feat(web-ui): add pinned sessions and live monitor in Chat (#118)

* feat: add single-page live session monitor and chat pinning

* fix: restore full test green after main merge

* fix: use Array.from instead of Set spread for ts-node compatibility

[...new Set()] requires downlevelIteration which isn't enabled in
ts-node dev mode, causing sonic-boom crash on startup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: ekko <fqsy1416@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

tests/server/auth.test.ts

@@ -1,21 +1,40 @@
-import { describe, it, expect, vi, beforeEach, afterAll } from 'vitest'
+import { afterAll, beforeEach, describe, expect, it, vi } from 'vitest'
 
-// Mock fs/promises
-vi.mock('fs/promises', () => ({
-  readFile: vi.fn(),
-  writeFile: vi.fn(),
-}))
+type FsMocks = {
+  readFile: ReturnType<typeof vi.fn>
+  writeFile: ReturnType<typeof vi.fn>
+  mkdir: ReturnType<typeof vi.fn>
+}
 
-// Mock config
-vi.mock('../../packages/server/src/config', () => ({
-  config: { dataDir: '/tmp/hermes-test-data' },
-}))
+async function loadAuth(overrides: Partial<FsMocks> & { home?: string } = {}) {
+  const readFile = overrides.readFile ?? vi.fn()
+  const writeFile = overrides.writeFile ?? vi.fn()
+  const mkdir = overrides.mkdir ?? vi.fn()
+  const home = overrides.home ?? '/tmp/hermes-home'
 
-import { readFile, writeFile } from 'fs/promises'
-import { getToken, authMiddleware } from '../../packages/server/src/services/auth'
+  vi.resetModules()
+  vi.doMock('fs/promises', () => ({ readFile, writeFile, mkdir }))
+  vi.doMock('os', () => ({ homedir: () => home }))
 
-const mockedReadFile = vi.mocked(readFile)
-const mockedWriteFile = vi.mocked(writeFile)
+  const mod = await import('../../packages/server/src/services/auth')
+  return {
+    ...mod,
+    mocks: { readFile, writeFile, mkdir },
+    appHome: `${home}/.hermes-web-ui`,
+    tokenFile: `${home}/.hermes-web-ui/.token`,
+  }
+}
+
+function createMockCtx(path: string, headers: Record<string, string> = {}, query: Record<string, string> = {}) {
+  return {
+    path,
+    headers,
+    query,
+    status: 200,
+    body: null,
+    set: vi.fn(),
+  }
+}
 
 describe('Auth Service', () => {
   const originalEnv = process.env
@@ -32,98 +51,125 @@ describe('Auth Service', () => {
   describe('getToken', () => {
     it('returns null when AUTH_DISABLED=1', async () => {
       process.env.AUTH_DISABLED = '1'
+      const { getToken, mocks } = await loadAuth()
 
       const token = await getToken()
 
       expect(token).toBeNull()
-      expect(mockedReadFile).not.toHaveBeenCalled()
+      expect(mocks.readFile).not.toHaveBeenCalled()
     })
 
     it('returns null when AUTH_DISABLED=true', async () => {
       process.env.AUTH_DISABLED = 'true'
+      const { getToken } = await loadAuth()
 
-      const token = await getToken()
-
-      expect(token).toBeNull()
+      await expect(getToken()).resolves.toBeNull()
     })
 
     it('returns AUTH_TOKEN env var if set', async () => {
       process.env.AUTH_TOKEN = 'my-custom-token'
+      const { getToken, mocks } = await loadAuth()
 
       const token = await getToken()
 
       expect(token).toBe('my-custom-token')
-      expect(mockedReadFile).not.toHaveBeenCalled()
+      expect(mocks.readFile).not.toHaveBeenCalled()
     })
 
-    it('reads token from file if exists', async () => {
-      mockedReadFile.mockResolvedValue('file-token\n')
+    it('reads token from file if it exists', async () => {
+      const readFile = vi.fn().mockResolvedValue('file-token\n')
+      const { getToken, tokenFile } = await loadAuth({ readFile })
 
       const token = await getToken()
 
       expect(token).toBe('file-token')
-      expect(mockedReadFile).toHaveBeenCalledWith('/tmp/hermes-test-data/.token', 'utf-8')
+      expect(readFile).toHaveBeenCalledWith(tokenFile, 'utf-8')
     })
 
-    it('generates and saves new token if file missing', async () => {
-      mockedReadFile.mockRejectedValue(new Error('ENOENT'))
+    it('generates and saves a token if the token file is missing', async () => {
+      const readFile = vi.fn().mockRejectedValue(new Error('ENOENT'))
+      const writeFile = vi.fn()
+      const mkdir = vi.fn()
+      const { getToken, appHome, tokenFile } = await loadAuth({ readFile, writeFile, mkdir })
 
       const token = await getToken()
 
-      expect(token).toBeTruthy()
-      expect(token).toHaveLength(64) // 32 bytes hex
-      expect(mockedWriteFile).toHaveBeenCalledWith(
-        '/tmp/hermes-test-data/.token',
+      expect(token).toMatch(/^[a-f0-9]{64}$/)
+      expect(mkdir).toHaveBeenCalledWith(appHome, { recursive: true })
+      expect(writeFile).toHaveBeenCalledWith(
+        tokenFile,
         expect.stringMatching(/^[a-f0-9]{64}\n$/),
         { mode: 0o600 },
       )
     })
   })
 
-  describe('authMiddleware', () => {
-    function createMockCtx(path: string, headers: Record<string, string> = {}, query: Record<string, string> = {}) {
-      return {
-        path,
-        headers,
-        query,
-        status: 200,
-        body: null,
-        set: vi.fn(),
-      }
-    }
-
-    const next = vi.fn()
-
+  describe('requireAuth', () => {
     it('allows all requests when auth is disabled (null token)', async () => {
-      const middleware = await authMiddleware(null)
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth(null)
       const ctx = createMockCtx('/api/hermes/sessions')
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
       expect(next).toHaveBeenCalledOnce()
     })
 
-    it('skips /health path', async () => {
-      const middleware = await authMiddleware('secret')
+    it('skips /health', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/health')
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
       expect(next).toHaveBeenCalledOnce()
+      expect(ctx.status).toBe(200)
+    })
+
+    it('skips /webhook because it is treated as a public non-API path', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
+      const ctx = createMockCtx('/webhook')
+      const next = vi.fn(async () => {})
+
+      await middleware(ctx, next)
+
+      expect(next).toHaveBeenCalledOnce()
+      expect(ctx.status).toBe(200)
     })
 
     it('skips non-API paths', async () => {
-      const middleware = await authMiddleware('secret')
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/index.html')
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
       expect(next).toHaveBeenCalledOnce()
+      expect(ctx.status).toBe(200)
     })
 
-    it('requires auth for /webhook path (it is an API-like endpoint)', async () => {
-      const middleware = await authMiddleware('secret')
-      const ctx = createMockCtx('/webhook', {})
+    it('requires auth for /upload', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
+      const ctx = createMockCtx('/upload')
+      const next = vi.fn(async () => {})
+
+      await middleware(ctx, next)
+
+      expect(ctx.status).toBe(401)
+      expect(ctx.body).toEqual({ error: 'Unauthorized' })
+      expect(next).not.toHaveBeenCalled()
+    })
+
+    it('rejects request without auth header for protected API routes', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
+      const ctx = createMockCtx('/api/hermes/sessions')
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
@@ -131,19 +177,11 @@ describe('Auth Service', () => {
       expect(next).not.toHaveBeenCalled()
     })
 
-    it('rejects request without auth header', async () => {
-      const middleware = await authMiddleware('secret')
-      const ctx = createMockCtx('/api/hermes/sessions', {})
-
-      await middleware(ctx, next)
-
-      expect(ctx.status).toBe(401)
-      expect(next).not.toHaveBeenCalled()
-    })
-
-    it('rejects request with wrong token', async () => {
-      const middleware = await authMiddleware('secret')
+    it('rejects request with the wrong bearer token', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/api/hermes/sessions', { authorization: 'Bearer wrong' })
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
@@ -151,18 +189,22 @@ describe('Auth Service', () => {
       expect(next).not.toHaveBeenCalled()
     })
 
-    it('allows request with correct Bearer token', async () => {
-      const middleware = await authMiddleware('secret')
+    it('allows request with the correct bearer token', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/api/hermes/sessions', { authorization: 'Bearer secret' })
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
       expect(next).toHaveBeenCalledOnce()
     })
 
-    it('allows request with correct query token', async () => {
-      const middleware = await authMiddleware('secret')
+    it('allows request with the correct query token', async () => {
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/api/hermes/sessions', {}, { token: 'secret' })
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)
 
@@ -170,8 +212,10 @@ describe('Auth Service', () => {
     })
 
     it('returns 401 JSON on auth failure', async () => {
-      const middleware = await authMiddleware('secret')
+      const { requireAuth } = await loadAuth()
+      const middleware = requireAuth('secret')
       const ctx = createMockCtx('/api/hermes/sessions', { authorization: 'Bearer wrong' })
+      const next = vi.fn(async () => {})
 
       await middleware(ctx, next)