
# Task Checklist

* **Session ID**: `phase38-session05-runtime-bridge-hardening`
* **Total Tasks**: 20
* **Estimated Duration**: 3-4 hours
* **Created**: 2026-06-29

***

Legend: `[x]` completed; `[ ]` pending; `[P]` parallelizable; `[SNNMM]` session ref; `TNNN` task ID.

***

## Progress Summary

| Metric              | Value     |
| ------------------- | --------- |
| Tasks Completed     | 20 / 20   |
| Estimated Remaining | 3-4 hours |
| Blockers            | 0         |

***

## Setup (3 tasks)

* [x] T001 \[S3805] Verify upstream runtime CLI and Host-header hunk behavior against current AI OS bridge boundaries (`/home/aiwithapex/projects/claudeos/claude-os-v2.8.1/vite.config.ts`, `scripts/lib/hermes-admin-bridge.ts`, `scripts/lib/knowledge-graph-admin-bridge.ts`)
* [x] T002 \[S3805] Characterize current Hermes, Graphify, Dream, token, refresh, and read-only Hermes status guard paths before edits (`vite.config.ts`, `scripts/lib/hermes-dev-bridge.ts`)
* [x] T003 \[S3805] Create the implementation evidence file and record selected runtime bridge hardening targets (`.spec_system/specs/phase38-session05-runtime-bridge-hardening/implementation-notes.md`)

***

## Foundation (5 tasks)

* [x] T004 \[S3805] \[P] Create a pure local control-plane guard for loopback socket and exact Host-header validation (`scripts/lib/local-control-plane-guard.ts`)
* [x] T005 \[S3805] \[P] Extend shared runtime CLI resolution only where live Hermes and Graphify bridge wiring exposes configured-candidate or source-label gaps (`scripts/lib/tool-detection.ts`)
* [x] T006 \[S3805] \[P] Add guard and CLI resolver tests for valid local hosts, hostile hosts, Windows `.cmd`, configured candidates, and missing commands (`scripts/lib/__tests__/local-control-plane-guard.test.ts`, `scripts/lib/__tests__/tool-detection.test.ts`)
* [x] T007 \[S3805] \[P] Preserve platform helper coverage for Windows app-data npm, local programs, PATHEXT expansion, and venv `Scripts` candidates (`scripts/lib/__tests__/platform.test.ts`)
* [x] T008 \[S3805] Wire Vite `isLoopback` through the local control-plane guard while preserving existing loopback behavior for callers without Host headers (`vite.config.ts`)

***

## Implementation (7 tasks)

* [x] T009 \[S3805] Update Hermes chat command resolution to use platform `venvBin` and shared wrapper lookup with timeout and failure-path handling preserved (`scripts/lib/hermes-admin-bridge.ts`)
* [x] T010 \[S3805] Add Hermes admin bridge tests for Windows source `Scripts/python.exe`, `%APPDATA%\npm\hermes.cmd`, configured `HERMES_BIN`, graph/yolo arg preservation, and sanitized failures (`scripts/lib/__tests__/hermes-admin-bridge.test.ts`)
* [x] T011 \[S3805] Update Graphify admin status and ingest command resolution to use shared configured, venv, PATH, PATHEXT, and `.cmd` candidate lookup (`scripts/lib/knowledge-graph-admin-bridge.ts`)
* [x] T012 \[S3805] Add Knowledge Graph admin bridge tests for Graphify configured/path/missing states, Windows `.cmd` candidates, ingest command selection, and private-path redaction (`scripts/lib/__tests__/knowledge-graph-admin-bridge.test.ts`)
* [x] T013 \[S3805] Apply Host-header hardening through existing Vite bridge registrations and run-control endpoints without weakening token, admin, method, body-size, or path checks (`vite.config.ts`)
* [x] T014 \[S3805] Add representative hostile-Host regression scenarios for Hermes, Graphify, Dream, token, and refresh guard behavior (`scripts/lib/__tests__/local-control-plane-guard.test.ts`, `scripts/lib/__tests__/hermes-admin-bridge.test.ts`, `scripts/lib/__tests__/knowledge-graph-admin-bridge.test.ts`)
* [x] T015 \[S3805] Confirm read-only Hermes status remains filesystem-based and contract-stable while receiving Host hardening from Vite (`scripts/lib/__tests__/hermes-dev-bridge.test.ts`)

***

## Testing (5 tasks)

* [x] T016 \[S3805] Run local guard and shared CLI helper tests (`bun run test -- scripts/lib/__tests__/local-control-plane-guard.test.ts scripts/lib/__tests__/platform.test.ts scripts/lib/__tests__/tool-detection.test.ts`)
* [x] T017 \[S3805] Run Hermes and Knowledge Graph bridge regression tests (`bun run test -- scripts/lib/__tests__/hermes-admin-bridge.test.ts scripts/lib/__tests__/hermes-dev-bridge.test.ts scripts/lib/__tests__/knowledge-graph-admin-bridge.test.ts`)
* [x] T018 \[S3805] Run Dream run-control and scheduler-adjacent regressions affected by Vite guard changes (`bun run test -- src/lib/__tests__/use-dream-run.test.tsx scripts/lib/__tests__/dream-execution.test.ts`)
* [x] T019 \[S3805] Run TypeScript checks for script and app boundaries touched by Vite and bridge imports (`bun run typecheck:scripts`, `bun run typecheck`)
* [x] T020 \[S3805] Validate ASCII/LF requirements and record Host-header, Windows harness, POSIX, bridge, and typecheck evidence (`.spec_system/specs/phase38-session05-runtime-bridge-hardening/implementation-notes.md`)

***

## Completion Checklist

* [x] All tasks marked `[x]`
* [x] All tests and checks passing
* [x] All files ASCII-encoded with LF line endings
* [x] implementation-notes.md updated
* [x] Ready for `creview` to continue the implement -> creview -> validate sequence

***

## Next Steps

Run the `creview` workflow step.

