dd17a0e9b7
* security: fix bandit security issues (B310, B324) - Add usedforsecurity=False to MD5 hash in gateway_watcher.py - Add URL scheme validation to prevent file:// access in config.py - Add URL validation to bootstrap.py health check - Add nosec comments where runtime validation exists * fix: handle ConnectionResetError gracefully and add debug logging - Add QuietHTTPServer class to suppress noisy connection reset errors caused by clients disconnecting abruptly (fixes log spam from 'ConnectionResetError: [Errno 54] Connection reset by peer') - Replace silent 'pass' statements with logger.debug() calls across api/auth.py, api/config.py, api/gateway_watcher.py, api/models.py, and api/onboarding.py for better observability during troubleshooting - All tests pass (25 passed in test_regressions.py) * chore: add debug logging to profiles and routes modules - Replace silent 'pass' statements with logger.debug() calls in api/profiles.py for better error visibility during profile switching and module patching - Add logger initialization to api/routes.py * security: fix B110 bare except/pass issues (bandit security scan) - Replace bare except/pass patterns with logger.debug() calls - Fixes CWE-703 (improper check/handling of exceptional conditions) - Files affected: routes.py, state_sync.py, streaming.py, workspace.py, server.py - All tests pass successfully * security: bandit fixes B310/B324/B110 + QuietHTTPServer (#354) - api/gateway_watcher.py: MD5 usedforsecurity=False (B324) - api/config.py, bootstrap.py: URL scheme validation before urlopen (B310) - 12 files: replace bare except/pass with logger.debug() (B110) - server.py: QuietHTTPServer suppresses client disconnect log noise - server.py: fix sys.exc_info() (was traceback.sys.exc_info(), impl detail) - tests/test_sprint43.py: 19 new tests covering all security fixes - CHANGELOG.md: v0.50.14 entry; 841 tests total (up from 822) --------- Co-authored-by: lawrencel1ng <lawrence.ling@global.ntt> Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
119 lines
3.9 KiB
Python
119 lines
3.9 KiB
Python
"""
|
|
Hermes Web UI -- Optional state.db sync bridge.
|
|
|
|
Mirrors WebUI session metadata (token usage, title, model) into the
|
|
hermes-agent state.db so that /insights, session lists, and cost
|
|
tracking include WebUI activity.
|
|
|
|
This is opt-in via the 'sync_to_insights' setting (default: off).
|
|
All operations are wrapped in try/except -- if state.db is unavailable,
|
|
locked, or the schema doesn't match, the WebUI continues normally.
|
|
|
|
The bridge uses absolute token counts (not deltas) because the WebUI
|
|
Session object already accumulates totals across turns. This avoids
|
|
any double-counting risk.
|
|
"""
|
|
import logging
|
|
import os
|
|
from pathlib import Path
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def _get_state_db():
|
|
"""Get a SessionDB instance for the active profile's state.db.
|
|
Returns None if hermes_state is not importable or DB is unavailable.
|
|
Each caller is responsible for calling db.close() when done.
|
|
"""
|
|
try:
|
|
from hermes_state import SessionDB
|
|
except ImportError:
|
|
return None
|
|
|
|
try:
|
|
from api.profiles import get_active_hermes_home
|
|
hermes_home = Path(get_active_hermes_home()).expanduser().resolve()
|
|
except Exception:
|
|
logger.debug("Failed to resolve hermes home, using default")
|
|
hermes_home = Path(os.getenv('HERMES_HOME', str(Path.home() / '.hermes')))
|
|
|
|
db_path = hermes_home / 'state.db'
|
|
if not db_path.exists():
|
|
return None
|
|
|
|
try:
|
|
return SessionDB(db_path)
|
|
except Exception:
|
|
logger.debug("Failed to open state.db")
|
|
return None
|
|
|
|
|
|
def sync_session_start(session_id: str, model=None) -> None:
|
|
"""Register a WebUI session in state.db (idempotent).
|
|
Called when a session's first message is sent.
|
|
"""
|
|
db = _get_state_db()
|
|
if not db:
|
|
return
|
|
try:
|
|
db.ensure_session(
|
|
session_id=session_id,
|
|
source='webui',
|
|
model=model,
|
|
)
|
|
except Exception:
|
|
logger.debug("Failed to sync session start to state.db")
|
|
finally:
|
|
try:
|
|
db.close()
|
|
except Exception:
|
|
logger.debug("Failed to close state.db")
|
|
|
|
|
|
def sync_session_usage(session_id: str, input_tokens: int=0, output_tokens: int=0,
|
|
estimated_cost=None, model=None, title: str=None,
|
|
message_count: int=None) -> None:
|
|
"""Update token usage and title for a WebUI session in state.db.
|
|
Called after each turn completes. Uses absolute=True to set totals
|
|
(the WebUI Session already accumulates across turns).
|
|
"""
|
|
db = _get_state_db()
|
|
if not db:
|
|
return
|
|
try:
|
|
# Ensure session exists first (idempotent)
|
|
db.ensure_session(session_id=session_id, source='webui', model=model)
|
|
# Set absolute token counts
|
|
db.update_token_counts(
|
|
session_id=session_id,
|
|
input_tokens=input_tokens,
|
|
output_tokens=output_tokens,
|
|
estimated_cost_usd=estimated_cost,
|
|
model=model,
|
|
absolute=True,
|
|
)
|
|
# Update title if we have one, using the public API
|
|
if title:
|
|
try:
|
|
db.set_session_title(session_id, title)
|
|
except Exception:
|
|
logger.debug("Failed to sync session title to state.db")
|
|
# Update message count
|
|
if message_count is not None:
|
|
try:
|
|
def _set_msg_count(conn):
|
|
conn.execute(
|
|
"UPDATE sessions SET message_count = ? WHERE id = ?",
|
|
(message_count, session_id),
|
|
)
|
|
db._execute_write(_set_msg_count)
|
|
except Exception:
|
|
logger.debug("Failed to sync message count to state.db")
|
|
except Exception:
|
|
logger.debug("Failed to sync session usage to state.db")
|
|
finally:
|
|
try:
|
|
db.close()
|
|
except Exception:
|
|
logger.debug("Failed to close state.db")
|