tests/test_session_lineage_collapse.py invokes 'node -e <source>' where
<source> embeds the entire static/sessions.js content. Linux's
MAX_ARG_STRLEN is 131,072 bytes per argv arg; sessions.js plus the test
scaffolding now exceeds that limit, producing OSError(Argument list too
long).
Switching to 'node' with source via stdin removes the limit. No behavioral
change to the tests themselves — they still exercise the same JS functions
on the same input data.
Per Opus advisor on stage-299:
1. Bounded WIKI_PATH walk + forbidden-root guard (api/routes.py)
- _LLM_WIKI_MAX_FILES = 10000 caps rglob iteration (prevents hangs on
symlink loops or pathologically-large trees)
- _LLM_WIKI_FORBIDDEN_ROOTS blocklist refuses '/' '/etc' '/usr' '/var'
'/opt' '/sys' '/proc' even if WIKI_PATH is misconfigured to point
at them
- Self-DoS prevention: /api/wiki/status fires on every Insights tab
open via Promise.all, and unbounded rglob would block the endpoint
2. URL-scheme guard for docs_url interpolation (static/panels.js)
- rawDocsUrl is regex-validated against /^https?:\/\//i before being
interpolated into the <a href=> attribute
- esc() HTML-escapes but doesn't validate URL scheme; docs_url is
server-controlled today but the contributor scaffolded it for
potential config-driven use, so future-proof against javascript:
scheme XSS
6 regression tests in tests/test_stage299_opus_fixes.py pin both fixes.
PR #1669 added DOM virtualization to renderSessionListFromCache() with two issues
for lists below the virtualization threshold (≤80 rows):
1. The unconditional scroll listener triggered renderSessionListFromCache() on
every rAF, rebuilding the entire list DOM on every scroll event.
2. After each rebuild, scrollTop was only restored when virtualWindow.virtualized
was true (i.e. total > 80). For lists ≤ 80 rows, scrollTop dropped to 0 on
every scroll event, producing a 'scroll keeps jumping back' feel.
Fix:
- Always restore scrollTop after re-render when listScrollTopBeforeRender > 0
(regardless of virtualized flag).
- Short-circuit _scheduleSessionVirtualizedRender when total <=
SESSION_VIRTUAL_THRESHOLD_ROWS (saves wasteful rebuild on small lists).
Live verified on a 56-session sidebar: scrollTop holds across animation frames.
3 regression tests pin the fix shape.
CHANGELOG.md: full v0.51.1 entry covering all 11 constituent PRs
ROADMAP.md: bump version + test count to 4429
TESTING.md: bump version + test count to 4429
Independent review: Opus advisor on stage-298 diff (4749 LOC).
6/6 security/correctness questions verified clean. Verdict: SHIP.
0 MUST-FIX, 0 SHOULD-FIX. Two polish notes deferred to follow-up.
Nathan Esquenazi