fix: stabilize viewer navigation and timeline layout

[flamerged]

Summary

• Keep the viewer header, tabs, and feature flag banner from shrinking or overlapping page content.
• Add hash routes for viewer tabs and make the top-left brand link back to the dashboard.
• Constrain timeline observation cards so long tool names, JSON payloads, and file paths wrap or truncate inside their parent card.
• Add an AM favicon and allow data-image favicons in the viewer CSP.
• Keep feature-flag dismissals page-local so warnings can be closed until refresh without persisting stale localStorage state.

Root Cause

The viewer is a single HTML/CSS/JS surface, and several fixed UI rows were normal flex children that could shrink under tall view content. Timeline cards also used an unconstrained flex header and preformatted payloads, so long tool names and JSON strings could overflow their card and push the metadata controls out of place.

Validation

• node --check on the extracted viewer script
• git diff --check -- src/viewer/index.html src/auth.ts test/viewer-security.test.ts
• ../agentmemory/node_modules/.bin/vitest run test/viewer-security.test.ts
• npm run build from the worktree using the existing local node_modules install
• Manual preview through the real viewer proxy on a separate local port

Follow-up

The viewer remains hard to develop locally because the frontend is tightly coupled to the Node viewer proxy and REST port assumptions. This PR keeps the fix scoped, but a cleaner frontend/backend dev split would make these UI changes much easier to test.

Summary by CodeRabbit

• New Features

  • Route-based tab navigation using URL history for improved navigation experience
  • Added favicon to viewer
  • Feature-flag dismissals now update immediately (dismissals held in-memory)

• Style

  • Enhanced UI styling for headers, tabs, and timeline observation cards
  • Redesigned feature-flag banner presentation and layout
  • Improved text wrapping and truncation in observation cards

• Security

  • Content Security Policy updated to allow image loading from data: URLs

• Tests

  • Updated security tests to verify the new image loading policy

[vercel]

@flamerged is attempting to deploy a commit to the rohitg00's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b136239b-f376-4443-866a-2db46fea695e

📥 Commits

Reviewing files that changed from the base of the PR and between 56ab412 and 0f68f93.

📒 Files selected for processing (1)

• src/viewer/index.html

🚧 Files skipped from review as they are similar to previous changes (1)

• src/viewer/index.html

---

📝 Walkthrough

Walkthrough

Adds data: to viewer CSP img-src, implements hash-driven tab routing with URL/history sync, refactors header/observation card layout and CSS, and migrates feature-flag dismissal to an in-memory state with updated banner markup and styling.

Changes

Viewer Routing, UI Refinements, and Feature Flags

Layer / File(s)	Summary
CSP Image Loading Security src/auth.ts, test/viewer-security.test.ts	CSP img-src directive updated to allow data: URLs in addition to 'self'; security test verifies the directive.
Header, favicon, and basic UI styling src/viewer/index.html	Adds favicon, makes header brand a linked route target, updates brand hover/focus styling, adjusts tab-bar z-index/flex, and prevents timeline-item overflow.
Observation card layout and long-text handling src/viewer/index.html	Refactors .obs-card to grid for title/meta rows, constrains card widths/overflow, truncates long titles/tags, and improves .obs-narrative/pre wrapping rules.
Feature-flag banners and dismissal UI src/viewer/index.html	Restyles .flag-banners, updates banner/button/close markup and CSS, and embeds escaped dismissal keys in data-* attributes for the new dismissal flow.
Tab routing, route helpers, and in-memory flag state src/viewer/index.html	Introduces TAB_IDS, normalizeTab, tabFromRoute, updateTabRoute, state.flagsDismissed, and upgrades switchTab(tab, opts) to normalize/validate tabs, optionally update URL history, set aria-current, re-render banners, wire click handlers, sync on hashchange/popstate, and initialize active tab from the route.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• rohitg00/agentmemory#108: Also modifies viewer CSP construction and related directives.
• rohitg00/agentmemory#69: Related viewer CSP changes and how the server exposes the CSP.

Poem

🐰 I hopped through hashes, tabs in tow,
Favicon shining, cards in a row,
Flags now fleeting, kept in RAM,
Images sip data: like a charm,
The viewer hums — hop, tap, and go!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'fix: stabilize viewer navigation and timeline layout' directly corresponds to the main objectives: stabilizing navigation (hash routes, tab routing) and timeline layout (constraining observation cards). However, it omits significant changes like CSP updates for data images and feature-flag dismissal logic.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

src/viewer/index.html (2)

1178-1183: 💤 Low value

Optional: set aria-current on the active tab for screen-reader navigation.

switchTab toggles the visual .active class on the matching [data-tab] button but does not surface that state to assistive tech. Reflecting it via aria-current="page" (or aria-selected if you want true tablist semantics) lets screen-reader users perceive the current tab.

♻️ Proposed refactor

       document.querySelectorAll('.tab-bar button').forEach(function(b) {
-        b.classList.toggle('active', b.dataset.tab === tab);
+        var isActive = b.dataset.tab === tab;
+        b.classList.toggle('active', isActive);
+        if (isActive) b.setAttribute('aria-current', 'page');
+        else b.removeAttribute('aria-current');
       });

Also applies to: 948-961

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/viewer/index.html` around lines 1178 - 1183, The tab-switching code
currently only toggles the visual .active class; update the logic in the
function that contains the shown selectors (the switchTab handler that queries
'.tab-bar button' and '.view') to also set aria-current="page" on the active
button and remove that attribute from all other buttons (or use
aria-selected="true"/"false" if you adopt full tablist semantics); ensure you
set aria-current only when b.dataset.tab === tab and explicitly remove the
attribute for non-active buttons so screen readers receive the current-tab
state.

---

3418-3423: ⚡ Quick win

Preserve modifier/middle-click new-tab behavior on [data-tab-link].

The brand link is now a real <a href="#dashboard">, but the handler always calls e.preventDefault(). That suppresses Ctrl/Cmd/middle-click "open in new tab" semantics — clicking with a modifier will just toggle the dashboard tab in the current view instead of opening a new tab at #dashboard. Letting modified clicks pass through preserves expected anchor behavior while keeping plain clicks SPA-style.

♻️ Proposed refactor

     document.querySelectorAll('[data-tab-link]').forEach(function(link) {
       link.addEventListener('click', function(e) {
+        // Let users open the link in a new tab/window with modifier or middle-click.
+        if (e.defaultPrevented || e.button !== 0 || e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
         e.preventDefault();
         switchTab(link.getAttribute('data-tab-link'));
       });
     });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/viewer/index.html` around lines 3418 - 3423, The click handler on
elements selected by document.querySelectorAll('[data-tab-link]') always calls
e.preventDefault(), which breaks modifier/middle-click behavior; update the
handler so it only prevents default and runs
switchTab(link.getAttribute('data-tab-link')) for unmodified left-clicks.
Concretely, detect modified clicks (e.metaKey || e.ctrlKey || e.shiftKey ||
e.altKey) and middle/right buttons (e.button !== 0 or e.button === 1 for middle)
and early-return without calling e.preventDefault(), otherwise call
e.preventDefault() and switchTab as before.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/viewer/index.html`:
- Around line 2411-2421: The obs-title span currently renders the truncated
title text without a tooltip; update the HTML generation where the span is
created (the line producing '<span class="obs-title">' + esc(title) + '</span>')
to include a title attribute set to the full escaped title (e.g., '<span
class="obs-title" title="' + esc(title) + '">' + esc(title) + '</span>'); apply
the same change to the other occurrence of the obs-title span around lines
474-483 so long titles show the full text on hover while preserving the existing
ellipsis styling.

---

Nitpick comments:
In `@src/viewer/index.html`:
- Around line 1178-1183: The tab-switching code currently only toggles the
visual .active class; update the logic in the function that contains the shown
selectors (the switchTab handler that queries '.tab-bar button' and '.view') to
also set aria-current="page" on the active button and remove that attribute from
all other buttons (or use aria-selected="true"/"false" if you adopt full tablist
semantics); ensure you set aria-current only when b.dataset.tab === tab and
explicitly remove the attribute for non-active buttons so screen readers receive
the current-tab state.
- Around line 3418-3423: The click handler on elements selected by
document.querySelectorAll('[data-tab-link]') always calls e.preventDefault(),
which breaks modifier/middle-click behavior; update the handler so it only
prevents default and runs switchTab(link.getAttribute('data-tab-link')) for
unmodified left-clicks. Concretely, detect modified clicks (e.metaKey ||
e.ctrlKey || e.shiftKey || e.altKey) and middle/right buttons (e.button !== 0 or
e.button === 1 for middle) and early-return without calling e.preventDefault(),
otherwise call e.preventDefault() and switchTab as before.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e007d40-a422-4b6d-8917-b421f42eb147

📥 Commits

Reviewing files that changed from the base of the PR and between 22df145 and 56ab412.

📒 Files selected for processing (3)

• src/auth.ts
• src/viewer/index.html
• test/viewer-security.test.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• test/viewer-security.test.ts
• src/auth.ts