fix(banner): show correct update status on nix-built hermes (#17550)

check_for_updates() looked at __file__.parent.parent for a .git dir to diff against origin/main. A nix-built hermes lives in /nix/store with no .git there, so the check fell through to whatever editable-install dev checkout last populated ~/.hermes/.update_check, producing stale "X commits behind" warnings right after a fresh `nix run --refresh`. Embed the locked flake rev into the wrapper as HERMES_REVISION (only on clean builds — dirty refs don't represent any upstream commit). When set, banner.py compares it to upstream main via `git ls-remote` instead of inspecting a local checkout, and the cache key includes the rev so nix updates invalidate immediately. Without local history we can't count commits, so the message is a plain "update available" with no suggested command — nix users may install via `nix run`, profile, system flake, or home-manager, and we don't know which. Also bump web/package-lock.json npmDepsHash via `nix run .#fix-lockfiles`.
2026-04-29 21:33:00 -04:00
parent fc7f55f490
commit 9fc9c15b4a
6 changed files with 97 additions and 62 deletions
--- a/nix/hermes-agent.nix
+++ b/nix/hermes-agent.nix
@@ -19,6 +19,10 @@
  pyproject-nix,
  pyproject-build-systems,
  npm-lockfile-fix,
+  # Locked git revision of the flake source — embedded so banner.py can
+  # check for updates without needing a local .git directory. Null for
+  # impure / dirty builds where flakes can't determine a rev.
+  rev ? null,
  # Overridable parameters
  extraPythonPackages ? [ ],
 }:
@@ -98,6 +102,7 @@ stdenv.mkDerivation {
          --set HERMES_TUI_DIR $out/ui-tui \
          --set HERMES_PYTHON ${hermesVenv}/bin/python3 \
          --set HERMES_NODE ${nodejs_22}/bin/node \
+          ${lib.optionalString (rev != null) ''--set HERMES_REVISION ${rev} \''}
          ${lib.optionalString (extraPythonPackages != [ ]) ''--suffix PYTHONPATH : "${pythonPath}"''}
      '')
      [
--- a/nix/overlays.nix
+++ b/nix/overlays.nix
@@ -5,6 +5,7 @@
    hermes-agent = final.callPackage ./hermes-agent.nix {
      inherit (inputs) uv2nix pyproject-nix pyproject-build-systems;
      npm-lockfile-fix = inputs.npm-lockfile-fix.packages.${final.stdenv.hostPlatform.system}.default;
+      rev = inputs.self.rev or null;
    };
  };
 }
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -7,6 +7,9 @@
      hermesAgent = pkgs.callPackage ./hermes-agent.nix {
        inherit (inputs) uv2nix pyproject-nix pyproject-build-systems;
        npm-lockfile-fix = inputs'.npm-lockfile-fix.packages.default;
+        # Only embed clean revs — dirtyRev doesn't represent any upstream
+        # commit, so comparing it would always claim "update available".
+        rev = inputs.self.rev or null;
      };
    in
    {
--- a/nix/web.nix
+++ b/nix/web.nix
@@ -4,7 +4,7 @@ let
  src = ../web;
  npmDeps = pkgs.fetchNpmDeps {
    inherit src;
-    hash = "sha256-+B2+Fe4djPzHHcUXRx+m0cuyaopAhW0PcHsMgYfV5VE=";
+    hash = "sha256-HWB1piIPglTXbzQHXFYHLgVZIbDb60esupXSQGa1+lI=";
  };

  npm = hermesNpmLib.mkNpmPassthru { folder = "web"; attr = "web"; pname = "hermes-web"; };