* Add-on iframe: delegate microphone + camera Permissions Policy
The add-on ingress iframe in ``ha-panel-app.ts`` ships without an
``allow=`` attribute, so the Permissions Policy default of *deny*
applies for ``microphone`` and ``camera`` on the cross-origin
iframe. An add-on that wants to call ``getUserMedia`` — voice
notes, dictation, video calls, photo capture — fails silently with
``NotAllowedError`` before the browser even surfaces the permission
prompt.
The failure is most visible on the Android Companion app, where
there's no "open in a new tab" escape: the user presses the mic
button and nothing happens, no toast, no logs.
Delegate ``microphone``, ``camera``, and ``clipboard-write`` to the
add-on iframe. Add-ons are first-party software the user explicitly
installs, and Chrome's runtime permission prompt still gates the
hardware access — the ``allow=`` attribute just lets the iframe
*request* the prompt instead of being blocked at the policy layer.
``clipboard-write`` is bundled in because the next-most-frequent
silent-fail in add-on land is ``navigator.clipboard.writeText`` for
"copy link" / "copy code" affordances, blocked by the same
mechanism.
* Sandbox add-on ingress iframe without allow-same-origin
Split IFRAME_SANDBOX into two constants: IFRAME_SANDBOX (without
allow-same-origin) for add-on ingress iframes that need origin
isolation, and IFRAME_SANDBOX_SAME_ORIGIN for external iframes
that need same-origin access.
This ensures add-on iframes can't inherit camera/microphone
permissions already granted to the Home Assistant origin, and
prevents same-origin iframes from removing their own sandbox.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Paulus Schoutsen <balloob@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Setup add to area page
* Remove 3 buttons, move to single add to button next to add a picture button
* Use normal size buttons
* Restructure layout with picture
* Remove div when both conditions are met
* Use mixin
* Fix imports
Some environments (e.g. Android WebView/emulator) return a UTC offset like
"+00:00" from Intl.DateTimeFormat().resolvedOptions().timeZone instead of an
IANA zone name. Submitting that to saveCoreConfig fails with "invalid time
zone", leaving users stuck on the country step.
Detect this by checking the resolved value against the google-timezones-json
list used by ha-timezone-picker, and surface the picker on the core-config
step when no IANA zone could be detected from the browser or the location
detect API.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Add to for devices page
* Rename and reuse original dialogs, drop popover
* Reduce
* Lazy context
* Direct access lazy context
* Default width
* Merge automations and scripts cards
* Format
* Loading state
* Rename key
* Tooltip and move key
* Copy icons used in more info
* Sort
* Merge scenes into one "Related" card
* Adjust
* Fix no labs
* Use same wording for device actions
* Cleanup
* Comments for removal
* Cleanup
* Type check
* Template literals
* Add padding
* Rework weather forecast card features
* Add show labels option
* Some fixes
* Fixes and cleaning
* Update palette
* Add reference floor to precipitation bar scale
Light drizzle no longer fills the bar when it's also the period max.
Observed values above the floor still drive the scale (storms read full).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Feedbacks
* Use weather unit
* Force celcius for gradient
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Allow previews to use a domain
* Allow previews to specify preview entity domain
* Allow repair_flow to use previews
* Pull recent changes
* Add domain to previews for TemplatePreview
* first rough draft of Z-Wave credential mangement
* separate user and credentials, error handling, dialog tweaks
* align with upstream API changes, improve error handling
* align more with Matter, use lock entity for services
* remove get_credential_status service
* address review feedback, clarify user types
* user_index -> user_id, fix some pending states
* address review feedback
* clean up unused code, strongly type credential types
* Clear -> Delete, drop icons
* Simplify flow to 1 PIN/Password credential per user
* cleanup, comments, etc.
* address review feedback
* do not show existing credential data
* fix lint errors after branch update
* ignore non-enterable credential types when editing user
* refactor: use separate storage and display filters in backup page
Apply the two-lists pattern in backup page: _filters (@state, display only) +
_storageFilters (@storage sessionStorage, state: false). _storageFilters
is only updated when not in URL mode (_fromUrl flag). Init moved from
connectedCallback to willUpdate(!hasUpdated).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: use separate storage and display filters in scenes page
Apply the two-lists pattern in scenes page: _filters (@state, display only) +
_storageFilters (@storage sessionStorage, state: false, with
serializer/deserializer). _storageFilters is only updated when not in
URL mode (_fromUrl flag). Init moved from firstUpdated to
willUpdate(!hasUpdated). The existing updated() hook already calls
_applyFilters() when _entityReg changes, covering the reconnect case.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: use separate storage and display filters in automations page
Apply the two-lists pattern in automations page: _filters (@state, display only) +
_storageFilters (@storage sessionStorage, state: false, with
serializer/deserializer). _storageFilters is only updated when not in
URL mode (_fromUrl flag). _fromUrl is set before the await in the async
_filterBlueprint() to prevent any user change during the fetch from
persisting. Init moved from firstUpdated to willUpdate(!hasUpdated).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: use separate storage and display filters in scripts page
Apply the two-lists pattern in scripts page: _filters (@state, display only) +
_storageFilters (@storage sessionStorage, state: false, with
serializer/deserializer). _storageFilters is only updated when not in
URL mode (_fromUrl flag). _fromUrl is set before the await in the async
_filterBlueprint() to prevent any user change during the fetch from
persisting. Init moved from firstUpdated to willUpdate(!hasUpdated).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: don't mix URL filters with storage filters in automation,script and scene pages
When URL params are present, _filters starts empty so URL methods build
from scratch. Previously, _filters was pre-populated from _storageFilters
and the spread in _filterLabel()/_filterBlueprint() would merge storage
filters into the URL-injected ones.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Update src/panels/config/backup/ha-config-backup-backups.ts
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Simon Lamon <32477463+silamon@users.noreply.github.com>
* fix(helpers): clear URL-injected filters on leaving helpers dashboard
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(helpers): restore previous filters after URL-injected navigation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: use separate storage and display filters
Apply the same pattern as devices and entities pages: split _filters into
a display-only @state and a _storageFilters persisted to sessionStorage.
_storageFilters is only updated when not in URL mode (_fromUrl flag), so
URL-injected filters never persist to storage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: reapply filters when helper entities load on reconnect
_applyFilters() was never called when _filters was restored from
sessionStorage, leaving _filteredHelperEntityIds undefined and the
table appearing empty. Call it whenever _helperEntities updates and
active filters are present.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Setup default add to actions
* Setup default add to actions
* Move event into external only
* Split into sections
* Padding
* Refactor to single type and adapt app interface to frontend style and vice versa
* Refactor to single type and adapt app interface to frontend style and vice versa
* Condition action and navigation actions
* Open dialogs with trigger, condition, action dialogs
* Add divider before add to
* Move add to to the top
* Action
* Triggers and conditions labs feature check
* Suggestion
* Keep query state
* Change to automation_trigger
* Use typed key instead of finding with icon
* Apply suggestions from code review
Co-authored-by: Wendelin <12148533+wendevlin@users.noreply.github.com>
* Finish
* Reset state
* Fix navigation resets
* stated
Co-authored-by: Wendelin <12148533+wendevlin@users.noreply.github.com>
* Split
* Add import, sort imports
---------
Co-authored-by: Wendelin <12148533+wendevlin@users.noreply.github.com>
The arrow-right icon next to the alert icon was decorative noise.
With automation comments (#52090) adding yet another icon, simplify
to a single mdiAlertCircleCheck indicator.
Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
* Show both power buttons for assumed-state media players when unknown
Media players with assumed state report an unknown state when their
actual power state can't be determined. In that case the entity row and
more info should still expose both turn on and turn off controls so the
user can operate the device.
https://claude.ai/code/session_01JyZojNPCCY65HmRVQaASkG
* Treat media player unknown state like off instead of unavailable
The media player controls lumped the "unknown" state in with
"unavailable" and hid all controls. An unknown state is closer to "off":
the device exists but its power state isn't reported, which is common
for assumed-state players. Only "unavailable" should hide the controls,
so an unknown-state player now shows the turn on button (and both power
buttons when it has an assumed state) in the entity row and more info.
https://claude.ai/code/session_01JyZojNPCCY65HmRVQaASkG
* Adjust comments and variable placement for media player state check
https://claude.ai/code/session_01JyZojNPCCY65HmRVQaASkG
---------
Co-authored-by: Claude <noreply@anthropic.com>
* fix(entities): clear URL-injected filters on leaving entities dashboard
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(entities): restore previous filters after URL-injected navigation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor: use separate storage and display filters
Apply the same pattern as devices page: split _filters into a display-only
@state and a _storageFilters persisted to sessionStorage. _storageFilters
is only updated when not in URL mode (_fromUrl flag), so URL-injected
filters never persist to storage.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(devices): clear URL-injected filters on leaving devices dashboard
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(devices): restore previous filters after URL-injected navigation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* refactor(devices): use separate storage and display filters
Replace the disconnect-callback approach with two distinct filter states:
- _storageFilters: persisted to sessionStorage, updated only when not in
URL mode (manual filter changes and clear)
- _filters: display-only state, initialized from _storageFilters on first
render, overwritten by URL params without touching storage
_storageFilters is frozen while _fromUrl is true, preserving the user's
previous manual filters for the next normal visit.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Pascal Vizeli
Wendelin
Jan-Philipp Benecke
Aidan Timson
pcan08
Stefan Agner
karwosts
Joakim Plate
Paul Bottein
iluvdata
AlCalzone
markvp
Ben Hamilton (Ben Gertzfield)
Marcin Bauer
Petar Petrov
Paulus Schoutsen
Simon Lamon