Review — end-to-end ✅ (clean approve)

What this ships

v0.50.221 batch — five contributor PRs absorbed and tested end-to-end:

Traced against upstream hermes-agent

Pulled fresh nousresearch/hermes-agent tarball. None of the changes touch shared agent state — api/config.py modifications are entirely inside the WebUI's _build_available_models_uncached function (auto-detection of models from custom endpoints). The SSRF check runs in WebUI process before urllib.request.urlopen; agent has no equivalent path. WebUI-only fix. ✅ no cross-tool risk.

End-to-end trace

SSRF fix (highest-stakes change)

api/config.py:1502-1542 — when cfg["model"]["base_url"] is set and resolves to a private IP, the check at L1538 now allows pass-through if parsed_url.hostname.lower() in _ssrf_trusted_hosts. The trusted set is built (L1506-1516) by iterating cfg["custom_providers"] and extracting hostnames via urlparse(base_url if "://" in base_url else f"http://{base_url}").

No bypass:

• Set membership is exact (in against set), not substring — attacker.com.victim.com doesn't accidentally match victim.com.
• Hostnames are lower-cased on both sides — case-insensitive without case bypass.
• The SSRF block still raises ValueError for private IPs whose hostname is neither in the hardcoded keyword check (ollama/localhost/127.0.0.1/lmstudio/lm-studio) nor in the trusted set (L1539-1542).
• The trusted set sources from cfg.get("custom_providers", []) — if the user can write to config.yaml they already have privileged access, so this is a UX fix not a security boundary.

Custom providers models dict iteration

api/config.py:1584-1608 — collects model IDs into _cp_model_ids (singular model first, then models dict keys), with type-guard isinstance(_m_id, str) and _m_id.strip() (L1592). Dedup is two-layered: in-list (L1592 _m_id not in _cp_model_ids) and global (L1596 _cp_model not in _seen_custom_ids). For unnamed providers _slug is None and the entry falls into auto_detected_models (L1607). All paths look correct.

Mobile/iPad pointerup

static/sessions.js:1035-1073 — onpointerup replaces onclick+ondblclick. Right/middle-click filter at L1036 uses e.pointerType==='mouse' && e.button!==0 so touch/stylus (which always report button===0 for primary) pass through. Double-tap detection compares now - _lastTapTime < 350ms; single-tap deferred 300ms. When the 300ms timer fires it resets _lastTapTime=0, so even at 350ms-window-edge timing the next tap is treated as a fresh single-tap (verified with behavioural harness — see Tests below).

static/style.css:245-256 — :hover removed from the combined padding-right selector and restored only in @media (hover:hover){.session-item:hover{padding-right:40px;}}. Touch devices (hover:none) skip that block, preventing the hover-triggered layout-reflow mid-tap that was the root cause of iPad ghost-clicks.

_IMAGE_EXTS hoist

static/ui.js:53 — moved from renderMd() local-scope to module-scope, plus avif added. Used at three call sites (L960, L967, L2253). Module scope means the const RegExp is shared, but RegExp literals have no flag-state that would bleed (g flag isn't used here). Without the hoist, renderMessages() at L2253 would get ReferenceError: _IMAGE_EXTS is not defined.

static/ui.js:2248-2258 — for each attachment, extract basename via f.split('/').pop()||f, test against _IMAGE_EXTS. If image: render <img class="msg-media-img" src="${esc('api/media?path='+encodeURIComponent(f))}" alt="${esc(fname)}">. Otherwise fall through to existing paperclip badge.

XSS check: esc() applied to both imgUrl and fname. The full attachment path f is encodeURIComponentd into the query string. The _IMAGE_EXTS regex anchors to end-of-string ($), so a file like evil.png<script> does NOT pass the test (string ends with >, not .png). Even a passing extension goes through esc() for both src and alt. ✅

Copy fallback

static/ui.js:1529-1542 — _copyText() checks navigator.clipboard && window.isSecureContext and falls back to a hidden-textarea + document.execCommand('copy') when not in a secure context. Textarea cleanup is in finally so it runs even on exception. Used by copyMsg() (L1546) and addCopyButtons() (L2768) — both now have .catch() handlers (silent failure was the existing bug fixed here).

Other audit — things that are correct already

• JS syntax clean — node --check passes on sessions.js, ui.js, i18n.js.
• CI green — test (3.11) ✅, test (3.12) ✅, test (3.13) ✅.
• i18n consistency — copy_failed key added to all 6 locales (en/ru/es/de/zh/zh-Hant) at the equivalent position in each block.
• Test isolation — the SSRF and custom-providers functional tests properly save/restore config.cfg and config._cfg_mtime to prevent cross-test contamination.
• Idempotent dedup — test_no_duplicates_when_model_and_models_overlap locks the in-list dedup; _seen_custom_ids locks the cross-provider dedup.
• Existing-test updates — test_issue856_pinned_indicator_layout.py and test_workspace_panel_session_list.py were updated to reflect the new :hover-only-via-@media (hover:hover) layout. Updates are correct (verified the assertions match the new CSS).

Edge-case trace

Tests

• Full local suite: 2463 passed, 47 skipped, 0 PR-related failures (1 pre-existing macOS-only deselect). CI on PR shows 3.11/3.12/3.13 all green.
• PR's own test files: 5 in test_issue1095_pasted_images.py, 10 in test_issue1096_copy_buttons.py, 7 in test_issue1105_ssrf_custom_providers.py, 7 in test_issue1106_custom_providers_models.py — all pass.
• Behavioural harness for the pointerup logic confirms all 5 timing/button-filter scenarios produce the right outcome:

  Test1 single tap: PASS  (navigated=true, renamed=false)
  Test2 double tap @200ms: PASS  (navigated=false, renamed=true)
  Test3 taps @320ms (timer-vs-window gap): clean state reset (navigated=true, renamed=false)
  Test4 right-click ignored: PASS  (no action)
  Test5 touch tap navigates: PASS
  

Minor observations (non-blocking)

• _custom_providers_cfg = cfg.get("custom_providers", []) is read twice — once at api/config.py:1507 inside the SSRF block and once at L1574 for the named-groups iteration. Different scopes, not a bug, slight redundancy.
• _copyText's textarea fallback calls resolve() unconditionally — document.execCommand('copy') returns false on failure but doesn't throw. A "silent" execCommand failure resolves as success. Not user-visible because the surrounding .catch() only handles thrown exceptions, but ideally would if (!document.execCommand('copy')) { reject(new Error(...)) }.
• The 300ms navigate-timer vs 350ms double-tap-window has a 50ms gap, but the timer's _lastTapTime=0 reset closes the gap correctly (verified in harness Test 3) — no race in practice.
• api/media?path=... endpoint that the new image-attachment src targets must validate path against the workspace root to prevent ../../etc/passwd reads. Not in this PR's scope, but worth a follow-up audit if not already done.

Recommendation

Approved. Five contributor PRs cleanly stitched together, comprehensive functional tests for the security-sensitive (SSRF) and config-shape (custom_providers) changes, behavioural harness confirms the touch-input timing logic, JS syntax clean, full suite green, no cross-tool agent regression. Parked at approval — ready for the release agent's merge/tag pipeline.