github →

New request

#2284: Support runtime-configurable upload limits across server, browser preflight, and archive extraction

We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.

Issue
enhancementsprint-candidate

Summary

Hermes WebUI currently treats the attachment upload limit as effectively hard-coded. This makes it difficult for operators to support larger uploads and creates a risk that server-side enforcement, browser-side preflight checks, and archive extraction safety limits drift out of sync.

Problem

Today, upload-related limits are tied to fixed values in multiple layers:

  • the backend enforces a default 20 MB upload cap
  • the browser preflight logic assumes the same fixed limit
  • archive extraction safety uses a derived cap that is not driven by a single runtime configuration source

As a result, operators who need to support larger uploads (for example logs, bundles, or archives) have to patch code instead of setting configuration. It also increases the chance of inconsistent behavior between the UI and the backend.

Expected behavior

Hermes WebUI should expose a single runtime setting, such as HERMES_WEBUI_MAX_UPLOAD_MB, that:

  • controls the server-side upload size limit
  • drives the browser-side preflight limit and user-facing validation message
  • scales archive extraction protection from the effective upload limit
  • falls back safely to the default limit when the env var is unset or invalid

Why this matters

  • avoids code changes for common deployment needs
  • keeps operator configuration simple and predictable
  • prevents UI/backend mismatches around upload rejection
  • preserves zip/tar bomb protection when the upload limit changes

Acceptance criteria

  • HERMES_WEBUI_MAX_UPLOAD_MB overrides the default 20 MB upload limit
  • accepted values include plain integers and common suffix forms such as 200, 200MB, and 200MiB
  • invalid or non-positive values fall back to the default and emit a warning
  • the browser receives the effective upload limit at runtime instead of relying on a hard-coded constant
  • archive extraction safety scales from the effective upload limit
  • tests cover config parsing, client preflight wiring, and extraction-limit scaling
Assessmentadvisory
feature●● medium95% confidence

Runtime-configurable upload limits require coordinated changes across backend API, browser preflight logic, and archive extraction.

Likely files
  • api/server.py
  • static/ui.js
  • api/extraction.py
  • bootstrap.py
  • .env.example
Create the request

This opens a fresh agent run and a draft PR for issue #2284.

Cancel