Task 06: Reader Pipeline Workflow

[nonnil]

Summary

Implements the /memories/:id reader workflow for TRA-7:

• Adds a server-side reader loader that reads SQLite metadata and CONTENT.md through the existing repository/store contracts.
• Adds a curated markdown rendering pipeline with sanitized HTML output and table-of-contents metadata.
• Adds a read-only Solid reader route and reader component styling.
• Adds focused renderer/page-data tests plus a Playwright smoke fixture for the reader route.

Markdown libraries chosen

• markdown-it for Markdown/GFM-style tables, strikethrough, lists, links, and code fences.
• markdown-it-footnote for footnote syntax.
• markdown-it-anchor for deterministic heading IDs.
• highlight.js for fenced-code syntax highlighting.
• sanitize-html for the final HTML allowlist.

Sanitization allowlist

The renderer allows common Markdown output tags, heading id attributes, safe link/image attributes, code highlighting classes, footnote classes, and persisted highlight markers via mark[data-highlight-id].

Controlled embeds are limited to HTTPS iframe sources from YouTube/YouTube NoCookie and Vimeo embed hosts. Scripts, event handlers, javascript: URLs, and non-allowlisted iframe sources are removed.

E2E fixture

The Playwright reader smoke uses fixture memory 018f04a2-3c6f-7c88-9a8b-8c99a9b7f101 and writes its ignored config/store/database under .trauma/e2e before visiting /memories/:id.

Validation

• TMPDIR=$PWD/.tmp/bun-tmp BUN_INSTALL_CACHE_DIR=$PWD/.tmp/bun-cache MISE_TRUSTED_CONFIG_PATHS=$PWD/mise.toml mise exec -C . -- bun run typecheck - passed.
• TMPDIR=$PWD/.tmp/bun-tmp BUN_INSTALL_CACHE_DIR=$PWD/.tmp/bun-cache MISE_TRUSTED_CONFIG_PATHS=$PWD/mise.toml mise exec -C . -- bun run test - passed, 6 files / 31 tests.
• TMPDIR=$PWD/.tmp/bun-tmp BUN_INSTALL_CACHE_DIR=$PWD/.tmp/bun-cache MISE_TRUSTED_CONFIG_PATHS=$PWD/mise.toml mise exec -C . -- bun run build - passed.
• git diff --check - passed.
• TMPDIR=$PWD/.tmp/bun-tmp BUN_INSTALL_CACHE_DIR=$PWD/.tmp/bun-cache MISE_TRUSTED_CONFIG_PATHS=$PWD/mise.toml mise exec -C . -- bun run test:e2e - blocked by sandbox before page load: Chromium fails to launch with bootstrap_check_in org.chromium.Chromium.MachPortRendezvousServer... Permission denied (1100).

Pre-push also reran typecheck, test, and build successfully.

Summary by CodeRabbit

Release Notes

• New Features

  • Added reader mode for viewing formatted memory content with syntax highlighting and syntax highlighting
  • Added memory detail pages with table of contents navigation
  • Implemented content sanitization for safe HTML rendering

• Tests

  • Added comprehensive end-to-end and unit tests for reader functionality

[coderabbitai]

Warning

Rate limit exceeded

@nonnil has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 40 minutes and 13 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0f81f2bb-d893-4abc-b028-143b0355ecde

📥 Commits

Reviewing files that changed from the base of the PR and between 0c82991 and ee397cc.

📒 Files selected for processing (17)

• docs/references/coding-standards/drizzle-sqlite.md
• docs/references/coding-standards/review-learnings.md
• docs/references/coding-standards/security-boundaries.md
• docs/references/coding-standards/solidstart-ui.md
• e2e/reader.spec.ts
• src/components/reader/MemoryReader.tsx
• src/components/reader/route-state.ts
• src/routes/memories/[id].tsx
• src/server/db/bundled-migrations.ts
• src/server/db/connection.ts
• src/server/reader/markdown-renderer.ts
• src/server/reader/page-data.ts
• src/styles/app.css
• src/types/raw-assets.d.ts
• tests/server/db/schema.test.ts
• tests/server/reader/markdown-renderer.test.ts
• tests/server/reader/route-state.test.ts

📝 Walkthrough

Walkthrough

This PR introduces a complete "Reader mode" feature for viewing archived memories. It adds server-side Markdown rendering with HTML sanitization, table-of-contents generation, a new route to display individual memories, UI components with responsive styling, and comprehensive tests including end-to-end verification.

Changes

Memory Reader Feature

Layer / File(s)	Summary
Reader Types & Contracts src/server/reader/page-data.ts, src/server/reader/markdown-renderer.ts	Exports ReaderMemoryResult discriminated union, ReaderMemory shape, LoadReaderMemoryOptions, RenderedMemoryMarkdown, and ReaderTocEntry to define contracts for loading and rendering memories.
Markdown Rendering & Sanitization src/server/reader/markdown-renderer.ts	Configures markdown-it with syntax highlighting via highlight.js, footnotes, heading anchors, and task-list plugin. Sanitizes HTML via sanitize-html with custom transformers for links, iframes, images, task checkboxes, and highlight marks. Validates iframe sources against an approved hostname list.
Database Connection & Memory Loading src/server/db/connection.ts, src/server/reader/page-data.ts, tests/server/reader/page-data.test.ts	Updates migrations folder resolution to check runtime availability via defaultMigrationsFolder(). loadReaderMemory fetches memory from database, reads markdown content, renders it, and returns typed success/error results with proper error handling and connection cleanup. Test suite validates success, not found, missing content, and unavailable states.
Route State Helpers src/routes/memories/reader-route-state.ts, tests/server/reader/route-state.test.ts	titleForReaderResult formats page titles from memory metadata. readerHttpStatusCode maps reader error statuses to HTTP codes (404 for not found/missing content, 503 for unavailable). Test cases cover default titles, composed titles, and status code mappings.
URL Safety Utilities src/components/reader/source-url.ts, tests/server/reader/source-url.test.ts	toSafeReaderSourceHref validates memory source URLs, allowing only http:// and https:// protocols. Test cases verify safe URLs pass through and unsafe/invalid inputs return undefined.
Memory Reader Route src/routes/memories/[id].tsx	Dynamic route that loads memory via server query getReaderMemory, sets document title conditionally, renders HTTP status codes when applicable, and displays reader body with loading fallback.
Reader UI Components src/components/reader/MemoryReader.tsx	MemoryReader conditionally renders loading/error state or ready view. ReadyMemoryReader displays title, optional safe source link, table of contents, and rendered HTML. ReaderState shows error messages. ReaderToc renders navigable heading list.
Reader Page Styling src/styles/app.css	Complete reader layout CSS: two-column grid with sticky TOC, responsive collapse below 920px to single column, full content typography (headings, links, images, tables, code, marks), and reduced padding below 640px.
Configuration & Dependencies app.config.ts, package.json, playwright.config.ts	app.config.ts adds Bun/Drizzle module tracing. package.json adds highlight.js, markdown-it, markdown-it-anchor, markdown-it-footnote, sanitize-html and type packages. playwright.config.ts configures test server to use built output with PORT and TRAUMA_CONFIG_PATH environment variables.
End-to-End Test e2e/reader.spec.ts	Creates reader fixture by spawning Bun to generate config, initialize database, insert memory, and write markdown with highlight markup. Navigates to reader page, verifies UI elements, clicks "Details" link, and asserts highlight content is rendered.
Markdown Rendering Tests tests/server/reader/markdown-renderer.test.ts	Validates TOC and markdown-to-HTML features (links, strikethrough, task lists, tables, code highlighting, footnotes). Asserts security sanitization removes unsafe HTML while preserving highlight <mark> tags. Ensures only approved iframe embeds are rendered.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• hauntedfail/Trauma#1: Both PRs modify the database initialization and migrations folder resolution in src/server/db/connection.ts.

Poem

🐰 A reader shows the archived way,
With markdown bold and highlights' sway,
The table hops from top to base,
While sanitized content finds its place,
Memory dancing through HTML's grace! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Task 06: Reader Pipeline Workflow' is vague and process-oriented, referring to a task identifier rather than describing the actual change being made.	Consider revising to a more specific title that describes the core feature, such as 'Add reader view for archived memories' or 'Implement /memories/:id reader route with markdown rendering'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch symphony/tra-7-reader-pipeline

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 67490eb2a1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 96eecb98a6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (5)

tests/server/reader/route-state.test.ts (1)

36-56: ⚡ Quick win

Consider adding a test case for the ready state.

The test suite covers error states returning HTTP status codes, but doesn't verify that a "ready" result returns undefined (no error status). While not critical, it would complete the coverage.

📝 Suggested additional test case

  it("maps reader error results to HTTP status codes", () => {
    expect(readerHttpStatusCode(undefined)).toBeUndefined();
+   expect(
+     readerHttpStatusCode({
+       status: "ready",
+       memory: { /* minimal ready result */ },
+       content: { relativePath: "..." },
+       rendered: { html: "", toc: [] },
+     }),
+   ).toBeUndefined();
    expect(
      readerHttpStatusCode({

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/server/reader/route-state.test.ts` around lines 36 - 56, Add a test
asserting that a successful/ready reader result maps to no HTTP error: call
readerHttpStatusCode with a result object whose status is "ready" (include a
representative message or metadata) and expect the return to be undefined;
update the test in route-state.test.ts alongside the existing cases so
readerHttpStatusCode({ status: "ready", message: "Ready for reading." }) is
asserted toBeUndefined().

e2e/reader.spec.ts (2)

24-145: ⚡ Quick win

Consider extracting the shared Bun-resolution helpers.

resolveBunExecutable, isBunExecutable, and canAccess are duplicated between this file and tests/server/reader/page-data.test.ts. A small shared helper module (e.g., tests/_helpers/bun-executable.ts) would prevent the two copies from drifting (the constants/paths already differ slightly between them).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/reader.spec.ts` around lines 24 - 145, Extract the duplicated Bun
resolver helpers into a single shared module and update both specs to import
them: move resolveBunExecutable, isBunExecutable, and canAccess (and any
candidate paths/constants like the bun install path or BUN_EXECUTABLE handling)
into a new tests/_helpers/bun-executable.ts, export those functions, and replace
the local implementations in e2e/reader.spec.ts and
tests/server/reader/page-data.test.ts with imports from that helper so both
files use the same logic.

---

122-145: 💤 Low value

Dead code in resolveBunExecutable candidates list (mirrors tests/server/reader/page-data.test.ts).

Same issue: line 129 (process.versions.bun !== undefined ? process.execPath : undefined) is unreachable because of the early return at lines 123-125.

♻️ Proposed cleanup

   const candidates = [
     process.env.BUN_EXECUTABLE,
-    process.versions.bun !== undefined ? process.execPath : undefined,
     `${homedir()}/.local/share/mise/installs/bun/1.3.13/bin/bun`,
     process.env.npm_execpath,
     "bun",
   ];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/reader.spec.ts` around lines 122 - 145, The candidates array in
resolveBunExecutable contains a redundant entry "process.versions.bun !==
undefined ? process.execPath : undefined" that is unreachable because
resolveBunExecutable already returns early when process.versions.bun is defined;
remove that ternary element from the candidates list so the array only contains
viable alternatives (e.g., process.env.BUN_EXECUTABLE, the homedir path,
process.env.npm_execpath, and "bun"), keeping the early-return logic in
resolveBunExecutable unchanged.

tests/server/reader/page-data.test.ts (1)

190-213: 💤 Low value

Dead code in resolveBunExecutable candidates list.

Line 197 (process.versions.bun !== undefined ? process.execPath : undefined) is unreachable: the early return at lines 191-193 already covers that condition, so by the time we build candidates we know process.versions.bun === undefined, making this entry always undefined.

♻️ Proposed cleanup

   const candidates = [
     process.env.BUN_EXECUTABLE,
-    process.versions.bun !== undefined ? process.execPath : undefined,
     join(homedir(), ".local/share/mise/installs/bun/1.3.13/bin/bun"),
     process.env.npm_execpath,
     "bun",
   ];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/server/reader/page-data.test.ts` around lines 190 - 213, The candidates
array in resolveBunExecutable contains a redundant entry "process.versions.bun
!== undefined ? process.execPath : undefined" which is unreachable because the
function already returns when process.versions.bun !== undefined; remove that
conditional entry from the candidates list (keep other candidates like
process.env.BUN_EXECUTABLE, the homedir path, process.env.npm_execpath, and
"bun") and ensure the rest of the logic (find, isBunExecutable, canAccess, and
the final throw) remains unchanged.

src/server/reader/markdown-renderer.ts (1)

292-307: 💤 Low value

Optional: tighten the Vimeo embed path check.

For www.youtube.com/www.youtube-nocookie.com the pathname is required to start with /embed/, but player.vimeo.com is allowed on any path. Since player.vimeo.com is dedicated to embeds in practice, this is acceptable, but adding url.pathname.startsWith("/video/") || url.pathname.startsWith("/event/") for Vimeo would mirror the YouTube tightness and reject anomalous paths.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/server/reader/markdown-renderer.ts` around lines 292 - 307, The
isAllowedIframeSource function currently allows player.vimeo.com on any path;
tighten it by requiring Vimeo embed paths to match expected prefixes: change the
return condition in isAllowedIframeSource (referencing ALLOWED_IFRAME_HOSTNAMES
and url.hostname) so that for www.youtube.com and www.youtube-nocookie.com you
still require url.pathname.startsWith("/embed/"), and for player.vimeo.com
require the pathname to start with one of the valid Vimeo embed prefixes (e.g.
url.pathname.startsWith("/embed/") || url.pathname.startsWith("/video/") ||
url.pathname.startsWith("/event/")), returning false otherwise.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app.config.ts`:
- Around line 3-18: The config uses an invalid Solid Start option
server.externals.traceInclude; replace it with the appropriate supported option
depending on intent: if you want Rollup to treat drizzle-orm/bun-sqlite as
external (prevent bundling), move the array into server.rollupConfig.external;
if you want Nitro to include/traces those deps during build, move the array into
server.traceDeps; update the property name(s) and keep the same string patterns
(originally listed under server.externals.traceInclude) so the
drizzle-orm/bun-sqlite entries are recognized by Solid Start.

In `@src/server/reader/page-data.ts`:
- Around line 72-98: The catch is too broad because the `error instanceof Error`
branch swallows every unexpected failure; update the catch to only handle known
types (`MemoryContentStoreError` with `code === "missing_content"` and
`TraumaConfigError` and other specific MemoryContentStoreError cases) and remove
the `error instanceof Error` arm so unknown errors propagate; for unexpected
values, log the full error (e.g., via your logger or `console.error`) including
message and stack before rethrowing to preserve diagnostics; keep the existing
`finally { connection?.close(); }` behavior.

In `@src/styles/app.css`:
- Around line 293-296: The font-family declaration in the .reader-content code
selector uses quoted SFMono-Regular which violates the font-family-name-quotes
rule; update the font-family value for the .reader-content code rule to remove
the quotes around SFMono-Regular (leave other family names and the monospace
fallback unchanged) so it becomes SFMono-Regular, Consolas, "Liberation Mono",
monospace.

---

Nitpick comments:
In `@e2e/reader.spec.ts`:
- Around line 24-145: Extract the duplicated Bun resolver helpers into a single
shared module and update both specs to import them: move resolveBunExecutable,
isBunExecutable, and canAccess (and any candidate paths/constants like the bun
install path or BUN_EXECUTABLE handling) into a new
tests/_helpers/bun-executable.ts, export those functions, and replace the local
implementations in e2e/reader.spec.ts and tests/server/reader/page-data.test.ts
with imports from that helper so both files use the same logic.
- Around line 122-145: The candidates array in resolveBunExecutable contains a
redundant entry "process.versions.bun !== undefined ? process.execPath :
undefined" that is unreachable because resolveBunExecutable already returns
early when process.versions.bun is defined; remove that ternary element from the
candidates list so the array only contains viable alternatives (e.g.,
process.env.BUN_EXECUTABLE, the homedir path, process.env.npm_execpath, and
"bun"), keeping the early-return logic in resolveBunExecutable unchanged.

In `@src/server/reader/markdown-renderer.ts`:
- Around line 292-307: The isAllowedIframeSource function currently allows
player.vimeo.com on any path; tighten it by requiring Vimeo embed paths to match
expected prefixes: change the return condition in isAllowedIframeSource
(referencing ALLOWED_IFRAME_HOSTNAMES and url.hostname) so that for
www.youtube.com and www.youtube-nocookie.com you still require
url.pathname.startsWith("/embed/"), and for player.vimeo.com require the
pathname to start with one of the valid Vimeo embed prefixes (e.g.
url.pathname.startsWith("/embed/") || url.pathname.startsWith("/video/") ||
url.pathname.startsWith("/event/")), returning false otherwise.

In `@tests/server/reader/page-data.test.ts`:
- Around line 190-213: The candidates array in resolveBunExecutable contains a
redundant entry "process.versions.bun !== undefined ? process.execPath :
undefined" which is unreachable because the function already returns when
process.versions.bun !== undefined; remove that conditional entry from the
candidates list (keep other candidates like process.env.BUN_EXECUTABLE, the
homedir path, process.env.npm_execpath, and "bun") and ensure the rest of the
logic (find, isBunExecutable, canAccess, and the final throw) remains unchanged.

In `@tests/server/reader/route-state.test.ts`:
- Around line 36-56: Add a test asserting that a successful/ready reader result
maps to no HTTP error: call readerHttpStatusCode with a result object whose
status is "ready" (include a representative message or metadata) and expect the
return to be undefined; update the test in route-state.test.ts alongside the
existing cases so readerHttpStatusCode({ status: "ready", message: "Ready for
reading." }) is asserted toBeUndefined().

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d3ae12c-72de-42ad-aad3-31f541c1b6a2

📥 Commits

Reviewing files that changed from the base of the PR and between 9efd0f1 and 0c82991.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (16)

• app.config.ts
• e2e/reader.spec.ts
• package.json
• playwright.config.ts
• src/components/reader/MemoryReader.tsx
• src/components/reader/source-url.ts
• src/routes/memories/[id].tsx
• src/routes/memories/reader-route-state.ts
• src/server/db/connection.ts
• src/server/reader/markdown-renderer.ts
• src/server/reader/page-data.ts
• src/styles/app.css
• tests/server/reader/markdown-renderer.test.ts
• tests/server/reader/page-data.test.ts
• tests/server/reader/route-state.test.ts
• tests/server/reader/source-url.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb35791886

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 178ffde0d2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[nonnil]

There are issues, but since we’re getting nowhere, we’ll handle them all together in a different task.