packages/client/src/api/client.ts

import router from '@/router'

const DEFAULT_BASE_URL = ''

function getBaseUrl(): string {
  if (import.meta.env.VITE_HERMES_PREVIEW === '1') return DEFAULT_BASE_URL
  return localStorage.getItem('hermes_server_url') || DEFAULT_BASE_URL
}

export function getApiKey(): string {
  return localStorage.getItem('hermes_api_key') || ''
}

export function setServerUrl(url: string) {
  localStorage.setItem('hermes_server_url', url)
}

export function setApiKey(key: string) {
  localStorage.setItem('hermes_api_key', key)
}

export function clearApiKey() {
  localStorage.removeItem('hermes_api_key')
}

export function hasApiKey(): boolean {
  return !!getApiKey()
}

export type StoredUserRole = 'super_admin' | 'admin'

export function getStoredUserRole(): StoredUserRole | null {
  const token = getApiKey()
  const payload = token.split('.')[1]
  if (!payload) return null
  try {
    const normalized = payload.replace(/-/g, '+').replace(/_/g, '/')
    const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=')
    const data = JSON.parse(atob(padded)) as { role?: unknown }
    return data.role === 'super_admin' || data.role === 'admin' ? data.role : null
  } catch {
    return null
  }
}

export function isStoredSuperAdmin(): boolean {
  return getStoredUserRole() === 'super_admin'
}

export function getActiveProfileName(): string | null {
  return localStorage.getItem('hermes_active_profile_name')
}

function bodyHasProfileSelector(body: BodyInit | null | undefined): boolean {
  if (typeof body !== 'string') return false
  try {
    const parsed = JSON.parse(body) as { profile?: unknown }
    return typeof parsed?.profile === 'string' && parsed.profile.trim().length > 0
  } catch {
    return false
  }
}

function shouldAttachProfileHeader(path: string, options: RequestInit): boolean {
  try {
    const url = new URL(path, 'http://hermes.local')
    if (url.searchParams.has('profile')) return false
    if (url.pathname.startsWith('/api/hermes/profiles')) return false
    if (isProfileWideSessionCollection(url.pathname)) return false
  } catch {
    if (path.startsWith('/api/hermes/profiles')) return false
    if (isProfileWideSessionCollection(path.split('?')[0] || path)) return false
  }
  return !bodyHasProfileSelector(options.body)
}

function isProfileWideSessionCollection(pathname: string): boolean {
  return pathname === '/api/hermes/sessions' ||
    pathname === '/api/hermes/sessions/batch-delete' ||
    pathname === '/api/hermes/search/sessions' ||
    pathname === '/api/hermes/sessions/search' ||
    pathname === '/api/hermes/sessions/conversations'
}

function emitAuthNotice(kind: 'expired' | 'forbidden') {
  if (typeof window === 'undefined') return
  window.dispatchEvent(new CustomEvent('hermes-auth-notice', { detail: { kind } }))
}

export async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
  const base = getBaseUrl()
  const url = `${base}${path}`
  const headers: Record<string, string> = {
    'Content-Type': 'application/json',
    ...options.headers as Record<string, string>,
  }

  const apiKey = getApiKey()
  if (apiKey) {
    headers['Authorization'] = `Bearer ${apiKey}`
  }

  // Inject active profile header for request-scoped endpoints. Explicit profile
  // selectors in the URL/body and profile-name routes are validated directly.
  const profileName = getActiveProfileName()
  if (profileName && shouldAttachProfileHeader(path, options)) {
    headers['X-Hermes-Profile'] = profileName
  }

  const res = await fetch(url, { ...options, headers })

  // Global 401 handler — only redirect to login for local BFF endpoints
  // Proxied gateway requests should not trigger logout
  const isLocalBff = !path.startsWith('/api/hermes/v1/') &&
    !path.startsWith('/v1/')

  if (res.status === 401 && isLocalBff) {
    clearApiKey()
    emitAuthNotice('expired')
    if (router.currentRoute.value.name !== 'login') {
      router.replace({ name: 'login' })
    }
    throw new Error('Unauthorized')
  }

  if (!res.ok) {
    const text = await res.text().catch(() => '')
    if (res.status === 403 && isLocalBff) {
      if (text.includes('User is disabled or does not exist')) {
        clearApiKey()
        emitAuthNotice('expired')
        if (router.currentRoute.value.name !== 'login') {
          router.replace({ name: 'login' })
        }
      } else {
        emitAuthNotice('forbidden')
      }
    }
    throw new Error(`API Error ${res.status}: ${text || res.statusText}`)
  }

  return res.json()
}

export function getBaseUrlValue(): string {
  return getBaseUrl()
}
feat: add token auth, login page, skill toggle, and route restructure 2026-04-14 21:48:53 +08:00			`import router from '@/router'`

init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`const DEFAULT_BASE_URL = ''`

			`function getBaseUrl(): string {`
[codex] add version preview workflow (#1086 ) 2026-05-28 12:30:49 +08:00			`if (import.meta.env.VITE_HERMES_PREVIEW === '1') return DEFAULT_BASE_URL`
init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`return localStorage.getItem('hermes_server_url') \|\| DEFAULT_BASE_URL`
			`}`

fix: pass auth token via query param for SSE EventSource 2026-04-15 09:13:27 +08:00			`export function getApiKey(): string {`
init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`return localStorage.getItem('hermes_api_key') \|\| ''`
			`}`

			`export function setServerUrl(url: string) {`
			`localStorage.setItem('hermes_server_url', url)`
			`}`

			`export function setApiKey(key: string) {`
			`localStorage.setItem('hermes_api_key', key)`
			`}`

feat: add token auth, login page, skill toggle, and route restructure 2026-04-14 21:48:53 +08:00			`export function clearApiKey() {`
			`localStorage.removeItem('hermes_api_key')`
			`}`

			`export function hasApiKey(): boolean {`
			`return !!getApiKey()`
			`}`

Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`export type StoredUserRole = 'super_admin' \| 'admin'`

			`export function getStoredUserRole(): StoredUserRole \| null {`
			`const token = getApiKey()`
			`const payload = token.split('.')[1]`
			`if (!payload) return null`
			`try {`
			`const normalized = payload.replace(/-/g, '+').replace(/_/g, '/')`
			`const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=')`
			`const data = JSON.parse(atob(padded)) as { role?: unknown }`
			`return data.role === 'super_admin' \|\| data.role === 'admin' ? data.role : null`
			`} catch {`
			`return null`
			`}`
			`}`

			`export function isStoredSuperAdmin(): boolean {`
			`return getStoredUserRole() === 'super_admin'`
			`}`

Scope files jobs and plugins to request profile 2026-05-24 09:25:52 +08:00			`export function getActiveProfileName(): string \| null {`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`return localStorage.getItem('hermes_active_profile_name')`
			`}`

			`function bodyHasProfileSelector(body: BodyInit \| null \| undefined): boolean {`
			`if (typeof body !== 'string') return false`
Release v0.5.9 (#435 ) 2026-05-04 12:46:26 +08:00			`try {`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`const parsed = JSON.parse(body) as { profile?: unknown }`
			`return typeof parsed?.profile === 'string' && parsed.profile.trim().length > 0`
Release v0.5.9 (#435 ) 2026-05-04 12:46:26 +08:00			`} catch {`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`return false`
Release v0.5.9 (#435 ) 2026-05-04 12:46:26 +08:00			`}`
			`}`

Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`function shouldAttachProfileHeader(path: string, options: RequestInit): boolean {`
			`try {`
			`const url = new URL(path, 'http://hermes.local')`
			`if (url.searchParams.has('profile')) return false`
			`if (url.pathname.startsWith('/api/hermes/profiles')) return false`
fix session profile listing and cli sqlite warning (#971 ) 2026-05-24 17:54:17 +08:00			`if (isProfileWideSessionCollection(url.pathname)) return false`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`} catch {`
			`if (path.startsWith('/api/hermes/profiles')) return false`
fix session profile listing and cli sqlite warning (#971 ) 2026-05-24 17:54:17 +08:00			`if (isProfileWideSessionCollection(path.split('?')[0] \|\| path)) return false`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`}`
			`return !bodyHasProfileSelector(options.body)`
			`}`

fix session profile listing and cli sqlite warning (#971 ) 2026-05-24 17:54:17 +08:00			`function isProfileWideSessionCollection(pathname: string): boolean {`
			`return pathname === '/api/hermes/sessions' \|\|`
fix profile-aware session history actions (#1011 ) 2026-05-25 12:32:42 +08:00			`pathname === '/api/hermes/sessions/batch-delete' \|\|`
fix session profile listing and cli sqlite warning (#971 ) 2026-05-24 17:54:17 +08:00			`pathname === '/api/hermes/search/sessions' \|\|`
			`pathname === '/api/hermes/sessions/search' \|\|`
			`pathname === '/api/hermes/sessions/conversations'`
			`}`

Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`function emitAuthNotice(kind: 'expired' \| 'forbidden') {`
			`if (typeof window === 'undefined') return`
			`window.dispatchEvent(new CustomEvent('hermes-auth-notice', { detail: { kind } }))`
			`}`

init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`export async function request<T>(path: string, options: RequestInit = {}): Promise<T> {`
			`const base = getBaseUrl()`
			const url = `${base}${path}`
			`const headers: Record<string, string> = {`
			`'Content-Type': 'application/json',`
			`...options.headers as Record<string, string>,`
			`}`

			`const apiKey = getApiKey()`
			`if (apiKey) {`
			headers['Authorization'] = `Bearer ${apiKey}`
			`}`

Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`// Inject active profile header for request-scoped endpoints. Explicit profile`
			`// selectors in the URL/body and profile-name routes are validated directly.`
Release v0.5.9 (#435 ) 2026-05-04 12:46:26 +08:00			`const profileName = getActiveProfileName()`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`if (profileName && shouldAttachProfileHeader(path, options)) {`
feat: multi-gateway profile support, provider management overhaul, and model settings tab 2026-04-19 20:59:25 +08:00			`headers['X-Hermes-Profile'] = profileName`
			`}`

init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`const res = await fetch(url, { ...options, headers })`

feat: add Vitest testing framework, fix proxy auth stripping and 401 handling 2026-04-16 20:24:09 +08:00			`// Global 401 handler — only redirect to login for local BFF endpoints`
			`// Proxied gateway requests should not trigger logout`
			`const isLocalBff = !path.startsWith('/api/hermes/v1/') &&`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`!path.startsWith('/v1/')`
feat: add Vitest testing framework, fix proxy auth stripping and 401 handling 2026-04-16 20:24:09 +08:00
			`if (res.status === 401 && isLocalBff) {`
feat: support concurrent session streaming, persist active session, and improve 401 handling 2026-04-15 11:00:47 +08:00			`clearApiKey()`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`emitAuthNotice('expired')`
feat: support concurrent session streaming, persist active session, and improve 401 handling 2026-04-15 11:00:47 +08:00			`if (router.currentRoute.value.name !== 'login') {`
			`router.replace({ name: 'login' })`
			`}`
feat: add token auth, login page, skill toggle, and route restructure 2026-04-14 21:48:53 +08:00			`throw new Error('Unauthorized')`
			`}`

init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			`if (!res.ok) {`
			`const text = await res.text().catch(() => '')`
Add user-scoped Hermes profile access 2026-05-23 18:44:53 +08:00			`if (res.status === 403 && isLocalBff) {`
			`if (text.includes('User is disabled or does not exist')) {`
			`clearApiKey()`
			`emitAuthNotice('expired')`
			`if (router.currentRoute.value.name !== 'login') {`
			`router.replace({ name: 'login' })`
			`}`
			`} else {`
			`emitAuthNotice('forbidden')`
			`}`
			`}`
init: hermes-web-ui v0.1.0 2026-04-11 15:59:14 +08:00			throw new Error(`API Error ${res.status}: ${text \|\| res.statusText}`)
			`}`

			`return res.json()`
			`}`

			`export function getBaseUrlValue(): string {`
			`return getBaseUrl()`
			`}`