Releases: xaspx/hermes-control-interface

HCI v3.6.0 — Office v3 Kanban Swarm Monitor

03 Jun 09:06
204e0e5

🎯 Office v3 — Swarm Monitor Dashboard

3-panel dashboard: Agents · Kanban · Live Feed

  • Popup v2 — run expansion, workspace files, event enrichment, load-more
  • Live Feed filter — agent dropdown + keyword search + match badge
  • Polling fix — 2s→30s + in-flight guard (no spawn storms)
  • Agent states — config.yaml + kanban.db (~100ms, zero subprocess)

🎨 Design System

  • Unified HCI dropdown selects (canonical SVG arrow + light/dark mode)
  • All dropdowns: Chat agents, Office reassign, Live Feed filter

🛡 Security

  • highlight.js unescaped HTML fix (textContent, not innerHTML)

📚 Docs

  • README enterprise rewrite (748→130 loc)
  • docs/API.md: Office v3 endpoints
  • RELEASE_v3.6.0.md: full release notes

🏗 Architecture

  • Monolithic main.js (−8,039 loc) → modular chat/ components/ core/ pages/
  • PWA: manifest.json + service worker + icons

66 files · +12,540 / −9,136

v3.5.3 — Security RBAC fixes + TUI chat session persistence

01 Jun 04:34

🔒 Security

WebSocket RBAC Bypass — fixed (CVSS 9.9 → mitigated)

Reported by @BlessedOn3 (#66)

  • WebSocket terminal-input/terminal-resize now enforces terminal permission — viewer cannot execute OS commands via WS
  • POST /api/file now requires requireAuth + requirePerm('files.write') — viewer cannot overwrite files
  • socket.user stored on WS connect for permission enforcement
  • Unauthenticated → 401, viewer → 403
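
The per-frame check described in this fix, sketched as an added example (not HCI's own code). The role table, the frame shape, `attachUser`, `authorizeFrame` and the rejection of unknown frame types are assumptions; only the message types, `socket.user` and the 401/403 outcomes come from the notes above.

```javascript
// Hypothetical role table (assumption): HCI's real RBAC data is not on this page.
const ROLE_PERMS = new Map([
  ['admin', new Set(['terminal', 'files.write'])],
  ['viewer', new Set()],
]);

// Message types that reach the OS shell and the permission each one needs.
const REQUIRED_PERM = new Map([
  ['terminal-input', 'terminal'],
  ['terminal-resize', 'terminal'],
]);

// At connect time, pin the authenticated identity to the socket so later
// frames are judged against it and not against anything the client sends.
function attachUser(socket, session) {
  socket.user = session ? { name: session.name, role: session.role } : null;
  return socket;
}

// Authorize one inbound frame. Returns { status, run }; the caller forwards
// the frame to the terminal only when run is true.
function authorizeFrame(socket, raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return { status: 400, run: false };
  }
  if (!msg || typeof msg.type !== 'string') return { status: 400, run: false };
  if (!socket.user) return { status: 401, run: false }; // unauthenticated
  const needed = REQUIRED_PERM.get(msg.type);
  if (!needed) return { status: 400, run: false }; // assumption: unknown types are rejected
  const perms = ROLE_PERMS.get(socket.user.role);
  if (!perms || !perms.has(needed)) return { status: 403, run: false }; // e.g. viewer
  return { status: 200, run: true };
}

// Constructed sample frame: the payload claims role 'admin', which is ignored.
function demo() {
  const frame = JSON.stringify({ type: 'terminal-input', data: 'id\n', role: 'admin' });
  return {
    anonymous: authorizeFrame(attachUser({}, null), frame).status,
    viewer: authorizeFrame(attachUser({}, { name: 'v', role: 'viewer' }), frame).status,
    admin: authorizeFrame(attachUser({}, { name: 'a', role: 'admin' }), frame).status,
  };
}
```

The decision depends only on the identity bound at connect time, so a `role` field inside the frame has no effect on the outcome.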

🐛 Bug Fixes

TUI Chat session persistence — fixed (#68)

Reported by @Patrick-81, confirmed by @MattXcz

  • Subsequent messages no longer trigger session.resume → new slash_worker
  • Message 1 → chat.start (session init)
  • Message 2+ → chat.send (direct prompt.submit, zero overhead)
  • No more orphan slash_worker processes

⬆️ Dependencies (#67)

| Package | From | To |
| --- | --- | --- |
| ws | 8.20.0 | 8.21.0 |
| express-rate-limit | 8.4.1 | 8.5.2 |
| helmet | 8.1.0 | 8.2.0 |
| yaml | 2.8.3 | 2.9.0 |
| vite | 8.0.10 | 8.0.14 |
| rolldown | 1.0.0-rc.17 | 1.0.2 |

📊 Stats

  • Commit: 1419564
  • Files: 5 changed, +44 / −6
  • Tests: 12/13 pass
  • npm audit: 0 vulnerabilities

v3.5.2 — i18n, Chat fixes & Profile isolation

24 May 18:20
7cb30d4

6 PRs merged since v3.5.1 (10 May — 24 May 2026)

✨ Features

  • i18n infrastructure + Japanese (ja) translation (#61 by @mosumoss) — Zero-dependency vanilla i18n layer with 430 translation keys, MutationObserver auto-reapply, and full Japanese locale. Drop-in for future locales.

🐛 Bug Fixes

  • Chat timestamp + spacing (#65 by @tomekpanek) — Fixes new Date() without * 1000 multiplier in session detail (showed epoch-1970 times), adds date alongside time, and prevents "You23:27" label collision with explicit CSS gap.
  • TUI Gateway respawn (#64 by @tomekpanek) — After a chat session ends, starting a new one no longer fails with "TUI gateway not ready". Bridge process reference is properly nullified on exit.
  • Streaming text race (#63 by @tomekpanek) — Assistant response no longer disappears when DB write lags behind chat.done. Captured text shows immediately as a placeholder bubble.
  • Profile isolation (#62 by @tomekpanek) — Chat conversations now save to the correct profile directory instead of always landing in default profile (HERMES_HOME vs HERMES_PROFILE).

v3.5.1

03 May 18:48

v3.5.1 — Monitoring, Security & Cross-Platform

🆕 Features

Monitoring & Observability (#29)

  • Cost chart: monthly pace projection (weighted average), configurable budget limit with status badge
  • VPS health: CPU/RAM/Disk cards now show color-coded progress bars (green/yellow/red)
  • Log viewer: typed entry badges (QC, ALERT, TASK, TOOL, MCP) with filter bar
  • Monitor page: added nav link, removed duplicate route redirect

Home Page

  • System Health/Details removed (moved to Monitor page with better UX)
  • Cards now in 3-column grid (Agent Overview, Gateways, Hermes Auth)
  • Each card updates independently — no more wiping other cards on refresh

🔧 Fixes

Skills Hub UI (#40)

  • Installed skills now show ✅ Installed button instead of always showing Install
  • Auto-refresh page after successful skill install
  • execHermes: added optional stdin piping for confirmation prompts
  • Skills uninstall: replaced shell() with execHermes() (security fix)

Gateway Status Detection (#30)

  • API health probe now primary signal, systemctl as fallback
  • Non-systemd setups (containers, supervisors) now show gateway as running
  • Response includes managedBy field: 'api' | 'systemd' | 'unknown'

Profile Detection

  • Read active profile from ~/.hermes/active_profile file directly
  • Workaround for hermes CLI bug where marker doesn't update after profile use

Cross-Platform (from PR #43)

  • shell(): removed timeout prefix (macOS incompatible), uses Node.js native timeout
  • shell(): returns stdout OR stderr (was only stdout on error)
  • parseShellTimeout(): supports '8s', '500ms', '2m' formats
  • /api/system/health: uses os module for CPU/RAM (no top/free dependency)
  • /api/monitoring: same cross-platform fix
  • vite.config.js: backend proxy configurable via HCI_BACKEND_URL env var

Other

  • Split layout: mobile breakpoint 768px to 640px (#47)
  • Budget: exponential weighted average (recent days weighted more)
  • setLogsType: exposed to window (fix ReferenceError)
  • Home cards: update each card by ID, not entire grid

📦 14 commits since v3.5.0

v3.5.0 — Security Hardening + Chat UX Polish

27 Apr 11:04
363aa56

v3.5.0 — Hermes Control Interface

🔒 Security

  • XSS S1 (FIXED): 15+ error handler locations where `e.message`/`err.message` was rendered with `innerHTML` without escaping — now properly escaped with `escapeHtml()`
  • Dead code removed: `getProjects()` (D1) + `formatBytes()` (D2) — never called, reduced attack surface
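
The class of bug behind XSS S1, shown as the unescaped template beside the escaped one. This is an added example, not HCI's code: the `escapeHtml` body, both render helpers and the sample error are constructed here, and HCI's own `escapeHtml()` may differ.

```javascript
// Escape the five characters that can change HTML parsing context,
// covering both element content and quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" shape: the error text is spliced into markup verbatim, so any
// markup inside err.message is parsed once the string is assigned to innerHTML.
function renderErrorUnsafe(err) {
  return `<div class="error">Failed: ${err.message}</div>`;
}

// "After" shape: the message is escaped first, so it can only render as text.
// Non-Error values (strings, null) are handled as well.
function renderErrorSafe(err) {
  const msg = err && err.message !== undefined ? err.message : err;
  return `<div class="error">Failed: ${escapeHtml(msg)}</div>`;
}

// Constructed sample: an error message that echoes attacker-influenced input,
// such as a file name reported back by a failed request.
function demo() {
  const err = new Error('cannot read <img src=x onerror="alert(1)">.yaml');
  return { unsafe: renderErrorUnsafe(err), safe: renderErrorSafe(err) };
}
```

Where no markup is needed at all, assigning the message to `textContent` avoids the HTML parser entirely, which is the approach the v3.6.0 highlight.js fix describes.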

🐛 Bug Fixes

  • Profile selector sync — UI selector now stays in sync with Hermes default agent after `hermes profile use`
  • Profile modal — clicking Cancel properly reverts agent selection (was missing `return`)
  • Race guards — `_finalizeInProgress` + `_reloadInProgress` flags prevent double-call DOM rebuild crashes
  • insertBefore crash — `ensureThinkingPanel()` race condition fixed
  • Agent Info Panel — always visible inside sidebar, no more `toggleChatInfoPanel` undefined error

📚 Documentation

All docs aligned to v3.5.0 — README, ARCHITECTURE, API, SECURITY, SECURITY_AUDIT

👥 Issues Closed

  • #36 — XSS via escapeHtml
  • #31 — Command Injection (v3.4.0)
  • #32 — Path Traversal (v3.4.0)
  • #34 — CSRF Protection (v3.4.0)
  • #35 — Hardcoded API Key (v3.4.0)
  • #37 — Session Rename Command Injection (v3.4.0)

Full changelog: v3.4.2...v3.5.0

v3.4.2 — Version Sync

22 Apr 23:48

Fixes

  • Version sync: Bump package.json to 3.4.2 (was 3.4.0)
  • Includes v3.4.1 fix: git reset before git pull in HCI update handler

v3.4.1 — Fix HCI Update Handler

22 Apr 23:40

Bug Fixes

  • HCI Update Handler: Add `git reset` step before `git pull --ff-only`
  • Prevents update failure when `package-lock.json` or other files have local modifications (e.g., from `npm install`)
  • Fixes #29

Changes

  • `server.js`: Discard local changes via `git checkout -- .` before pulling updates

v3.4.0 — Chat Revamp (CLI → Gateway API) + Security Hardened

18 Apr 23:32

⚡ Chat Revamp (CLI → Gateway API)

  • Gateway API chat with real-time SSE streaming, structured events
  • Tool call cards with JSON viewer (collapsed by default)
  • Session resume via X-Hermes-Session-Id header
  • Stop button for mid-stream cancellation
  • Multi-profile support (default/soci/cuan/david)
  • Auto-fallback to CLI if gateway is down
  • Session list sorted by last activity, filter by source type
  • Mobile UX: auto-hide sidebar, responsive header

🔒 Security (CRITICAL + HIGH)

  • Command injection fixes in skills endpoints (execHermes + regex)
  • CSRF protection on 21 admin endpoints
  • Gateway API key — dynamic from config.yaml (removed hardcoded)
  • Dynamic CORS origins for open-source compatibility
  • escapeHtml() fix + debug CSRF logging removed
  • 18-item security audit report (SECURITY_AUDIT.md)

🧹 Maintenance

  • ~270 lines dead code removed
  • Session cache invalidation after CRUD operations
  • .env.example updated with GATEWAY_API_KEY + HCI_CORS_ORIGINS

v3.3.2

17 Apr 04:05

v3.3.2 — Release Notes

Bug Fixes

  • FIX: upgrade-insecure-requests CSP directive breaking HTTP-only deployments (Tailscale, LAN, dev environments)
  • FEAT: Support HOST env var for non-localhost server binding

What's Changed

  • #22: Support HOST env var for non-localhost deployments (@hifiguy)
  • #23: Disable upgrade-insecure-requests for HTTP-only deployments (@hifiguy)

Upgrade Notes

  • No breaking changes. Safe to upgrade from v3.3.1.
  • New HOST env var (optional): Deploy on specific IP/Tailscale/LAN without editing server.js
  • HTTP-only deployments: UI now works correctly instead of blank screen.

Previous: v3.3.1 | Latest: v3.3.2

v3.3.0

16 Apr 23:11
3db1c65

v3.3.0 Release

Features

  • Chat system revamp — tool call cards (collapsible), session list, model switcher, banner suppression (-Q flag)
  • RBAC v2 — 28 permissions across 12 groups (admin/viewer/custom roles)

Security

  • XSS fix in home cards (escapeHtml)
  • Admin gate on plugins API
  • Terminal exec rate limiter (30/min per IP)
  • Token cleanup interval (setInterval)

Fixes

  • Notification dismiss endpoint
  • Sidebar responsive CSS
  • Session ID regex (new + old format support)
  • Favicon 404 loop (moved to public/)
  • Skills uninstall/check updates

Docs

  • Security audit report (12 categories, 7.0/10 score)
  • Screenshots (dark + light themes)