[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-891":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":29,"readmeContent":30,"aiSummary":31,"trendingCount":16,"starSnapshotCount":16,"syncStatus":14,"lastSyncTime":32,"discoverSource":33},891,"hermes-control-interface","xaspx\u002Fhermes-control-interface","xaspx","A self-hosted web dashboard for the Hermes AI agent stack. Provides a browser-based terminal, file explorer, session overview, cron management, system metrics, and an agent status panel — all behind a single password gate.","https:\u002F\u002Fx.com\u002Fbayendor",null,"JavaScript",759,116,2,1,0,6,33,139,18,10.2,"MIT License",false,"main",true,[27,28],"ai-agents","hermes-agent","2026-06-12 02:00:20","# Hermes Control Interface\n\nA self-hosted web dashboard for the [Hermes AI agent](https:\u002F\u002Fgithub.com\u002FNousResearch\u002Fhermes-agent) stack. Manage terminals, files, sessions, cron jobs, token analytics, multi-agent gateways, and team access — all behind a password gate.\n\n**Stack:** Vanilla JS + Vite · Node.js · Express · WebSocket · xterm.js\n**Version:** 3.5.0\n\n---\n\n## Highlights\n\n> **Chat via Gateway API** — Real-time streaming, tool call cards with JSON viewer, session resume, stop button, multi-profile support. Auto-fallback to CLI.\n\n> **RBAC v2** — 20 permissions across 3 roles. Admin, viewer, or custom roles per user.\n\n> **Multi-Agent Gateway** — Start\u002Fstop\u002Fconfigure multiple Hermes profiles. Real-time logs. 
Systemd service management.\n\n> **Token Analytics** — Track sessions, messages, tokens, cost by model, platform, and time range.\n\n> **Security Hardened** — Command injection fixes, CSRF on 21 endpoints, dynamic CORS, comprehensive XSS protection (escapeHtml on all error handlers), 18 findings addressed.\n\n---\n\n## Screenshots\n\n### Navigation — 8 Pages\n\n**Home · Agents · Usage · Skills · Chat · Logs · Maintenance · Files**\n\n### Dark Mode\n\n| Home | Agents |\n|------|--------|\n| ![Home](docs\u002Fscreenshots\u002Fdark\u002F01-home.png) | ![Agents](docs\u002Fscreenshots\u002Fdark\u002F02-agents.png) |\n\n| Chat | Usage & Analytics |\n|------|------------------|\n| ![Chat](docs\u002Fscreenshots\u002Fdark\u002Fchat.png) | ![Usage](docs\u002Fscreenshots\u002Fdark\u002F03-usage.png) |\n\n| Skills Hub | Maintenance |\n|------------|-------------|\n| ![Skills](docs\u002Fscreenshots\u002Fdark\u002F04-skills.png) | ![Maintenance](docs\u002Fscreenshots\u002Fdark\u002F05-maintenance.png) |\n\n| File Explorer | Agent Dashboard |\n|---------------|----------------|\n| ![Files](docs\u002Fscreenshots\u002Fdark\u002F06-files.png) | ![Dashboard](docs\u002Fscreenshots\u002Fdark\u002F07-agent-dashboard.png) |\n\n| Agent Gateway | Agent Sessions |\n|---------------|----------------|\n| ![Gateway](docs\u002Fscreenshots\u002Fdark\u002F09-agent-gateway.png) | ![Sessions](docs\u002Fscreenshots\u002Fdark\u002F08-agent-sessions.png) |\n\n| Agent Config | Agent Memory |\n|---------------|--------------|\n| ![Config](docs\u002Fscreenshots\u002Fdark\u002F10-agent-config.png) | ![Memory](docs\u002Fscreenshots\u002Fdark\u002F11-agent-memory.png) |\n\n| Agent Skills | Agent Cron |\n|--------------|------------|\n| ![Skills](docs\u002Fscreenshots\u002Fdark\u002F12-agent-skills.png) | ![Cron](docs\u002Fscreenshots\u002Fdark\u002F13-agent-cron.png) |\n\n### Light Mode\n\n| Home | Agents | Skills Hub |\n|------|--------|------------|\n| 
![Home](docs\u002Fscreenshots\u002Flight\u002F01-home.png) | ![Agents](docs\u002Fscreenshots\u002Flight\u002F02-agents.png) | ![Skills](docs\u002Fscreenshots\u002Flight\u002F04-skills.png) |\n\n| Gateway | Memory |\n|---------|--------|\n| ![Gateway](docs\u002Fscreenshots\u002Flight\u002F09-agent-gateway.png) | ![Memory](docs\u002Fscreenshots\u002Flight\u002F11-agent-memory.png) |\n\n---\n\n## Features\n\n### 🔐 Authentication\n\n- Single password login (configurable via `HERMES_CONTROL_PASSWORD`)\n- bcrypt password hashing (cost factor 10)\n- CSRF tokens on all mutating requests\n- Conditional Secure cookie flag (auto-detects HTTPS)\n- Rate limiting: 5 failed logins per 15 minutes per IP\n- Multi-user support with role-based access control (RBAC)\n\n---\n\n### 🏠 Home Dashboard\n\nSystem overview at a glance:\n- **System Health**: CPU usage, RAM usage, Disk usage, Uptime\n- **Agent Overview**: active model, provider, gateway status, configured API keys, active platforms\n- **Gateway Status**: per-profile running\u002Fstopped indicators\n- **Token Usage (7d)**: sessions count, messages, total tokens, estimated cost, models used, platforms breakdown, top tools\n\n---\n\n### 🤖 Agents — Multi-Agent Management\n\nManage all Hermes profiles from one place:\n- List all profiles with status badge (running\u002Fstopped) and active model\n- Create new profile\n- Clone existing profile\n- Delete profile\n- Set default profile\n- Start\u002FStop\u002FRestart gateway per profile\n- Quick gateway log viewer\n\n---\n\n### 💬 Chat — Revamped Interface\n\nThe chat interface got a full overhaul in v3.3.0:\n\n**Tool Call Cards**\n- Each tool call displayed as a collapsible card\n- Shows tool name, status (running\u002Fsuccess\u002Ferror), and execution time\n- Expand to see full JSON input\u002Foutput\n- Collapsed by default for clean output\n\n**Session Sidebar**\n- List of past chat sessions with timestamps\n- Resume any session with one click\n- New chat button for fresh session\n- 
Shows active model tag\n\n**Clean Output**\n- Banner suppression (`-Q` flag) for noise-free responses\n- Auto-detects both new (`session_id:`) and legacy (`Session:`) session ID formats\n- `--continue \"\"` (empty) creates new session\n- Bare `--continue` resumes last session\n\n**Session Management**\n- Rename sessions\n- Delete sessions\n- Export session transcript\n\n---\n\n### 📊 Usage & Analytics — Token Insights\n\nFull breakdown of LLM usage:\n- **Time Range**: Today, 7d, 30d, 90d filters\n- **Agent Filter**: per-profile or all combined\n- **Overview Cards**: total sessions, messages, tokens, cost, active hours\n- **Models Table**: per-model breakdown — sessions count, total tokens, avg tokens\u002Fsession\n- **Platforms Table**: per-platform breakdown (CLI, Telegram, WhatsApp, etc.)\n- **Top Tools**: most called tools with call counts and success rates\n\n---\n\n### 🛠️ Agent Detail — Per-Agent Management\n\nSix-tab interface for deep agent configuration:\n\n#### Dashboard Tab\n- Agent identity: name, model, provider\n- Gateway service status\n- Quick token usage summary\n- Active platforms\n\n#### Sessions Tab\n- List all sessions for this profile\n- Search by keyword\n- Rename session\n- Delete session\n- Export session (JSON format)\n- Resume session in CLI (one click)\n\n#### Gateway Tab\n- Start\u002FStop\u002FRestart gateway service\n- Real-time log stream (WebSocket)\n- Systemd service management (for non-root users: `hermes-gateway-\u003Cprofile>`)\n- Gateway configuration panel\n\n#### Config Tab\n- 13 categories, 80+ settings\n- Structured form editor with labeled fields\n- Raw YAML editor toggle\n- Reset to defaults per category\n- Apply changes with validation\n\n#### Memory Tab\n- Dynamic memory provider panel\n- Provider options: Built-in MEMORY.md, Honcho (self-hosted), External providers\n- Honcho status: connected\u002Fdisconnected\n- Memory usage stats\n\n#### Cron Tab\n- List all scheduled jobs for this profile\n- Create new cron job with 
schedule presets (hourly, daily, weekly, custom cron expression)\n- Pause\u002FResume scheduled jobs\n- Run job immediately (on-demand)\n- Edit\u002FDelete cron jobs\n- Next run time display\n\n---\n\n### 📦 Skills Marketplace\n\nBrowse and manage installed Hermes skills:\n- Grouped by category (devops, mlops, creative, etc.)\n- Shows skill name, description snippet, source (builtin\u002Flocal), trust level\n- Search and filter skills\n- Install new skills from the Hermes skills registry\n- Check for updates\n- Uninstall skills\n\n---\n\n### 🔧 Maintenance — System Administration\n\nFull admin panel:\n- **Doctor**: Run diagnostics — detects common issues, auto-fix where possible\n- **Dump**: Generate debug summary (system info, config, recent logs)\n- **Update**: Update Hermes agent to latest version\n- **Backup**: Download all Hermes data as a zip file\n- **Import**: Restore from backup zip\n- **HCI Restart**: Restart the Control Interface web server from UI (no SSH needed)\n- **Users** (NEW in v3.3.0): Create\u002Fedit\u002Fdelete users, assign roles, manage permissions\n- **Auth**: View provider status (OpenRouter, Nous Portal, etc.), add\u002Fremove API keys\n- **Audit**: Timestamped activity log — who did what and when\n\n---\n\n### 📁 File Explorer\n\nSplit-view file editor:\n- **Left panel**: Directory tree browser\n- **Right panel**: Text editor with syntax highlighting\n- **Save**: Write changes back to disk\n- **Secure**: Paths scoped to `~\u002F.hermes`, traversal attacks prevented\n- **Multiple roots**: Configurable via `HERMES_CONTROL_ROOTS`\n\n---\n\n### 💻 Terminal\n\nReal browser-based terminal:\n- Full PTY via node-pty + xterm.js over WebSocket\n- Touch-friendly controls (↑↓␣↵) for mobile\n- Fullscreen toggle\n- Auto-cleanup flow: Ctrl+C → clear → ready for next command\n- Rate limited: 30 commands\u002Fminute per IP\n\n---\n\n### 🔔 Notifications\n\n- Bell icon with unread count badge (top-right)\n- Dropdown panel with notification list\n- Dismiss 
individual or clear all\n- Sources: system alerts (disk\u002FRAM\u002FCPU), gateway events, session CRUD, user management\n- Persistent: stored in `~\u002F.hermes\u002Fhci-notifications.json`\n\n---\n\n### 🎨 Theme\n\n- **Dark mode** (default): `#0b201f` background, `#dccbb5` foreground, `#7c945c` accent\n- **Light mode**: `#e4ebdf` background, `#0b201f` foreground, `#2e6fb0` accent\n- Toggle via header button\n- Preference persisted in localStorage\n- Login page: themed background image with overlay\n\n---\n\n### 🔒 Security\n\n- **Multi-user RBAC**: 20 permissions across 3 roles\n- **Roles**: `admin` (full access), `viewer` (read-only), `custom` (your choice)\n- **bcrypt** password hashing (cost factor 10)\n- **CSRF tokens** on all mutating requests\n- **Secure cookie** flag (auto-detects HTTPS)\n- **WebSocket origin** verification (exact match)\n- **Input sanitization**: strict regex on all user inputs (profiles, sessions, titles, filenames)\n- **Path traversal prevention** in file explorer\n- **Rate limiting**: login (5 failed\u002F15min), terminal exec (30\u002Fmin)\n- **XSS protection**: all dynamic values escaped via escapeHtml() — code blocks extracted before render, error messages sanitized in all 15+ catch blocks\n- **Admin gate**: critical endpoints (`\u002Fapi\u002Fplugins`, etc.) require admin role\n- **Token cleanup**: automatic session token cleanup every 15 minutes\n- **Unhandled exception handlers**: `unhandledRejection` + `uncaughtException` caught and logged\n\nSee full security audit: [docs\u002FSECURITY_AUDIT.md](docs\u002FSECURITY_AUDIT.md)\n\n---\n\n## Where HCI Can Be Installed\n\nHCI runs as a single Node.js process — any server environment that supports Node.js works.\n\n| Environment | Status | Notes |\n|---|---|---|\n| Local Linux server | ✅ | Full support |\n| VPS (DigitalOcean, Hetzner, AWS EC2, Linode, etc.) 
| ✅ | Recommended for production |\n| macOS | ✅ | Works |\n| WSL2 (Windows Subsystem for Linux) | ✅ | Full support |\n| Raspberry Pi (arm64) | ✅ | Works |\n| Docker \u002F Podman | ⚠️ | Works but not officially supported |\n| Shared hosting | ❌ | Requires Node.js + WebSocket + PTY support |\n| Browser-only (no server) | ❌ | Requires Node.js backend |\n\n---\n\n## Requirements\n\n| Requirement | Minimum | Recommended |\n|---|---|---|\n| Node.js | v18+ | v20 LTS |\n| RAM | 512 MB | 1 GB+ |\n| Disk | 200 MB | 500 MB+ |\n| OS | Linux \u002F macOS \u002F WSL2 | Ubuntu 22.04 LTS |\n| Hermes Agent | v0.3.x | Latest |\n| Build tools | python3, make, g++ | For node-pty native module |\n\n**Dependencies** (installed via `npm install`):\n- `express` — HTTP server\n- `ws` — WebSocket\n- `node-pty` — PTY support (requires build tools)\n- `xterm.js` — Terminal emulator in browser\n- `bcrypt` — Password hashing\n- `cookie-parser`, `dotenv`, `js-yaml`, etc.\n\n---\n\n## Installation Methods\n\n### Manual (Recommended)\n\n```bash\n# 1. Clone\ngit clone https:\u002F\u002Fgithub.com\u002Fxaspx\u002Fhermes-control-interface.git\ncd hermes-control-interface\n\n# 2. Install dependencies\nnpm install\n\n# 3. Configure\ncp .env.example .env\n# Edit .env and set:\n#   HERMES_CONTROL_PASSWORD=your-secure-password\n#   HERMES_CONTROL_SECRET=$(openssl rand -hex 32)\n\n# 4. Build frontend\nnpm run build\n\n# 5. 
Start\nnpm start\n```\n\nAccess at `http:\u002F\u002Flocalhost:10272` (default PORT).\n\n### Systemd Service (Production)\n\n```bash\n# Use the provided gateway service script as reference\nbash scripts\u002Fsetup-gateway-service.sh\n```\n\nOr create a simple systemd unit:\n\n```ini\n# \u002Fetc\u002Fsystemd\u002Fsystem\u002Fhermes-control.service\n[Unit]\nDescription=Hermes Control Interface\nAfter=network.target\n\n[Service]\nType=simple\nUser=root\nWorkingDirectory=\u002Fpath\u002Fto\u002Fhermes-control-interface\nExecStart=\u002Fusr\u002Fbin\u002Fnode server.js\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n```\n\n```bash\nsudo systemctl enable hermes-control\nsudo systemctl start hermes-control\n```\n\n---\n\n\n## Environment Variables\n\n| Variable | Required | Description |\n|---|---|---|\n| `HERMES_CONTROL_PASSWORD` | Yes | Login password |\n| `HERMES_CONTROL_SECRET` | Yes | CSRF + internal auth secret |\n| `PORT` | No | Server port (default: 10272) |\n| `HERMES_CONTROL_HOME` | No | Hermes home dir (default: ~\u002F.hermes) |\n| `HERMES_CONTROL_ROOTS` | No | File explorer roots (JSON array) |\n| `HERMES_PROJECTS_ROOT` | No | Projects directory |\n\n---\n\n## Reset Password Without Dashboard Access\n\nIf you can't log in to the dashboard, reset the password via CLI:\n\n**Option 1 — Edit .env directly**\n```bash\n# SSH into your server\nnano ~\u002F.hermes\u002F.env\n# Change HERMES_CONTROL_PASSWORD=your-new-password\n\n# Restart\nsudo systemctl restart hermes-control\n# or: pkill node; npm start &\n```\n\n**Option 2 — Generate bcrypt hash via Node.js**\n```bash\nnode -e \"const bcrypt=require('bcrypt'); bcrypt.hash(require('crypto').randomBytes(24).toString('hex'), 10).then(h=>console.log('HERMES_CONTROL_PASSWORD='+h))\"\n# Copy the output to .env, then restart\n```\n\n**Key point:** `.env` is the source of truth. Dashboard access = server access. 
If you lose access to both, you must have server\u002FSSH access to reset.\n\n---\n\n## Architecture\n\n```\nsrc\u002F                    # Vite source (ES modules)\n├── index.html          # Entry point\n├── js\u002Fmain.js          # App logic (~4800 lines, modular sections)\n├── css\u002F\n│   ├── theme.css       # Color palette (dark\u002Flight)\n│   ├── layout.css      # Topbar, modals, dropdowns, sidebar\n│   └── components.css  # Cards, tables, forms, editor, file explorer\n├── public\u002F\n│   └── favicon.svg     # Served unhashed\n└── assets\u002F             # SVG icons\n\ndist\u002F                   # Vite build output (served by Express)\nserver.js               # Express + WebSocket + PTY + API (~2300 lines)\nauth.js                 # Multi-user auth + RBAC (bcrypt, sessions, permissions)\n```\n\n---\n\n## Development\n\n```bash\n# Edit source in src\u002F\nnpx vite build\n\n# Restart (never in foreground — use detached)\nkill $(lsof -t -i:10272) 2>\u002Fdev\u002Fnull\nnohup node server.js &>\u002Fdev\u002Fnull & disown\n```\n\n---\n\n## API\n\n100+ endpoints covering:\n- **Auth**: login, logout, session management, setup\n- **Users**: CRUD, role assignment, permission management, reset password\n- **Sessions**: list, rename, delete, export, resume\n- **Profiles**: list, create, clone, delete, use, gateway control\n- **Chat**: send message, stream response, tool calls\n- **Cron**: list, create, pause, resume, run, remove\n- **Config**: read, write, YAML parsing, reset\n- **Memory**: provider-specific panels (MEMORY.md, honcho, external)\n- **Skills**: list, parse, search, install, uninstall, check updates\n- **Files**: list, read, write, save (scoped to Hermes home)\n- **System**: health, insights, usage analytics, doctor, dump, update, backup\n- **Notifications**: list, dismiss, clear\n- **Plugins**: admin-only plugin management\n- **Terminal**: exec command via PTY\n- **Audit**: activity log\n\nSee `docs\u002FAPI.md` for full 
reference.\n\n---\n\n**Security Audit**\n\nFull audit report: [docs\u002FSECURITY_AUDIT.md](docs\u002FSECURITY_AUDIT.md)\n**Score: 7.5\u002F10** — Production-ready.\n\nIssues found and fixed in v3.3.0 and later:\n- XSS in home cards (`loadHomeCards()`) — fixed with `escapeHtml()`\n- XSS in error handlers (15+ locations) — all `e.message` now sanitized in innerHTML (v3.5.0)\n- Missing admin gate on plugins API — fixed\n- Terminal exec rate limit — 30 commands\u002Fminute per IP\n- Token cleanup interval — now runs every 15 minutes\n\n---\n\n## Updating HCI\n\n```bash\n# 1. Pull latest code\ncd \u002Froot\u002Fprojects\u002Fhermes-control-interface\ngit pull origin main\n\n# 2. Install dependencies (if package.json changed)\nnpm install\n\n# 3. Rebuild frontend\nnpm run build\n\n# 4. Restart production server\nkill $(lsof -t -i :10272) 2>\u002Fdev\u002Fnull\nnohup node server.js &>\u002Fdev\u002Fnull & disown\n```\n\nOr use the HCI UI: **Maintenance → HCI Restart** (restarts from browser).\n\n**Non-root users:** Replace `\u002Froot\u002Fprojects` with your user's project directory.\nIf running via systemd, use `sudo systemctl restart hermes-control`.\n\n---\n\n## Changelog\n\n### v3.5.0 (2026-04-27)\n\n**🧹 Maintenance & Security Hardening:**\n\n- **Dead code removed:** `getProjects()` and `formatBytes()` functions (unused — never called anywhere)\n- **XSS audit complete (S1):** All 15+ `e.message` and `err.message` in `innerHTML` now wrapped with `escapeHtml()` — error handlers across all pages (home, agents, sessions, logs, config, files, terminal, modals, audit log, users)\n- **RBAC precision:** Permissions refined to 20 across 3 roles (admin\u002Fviewer\u002Fcustom) — cleaner than 28 across 12 groups\n- **Session sorting:** Chat sessions sorted by last activity (MAX message timestamp from messages table)\n- **Audit log UX:** Newest-first ordering with Load More at bottom (consistent with other paginated lists)\n\n**🐛 Bug Fixes:**\n\n- **Profile selector sync:** 
Profile dropdown now correctly syncs after `hermes profile use` (no more stale state after setting default)\n- **Chat agent info panel:** Always visible inside sidebar (no toggle) — shows active agent with bold gold name, all agents list with status dots, ★ default badge\n- **`finalizeWsChat` race guard:** `_finalizeInProgress` flag prevents double-call race condition\n- **`reloadCurrentSessionMessages` race guard:** `_reloadInProgress` flag + all exit paths clear the flag\n- **`showModal` return fix:** Proper if\u002Felse with `return` in cancel branch (prevents undefined `.action`)\n\n### v3.4.0 (2026-04-19)\n\n**⚡ Chat Revamp (CLI → Gateway API):**\n- **Gateway API chat:** Full rewrite from CLI subprocess to Gateway API (`\u002Fv1\u002Fresponses`) — real-time SSE streaming, structured events, no more waiting for full response\n- **Tool call cards:** Collapsible cards with JSON viewer for tool results (collapsed by default)\n- **Session resume:** Auto via `X-Hermes-Session-Id` header — conversations persist across page reloads\n- **Stop button:** Cancel running streams mid-response\n- **Multi-profile support:** All profiles (default\u002Fsoci\u002Fcuan\u002Fdavid) work via Gateway API with auto port discovery\n- **CLI fallback:** Automatic fallback to CLI if gateway is down\n- **Session list:** Sorted by last activity, filter by source type (Telegram\u002FDiscord\u002FAPI\u002FCLI\u002FCron)\n- **Mobile UX:** Auto-hide sidebar on session select, responsive header, opaque topbar\n\n**🔒 Security (CRITICAL + HIGH):**\n- **Command injection fixed:** Skills uninstall\u002Fupdate endpoints use `execHermes()` + strict regex `^[\\w.\\-]+$` validation\n- **CSRF protection:** 21 admin endpoints now require `requireCsrf` (user mgmt, config, keys, skills, HCI update\u002Frollback\u002Frestart, backup, doctor, profiles)\n- **Gateway API key:** Dynamic from `~\u002F.hermes\u002Fconfig.yaml` (removed hardcoded `'hci-gateway-2026'` from source)\n- **Dynamic CORS origins:** 
`cors_origins` no longer hardcoded — supports `HCI_CORS_ORIGINS` env var, auto-detect from request, or localhost defaults\n- **`escapeHtml()` fix:** Added `\"` and `'` escaping to prevent XSS via HTML attributes\n- **Debug CSRF logging removed:** Partial tokens no longer logged to console\n- **18-item security audit report** (SECURITY_AUDIT.md)\n\n**🧹 Maintenance:**\n- ~270 lines dead code removed (unused functions, duplicate endpoints, redundant imports, duplicate CSS)\n- Session cache invalidation after rename and delete operations\n\n**🔌 Open-Source Ready:**\n- CORS origins: dynamic resolution for any deployment (env var → auto-detect → localhost defaults)\n- Gateway API key: reads from config.yaml, env var override supported\n- `.env.example` updated with `GATEWAY_API_KEY` and `HCI_CORS_ORIGINS` documentation\n\n### v3.3.3 (2026-04-19)\n\n**🔒 Security (Critical + High):**\n- **Command injection fix:** Skills uninstall\u002Fupdate endpoints now use `execHermes()` + strict regex validation `^[\\w.\\-]+$` on skill names (prevents shell metacharacter injection)\n- **CSRF protection:** Added `requireCsrf` to 21 admin endpoints (user mgmt, config, keys, skills, HCI update\u002Frollback\u002Frestart, backup, doctor, profile create\u002Fdelete)\n- **Hardcoded API key removed:** Gateway API key now reads from `~\u002F.hermes\u002Fconfig.yaml` dynamically (was hardcoded `'hci-gateway-2026'` in source)\n- **Dynamic CORS origins:** `cors_origins` no longer hardcoded to specific domains — supports `HCI_CORS_ORIGINS` env var, auto-detect from request origin, or localhost defaults\n- **Session rename:** Switched from `shell()` to `execHermes()` (defense-in-depth)\n\n**🧹 Maintenance:**\n- **Dead code cleanup:** ~270 lines removed across 6 files (unused functions, duplicate endpoints, redundant imports, duplicate CSS)\n- **18-item security audit report** added (SECURITY_AUDIT.md)\n\n**🐛 Bug Fixes:**\n- **Session list sorting:** Fixed sort order — backend now correctly sorts by 
last activity timestamp\n- **Delete session button:** Fixed operator precedence bug in `await showModal({...})?.action` that prevented delete API call\n- **Session list refresh:** Cache invalidated after rename and delete operations (stale 10s cache)\n- **Gateway session resume:** Gateway process restart fixed stale bytecode issue\n\n**🔌 Open-Source Ready:**\n- CORS origins: dynamic resolution (env var → auto-detect → localhost defaults)\n- Gateway API key: reads from config.yaml, env var override supported\n- `.env.example` updated with `GATEWAY_API_KEY` and `HCI_CORS_ORIGINS` docs\n\n### v3.3.2 (2026-04-17)\n\n**🐛 Bug Fixes:**\n- **HTTP-only deployments:** Disable `upgrade-insecure-requests` CSP directive that broke UI on Tailscale\u002FLAN\u002Fdev environments\n- **HOST env var:** Support `HOST` env var for non-localhost server binding (Tailscale IP, LAN, specific interface)\n\n**🤝 Contributors:**\n- @hifiguy — 2 fixes (HOST env + CSP HTTP fix)\n\n### v3.3.0 (2026-04-17)\n\n**💬 Chat Revamp:**\n- Tool call cards: collapsible cards with JSON viewer, collapsed by default\n- Banner suppression: `-Q` flag passed to hermes for clean output\n- Session sidebar: model tag, session list, resume\u002Fnew chat buttons\n- Auto-detect session ID format: new (`session_id: YYYYMMDD_HHMMSS_HEX`) and legacy (`Session: YYYYMMDD_HHMMSS_HEX`)\n- `--continue \"\"` (empty) creates fresh session; bare `--continue` resumes last session\n\n**👥 User Management v2 (RBAC):**\n- 20 permissions across 3 roles: Admin (full), Viewer (read-only), Custom (your choice)\n- Built-in roles: `admin` (full access), `viewer` (read-only), custom role\n- Create\u002Fedit user modal: role presets (Admin\u002FViewer), grouped permission checklist, reset password button\n- Permission gating on 9 previously-unprotected endpoints\n\n**🔒 Security:**\n- Full security audit (docs\u002FSECURITY_AUDIT.md) — score 7.0\u002F10\n- XSS fix: `loadHomeCards()` now escapes all dynamic values with `escapeHtml()`\n- Rate 
limiter: terminal exec limited to 30 commands\u002Fminute per IP (429 on exceeded)\n- Token cleanup: proper `setInterval()` every 15 minutes (was only on token creation)\n- Admin-only gate: `GET \u002Fapi\u002Fplugins` now requires admin role\n- Full activity audit log: Maintenance → Audit panel\n\n**📦 Skills:**\n- Check updates: handles \"unavailable\" source status gracefully (info message, not error)\n- Uninstall: uses stdin pipe (`echo y |`) instead of unsupported `--yes` flag\n\n**🐛 Bug Fixes:**\n- Notification dismiss: backend handles both `\u002Fapi\u002Fnotifications\u002F:id\u002Fdismiss` and `\u002Fapi\u002Fnotifications\u002Fdismiss`\n- Sidebar: responsive CSS, `flex-shrink:0`, mobile breakpoints at 480px\n- Agent dropdown: follows dark\u002Flight theme correctly\n- Favicon 404 loop: moved to `public\u002F` to prevent Vite hash mismatch\n- HCI Info panel: version, GitHub link, Twitter @bayendor link in Maintenance\n\n**📝 Docs:**\n- Security audit report (12 categories)\n- Removed outdated script references (install.sh, reset-password.sh)\n- Screenshots: 13 dark mode, 6 light mode\n\n### v3.2.0 (2026-04-14)\n\n**⚡ Performance:**\n- Insights speed: 60s+ timeout → 0.65s via IPv4 adapter on model_metadata.py\n- Timeouts reduced: 10s → 5s (model metadata), 5s → 3s (llama.cpp props)\n\n**🔒 Security:**\n- WebSocket origin: exact match (was substring check)\n- Body limit: 10MB → 1MB global, 10MB only on avatar upload\n- Temp files: `crypto.randomUUID()` (no predictable paths)\n- Skills install\u002Funinstall: `execHermes()` instead of shell interpolation\n- Username validation: 2-32 chars, alphanumeric\u002F_.- only\n\n**✨ Features:**\n- Log tabs: Agent, Error, and Gateway logs now working\n- Non-root user support: dynamic HCI identity, HOME-aware paths\n- Gateway service: auto-detect `hermes-gateway-\u003Cprofile>` for non-root\n\n**🐛 Fixes:**\n- Terminal flow: transcript handling after sendCommand\n- XSS: 15+ escaped user-facing error messages\n- Auth panel: 
data loaded async, doesn't block page load\n- CPR stripping: removed ANSI escape from terminal\n\n### v3.1.0 (2026-04-12)\n\n- Skills Hub + Honcho panel + Gateway connections\n- HTTPS support\n- Maintenance UI: Backup & Import, HCI Restart buttons\n\n---\n\n## License\n\nMIT\n\n## Credits\n\nBuilt for the [Hermes Agent](https:\u002F\u002Fgithub.com\u002FNousResearch\u002Fhermes-agent) ecosystem.\n\n[@bayendor](https:\u002F\u002Fx.com\u002Fbayendor) — GitHub: [xaspx](https:\u002F\u002Fgithub.com\u002Fxaspx)\n","Hermes Control Interface is a self-hosted web dashboard designed for the Hermes AI agent stack. It provides a browser-based terminal, a file manager, a session overview, scheduled task management, system metrics, and an agent status panel, with access controlled by a single password gate. The project is built with Vanilla JS + Vite, Node.js, Express, and WebSocket, and supports real-time streaming chat, multi-agent gateway configuration, token analytics, and strong security features such as CSRF protection and XSS defenses. It suits enterprises or individual developers who need to centrally manage and monitor AI agent runtime environments, and performs especially well in scenarios that demand both high security and convenience.","2026-06-11 02:40:02","CREATED_QUERY"]