admin/Hermes-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add user-scoped Hermes profile access

Browse Source
This commit is contained in:
ekko
2026-05-23 18:44:53 +08:00
committed by ekko
parent 56e7716302
commit 3f6a25d8f1
54 changed files with 2656 additions and 592 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/server/src/controllers/auth.ts
+283 -54
View File
@@ -1,24 +1,68 @@
import type { Context } from 'koa'
import { getCredentials, setCredentials, verifyCredentials, deleteCredentials } from '../services/credentials'
import { getToken } from '../services/auth'
import { checkPassword, recordPasswordFailure, recordPasswordSuccess, extractIp, getLockedIps, unlockIp, unlockAll } from '../services/login-limiter'
import {
DEFAULT_USERNAME,
bootstrapDefaultSuperAdmin,
countActiveSuperAdmins,
countUsers,
createUser,
deleteUser,
findFirstUser,
findUserById,
findUserByUsername,
listUsers,
updateUser,
updateUsername,
updateUserPassword,
verifyPassword,
type UserRole,
type UserStatus,
} from '../db/hermes/users-store'
import { issueUserJwt } from '../middleware/user-auth'
import { listProfileNamesFromDisk } from '../services/hermes/hermes-profile'
/**
* GET /api/auth/status
* Check if username/password login is configured (public).
*/
export async function authStatus(ctx: Context) {
const cred = await getCredentials()
const firstUser = findFirstUser()
ctx.body = {
hasPasswordLogin: !!cred,
username: cred?.username || null,
hasPasswordLogin: true,
username: firstUser?.username || DEFAULT_USERNAME,
hasUsers: countUsers() > 0,
}
}
/**
* GET /api/auth/me
* Return the authenticated account.
*/
export async function currentUser(ctx: Context) {
const userId = ctx.state.user?.id
const user = userId ? findUserById(userId) : null
if (!user) {
ctx.status = 404
ctx.body = { error: 'User not found' }
return
}
ctx.body = {
user: {
id: user.id,
username: user.username,
role: user.role,
status: user.status,
created_at: user.created_at,
updated_at: user.updated_at,
last_login_at: user.last_login_at,
},
}
}
/**
* POST /api/auth/login
* Authenticate with username/password (public).
* Returns the static token on success.
* Returns a user-scoped JWT on success.
*/
export async function login(ctx: Context) {
const { username, password } = ctx.request.body as { username?: string; password?: string }
@@ -36,18 +80,24 @@ export async function login(ctx: Context) {
return
}
const valid = await verifyCredentials(username, password)
if (!valid) {
const existingUserCount = countUsers()
const user = existingUserCount === 0
? bootstrapDefaultSuperAdmin(username, password)
: findUserByUsername(username)
if (!user || user.status !== 'active' || (existingUserCount > 0 && !verifyPassword(password, user.password_hash))) {
recordPasswordFailure(ip)
ctx.status = 401
ctx.body = { error: 'Invalid username or password' }
return
}
const token = await getToken()
if (!token) {
let token: string
try {
token = await issueUserJwt(user)
} catch (err: any) {
ctx.status = 500
ctx.body = { error: 'Auth is disabled on this server' }
ctx.body = { error: err?.message || 'Auth is disabled on this server' }
return
}
@@ -60,25 +110,8 @@ export async function login(ctx: Context) {
* Set up username/password (protected).
*/
export async function setupPassword(ctx: Context) {
const { username, password } = ctx.request.body as { username?: string; password?: string }
if (!username || !password) {
ctx.status = 400
ctx.body = { error: 'Username and password are required' }
return
}
if (username.length < 2) {
ctx.status = 400
ctx.body = { error: 'Username must be at least 2 characters' }
return
}
if (password.length < 6) {
ctx.status = 400
ctx.body = { error: 'Password must be at least 6 characters' }
return
}
await setCredentials(username, password)
ctx.body = { success: true }
ctx.status = 400
ctx.body = { error: 'Password login is managed by user accounts' }
}
/**
@@ -98,22 +131,15 @@ export async function changePassword(ctx: Context) {
return
}
const cred = await getCredentials()
if (!cred) {
ctx.status = 400
ctx.body = { error: 'Password login not configured' }
return
}
// Verify current password — use the username from stored credentials
const valid = await verifyCredentials(cred.username, currentPassword)
if (!valid) {
const userId = ctx.state.user?.id
const user = userId ? findUserById(userId) : null
if (!user || !verifyPassword(currentPassword, user.password_hash)) {
ctx.status = 400
ctx.body = { error: 'Current password is incorrect' }
return
}
await setCredentials(cred.username, newPassword)
updateUserPassword(user.id, newPassword)
ctx.body = { success: true }
}
@@ -134,22 +160,22 @@ export async function changeUsername(ctx: Context) {
return
}
const cred = await getCredentials()
if (!cred) {
ctx.status = 400
ctx.body = { error: 'Password login not configured' }
return
}
const valid = await verifyCredentials(cred.username, currentPassword)
if (!valid) {
const userId = ctx.state.user?.id
const user = userId ? findUserById(userId) : null
if (!user || !verifyPassword(currentPassword, user.password_hash)) {
ctx.status = 400
ctx.body = { error: 'Current password is incorrect' }
return
}
// Update username, keep the same password
await setCredentials(newUsername, currentPassword)
const existing = findUserByUsername(newUsername)
if (existing && existing.id !== user.id) {
ctx.status = 409
ctx.body = { error: 'Username already exists' }
return
}
updateUsername(user.id, newUsername)
ctx.body = { success: true }
}
@@ -158,8 +184,211 @@ export async function changeUsername(ctx: Context) {
* Remove username/password login (protected).
*/
export async function removePassword(ctx: Context) {
await deleteCredentials()
ctx.body = { success: true }
ctx.status = 400
ctx.body = { error: 'Password login cannot be removed for user accounts' }
}
function normalizeRole(value: unknown): UserRole | null {
return value === 'super_admin' || value === 'admin' ? value : null
}
function normalizeStatus(value: unknown): UserStatus | null {
return value === 'active' || value === 'disabled' ? value : null
}
function normalizeProfiles(value: unknown): string[] {
if (!Array.isArray(value)) return []
return [...new Set(value.map(item => String(item || '').trim()).filter(Boolean))]
}
function validateProfiles(profiles: string[]): string | null {
const available = new Set(listProfileNamesFromDisk())
const missing = profiles.find(profile => !available.has(profile))
return missing || null
}
/**
* GET /api/auth/users
* Super admin user management list.
*/
export async function listManagedUsers(ctx: Context) {
ctx.body = {
users: listUsers(),
profiles: listProfileNamesFromDisk(),
}
}
/**
* POST /api/auth/users
* Create a user account. Super admin only.
*/
export async function createManagedUser(ctx: Context) {
const body = ctx.request.body as {
username?: string
password?: string
role?: unknown
status?: unknown
profiles?: unknown
defaultProfile?: string | null
}
const username = String(body.username || '').trim()
const password = String(body.password || '')
const role = normalizeRole(body.role || 'admin')
const status = normalizeStatus(body.status || 'active')
const profiles = normalizeProfiles(body.profiles)
if (username.length < 2) {
ctx.status = 400
ctx.body = { error: 'Username must be at least 2 characters' }
return
}
if (password.length < 6) {
ctx.status = 400
ctx.body = { error: 'Password must be at least 6 characters' }
return
}
if (!role || !status) {
ctx.status = 400
ctx.body = { error: 'Invalid role or status' }
return
}
if (findUserByUsername(username)) {
ctx.status = 409
ctx.body = { error: 'Username already exists' }
return
}
const missingProfile = validateProfiles(profiles)
if (missingProfile) {
ctx.status = 400
ctx.body = { error: `Profile "${missingProfile}" does not exist` }
return
}
const user = createUser({
username,
password,
role,
status,
profiles: role === 'super_admin' ? [] : profiles,
defaultProfile: body.defaultProfile,
})
ctx.status = 201
ctx.body = { user, users: listUsers() }
}
/**
* PUT /api/auth/users/:id
* Update user account metadata, password, and profile bindings.
*/
export async function updateManagedUser(ctx: Context) {
const id = Number(ctx.params.id)
const user = Number.isInteger(id) ? findUserById(id) : null
if (!user) {
ctx.status = 404
ctx.body = { error: 'User not found' }
return
}
const body = ctx.request.body as {
username?: string
password?: string
role?: unknown
status?: unknown
profiles?: unknown
defaultProfile?: string | null
}
const username = body.username == null ? undefined : String(body.username).trim()
const password = body.password == null ? undefined : String(body.password)
const role = body.role == null ? undefined : normalizeRole(body.role)
const status = body.status == null ? undefined : normalizeStatus(body.status)
const profiles = body.profiles == null ? undefined : normalizeProfiles(body.profiles)
if (username !== undefined && username.length < 2) {
ctx.status = 400
ctx.body = { error: 'Username must be at least 2 characters' }
return
}
if (password !== undefined && password.length > 0 && password.length < 6) {
ctx.status = 400
ctx.body = { error: 'Password must be at least 6 characters' }
return
}
if (body.role != null && !role || body.status != null && !status) {
ctx.status = 400
ctx.body = { error: 'Invalid role or status' }
return
}
if (username && username !== user.username) {
const existing = findUserByUsername(username)
if (existing && existing.id !== user.id) {
ctx.status = 409
ctx.body = { error: 'Username already exists' }
return
}
}
const nextRole = role || user.role
const nextStatus = status || user.status
const currentUserId = ctx.state.user?.id
if (user.id === currentUserId && nextStatus !== 'active') {
ctx.status = 400
ctx.body = { error: 'You cannot disable your own account' }
return
}
if (user.role === 'super_admin' && user.status === 'active' && (nextRole !== 'super_admin' || nextStatus !== 'active') && countActiveSuperAdmins(user.id) === 0) {
ctx.status = 400
ctx.body = { error: 'At least one active super administrator is required' }
return
}
if (profiles) {
const missingProfile = validateProfiles(profiles)
if (missingProfile) {
ctx.status = 400
ctx.body = { error: `Profile "${missingProfile}" does not exist` }
return
}
}
updateUser({
userId: user.id,
username,
password: password || undefined,
role: role || undefined,
status: status || undefined,
profiles: nextRole === 'super_admin' ? [] : profiles,
defaultProfile: body.defaultProfile,
})
ctx.body = { user: findUserById(user.id), users: listUsers() }
}
/**
* DELETE /api/auth/users/:id
* Delete a user account. Super admin only.
*/
export async function deleteManagedUser(ctx: Context) {
const id = Number(ctx.params.id)
const user = Number.isInteger(id) ? findUserById(id) : null
if (!user) {
ctx.status = 404
ctx.body = { error: 'User not found' }
return
}
if (ctx.state.user?.id === user.id) {
ctx.status = 400
ctx.body = { error: 'You cannot delete your own account' }
return
}
if (user.role === 'super_admin' && user.status === 'active' && countActiveSuperAdmins(user.id) === 0) {
ctx.status = 400
ctx.body = { error: 'At least one active super administrator is required' }
return
}
deleteUser(user.id)
ctx.body = { success: true, users: listUsers() }
}
/**
packages/server/src/controllers/hermes/kanban.ts
+98 -4
View File
@@ -10,6 +10,85 @@ import {
getExactSessionDetailFromDbWithProfile,
findLatestExactSessionIdWithProfile,
} from '../../db/hermes/sessions-db'
import { listUserProfiles } from '../../db/hermes/users-store'
const DEFAULT_PROFILE = 'default'
function profileName(value: string | null | undefined): string {
return value?.trim() || DEFAULT_PROFILE
}
function requestedProfile(ctx: Context): string | null {
return ctx.state?.profile?.name || null
}
function allowedProfileSet(ctx: Context): Set<string> | null {
const user = ctx.state?.user
if (!user || user.role === 'super_admin') return null
return new Set(listUserProfiles(user.id).map(profile => profile.profile_name))
}
function visibleProfileSet(ctx: Context): Set<string> | null {
const profile = requestedProfile(ctx)
if (profile) return new Set([profile])
return allowedProfileSet(ctx)
}
function canUseProfile(ctx: Context, profile: string | null | undefined): boolean {
const allowed = allowedProfileSet(ctx)
return !allowed || allowed.has(profileName(profile))
}
function denyProfileAccess(ctx: Context, profile: string | null | undefined): boolean {
if (canUseProfile(ctx, profile)) return false
ctx.status = 403
ctx.body = { error: `Profile "${profileName(profile)}" is not available for this user` }
return true
}
function taskAssigneeProfile(task: { assignee: string | null }): string {
return profileName(task.assignee)
}
function filterTasksByVisibleProfiles(ctx: Context, tasks: kanbanCli.KanbanTask[]): kanbanCli.KanbanTask[] {
const visible = visibleProfileSet(ctx)
if (!visible) return tasks
return tasks.filter(task => visible.has(taskAssigneeProfile(task)))
}
function statsForTasks(tasks: kanbanCli.KanbanTask[]): kanbanCli.KanbanStats {
const by_status: Record<string, number> = {}
const by_assignee: Record<string, number> = {}
for (const task of tasks) {
by_status[task.status] = (by_status[task.status] || 0) + 1
const assignee = taskAssigneeProfile(task)
by_assignee[assignee] = (by_assignee[assignee] || 0) + 1
}
return { by_status, by_assignee, total: tasks.length }
}
function filterAssigneesByVisibleProfiles(ctx: Context, assignees: kanbanCli.KanbanAssignee[]): kanbanCli.KanbanAssignee[] {
const visible = visibleProfileSet(ctx)
if (!visible) return assignees
return assignees.filter(assignee => visible.has(profileName(assignee.name)))
}
async function getVisibleTasksForBoard(ctx: Context, board: string, opts: {
status?: string
assignee?: string
tenant?: string
includeArchived?: boolean
} = {}): Promise<kanbanCli.KanbanTask[]> {
if (opts.assignee && denyProfileAccess(ctx, opts.assignee)) return []
const tasks = await kanbanCli.listTasks({
board,
status: opts.status,
assignee: opts.assignee,
tenant: opts.tenant,
includeArchived: opts.includeArchived,
})
return filterTasksByVisibleProfiles(ctx, tasks)
}
function getLatestRunProfile(detail: { runs: Array<{ profile: string | null }> }): string | null {
return [...detail.runs].reverse().find(run => run.profile)?.profile || null
@@ -211,7 +290,8 @@ export async function list(ctx: Context) {
const board = requestBoard(ctx)
if (!board) return
try {
const tasks = await kanbanCli.listTasks({ board, status, assignee, tenant, includeArchived })
const tasks = await getVisibleTasksForBoard(ctx, board, { status, assignee, tenant, includeArchived })
if (ctx.status === 403) return
ctx.body = { tasks }
} catch (err: any) {
ctx.status = 500
@@ -229,6 +309,11 @@ export async function get(ctx: Context) {
ctx.body = { error: 'Task not found' }
return
}
if (!filterTasksByVisibleProfiles(ctx, [detail.task]).length) {
ctx.status = 404
ctx.body = { error: 'Task not found' }
return
}
// For terminal tasks, find related session from the worker's profile DB.
// Archived tasks can still carry the worker result/session users need to inspect.
@@ -291,10 +376,12 @@ export async function create(ctx: Context) {
const priority = optionalInteger(payload.priority, 'priority')
const tenant = optionalString(payload.tenant, 'tenant')
if (rejectBadRequest(ctx, title.error || body.error || assignee.error || priority.error || tenant.error)) return
const targetAssignee = assignee.value || requestedProfile(ctx) || undefined
if (targetAssignee && denyProfileAccess(ctx, targetAssignee)) return
const board = requestBoard(ctx)
if (!board) return
try {
const task = await kanbanCli.createTask(title.value!, { board, body: body.value, assignee: assignee.value, priority: priority.value, tenant: tenant.value })
const task = await kanbanCli.createTask(title.value!, { board, body: body.value, assignee: targetAssignee, priority: priority.value, tenant: tenant.value })
ctx.body = { task }
} catch (err: any) {
ctx.status = 500
@@ -357,6 +444,7 @@ export async function assign(ctx: Context) {
if (rejectBadRequest(ctx, bodyResult.error)) return
const profile = requiredNonEmptyString(bodyResult.body.profile, 'profile')
if (rejectBadRequest(ctx, profile.error)) return
if (denyProfileAccess(ctx, profile.value)) return
const board = requestBoard(ctx)
if (!board) return
try {
@@ -426,6 +514,7 @@ export async function bulkUpdateTasks(ctx: Context) {
const summary = optionalString(body.summary, 'summary')
const reason = optionalString(body.reason, 'reason')
if (rejectBadRequest(ctx, ids.error || status.error || assignee.error || archive.error || summary.error || reason.error)) return
if (assignee.value && denyProfileAccess(ctx, assignee.value)) return
if (!archive.value && status.value === undefined && !hasOwn(body, 'assignee')) {
ctx.status = 400
ctx.body = { error: 'at least one bulk action is required' }
@@ -516,6 +605,7 @@ export async function reassign(ctx: Context) {
const reclaim = optionalBoolean(body.reclaim, 'reclaim')
const reason = optionalString(body.reason, 'reason')
if (rejectBadRequest(ctx, profile.error || reclaim.error || reason.error)) return
if (denyProfileAccess(ctx, profile.value)) return
const board = requestBoard(ctx)
if (!board) return
try {
@@ -566,7 +656,10 @@ export async function stats(ctx: Context) {
const board = requestBoard(ctx)
if (!board) return
try {
const stats = await kanbanCli.getStats({ board })
const visible = visibleProfileSet(ctx)
const stats = visible
? statsForTasks(await getVisibleTasksForBoard(ctx, board, { includeArchived: true }))
: await kanbanCli.getStats({ board })
ctx.body = { stats }
} catch (err: any) {
ctx.status = 500
@@ -578,7 +671,7 @@ export async function assignees(ctx: Context) {
const board = requestBoard(ctx)
if (!board) return
try {
const assignees = await kanbanCli.getAssignees({ board })
const assignees = filterAssigneesByVisibleProfiles(ctx, await kanbanCli.getAssignees({ board }))
ctx.body = { assignees }
} catch (err: any) {
ctx.status = 500
@@ -628,6 +721,7 @@ export async function searchSessions(ctx: Context) {
ctx.body = { error: 'task_id and profile are required' }
return
}
if (denyProfileAccess(ctx, profile)) return
try {
if (!q) {
const exactSessionId = await findLatestExactSessionIdWithProfile(task_id, profile)
packages/server/src/controllers/hermes/models.ts
+17 -4
View File
@@ -8,6 +8,7 @@ import { getCopilotModelsDetailed, resolveCopilotOAuthToken, type CopilotModelMe
import { readAppConfig, writeAppConfig, type ModelVisibilityRule } from '../../services/app-config'
import { getDb } from '../../db'
import { MODEL_CONTEXT_TABLE } from '../../db/hermes/schemas'
import { listUserProfiles } from '../../db/hermes/users-store'
const PROVIDER_MODEL_CATALOG = buildProviderModelMap()
@@ -194,6 +195,19 @@ function mergeAvailableGroups(groups: AvailableGroup[]): AvailableGroup[] {
type ProviderFetchCache = Map<string, Promise<string[]>>
function requestedProfileName(ctx: any): string {
const queryProfile = ctx.query?.profile
return typeof queryProfile === 'string' && queryProfile.trim() ? queryProfile.trim() : ''
}
function visibleProfileNamesForUser(ctx: any): string[] {
const diskProfiles = listProfileNamesFromDisk()
const user = ctx.state?.user
if (!user || user.role === 'super_admin') return diskProfiles
const allowed = new Set(listUserProfiles(user.id).map(profile => profile.profile_name))
return diskProfiles.filter(profile => allowed.has(profile))
}
function cachedProviderModels(
cache: ProviderFetchCache,
baseUrl: string,
@@ -379,17 +393,16 @@ async function buildAvailableForProfile(
export async function getAvailable(ctx: any) {
try {
const requestedProfile = typeof ctx.query.profile === 'string' && ctx.query.profile.trim()
? ctx.query.profile.trim()
: ''
const requestedProfile = requestedProfileName(ctx)
if (!requestedProfile) {
const appConfig = await readAppConfig()
const modelAliases = normalizeAliases(appConfig.modelAliases)
const modelVisibility = normalizeModelVisibility(appConfig.modelVisibility)
const customModels = normalizeCustomModels(appConfig.customModels)
const fetchCache: ProviderFetchCache = new Map()
const visibleProfiles = visibleProfileNamesForUser(ctx)
const profileResults = await Promise.all(
listProfileNamesFromDisk().map(profile => buildAvailableForProfile(profile, fetchCache, appConfig)),
visibleProfiles.map(profile => buildAvailableForProfile(profile, fetchCache, appConfig)),
)
const mergedGroups = mergeAvailableGroups(profileResults.flatMap(result => result.groups))
const groupsWithAliases = applyModelAliases(mergedGroups, modelAliases)
packages/server/src/controllers/hermes/profiles.ts
+47 -41
View File
@@ -16,6 +16,7 @@ import { detectHermesRootHome } from '../../services/hermes/hermes-path'
import { getActiveProfileName } from '../../services/hermes/hermes-profile'
import { HermesSkillInjector } from '../../services/hermes/skill-injector'
import type { HermesProfile } from '../../services/hermes/hermes-cli'
import { listUserProfiles } from '../../db/hermes/users-store'
const bridgeCleanupClient = () => new AgentBridgeClient({ connectRetryMs: 0, timeoutMs: 5000 })
@@ -127,6 +128,30 @@ function filterVisibleProfiles(profiles: HermesProfile[]): HermesProfile[] {
return profiles.filter(profile => !isForbiddenProfileName(profile.name))
}
function requestedProfileName(ctx: any): string {
return ctx.state?.profile?.name || ctx.get?.('x-hermes-profile') || getActiveProfileName()
}
function filterProfilesForUser(ctx: any, profiles: HermesProfile[]): HermesProfile[] {
const user = ctx.state?.user
if (!user || user.role === 'super_admin') return profiles
const allowed = new Set(listUserProfiles(user.id).map(profile => profile.profile_name))
return profiles.filter(profile => allowed.has(profile.name))
}
function canAccessProfile(ctx: any, profileName: string): boolean {
const user = ctx.state?.user
if (!user || user.role === 'super_admin') return true
return listUserProfiles(user.id).some(profile => profile.profile_name === profileName)
}
function denyProfile(ctx: any, profileName: string): boolean {
if (canAccessProfile(ctx, profileName)) return false
ctx.status = 403
ctx.body = { error: `Profile "${profileName}" is not available for this user` }
return true
}
function profileMetadataRoot(): string {
return join(getWebUiHome(), 'profile-metadata')
}
@@ -299,21 +324,12 @@ export async function list(ctx: any) {
profiles = listProfilesFromDisk('default')
}
// Override active flag from the authoritative source (active_profile file)
// CLI output may be stale, but the file is written by hermes profile use
const { getActiveProfileName } = await import('../../services/hermes/hermes-profile')
const activeProfileName = getActiveProfileName()
const activeProfileName = requestedProfileName(ctx)
profiles = filterVisibleProfiles(profiles)
profiles = filterProfilesForUser(ctx, profiles)
// Check if CLI's active flag matches the file (warn if inconsistent)
const cliActive = profiles.find(p => p.active)
if (cliActive?.name !== activeProfileName) {
logger.warn('[listProfiles] CLI active flag (%s) differs from active_profile file (%s) - using file as authoritative source',
cliActive?.name || 'none', activeProfileName)
}
// Fix the active flag based on the actual active_profile file
// Web UI active profile is request-scoped and comes from X-Hermes-Profile.
profiles.forEach(p => {
p.active = (p.name === activeProfileName)
})
@@ -388,8 +404,10 @@ export async function create(ctx: any) {
}
export async function get(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
try {
const profile = await hermesCli.getProfile(ctx.params.name)
const profile = await hermesCli.getProfile(name)
ctx.body = { profile: { ...profile, avatar: readProfileAvatar(profile.name) } }
} catch (err: any) {
ctx.status = err.message.includes('not found') ? 404 : 500
@@ -399,6 +417,7 @@ export async function get(ctx: any) {
export async function updateAvatar(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
if (isForbiddenProfileName(name)) {
ctx.status = 400
ctx.body = { error: `Profile name '${name}' is reserved` }
@@ -438,6 +457,7 @@ export async function updateAvatar(ctx: any) {
export async function deleteAvatar(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
try {
removeProfileMetadata(name)
ctx.body = { success: true }
@@ -449,6 +469,7 @@ export async function deleteAvatar(ctx: any) {
export async function runtimeStatus(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
if (isForbiddenProfileName(name)) {
ctx.status = 400
ctx.body = { error: `Profile name '${name}' is reserved` }
@@ -465,7 +486,7 @@ export async function runtimeStatus(ctx: any) {
export async function runtimeStatuses(ctx: any) {
try {
const profiles = await listProfilesForStatus()
const profiles = filterProfilesForUser(ctx, await listProfilesForStatus())
const bridge = await readBridgeWorkers()
const statuses = await Promise.all(profiles.map(profile => buildRuntimeStatus(profile, bridge)))
ctx.body = { profiles: statuses }
@@ -487,6 +508,7 @@ async function listProfilesForStatus(): Promise<HermesProfile[]> {
export async function restartGatewayForProfile(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
if (isForbiddenProfileName(name)) {
ctx.status = 400
ctx.body = { error: `Profile name '${name}' is reserved` }
@@ -509,6 +531,7 @@ export async function restartGatewayForProfile(ctx: any) {
export async function restartProfileRuntime(ctx: any) {
const name = String(ctx.params.name || '').trim() || 'default'
if (denyProfile(ctx, name)) return
if (isForbiddenProfileName(name)) {
ctx.status = 400
ctx.body = { error: `Profile name '${name}' is reserved` }
@@ -532,6 +555,7 @@ export async function restartProfileRuntime(ctx: any) {
export async function remove(ctx: any) {
const { name } = ctx.params
if (denyProfile(ctx, name)) return
if (name === 'default') {
ctx.status = 400
ctx.body = { error: 'Cannot delete the default profile' }
@@ -562,6 +586,7 @@ export async function remove(ctx: any) {
}
export async function rename(ctx: any) {
if (denyProfile(ctx, ctx.params.name)) return
const { new_name } = ctx.request.body as { new_name?: string }
if (!new_name) {
ctx.status = 400
@@ -596,32 +621,20 @@ export async function switchProfile(ctx: any) {
return
}
try {
if (denyProfile(ctx, name)) return
const output = await useProfileWithFallback(name)
// Verify the active_profile file immediately (Hermes CLI writes synchronously)
// Quick verification with 2 retries to handle edge cases (filesystem delays, concurrency)
const { getActiveProfileName } = await import('../../services/hermes/hermes-profile')
let actualActive = getActiveProfileName()
// Quick retry (max 2 times, 100ms delay each)
for (let i = 0; i < 2; i++) {
if (actualActive === name) break
logger.debug('[switchProfile] Quick retry %d: current=%s, expected=%s', i + 1, actualActive, name)
await new Promise(r => setTimeout(r, 100))
actualActive = getActiveProfileName()
}
const actualActive = getActiveProfileName()
if (actualActive !== name) {
logger.error('[switchProfile] Verification failed: active_profile is %s (expected %s)', actualActive, name)
ctx.status = 500
ctx.body = { error: `Profile switch verification failed - active profile is ${actualActive}` }
return
}
// Destroy all bridge sessions so they get recreated with the new profile config
try {
await bridgeCleanupClient().destroyAll()
logger.info('[switchProfile] destroyed all bridge sessions for profile "%s"', name)
const result = await bridgeCleanupClient().destroyAll()
logger.info('[switchProfile] destroyed all bridge sessions for Hermes profile "%s" destroyed=%s', name, result.destroyed)
} catch (err: any) {
logger.warn(err, '[switchProfile] failed to destroy bridge sessions')
}
@@ -630,7 +643,6 @@ export async function switchProfile(ctx: any) {
const detail = await hermesCli.getProfile(name)
logger.debug('Profile detail.path = %s', detail.path)
// 确保配置文件存在,但不调用 setupReset()(会重置端口配置)
const profileConfig = join(detail.path, 'config.yaml')
if (!existsSync(profileConfig)) {
writeFileSync(profileConfig, '# Hermes Agent Configuration\n', 'utf-8')
@@ -647,20 +659,13 @@ export async function switchProfile(ctx: any) {
}
await injectBundledSkillsForProfile(name)
// TODO: re-enable pending session delete drain after confirming safety
// const drainResult = await SessionDeleter.getInstance().drain(name)
SessionDeleter.getInstance().switchProfile(name)
logger.info('[switchProfile] switched session deleter to profile "%s"', name)
// if (drainResult.failed.length > 0) {
// logger.warn({ profile: name, failed: drainResult.failed }, 'Failed to drain some pending session deletes after profile switch')
// }
logger.info('[switchProfile] switched session deleter to Hermes profile "%s"', name)
ctx.body = {
success: true,
message: output.trim(),
// drained_session_deletes: drainResult.deleted.length,
// failed_session_deletes: drainResult.failed.length,
active: name,
}
} catch (err: any) {
ctx.status = 500
@@ -670,6 +675,7 @@ export async function switchProfile(ctx: any) {
export async function exportProfile(ctx: any) {
const { name } = ctx.params
if (denyProfile(ctx, name)) return
const outputPath = join(tmpdir(), `hermes-profile-${name}.tar.gz`)
try {
await hermesCli.exportProfile(name, outputPath)
packages/server/src/controllers/hermes/sessions.ts
+78 -25
View File
@@ -1,5 +1,5 @@
import * as hermesCli from '../../services/hermes/hermes-cli'
import { listSessionSummaries, getUsageStatsFromDb, getSessionDetailFromDb, getExactSessionDetailFromDbWithProfile } from '../../db/hermes/sessions-db'
import { listSessionSummaries, getUsageStatsFromDb, getSessionDetailFromDb, getSessionDetailFromDbWithProfile, getExactSessionDetailFromDbWithProfile } from '../../db/hermes/sessions-db'
import {
listSessions as localListSessions,
searchSessions as localSearchSessions,
@@ -17,6 +17,7 @@ import { isPathWithin } from '../../services/hermes/hermes-path'
import { getGroupChatServer } from '../../routes/hermes/group-chat'
import { logger } from '../../services/logger'
import type { ConversationSummary } from '../../services/hermes/conversations'
import { listUserProfiles } from '../../db/hermes/users-store'
function getPendingDeletedSessionIds(): Set<string> {
return getGroupChatServer()?.getStorage().getPendingDeletedSessionIds() || new Set<string>()
@@ -32,6 +33,35 @@ function filterPendingDeletedConversationSummaries(items: ConversationSummary[])
return filterPendingDeletedSessions(items)
}
function requestedProfile(ctx: any): string | undefined {
const value = ctx.state?.profile?.name || (typeof ctx.query?.profile === 'string' ? ctx.query.profile.trim() : '')
return value || undefined
}
function allowedProfileSet(ctx: any): Set<string> | null {
const user = ctx.state?.user
if (!user || user.role === 'super_admin') return null
return new Set(listUserProfiles(user.id).map(profile => profile.profile_name))
}
function canAccessProfile(ctx: any, profile: string | null | undefined): boolean {
const allowed = allowedProfileSet(ctx)
return !allowed || allowed.has(profile || 'default')
}
function filterByAllowedProfiles<T>(ctx: any, items: T[]): T[] {
const allowed = allowedProfileSet(ctx)
if (!allowed) return items
return items.filter(item => allowed.has(((item as any).profile as string | null | undefined) || 'default'))
}
function denySessionAccess(ctx: any, session: any | null | undefined): boolean {
if (!session || canAccessProfile(ctx, session.profile)) return false
ctx.status = 403
ctx.body = { error: `Profile "${session.profile || 'default'}" is not available for this user` }
return true
}
interface HermesDeleteResult {
attempted: boolean
deleted: boolean
@@ -73,10 +103,11 @@ export async function listConversations(ctx: any) {
const source = (ctx.query.source as string) || undefined
const limit = ctx.query.limit ? parseInt(ctx.query.limit as string, 10) : undefined
const profile = getActiveProfileName()
const profile = requestedProfile(ctx)
const sessions = localListSessions(profile, source, limit && limit > 0 ? limit : 200)
const summaries: ConversationSummary[] = sessions.map(s => ({
id: s.id,
profile: s.profile || null,
source: s.source,
model: s.model,
provider: s.provider,
@@ -100,7 +131,7 @@ export async function listConversations(ctx: any) {
is_active: s.ended_at == null && (Date.now() / 1000 - s.last_active) <= 300,
thread_session_count: 1,
}))
ctx.body = { sessions: filterPendingDeletedConversationSummaries(summaries) }
ctx.body = { sessions: filterPendingDeletedConversationSummaries(filterByAllowedProfiles(ctx, summaries)) }
}
export async function getConversationMessages(ctx: any) {
@@ -112,6 +143,7 @@ export async function getConversationMessages(ctx: any) {
ctx.body = { error: 'Conversation not found' }
return
}
if (denySessionAccess(ctx, detail)) return
const messages = detail.messages
.filter(m => {
if (humanOnly && m.role !== 'user' && m.role !== 'assistant') return false
@@ -136,15 +168,13 @@ export async function getConversationMessages(ctx: any) {
export async function list(ctx: any) {
const source = (ctx.query.source as string) || undefined
const limit = ctx.query.limit ? parseInt(ctx.query.limit as string, 10) : undefined
const profile = typeof ctx.query.profile === 'string' && ctx.query.profile.trim()
? ctx.query.profile.trim()
: undefined
const profile = requestedProfile(ctx)
const effectiveLimit = limit && limit > 0 ? limit : 2000
const allSessions = localListSessions(profile, source, effectiveLimit)
const knownProfiles = profile ? null : new Set(listProfileNamesFromDisk())
ctx.body = {
sessions: filterPendingDeletedSessions(allSessions.filter(s =>
sessions: filterPendingDeletedSessions(filterByAllowedProfiles(ctx, allSessions).filter(s =>
(s.source === 'api_server' || s.source === 'cli') &&
(!knownProfiles || knownProfiles.has(s.profile || 'default')),
)),
@@ -158,23 +188,22 @@ export async function list(ctx: any) {
export async function listHermesSessions(ctx: any) {
const source = (ctx.query.source as string) || undefined
const limit = ctx.query.limit ? parseInt(ctx.query.limit as string, 10) : undefined
const profile = getActiveProfileName()
const profile = requestedProfile(ctx)
const effectiveLimit = limit && limit > 0 ? limit : 2000
const allSessions = await listSessionSummaries(source, effectiveLimit, profile)
ctx.body = { sessions: filterPendingDeletedSessions(allSessions.filter(s => s.source !== 'api_server')) }
const allSessions = (await listSessionSummaries(source, effectiveLimit, profile))
.map(session => profile ? { ...session, profile } : session)
ctx.body = { sessions: filterPendingDeletedSessions(filterByAllowedProfiles(ctx, allSessions).filter(s => s.source !== 'api_server')) }
}
export async function search(ctx: any) {
const q = typeof ctx.query.q === 'string' ? ctx.query.q : ''
const limit = ctx.query.limit ? parseInt(ctx.query.limit as string, 10) : undefined
const profile = typeof ctx.query.profile === 'string' && ctx.query.profile.trim()
? ctx.query.profile.trim()
: undefined
const profile = requestedProfile(ctx)
const results = localSearchSessions(profile, q, limit && limit > 0 ? limit : 20)
const knownProfiles = profile ? null : new Set(listProfileNamesFromDisk())
ctx.body = {
results: filterPendingDeletedSessions(results.filter(s =>
results: filterPendingDeletedSessions(filterByAllowedProfiles(ctx, results).filter(s =>
!knownProfiles || knownProfiles.has(s.profile || 'default'),
)),
}
@@ -187,6 +216,7 @@ export async function get(ctx: any) {
ctx.body = { error: 'Session not found' }
return
}
if (denySessionAccess(ctx, session)) return
ctx.body = { session }
}
@@ -195,20 +225,28 @@ export async function get(ctx: any) {
* GET /api/hermes/sessions/hermes/:id
*/
export async function getHermesSession(ctx: any) {
const profile = requestedProfile(ctx)
// Prefer the Web UI local session store. Hermes state.db can lag behind or
// miss messages for Bridge-backed runs, while the local store is the source
// used by chat rendering and compression.
const localSession = localGetSessionDetail(ctx.params.id)
if (localSession && localSession.source !== 'api_server') {
const localSessionProfile = (localSession?.profile || 'default') as string
if (localSession && localSession.source !== 'api_server' && (!profile || localSessionProfile === profile)) {
if (denySessionAccess(ctx, localSession)) return
ctx.body = { session: localSession }
return
}
// Try Hermes state.db next (consistent with listHermesSessions)
try {
const session = await getSessionDetailFromDb(ctx.params.id)
const session = profile
? await getSessionDetailFromDbWithProfile(ctx.params.id, profile)
: await getSessionDetailFromDb(ctx.params.id)
if (session && session.source !== 'api_server') {
ctx.body = { session }
const sessionWithProfile = profile ? { ...session, profile } : session
if (denySessionAccess(ctx, sessionWithProfile)) return
ctx.body = { session: sessionWithProfile }
return
}
} catch (err) {
@@ -228,13 +266,15 @@ export async function getHermesSession(ctx: any) {
ctx.body = { error: 'Session not found' }
return
}
if (denySessionAccess(ctx, session)) return
ctx.body = { session }
}
export async function remove(ctx: any) {
const sessionId = ctx.params.id
const existing = localGetSession(sessionId)
const hermesProfile = existing?.profile || getActiveProfileName()
if (denySessionAccess(ctx, existing)) return
const hermesProfile = requestedProfile(ctx) || existing?.profile || getActiveProfileName()
const hermes = await deleteHermesSessionIfPresent(sessionId, hermesProfile)
const localDeleted = existing ? localDeleteSession(sessionId) : true
if (!localDeleted) {
@@ -272,6 +312,11 @@ export async function batchRemove(ctx: any) {
for (const id of validIds) {
const existing = localGetSession(id)
if (existing && !canAccessProfile(ctx, existing.profile)) {
results.failed++
results.errors.push({ id, error: `Profile "${existing.profile || 'default'}" is not available for this user` })
continue
}
const hermes = await deleteHermesSessionIfPresent(id, existing?.profile)
if (hermes.deleted) {
results.hermesDeleted++
@@ -304,6 +349,8 @@ export async function usageBatch(ctx: any) {
}
export async function usageSingle(ctx: any) {
const session = localGetSession(ctx.params.id)
if (denySessionAccess(ctx, session)) return
const result = getUsage(ctx.params.id)
if (!result) {
ctx.body = { input_tokens: 0, output_tokens: 0 }
@@ -319,6 +366,8 @@ export async function rename(ctx: any) {
ctx.body = { error: 'title is required' }
return
}
const existing = localGetSession(ctx.params.id)
if (denySessionAccess(ctx, existing)) return
const ok = localRenameSession(ctx.params.id, title.trim())
if (!ok) {
ctx.status = 500
@@ -336,10 +385,11 @@ export async function setWorkspace(ctx: any) {
return
}
const { updateSession, getSession, createSession } = await import('../../db/hermes/session-store')
const { getActiveProfileName } = await import('../../services/hermes/hermes-profile')
const id = ctx.params.id
if (!getSession(id)) {
createSession({ id, profile: getActiveProfileName(), title: '' })
const existing = getSession(id)
if (denySessionAccess(ctx, existing)) return
if (!existing) {
createSession({ id, profile: requestedProfile(ctx) || 'default', title: '' })
}
updateSession(id, { workspace: workspace || null } as any)
ctx.body = { ok: true }
@@ -358,17 +408,18 @@ export async function setModel(ctx: any) {
return
}
const { updateSession, getSession, createSession } = await import('../../db/hermes/session-store')
const { getActiveProfileName } = await import('../../services/hermes/hermes-profile')
const id = ctx.params.id
if (!getSession(id)) {
createSession({ id, profile: getActiveProfileName(), title: '' })
const existing = getSession(id)
if (denySessionAccess(ctx, existing)) return
if (!existing) {
createSession({ id, profile: requestedProfile(ctx) || 'default', title: '' })
}
updateSession(id, { model: model.trim(), provider: (provider || '').trim() } as any)
ctx.body = { ok: true }
}
export async function contextLength(ctx: any) {
const profile = (ctx.query.profile as string) || undefined
const profile = requestedProfile(ctx)
const model = typeof ctx.query.model === 'string' ? ctx.query.model : undefined
const provider = typeof ctx.query.provider === 'string' ? ctx.query.provider : undefined
ctx.body = { context_length: getModelContextLength({ profile, model, provider }) }
@@ -484,6 +535,7 @@ export async function exportSession(ctx: any) {
ctx.body = { error: 'Session not found' }
return
}
if (denySessionAccess(ctx, session)) return
const mode = (ctx.query.mode as string) || 'full'
const ext = (ctx.query.ext as string) || (mode === 'compressed' ? 'txt' : 'json')
@@ -560,6 +612,7 @@ export async function getConversationMessagesPaginated(ctx: any) {
ctx.body = { error: 'Conversation not found' }
return
}
if (denySessionAccess(ctx, result.session)) return
ctx.body = {
session: {
packages/server/src/db/hermes/schemas.ts
+39
View File
@@ -104,6 +104,38 @@ export const MODEL_CONTEXT_SCHEMA: Record<string, string> = {
export const MODEL_CONTEXT_INDEX = 'CREATE UNIQUE INDEX IF NOT EXISTS idx_model_context_provider_model ON model_context(provider, model)'
// ============================================================================
// Users and Profile Access
// ============================================================================
export const USERS_TABLE = 'users'
export const USERS_SCHEMA: Record<string, string> = {
id: 'INTEGER PRIMARY KEY AUTOINCREMENT',
username: 'TEXT NOT NULL UNIQUE',
password_hash: 'TEXT NOT NULL',
role: "TEXT NOT NULL DEFAULT 'admin'",
status: "TEXT NOT NULL DEFAULT 'active'",
created_at: 'INTEGER NOT NULL',
updated_at: 'INTEGER NOT NULL',
last_login_at: 'INTEGER',
}
export const USER_PROFILES_TABLE = 'user_profiles'
export const USER_PROFILES_SCHEMA: Record<string, string> = {
user_id: 'INTEGER NOT NULL',
profile_name: "TEXT NOT NULL DEFAULT 'default'",
is_default: 'INTEGER NOT NULL DEFAULT 0',
created_at: 'INTEGER NOT NULL',
}
export const USER_PROFILES_INDEXES = {
idx_user_profiles_user: 'CREATE INDEX IF NOT EXISTS idx_user_profiles_user ON user_profiles(user_id)',
idx_user_profiles_profile: 'CREATE INDEX IF NOT EXISTS idx_user_profiles_profile ON user_profiles(profile_name)',
idx_user_profiles_default: 'CREATE UNIQUE INDEX IF NOT EXISTS idx_user_profiles_default ON user_profiles(user_id) WHERE is_default = 1',
}
// ============================================================================
// Group Chat (services/hermes/group-chat/index.ts)
// ============================================================================
@@ -329,6 +361,13 @@ export function initAllHermesTables(): void {
}
})
// Users and profile access
syncTable(USERS_TABLE, USERS_SCHEMA)
syncTable(USER_PROFILES_TABLE, USER_PROFILES_SCHEMA, {
primaryKey: 'user_id, profile_name',
indexes: USER_PROFILES_INDEXES,
})
// Group chat - basic tables
syncTable(GC_ROOMS_TABLE, GC_ROOMS_SCHEMA)
syncTable(GC_MESSAGES_TABLE, GC_MESSAGES_SCHEMA)
packages/server/src/db/hermes/users-store.ts
+300
View File
@@ -0,0 +1,300 @@
import { randomBytes, scryptSync, timingSafeEqual } from 'crypto'
import { getDb } from '../index'
import { USER_PROFILES_TABLE, USERS_TABLE } from './schemas'
export type UserRole = 'super_admin' | 'admin'
export type UserStatus = 'active' | 'disabled'
export type UserId = number | string
export interface UserRecord {
id: number
username: string
password_hash: string
role: UserRole
status: UserStatus
created_at: number
updated_at: number
last_login_at: number | null
}
export interface UserProfileRecord {
user_id: number
profile_name: string
is_default: number
created_at: number
}
export interface UserSummary {
id: number
username: string
role: UserRole
status: UserStatus
profiles: string[]
default_profile: string | null
created_at: number
updated_at: number
last_login_at: number | null
}
export const DEFAULT_USERNAME = 'admin'
export const DEFAULT_PASSWORD = '123456'
export const DEFAULT_PROFILE_NAME = 'default'
const SCRYPT_KEY_LEN = 64
function normalizeUserId(id: UserId): number | null {
const userId = typeof id === 'number' ? id : Number(id)
return Number.isInteger(userId) && userId > 0 ? userId : null
}
export function hashPassword(password: string): string {
const salt = randomBytes(16).toString('hex')
const hash = scryptSync(password, salt, SCRYPT_KEY_LEN).toString('hex')
return `scrypt:${salt}:${hash}`
}
export function verifyPassword(password: string, passwordHash: string): boolean {
const [scheme, salt, expectedHex] = passwordHash.split(':')
if (scheme !== 'scrypt' || !salt || !expectedHex) return false
try {
const expected = Buffer.from(expectedHex, 'hex')
const actual = scryptSync(password, salt, expected.length)
return actual.length === expected.length && timingSafeEqual(actual, expected)
} catch {
return false
}
}
export function findUserById(id: UserId): UserRecord | null {
const db = getDb()
if (!db) return null
const userId = normalizeUserId(id)
if (!userId) return null
const row = db.prepare(`SELECT * FROM ${USERS_TABLE} WHERE id = ?`).get(userId) as UserRecord | undefined
return row || null
}
export function findUserByUsername(username: string): UserRecord | null {
const db = getDb()
if (!db) return null
const row = db.prepare(`SELECT * FROM ${USERS_TABLE} WHERE username = ?`).get(username) as UserRecord | undefined
return row || null
}
export function findFirstUser(): UserRecord | null {
const db = getDb()
if (!db) return null
const row = db.prepare(`SELECT * FROM ${USERS_TABLE} ORDER BY id ASC LIMIT 1`).get() as UserRecord | undefined
return row || null
}
export function listUsers(): UserSummary[] {
const db = getDb()
if (!db) return []
const users = db.prepare(
`SELECT id, username, role, status, created_at, updated_at, last_login_at FROM ${USERS_TABLE} ORDER BY id ASC`
).all() as Array<Omit<UserSummary, 'profiles' | 'default_profile'>>
return users.map(user => {
const profiles = listUserProfiles(user.id)
return {
...user,
profiles: profiles.map(profile => profile.profile_name),
default_profile: profiles.find(profile => profile.is_default === 1)?.profile_name || null,
}
})
}
export function listUserProfiles(userId: UserId): UserProfileRecord[] {
const db = getDb()
if (!db) return []
const id = normalizeUserId(userId)
if (!id) return []
return db.prepare(
`SELECT * FROM ${USER_PROFILES_TABLE} WHERE user_id = ? ORDER BY is_default DESC, profile_name ASC`
).all(id) as unknown as UserProfileRecord[]
}
export function userCanAccessProfile(userId: UserId, profileName: string): boolean {
const db = getDb()
if (!db) return false
const id = normalizeUserId(userId)
if (!id) return false
const row = db.prepare(
`SELECT 1 FROM ${USER_PROFILES_TABLE} WHERE user_id = ? AND profile_name = ?`
).get(id, profileName)
return !!row
}
export function getDefaultProfileForUser(userId: UserId): string {
const db = getDb()
if (!db) return DEFAULT_PROFILE_NAME
const id = normalizeUserId(userId)
if (!id) return DEFAULT_PROFILE_NAME
const row = db.prepare(
`SELECT profile_name FROM ${USER_PROFILES_TABLE} WHERE user_id = ? AND is_default = 1 LIMIT 1`
).get(id) as { profile_name?: string } | undefined
return row?.profile_name || DEFAULT_PROFILE_NAME
}
export function countUsers(): number {
const db = getDb()
if (!db) return 0
const row = db.prepare(`SELECT COUNT(*) as count FROM ${USERS_TABLE}`).get() as { count?: number } | undefined
return Number(row?.count || 0)
}
export function countActiveSuperAdmins(excludeUserId?: UserId): number {
const db = getDb()
if (!db) return 0
const exclude = excludeUserId == null ? null : normalizeUserId(excludeUserId)
const row = exclude
? db.prepare(`SELECT COUNT(*) as count FROM ${USERS_TABLE} WHERE role = 'super_admin' AND status = 'active' AND id != ?`).get(exclude)
: db.prepare(`SELECT COUNT(*) as count FROM ${USERS_TABLE} WHERE role = 'super_admin' AND status = 'active'`).get()
return Number((row as { count?: number } | undefined)?.count || 0)
}
export function touchUserLogin(userId: UserId, at = Date.now()): void {
const db = getDb()
if (!db) return
const id = normalizeUserId(userId)
if (!id) return
db.prepare(`UPDATE ${USERS_TABLE} SET last_login_at = ?, updated_at = ? WHERE id = ?`).run(at, at, id)
}
export function updateUserPassword(userId: UserId, password: string): boolean {
const db = getDb()
if (!db) return false
const id = normalizeUserId(userId)
if (!id) return false
const result = db.prepare(`UPDATE ${USERS_TABLE} SET password_hash = ?, updated_at = ? WHERE id = ?`)
.run(hashPassword(password), Date.now(), id)
return result.changes > 0
}
export function updateUsername(userId: UserId, username: string): boolean {
const db = getDb()
if (!db) return false
const id = normalizeUserId(userId)
if (!id) return false
const result = db.prepare(`UPDATE ${USERS_TABLE} SET username = ?, updated_at = ? WHERE id = ?`)
.run(username, Date.now(), id)
return result.changes > 0
}
export function createUser(input: {
username: string
password: string
role?: UserRole
status?: UserStatus
profiles?: string[]
defaultProfile?: string | null
}): UserRecord | null {
const db = getDb()
if (!db) return null
const now = Date.now()
const role = input.role || 'admin'
const status = input.status || 'active'
db.prepare(
`INSERT INTO ${USERS_TABLE} (username, password_hash, role, status, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?)`
).run(input.username, hashPassword(input.password), role, status, now, now)
const user = findUserByUsername(input.username)
if (user) replaceUserProfiles(user.id, input.profiles || [], input.defaultProfile)
return user
}
export function updateUser(input: {
userId: UserId
username?: string
role?: UserRole
status?: UserStatus
password?: string
profiles?: string[]
defaultProfile?: string | null
}): UserRecord | null {
const db = getDb()
if (!db) return null
const id = normalizeUserId(input.userId)
if (!id) return null
const current = findUserById(id)
if (!current) return null
const nextUsername = input.username ?? current.username
const nextRole = input.role ?? current.role
const nextStatus = input.status ?? current.status
const nextPasswordHash = input.password ? hashPassword(input.password) : current.password_hash
const now = Date.now()
db.prepare(
`UPDATE ${USERS_TABLE}
SET username = ?, password_hash = ?, role = ?, status = ?, updated_at = ?
WHERE id = ?`
).run(nextUsername, nextPasswordHash, nextRole, nextStatus, now, id)
if (input.profiles) replaceUserProfiles(id, input.profiles, input.defaultProfile)
return findUserById(id)
}
export function deleteUser(userId: UserId): boolean {
const db = getDb()
if (!db) return false
const id = normalizeUserId(userId)
if (!id) return false
db.exec('BEGIN')
try {
db.prepare(`DELETE FROM ${USER_PROFILES_TABLE} WHERE user_id = ?`).run(id)
const result = db.prepare(`DELETE FROM ${USERS_TABLE} WHERE id = ?`).run(id)
db.exec('COMMIT')
return result.changes > 0
} catch (err) {
db.exec('ROLLBACK')
throw err
}
}
export function replaceUserProfiles(userId: UserId, profiles: string[], defaultProfile?: string | null): void {
const db = getDb()
if (!db) return
const id = normalizeUserId(userId)
if (!id) return
const uniqueProfiles = [...new Set(profiles.map(profile => profile.trim()).filter(Boolean))]
const defaultName = defaultProfile && uniqueProfiles.includes(defaultProfile) ? defaultProfile : uniqueProfiles[0] || null
const now = Date.now()
db.exec('BEGIN')
try {
db.prepare(`DELETE FROM ${USER_PROFILES_TABLE} WHERE user_id = ?`).run(id)
const stmt = db.prepare(
`INSERT INTO ${USER_PROFILES_TABLE} (user_id, profile_name, is_default, created_at) VALUES (?, ?, ?, ?)`
)
uniqueProfiles.forEach(profile => {
stmt.run(id, profile, profile === defaultName ? 1 : 0, now)
})
db.exec('COMMIT')
} catch (err) {
db.exec('ROLLBACK')
throw err
}
}
export function createDefaultSuperAdmin(): UserRecord | null {
const db = getDb()
if (!db) return null
const now = Date.now()
db.prepare(
`INSERT INTO ${USERS_TABLE} (username, password_hash, role, status, created_at, updated_at)
VALUES (?, ?, ?, ?, ?, ?)`
).run(DEFAULT_USERNAME, hashPassword(DEFAULT_PASSWORD), 'super_admin', 'active', now, now)
return findUserByUsername(DEFAULT_USERNAME)
}
export function bootstrapDefaultSuperAdmin(username: string, password: string): UserRecord | null {
if (countUsers() > 0) return null
if (username !== DEFAULT_USERNAME || password !== DEFAULT_PASSWORD) return null
return createDefaultSuperAdmin()
}
packages/server/src/index.ts
+2 -8
View File
@@ -8,7 +8,6 @@ import { resolve } from 'path'
import { mkdir } from 'fs/promises'
import { readFileSync } from 'fs'
import { config } from './config'
import { getToken, requireAuth } from './services/auth'
import { initLoginLimiter } from './services/login-limiter'
import { bindShutdown } from './services/shutdown'
import { setupTerminalWebSocket } from './routes/hermes/terminal'
@@ -23,6 +22,7 @@ import { startAgentBridgeManager } from './services/hermes/agent-bridge'
import { HermesSkillInjector } from './services/hermes/skill-injector'
import { ensureProfileGatewaysRunning } from './services/hermes/gateway-autostart'
import { logger } from './services/logger'
import { requireUserJwt, resolveUserProfile } from './middleware/user-auth'
// Injected by esbuild at build time; fallback to reading package.json in dev mode
declare const __APP_VERSION__: string
@@ -86,7 +86,6 @@ export async function bootstrap() {
await mkdir(config.uploadDir, { recursive: true })
await mkdir(config.dataDir, { recursive: true })
const authToken = await getToken()
await initLoginLimiter()
try {
const skillInjector = new HermesSkillInjector()
@@ -138,15 +137,10 @@ export async function bootstrap() {
console.log('[bootstrap] cors + bodyParser registered')
// Register all routes (handles auth internally)
const proxyMiddleware = registerRoutes(app, requireAuth(authToken))
const proxyMiddleware = registerRoutes(app, [requireUserJwt, resolveUserProfile])
app.use(proxyMiddleware)
console.log('[bootstrap] routes registered')
if (authToken) {
console.log(`Auth enabled — token: ${authToken}`)
logger.info('Auth enabled — token: %s', authToken)
}
// SPA fallback
const distDir = resolve(__dirname, '..', 'client')
app.use(serve(distDir))
packages/server/src/middleware/user-auth.ts
+215
View File
@@ -0,0 +1,215 @@
import type { Context, Next } from 'koa'
import { createHmac, timingSafeEqual } from 'crypto'
import { getToken } from '../services/auth'
import {
findUserById,
touchUserLogin,
userCanAccessProfile,
type UserRecord,
type UserRole,
} from '../db/hermes/users-store'
export interface AuthenticatedUser {
id: number
username: string
role: UserRole
}
export interface RequestProfile {
name: string
}
interface JwtPayload {
sub: string
username: string
role: UserRole
type: 'access'
aud: 'hermes-web-ui'
iat: number
exp: number
}
declare module 'koa' {
interface DefaultState {
user?: AuthenticatedUser
profile?: RequestProfile
}
}
const JWT_AUDIENCE = 'hermes-web-ui'
const DEFAULT_EXPIRES_SECONDS = 60 * 60 * 24 * 30
function base64UrlJson(value: unknown): string {
return Buffer.from(JSON.stringify(value)).toString('base64url')
}
function sign(input: string, secret: string): string {
return createHmac('sha256', secret).update(input).digest('base64url')
}
function safeEqual(a: string, b: string): boolean {
try {
const left = Buffer.from(a)
const right = Buffer.from(b)
return left.length === right.length && timingSafeEqual(left, right)
} catch {
return false
}
}
async function getJwtSecret(): Promise<string | null> {
return process.env.AUTH_JWT_SECRET || await getToken()
}
function requestToken(ctx: Context): string {
const auth = ctx.headers.authorization || ''
if (typeof auth === 'string' && auth.startsWith('Bearer ')) return auth.slice(7).trim()
return typeof ctx.query.token === 'string' ? ctx.query.token.trim() : ''
}
export function signUserJwt(user: Pick<UserRecord, 'id' | 'username' | 'role'>, secret: string, now = Date.now()): string {
const iat = Math.floor(now / 1000)
const payload: JwtPayload = {
sub: String(user.id),
username: user.username,
role: user.role,
type: 'access',
aud: JWT_AUDIENCE,
iat,
exp: iat + DEFAULT_EXPIRES_SECONDS,
}
const header = base64UrlJson({ alg: 'HS256', typ: 'JWT' })
const body = base64UrlJson(payload)
const unsigned = `${header}.${body}`
return `${unsigned}.${sign(unsigned, secret)}`
}
export function verifyUserJwt(token: string, secret: string, now = Date.now()): JwtPayload | null {
const parts = token.split('.')
if (parts.length !== 3) return null
const [header, body, signature] = parts
const expected = sign(`${header}.${body}`, secret)
if (!safeEqual(signature, expected)) return null
try {
const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf-8')) as Partial<JwtPayload>
if (payload.type !== 'access' || payload.aud !== JWT_AUDIENCE) return null
if (!payload.sub || !payload.username || !payload.role || !payload.exp) return null
if (Math.floor(now / 1000) >= payload.exp) return null
return payload as JwtPayload
} catch {
return null
}
}
export async function issueUserJwt(user: Pick<UserRecord, 'id' | 'username' | 'role'>): Promise<string> {
const secret = await getJwtSecret()
if (!secret) throw new Error('Auth is disabled on this server')
return signUserJwt(user, secret)
}
export function toAuthenticatedUser(user: Pick<UserRecord, 'id' | 'username' | 'role'>): AuthenticatedUser {
return {
id: user.id,
username: user.username,
role: user.role,
}
}
export async function authenticateUserToken(token: string): Promise<AuthenticatedUser | null> {
const secret = await getJwtSecret()
if (!secret) return null
const payload = token ? verifyUserJwt(token, secret) : null
if (!payload) return null
const user = findUserById(payload.sub)
if (!user || user.status !== 'active') return null
return toAuthenticatedUser(user)
}
export async function isAuthEnabled(): Promise<boolean> {
return !!await getJwtSecret()
}
export async function requireUserJwt(ctx: Context, next: Next): Promise<void> {
const secret = await getJwtSecret()
if (!secret) {
await next()
return
}
const token = requestToken(ctx)
const payload = token ? verifyUserJwt(token, secret) : null
if (!payload) {
ctx.status = 401
ctx.body = { error: 'Unauthorized' }
return
}
const user = findUserById(payload.sub)
if (!user || user.status !== 'active') {
ctx.status = 403
ctx.body = { error: 'User is disabled or does not exist' }
return
}
ctx.state.user = toAuthenticatedUser(user)
touchUserLogin(user.id)
await next()
}
export async function requireSuperAdmin(ctx: Context, next: Next): Promise<void> {
if (ctx.state.user?.role !== 'super_admin') {
ctx.status = 403
ctx.body = { error: 'Super administrator privileges are required' }
return
}
await next()
}
export function resolveRequestedProfile(ctx: Context): string {
if (ctx.path === '/api/hermes/available-models' && typeof ctx.query.profile !== 'string') {
return ''
}
const headerProfile = ctx.get('x-hermes-profile')
const queryProfile = typeof ctx.query.profile === 'string' ? ctx.query.profile : ''
const body = ctx.request.body as { profile?: unknown } | undefined
const bodyProfile = typeof body?.profile === 'string' ? body.profile : ''
return (headerProfile || queryProfile || bodyProfile || '').trim()
}
export async function resolveUserProfile(ctx: Context, next: Next): Promise<void> {
const user = ctx.state.user
if (!user) {
await next()
return
}
const profileName = resolveRequestedProfile(ctx)
if (!profileName) {
await next()
return
}
if (user.role !== 'super_admin' && !userCanAccessProfile(user.id, profileName)) {
ctx.status = 403
ctx.body = { error: `Profile "${profileName}" is not available for this user` }
return
}
ctx.state.profile = { name: profileName }
await next()
}
export async function requireUserProfile(ctx: Context, next: Next): Promise<void> {
if (!ctx.state.profile?.name) {
ctx.status = 400
ctx.body = { error: 'Profile is required' }
return
}
await next()
}
export const userAuthMiddleware = [requireUserJwt, resolveUserProfile]
packages/server/src/routes/auth.ts
+6
View File
@@ -1,5 +1,6 @@
import Router from '@koa/router'
import * as ctrl from '../controllers/auth'
import { requireSuperAdmin } from '../middleware/user-auth'
// Public routes (no auth required)
export const authPublicRoutes = new Router()
@@ -9,8 +10,13 @@ authPublicRoutes.post('/api/auth/login', ctrl.login)
// Protected routes (auth required)
export const authProtectedRoutes = new Router()
authProtectedRoutes.post('/api/auth/setup', ctrl.setupPassword)
authProtectedRoutes.get('/api/auth/me', ctrl.currentUser)
authProtectedRoutes.post('/api/auth/change-password', ctrl.changePassword)
authProtectedRoutes.post('/api/auth/change-username', ctrl.changeUsername)
authProtectedRoutes.delete('/api/auth/password', ctrl.removePassword)
authProtectedRoutes.get('/api/auth/users', requireSuperAdmin, ctrl.listManagedUsers)
authProtectedRoutes.post('/api/auth/users', requireSuperAdmin, ctrl.createManagedUser)
authProtectedRoutes.put('/api/auth/users/:id', requireSuperAdmin, ctrl.updateManagedUser)
authProtectedRoutes.delete('/api/auth/users/:id', requireSuperAdmin, ctrl.deleteManagedUser)
authProtectedRoutes.get('/api/auth/locked-ips', ctrl.listLockedIps)
authProtectedRoutes.delete('/api/auth/locked-ips', ctrl.unlockIpHandler)
packages/server/src/routes/hermes/kanban-events.ts
+14 -5
View File
@@ -1,12 +1,14 @@
import { WebSocketServer } from 'ws'
import type { WebSocket } from 'ws'
import type { Server as HttpServer, IncomingMessage } from 'http'
import { getToken } from '../../services/auth'
import { authenticateUserToken, isAuthEnabled } from '../../middleware/user-auth'
import { userCanAccessProfile } from '../../db/hermes/users-store'
import { logger } from '../../services/logger'
import * as kanbanCli from '../../services/hermes/hermes-kanban'
interface KanbanEventsRequest extends IncomingMessage {
kanbanBoard?: string
kanbanProfile?: string
}
function sendJson(ws: WebSocket, payload: Record<string, unknown>) {
@@ -35,14 +37,21 @@ export function setupKanbanEventsWebSocket(httpServers: HttpServer | HttpServer[
const url = new URL(req.url || '', `http://${req.headers.host}`)
if (url.pathname !== '/api/hermes/kanban/events') return
const authToken = await getToken()
if (authToken) {
if (await isAuthEnabled()) {
const token = url.searchParams.get('token') || ''
if (token !== authToken) {
const user = await authenticateUserToken(token)
if (!user) {
socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n')
socket.destroy()
return
}
const profile = (url.searchParams.get('profile') || '').trim()
if (profile && user.role !== 'super_admin' && !userCanAccessProfile(user.id, profile)) {
socket.write('HTTP/1.1 403 Forbidden\r\n\r\n')
socket.destroy()
return
}
req.kanbanProfile = profile || undefined
}
try {
@@ -74,7 +83,7 @@ export function setupKanbanEventsWebSocket(httpServers: HttpServer | HttpServer[
child.stdout?.on('data', streamLines((line) => {
if (line.toLowerCase().startsWith('watching kanban events')) return
sendJson(ws, { type: 'event', board, line })
sendJson(ws, { type: 'event', board })
}))
child.stderr?.on('data', streamLines((line) => {
packages/server/src/routes/hermes/performance-monitor.ts
+2 -1
View File
@@ -1,6 +1,7 @@
import Router from '@koa/router'
import * as ctrl from '../../controllers/hermes/performance-monitor'
import { requireSuperAdmin } from '../../middleware/user-auth'
export const performanceMonitorRoutes = new Router()
performanceMonitorRoutes.get('/api/hermes/performance/runtime', ctrl.runtime)
performanceMonitorRoutes.get('/api/hermes/performance/runtime', requireSuperAdmin, ctrl.runtime)
packages/server/src/routes/hermes/profiles.ts
+2 -1
View File
@@ -1,5 +1,6 @@
import Router from '@koa/router'
import * as ctrl from '../../controllers/hermes/profiles'
import { requireSuperAdmin } from '../../middleware/user-auth'
export const profileRoutes = new Router()
@@ -14,6 +15,6 @@ profileRoutes.delete('/api/hermes/profiles/:name/avatar', ctrl.deleteAvatar)
profileRoutes.get('/api/hermes/profiles/:name', ctrl.get)
profileRoutes.delete('/api/hermes/profiles/:name', ctrl.remove)
profileRoutes.post('/api/hermes/profiles/:name/rename', ctrl.rename)
profileRoutes.put('/api/hermes/profiles/active', ctrl.switchProfile)
profileRoutes.put('/api/hermes/profiles/active', requireSuperAdmin, ctrl.switchProfile)
profileRoutes.post('/api/hermes/profiles/:name/export', ctrl.exportProfile)
profileRoutes.post('/api/hermes/profiles/import', ctrl.importProfile)
packages/server/src/routes/hermes/terminal.ts
+3 -4
View File
@@ -5,7 +5,7 @@ import { dirname, join, isAbsolute, resolve as resolvePath } from 'path'
import { homedir } from 'os'
import { getActiveProfileDir } from '../../services/hermes/hermes-profile'
import { getTerminalConfig, type TerminalConfig } from '../../services/hermes/file-provider'
import { getToken } from '../../services/auth'
import { authenticateUserToken, isAuthEnabled } from '../../middleware/user-auth'
import { logger } from '../../services/logger'
let pty: any = null
@@ -151,10 +151,9 @@ export function setupTerminalWebSocket(httpServers: HttpServer | HttpServer[]) {
}
// Auth check
const authToken = await getToken()
if (authToken) {
if (await isAuthEnabled()) {
const token = url.searchParams.get('token') || ''
if (token !== authToken) {
if (!await authenticateUserToken(token)) {
socket.write('HTTP/1.1 401 Unauthorized\r\n\r\n')
socket.destroy()
return
packages/server/src/routes/index.ts
+2 -2
View File
@@ -38,7 +38,7 @@ import { performanceMonitorRoutes } from './hermes/performance-monitor'
* Public routes are registered first, then auth middleware,
* then all protected routes. Returns the proxy middleware (must be mounted last).
*/
export function registerRoutes(app: any, requireAuth: (ctx: Context, next: Next) => Promise<void>) {
export function registerRoutes(app: any, authMiddleware: Array<(ctx: Context, next: Next) => Promise<void>>) {
// --- Public routes (no auth required) ---
app.use(healthRoutes.routes())
app.use(webhookRoutes.routes())
@@ -46,7 +46,7 @@ export function registerRoutes(app: any, requireAuth: (ctx: Context, next: Next)
app.use(ttsRoutes.routes()) // TTS proxy/generation — must be before auth
// --- Auth middleware: all routes below require authentication ---
app.use(requireAuth)
authMiddleware.forEach((middleware) => app.use(middleware))
// --- Protected routes (auth required) ---
app.use(authProtectedRoutes.routes())
packages/server/src/services/hermes/conversations.ts
+1
View File
@@ -34,6 +34,7 @@ const exportCache = new Map<string, CachedExport>()
export interface ConversationSummary {
id: string
profile?: string | null
source: string
model: string
title: string | null
packages/server/src/services/hermes/group-chat/index.ts
+11 -7
View File
@@ -1,6 +1,5 @@
import { Server, Socket, Namespace } from 'socket.io'
import type { Server as HttpServer } from 'http'
import { getToken } from '../../../services/auth'
import { logger } from '../../../services/logger'
import { getDb } from '../../../db'
import { normalizeMessageContentForStorage, normalizeMessageContentForStorageRole } from '../../../db/hermes/message-content'
@@ -9,6 +8,7 @@ import { ContextEngine } from '../context-engine/compressor'
import { SessionDeleter } from '../session-deleter'
import { countTokens, SUMMARY_PREFIX } from '../../../lib/context-compressor'
import { AgentBridgeClient } from '../agent-bridge'
import { authenticateUserToken, isAuthEnabled } from '../../../middleware/user-auth'
// ─── Types ────────────────────────────────────────────────────
@@ -780,12 +780,16 @@ export class GroupChatServer {
// ─── Auth ───────────────────────────────────────────────────
private async authMiddleware(socket: Socket, next: (err?: Error) => void): Promise<void> {
const authToken = await getToken()
const token = socket.handshake.auth.token || socket.handshake.query.token || ''
if (authToken) {
if (token !== authToken) {
return next(new Error('Unauthorized'))
}
const auth = socket.handshake.auth as { source?: string; agentSocketSecret?: string; token?: string }
const isAgentSocket = auth.source === 'agent' && auth.agentSocketSecret === GROUP_CHAT_AGENT_SOCKET_SECRET
if (isAgentSocket) {
next()
return
}
const token = auth.token || socket.handshake.query.token || ''
if (await isAuthEnabled() && !await authenticateUserToken(String(token))) {
return next(new Error('Unauthorized'))
}
next()
}
packages/server/src/services/hermes/run-chat/index.ts
+51 -11
View File
@@ -20,6 +20,8 @@ import { handleAbort } from './abort'
import { getOrCreateSession } from './compression'
import { handleSessionCommand, isSessionCommand, parseSessionCommand } from './session-command'
import type { ContentBlock, QueuedRun, SessionState } from './types'
import { authenticateUserToken, isAuthEnabled, type AuthenticatedUser } from '../../../middleware/user-auth'
import { userCanAccessProfile } from '../../../db/hermes/users-store'
export type { ContentBlock } from './types'
@@ -43,31 +45,55 @@ export class ChatRunSocket {
private async authMiddleware(socket: Socket, next: (err?: Error) => void) {
const token = socket.handshake.auth?.token as string | undefined
if (!process.env.AUTH_DISABLED && process.env.AUTH_DISABLED !== '1') {
const { getToken } = await import('../../auth')
const serverToken = await getToken()
if (serverToken && token !== serverToken) {
return next(new Error('Authentication failed'))
}
if (!await isAuthEnabled()) {
next()
return
}
const user = await authenticateUserToken(token || '')
if (!user) {
return next(new Error('Authentication failed'))
}
const socketProfile = String(socket.handshake.query?.profile || '').trim()
if (socketProfile && !this.canAccessProfile(user, socketProfile)) {
return next(new Error('Profile access denied'))
}
socket.data.user = user
next()
}
// --- Connection handler ---
private onConnection(socket: Socket) {
const socketUser = socket.data.user as AuthenticatedUser | undefined
const socketProfile = (socket.handshake.query?.profile as string) || 'default'
const currentProfile = () => getActiveProfileName() || socketProfile || 'default'
const currentProfile = () => socketProfile || getActiveProfileName() || 'default'
const profileExists = (profile: string) => {
if (!profile || profile === 'default') return true
return listProfileNamesFromDisk().includes(profile)
}
const resolveRunProfile = (sessionId?: string, requested?: string) => {
const requestedProfile = typeof requested === 'string' ? requested.trim() : ''
if (requestedProfile && profileExists(requestedProfile)) return requestedProfile
if (!sessionId) return currentProfile()
if (requestedProfile) {
if (!profileExists(requestedProfile)) throw new Error(`Profile "${requestedProfile}" does not exist`)
if (socketUser && !this.canAccessProfile(socketUser, requestedProfile)) {
throw new Error(`Profile "${requestedProfile}" is not available for this user`)
}
return requestedProfile
}
if (!sessionId) {
const profile = currentProfile()
if (socketUser && !this.canAccessProfile(socketUser, profile)) {
throw new Error(`Profile "${profile}" is not available for this user`)
}
return profile
}
const storedProfile = getSession(sessionId)?.profile || ''
return storedProfile && profileExists(storedProfile) ? storedProfile : currentProfile()
const profile = storedProfile && profileExists(storedProfile) ? storedProfile : currentProfile()
if (socketUser && !this.canAccessProfile(socketUser, profile)) {
throw new Error(`Profile "${profile}" is not available for this user`)
}
return profile
}
socket.on('run', async (data: {
@@ -81,7 +107,17 @@ export class ChatRunSocket {
source?: string
profile?: string
}) => {
const runProfile = resolveRunProfile(data.session_id, data.profile)
let runProfile: string
try {
runProfile = resolveRunProfile(data.session_id, data.profile)
} catch (err) {
socket.emit('run.failed', {
event: 'run.failed',
session_id: data.session_id,
error: err instanceof Error ? err.message : String(err),
})
return
}
if (data.session_id) {
const state = getOrCreateSession(this.sessionMap, data.session_id)
const source = resolveRunSource(data.source, data.session_id)
@@ -313,6 +349,10 @@ export class ChatRunSocket {
}
}
private canAccessProfile(user: AuthenticatedUser, profile: string): boolean {
return user.role === 'super_admin' || userCanAccessProfile(user.id, profile)
}
/** Close all active upstream response streams */
close() {
for (const [sessionId, state] of this.sessionMap.entries()) {