docs: frontend audit round-2 follow-up & validations (tracks #2575) #2577
rmusser01 wants to merge 3 commits into
Tracking doc for the work following the merged audit remediation (PR #2575): the validations that need a live app/backend (WS token-out-of-URL smoke test; CSP browser check) and the deferred follow-up tickets (TS-strict migration, characterChatMode consolidation, CSP unsafe-eval, extension/routes removal). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Code Review
This pull request introduces a tracking document (apps/FRONTEND_AUDIT_FOLLOWUP.md) for the validation and continued work following a frontend audit. The review feedback points out inconsistent file paths listed in the document and suggests standardizing them to be relative to the repository root.
| Files if a revert/patch is needed: `apps/packages/ui/src/services/persona-stream.ts`, | ||
| `services/tldw/voice-conversation.ts`, `hooks/useVoiceChatStream.tsx`, | ||
| `routes/hooks/usePersonaLiveSession.tsx`, `hooks/usePersonaLiveControl.tsx`, | ||
| `entries/background.ts` (STT section). |
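Review bot: Only the first entry in this revert list is a repo-root path; `services/tldw/voice-conversation.ts` and the four entries after it drop the prefix, so the list cannot be pasted into a `git` command from the repository root as written. Write every entry relative to the same root. The `(STT section)` qualifier on `entries/background.ts` is also a loose locator that will drift as the file changes; naming the function or marker comment it refers to would hold up better.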
The file paths listed here are inconsistent. The first path (apps/packages/ui/src/services/persona-stream.ts) is relative to the repository root, whereas the subsequent paths (e.g., services/tldw/voice-conversation.ts, hooks/useVoiceChatStream.tsx) omit the apps/packages/ui/src/ prefix.

To avoid confusion and ensure consistency, all paths should be specified relative to the repository root:

```markdown
Files if a revert/patch is needed: `apps/packages/ui/src/services/persona-stream.ts`,
`apps/packages/ui/src/services/tldw/voice-conversation.ts`, `apps/packages/ui/src/hooks/useVoiceChatStream.tsx`,
`apps/packages/ui/src/routes/hooks/usePersonaLiveSession.tsx`, `apps/packages/ui/src/hooks/usePersonaLiveControl.tsx`,
`apps/packages/ui/src/entries/background.ts` (STT section).
```
Code Review by Qodo
| Files if a revert/patch is needed: `apps/packages/ui/src/services/persona-stream.ts`, | ||
| `services/tldw/voice-conversation.ts`, `hooks/useVoiceChatStream.tsx`, | ||
| `routes/hooks/usePersonaLiveSession.tsx`, `hooks/usePersonaLiveControl.tsx`, | ||
| `entries/background.ts` (STT section). |
1. Wrong/ambiguous file paths 🐞 Bug ⚙ Maintainability
The “Files if a revert/patch is needed” list contains truncated paths (missing apps/packages/ui/src/…) and an ambiguous entries/background.ts, which can send someone to the wrong file when reverting/patching the WS-auth changes.
Agent Prompt
### Issue description
The follow-up doc’s revert/patch file list includes incorrect/truncated paths and an ambiguous `entries/background.ts`. This undermines the doc’s main purpose (fast validation/revert guidance) because engineers may waste time searching or patching the wrong location.
### Issue Context
In this repo, the referenced hooks/services live under `apps/packages/ui/src/...`, and there are multiple `background.ts` entrypoints (extension entrypoint vs UI implementation).
### Fix Focus Areas
- apps/FRONTEND_AUDIT_FOLLOWUP.md[35-38]
### Suggested change
Update the list to fully-qualified repo paths and disambiguate background entrypoints, e.g.:
- `apps/packages/ui/src/services/persona-stream.ts`
- `apps/packages/ui/src/services/tldw/voice-conversation.ts`
- `apps/packages/ui/src/hooks/useVoiceChatStream.tsx`
- `apps/packages/ui/src/routes/hooks/usePersonaLiveSession.tsx`
- `apps/packages/ui/src/hooks/usePersonaLiveControl.tsx`
- `apps/packages/ui/src/entries/background.ts` (extension re-exports via `apps/extension/entrypoints/background.ts`)
…sion) A teammate independently used task-12102 on dev (character-greeting selection), colliding with the audit's TS-strict ticket. Renumber mine to 12116 and update the audit-doc references; leave the teammate's 12102 untouched. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The previous commit captured only the file rename; the id: field and the FRONTEND_AUDIT / FOLLOWUP references were missed. Update them so TASK-12116 is internally consistent and no doc still points the config ticket at 12102. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What this is
Follow-up tracker for the frontend/extension audit remediation that landed in #2575 (merged to dev). This PR does not change runtime behavior — it adds a checklist (apps/FRONTEND_AUDIT_FOLLOWUP.md) that makes explicit:

Full details in the doc; the highlights:

dev

- task-12113): persona/voice/STT now send the token via the WebSocket subprotocol or a {type:"auth"} first message instead of the URL query string. Unit-tested + charset-fallback-guarded, but the handshake/timing were not validated against a running server. Smoke-test persona live, voice chat, streaming transcription, and extension STT (and confirm no token= in the WS URL). This is the single change most likely to break a user-facing feature — validate or revert first.
- 'unsafe-inline' (H1 / task-12093): quick browser console check on the main routes + the dev error overlay to confirm nothing legit is blocked and the theme applies without a flash.

Continued work (deferred, with reasons — see the doc's table)

- task-12102 — TS-strict migration (blocked on ~66 pre-existing type errors; a real cleanup, not a flag flip).
- task-12108 — consolidate the 3 characterChatMode copies (the watchdog already shipped; full merge is a big refactor while chat is churning).
- 'unsafe-eval' (needs WASM/OCR browser verification); optional HSTS/report-uri/build-time hash.
- task-12103 — remove the extension/routes mirror (must migrate ~22 parity tests first).

Not introduced here

One pre-existing usePersonaLiveControl test failure predates all of this (confirmed on the base).

Suggested order: do the voice/STT smoke test first, then decide whether to keep or revert R3 before tackling the larger deferred items.
🤖 Generated with Claude Code
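The smoke-test check from the description above ("confirm no token= in the WS URL"), as an added example that is not part of this PR or the project's code: given captured WebSocket connections and the known test token, it reports whether the token reached the URL and which out-of-URL channel carried auth. The record shape, hosts, paths, token value and subprotocol layout are constructed assumptions.

```javascript
// Added example: where did the session token travel on each captured WebSocket?
// The record shape {url, subprotocols, firstMessage}, the parameter-name list and
// the subprotocol layout are assumptions for illustration, not the project's API.
const CREDENTIAL_PARAMS = new Set(["token", "access_token", "api_key", "apikey", "jwt"]);

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; } // malformed %-escapes
}

function auditWsConnection(conn, token) {
  const url = new URL(conn.url);
  const leaks = [];
  // 1. Credential-looking query parameter names, whatever their value.
  for (const name of url.searchParams.keys()) {
    if (CREDENTIAL_PARAMS.has(name.toLowerCase())) leaks.push(`param:${name}`);
  }
  // 2. The known test token anywhere in the URL, raw or percent-encoded.
  if (safeDecode(url.href).includes(token)) leaks.push("token-value-in-url");
  if (url.username || url.password) leaks.push("userinfo");
  // 3. Which out-of-URL channel carried the auth, if any.
  let channel = "none";
  if ((conn.subprotocols || []).some((p) => p.includes(token))) {
    channel = "subprotocol";
  } else if (typeof conn.firstMessage === "string") {
    try {
      const msg = JSON.parse(conn.firstMessage);
      if (msg && msg.type === "auth") channel = "first-message";
    } catch { /* non-JSON first frame: not an auth message */ }
  }
  return { url: conn.url, leaks, channel, ok: leaks.length === 0 && channel !== "none" };
}

function failingConnections(capture, token) {
  return capture.map((c) => auditWsConnection(c, token)).filter((r) => !r.ok);
}

// Constructed sample capture: hosts, paths and the token are made up.
const TEST_TOKEN = "tok_test_8f3a";
const SAMPLE_CAPTURE = [
  { url: "wss://app.example.test/ws/persona", subprotocols: ["bearer", "tok_test_8f3a"] },
  { url: "wss://app.example.test/ws/voice", subprotocols: [],
    firstMessage: '{"type":"auth","token":"tok_test_8f3a"}' },
  { url: "wss://app.example.test/ws/stt?token=tok_test_8f3a", subprotocols: [] },
  { url: "wss://app.example.test/ws/stt?t=tok%5Ftest%5F8f3a", subprotocols: [],
    firstMessage: '{"type":"auth","token":"tok_test_8f3a"}' },
];

for (const r of failingConnections(SAMPLE_CAPTURE, TEST_TOKEN)) {
  console.log(`FAIL ${r.url} leaks=[${r.leaks.join(", ")}] auth=${r.channel}`);
}
```

Matching on the token value as well as on parameter names catches a credential that was moved to a differently named or percent-encoded query parameter.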
Summary by cubic
Adds a checklist doc for the round-2 frontend audit follow-up. It lists the live validations (WS auth out of URL; CSP without 'unsafe-inline'), tracks deferred work (task-12113, task-12116, task-12108, task-12103), and updates all docs to reflect the TS-strict ticket renumbering to task-12116; no runtime changes.

Written for commit 5ec7168. Summary will update on new commits.