# WebUI Extensions Hermes WebUI supports a small, opt-in extension surface for self-hosted installs. It lets an administrator serve local static assets and inject same-origin CSS or JavaScript into the app shell without editing the WebUI source tree. > **Trust model — read this first.** Extensions execute with full WebUI session > authority. An extension JS file can call any API the logged-in user can call, > including reading conversation history, sending messages, modifying settings, > and triggering tool actions. **Only enable extensions you wrote yourself or > from sources you trust as much as the WebUI source itself.** If your WebUI is > shared with users you do not fully trust, do not enable extensions. > If you set `HERMES_WEBUI_EXTENSION_DIR` yourself, do not point it at a > user-writable directory on a shared host. This is intentionally not a plugin marketplace or dependency system. It is a safe escape hatch for local dashboards, internal tooling, and workflow-specific panels that should not live in core Hermes WebUI. > **The vetted extension library.** The curated, one-click-installable extensions > that appear in the gallery live in a separate public repo: > **[hermes-webui/hermes-webui-extensions](https://github.com/hermes-webui/hermes-webui-extensions)**. > "In the registry == vetted." That repo holds the entries, the authoring > conventions ([`docs/extension-entry.md`](https://github.com/hermes-webui/hermes-webui-extensions/blob/main/docs/extension-entry.md)), > the JSON schema, and the CI safety gates. This document covers the WebUI-side > *infrastructure* (loader, manifest contract, capabilities, install client); > see the library repo to browse existing extensions or contribute a new one. ## What extensions can do Extensions can: - serve files from one configured local directory at `/extensions/...` - inject configured same-origin stylesheets into `` - inject configured same-origin scripts before `` - read a local JSON manifest that lists bundled scripts/styles to inject - call the normal WebUI APIs available to the browser session - call trusted local loopback sidecars directly from extension JavaScript when the browser Content Security Policy allows that origin Extensions cannot, by themselves: - bypass WebUI authentication - serve files outside the configured extension directory - load third-party scripts/styles through the built-in injection config - register new WebUI backend routes or proxy arbitrary sidecar/backend traffic outside the fixed consented extension sidecar path described below - change Hermes Agent permissions, models, memory, or tools unless they call existing authenticated APIs that already allow those changes ## Configuration ### One-click install (no configuration required) For a single-user self-hosted instance you do not need to configure anything. Open **Settings → Extensions**, pick an extension from the gallery, and click **Install** — it just works. The first install creates a WebUI-managed extension directory under your state dir (`STATE_DIR/extensions`, e.g. `~/.hermes/webui/extensions/`) and installs into it; gallery-installed extensions load automatically on the next app-shell render with no environment variables and no restart of your shell. The managed directory lives alongside your sessions and settings in the WebUI-owned state dir. That is a different trust domain from "a world-writable directory on a shared box": only the WebUI process (and whoever can already write your `~/.hermes` state) can place code there. The trust model below still applies — installed extension code runs with full session authority — so only install extensions from the vetted gallery or sources you trust as much as the WebUI source itself. Some gallery entries need more than WebUI assets. If an extension declares post-install guidance or lifecycle requirements such as a loopback sidecar or a native host, Settings -> Extensions shows a **Next step** note on the card after install. For example, Desktop Companion can install the WebUI bridge from the gallery, but the desktop pet is only visible after the local Desktop Companion app is started. ### Manual / advanced configuration (optional) `HERMES_WEBUI_EXTENSION_DIR` is **optional** and overrides the managed default. Set it when you want extensions to live in a specific directory you control (e.g. a checked-out bundle, or a path mounted into a container). When set it must point to an existing directory before any script or stylesheet URLs are injected; WebUI never auto-creates an admin-specified path: ```bash export HERMES_WEBUI_EXTENSION_DIR=/path/to/my-extension/static export HERMES_WEBUI_EXTENSION_SCRIPT_URLS=/extensions/app.js export HERMES_WEBUI_EXTENSION_STYLESHEET_URLS=/extensions/app.css ./start.sh ``` Multiple URLs may be comma-separated: ```bash export HERMES_WEBUI_EXTENSION_SCRIPT_URLS=/extensions/runtime.js,/extensions/app.js export HERMES_WEBUI_EXTENSION_STYLESHEET_URLS=/extensions/base.css,/extensions/theme.css ``` For bundled or multi-extension installs, you may list assets in a manifest file inside `HERMES_WEBUI_EXTENSION_DIR` instead of maintaining long comma-separated environment variables: ```bash cat > ~/.hermes/webui-extension-bundle/extensions.json <<'JSON' { "extensions": [ { "id": "templates", "scripts": ["templates/templates.js"], "stylesheets": ["templates/templates.css"] }, { "id": "sidebar-tools", "scripts": ["sidebar-tools/sidebar-tools.js"], "stylesheets": ["sidebar-tools/sidebar-tools.css"] } ] } JSON HERMES_WEBUI_EXTENSION_DIR=~/.hermes/webui-extension-bundle \ HERMES_WEBUI_EXTENSION_MANIFEST=extensions.json \ ./start.sh ``` Manifest entries use the same URL safety rules as the environment variables. Bare relative entries such as `templates/templates.js` resolve to `/extensions/templates/templates.js`; absolute same-origin entries such as `/extensions/shared.js` or `/static/theme.css` are also accepted. A manifest may be an object with top-level `scripts` / `stylesheets`, an object with an `extensions` array, or a top-level array of extension objects. Disabled entries may be kept in the manifest with the JSON boolean `"enabled": false`. Explicit `HERMES_WEBUI_EXTENSION_SCRIPT_URLS` and `HERMES_WEBUI_EXTENSION_STYLESHEET_URLS` still work and are appended after manifest assets, with duplicates ignored. When an extension is installed from Settings -> Extensions, WebUI records the installed package and loads that package's `manifest.json` automatically on the next app-shell render. In this gallery-installed mode, a manifest located at `HERMES_WEBUI_EXTENSION_DIR//manifest.json` resolves bare relative assets relative to that package directory. For example, `"scripts": ["assets/companion-adapter.js"]` in `desktop-companion/manifest.json` injects `/extensions/desktop-companion/assets/companion-adapter.js`. Manual manifests configured with `HERMES_WEBUI_EXTENSION_MANIFEST` follow the same rule: relative assets resolve from the manifest file's directory. A root manifest such as `extensions.json` keeps the existing `/extensions/` behavior, while a subdirectory manifest such as `desktop-companion/manifest.json` resolves relative assets under `/extensions/desktop-companion/`. Extension entries may also declare a loopback sidecar for diagnostics and the opt-in proxy: ```json { "extensions": [ { "id": "desktop-companion", "name": "Desktop Companion", "scripts": ["companion-adapter.js"], "stylesheets": ["companion-adapter.css"], "sidecar": { "type": "loopback", "origin": "http://127.0.0.1:17787", "health_path": "/health" } } ] } ``` Loopback sidecars do **not** change asset injection behavior. They are reported by diagnostics so an operator can see that a local companion service was declared and optionally check its health from the browser. If the operator later approves the proxy in **Settings → Extensions**, WebUI may proxy requests only through the fixed per-extension sidecar path for that extension. Extension entries may declare browser-local settings when they also request extension-owned storage: ```json { "id": "desktop-companion", "permissions": { "storage": { "owned": true } }, "settings_schema": [ { "key": "show_badge", "type": "boolean", "label": "Show badge", "default": true }, { "key": "mode", "type": "enum", "label": "Mode", "options": [ {"value": "compact", "label": "Compact"}, {"value": "full", "label": "Full"} ], "default": "compact" } ] } ``` Settings are a first-pass browser feature. WebUI sanitizes the manifest schema, injects the accepted schema before extension scripts, and leaves persistence to the browser. The backend does not store extension settings or expose a generic settings write route, and it does not treat these values as secrets. The sanitizer accepts only `boolean`, `string`, `number`, `integer`, and `enum` fields. It drops `sensitive: true` fields, unsupported types, malformed enum options, duplicate keys after the first valid field, and defaults that do not match the declared type. `settings_schema` is honored only when `permissions.storage.owned` is exactly `true`. Extension scripts can use the sanctioned browser accessors: ```js const settings = window.HermesExtensionSettings.settingsForExtension("desktop-companion"); const value = settings.get("show_badge"); settings.set("show_badge", false); const storage = window.HermesExtensionSettings.storageForExtension("desktop-companion"); storage.set("lastPanel", "settings"); const sameSettings = window.hermesExt.settings.forExtension("desktop-companion"); const sameStorage = window.hermesExt.storage.forExtension("desktop-companion"); ``` Settings persist only non-default overrides. Resetting settings removes those overrides and returns schema defaults. Extension-owned storage uses a separate browser-local namespace, and clearing storage removes that namespace without changing settings. ## URL rules Injected asset URLs are deliberately restricted: - must be same-origin paths - must start with `/extensions/` or `/static/` after manifest normalization - must not include a URL scheme, host, fragment, quote, angle bracket, newline, NUL byte, or backslash - must not contain dot-segments or dotfiles after percent-decoding Allowed examples: ```text /extensions/app.js /extensions/app.css /extensions/app.js?v=1 /static/theme.css ``` Rejected examples: ```text https://example.com/app.js //example.com/app.js javascript:alert(1) /api/session /extensions/app.js#fragment ``` These restrictions keep the existing Content Security Policy intact and avoid turning the extension hook into a third-party script loader. Invalid configured URLs are ignored rather than injected. ## Trusted local sidecars Manifest-bundled extensions may integrate with a trusted local sidecar process, such as a desktop companion listening on `http://127.0.0.1:17787`. The injected extension JavaScript can talk to that sidecar directly from the browser, and WebUI diagnostics still use that direct browser path. WebUI may also proxy the same sidecar through a fixed per-extension sidecar path after explicit persisted user consent. WebUI does not create arbitrary extension-owned backend routes. Loopback sidecar origins are already included in WebUI's enforced CSP `connect-src` directive: ```text http://127.0.0.1:* http://localhost:* http://ipc.localhost ws://127.0.0.1:* ws://localhost:* ``` The wildcard ports above cover any loopback port, including `http://127.0.0.1:17787`. For a trusted non-loopback origin that you explicitly control, append the exact origin with `HERMES_WEBUI_CSP_CONNECT_EXTRA` before starting WebUI: ```bash HERMES_WEBUI_CSP_CONNECT_EXTRA=https://companion.example.internal HERMES_WEBUI_EXTENSION_DIR=/path/to/my-extension/static HERMES_WEBUI_EXTENSION_MANIFEST=extensions.json ./start.sh ``` `HERMES_WEBUI_CSP_CONNECT_EXTRA` accepts space-separated `http(s)://` or `ws(s)://` origins only. It rejects paths, directive injection, and invalid port numbers. Avoid wildcard or remote origins unless you fully control the target; extension JavaScript runs with the logged-in WebUI session's authority. ## Loopback sidecar declarations Sidecar declarations are sanitized before they appear in diagnostics: - only `"type": "loopback"` is supported - `origin` must be an `http` or `https` origin on `127.0.0.1`, `localhost`, or `[::1]` - `origin` must not include a username, password, path, query string, or fragment - `health_path` is optional and defaults to `/health` - when present, `health_path` must start with `/` and must not contain a scheme, host, query string, fragment, quotes, control characters, backslashes, empty segments, whitespace, or path traversal Invalid sidecars are skipped with a stable warning code such as `sidecar_origin_rejected`, `sidecar_type_unsupported`, `sidecar_health_path_rejected`, or `sidecar_invalid`. Raw rejected origins and paths are never returned by the status endpoint. If `health_path` is omitted, diagnostics use `/health`; if `health_path` is present but invalid, the sidecar is skipped rather than probed. ## Embedding an external web app in an iframe By default the WebUI's Content-Security-Policy only allows it to embed **same-origin** content in an `