feat: add spec pages, catalog, and interactive views

[MarkusNeusinger]

Summary

• Spec Pages (/:specId/:library): Individual pages for each spec/library with code, specification, implementation, and quality tabs
• Catalog Page (/catalog): Alphabetically sorted list of all specs with thumbnail rotation
• Interactive Page (/interactive/:specId/:library): Fullscreen interactive HTML view with auto-scaling
• HTML Proxy (/proxy/html): Backend endpoint to inject size reporting script into HTML plots
• Layout Component: Shared layout with breadcrumb navigation and persistent state across pages
• Analytics: Pageview tracking for catalog/interactive, tab click events
• Sitemap Update: New URL structure (/, /catalog, /{spec_id})
• Cleanup: Removed dead FullscreenModal code, fixed TypeScript/Ruff issues, updated tests

New Components

• SpecPage.tsx - Main spec detail view with image, tabs, and library pills
• CatalogPage.tsx - Alphabetical spec listing with rotating thumbnails
• InteractivePage.tsx - Fullscreen interactive plot viewer
• SpecTabs.tsx - Code/Spec/Impl/Quality tabbed content
• LibraryPills.tsx - Horizontal scrollable library selector
• Layout.tsx - Shared layout with data providers

Test plan

• TypeScript compiles without errors
• Ruff linting passes
• All unit tests pass
• Manual testing of new pages

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR implements a complete routing overhaul, transitioning from a modal-based single-page application to a multi-page architecture using react-router-dom. It adds three main pages (spec details, catalog, and interactive viewer), removes the fullscreen modal component, introduces persistent state management for navigation preservation, and adds a backend HTML proxy endpoint for interactive plot rendering with auto-scaling support.

Key Changes:

• Replaced modal-based spec viewing with dedicated spec detail pages (/:specId/:library)
• Added catalog page (/catalog) with alphabetically sorted specs and thumbnail rotation
• Implemented fullscreen interactive HTML viewer (/interactive/:specId/:library) with auto-scaling
• Created shared Layout component with global data providers and persistent home state

Reviewed changes

Copilot reviewed 24 out of 26 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
app/src/router.tsx	Defines new route structure with Layout wrapper and separate interactive route
app/src/main.tsx	Updates entry point to use AppRouter instead of App component
app/src/pages/SpecPage.tsx	New spec detail page with tabs for code/spec/implementation/quality
app/src/pages/CatalogPage.tsx	New alphabetical spec listing with image rotation and navigation
app/src/pages/InteractivePage.tsx	New fullscreen interactive plot viewer with iframe scaling
app/src/pages/HomePage.tsx	Refactored to use router navigation and persistent state context
app/src/components/Layout.tsx	Shared layout with AppDataProvider and HomeState context for persistence
app/src/components/SpecTabs.tsx	Tabbed interface for spec details with syntax highlighting
app/src/components/LibraryPills.tsx	Horizontal library selector carousel with quality scores
app/src/components/FilterBar.tsx	Added catalog link and sticky header styling
app/src/components/SpecAccordions.tsx	Accordion-based spec viewer (appears unused)
app/src/hooks/useFilterState.ts	Enhanced with persistent state and deterministic shuffling
app/src/hooks/useAnalytics.ts	Added urlOverride parameter for custom pageview tracking
app/src/components/FullscreenModal.tsx	Removed - replaced by dedicated pages
api/routers/proxy.py	New HTML proxy endpoint that injects size reporting script
api/routers/specs.py	Added review fields to spec detail response
api/routers/seo.py	Updated sitemap to new URL structure (/, /catalog, /{spec_id})
api/schemas.py	Extended schemas with review and timestamp fields
tests/unit/api/test_routers.py	Updated tests for new URL format and mock data types

Comments suppressed due to low confidence (1)

app/src/pages/HomePage.tsx:72

• The scroll restoration effect lacks proper cleanup and has a potential memory leak. If the component unmounts before requestAnimationFrame executes, the callback will still attempt to execute with stale data. Add a cleanup function to cancel the animation frame and add a mounted ref to prevent state updates after unmount.

[Copilot]

The postMessage uses '*' as the target origin, which allows any website to receive the size data if it embeds this iframe. This is a security risk as it could leak information about plot dimensions to malicious sites. Consider using a specific origin (e.g., window.location.origin or a configured allowed origin) instead of the wildcard.

Suggested change

	// Send to parent
	if (width > 0 && height > 0) {
	window.parent.postMessage({
	type: 'pyplots-size',
	width: Math.ceil(width),
	height: Math.ceil(height)
	}, '*');
	// Determine the target origin for postMessage: prefer parent page origin from document.referrer
	var targetOrigin = window.location.origin;
	if (document.referrer) {
	try {
	var refUrl = new URL(document.referrer);
	targetOrigin = refUrl.origin;
	} catch (e) {
	// If parsing fails, keep the safer default of window.location.origin
	}
	}
	// Send to parent
	if (width > 0 && height > 0) {
	window.parent.postMessage({
	type: 'pyplots-size',
	width: Math.ceil(width),
	height: Math.ceil(height)
	}, targetOrigin);

[Copilot]

Missing validation for the message origin in the event handler. An attacker could send spoofed size messages from a malicious website. Add origin validation by checking that event.origin matches the expected API URL before processing the message data.

[Copilot]

The SpecAccordions.tsx component is defined but never appears to be used in the codebase. This is dead code that should either be removed or integrated into the application. The newer SpecTabs.tsx component seems to serve a similar purpose and is actually being used in the SpecPage.

[Copilot]

The image click handler in the catalog stops event propagation when the description is not expanded, but this prevents the navigation to the spec page that's defined on the parent Link element. Users who click on a collapsed description expecting to navigate to the spec page will instead just expand the description, which breaks the expected navigation behavior. Consider using separate clickable areas for expand vs navigate, or allow both actions.

Suggested change

	onClick={(e) => {
	if (!expandedDescs[spec.id]) {
	e.preventDefault();
	e.stopPropagation();
	onClick={() => {
	if (!expandedDescs[spec.id]) {

[Copilot]

The timeout value of 30 seconds for fetching HTML from GCS is quite long and could lead to poor user experience if the storage is slow or unavailable. Most interactive HTML files should load much faster. Consider reducing this to 10 seconds or making it configurable. Also consider adding retry logic for transient failures.

[Copilot]

The persistent state restoration logic has a race condition. The state is initialized from homeStateRef.current.initialized, but this ref is updated asynchronously via useEffect in the Layout component. If the HomePage mounts before the Layout's effect runs, the state won't be properly restored. Consider using a synchronous initialization pattern or adding guards to ensure the ref is updated before child components attempt to read from it.

[Copilot]

The HTML proxy endpoint only validates that URLs start with the allowed bucket path, but this doesn't prevent path traversal attacks. An attacker could craft a URL like https://storage.googleapis.com/pyplots-images/../other-bucket/malicious.html which would pass the validation but potentially access files outside the intended bucket. Consider using URL parsing to validate the bucket name more strictly.

[Copilot]

The Layout component combines both a data provider (AppDataProvider) and a layout component (Layout) with the same name prefix, which could be confusing. The AppDataProvider is actually wrapping the entire router (including InteractivePage which is outside Layout), while Layout is only for standard pages. Consider renaming for clarity, e.g., AppDataProvider → GlobalDataProvider and Layout → StandardPageLayout.

[Copilot]

The seeded random number generator implementation has a potential issue. The seed is modified in place with seed +=, which means the function returns a closure that maintains state between calls. However, if the same seed is used to create multiple generators, they will all share the same state due to the closure over the same seed variable. Consider using a local variable copy to avoid unintended state sharing.

[Copilot]

Inconsistent indentation detected. Lines 118-125 use 12-space indentation while the rest of the file uses consistent formatting. This appears to be a formatting error that should be fixed by running the linter.

[codecov]

Codecov Report

❌ Patch coverage is 38.88889% with 33 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
api/routers/proxy.py	25.00%	33 Missing ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Copilot reviewed 23 out of 25 changed files in this pull request and generated 14 comments.

[Copilot]

Missing accessibility attributes for the breadcrumb navigation. The breadcrumb should include ARIA attributes like aria-label="Breadcrumb" on the container and potentially aria-current="page" on the last item to help screen reader users understand the navigation hierarchy.

[Copilot]

The image click handler in the catalog lacks keyboard accessibility. Users navigating with keyboard cannot trigger the rotation functionality. Add keyboard event handlers (onKeyDown/onKeyPress) to support Enter and Space keys for rotation, and ensure the element has a proper role and tabindex for keyboard focus.

[Copilot]

The description expansion click handler prevents default behavior and stops propagation, but this element is nested inside a Link component. When the description is not expanded, clicking it should both expand the description AND prevent navigation. However, the current implementation may have unexpected behavior.

Consider restructuring so the clickable description area is not nested within the Link, or ensure the event handling logic is clear about the intended UX flow.

[Copilot]

Using Math.random() for selecting the initial library implementation creates non-deterministic behavior that makes the page non-cacheable and difficult to test. Consider using a deterministic selection method (e.g., first alphabetically sorted implementation) or deriving the selection from the spec_id hash for consistency across page loads.

Suggested change

	// Pick random implementation
	const randomIdx = Math.floor(Math.random() * data.implementations.length);
	const randomLib = data.implementations[randomIdx].library_id;
	setSelectedLibrary(randomLib);
	// Update URL to include the library (without adding to history)
	if (!urlLibrary) {
	navigate(`/${specId}/${randomLib}`, { replace: true });
	// Pick deterministic implementation: first by alphabetical library_id
	const sortedImplementations = [...data.implementations].sort((a, b) =>
	a.library_id.localeCompare(b.library_id),
	);
	const defaultLib = sortedImplementations[0].library_id;
	setSelectedLibrary(defaultLib);
	// Update URL to include the library (without adding to history)
	if (!urlLibrary) {
	navigate(`/${specId}/${defaultLib}`, { replace: true });

[Copilot]

The search input is missing a label element. While it has a placeholder and aria-label, best practice for accessibility is to also include a visible or visually-hidden label element associated with the input via the htmlFor attribute pointing to the input's id.

[Copilot]

The safe character validation allows the "+" character but this may not be intended for GCS URLs. The comment says "alphanumeric, hyphens, underscores, dots, slashes" but the actual check includes "+". This could be a security issue if "+" has special meaning in URL contexts that could be exploited.

Either remove "+" from the allowed characters or update the comment to document why it's included.

Suggested change

	# Validate path contains only safe characters (alphanumeric, hyphens, underscores, dots, slashes)
	# Validate path contains only safe characters (alphanumeric, hyphens, underscores, dots, slashes, plus)

[Copilot]

Missing accessibility attributes for the breadcrumb navigation. The breadcrumb should include ARIA attributes like aria-label="Breadcrumb" on the container and potentially aria-current="page" on the last item to help screen reader users understand the navigation hierarchy.

[Copilot]

Missing accessibility attributes for the breadcrumb navigation. The breadcrumb should include ARIA attributes like aria-label="Breadcrumb" on the container and potentially aria-current="page" on the last item to help screen reader users understand the navigation hierarchy.

[Copilot]

The persistent state restoration logic could lead to stale data being displayed. The state is only skipped on the first mount if filters match, but if the user navigates away and back, the data could be outdated. Consider adding a timestamp to the persisted state and invalidating it after a certain period, or refetch in the background to ensure data freshness.

[Copilot]

The deterministic shuffle seed is based on a hash of the filter state JSON, but object property order in JavaScript objects is not guaranteed in older implementations. While modern JS engines maintain insertion order, using JSON.stringify for hashing could produce different results for semantically identical filter states with different property orders.

Consider sorting the object keys before stringifying or using a more robust serialization method to ensure consistent hashing across different scenarios.