fix: auth bypass, SPA serving, and provider improvements (#97)

* feat(chat): polish syntax highlighting and tool payload rendering (#94)

* [verified] feat(chat): polish syntax highlighting and tool payload rendering

* [verified] fix(chat): tighten large tool payload rendering

* docs: update data volume path in Docker docs

Align documentation with docker-compose.yml change:
hermes-web-ui-data -> hermes-web-ui, /app/dist/data -> /root/.hermes-web-ui

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: bundle server build and restructure service modules

- Add build-server.mjs script for standalone server compilation
- Add logger service with structured output
- Restructure auth, gateway-manager, hermes-cli, hermes services
- Update docker-compose volume mount path
- Update tsconfig and entry point for bundled server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: separate controllers from routes and centralize route registration

- Extract business logic from route handlers into controllers/
- Add centralized route registry in routes/index.ts with public/auth/protected layers
- Replace global auth whitelist with sequential middleware registration
- Extract shared helpers to services/config-helpers.ts
- Allow custom provider name to be user-editable in ProviderFormModal
- Deduplicate custom providers by poolKey instead of base_url in getAvailable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auth bypass via path case, SPA serving, and provider improvements

- Fix auth bypass: path case-insensitive check for /api, /v1, /upload
- Fix SPA returning 401: skip auth for non-API paths (static files)
- Fix profile switch: use local loading state instead of shared store ref
- Auto-append /v1 to base_url when fetching models (frontend + backend)
- Guard .env writing to built-in providers only
- Add builtin field to provider presets, enable base_url input in form
- Print auth token to console on startup (pino only writes to file)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Zhicheng Han <43314240+hanzckernel@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

packages/server/src/controllers/hermes/skills.ts

@@ -0,0 +1,94 @@
+import { readdir } from 'fs/promises'
+import { join, resolve } from 'path'
+import {
+  readConfigYaml, writeConfigYaml,
+  safeReadFile, extractDescription, listFilesRecursive, getHermesDir,
+} from '../../services/config-helpers'
+
+export async function list(ctx: any) {
+  const skillsDir = join(getHermesDir(), 'skills')
+  try {
+    const config = await readConfigYaml()
+    const disabledList: string[] = config.skills?.disabled || []
+    const entries = await readdir(skillsDir, { withFileTypes: true })
+    const categories: any[] = []
+    for (const entry of entries) {
+      if (!entry.isDirectory() || entry.name.startsWith('.')) continue
+      const catDir = join(skillsDir, entry.name)
+      const catDesc = await safeReadFile(join(catDir, 'DESCRIPTION.md'))
+      const catDescription = catDesc ? catDesc.trim().split('\n')[0].replace(/^#+\s*/, '').slice(0, 100) : ''
+      const skillEntries = await readdir(catDir, { withFileTypes: true })
+      const skills: any[] = []
+      for (const se of skillEntries) {
+        if (!se.isDirectory()) continue
+        const skillMd = await safeReadFile(join(catDir, se.name, 'SKILL.md'))
+        if (skillMd) {
+          skills.push({ name: se.name, description: extractDescription(skillMd), enabled: !disabledList.includes(se.name) })
+        }
+      }
+      if (skills.length > 0) {
+        categories.push({ name: entry.name, description: catDescription, skills })
+      }
+    }
+    categories.sort((a, b) => a.name.localeCompare(b.name))
+    for (const cat of categories) { cat.skills.sort((a: any, b: any) => a.name.localeCompare(b.name)) }
+    ctx.body = { categories }
+  } catch (err: any) {
+    ctx.status = 500
+    ctx.body = { error: `Failed to read skills directory: ${err.message}` }
+  }
+}
+
+export async function toggle(ctx: any) {
+  const { name, enabled } = ctx.request.body as { name?: string; enabled?: boolean }
+  if (!name || typeof enabled !== 'boolean') {
+    ctx.status = 400
+    ctx.body = { error: 'Missing name or enabled flag' }
+    return
+  }
+  try {
+    const config = await readConfigYaml()
+    if (!config.skills) config.skills = {}
+    if (!Array.isArray(config.skills.disabled)) config.skills.disabled = []
+    const disabled = config.skills.disabled as string[]
+    const idx = disabled.indexOf(name)
+    if (enabled) { if (idx !== -1) disabled.splice(idx, 1) }
+    else { if (idx === -1) disabled.push(name) }
+    await writeConfigYaml(config)
+    ctx.body = { success: true }
+  } catch (err: any) {
+    ctx.status = 500
+    ctx.body = { error: err.message }
+  }
+}
+
+export async function listFiles(ctx: any) {
+  const { category, skill } = ctx.params
+  const skillDir = join(getHermesDir(), 'skills', category, skill)
+  try {
+    const allFiles = await listFilesRecursive(skillDir, '')
+    const files = allFiles.filter(f => f.path !== 'SKILL.md')
+    ctx.body = { files }
+  } catch (err: any) {
+    ctx.status = 500
+    ctx.body = { error: err.message }
+  }
+}
+
+export async function readFile_(ctx: any) {
+  const filePath = (ctx.params as any).path
+  const hd = getHermesDir()
+  const fullPath = resolve(join(hd, 'skills', filePath))
+  if (!fullPath.startsWith(join(hd, 'skills'))) {
+    ctx.status = 403
+    ctx.body = { error: 'Access denied' }
+    return
+  }
+  const content = await safeReadFile(fullPath)
+  if (content === null) {
+    ctx.status = 404
+    ctx.body = { error: 'File not found' }
+    return
+  }
+  ctx.body = { content }
+}