
# Code Review and Repair Report

* **Session ID**: `phase40-session04-chat-overrides-and-runtime`
* **Reviewed**: 2026-07-03
* **Base Commit**: `991444067326cc8cada6e19fd3b94c9459e1564b`
* **Scope**: All changes since the base commit (uncommitted work plus mid-session commits)
* **Result**: RESOLVED

## Review Surface

**Files reviewed** (all changes since the base commit):

* `.spec_system/state.json` - tracked-modified
* `.spec_system/specs/phase40-session04-chat-overrides-and-runtime/spec.md` - untracked session artifact
* `.spec_system/specs/phase40-session04-chat-overrides-and-runtime/tasks.md` - untracked session artifact
* `.spec_system/specs/phase40-session04-chat-overrides-and-runtime/implementation-notes.md` - untracked session artifact
* `.spec_system/specs/phase40-session04-chat-overrides-and-runtime/code-review.md` - untracked review report
* `scripts/lib/hermes-admin-bridge.ts` - tracked-modified
* `scripts/lib/__tests__/hermes-admin-bridge.test.ts` - tracked-modified
* `src/components/hermes/chat/chat-types.ts` - tracked-modified
* `src/hooks/use-hermes-admin.ts` - tracked-modified
* `src/hooks/__tests__/use-hermes-admin.test.tsx` - tracked-modified
* `src/lib/hermes-admin-types.ts` - tracked-modified
* `src/lib/__tests__/hermes-admin-types.test.ts` - tracked-modified
* `src/lib/hermes-intelligence-events.ts` - tracked-modified
* `src/lib/__tests__/hermes-intelligence-events.test.ts` - tracked-modified

**Inventory commands**: `git status`, `git log --oneline "$BASE"..HEAD`, `git diff "$BASE"`, `git diff --cached "$BASE"`, `git ls-files --others --exclude-standard`

No mid-session commits were present after the base commit.

## Findings by Severity

### Critical

No findings.

### High

No findings.

### Medium

* `scripts/lib/hermes-admin-bridge.ts:566` - Model override validation allowed path/URL-shaped values such as `openai/../../secret` because slash and colon were valid model-ID characters. The session edge cases require path-shaped model values to be rejected before spawn. | Fix: Added targeted path/URL-shape rejection to server and client model validation while preserving normal IDs such as `openai/gpt-5.5`; added bridge and hook regression coverage. | Status: FIXED

### Low

* `src/hooks/use-hermes-admin.ts:400` - Client-side validation allowed `provider: "moa"` without a preset model, leaving a known invalid combination to fail only at the server boundary. The session requires client and server validation for MoA preset sends. | Fix: Added browser-side rejection for `provider: "moa"` without `model`, with a focused hook test asserting no request is sent. | Status: FIXED

## Assumptions and Deliberate Non-Fixes

* The post-output idle success window remains the implemented 5 second default. This matches the session scope for post-output idle success and is covered by bridge tests; no change was made.
* `bun run format:check` still fails on pre-existing Markdown files outside this review surface. The two review-surface Markdown files it flagged were formatted, and a review-surface-only Prettier check passes.

## Behavior Changes

* Invalid path/URL-shaped model overrides now fail client and server validation instead of reaching Hermes argv construction.
* `provider: "moa"` without a model override now fails in the hook before fetch dispatch, matching the bridge authority check.
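
The two rejections above can be expressed as one validator shared by the hook and the bridge. This is an added example, not the code in `hermes-admin-bridge.ts` or `use-hermes-admin.ts`; the function names, the allow-list regex and the 128-character limit are assumptions.

```typescript
// Added example; names, allow-list and length limit are assumptions,
// not taken from hermes-admin-bridge.ts or use-hermes-admin.ts.

// Slash and colon are legal model-ID characters, so this character
// allow-list alone still accepts "openai/../../secret".
const MODEL_ID_CHARS = /^[A-Za-z0-9._:\/-]+$/;
const MAX_MODEL_ID_LENGTH = 128;

interface ChatOverrides {
  provider?: string;
  model?: string;
}

// Returns a rejection reason, or null when the model ID is acceptable.
function modelOverrideError(model: string): string | null {
  if (model.length === 0 || model.length > MAX_MODEL_ID_LENGTH) {
    return "length";
  }
  if (!MODEL_ID_CHARS.test(model)) return "charset";
  // URL shape: a scheme separator anywhere in the value.
  if (model.indexOf("://") !== -1) return "url-shaped";
  // Path shape: Windows drive prefix such as "C:/".
  if (/^[A-Za-z]:\//.test(model)) return "path-shaped";
  // Path shape: a leading, trailing or doubled slash yields an empty
  // segment; "." and ".." segments are traversal.
  for (const segment of model.split("/")) {
    if (segment === "" || segment === "." || segment === "..") {
      return "path-shaped";
    }
  }
  return null;
}

// Intended to run in the client before fetch dispatch and again in the
// server before argv construction, so both sides agree on the result.
function chatOverridesError(overrides: ChatOverrides): string | null {
  if (overrides.provider === "moa" && !overrides.model) {
    return "moa-requires-model";
  }
  if (overrides.model !== undefined) {
    return modelOverrideError(overrides.model);
  }
  return null;
}
```

The segment check is what separates `openai/gpt-5.5` from `openai/../../secret`: both pass the character allow-list, and only the second contains a `..` segment.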

## Verification

* Tests: `bunx vitest run scripts/lib/__tests__/hermes-admin-bridge.test.ts src/hooks/__tests__/use-hermes-admin.test.tsx src/lib/__tests__/hermes-admin-types.test.ts src/lib/__tests__/hermes-intelligence-events.test.ts` - PASS - 4 files, 87 tests
* Linter: `bun run lint` - PASS - ESLint completed with no findings after formatting one hook signature
* Formatter: `bun run format:check` - FAIL - 33 pre-existing out-of-scope Markdown files reported by the global check
* Formatter: `bunx prettier --write src/hooks/use-hermes-admin.ts .spec_system/specs/phase40-session04-chat-overrides-and-runtime/spec.md .spec_system/specs/phase40-session04-chat-overrides-and-runtime/implementation-notes.md` - PASS - formatted review-surface files that needed it
* Formatter: `bunx prettier --check [review-surface files]` - PASS - all review-surface files use Prettier style
* Type checker: `bun run typecheck:scripts` - PASS - script TypeScript check completed
* Type checker: `bun run typecheck` - PASS - app TypeScript check completed
* Whitespace: `git diff --check` - PASS - no whitespace errors
* ASCII scan: `rg -nP "[^\\x00-\\x7F]" [review-surface files]` - PASS - no matches
* Final diff re-read: PASS - reviewed final status, tracked diff inventory, and untracked session artifact inventory

## Summary

1. Reviewed 14 files in the session surface: 10 tracked modified files, 3 untracked session artifacts, and this review report.
2. Findings: 0 critical, 0 high, 1 medium, 1 low; all fixed with focused tests.
3. Deliberately not fixed: the configured post-output idle window, because it matches the session runtime safeguard behavior and existing tests.
4. Verification passed for focused tests, lint, script typecheck, app typecheck, review-surface formatting, whitespace, and ASCII checks. The global Prettier check remains blocked by existing out-of-scope Markdown formatting drift.

