Review — end-to-end ✅ (approved after fallback-path consistency fix pushed)

What this ships

Follow-up to #1171 / #1176 — addresses the data-model root cause that the button guard in #1176 only patched at the input layer. A session now becomes "real" only once message_count > 0. Three coordinated changes:

1. Server filter (api/models.py:564-567) — removed the 60-second grace window from the index-path filter. Empty Untitled sessions are filtered regardless of age.
2. Boot path (static/boot.js:894-907) — when the page loads and S.session.message_count === 0, treat as fresh start: clear stored session ID, render empty state, return early.
3. Client filter (static/sessions.js:749-754) — withMessages filter in renderSessionListFromCache as belt-and-suspenders against stale _allSessions snapshots.

Traced against upstream hermes-agent

Pulled fresh nousresearch/hermes-agent tarball.

The change is purely WebUI list-presentation. Empty sessions remain on disk under ~/.hermes/webui/sessions/*.json and the agent's CLI/Telegram session-search would still see them via the state.db join. WebUI just stops surfacing them. No agent coupling.

What I caught — second filter site missed; tests silently masked it

The PR removed the 60s grace from all_sessions() at the index path (lines 558-567), but the full-scan fallback path at api/models.py:589-594 still had:

result = [s.compact(...) for s in out if not (
    s.title == 'Untitled'
    and len(s.messages) == 0
    and (_now - s.updated_at) > 60   # ← still has the grace
)]

Production behaviour: index-path filter is always taken (the index file is auto-created), so the PR works as documented. But:

• Legacy installs without _index.json: fall back to the unchanged path with the old grace → empty sessions still surface for 60s.
• The existing regression tests in tests/test_issue789.py use monkeypatch.setattr(models, "SESSION_INDEX_FILE", index_file) against a temp path — but never create the file. So the test fixture forces SESSION_INDEX_FILE.exists() == False, which means tests run against the fallback path. The PR's CI passed because the fallback path's behaviour was unchanged — but it asserted the OLD behaviour the PR's description claims to have replaced. The two paths had diverged.

Pre-fix behavioural verification:

$ pytest tests/test_issue789.py
test_new_untitled_session_is_visible_in_sidebar PASSED   # old behaviour, fallback path
test_recent_untitled_session_under_60s_is_visible PASSED # old behaviour, fallback path
test_mixed_sessions_correct_visibility PASSED            # old behaviour, fallback path

After making the fallback path consistent (both filters now have no grace), those three tests fail because they assert the old behaviour:

$ pytest tests/test_issue789.py
FAILED test_new_untitled_session_is_visible_in_sidebar
FAILED test_recent_untitled_session_under_60s_is_visible
FAILED test_mixed_sessions_correct_visibility

What I pushed — 7e20006

Two changes, single commit:

1. api/models.py full-scan fallback: same removal of the grace clause + a comment explaining the consistency intent.
2. tests/test_issue789.py: updated three test assertions to match the new contract (renamed two tests to _is_hidden_*, flipped their assertion polarity, updated the mixed-bag test). The other 5 tests in the file still pass because they were testing the old-age path which already returned hidden.

The test file's docstring also got updated to record the contract change so future readers know the original #789 fix was superseded by #1171.

CI re-ran green on 7e20006: 3.11 ✅, 3.12 ✅, 3.13 ✅.

End-to-end trace

Server filter (#1182 + my fix)

Both filter sites now have the same shape:

result = [s for s in result if not (
    s.title == 'Untitled' and s.message_count == 0
)]

Filters Untitled+0-message sessions regardless of age. ✅

Boot restore early-exit (static/boot.js:891-907)

await loadSession(saved);
if(S.session && (S.session.message_count||0) === 0){
  localStorage.removeItem('hermes-webui-session');
  S.session=null; S.messages=[];
  S._bootReady=true;
  syncTopbar();syncWorkspacePanelState();
  $('emptyState').style.display='';
  await renderSessionList();if(typeof startGatewaySSE==='function')startGatewaySSE();
  return;
}

• loadSession(saved) populates S.session from server
• If empty: clear localStorage, null out S.session, render empty state
• Returns BEFORE the panel-pref restore block (which is the normal-path restore) — correct, there's no workspace to restore for an empty session

The orphaned empty session file remains on disk. That's acceptable per the PR description. A periodic cleanup task could prune them later.

Client withMessages filter (sessions.js:749-754)

const withMessages=allMatched.filter(s=>(s.message_count||0)>0 || (S.session&&s.session_id===S.session.session_id&&(S.session.message_count||0)>0));

Belt-and-suspenders. The OR clause preserves the active session in the list only if it has messages — so an empty active session is also filtered (matches the data model contract). Subsequent profile/project/archive filters operate on this trimmed set.

The otherProfileCount calculation on sessions.js:806 was also updated to use withMessages — keeps the "show other profiles" toggle count consistent with the actual rendered list.

Edge-case trace

Tests

• PR's targeted test update (test_workspace_panel_restore_before_sync): passes; correctly uses rfind for the last syncWorkspacePanelState call (normal path) and workspace-panel-pref (only present in normal path).
• My updated tests (8 in test_issue789.py): all pass after assertion polarity flip.
• Local full suite: 2596 passed, 47 skipped, 1 PR-unrelated pre-existing failure (macOS-only test_sprint3 quirk; verified pre-existing on master).
• CI on PR after my push: ✅ test (3.11), ✅ test (3.12), ✅ test (3.13).

Other audit — confirmed correct

• JS syntax: node --check passes on boot.js, sessions.js.
• _hide_from_default_sidebar ordering: still applied AFTER the empty-session filter in both paths — cron/internal sessions remain filtered. ✅
• time module still used elsewhere in api/models.py (line 50, 327, 328, 351), so the unused import isn't a concern after removing _now = time.time() from the fallback path.
• No regression in cron-completion flow: cron sessions have source='cron', hit the _hide_from_default_sidebar filter independently of the empty-Untitled filter. Title/message_count don't matter for them.

Minor observations (non-blocking)

• Orphaned empty sessions accumulate on disk forever. The PR description acknowledges this ("left on disk for cleanup but never surfaced"). Worth a follow-up sweep that deletes Untitled+0-msg sessions older than N days from the SESSION_DIR. Out of scope for this PR.
• Stale _allSessions cache OR clause: S.session && s.session_id === S.session.session_id && (S.session.message_count||0) > 0 — the inner check S.session.message_count > 0 is redundant because if S.session.message_count > 0 the cache entry's s.message_count > 0 would catch it on the next refresh. The OR clause specifically handles the window between "user sent first message" (S.session updated) and "cache refreshed" (s.message_count still 0). Acceptable; the comment explains it.
• The boot early-exit doesn't call loadDir('.') — but that's fine because there's no session workspace to load. If the user then clicks "+" and gets a session, loadSession handles dir loading.

Recommendation

Approved (after consistency fix pushed). Solid root-cause fix at the data-model layer. The inconsistency I caught between the two filter sites was real — production worked but the test suite was silently testing the wrong code path, and legacy installs would have gotten the old behaviour. After my fix both paths converge on the documented contract: a 0-message Untitled session is never surfaced in the sidebar, regardless of age. CI green; full suite 2596 passed; updated test_issue789.py assertions document the contract change. Parked at approval — ready for the release agent's merge/tag pipeline.