Ben a6e47314f9 fix(dashboard): sanction plugin WS/upload auth via SDK helpers (gated mode) ... Dashboard plugins (kanban, hermes-achievements) read window.__HERMES_SESSION_TOKEN__ directly and hand-assembled WebSocket URLs with ?token=. That works in loopback/--insecure mode but is rejected on OAuth-gated deployments, where the session token is absent and _ws_auth_ok only accepts single-use ?ticket= auth. The result was 401s on plugin REST calls and 1008/403 on the kanban live-events WS whenever the dashboard ran behind OAuth (e.g. hosted Fly agents). Make the plugin SDK the single sanctioned auth surface: - web/src/lib/api.ts: add authedFetch() (raw Response for FormData uploads / blob downloads, token-or-cookie auth, no throw / no 401 redirect) and buildWsUrl() (assembles a ws(s):// URL with the correct auth param for the active mode — fresh single-use ticket in gated mode, token in loopback). - web/src/plugins/registry.ts: expose authedFetch, buildWsUrl, buildWsAuthParam, and sdkVersion on window.__HERMES_PLUGIN_SDK__; add SDK_CONTRACT_VERSION. - web/src/plugins/sdk.d.ts: hand-authored typed contract for the plugin SDK + registry globals (single source of truth for the Window declarations). - plugins/kanban + hermes-achievements dist bundles: stop reading the session token directly; route uploads/downloads through SDK.authedFetch and the live-events WS through SDK.buildWsUrl. - plugins/kanban plugin_api.py: _ws_upgrade_authorized() delegates the /events WS upgrade to the canonical web_server._ws_auth_ok gate, so it transparently accepts loopback token / gated ticket / internal credential and can never drift from core auth again. - tests: guard test asserting no plugin dist reads __HERMES_SESSION_TOKEN__ directly; kanban gated-ticket WS test. Verified live on a gated staging Fly agent: kanban /events upgrades 101 with a minted ticket (ticket_len=43, ws_auth_ok=True) where the old code got 403.		2026-06-03 16:59:36 -07:00
..
browser	fix(managed-gateway): keep tool availability scans off the Nous token-refresh path	2026-05-30 07:58:08 -07:00
context_engine	feat(context-engine): host contract for external context engines	2026-05-28 01:45:30 -07:00
dashboard_auth/nous	feat(dashboard-auth): rotate dashboard sessions via refresh token (#37247)	2026-06-02 21:16:41 +10:00
disk-cleanup	fix(cron): exclude jobs.json registry from disk-cleanup pattern	2026-05-29 13:22:54 -07:00
google_meet	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
hermes-achievements	fix(dashboard): sanction plugin WS/upload auth via SDK helpers (gated mode)	2026-06-03 16:59:36 -07:00
image_gen	feat(image_gen): add Krea provider plugin (Krea 2 Medium + Large) (#33236)	2026-05-27 11:01:47 -07:00
kanban	fix(dashboard): sanction plugin WS/upload auth via SDK helpers (gated mode)	2026-06-03 16:59:36 -07:00
memory	fix: make Honcho startup fail open	2026-06-01 20:13:42 -07:00
model-providers	fix(models): add gemini-3.5-flash to Gemini OAuth + API-key pickers (#37046)	2026-06-01 16:31:13 -07:00
observability	feat(observability): observer-grade telemetry hooks + NeMo-Relay plugin	2026-06-03 06:36:46 -07:00
platforms	fix(simplex): avoid reconnecting healthy idle websocket	2026-06-01 16:36:43 -07:00
security-guidance	plugins: add security-guidance — pattern-matched warnings on dangerous code writes (#33131)	2026-05-27 02:07:21 -07:00
spotify	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
teams_pipeline	chore: prune unused imports and duplicate import redefinitions	2026-05-28 22:26:25 -07:00
video_gen	fix(xai): route video models by modality	2026-06-01 19:00:30 -07:00
web	fix(managed-gateway): keep tool availability scans off the Nous token-refresh path	2026-05-30 07:58:08 -07:00
__init__.py	feat(memory): pluggable memory provider interface with profile isolation, review fixes, and honcho CLI restoration (#4623)	2026-04-02 15:33:51 -07:00