reconnects\n- Browser tab title reflects the active session name\n- CLI session bridge -- CLI sessions from hermes-agent's SQLite store appear in the sidebar with a gold \"cli\" badge; click to import with full history and reply normally\n- Token\u002Fcost display -- input tokens, output tokens, estimated cost shown per conversation (toggle in Settings or `\u002Fusage` command)\n\n### Workspace file browser\n- Directory tree with expand\u002Fcollapse (single-click toggles, double-click navigates)\n- Breadcrumb navigation with clickable path segments\n- Preview text, code, Markdown (rendered), and images inline\n- Edit, create, delete, and rename files; create folders\n- Binary file download (auto-detected from server)\n- File preview auto-closes on directory navigation (with unsaved-edit guard)\n- Git detection -- branch name and dirty file count badge in workspace header\n- Right panel is drag-resizable\n- Syntax highlighted code preview (Prism.js)\n\n### Voice input\n- Microphone button in the composer (Web Speech API)\n- Tap to record, tap again or send to stop\n- Live interim transcription appears in the textarea\n- Auto-stops after ~2s of silence\n- Appends to existing textarea content (doesn't replace)\n- Hidden when browser doesn't support Web Speech API (Chrome, Edge, Safari)\n\n### Profiles\n- Profile chip in the **composer footer** -- dropdown showing all profiles with gateway status and model info\n- Gateway status dots (green = running), model info, skill count per profile\n- Profiles management panel -- create, switch, and delete profiles from the sidebar\n- Clone config from active profile on create\n- Optional custom endpoint fields on create -- Base URL and API key written into the profile's `config.yaml` at creation time, so Ollama, LMStudio, and other local endpoints can be configured without editing files manually\n- Seamless switching -- no server restart; reloads config, skills, memory, cron, models\n- Per-session profile tracking (records which profile was active at creation)\n\n### Authentication and security\n- Optional password auth -- off by default, zero friction for localhost\n- Enable via `HERMES_WEBUI_PASSWORD` env var or Settings panel\n- Signed HMAC HTTP-only cookie with 24h TTL\n- Minimal dark-themed login page at `\u002Flogin`\n- Security headers on all responses (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)\n- 20MB POST body size limit\n- CDN resources pinned with SRI integrity hashes\n\n### Themes\n- Appearance is split into two axes: Theme (`system`, `dark`, `light`) and Skin\n  (`default`, `ares`, `mono`, `slate`, `poseidon`, `sisyphus`, `charizard`,\n  `sienna`, `catppuccin`, `nous`)\n- Switch via Settings -> Appearance (instant live preview) or `\u002Ftheme \u003Ctheme-or-skin>`\n- Persists across reloads (server-side in settings.json + localStorage for flicker-free loading)\n- Skins use `data-skin` plus CSS variables; dark mode resolves through the\n  `.dark` class, not a `data-theme` custom-theme axis — see [THEMES.md](THEMES.md)\n\n### Settings and configuration\n- **Hermes Control Center** (sidebar launcher button) -- Conversation tab (export\u002Fimport\u002Fclear), Preferences tab (model, send key, theme, language, all toggles), System tab (version, password)\n- Send key: Enter (default) or Ctrl\u002FCmd+Enter\n- Show\u002Fhide CLI sessions toggle (enabled by default)\n- Token usage display toggle (off by default, also via `\u002Fusage` command)\n- Control Center always opens on the Conversation tab; resets on close\n- Unsaved changes guard -- discard\u002Fsave prompt when closing with unpersisted changes\n- Cron completion alerts -- toast notifications and unread badge on Tasks tab\n- Background agent error alerts -- banner when a non-active session encounters an error\n\n### Slash commands\n- Type `\u002F` in the composer for autocomplete dropdown\n- Built-in: `\u002Fhelp`, `\u002Fclear`, `\u002Fcompress [focus topic]`, `\u002Fcompact` (alias), `\u002Fmodel \u003Cname>`, `\u002Fworkspace \u003Cname>`, `\u002Fnew`, `\u002Fusage`, `\u002Ftheme`\n- Arrow keys navigate, Tab\u002FEnter select, Escape closes\n- Unrecognized commands pass through to the agent\n\n### Panels\n- **Chat** -- session list, search, pin, archive, projects, new conversation\n- **Tasks** -- view, create, edit, run, pause\u002Fresume, delete cron jobs; run history; completion alerts\n- **Skills** -- list all skills by category, search, preview, create\u002Fedit\u002Fdelete; linked files viewer\n- **Memory** -- view and edit MEMORY.md and USER.md inline\n- **Profiles** -- create, switch, delete agent profiles; clone config\n- **Todos** -- live task list from the current session\n- **Spaces** -- add, rename, remove workspaces; quick-switch from topbar\n\n### Mobile responsive\n- Hamburger sidebar -- slide-in overlay on mobile (\u003C640px)\n- Sidebar top tabs stay available on mobile; no fixed bottom nav stealing chat height\n- Files slide-over panel from right edge\n- Touch targets minimum 44px on all interactive elements\n- Full-height chat\u002Fcomposer on phones without bottom-nav spacing\n- Desktop layout completely unchanged\n\n---\n\n## Architecture\n\n```\nserver.py               HTTP routing shell + auth middleware (~446 lines)\napi\u002F\n  auth.py               Optional password authentication, signed cookies (~366 lines)\n  config.py             Discovery, globals, model detection, reloadable config (~4139 lines)\n  helpers.py            HTTP helpers, security headers (~302 lines)\n  models.py             Session model + CRUD + CLI bridge (~1927 lines)\n  onboarding.py         First-run onboarding wizard, OAuth provider support (~1002 lines)\n  profiles.py           Profile state management, hermes_cli wrapper (~1056 lines)\n  routes.py             All GET + POST route handlers (~9772 lines)\n  state_sync.py         \u002Finsights sync — message_count to state.db (~118 lines)\n  streaming.py          SSE engine, run_agent, cancel support (~4420 lines)\n  updates.py            Self-update check and release notes (~545 lines)\n  upload.py             Multipart parser, file upload handler (~284 lines)\n  workspace.py          File ops, workspace helpers, git detection (~810 lines)\nstatic\u002F\n  index.html            HTML template (~1323 lines)\n  style.css             All CSS incl. mobile responsive, themes (~3767 lines)\n  ui.js                 DOM helpers, renderMd, tool cards, context indicator (~7216 lines)\n  workspace.js          File preview, file ops, git badge (~369 lines)\n  sessions.js           Session CRUD, collapsible groups, search, reload recovery (~3517 lines)\n  messages.js           send(), SSE handlers, live streaming, session recovery (~2301 lines)\n  panels.js             Cron, skills, memory, profiles, settings (~6480 lines)\n  commands.js           Slash command autocomplete (~1302 lines)\n  boot.js               Mobile nav, voice input, boot IIFE (~1607 lines)\ntests\u002F\n  conftest.py           Isolated test server\u002Fstate fixtures\n  488 test files         5303 tests collected\nDockerfile              python:3.12-slim container image\ndocker-compose.yml      Compose with named volume and optional auth\n.github\u002Fworkflows\u002F      CI: multi-arch Docker build + GitHub Release on tag\n```\n\nState lives outside the repo at `~\u002F.hermes\u002Fwebui\u002F` by default\n(sessions, workspaces, settings, projects, last_workspace). Override with `HERMES_WEBUI_STATE_DIR`.\n\n---\n\n## Docs\n\n- `HERMES.md` -- why Hermes, mental model, and detailed comparison to Claude Code \u002F Codex \u002F OpenCode \u002F Cursor\n- `ROADMAP.md` -- feature roadmap and sprint history\n- `ARCHITECTURE.md` -- system design, all API endpoints, implementation notes\n- `TESTING.md` -- manual browser test plan and automated coverage reference\n- `CHANGELOG.md` -- release notes per sprint\n- `SPRINTS.md` -- forward sprint plan with CLI + Claude parity targets\n- `THEMES.md` -- theme system documentation, custom theme guide\n- `docs\u002FCONTRACTS.md` -- project contract\u002FRFC\u002Fdesign index for contributors and agents\n- `docs\u002FUIUX-GUIDE.md` -- UI\u002FUX principles sourced from existing design docs and visual inventories\n- `docs\u002Fdocker.md` -- Docker compose setup, common failures, and bind-mount migration\n- `docs\u002Fsupervisor.md` -- launchd, systemd, supervisord, runit, and s6 process-supervisor setup\n- `docs\u002Fonboarding.md` -- first-run wizard, provider setup, local model server Base URLs, and safe re-runs\n- `docs\u002Fonboarding-agent-checklist.md` -- safety rules, evidence commands, and pass\u002Ffail checks for assistant-led install or reinstall support\n- `docs\u002Ftroubleshooting.md` -- diagnostic flows for common failures (e.g. \"AIAgent not available\")\n- `docs\u002Fwsl-autostart.md` -- WSL2 auto-start at Windows login\n- `docs\u002FEXTENSIONS.md` -- administrator-controlled WebUI extension injection\n- `docs\u002Frfcs\u002FREADME.md` -- RFC index for larger architecture and durability proposals\n\n## Contributors\n\nHermes WebUI is built with help from the open-source community. Every PR — whether merged directly, absorbed into a batch release, or salvaged from a larger proposal — shapes the project, and we're grateful to everyone who has taken the time to contribute.\n\n**137 contributors have shipped code that landed in a release tag** as of v0.51.58. The full credit roll lives in [`CONTRIBUTORS.md`](CONTRIBUTORS.md). The highlights:\n\n### Top contributors (by PR count, including absorbed\u002Fbatch-released work)\n\n| # | Contributor | PRs | First → latest release |\n|---|---|---:|---|\n| 1 | [@franksong2702](https:\u002F\u002Fgithub.com\u002Ffranksong2702) | 117 | `v0.49.3` → `v0.51.58` |\n| 2 | [@Michaelyklam](https:\u002F\u002Fgithub.com\u002FMichaelyklam) | 92 | `v0.50.240` → `v0.51.57` |\n| 3 | [@bergeouss](https:\u002F\u002Fgithub.com\u002Fbergeouss) | 62 | `v0.48.0` → `v0.51.46` |\n| 4 | [@ai-ag2026](https:\u002F\u002Fgithub.com\u002Fai-ag2026) | 55 | `v0.50.279` → `v0.51.47` |\n| 5 | [@dso2ng](https:\u002F\u002Fgithub.com\u002Fdso2ng) | 23 | `v0.50.227` → `v0.51.51` |\n| 6 | [@jasonjcwu](https:\u002F\u002Fgithub.com\u002Fjasonjcwu) | 16 | `v0.50.227` → `v0.51.55` |\n| 7 | [@Jordan-SkyLF](https:\u002F\u002Fgithub.com\u002FJordan-SkyLF) | 12 | `v0.50.18` → `v0.51.58` |\n| 8 | [@aronprins](https:\u002F\u002Fgithub.com\u002Faronprins) | 10 | `v0.44.0` → `v0.50.233` |\n| 9 | [@JKJameson](https:\u002F\u002Fgithub.com\u002FJKJameson) | 10 | `v0.50.233` → `v0.51.31` |\n| 10 | [@starship-s](https:\u002F\u002Fgithub.com\u002Fstarship-s) | 10 | `v0.50.128` → `v0.51.58` |\n\nSee [`CONTRIBUTORS.md`](CONTRIBUTORS.md) for the full ranked list of all 137 contributors, including everyone with one or two PRs and the special-thanks roll for design and architectural contributions.\n\n### Notable contributions\n\n**[@franksong2702](https:\u002F\u002Fgithub.com\u002Ffranksong2702)** — Most prolific external contributor (117 PRs, `v0.49.3` → `v0.51.58`)\nAcross the longest tenure of any external contributor: the session title guard (#301), breadcrumb workspace navigation (#302), embedded workspace terminal (#1099), worktree-backed session creation (#2053), onboarding documentation (#2052), composer footer container queries, streaming-session sidebar exemption (#1327), session sidecar repair, cron output preservation (#1295), profile default workspace persistence, manual `\u002Fcompress` async start\u002Fstatus endpoints (#2128), worktree status surface (#2109) + guarded remove (#2156) for the lifecycle umbrella #2057, session post-render dedup (#2166), native-WebUI fast path (#2170), tail-window response trim (#2171), stale-stream guard extension (#2158), CSP report collector (#2160), and a long tail of polish across mobile\u002Fresponsive, the session sidebar, and the workspace state machine.\n\n**[@Michaelyklam](https:\u002F\u002Fgithub.com\u002FMichaelyklam)** — Most prolific contributor of recent releases (92 PRs, `v0.50.240` → `v0.51.57`)\nProduction Docker hardening (#1921, drops sudo-capable staging user), profile-scoped skills endpoints (#1903), gateway PID resolution under profile-scoped HERMES_HOME (#1901), profile-aware AIAgent cache (#1898\u002F#1904), backslash LaTeX delimiters (#1848), Codex quota error surfacing (#1770), shell-route HTML 503 (#1836), stale Kanban client recovery (#1828), context auto-compression toast lifetime (#1988), `\u002Fgoal` command (#1866), Kanban detail-view scrolling (#1916), CLI session tool metadata preservation (#1778), Traditional Chinese kanban locale backfill (#1979), v0.51.51 mobile Insights bucketing\u002Flayout (#2120\u002F#2121), Hermes run adapter RFC (#2105 for #1925), fork-from-here absolute index (#2198 for #2184), opencode-go custom-provider overlap routing (#2204 for #1894).\n\n**[@bergeouss](https:\u002F\u002Fgithub.com\u002Fbergeouss)** — Provider management UI + Docker hardening (62 PRs, `v0.48.0` → `v0.51.46`)\nProvider management UI for adding\u002Fediting custom providers from Settings, OAuth provider status detection (#1552), two-container Docker setup, profile isolation hardening (per-profile `.env` secrets), the bulk of what users see when they touch Settings → Providers, Reveal-in-Finder context menu (#1551), gateway status card (#1552), auto-assign session to active project filter (#1550), \"What's new?\" link in update banner (#1549), OpenRouter free-tier live fetch (#1548), credential pool 401 self-heal (#1553), inline provider chip + group model count in model picker (#1644).\n\n**[@ai-ag2026](https:\u002F\u002Fgithub.com\u002Fai-ag2026)** — Session recovery + audit infrastructure (55 PRs, `v0.50.279` → `v0.51.47`)\nAutonomous-AI contributor (Hermes Agent-driven) focused on durability: `state.db`-backed sidecar reconciliation (#2041), orphan `.json.bak` recovery on startup (#2035), read-only session recovery audit endpoints (#2036, #2040), active run lifecycle in `\u002Fhealth` (#2039), crash-safe turn-journal RFC at `docs\u002Frfcs\u002Fturn-journal.md` (#2042), append-only turn-journal helper (#2059), lifecycle events layer (#2062), `Content-Security-Policy-Report-Only` header (#2084), per-cron toast toggle (#2100), fork-session compression lineage isolation (#2014).\n\n**[@dso2ng](https:\u002F\u002Fgithub.com\u002Fdso2ng)** — Session lineage + diagnostics (23 PRs, `v0.50.227` → `v0.51.51`)\n`\u002Fapi\u002Fsession\u002Flineage-report\u002F\u003Csid>` endpoint for bounded session graph diagnostics (#2012), stale Mermaid render error cleanup (#1337), `session_source=\"fork\"` continuation-chain isolation (#2063), lazy lineage-report fetch on sidebar badge expand (#2130), and a long tail of frontend reliability fixes around session loading.\n\n**[@jasonjcwu](https:\u002F\u002Fgithub.com\u002Fjasonjcwu)** — Composer + transcript polish (16 PRs, `v0.50.227` → `v0.51.55`)\nSidebar collapse via active-rail click (#2054, fuses #1884 + #1924), composer chip lightbox (#1758), title fixes for tool-heavy first turns, silent compress-status during session switch (#2185), concurrent-send loss fix (#2186), in-transcript steer message badges (#2187), and a string of frontend polish fixes.\n\n**[@Jordan-SkyLF](https:\u002F\u002Fgithub.com\u002FJordan-SkyLF)** — Live streaming + UX polish (12 PRs, `v0.50.18` → `v0.51.58`)\nOriginal sprint of workspace fallback resolution, live reasoning cards (#366, #367, #394–#397), then a recent burst: manual \"Refresh usage\" button on the Provider quota card (#2150), cancelled-turn status classification (#2151), Firefox sidebar scroll stabilization (#2200), early provisional session titles (#2202), target-aware \"What's new?\" update-banner links (#2207), and MCP tools overflow fix in Settings (#2210).\n\n**[@aronprins](https:\u002F\u002Fgithub.com\u002Faronprins)** — `v0.50.0` UI overhaul (PR #242, plus 9 follow-ups)\nThe biggest single contribution to the project: a complete UI redesign that moved model\u002Fprofile\u002Fworkspace controls into the composer footer, replaced the gear-icon settings panel with the Hermes Control Center (tabbed modal), removed the activity bar in favor of inline composer status, redesigned the session list with a `⋯` action dropdown, and added the workspace panel state machine. Plus chat transcript redesign (#587), sidebar declutter (#584), three-column layout refactor (#899), light\u002Fdark theme + accent skins (#627), and shared `confirm()`\u002F`prompt()` dialog replacement (PR #251 extracted from #242).\n\n**[@iRonin](https:\u002F\u002Fgithub.com\u002FiRonin)** — Security hardening sprint (PRs #196–#204)\nSix consecutive, focused security PRs: session memory leak fix (expired token pruning), CSP + Permissions-Policy headers, 30-second slow-client connection timeout, optional HTTPS\u002FTLS support via environment variables, upstream branch tracking fix for self-update, and CLI session support in the file-browser API. The kind of focused, high-quality security work that makes a self-hosted tool trustworthy.\n\n**[@lucasrc](https:\u002F\u002Fgithub.com\u002Flucasrc)** — Auth-hardening trilogy (PRs #2191, #2192, #2193)\nThree coordinated security PRs that all landed in v0.51.57: thread-safe login rate limiter with PBKDF2 key separation, password-hash cache invalidation on Settings save, and the full 64-char HMAC-SHA256 session signature with a backwards-compatible migration bridge. The kind of cleanly-decomposed security work that's reviewable as three independent pieces.\n\n**[@LumenYoung](https:\u002F\u002Fgithub.com\u002FLumenYoung)** — Streaming hot-path correctness (4 PRs, `v0.51.47` → `v0.51.55`)\nThe original stale-stream writeback guard (#2136 — the bug class the next two releases extended), gateway-state alive-null classification (#2075), compression-banner anchor alignment (#2182), and context-progress ring auto-refresh on compression complete (#2188). Each PR opened a small surgical fix in one of the most fragile subsystems in the codebase.\n\n**[@dobby-d-elf](https:\u002F\u002Fgithub.com\u002Fdobby-d-elf)** — Frontend reliability + motion polish (6 PRs, `v0.51.38` → `v0.51.58`)\nWorkspace fallback on deleted directories (#2138), iPhone PWA bottom-scroll fix (#2143), the new \"Activity: X tools\" composer footer shimmer animation (#2203), and follow-up animation tuning (#2212).\n\n**[@JKJameson](https:\u002F\u002Fgithub.com\u002FJKJameson)** — Composer + session polish (10 PRs)\nPersistent composer draft per session (#1956), and a long tail of polish across the composer and session sidebar.\n\n**[@gabogabucho](https:\u002F\u002Fgithub.com\u002Fgabogabucho)** — Spanish locale + onboarding wizard\nFull Spanish (`es`) locale covering all UI strings, plus the one-shot bootstrap onboarding wizard that guides new users through provider setup on first launch.\n\n**[@deboste](https:\u002F\u002Fgithub.com\u002Fdeboste)** — Reverse-proxy auth + mobile responsive layout (PRs #3, #4, #5)\nThree of the very first community PRs: fixed EventSource\u002Ffetch to use URL origin for reverse-proxy setups, corrected model provider routing from config, and added mobile responsive layout with dvh viewport fix. Early foundation work.\n\n**[@indigokarasu](https:\u002F\u002Fgithub.com\u002Findigokarasu)** — Visual redesign proposal (PR #213)\nA CSS-only redesign of the full UI — proper design tokens, an icon rail sidebar replacing the emoji tab strip, consistent form cards, breadcrumb nav, and 7 built-in themes as custom properties. The PR didn't merge as-is but shaped the design language and theme architecture that shipped in v0.50.0.\n\n**[@zenc-cp](https:\u002F\u002Fgithub.com\u002Fzenc-cp)** — Anti-hallucination guard for the ReAct loop (PR #133)\nA three-layer approach (ephemeral anti-hallucination prompt, live token filtering, session-history cleanup) that the streaming pipeline still uses.\n\n**[@Hinotoi-agent](https:\u002F\u002Fgithub.com\u002FHinotoi-agent)** — Profile + session security (PRs #351, #2048)\nProfile `.env` secret isolation fix (PR #351) preventing API key leakage between profiles, and session-import workspace validation (PR #2048) blocking a crafted-JSON file-read against `\u002F`.\n\n**[@Sanjays2402](https:\u002F\u002Fgithub.com\u002FSanjays2402)** — Endless-scroll + Start-jump race fix (PR #1949)\nA generation-token + mutex pair fixing the v0.51.30 race between endless-scroll prefetch and Start-jump's `_ensureAllMessagesLoaded`. The naive same-flag-check approach (proposed in #1942 and #1962) was a no-op for the post-await race — Sanjays2402's fix was the correct shape.\n\n**[@fxd-jason](https:\u002F\u002Fgithub.com\u002Ffxd-jason)** — Real-time approval + clarify via SSE (PRs #1350, #1355)\nReplaced 1.5s HTTP polling with SSE long-connections for both approval and clarify, cutting latency from up to 1.5s to near-instant. Got all the correctness details right (atomic subscribe + snapshot, notify-inside-lock, head-of-queue payload, trailing event re-emission).\n\n**[@happy5318](https:\u002F\u002Fgithub.com\u002Fhappy5318)** — Custom provider model dedup (PR #1947)\nFixed the same model from different named custom providers being silently deduplicated in the picker, with Opus catching a race in the original tests that needed augmentation.\n\n**[@NocGeek](https:\u002F\u002Fgithub.com\u002FNocGeek)** — Streaming scroll + manual cron output persistence (7 PRs)\nStreaming scroll viewport stability when tool\u002Fqueue cards insert (#1360), manual cron-run output and metadata persistence (#1372, split from held #1352).\n\n**[@DavidSchuchert](https:\u002F\u002Fgithub.com\u002FDavidSchuchert)** — German translation (PR #190)\nComplete German locale (`de`) covering all UI strings, settings labels, commands, and system messages — and stress-tested the i18n system, exposing several elements that weren't yet translatable and getting them fixed as part of the same PR.\n\n**[@Bobby9228](https:\u002F\u002Fgithub.com\u002FBobby9228)** — Mobile Profiles button (PR #265)\nAdded the Profiles entry to the mobile navigation flow, making profile switching reachable on phones.\n\n**[@kevin-ho](https:\u002F\u002Fgithub.com\u002Fkevin-ho)** — OLED theme (PR #168)\nThe 7th built-in theme: pure black backgrounds with warm accents tuned to reduce burn-in risk.\n\n**[@andrewy-wizard](https:\u002F\u002Fgithub.com\u002Fandrewy-wizard)** — Chinese localization (PR #177)\nInitial Simplified Chinese (`zh`) locale. One of the first non-English locales.\n\n**[@DelightRun](https:\u002F\u002Fgithub.com\u002FDelightRun)** — `session_search` fix for WebUI sessions (PR #356)\nTracked down the missing `SessionDB` injection in the streaming path that was silently breaking the tool for every WebUI session.\n\n**[@lawrencel1ng](https:\u002F\u002Fgithub.com\u002Flawrencel1ng)** — Bandit security fixes (PR #354)\nSystematic bandit-scan fixes: URL scheme validation before `urlopen`, MD5 `usedforsecurity=False`, and 40+ bare `except: pass` blocks replaced with proper logging.\n\n**[@shaoxianbilly](https:\u002F\u002Fgithub.com\u002Fshaoxianbilly)** — Unicode filename downloads (PR #378)\nProper `Content-Disposition` with RFC 5987 `filename*=UTF-8''...` encoding so non-ASCII filenames download without crashing.\n\n**[@lx3133584](https:\u002F\u002Fgithub.com\u002Flx3133584)** — CSRF fix for reverse proxy (PR #360)\nA real-world blocker for anyone hosting behind Nginx Proxy Manager or similar on a port other than 80\u002F443.\n\n**[@betamod](https:\u002F\u002Fgithub.com\u002Fbetamod)** — Security audit (PR #171)\nA comprehensive CSRF \u002F SSRF \u002F XSS \u002F env-race-condition audit that shipped in v0.39.0.\n\n**[@TaraTheStar](https:\u002F\u002Fgithub.com\u002FTaraTheStar)** — Bot name + thinking blocks + login refactor (PRs #132, #176, #181)\nConfigurable assistant display name, thinking\u002Freasoning block display, and a login page refactor.\n\n## Repo\n\n```\ngit@github.com:nesquena\u002Fhermes-webui.git\n```\n","Hermes WebUI 是一个为 Hermes Agent 提供的轻量级网页界面，让用户能够通过浏览器或手机访问自主运行于服务器上的智能代理。项目采用 Python 和原生 JavaScript 构建，不依赖任何前端框架或打包工具，实现了与命令行界面相同的功能体验。其核心功能包括三面板布局设计（左侧会话导航、中间聊天窗口、右侧文件浏览）、即时可见的上下文环以显示令牌使用情况，以及全面的设置和会话管理工具。适用于需要长期维护特定工作环境记忆，并希望在不同设备上便捷访问 AI 代理服务的场景，如个人开发者、小型团队等，特别适合那些寻求持续学习能力且无需重复配置的人工智能助手用户。",2,"2026-06-11 03:48:21","high_star"]