v0.51.2 — 3-PR follow-up + sidebar scroll hotfix#1682
Merged
Conversation
…1669 follow-up
PR #1669 added DOM virtualization to renderSessionListFromCache() with two issues for lists below the virtualization threshold (≤80 rows):
1. The unconditional scroll listener triggered renderSessionListFromCache() on every rAF, rebuilding the entire list DOM on every scroll event.
2. After each rebuild, scrollTop was only restored when virtualWindow.virtualized was true (i.e. total > 80). For lists ≤ 80 rows, scrollTop dropped to 0 on every scroll event, producing a 'scroll keeps jumping back' feel.
Fix:
- Always restore scrollTop after re-render when listScrollTopBeforeRender > 0 (regardless of virtualized flag).
- Short-circuit _scheduleSessionVirtualizedRender when total <= SESSION_VIRTUAL_THRESHOLD_ROWS (saves wasteful rebuild on small lists).
Live verified on a 56-session sidebar: scrollTop holds across animation frames. 3 regression tests pin the fix shape.
Per Opus advisor on stage-299:
1. Bounded WIKI_PATH walk + forbidden-root guard (api/routes.py)
- _LLM_WIKI_MAX_FILES = 10000 caps rglob iteration (prevents hangs on
symlink loops or pathologically-large trees)
- _LLM_WIKI_FORBIDDEN_ROOTS blocklist refuses '/' '/etc' '/usr' '/var'
'/opt' '/sys' '/proc' even if WIKI_PATH is misconfigured to point
at them
- Self-DoS prevention: /api/wiki/status fires on every Insights tab
open via Promise.all, and unbounded rglob would block the endpoint
2. URL-scheme guard for docs_url interpolation (static/panels.js)
- rawDocsUrl is regex-validated against /^https?:\/\//i before being
interpolated into the <a href=> attribute
- esc() HTML-escapes but doesn't validate URL scheme; docs_url is
server-controlled today but the contributor scaffolded it for
potential config-driven use, so future-proof against javascript:
scheme XSS
6 regression tests in tests/test_stage299_opus_fixes.py pin both fixes.
CHANGELOG.md: full v0.51.2 entry covering 3 PRs + sidebar scroll hotfix
ROADMAP.md: bump version + test count to 4457
TESTING.md: bump version + test count to 4457
Independent review: Opus advisor on stage-299 diff (1336 LOC). 6/6 verification questions verified clean. Verdict: SHIP. 0 MUST-FIX, 2 SHOULD-FIX absorbed in-release (bounded WIKI walk + URL scheme guard).
This was referenced May 5, 2026
v0.51.2 — 3-PR follow-up batch + #1669 scroll hotfix
P0 fix included: PR #1669 (sidebar virtualization in v0.51.0) introduced a regression where lists ≤80 sessions reset `scrollTop` to 0 on every scroll event. Live-confirmed broken on production v0.51.1 today; fix verified working on stage-299. 3 regression tests pin the fix.
Constituent PRs
These 3 were deferred from v0.51.1 yesterday because their branches predated the v0.51.0 Kanban v1 merge, producing multi-region conflicts in panels.js + style.css. All conflicts resolved surgically this release; both #1664 and #1662 rebased branches force-pushed back to contributor's fork preserving Co-authored-by attribution.
Pre-release verification
- `.js` files all parse clean.
- `.py` files all compile clean.
- `/health` probe: ALL CHECKS PASSED.
- `_isCliSession` correct across 6 input cases.
- Path traversal `?file=../../etc/passwd` returns HTTP 400.
Opus-applied fixes (absorbed in stage-299)
- `api/routes.py`: `_LLM_WIKI_MAX_FILES = 10000` cap on `rglob` iteration + `_LLM_WIKI_FORBIDDEN_ROOTS` blocklist (`/`, `/etc`, `/usr`, `/var`, `/opt`, `/sys`, `/proc`)
- `static/panels.js`: URL-scheme guard for `docs_url` (`/^https?:\/\//i.test(rawDocsUrl)`) before interpolation into `<a href=>`
Surgical conflict resolution highlights
- `_renderInsights` (with v0.51.1 chart enhancements from feat(insights): add daily token trends and model usage costs #1668): modified signature to add `wikiStatus` param, AND inserted contributor's two new wiki helper functions before it. Single `_renderInsights` definition verified.
- `'kanban'` AND `'logs'`: big additive region kept both master's Kanban switcher block AND contributor's Logs panel block.
- `_isReadOnlySession` / `_sourceKeyForSession` AND contributor's new `_isCliSession`.
Closes the gap from v0.51.1 deferrals.
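The bounded WIKI_PATH walk and forbidden-root guard are described twice above (the stage-299 commit message and the "Opus-applied fixes" list) but no code is shown. The following is an added example, not the project's routes.py: it keeps the two constant names from the page and treats everything else (function names, the `os.scandir` walk in place of `rglob`, the `(dev, inode)` dedup, the constructed temp tree with a symlink loop) as assumptions. `os.scandir` is used instead of `Path.rglob` so that symlink handling is explicit rather than dependent on the Python version.

```python
"""Bounded wiki-tree walk with a forbidden-root guard (added example).

Mirrors the shape of the stage-299 routes.py fix described on this page:
a cap on the number of files walked, and a blocklist of roots that
WIKI_PATH may never resolve to. Only the two constant names come from the
page; every other name here is an assumption.
"""
import os
import tempfile
from pathlib import Path

_LLM_WIKI_MAX_FILES = 10000
_LLM_WIKI_FORBIDDEN_ROOTS = ("/", "/etc", "/usr", "/var", "/opt", "/sys", "/proc")


class WikiPathError(ValueError):
    """WIKI_PATH resolves to a location the wiki scanner refuses to walk."""


def check_wiki_root(wiki_path):
    """Resolve WIKI_PATH and refuse it if it is one of the forbidden roots.

    Comparison is done on resolved paths so '/etc/../etc' or a symlinked
    '/var' cannot slip past a plain string compare. Only an exact match is
    refused, as the page describes; '/var/lib/wiki' is still allowed, which
    is why the file cap in scan_wiki matters even with this guard in place.
    """
    root = Path(wiki_path).resolve()
    forbidden = {Path(p).resolve() for p in _LLM_WIKI_FORBIDDEN_ROOTS}
    if root in forbidden:
        raise WikiPathError(f"WIKI_PATH {wiki_path!r} resolves to forbidden root {root}")
    return root


def scan_wiki(root, max_files=_LLM_WIKI_MAX_FILES):
    """Count regular files under root, stopping after max_files.

    Symlinks are never followed (loops and links out of the tree are the
    hang and escape vectors), and directories are deduplicated by
    (device, inode) as a second line of defence. Returns the file count
    and whether the cap cut the walk short.
    """
    count = 0
    seen = set()
    stack = [Path(root)]
    while stack:
        directory = stack.pop()
        try:
            st = directory.stat()
        except OSError:
            continue
        key = (st.st_dev, st.st_ino)
        if key in seen:
            continue
        seen.add(key)
        try:
            with os.scandir(directory) as it:
                entries = list(it)
        except OSError:
            continue
        for entry in entries:
            if entry.is_symlink():
                continue
            if entry.is_dir(follow_symlinks=False):
                stack.append(Path(entry.path))
            elif entry.is_file(follow_symlinks=False):
                if count >= max_files:
                    # This would be file number max_files + 1: stop and report it.
                    return {"files": count, "truncated": True}
                count += 1
    return {"files": count, "truncated": False}


def forbidden_root_demo():
    """Constructed WIKI_PATH candidates: which ones the guard accepts."""
    results = {}
    for candidate in ("/", "/etc/../etc", "/var/lib/wiki"):
        try:
            check_wiki_root(candidate)
            results[candidate] = "ok"
        except WikiPathError:
            results[candidate] = "refused"
    return results


def scan_demo():
    """Constructed tree: 6 files plus a symlink loop (wiki/a/b/loop -> wiki/a)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wiki"
        (root / "a" / "b").mkdir(parents=True)
        for i in range(5):
            (root / "a" / f"note{i}.md").write_text("# note\n")
        (root / "a" / "b" / "deep.md").write_text("# deep\n")
        try:
            os.symlink(root / "a", root / "a" / "b" / "loop")
        except OSError:
            pass  # platforms without symlink support: the cap still applies
        return scan_wiki(root), scan_wiki(root, max_files=3)


if __name__ == "__main__":
    print(forbidden_root_demo())
    print(scan_demo())
```

With the loop in place an unbounded, symlink-following walk never terminates, which is the `/api/wiki/status` self-DoS the commit message describes; here the symlink is skipped and the count is 6, and with the cap lowered to 3 the result reports `truncated` so the status endpoint can say "at least 3" rather than block.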
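The `docs_url` scheme guard is likewise described in both the commit message and the fixes list: `esc()` HTML-escapes but does not validate the scheme, so the page adds `/^https?:\/\//i` in static/panels.js. The project's guard is JavaScript; this added example applies the same allowlist in Python, on the assumption that the server that produces `docs_url` validates it too. It is not the project's code, the function names and the sample URLs are constructed, and it goes slightly beyond the page by showing the inputs a `javascript:` blocklist would miss.

```python
"""URL-scheme allowlist for docs_url before it reaches <a href=> (added example).

The page's guard is the JavaScript regex /^https?:\\/\\//i in static/panels.js.
This Python mirror is an assumed server-side second layer; only the name
docs_url comes from the page. It also shows why esc()-style HTML escaping
on its own does not neutralise a javascript: URL.
"""
import html
import re

# Allowlist: only absolute http(s) URLs may be interpolated into href.
_HTTP_URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def escape_only(raw):
    """The esc()-style step by itself: attribute-safe text, scheme untouched."""
    return html.escape(raw, quote=True)


def safe_docs_href(raw):
    """Return an escaped href value, or None if the scheme is not http(s).

    This is an allowlist, deliberately not a blocklist of 'javascript:':
    browsers accept mixed case, leading whitespace and embedded tabs or
    newlines in the scheme, and data: or vbscript: are just as unsafe.
    """
    if not isinstance(raw, str) or not _HTTP_URL_RE.match(raw):
        return None
    return escape_only(raw)


def render_docs_link(raw):
    """Emit the anchor only when the href passed the allowlist; otherwise nothing."""
    href = safe_docs_href(raw)
    if href is None:
        return ""
    return f'<a href="{href}">docs</a>'


# Constructed inputs covering the allowlist's edge cases (not from the page).
SAMPLE_DOCS_URLS = [
    "https://example.com/docs",
    "HTTP://example.com/docs",
    "javascript:alert(1)",
    "JaVaScRiPt:alert(1)",
    " javascript:alert(1)",
    "java\tscript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "//evil.example/docs",
    'https://example.com/docs?q="><img src=x onerror=alert(1)>',
]


def classify(urls=SAMPLE_DOCS_URLS):
    """Map each sample to whether a link would be rendered for it."""
    return {u: render_docs_link(u) != "" for u in urls}


if __name__ == "__main__":
    for url, rendered in classify().items():
        print(f"{rendered!s:5} {url!r} -> {render_docs_link(url) or '(omitted)'}")
```

The last sample shows why both steps stay: the scheme is allowed, so the link is emitted, but the quote and angle brackets are escaped by `html.escape` so the value cannot break out of the attribute. The first check protects against a dangerous scheme; the second against attribute injection; neither replaces the other.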