Upstream hermes-agent 0.14.0 (both the PyPI wheel and the public git source
at NousResearch/hermes-agent) ships hermes_cli/web_server.py with hard imports
of hermes_cli.dashboard_auth.{audit,middleware,prefix,routes,ws_tickets} but
those source files are not included in the distribution, and the dashboard
SPA bundle (hermes_cli/web_dist/) is also missing. On Windows this makes
'hermes dashboard' crash on startup, which collapses every ClawPanel page
that talks to port 9119 (Profile / Kanban / OAuth / Channels / Sessions
detail) into a 'request rejected by target machine' error.
Per project policy we do not patch upstream. Instead, after each install /
upgrade and again before spawning the dashboard, ClawPanel now injects a
minimal pass-through stub into the installed venv:
- hermes_cli/dashboard_auth/{__init__,audit,middleware,prefix,routes,
ws_tickets}.py — no-op providers, safe on loopback (127.0.0.1) where
the auth gate is intentionally disabled.
- hermes_cli/web_dist/index.html + assets/ — so mount_spa() takes the
token-injecting branch instead of the 'Frontend not built' 404 branch.
Without this the panel can never scrape window.__HERMES_SESSION_TOKEN__
from the dashboard HTML and every /api/* call fails with 401.
Injection is idempotent: if upstream eventually ships the real files, the
stub writer skips them so the real implementation wins. Failures are
logged-and-swallowed so install/upgrade is never blocked by best-effort
compatibility patches.
Group-chat page is also fixed: hermes_agent_run resolves to the run_id
string (not a result object), so the page was rendering 'run_xxx...' as
the assistant reply. It now listens to hermes-run-{started,delta,done,
error,cancelled} events and resolves to payload.output (with accumulated
delta as fallback).
Adds two loadSeq guards in _loadDashboardDataInner: after the first await coreP and before the self-heal writeOpenclawConfig path. Prevents stale loads from polluting cache, popping toasts, or writing config after a newer load has been queued.
