Add Claude Code session imports

[Michaelyklam]

Thinking Path

• Hermes WebUI already has a CLI-session bridge, so Claude Code history can fit that pattern without a new import wizard.
• Issue feat(import): import sessions from other agents — Claude Code, Codex, Cursor, Aider #674 calls out Claude Code phase 1 as a high-value slice because its JSONL history maps cleanly into role/content messages.
• The risky parts are filesystem scanning and mutation semantics: imports should be bounded, fixture-testable, and read-only.
• This PR keeps the scope to Claude Code JSONL discovery/parsing, read-only session presentation, and backend/UI guards.
• Users can browse Claude Code history in WebUI with clear source labeling without accidentally modifying external agent history.

What Changed

• Added Claude Code JSONL discovery/parsing in api/models.py with safe caps for file count, file size, message count, content size, malformed lines, and symlinks.
• Exposed Claude Code sessions through the existing CLI-session listing/message bridge with source_tag: claude_code, source_label: Claude Code, session_source: external_agent, and read_only: true.
• Updated import/session/delete/archive paths so read-only external sessions return view payloads without persisting or allowing destructive mutations.
• Added frontend read-only guards: no sidebar select checkbox, no rename/action menu, blocked composer send, active sidebar badge, and app titlebar Claude Code · read-only badge.
• Added fixture-only regression coverage in tests/test_claude_code_session_import.py; tests use explicit temp paths and disable default real-home scanning under test state.
• Added UI evidence under docs/pr-media/674/claude-code-import-readonly.png.

Why It Matters

Claude Code conversations are useful context, but they live outside Hermes WebUI. This lets users browse those histories alongside Hermes sessions while preserving source clarity and preventing accidental edits/deletes to externally-owned JSONL history.

Verification

env -u HERMES_CONFIG_PATH /home/michael/.hermes/hermes-agent/venv/bin/python -m pytest tests/test_claude_code_session_import.py -q

env -u HERMES_CONFIG_PATH /home/michael/.hermes/hermes-agent/venv/bin/python -m pytest \
  tests/test_claude_code_session_import.py \
  tests/test_session_import_cli_fallback_model.py \
  tests/test_issue569_579.py \
  -q

node --check static/messages.js
node --check static/sessions.js
node --check static/ui.js
node --check static/panels.js

git diff --check

HERMES_WEBUI_TEST_STATE_DIR=/tmp/hermes-webui-kanban/t_21ed1788/full-suite-state-<timestamp> \
HERMES_WEBUI_TEST_PORT=28767 \
env -u HERMES_CONFIG_PATH \
/home/michael/.hermes/hermes-agent/venv/bin/python -m pytest tests/ -q

Result:

5 passed in 1.55s
20 passed in 1.66s
node --check passed for changed JS files
git diff --check passed
4288 passed, 2 skipped, 1 xfailed, 2 xpassed, 1 warning, 8 subtests passed in 392.37s (0:06:32)

Manual verification:

• Ran an isolated local WebUI server with synthetic HERMES_WEBUI_CLAUDE_PROJECTS_DIR fixture JSONL and show_cli_sessions: true.
• Verified /api/sessions returned one read_only: true Claude Code session with source_label: "Claude Code".
• Opened the imported session in browser QA and verified imported user/assistant messages render, the active sidebar badge shows CLAUDE CODE, there is no session action menu, the app titlebar shows Claude Code · read-only, and composer send is blocked with the read-only toast.

UI media:

Risks / Follow-ups

• Refs feat(import): import sessions from other agents — Claude Code, Codex, Cursor, Aider #674. This completes the Claude Code read-only phase 1 slice; generic import endpoints, Codex/Cursor/Aider adapters, and an import wizard remain follow-up scope.
• The scanner is deliberately conservative: symlinked project roots/files and oversized JSONL files are skipped rather than partially imported.
• Imported Claude Code sessions are view-only; future work should decide whether any explicit “copy into Hermes” flow should create editable duplicates.

Model Used

AI assisted.

• Provider: openai-codex
• Model: gpt-5.5
• Notable tool use: Hermes terminal/file/browser tools, pytest, Node syntax checks, git/gh, isolated WebUI browser QA.

[nesquena-hermes]

Closed by the v0.51.1 release in PR #1681 (merged at e23ba59). Massive thanks @Michaelyklam — this is now 19 merged PRs across the v0.50.292–v0.51.1 release window, an extraordinary contribution rate. Each PR was per-claim-vs-diff verified against your description and every security-relevant code path checked under independent review (Opus advisor, 6/6 questions clean). Your closes #N references are all accurate, your Thinking Path / What Changed / Why It Matters body template is consistently helpful, and your test coverage is solid behavioral scope (not source-string scaffolding) on every PR.

Live on production: https://github.com/nesquena/hermes-webui/releases/tag/v0.51.1

🚀