github nesquena/hermes-webui v0.51.29

v0.51.29 — Release F (Docker hardening + login persistence + scroll/lineage fixes + i18n cleanup)

Six-PR contributor batch shipping production-image security hardening, persistent login rate limiting, viewport preservation when loading older messages, and various small cleanups.

Highlights

Production Docker image is now sudo-free

PR #1921 by @Michaelyklam (closes #1908). The production image previously gave the runtime user passwordless sudo. Now:

  • sudo and the hermeswebuitoo sudo-capable staging user are gone
  • Privileged setup runs in an explicit root init block, then re-execs as hermeswebui without sudo
  • Init scratch state uses umask 0077, 0700 directory permissions, 0600 files
  • A shell gained through the WebUI runtime no longer has a passwordless sudo path to root
  • New docs/docker.md explains the production-image security model

Login rate limiting now persists across restarts

PR #1919 by @franksong2702 (closes #1910). Failed login attempts were stored only in process memory — a server restart wiped the window. Now buckets persist to STATE_DIR/.login_attempts.json with atomic temp+rename writes, 0600 permissions, and prune-on-load. If the file is missing, malformed, or unwritable, the auth path falls back to current in-memory behavior with debug-level logging.
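The persistence pattern described above (atomic temp+rename write, 0600 permissions, prune-on-load, fall back to memory on any file problem), as an added Python sketch that is not hermes-webui's own code. The function names, the 300-second window and the JSON layout (client key mapped to a list of failure timestamps) are assumptions made for illustration.

```python
import json, logging, os, tempfile, time

log = logging.getLogger("login_attempts_example")
WINDOW_SECONDS = 300  # assumed window length, not taken from the project

def load_attempts(path, now=None):
    """Return {client: [timestamps]} with expired entries pruned; {} on any failure."""
    now = time.time() if now is None else now
    try:
        with open(path, "r", encoding="utf-8") as fh:
            raw = json.load(fh)
        if not isinstance(raw, dict):
            raise ValueError("top-level JSON value is not an object")
        pruned = {}
        for client, stamps in raw.items():
            if not isinstance(stamps, list):
                raise ValueError("bucket is not a list")
            fresh = [float(t) for t in stamps if now - float(t) < WINDOW_SECONDS]
            if fresh:  # drop clients whose failures have all aged out
                pruned[client] = fresh
        return pruned
    except (OSError, ValueError, TypeError) as exc:
        # Missing, malformed or unreadable file: start from an empty in-memory state.
        log.debug("login-attempt state unusable, using memory only: %s", exc)
        return {}

def save_attempts(path, attempts):
    """Write atomically: temp file in the same directory, fsync, then rename over the target."""
    directory = os.path.dirname(os.path.abspath(path))
    tmp = None
    try:
        fd, tmp = tempfile.mkstemp(prefix=".login_attempts.", dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(attempts, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)   # mkstemp already creates 0600; kept explicit
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
        return True
    except OSError as exc:
        # Unwritable state dir: the caller keeps enforcing limits from memory.
        log.debug("could not persist login attempts: %s", exc)
        if tmp and os.path.exists(tmp):
            os.unlink(tmp)
        return False
```

Creating the temp file in the same directory as the target matters: a rename is only atomic within one filesystem.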

Scroll fixes for chat sessions

Three coordinated fixes by @ai-ag2026:

  • PR #1926 — Bottom pin no longer breaks across renderMessages({preserveScroll: true}) and late Markdown layout growth. Clicking the active sidebar session is a no-op (no more scroll resets when you click "the open one" by accident).
  • PR #1927 — Loading older history anchors at the current viewport instead of snapping to the bottom. Adds a focused regression test for older-history viewport anchoring.
  • PR #1930 — Compression continuations (which carry _lineage_root_id) now collapse correctly in the sidebar even when stale optimistic parent segments are still locally visible.

i18n cleanup

PR #1920 by @franksong2702 — removes the dead kanban_card_start locale key (PR #1886 already removed the manual Start action). Strengthens regression test so the dead key cannot be reintroduced.

Verification

  • Tests: 4947 → 4960 passing (+13 net new)
  • Browser API harness (port 8789): all 11 endpoints + 20 QA tests PASS
  • node -c on all modified static/*.js files: clean
  • Opus advisor pre-release verdict: SHIP-READY
  • Coexistence verified for 3 PRs sharing static/sessions.js (different functions; scroll-pin and viewport-anchor cannot fight; lineage metadata degrades gracefully)
  • v0.51.28 carry-overs preserved

Full diff

18 files, +588/-150.

Full Changelog: v0.51.28...v0.51.29
