Fix+feat Dream Server DESKTOP #1127

Draft
gabsprogrammer wants to merge 1 commit into Light-Heart-Labs:main from gabsprogrammer:gabs/hermes-service-extension

@gabsprogrammer
Contributor

Summary

  • Resolve Dream Server DESKTOP custom/local model endpoints before Hermes sends a turn, so stale provider defaults such as z-ai/glm4.7 are replaced with the model exposed by /v1/models.
  • Bridge container calls to host-local model endpoints via host.docker.internal while preserving the user-visible localhost configuration.
  • Send Qwen/llama.cpp chat-template thinking overrides for local routes when localThinkingEnabled is off, avoiding empty <think> responses.
  • Add Linux-compatible host.docker.internal:host-gateway mapping for the Hermes compose fragment.

Validation

  • node --test runtime/provider-routing.test.js runtime/hermes/backend.test.js
  • bash tests/run-bats.sh (256/256, including _docker_cmd_arr regression)
  • python scripts/audit-extensions.py --project-dir .
  • bash tests/test-extension-audit.sh
  • bash tests/test-extension-runtime-check.sh
  • bash tests/integration-test.sh
  • docker compose -f docker-compose.base.yml -f docker-compose.nvidia.yml -f extensions/services/hermes/compose.yaml -f extensions/services/litellm/compose.yaml -f extensions/services/litellm/compose.local.yaml config --quiet
  • Local smoke: Dream Server DESKTOP on http://127.0.0.1:3011 responded through Qwen3.5-9B-Q4_K_M at http://127.0.0.1:11435/v1.

@gabsprogrammer gabsprogrammer changed the title Fix Dream Server DESKTOP local endpoint routing Fix+feat Dream Server DESKTOP local endpoint routing May 3, 2026
@gabsprogrammer gabsprogrammer changed the title Fix+feat Dream Server DESKTOP local endpoint routing Fix+feat Dream Server DESKTOP May 3, 2026
Collaborator

@Lightheartdevs Lightheartdevs left a comment

Thanks for the submission. I don't think this is merge-ready in its current shape. The CI checks are green, but the diff changes too much global DreamServer behavior and adds a large unauthenticated local execution surface.

Blocking findings:

  1. Unauthenticated Hermes API exposes mutation and execution endpoints. extensions/services/hermes/app/server.js routes every /api/* request directly through routeApi() with no auth, origin check, CSRF token, or per-session secret. readJson() parses the body regardless of content type, so browser no-cors simple POSTs can still carry JSON text. The exposed endpoints include /api/desktop/run-action and /api/code/save-file; the latter accepts absolute paths and writes them without containing the path to WORKSPACE_ROOT (server.js:332-336, 395-406, 497-535). Because the compose file passes API keys into this container and /app is writable by the service user, this needs a real local auth/origin gate plus path containment before merge.

  2. Global optional-service filtering can break existing installs on update. scripts/resolve-compose-stack.sh now treats optional manifests as disabled unless DREAM_ENABLED_SERVICES explicitly lists them (resolve-compose-stack.sh:81-93, 190-192). Existing installs created before this PR will not have that variable, so after updating/regenerating compose flags they drop previously running optional services. Repro with PyYAML available: on this branch with DREAM_ENABLED_SERVICES unset, the resolver emits only base/nvidia plus core/recommended fragments; origin/main emits the full optional stack. This needs a migration/compat fallback before it can ride along with Hermes.

  3. The vendored payload is too large to review or maintain as one PR. This adds 2,119 files / 826,273 lines under extensions/services/hermes/app/vendor, plus binaries/PDFs/fonts/images and multiple upstream app trees. The workflow also excludes that vendor tree from Ruff. That is a supply-chain and maintainability decision, not a normal feature diff. Please split the DreamServer integration from the third-party source drop, pin provenance/SHAs and licensing, and avoid committing unrelated upstream websites/docs/tests/assets where possible.

  4. Setup diagnostics tests fail in this environment. On Windows where bash resolves to the broken WSL shim at C:\Windows\system32\bash.EXE, the PR path conversion still invokes that shim and tests/test_setup_sentinel.py fails 2/29 (PASS becomes FAIL, and expected rc 3 becomes 1). The code should choose a usable Git Bash/WSL bash explicitly or detect the broken shim before converting paths to /mnt/<drive>/....

Validation I ran:

  • git diff --check origin/main...HEAD
  • bash -n dream-cli scripts/resolve-compose-stack.sh installers/phases/03-features.sh installers/phases/06-directories.sh installers/phases/11-services.sh install-core.sh
  • node --test runtime/provider-routing.test.js runtime/hermes/backend.test.js
  • broader Hermes node --test runtime/*.test.js runtime/hermes/backend.test.js runtime/platform/tool-runtime.test.js
  • docker compose --env-file .env.example -f docker-compose.base.yml -f docker-compose.nvidia.yml -f extensions/services/hermes/compose.yaml -f extensions/services/litellm/compose.yaml -f extensions/services/litellm/compose.local.yaml config --quiet
  • python -m py_compile config.py helpers.py main.py routers/extensions.py routers/setup.py
  • python -m pytest tests/test_config.py tests/test_setup_sentinel.py -q: 2 failed / 27 passed

Recommendation: split and revise. The Hermes endpoint-routing fix may be valuable, but this PR should not merge as a single 876k-line feature/vendor/global-installer change.
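
Added example (not part of the review or of the PR's code): one way to implement the auth/origin gate and the WORKSPACE_ROOT containment that finding 1 asks for, written as Node.js helpers. The function names, the `x-session-token` header and the allowed-origin list are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helpers, not code from the PR's server.js.
const path = require("node:path");
const crypto = require("node:crypto");

// Resolve a client-supplied path and refuse anything outside workspaceRoot.
// Lexical check only: a real handler should also compare fs.realpath() results
// so a symlink inside the workspace cannot point outside it.
function resolveInWorkspace(workspaceRoot, requested) {
  const root = path.resolve(workspaceRoot);
  // An absolute `requested` discards `root` here, which is why the check below is needed.
  const target = path.resolve(root, String(requested));
  const rel = path.relative(root, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) throw new Error("path is outside the workspace root or is the root itself");
  return target;
}

// Gate for every /api/* request; `req` only needs `method` and `headers`.
// `token` is a per-session secret (assumed to be generated at startup and handed
// to the UI); `x-session-token` is a made-up header name.
function checkApiRequest(req, { token, allowedOrigins }) {
  const h = req.headers;
  // Browsers attach Origin to cross-site POSTs; reject any origin that is not listed.
  if (h.origin !== undefined && !allowedOrigins.includes(h.origin)) {
    return { ok: false, status: 403 };
  }
  // A custom header cannot be sent by a no-cors "simple" request.
  const presented = Buffer.from(String(h["x-session-token"] || ""));
  const expected = Buffer.from(token);
  if (presented.length !== expected.length || !crypto.timingSafeEqual(presented, expected)) {
    return { ok: false, status: 401 };
  }
  // Only accept bodies declared as JSON, so text/plain posts never reach a handler.
  if (req.method !== "GET" && req.method !== "HEAD") {
    const type = String(h["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (type !== "application/json") return { ok: false, status: 415 };
  }
  return { ok: true, status: 200 };
}
```

Both checks would run before any body parsing or file write: the gate first, then `resolveInWorkspace()` on the path taken from the parsed JSON.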

@gabsprogrammer gabsprogrammer marked this pull request as draft May 3, 2026 02:23
@gabsprogrammer gabsprogrammer force-pushed the gabs/hermes-service-extension branch from 7f24196 to 462e166 Compare May 3, 2026 03:53
@gabsprogrammer gabsprogrammer force-pushed the gabs/hermes-service-extension branch from 462e166 to 695d4f2 Compare May 3, 2026 04:03
@gabsprogrammer gabsprogrammer marked this pull request as ready for review May 3, 2026 04:05
@gabsprogrammer
Contributor Author

review done

@gabsprogrammer gabsprogrammer marked this pull request as draft May 4, 2026 23:19