Skip to content

v0.1.9

Choose a tag to compare

@abundantbeing abundantbeing released this 05 Jul 22:43

Hermes Browser Extension v0.1.9 update ad

Hermes Browser Extension v0.1.9

Release Date: July 5, 2026
Since v0.1.8: 10 commits · 38 files changed · 3,311 insertions · 211 deletions · 181 tests passing

Support the run before expanding the run. v0.1.9 turns the Browser Extension into a more supportable public alpha: stable browser-context protocol helpers, redacted Copy Diagnostics, clearer compatibility rows, runtime/tool event naming, and a private fail-soft Companion Plugin skeleton.

This release includes everything new since v0.1.8, including the runtime/readiness/security hardening that landed after the v0.1.8 tag and the final v0.1.9 supportability layer.

Highlights

  • Browser Context Protocol v1 — browser context packaging now has a stable hermes.browser.context.v1 module with deterministic payload hashes, chat-only fallback prompts, and literal untrusted-context receipts. Existing prompt/hash/receipt call sites stay compatibility-preserving wrappers.

  • Copy Diagnostics for support — Settings now includes a Copy Diagnostics flow that produces a redacted support report with browser family, extension/build version, gateway origin, connection state, capability flags, selected model/provider, context mode, extractor mode, and last visible error.

  • Compatibility matrix + cleaner fallback language — README and side-panel compatibility rows now document Chrome/Edge/Chromium support, Chromium-fork best effort, Firefox/Safari preview status, local/remote Gateway modes, Browser Context Protocol support, private companion prototype status, and explicitly deferred control/Runs/debugger/nativeMessaging surfaces.

  • Stable runtime/tool event naming — current Hermes stream aliases normalize into stable Browser runtime event names for the Tool Activity Strip while browser-control-shaped events remain denied/disabled in the v0.1.9 surface.

  • Private Companion Plugin skeletoncompanion-plugin/ now contains a fail-soft private prototype with policy constants, protocol helpers, context store, tools, hooks, install notes, and skill docs. It intentionally does not register API-server routes, assume side-channel availability, or expose browser-control/page-action channels.

  • Runtime/readiness/security hardening since v0.1.8 — model/provider/reasoning controls, startup readiness checks, model discovery/session fixes, CI coverage, contributor credits, README visual restoration, and Issue #27 DOM/CSP hardening are included in this release.

What changed since v0.1.8

Runtime controls + readiness

  • Tightened Browser runtime controls so model/provider/reasoning choices stay closer to the actual runtime request path instead of acting like stale UI chrome.
  • Added readiness helpers and tests for startup gating, unconfigured/unreachable gateways, sparse model/capability data, and selected-model readiness.
  • Kept older or partial Hermes runtimes usable by degrading missing capability/model data into explicit fallback states instead of blocking the whole side panel.

Model discovery and contributor follow-through

  • Continued model-discovery hardening, including custom OpenAI-compatible model source discovery as discovery-only runtime data.
  • Added public contributor credits for:
    • rahlquist — custom model source discovery contribution.
    • KeyArgo — OpenAI-style SSE stream handling contribution.

CI + public hygiene

  • Added a GitHub workflow that runs verify/lint/build checks with read-only repository permissions.
  • Restored the README side-panel visual state after the v0.1.8 tag.
  • Kept public docs focused on user-facing install/support behavior instead of internal planning notes.

Issue #27 security hardening

  • Rendered session group labels with DOM text nodes instead of gateway-derived innerHTML interpolation.
  • Constrained extension-page image sources through CSP.
  • Added source/manifest regression guards for the label/CSP hardening path.

Browser Context Protocol

  • Added extension/lib/browser-context-protocol.mjs.
  • Added stable protocol id: hermes.browser.context.v1.
  • Added deterministic browser-context payload hashing.
  • Preserved chat-only prompt fallback behavior.
  • Added literal untrusted-data receipt rendering so UI text sinks do not treat page/gateway data as trusted markup.
  • Kept legacy wrappers in common.mjs and capabilities.mjs so existing flows still work.

Support diagnostics

  • Added extension/lib/support-diagnostics.mjs.
  • Added browser-family detection for Chrome, Edge, Opera, Firefox, Safari, and unknown browsers.
  • Added origin-only URL redaction for diagnostics.
  • Added Copy Diagnostics UI in Settings.
  • Redacted API keys, bearer tokens, cookies, page text, selected text, tab titles, and full tab URLs from the copied support block.

Capability + compatibility rows

  • Added explicit Browser capability flags for Browser Context Protocol, runtime events, tool events, support diagnostics, compatibility matrix, companion plugin, browser control, and action safety.
  • Extended compatibility rows with Browser Context Protocol, browser-context upload fallback, and optional Companion Plugin status.
  • Made support copy clear that browser control, Runs UI, debugger, and nativeMessaging are not part of v0.1.9.

Runtime/tool event naming

  • Added extension/lib/runtime-events.mjs.
  • Added stable names for run/tool event surfaces.
  • Normalized current Hermes tool-progress aliases into the Tool Activity Strip.
  • Classified browser-control-shaped events as denied/disabled for this release.

Companion Plugin private prototype

  • Added companion-plugin/plugin.yaml with private prototype status.
  • Added policy.py with browser control, API-server routes, and network side effects disabled.
  • Added protocol helpers, context store, events, tools, hooks, install notes, and skill docs.
  • Added tests to assert the skeleton exists and preserves the untrusted-context boundary.

Build/version/testing

  • Bumped source, package, root manifest, extension manifest, built dist/ manifest, and package lock to 0.1.9.
  • Added runtime-events and support-diagnostics to JS syntax/manifest checks.
  • Added tests for Browser Context Protocol, runtime event naming, support diagnostics redaction, capability rows, companion skeleton, readiness, and Issue #27 hardening.

Install / update

git clone https://github.com/abundantbeing/hermes-browser-extension
cd hermes-browser-extension
npm install
npm run build

Then open chrome://extensions / edge://extensions, enable Developer mode, click Load unpacked, and select the repo’s dist/ folder.

If Chromium still shows an older build after updating, click Reload on the extension card. If it still looks stale, remove the extension and load the fresh dist/ folder again.

Runtime compatibility

v0.1.9 keeps the public alpha conservative:

  • Chrome / Edge / Chromium 114+ are the primary support target.
  • Brave, Comet, and other Chromium forks are best-effort if they expose the Side Panel API and extension clipboard permissions.
  • Firefox and Safari are preview/status-only in this release; diagnostics can report browser family, but cross-browser builds are not shipped here.
  • Local Hermes API server remains the safest default: http://127.0.0.1:8642.
  • Remote API mode still requires an explicit trusted URL/token setup.
  • Remote dashboard WebSocket mode remains best-effort for chat/session/model paths.
  • Browser control, Runs UI, debugger, and nativeMessaging remain deferred.

Verification

  • npm run verify181/181 tests passing, JS syntax checks passing, manifest check passing.
  • npm run build — rebuilt unpacked dist/ and stamped build metadata.
  • npm run package — rebuilt the release archive.
  • npm run lint — no errors; existing warnings only.
  • git diff --check — clean before commit/push.
  • Secret-pattern scan — clean.
  • GitNexus change detection — intentional high/critical blast radius around central Browser runtime/support paths; local verification passed.
  • Build metadata: 0.1.9 at commit dff30dd7e18740368a8ad6aa62e795f63375a146, dirty: false.

Assets

  • hermes-browser-extension-v0.1.9.tar.gz
    • SHA256: fcca31a2362149d3fce0f2b03cf8fef75952099e46d102d43158cad01060baf9
  • hermes-browser-v0.1.9-update-ad.png
    • SHA256: 4b9d6ab670b7a6a71a4c34ddda070401e0406274cab8e6af05950acca0799791