# Code Review and Repair Report

* **Session ID**: `phase38-session05-runtime-bridge-hardening`
* **Reviewed**: 2026-06-29
* **Scope**: All uncommitted changes in the working tree
* **Result**: RESOLVED

## Review Surface

**Files reviewed** (all uncommitted changes):

* `.spec_system/state.json` - tracked-modified
* `.spec_system/specs/phase38-session05-runtime-bridge-hardening/spec.md` - untracked
* `.spec_system/specs/phase38-session05-runtime-bridge-hardening/tasks.md` - untracked
* `.spec_system/specs/phase38-session05-runtime-bridge-hardening/implementation-notes.md` - untracked
* `.spec_system/specs/phase38-session05-runtime-bridge-hardening/code-review.md` - untracked review artifact
* `scripts/lib/local-control-plane-guard.ts` - untracked
* `scripts/lib/__tests__/local-control-plane-guard.test.ts` - untracked
* `scripts/lib/tool-detection.ts` - tracked-modified
* `scripts/lib/__tests__/tool-detection.test.ts` - tracked-modified
* `scripts/lib/hermes-admin-bridge.ts` - tracked-modified
* `scripts/lib/__tests__/hermes-admin-bridge.test.ts` - tracked-modified
* `scripts/lib/__tests__/hermes-dev-bridge.test.ts` - tracked-modified
* `scripts/lib/knowledge-graph-admin-bridge.ts` - tracked-modified
* `scripts/lib/__tests__/knowledge-graph-admin-bridge.test.ts` - tracked-modified
* `vite.config.ts` - tracked-modified

**Inventory commands**: `git status`, `git diff HEAD`, `git diff --cached`, `git ls-files --others --exclude-standard`

## Findings by Severity

### Critical

* No findings.

### High

* No findings.

### Medium

* `scripts/lib/local-control-plane-guard.ts:47` - Present but malformed Host values could pass the new exact-local guard: an empty or whitespace-only Host was treated like an absent Host, and bracketed non-IPv6 forms such as `[localhost]` and `[127.0.0.1]` were accepted. This weakened the session's exact Host-header validation requirement. | Fix: Reject present empty Host values and allow bracket syntax only for `[::1]`; added regression cases for empty, whitespace-only, `[localhost]`, and `[127.0.0.1]`. | Status: FIXED

### Low

* `.spec_system/specs/phase38-session05-runtime-bridge-hardening/implementation-notes.md:138` - The implementation notes still said empty Host headers were allowed after the guard was tightened. | Fix: Updated the evidence text to say absent Host is allowed and empty, whitespace, and malformed bracketed Host values are rejected. | Status: FIXED

## Assumptions and Deliberate Non-Fixes

* `bun run format:check` still reports formatting warnings in 10 unchanged historical `.spec_system` Markdown files: `.spec_system/CONSIDERATIONS.md`, `.spec_system/PRD/phase_38/PRD_phase_38.md`, `.spec_system/PRD/phase_38/session_04_dream_scheduling_and_setup.md`, `.spec_system/PRD/PRD.md`, `.spec_system/SECURITY-COMPLIANCE.md`, and five completed phase 38 session 02/03 report files. These files were already committed and outside the uncommitted review scope, so they were not modified. The current session review surface passes a targeted Prettier check.

## Behavior Changes

* Present empty or whitespace-only Host headers are now rejected instead of being treated as internal requests without a Host header.
* Bracketed Host syntax is now accepted only for `[::1]` and `[::1]:port`; bracketed `localhost` and `127.0.0.1` are rejected as malformed.
* Absent Host remains allowed for internal middleware calls, preserving the intended local control-plane behavior.
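The Medium finding and the behavior changes above describe the Host-header rules the tightened guard enforces but do not show them in code. The block below is an added example, not the project's `scripts/lib/local-control-plane-guard.ts`: it implements those rules as a stand-alone checker. Assumptions not stated on the page: the exact loopback names accepted are `localhost`, `127.0.0.1` and `[::1]`, each with an optional numeric `:port`, the hostname is compared byte-for-byte, and the function, type and sample names (`checkLocalHost`, `isExactLocalHost`, `HostVerdict`, `SAMPLE_HOSTS`) are invented here.

```typescript
// Added example, not the project's local-control-plane-guard.ts.
// Rules from the review: absent Host allowed; present empty or
// whitespace-only Host rejected; bracket syntax only for [::1] (+ optional
// :port). Assumption: the accepted loopback names are exactly these.
const LOOPBACK_NAMES: ReadonlySet<string> = new Set(["localhost", "127.0.0.1"]);

export type HostVerdict =
  | { allowed: true; why: "absent" | "loopback" }
  | { allowed: false; why: "empty" | "malformed-bracket" | "bad-port" | "not-loopback" };

/** Validates a raw Host header value for a loopback-only control plane. */
export function checkLocalHost(host: string | undefined): HostVerdict {
  // Absent header: internal middleware calls set no Host, so this stays allowed.
  if (host === undefined) {
    return { allowed: true, why: "absent" };
  }
  // Present but empty or whitespace-only is a malformed header, not an absent one.
  // Nothing below trims: a value that only matches after trimming is not exact.
  if (host.trim().length === 0) {
    return { allowed: false, why: "empty" };
  }

  let name: string;
  let port: string | undefined;

  if (host.startsWith("[")) {
    // Bracket syntax only makes sense for IPv6 literals, and the only loopback
    // IPv6 literal is ::1, so "[localhost]" and "[127.0.0.1]" are malformed.
    const close = host.indexOf("]");
    if (close === -1) {
      return { allowed: false, why: "malformed-bracket" };
    }
    name = host.slice(1, close);
    const rest = host.slice(close + 1);
    if (name !== "::1" || (rest !== "" && !rest.startsWith(":"))) {
      return { allowed: false, why: "malformed-bracket" };
    }
    port = rest === "" ? undefined : rest.slice(1);
  } else {
    const colon = host.indexOf(":");
    name = colon === -1 ? host : host.slice(0, colon);
    port = colon === -1 ? undefined : host.slice(colon + 1);
    // An unbracketed "::1" or "a:b:c" leaves a colon in the port part: reject.
    if (port !== undefined && port.includes(":")) {
      return { allowed: false, why: "not-loopback" };
    }
    // Byte-for-byte comparison (assumption): " localhost" or "localhost." fail here.
    if (!LOOPBACK_NAMES.has(name)) {
      return { allowed: false, why: "not-loopback" };
    }
  }

  // A present port must be 1-5 digits and <= 65535; "localhost:" and "[::1]:abc" fail.
  if (port !== undefined && !(/^\d{1,5}$/.test(port) && Number(port) <= 65535)) {
    return { allowed: false, why: "bad-port" };
  }
  return { allowed: true, why: "loopback" };
}

/** Boolean convenience wrapper for use at a middleware boundary. */
export function isExactLocalHost(host: string | undefined): boolean {
  return checkLocalHost(host).allowed;
}

// Constructed sample values (not the project's test cases) covering each verdict.
export const SAMPLE_HOSTS: ReadonlyArray<string | undefined> = [
  undefined, "", "   ", "localhost", "127.0.0.1:5173", "[::1]", "[::1]:5173",
  "[localhost]", "[127.0.0.1]", "::1", "localhost.example.net", "[::1]junk",
];
for (const h of SAMPLE_HOSTS) {
  console.log(JSON.stringify(h), "->", JSON.stringify(checkLocalHost(h)));
}
```

The distinction between `undefined` and `""` is the point of the Medium finding: a header that is present but empty must not fall into the "internal call without a Host" path, so the guard checks `host === undefined` first and treats any present value, however blank, as something that must match exactly.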

## Verification

* Tests: `bun run test -- scripts/lib/__tests__/local-control-plane-guard.test.ts` - PASS - 5 tests passed after the repair.
* Tests: `bun run test` - PASS - 392 test files passed, 4523 tests passed.
* Linter: `bun run lint` - PASS - ESLint exited 0.
* Formatter: `bunx prettier --write [review surface]` - PASS - formatter completed.
* Formatter: `bunx prettier --check [review surface]` - PASS - all matched review-surface files use Prettier style.
* Formatter: `bun run format:check` - FAIL - full repo check still reports 10 unchanged historical `.spec_system` Markdown files outside this review scope.
* Type checker: `bun run typecheck:scripts` - PASS - script TypeScript project compiled with no emit.
* Type checker: `bun run typecheck` - PASS - app TypeScript project compiled with no emit.
* Whitespace: `git diff --check HEAD` - PASS - no diff whitespace errors.
* Encoding: `perl -ne ... [review surface]` - PASS - no non-ASCII or CRLF findings.
* Final diff re-read: no remaining review-scope issues.

## Summary

1. Reviewed 15 uncommitted files covering the session spec artifacts, local Host guard, runtime CLI resolver, Hermes and Graphify bridge wiring, bridge tests, and Vite loopback wiring.
2. Findings: 0 critical, 0 high, 1 medium, 1 low; both fixed with focused code, tests, and evidence updates.
3. Deliberately not fixed: 10 unchanged historical `.spec_system` Markdown formatting warnings from the full repo Prettier check, because they are outside this uncommitted review scope.
4. Verification passed for tests, lint, type checks, targeted formatting, whitespace, encoding, and final diff review.
