fix: auth bypass, SPA serving, and provider improvements (#97)

* feat(chat): polish syntax highlighting and tool payload rendering (#94)

* [verified] feat(chat): polish syntax highlighting and tool payload rendering

* [verified] fix(chat): tighten large tool payload rendering

* docs: update data volume path in Docker docs

Align documentation with docker-compose.yml change:
hermes-web-ui-data -> hermes-web-ui, /app/dist/data -> /root/.hermes-web-ui

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: bundle server build and restructure service modules

- Add build-server.mjs script for standalone server compilation
- Add logger service with structured output
- Restructure auth, gateway-manager, hermes-cli, hermes services
- Update docker-compose volume mount path
- Update tsconfig and entry point for bundled server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: separate controllers from routes and centralize route registration

- Extract business logic from route handlers into controllers/
- Add centralized route registry in routes/index.ts with public/auth/protected layers
- Replace global auth whitelist with sequential middleware registration
- Extract shared helpers to services/config-helpers.ts
- Allow custom provider name to be user-editable in ProviderFormModal
- Deduplicate custom providers by poolKey instead of base_url in getAvailable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auth bypass via path case, SPA serving, and provider improvements

- Fix auth bypass: path case-insensitive check for /api, /v1, /upload
- Fix SPA returning 401: skip auth for non-API paths (static files)
- Fix profile switch: use local loading state instead of shared store ref
- Auto-append /v1 to base_url when fetching models (frontend + backend)
- Guard .env writing to built-in providers only
- Add builtin field to provider presets, enable base_url input in form
- Print auth token to console on startup (pino only writes to file)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Zhicheng Han <43314240+hanzckernel@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

packages/server/src/services/auth.ts

@@ -1,10 +1,10 @@
-import { readFile, writeFile } from 'fs/promises'
+import { readFile, writeFile, mkdir } from 'fs/promises'
 import { join } from 'path'
 import { randomBytes } from 'crypto'
-import { config } from '../config'
+import { homedir } from 'os'
 
-// Token stored in project data directory
-const TOKEN_FILE = join(config.dataDir, '.token')
+const APP_HOME = join(homedir(), '.hermes-web-ui')
+const TOKEN_FILE = join(APP_HOME, '.token')
 
 function generateToken(): string {
   return randomBytes(32).toString('hex')
@@ -14,12 +14,10 @@ function generateToken(): string {
  * Get or create the auth token. Returns null if auth is disabled.
  */
 export async function getToken(): Promise<string | null> {
-  // Auth can be disabled via env var
   if (process.env.AUTH_DISABLED === '1' || process.env.AUTH_DISABLED === 'true') {
     return null
   }
 
-  // Custom token via env var
   if (process.env.AUTH_TOKEN) {
     return process.env.AUTH_TOKEN
   }
@@ -28,41 +26,36 @@ export async function getToken(): Promise<string | null> {
     const token = await readFile(TOKEN_FILE, 'utf-8')
     return token.trim()
   } catch {
-    // Generate a new token
     const token = generateToken()
+    await mkdir(APP_HOME, { recursive: true })
     await writeFile(TOKEN_FILE, token + '\n', { mode: 0o600 })
     return token
   }
 }
 
 /**
- * Koa middleware: check Authorization header for API routes.
- * Skips /health, /webhook, and static file requests.
+ * Koa middleware: check Authorization header or query token.
+ * No path whitelisting — applied globally after public routes.
  */
-export async function authMiddleware(token: string | null) {
+export function requireAuth(token: string | null) {
   return async (ctx: any, next: () => Promise<void>) => {
-    // If auth is disabled, skip
     if (!token) {
       await next()
       return
     }
 
-    // Skip non-API paths (static files, health check, SPA)
-    const path = ctx.path.toLowerCase()
-    if (
-      path === '/health' ||
-      (!path.startsWith('/api') && !path.startsWith('/v1') && path !== '/webhook' && path !== '/upload')
-    ) {
-      await next()
-      return
-    }
-
     const auth = ctx.headers.authorization || ''
     const provided = auth.startsWith('Bearer ')
       ? auth.slice(7)
       : (ctx.query.token as string) || ''
 
     if (!provided || provided !== token) {
+      // Skip auth for non-API paths (SPA static files)
+      const lowerPath = ctx.path.toLowerCase()
+      if (!lowerPath.startsWith('/api') && !lowerPath.startsWith('/v1') && !lowerPath.startsWith('/upload')) {
+        await next()
+        return
+      }
       ctx.status = 401
       ctx.set('Content-Type', 'application/json')
       ctx.body = { error: 'Unauthorized' }