fix: auth bypass, SPA serving, and provider improvements (#97)

* feat(chat): polish syntax highlighting and tool payload rendering (#94)

* [verified] feat(chat): polish syntax highlighting and tool payload rendering

* [verified] fix(chat): tighten large tool payload rendering

* docs: update data volume path in Docker docs

Align documentation with docker-compose.yml change:
hermes-web-ui-data -> hermes-web-ui, /app/dist/data -> /root/.hermes-web-ui

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: bundle server build and restructure service modules

- Add build-server.mjs script for standalone server compilation
- Add logger service with structured output
- Restructure auth, gateway-manager, hermes-cli, hermes services
- Update docker-compose volume mount path
- Update tsconfig and entry point for bundled server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: separate controllers from routes and centralize route registration

- Extract business logic from route handlers into controllers/
- Add centralized route registry in routes/index.ts with public/auth/protected layers
- Replace global auth whitelist with sequential middleware registration
- Extract shared helpers to services/config-helpers.ts
- Allow custom provider name to be user-editable in ProviderFormModal
- Deduplicate custom providers by poolKey instead of base_url in getAvailable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auth bypass via path case, SPA serving, and provider improvements

- Fix auth bypass: path case-insensitive check for /api, /v1, /upload
- Fix SPA returning 401: skip auth for non-API paths (static files)
- Fix profile switch: use local loading state instead of shared store ref
- Auto-append /v1 to base_url when fetching models (frontend + backend)
- Guard .env writing to built-in providers only
- Add builtin field to provider presets, enable base_url input in form
- Print auth token to console on startup (pino only writes to file)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Zhicheng Han <43314240+hanzckernel@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

packages/server/src/routes/hermes/logs.ts

@@ -1,101 +1,7 @@
 import Router from '@koa/router'
-import { existsSync, statSync } from 'fs'
-import { readFile } from 'fs/promises'
-import { join } from 'path'
-import { homedir } from 'os'
-import * as hermesCli from '../../services/hermes/hermes-cli'
+import * as ctrl from '../../controllers/hermes/logs'
 
 export const logRoutes = new Router()
 
-const WEBUI_LOG_FILE = join(homedir(), '.hermes-web-ui', 'server.log')
-
-// List available log files
-logRoutes.get('/api/hermes/logs', async (ctx) => {
-  const files = await hermesCli.listLogFiles()
-
-  if (existsSync(WEBUI_LOG_FILE)) {
-    try {
-      const stat = statSync(WEBUI_LOG_FILE)
-      const size = stat.size > 1024 * 1024
-        ? `${(stat.size / 1024 / 1024).toFixed(1)}MB`
-        : `${(stat.size / 1024).toFixed(1)}KB`
-      const modified = stat.mtime.toLocaleString()
-      files.push({ name: 'webui', size, modified })
-    } catch { }
-  }
-
-  ctx.body = { files }
-})
-
-interface LogEntry {
-  timestamp: string
-  level: string
-  logger: string
-  message: string
-  raw: string
-}
-
-// Parse a single log line into structured entry
-function parseLine(line: string): LogEntry {
-  // Match: 2026-04-11 20:16:16,289 INFO aiohttp.access: message (agent log format)
-  let match = line.match(/^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(DEBUG|INFO|WARNING|ERROR|CRITICAL)\s+(\S+?):\s(.*)$/)
-  if (match) {
-    return { timestamp: match[1], level: match[2], logger: match[3], message: match[4], raw: line }
-  }
-  // Match: [Lark] [2026-04-19 18:46:54,864] [INFO] message (gateway log format)
-  match = line.match(/^\[(\S+?)\]\s+\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]\s+\[(DEBUG|INFO|WARNING|ERROR|CRITICAL)\]\s(.*)$/)
-  if (match) {
-    return { timestamp: match[2], level: match[3], logger: match[1], message: match[4], raw: line }
-  }
-  // Unparseable line — keep as raw entry so nothing is lost
-  return { timestamp: '', level: '', logger: '', message: line, raw: line }
-}
-
-// Read log lines (parsed)
-logRoutes.get('/api/hermes/logs/:name', async (ctx) => {
-  const logName = ctx.params.name
-  const lines = ctx.query.lines ? parseInt(ctx.query.lines as string, 10) : 100
-  const level = (ctx.query.level as string) || undefined
-  const session = (ctx.query.session as string) || undefined
-  const since = (ctx.query.since as string) || undefined
-
-  // Handle hermes-web-ui's own server log
-  if (logName === 'webui') {
-    try {
-      if (!existsSync(WEBUI_LOG_FILE)) {
-        ctx.body = { entries: [] }
-        return
-      }
-      const content = await readFile(WEBUI_LOG_FILE, 'utf-8')
-      const rawLines = content.split('\n')
-      const sliced = rawLines.length > lines ? rawLines.slice(-lines) : rawLines
-      const entries: LogEntry[] = []
-      for (const line of sliced) {
-        if (!line.trim()) continue
-        entries.push(parseLine(line))
-      }
-      ctx.body = { entries }
-    } catch (err: any) {
-      ctx.status = 500
-      ctx.body = { error: err.message }
-    }
-    return
-  }
-
-  try {
-    const content = await hermesCli.readLogs(logName, lines, level, session, since)
-    const rawLines = content.split('\n')
-
-    const entries: (LogEntry | null)[] = []
-    for (const line of rawLines) {
-      // Skip header lines like "--- ~/.hermes/logs/agent.log (last 100) ---"
-      if (line.startsWith('---') || line.trim() === '') continue
-      entries.push(parseLine(line))
-    }
-
-    ctx.body = { entries }
-  } catch (err: any) {
-    ctx.status = 500
-    ctx.body = { error: err.message }
-  }
-})
+logRoutes.get('/api/hermes/logs', ctrl.list)
+logRoutes.get('/api/hermes/logs/:name', ctrl.read)