Elijah hash7/feature/mutation api observer#206

Merged: esokullu merged 11 commits into dev from Elijah-hash7/feature/mutation-api-observer on Jun 27, 2026


@esokullu

Collaborator

No description provided.

@vercel

vercel Bot commented Jun 27, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
webbrain Ready Ready Preview, Comment Jun 27, 2026 5:49pm

…ment-200

test: add LoopDetectorShim._detectApiShortcut and unit tests for all shortcut paths
@esokullu

Collaborator Author

Reviewed this branch and pushed a follow-up fix: dcadc1fb (Restrict API shortcut hints to GET requests).

What changed:

  • The API-shortcut detector now only suggests replaying repeated GET XHRs via fetch_url.
  • Repeated POST/PUT/DELETE-style requests are ignored by the shortcut, so the loop warning does not nudge the model into API mutations without the explicit /allow-api path.
  • Added regression coverage for write-method requests.

Validation:

  • npm test passed locally: 441 unit checks, 0 failed; injection corpus 59/59 passed.

Copilot AI left a comment

Contributor

Pull request overview

This PR implements a "mutation API observer" (issue #189) across both the Chrome and Firefox builds. A background webRequest.onBeforeRequest listener records the XHR/fetch requests each tab fires into a per-tab, in-memory buffer exposed via globalThis.__webbrainApiRequests. When the agent's loop detector flags a repeated click/click_ax, the new Agent._detectApiShortcut checks whether each click triggered the same background request and, if so, augments the [LOOP DETECTED] nudge with a suggestion to call fetch_url directly instead of clicking again.

Changes:

  • Added a per-tab API request observer (capped at 40 entries, cleaned up on tab removal) in both background scripts, plus the webRequest permission in both manifests.
  • Added Agent._detectApiShortcut and wired it into _checkLoop's repeat-loop warning in both builds.
  • Added _detectApiShortcut unit tests (and a mirrored LoopDetectorShim method) to test/run.js, including a chrome/firefox parity assertion.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/chrome/src/background.js | Adds the per-tab webRequest observer populating globalThis.__webbrainApiRequests. |
| src/firefox/src/background.js | Mirror of the Chrome observer using browser.webRequest. |
| src/chrome/src/agent/agent.js | Adds _detectApiShortcut and the API-shortcut loop warning branch. |
| src/firefox/src/agent/agent.js | Mirror of the agent change. |
| src/chrome/manifest.json | Adds the webRequest permission. |
| src/firefox/manifest.json | Adds the webRequest permission. |
| test/run.js | Adds shim method + tests for _detectApiShortcut, including build parity. |

The main concern is a logic flaw in _detectApiShortcut: a single recorded request can be attributed to multiple overlapping click windows, so matches can reach >= 2 from one request, producing a false-positive shortcut that contradicts the documented "strict matching only" intent (the new test passes despite counting one request three times). The same defect exists in all three mirrored copies.



Comment on lines +576 to +586
let candidate = null;
let matches = 0;
for (const clickTs of clickTimes) {
const hit = apiRequests.find(r =>
r.ts >= clickTs && r.ts <= clickTs + WINDOW_MS &&
(!candidate || (r.url === candidate.url && r.method === candidate.method))
);
if (!hit) continue;
if (!candidate) candidate = { url: hit.url, method: hit.method };
matches++;
}
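Review bot: In the `apiRequests.find(...)` predicate nothing records which request an earlier click already matched, so when click windows overlap a single request that falls inside all of them is returned for every click and `matches` is incremented once per click. Track the indexes that have been matched (for example `findIndex` plus a set of used indexes) and exclude them in the predicate, so each recorded request counts for at most one click.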
Comment on lines +508 to +518
let candidate = null;
let matches = 0;
for (const clickTs of clickTimes) {
const hit = apiRequests.find(r =>
r.ts >= clickTs && r.ts <= clickTs + WINDOW_MS &&
(!candidate || (r.url === candidate.url && r.method === candidate.method))
);
if (!hit) continue;
if (!candidate) candidate = { url: hit.url, method: hit.method };
matches++;
}
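Review bot: `candidate` is fixed by the first click that has any request in its window (`if (!candidate) candidate = { url: hit.url, method: hit.method };`), and that is whichever entry `find` returns first, not necessarily the request the click triggered. If an unrelated background request lands first in that window, every later click is compared against the wrong URL and method and the request that really repeats is never counted. Consider counting hits per URL+method pair across all clicks and choosing the pair with the most hits.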
Comment thread test/run.js
Comment on lines +332 to +342
let candidate = null;
let matches = 0;
for (const clickTs of clickTimes) {
const hit = apiRequests.find(r =>
r.ts >= clickTs && r.ts <= clickTs + WINDOW_MS &&
(!candidate || (r.url === candidate.url && r.method === candidate.method))
);
if (!hit) continue;
if (!candidate) candidate = { url: hit.url, method: hit.method };
matches++;
}
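Review bot: The matching loop here in test/run.js is a line-for-line copy of the one in the two agent files, so tests that exercise it check the copy rather than the shipped code, and a fix applied to one copy can leave the others behind. Keep the parity assertion covering this loop, and add a case where one request falls inside several overlapping click windows, which this loop counts once per click.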
@esokullu

Collaborator Author

Addressed Copilot review 4585822943 in 4c3f8d5b (Prevent API shortcut request reuse).

What changed:

  • _detectApiShortcut now consumes matched API request indexes, so one recorded request cannot satisfy multiple overlapping click windows.
  • Applied the fix in both Chrome and Firefox agent copies.
  • Updated the test shim and added a regression where a single GET after a click burst must not produce an API shortcut.

Validation:

  • git diff --check passed.
  • npm test passed locally: 442 unit checks, 0 failed; injection corpus 59/59 passed.
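The request-reuse problem raised in the review and the index-consuming fix described in the comment above, as an added example that is not the project's code: it compares the quoted matching loop with a variant that consumes each matched request, on constructed data. `WINDOW_MS = 2000`, the function names and the sample URL are assumptions.

```javascript
// Added example; WINDOW_MS and the function names are assumptions, not the project's.
const WINDOW_MS = 2000;

const sameCall = (r, c) => !c || (r.url === c.url && r.method === c.method);
const inWindow = (r, clickTs) => r.ts >= clickTs && r.ts <= clickTs + WINDOW_MS;

// Matching as quoted in the review: find() can return the same entry for every click.
function countReusing(clickTimes, apiRequests) {
  let candidate = null, matches = 0;
  for (const clickTs of clickTimes) {
    const hit = apiRequests.find(r => inWindow(r, clickTs) && sameCall(r, candidate));
    if (!hit) continue;
    if (!candidate) candidate = { url: hit.url, method: hit.method };
    matches++;
  }
  return matches;
}

// Variant in which each recorded request is consumed by at most one click.
function countConsuming(clickTimes, apiRequests) {
  const used = new Set(); // indexes of requests already attributed to a click
  let candidate = null, matches = 0;
  for (const clickTs of clickTimes) {
    const idx = apiRequests.findIndex((r, i) =>
      !used.has(i) && inWindow(r, clickTs) && sameCall(r, candidate));
    if (idx === -1) continue;
    used.add(idx);
    const hit = apiRequests[idx];
    if (!candidate) candidate = { url: hit.url, method: hit.method };
    matches++;
  }
  return matches;
}

// Constructed sample data: a click burst followed by one request, and
// three well-spaced clicks that each trigger the same request.
const URL_A = 'https://app.example/api/items?page=2';
const burstClicks = [1000, 1300, 1600];
const oneRequest = [{ ts: 1700, url: URL_A, method: 'GET' }];
const spacedClicks = [1000, 5000, 9000];
const perClickRequests = spacedClicks.map(ts => ({ ts: ts + 100, url: URL_A, method: 'GET' }));

console.log('burst :', countReusing(burstClicks, oneRequest), countConsuming(burstClicks, oneRequest));
console.log('spaced:', countReusing(spacedClicks, perClickRequests), countConsuming(spacedClicks, perClickRequests));
```

With the `>= 2` threshold mentioned in the review, the burst case trips the shortcut only in the reusing version, while the genuinely repeated request is detected by both.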

@esokullu

Collaborator Author

Correction to my earlier GET-only follow-up: I pushed 558c64fe (Allow API shortcut write methods) to keep the API shortcut detector open to POST/PUT/PATCH/DELETE-style methods as intended.

Rationale:

  • The detector should surface the repeated same URL+method request pattern.
  • The existing /allow-api / UI-vs-API policy remains responsible for whether a mutating replay is allowed.
  • The request-reuse fix from 4c3f8d5b remains in place, so one captured request still cannot satisfy multiple overlapping click windows.

What changed:

  • Removed the GET-only method filter from Chrome, Firefox, and the test shim.
  • Updated the shortcut warning so it no longer says "get the next page's data" and instead points back to the UI/API mutation policy for mutating methods.
  • Replaced the old write-method rejection test with a POST eligibility regression.

Validation:

  • git diff --check passed.
  • npm test passed locally: 442 unit checks, 0 failed; injection corpus 59/59 passed.

@esokullu esokullu changed the base branch from main to dev June 27, 2026 17:50
@esokullu esokullu merged commit 80508a4 into dev Jun 27, 2026
2 checks passed