v0.50.293 — 3-PR batch (profile isolation trio + agent version + #1597 follow-up)

3 PRs from 3 contributors. Closes #1606, #1611, #1612, #1614.

Highlights

Profile isolation trio (#1629 by @nesquena-hermes, Co-authored @stefanpieter)

Three tightly-coupled bugs sharing the same root pattern: WebUI was treating profiles as a UI-only concept while the rest of Hermes treats them as runtime isolation boundaries.

• #1611 /api/sessions not profile-scoped — multi-profile install was returning every profile's sessions to every UI via Cookie: hermes_profile=.... Frontend is_cli_session bypass let CLI-imported sessions through regardless of which profile owned them.
• #1612 Renamed root profile 404s on switch — five hard-coded if name == 'default': literals in api/profiles.py didn't recognize a renamed root display name.
• #1614 /api/projects not profile-scoped — project list was global; cron-spawned sessions in profile A surfaced under cron chip of profile B.

Reporter @stefanpieter ran curl /api/sessions -H 'Cookie: hermes_profile=haku' against a multi-profile install and got back sessions tagged haku, kinni, AND noblepro — every profile's history visible from every UI.

Architecture: new _is_root_profile() central helper with _root_profile_name_cache + lock + invalidation hooks; new _profiles_match() and _all_profiles_query_flag() route helpers; server-side filtering on both endpoints with ?all_profiles=1 opt-in; project rows now carry a profile field; mutation guards on /api/projects/{rename,delete} and /api/session/move; ensure_cron_project() keys on (name, profile); one-time idempotent migration for legacy untagged projects.

31 dedicated regression tests + nesquena APPROVED with comprehensive end-to-end trace + cross-tool verification against agent tarball + security audit + race/state analysis.

Show Hermes Agent version (#1627 by @franksong2702, closes #1606)

Settings → System now shows two version pills — WebUI: v0.50.293 and Agent: v2026.4.30-406-gcf1426ed8-dirty. New _detect_agent_version() mirrors the existing _detect_webui_version() pattern: VERSION file → git describe --tags --always --dirty fallback → "not detected" if agent missing. Operators can confirm both moving parts from the WebUI when diagnosing parity issues, install drift, or cases where WebUI is updated but the agent checkout isn't.

Provider config cleanup regression test (#1630 by @Michaelyklam, follow-up to #1597)

Drops 1 unused _get_config_path import from api.providers (left over after #1597's call-time resolution refactor) and adds a regression test that monkeypatches both stale and active config paths to verify cleanup only touches the live path. Belt-and-braces against a future import-cleanup silently reintroducing the original bug.

Tests

4142 → 4180 passing (+38). 0 regressions. Full suite ~115s.

Pre-release verification

• Opus advisor on full stage-293 diff: SHIP verdict. Two SHOULD-FIX absorbed in-release per <20-LOC defensive policy:
  • api/models.py:load_projects() re-reads from disk inside _PROJECTS_MIGRATION_LOCK when _projects_migrated is found True post-wait — closes a startup-window staleness race where Thread B that read pre-migration could return stale untagged rows after a peer migrated and wrote disk.
  • _detect_agent_version() now uses git describe --tags --always --dirty for symmetry with _detect_webui_version(). Operators with locally-modified agent checkouts now see the dirty marker (e.g. v2026.4.30-406-gcf1426ed8-dirty).
• #1629 has nesquena APPROVED with thorough behavioral analysis. Cross-tool verified against agent tarball — no agent-side surface touched.
• JS syntax: 2 modified .js files (panels.js, sessions.js) clean.
• Browser API sanity: 11/11 endpoints OK on stage server.
• Live behavioral verification post-deploy: _profiles_match correctly rejects cross-profile rows, _all_profiles_query_flag correctly parses opt-in flag, agent_version exposed in /api/settings with --dirty marker confirmed.

Authors

• @nesquena-hermes (Co-authored @stefanpieter) — 1 PR (#1629)
• @franksong2702 — 1 PR (#1627)
• @Michaelyklam — 1 PR (#1630)

Full changelog: https://github.com/nesquena/hermes-webui/blob/master/CHANGELOG.md