mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-04 06:30:29 +00:00
da5bf69aee
* fix(sidebar): hoist _sessionAttentionState to top-level scope (#3696) _sessionAttentionState was declared inside renderSessionListFromCache() and relied on function hoisting, but the top-level function _sidebarRowHasVisible Messages (reached via renderSessionListFromCache -> _partitionSidebarSessionRows) called it bare. Hoisting is scoped to the enclosing function, so every sidebar cache-render threw 'ReferenceError: _sessionAttentionState is not defined' and the session list went blank. Regressed in #3672 (v0.51.269) when _sidebarRow HasVisibleMessages was extracted to top level. Fix: move _sessionAttentionState to top-level scope (it is pure — only uses its arg plus the i18n global t), so both the visibility predicate and the nested per-row renderer can reach it. Prevention (the durable half): add scripts/scope_undef_gate.py — models the classic-<script> shared global scope (union of all static files' top-level symbols) and runs ESLint no-undef per file, flagging a function defined nested but called from a sibling scope. Wired into CI (.github/workflows/tests.yml lint job) alongside the existing no-const-assign runtime gate, plus an in-suite test (test_static_js_scope_undef.py) and a focused structural regression test (test_issue3696_session_attention_scope.py). RED/GREEN-validated against the broken tree. * fix(streaming): thread source param into stale-stream bailout; tighten scope gate Opus review of #3698 found the new scope_undef_gate's 'source' allowlist entry was masking a real same-class bug: _bailOutOfTerminalEventsFromStaleStream (declared inside attachLiveStream, params activeSid/streamId/uploaded/options) called _closeSource(source) against a 'source' not in its lexical scope. All 5 call sites are inside _wireSSE(source), but JS scope is lexical not dynamic, so the helper would throw ReferenceError: source is not defined on the stale-stream terminal-event path (user back in an active session whose old stream finalizes late). Fix: thread source as an explicit parameter (declaration + all 5 call sites), the same make-the-dependency-explicit fix as #3696 — and REMOVE the 'source' allowlist entry so the gate stays gated against that name (it now passes because the bug is fixed, not because it's allowlisted). Added the documented false-negative classes from Opus's review to the gate docstring (name-collision shadowing, destructuring-regex gap, exposure escape hatches, name-keyed allowlist) and a focused regression test. This is the prevention gate catching a real latent bug on its first outing. --------- Co-authored-by: nesquena-hermes <nesquena-hermes@users.noreply.github.com>