v0.1.9
Hermes Browser Extension v0.1.9
Release Date: July 5, 2026
Since v0.1.8: 10 commits · 38 files changed · 3,311 insertions · 211 deletions · 181 tests passing
Support the run before expanding the run. v0.1.9 turns the Browser Extension into a more supportable public alpha: stable browser-context protocol helpers, redacted Copy Diagnostics, clearer compatibility rows, runtime/tool event naming, and a private fail-soft Companion Plugin skeleton.
This release includes everything new since v0.1.8, including the runtime/readiness/security hardening that landed after the v0.1.8 tag and the final v0.1.9 supportability layer.
Highlights
-
Browser Context Protocol v1 — browser context packaging now has a stable
hermes.browser.context.v1module with deterministic payload hashes, chat-only fallback prompts, and literal untrusted-context receipts. Existing prompt/hash/receipt call sites stay compatibility-preserving wrappers. -
Copy Diagnostics for support — Settings now includes a Copy Diagnostics flow that produces a redacted support report with browser family, extension/build version, gateway origin, connection state, capability flags, selected model/provider, context mode, extractor mode, and last visible error.
-
Compatibility matrix + cleaner fallback language — README and side-panel compatibility rows now document Chrome/Edge/Chromium support, Chromium-fork best effort, Firefox/Safari preview status, local/remote Gateway modes, Browser Context Protocol support, private companion prototype status, and explicitly deferred control/Runs/debugger/nativeMessaging surfaces.
-
Stable runtime/tool event naming — current Hermes stream aliases normalize into stable Browser runtime event names for the Tool Activity Strip while browser-control-shaped events remain denied/disabled in the v0.1.9 surface.
-
Private Companion Plugin skeleton —
companion-plugin/now contains a fail-soft private prototype with policy constants, protocol helpers, context store, tools, hooks, install notes, and skill docs. It intentionally does not register API-server routes, assume side-channel availability, or expose browser-control/page-action channels. -
Runtime/readiness/security hardening since v0.1.8 — model/provider/reasoning controls, startup readiness checks, model discovery/session fixes, CI coverage, contributor credits, README visual restoration, and Issue #27 DOM/CSP hardening are included in this release.
What changed since v0.1.8
Runtime controls + readiness
- Tightened Browser runtime controls so model/provider/reasoning choices stay closer to the actual runtime request path instead of acting like stale UI chrome.
- Added readiness helpers and tests for startup gating, unconfigured/unreachable gateways, sparse model/capability data, and selected-model readiness.
- Kept older or partial Hermes runtimes usable by degrading missing capability/model data into explicit fallback states instead of blocking the whole side panel.
Model discovery and contributor follow-through
- Continued model-discovery hardening, including custom OpenAI-compatible model source discovery as discovery-only runtime data.
- Added public contributor credits for:
rahlquist— custom model source discovery contribution.KeyArgo— OpenAI-style SSE stream handling contribution.
CI + public hygiene
- Added a GitHub workflow that runs verify/lint/build checks with read-only repository permissions.
- Restored the README side-panel visual state after the v0.1.8 tag.
- Kept public docs focused on user-facing install/support behavior instead of internal planning notes.
Issue #27 security hardening
- Rendered session group labels with DOM text nodes instead of gateway-derived
innerHTMLinterpolation. - Constrained extension-page image sources through CSP.
- Added source/manifest regression guards for the label/CSP hardening path.
Browser Context Protocol
- Added
extension/lib/browser-context-protocol.mjs. - Added stable protocol id:
hermes.browser.context.v1. - Added deterministic browser-context payload hashing.
- Preserved chat-only prompt fallback behavior.
- Added literal untrusted-data receipt rendering so UI text sinks do not treat page/gateway data as trusted markup.
- Kept legacy wrappers in
common.mjsandcapabilities.mjsso existing flows still work.
Support diagnostics
- Added
extension/lib/support-diagnostics.mjs. - Added browser-family detection for Chrome, Edge, Opera, Firefox, Safari, and unknown browsers.
- Added origin-only URL redaction for diagnostics.
- Added Copy Diagnostics UI in Settings.
- Redacted API keys, bearer tokens, cookies, page text, selected text, tab titles, and full tab URLs from the copied support block.
Capability + compatibility rows
- Added explicit Browser capability flags for Browser Context Protocol, runtime events, tool events, support diagnostics, compatibility matrix, companion plugin, browser control, and action safety.
- Extended compatibility rows with Browser Context Protocol, browser-context upload fallback, and optional Companion Plugin status.
- Made support copy clear that browser control, Runs UI, debugger, and nativeMessaging are not part of v0.1.9.
Runtime/tool event naming
- Added
extension/lib/runtime-events.mjs. - Added stable names for run/tool event surfaces.
- Normalized current Hermes tool-progress aliases into the Tool Activity Strip.
- Classified browser-control-shaped events as denied/disabled for this release.
Companion Plugin private prototype
- Added
companion-plugin/plugin.yamlwith private prototype status. - Added
policy.pywith browser control, API-server routes, and network side effects disabled. - Added protocol helpers, context store, events, tools, hooks, install notes, and skill docs.
- Added tests to assert the skeleton exists and preserves the untrusted-context boundary.
Build/version/testing
- Bumped source, package, root manifest, extension manifest, built
dist/manifest, and package lock to0.1.9. - Added
runtime-eventsandsupport-diagnosticsto JS syntax/manifest checks. - Added tests for Browser Context Protocol, runtime event naming, support diagnostics redaction, capability rows, companion skeleton, readiness, and Issue #27 hardening.
Install / update
git clone https://github.com/abundantbeing/hermes-browser-extension
cd hermes-browser-extension
npm install
npm run buildThen open chrome://extensions / edge://extensions, enable Developer mode, click Load unpacked, and select the repo’s dist/ folder.
If Chromium still shows an older build after updating, click Reload on the extension card. If it still looks stale, remove the extension and load the fresh dist/ folder again.
Runtime compatibility
v0.1.9 keeps the public alpha conservative:
- Chrome / Edge / Chromium 114+ are the primary support target.
- Brave, Comet, and other Chromium forks are best-effort if they expose the Side Panel API and extension clipboard permissions.
- Firefox and Safari are preview/status-only in this release; diagnostics can report browser family, but cross-browser builds are not shipped here.
- Local Hermes API server remains the safest default:
http://127.0.0.1:8642. - Remote API mode still requires an explicit trusted URL/token setup.
- Remote dashboard WebSocket mode remains best-effort for chat/session/model paths.
- Browser control, Runs UI, debugger, and nativeMessaging remain deferred.
Verification
npm run verify— 181/181 tests passing, JS syntax checks passing, manifest check passing.npm run build— rebuilt unpackeddist/and stamped build metadata.npm run package— rebuilt the release archive.npm run lint— no errors; existing warnings only.git diff --check— clean before commit/push.- Secret-pattern scan — clean.
- GitNexus change detection — intentional high/critical blast radius around central Browser runtime/support paths; local verification passed.
- Build metadata:
0.1.9at commitdff30dd7e18740368a8ad6aa62e795f63375a146,dirty: false.
Assets
hermes-browser-extension-v0.1.9.tar.gz- SHA256:
fcca31a2362149d3fce0f2b03cf8fef75952099e46d102d43158cad01060baf9
- SHA256:
hermes-browser-v0.1.9-update-ad.png- SHA256:
4b9d6ab670b7a6a71a4c34ddda070401e0406274cab8e6af05950acca0799791
- SHA256:
