Release DJ — stage-batch20 — 7-PR ultra-safe batch (v0.51.138)#2988
Merged
Conversation
The tool-card border-subtle was so faint that the cards visually melted into the surrounding prose once the cursor left the conversation. Bumps the resting border to --border-muted and adds a 2px left edge so a tool output row reads as metadata at a glance, even on light skins where border-subtle is barely visible. Hover still escalates to --border2. Verified by loading a session with mixed tool calls and assistant prose on the light theme and confirming the tool cards are now identifiable without mousing over them. Refs #2867
The Remove button under Settings -> Providers calls POST /api/providers/delete, which runs through _check_csrf. When the CSRF cookie/header pair has drifted (typically a tab opened before the most recent login or cookie rotation), the server returns 403 with the string 'Cross-origin request rejected'. That string reads like a reverse-proxy deployment problem and gives the user no next step (#2572). Surface a recovery-shaped toast on 403 from this endpoint: 'Session expired. Reload the page and try again.' The underlying server response is unchanged so logs/diagnostics still see the original string; only the user-facing toast is replaced for this code path. Verified locally by patching _check_csrf to return False, clicking Remove on a provider card, and confirming the toast now reads the new message instead of the raw cross-origin string. Refs #2572
Scheduled cron jobs created in the Tasks panel never tick on a single-container Docker install because the WebUI doesn't run the gateway daemon itself. The maintainer's analysis on #2785 spells this out: the gateway ticks the scheduler every 60s, and without it 'Gateway not configured' just sits there. The Tasks panel already shows a banner explaining this, but doesn't give the user anywhere to go. Two small docs-shaped changes: 1. Add a 'Scheduled jobs require a gateway daemon' section to docs/docker.md under 'What goes wrong' with the two-container compose command and a verify step. Cross-linked from the existing short paragraph higher up so both entry points land on the same fix. 2. Append a 'How to enable scheduled jobs in Docker' link to the cron panel banner (loadCronGatewayNotice) pointing at the new docs anchor when the gateway is unconfigured. The banner text itself is unchanged. Verified locally by serving the WebUI without a gateway, opening Tasks, and confirming the banner now shows the new link; clicked it and confirmed it lands on the new docs section. With the gateway running the banner stays hidden as before. Refs #2785
…(review feedback from @nesquena-hermes)
…essage (review feedback from @nesquena-hermes)
…command (review feedback from @nesquena-hermes)
api.opencode.ai/v1 -> opencode.ai/zen/go/v1 (canonical per hermes_cli/auth.py)
…qa, add docstrings
# Conflicts: # CHANGELOG.md
# Conflicts: # CHANGELOG.md
# Conflicts: # CHANGELOG.md
# Conflicts: # CHANGELOG.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release DJ / v0.51.138 — stage-batch20 (7 PRs)
Tier-1 ultra-safe batch — docs, tests cleanup, single-file behavioral fixes ≤53 LOC.
PRs merged
remote+forwarded_forto structured request logs (fail2ban-friendly)Verification
ast.parseclean on all changed .py,node -cclean onstatic/panels.js-p no:xdist)_json.dumps()escapes\n/\rin X-Forwarded-For — log injection safeapi()wrapper in static/workspace.js:44 setserr.statuson non-ok responses; 403 branch will fire correctlytool-card-subagentalways emitted alongsidetool-cardin static/ui.js:6723 — specificity bump is correct everywhere#scheduled-jobs-require-a-gateway-daemonmatches actual heading in docs/docker.md:63Notes for reviewers
This batch picks up smaller-than-typical fixes from
Sanjays2402(3 PRs, all surgical: toast text, CSS resting state, docker docs link), plus one tests-only cleanup, two docs PRs (one RFC slice, one contract-routing process), and one production-affecting fix (#2982 adds client IP to logs for fail2ban-style downstream tooling).Sitting on top of v0.51.137 (Release DI).