[codex] ratchet quality debt cleanup

[jscraik]

Pull request checklist

Summary

• What changed (brief): Re-enabled a tranche of Biome lint coverage, fixed the resulting quality findings across UI, widgets, scripts, and docs, refreshed generated widget manifests, added the current quality-debt burn-down report, and aligned the agent-design changed-surface CLI gate so protected surfaces remain fail-closed while warn-scope route debt stays visible without blocking non-design cleanup.
• Why this change was needed: The unslopify pass found disabled-rule and quality-evidence drift; the follow-up CLI pass fixed PR-base prepare evidence drift so this cleanup can be reviewed with accurate local gate results instead of a stale route-discovery blocker.
• Risk and rollback plan: Risk is broad but mostly mechanical because many files were touched to satisfy stricter lint rules and generated manifest freshness. The CLI gate change is narrow: explicit --surface checks and protected surfaces still fail closed, while warn-scope missing-route debt reports as warnings during changed-file discovery. Roll back by reverting commits 771d0a53c17f5bbb5542044839a8e0af1f30e0f6 and cef03fe23f351389067c0e0795f98323aa980ea5; regenerated manifests can also be refreshed with pnpm generated-source:check if follow-up source changes alter hashes.

Checklist

• I did not push directly to main; this PR is from a dedicated branch.
• Branch name follows policy (codex/* for agent-created branches).
• Required local gates run: bash scripts/validate-codestyle.sh, pnpm check, test -f memory.json && jq -e '.meta.version == "1.0" and (.preamble.bootstrap | type == "boolean") and (.preamble.search | type == "boolean") and (.entries | type == "array")' memory.json >/dev/null.
• Agent-first UI gate run when UI surfaces changed: pnpm agent-design:prepare:changed locally and/or via CI.
• CodeRabbit review completed and findings handled (or explicitly waived).
• CodeRabbit review was performed by an independent reviewer (not the coding agent).
• Codex review completed and findings handled (or explicitly waived).
• Any CodeRabbit Semgrep findings were either fixed or explicitly justified when warning-level-only.
• Merge is blocked until all required checks pass.
• I will delete branch/worktree after merge.

Testing

• verification_commands: pnpm quality-debt:test; pnpm test:drift; pnpm lint; pnpm generated-source:check; pnpm quality-debt:check; jq . docs/operations/quality-debt-radar.categories.json; bash scripts/validate-codestyle.sh; pnpm check; test -f memory.json && jq -e '.meta.version == "1.0" and (.preamble.bootstrap | type == "boolean") and (.preamble.search | type == "boolean") and (.entries | type == "array")' memory.json >/dev/null; jq . .design-system-guidance.json >/dev/null && jq . docs/design-system/AGENT_UI_ROUTING.json >/dev/null && jq . docs/design-system/COMPONENT_LIFECYCLE.json >/dev/null && git diff --check; AGENT_DESIGN_PREPARE_BASE=origin/main pnpm agent-design:prepare:changed; pnpm -C packages/cli test; pnpm design-system-guidance:ratchet; pnpm design-system-guidance:check:ci; pre-push hook via git push.
• verification_outcomes: Targeted cleanup, lint, generated-source, JSON, codestyle, check, memory, commit hooks, agent-design prepare, CLI tests, guidance ratchet, guidance CI, and unsandboxed pre-push hooks passed. AGENT_DESIGN_PREPARE_BASE=origin/main pnpm agent-design:prepare:changed now passes and reports existing warn-scope route debt as WARN while keeping protected surfaces such as settings stories and Sidebar safe/covered. pnpm design-system-guidance:check:ci exits 0 with the existing warning backlog. The first sandboxed pre-push attempts failed because Semgrep cache and Chromium needed host permissions; the same hook passed outside the sandbox before push.
• blocked_steps_reason: No current local validation step is blocked. Earlier sandboxed push attempts were blocked by /Users/jamiecraik/.cache/coding-harness/semgrep-venv-1.153.1/pyvenv.cfg access and by Chromium bootstrap_check_in ... Permission denied (1100) during Playwright e2e/a11y; the unsandboxed pre-push hook passed and the branch is pushed.
• Command: bash scripts/validate-codestyle.sh -> pass
• Command: pnpm check -> pass
• Command: test -f memory.json && jq -e '.meta.version == "1.0" and (.preamble.bootstrap | type == "boolean") and (.preamble.search | type == "boolean") and (.entries | type == "array")' memory.json >/dev/null -> pass
• Command: AGENT_DESIGN_PREPARE_BASE=origin/main pnpm agent-design:prepare:changed -> pass with warn-scope route debt reported
• Any other command(s): pnpm quality-debt:test -> pass; pnpm test:drift -> pass; pnpm lint -> pass; pnpm generated-source:check -> pass; pnpm quality-debt:check -> pass; jq . docs/operations/quality-debt-radar.categories.json -> pass; jq . .design-system-guidance.json >/dev/null && jq . docs/design-system/AGENT_UI_ROUTING.json >/dev/null && jq . docs/design-system/COMPONENT_LIFECYCLE.json >/dev/null && git diff --check -> pass; pnpm -C packages/cli test -> pass (121 tests); pnpm design-system-guidance:ratchet -> pass; pnpm design-system-guidance:check:ci -> pass with existing warnings; pre-push hook on unsandboxed git push -> pass.

Review artifacts

• CodeRabbit: Pending automated PR review on head cef03fe23f351389067c0e0795f98323aa980ea5; draft PR remains open to collect artifact.
• Independent reviewer evidence: Pending independent reviewer; coding agent has not self-approved.
• Codex: Pending independent Codex review artifact; this implementation run is not counted as independent review.
• CodeRabbit Semgrep: Local pre-push semgrep:changed reported no changed src/** implementation files for Semgrep.
• Additional evidence (if any): Commits 771d0a53c17f5bbb5542044839a8e0af1f30e0f6 and cef03fe23f351389067c0e0795f98323aa980ea5; branch codex/unslopify-quality-evidence; PR head cef03fe23f351389067c0e0795f98323aa980ea5; pre-push hook passed before the branch was updated.

Notes

This PR is a cleanup ratchet plus CLI evidence repair: it reduces disabled Biome-rule debt, fixes the newly exposed issues, keeps generated widget manifests fresh, records the current weekly quality-debt state, and makes changed-surface prepare evidence usable for mixed cleanup PRs without weakening protected-surface behavior. It should stay draft until the independent CodeRabbit/Codex review artifacts and required hosted checks are available.

[coderabbitai]

Warning

Rate limit exceeded

@jscraik has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 35 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 836482d1-688d-48ba-9469-bcf9b73dba26

📥 Commits

Reviewing files that changed from the base of the PR and between 7a689bf and eb3433a.

⛔ Files ignored due to path filters (1)

• packages/widgets/src/sdk/generated/widget-manifest.js is excluded by !**/generated/**

📒 Files selected for processing (12)

• .design-system-guidance.json
• FORJAMIE.md
• docs/design-system/UPSTREAM_ALIGNMENT.md
• packages/cloudflare-template/src/worker/widget-manifest.generated.ts
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• platforms/web/apps/web/src/main.tsx
• scripts/check-agent-design-prepare-evidence.mjs
• scripts/test-drift.mjs

📝 Walkthrough

Walkthrough

Tightens Biome lint rules and renames “Lint suppressions” → “Disabled Biome rules”; replaces many non-null assertions with defensive checks/type guards across widgets and examples; renames several icon and Storybook exports; updates icon registry, chart style rendering, sidebar cookie persistence, scripts/tests, documentation, and generated widget manifest entries.

Changes

Quality ratchet, defensive/type-safety, and documentation refresh

Layer / File(s)	Summary
Policy / Configuration biome.json, .design-system-guidance.json	Biome rule severities tightened (multiple suspicious/a11y/complexity/security rules moved from off→error or warn); files.ignore glob adjusted; added warn-scope globs for icons/templates/widgets and expanded web globs.
Lint / Radar Metadata docs/operations/quality-debt-radar.categories.json, docs/operations/quality-debt-radar.md, scripts/quality-debt-radar.mjs, scripts/quality-debt-radar.test.mjs	Renamed category label/description from “Lint suppressions” → “Disabled Biome rules”; updated guidance text and tests to expect the new label.
Documentation / Reports / Alignment FORJAMIE.md, docs/design-system/UPSTREAM_ALIGNMENT.md, reports/qa/quality-debt-burndown-2026-W18.md, reports/qa/quality-debt-burndown-template.md	FORJAMIE updated (2026-05-03) with recent changes; upstream alignment stamp refreshed; new weekly quality-debt burndown report and template row label updated.
Core API / Icons packages/ui/src/icons/*, packages/astudio-icons/src/registry.ts, packages/ui/src/templates/.../ChatGPTIconCatalog.tsx	Renamed icon component identifiers (Error→ErrorIcon, Function→FunctionIcon) and updated registry/catalog usages; icon discovery now tests typeof Icon === "function".
Rendering / Accessibility packages/ui/src/components/ui/data-display/chart/chart.tsx, packages/ui/src/components/ui/forms/FileUpload/FileUpload.tsx, packages/ui/src/components/ui/forms/combobox/combobox.tsx	Chart CSS injection changed from dangerouslySetInnerHTML to <style>{css}</style>; FileUpload avoids ! indexing and removed aria-hidden on native input; Combobox aria-activedescendant uses optional chaining.
Sidebar persistence / Design System entries packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx, docs/design-system/AGENT_UI_ROUTING.json, docs/design-system/COMPONENT_LIFECYCLE.json, docs/design-system/AGENT_UI_ROUTING.md	Added persistSidebarState using window.cookieStore.set with document.cookie fallback; Sidebar provider updated; added Sidebar routing and lifecycle metadata.
Defensive bootstrap changes packages/widgets/**/main.tsx, platforms/web/apps/web/src/main.tsx, packages/widgets/docs/examples/*/main.tsx	Entrypoints now assign document.getElementById("root") to root, throw if missing, and call createRoot(root).render(...) instead of non-null assertions.
State updater safety packages/widgets/**/pizzaz-shop/pizzaz-shop.tsx, packages/widgets/docs/examples/*, packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx	Replaced prev! usages with prev ?? default patterns in state updaters; pizzaz map marker logic guards missing map instance.
Tooling / Scripts / Tests scripts/check-agent-design-prepare-evidence.mjs, scripts/test-drift.mjs, scripts/migration/*.ts, scripts/quality-debt-radar.test.mjs, platforms/web/apps/storybook/scripts/interaction-coverage-gate.mjs, packages/ui/src/testing/utils/test-mocks.ts	Added JSDoc and a non-blocking-WARN classification to agent-design prepare-evidence gate; many scripts reformatted verbose logging to multi-line forEach; mock observers assigned to window.*; test expectations updated for renamed category.
Story naming consistency packages/ui/**/stories.tsx, packages/effects/stories/text.stories.tsx, packages/ui/src/storybook/_holding/*	Multiple Storybook exports renamed for clarity (e.g., various Error → ErrorState/ErrorToast/ErrorVariant, Number→NumberInput, CustomColors→GradientCustomColors); small snippet rendering fix in motion story.
Generated / Build artifacts packages/cloudflare-template/src/worker/widget-manifest.generated.ts	Widget manifest uri/hash entries updated for chat widgets, compose-view, pizzaz-shop, and search-results (build identifier refresh).
Minor logging formatting packages/tokens/src/dev-tools/token-watcher.ts, scripts/migration/*, platforms/.../interaction-coverage-gate.mjs, scripts/test-drift.mjs	Logging iteration callbacks reformatted to multi-line blocks and prefixed log labels (no behavioral change).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: add warn-first quality debt radar #154: Continues work on the quality-debt radar, reports, and related tests/docs.
• feat(design-system): complete agent-native design slices #158: Overlapping changes to agent UI routing / component lifecycle entries (Sidebar additions).
• [codex] Make prepare the UI edit contract #159: Related agent-design prepare-evidence gating and CLI/tooling updates.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.79% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[codex] ratchet quality debt cleanup' clearly describes the main change: re-enabling Biome lint rules and fixing resulting quality issues across the codebase.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, covering what changed, why it was needed, risk/rollback, testing verification, and review artifacts.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/unslopify-quality-evidence

---

_{Review rate limit: 0/5 reviews remaining, refill in 6 minutes and 35 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (9)

packages/ui/src/storybook/design-system/09_Motion/Motion.stories.tsx (1)

1-1: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

CI blocker: register an agent UI route for this Storybook surface.

The CI gate is failing with E_DESIGN_ROUTE_MISSING for this file path, so this PR cannot merge until the corresponding agent UI route/evidence mapping is added.

As per coding guidelines, "Use repository evidence first... Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/storybook/design-system/09_Motion/Motion.stories.tsx` at line
1, CI fails with E_DESIGN_ROUTE_MISSING because this Storybook surface
(Motion.stories.tsx) has no corresponding agent UI route/evidence mapping; add
an entry to the agent UI routes/evidence mapping config that registers the
Storybook route for "Motion.stories.tsx" (use the same identifier/name used by
your routes mapper) so the agent can discover this UI surface, ensuring the new
mapping follows the existing mapping shape and includes the file identifier and
any required metadata (e.g., title/route/id) used by the
registerRoute/registerEvidence functions.

packages/widgets/src/widgets/commerce/shopping-cart/main.tsx (1)

1-16: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Resolve the design-route registration gap for this widget surface.

CI is currently failing with E_DESIGN_ROUTE_MISSING for packages/widgets/src/widgets/commerce/shopping-cart/main.tsx. This surface needs to be added to the configured protected/warn/exempt route scope (or equivalent route mapping evidence) before merge.

As per coding guidelines, "Use repository evidence first... Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/widgets/src/widgets/commerce/shopping-cart/main.tsx` around lines 1
- 16, CI fails with E_DESIGN_ROUTE_MISSING because the ShoppingCart widget
surface (main.tsx / ShoppingCart) isn't registered in the project's design-route
mapping; update the repository's design route registry/config (the
protected/warn/exempt route scope) to include this widget surface key (use the
same identifier used elsewhere for widgets, e.g.,
"widgets/commerce/shopping-cart" or the module name used by the registry) and
provide the appropriate scope (protected/warn/exempt) entry and any required
metadata so the route mapping recognizes main.tsx/ShoppingCart; ensure the entry
is committed and any route validation unit-test or manifest is updated to
reflect the new registration.

packages/widgets/docs/examples/enhanced-example-widget/main.tsx (1)

80-85: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Preserve interaction history in the null-prev fallback path.

Line 83 still reads from prev?.interactions, which becomes [] when prev is null and can drop existing history from currentState.

🔧 Suggested patch

       setWidgetState((prev) => ({
         ...(prev ?? currentState),
         interactions: [
-          ...(prev?.interactions || []),
+          ...(prev ?? currentState).interactions,
           `Tool called at ${new Date().toLocaleTimeString()}`,
         ],
       }));

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/widgets/docs/examples/enhanced-example-widget/main.tsx` around lines
80 - 85, The update to setWidgetState can drop existing interactions when prev
is null because it uses prev?.interactions (which becomes []), so change the
interactions source to (prev ?? currentState).interactions to preserve history
from currentState when prev is null; in the setWidgetState updater (function
named setWidgetState) replace occurrences of prev?.interactions with (prev ??
currentState).interactions and ensure you still spread into a new array before
appending the new timestamp string so existing interactions are retained.

packages/widgets/src/widgets/pizzaz/pizzaz-shop/pizzaz-shop.tsx (1)

121-127: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix null-prev cart update path: it can wipe items.

When prev is null, Line 122 seeds defaults, but Line 123 immediately rebuilds items from prev?.items ?? [], which forces an empty cart and drops default items.

🔧 Suggested patch

   const handleQuantityChange = useCallback(
     (itemId: string, delta: number) => {
       setWidgetState((prev: ShopWidgetState | null) => ({
-        ...(prev ?? createDefaultState()),
-        items: (prev?.items ?? [])
+        ...((prev ?? createDefaultState()) as ShopWidgetState),
+        items: (prev ?? createDefaultState())
+          .items
           .map((item) =>
             item.id === itemId ? { ...item, quantity: Math.max(0, item.quantity + delta) } : item,
           )
           .filter((item) => item.quantity > 0),
       }));
     },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/widgets/src/widgets/pizzaz/pizzaz-shop/pizzaz-shop.tsx` around lines
121 - 127, The update currently seeds defaults with createDefaultState() but
then rebuilds items from prev?.items ?? [] which yields an empty array when prev
is null and wipes default items; change the reducer in setWidgetState (the
ShopWidgetState updater) to first establish a base state (e.g., const base =
prev ?? createDefaultState()) and then compute items from base.items
(base.items.map(...).filter(...)) so you update quantities relative to the
chosen base state instead of using prev?.items ?? [].

packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx (1)

555-555: ⚠️ Potential issue | 🟠 Major

Add surface to guidance scope classification.

Pipeline fails with E_DESIGN_SURFACE_SCOPE_UNKNOWN because packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx matches the include patterns but is not classified in any guidance scope (protected/warn/exempt) in packages/design-system-guidance/.design-system-guidance.json. Add this surface path to one of the scopes arrays to resolve the CI blocker.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx` at line 555, CI
fails with E_DESIGN_SURFACE_SCOPE_UNKNOWN because the pizzaz map widget (the
module that calls mountWidget(<App />) in its main component) matches the
guidance include patterns but isn't listed in any scope; fix it by adding this
widget's surface entry into one of the scopes (protected, warn, or exempt) in
the design-system-guidance.json guidance config so the classifier recognizes
it—open the guidance JSON, add the surface string for the pizzaz-map main widget
to the appropriate "scopes" array, and commit the change.

packages/ui/src/icons/ChatGPTIconCatalog.tsx (1)

62-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unblock CI by registering this UI surface in the agent-design route policy.

The current branch is blocked by E_DESIGN_ROUTE_MISSING / E_DESIGN_SURFACE_SCOPE_UNKNOWN for this file (and related touched UI surfaces). Add the required agent UI route mapping (or explicit protected/warn/exempt scope entry) before merge so the evidence gate can evaluate this surface.

As per coding guidelines **: “Use repository evidence first… Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable.”

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/icons/ChatGPTIconCatalog.tsx` around lines 62 - 63, The
ChatGPTIconCatalog UI component is not registered in the agent-design route
policy, causing E_DESIGN_ROUTE_MISSING/E_DESIGN_SURFACE_SCOPE_UNKNOWN; open the
agent-design route policy (or routes registry) and add an entry that maps the
ChatGPTIconCatalog surface (component name ChatGPTIconCatalog) to the
appropriate route and scope (or add an explicit protected/warn/exempt scope
entry) so the evidence gate can evaluate it; ensure the mapping uses the same
exported identifier ChatGPTIconCatalog and any related surfaces touched in this
PR, and commit the updated route/policy file alongside this UI change.

packages/ui/src/components/ui/forms/FileUpload/FileUpload.tsx (1)

122-157: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Removing aria-hidden exposes an unlabeled file input.

The input is now visible to assistive tech but still has no associated label/aria-label, while the outer div remains the element announcing the control. That creates two competing controls and one of them has no accessible name. Make the visible drop zone the <label> for the input, or otherwise give the native input the same accessible name/description as the visible trigger.

As per coding guidelines, "React components MUST be accessible-by-default (semantic elements first; ARIA only when needed)" and "Accessibility baseline: WCAG 2.2 AA; full keyboard operation required; screen reader compatibility required."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/components/ui/forms/FileUpload/FileUpload.tsx` around lines
122 - 157, The native file input (ref inputRef, id inputId, onChange
handleChange) is exposed to assistive tech but lacks an accessible name,
conflicting with the visible drop zone (data-slot="file-upload") which currently
serves as the control; either make the visible drop zone the label for the input
(replace the outer div with a <label> that points to inputId or wraps the input)
or give the input an explicit accessible name/description that exactly matches
the outer trigger (e.g., add aria-label or aria-labelledby on the input tied to
the same label text or statusMessage), and ensure tabIndex/aria-disabled
behavior and click/keyboard handlers remain on the labeled element so keyboard
and screen-reader users interact with a single, named control.

packages/ui/src/components/ui/data-display/chart/chart.tsx (1)

185-202: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Register this touched packages/ui/src/components/ui/** surface in the agent-design route map.

CI currently fails agent-design:prepare:changed with E_DESIGN_ROUTE_MISSING for this file. Please land the matching route/proposal/exemption metadata alongside the code change so the touched-surface gate can reason about it.

As per coding guidelines, "Use repository evidence first: package scripts, tracked docs, harness contracts, and validation wrappers over assumptions." and "Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/components/ui/data-display/chart/chart.tsx` around lines 185
- 202, The CI is failing because the touched UI surface (the chart component
using THEMES, safeChartId, colorConfig, getSafeColor, toSafeCssVarKey) wasn't
registered in the agent-design route map; update the agent-design
route/proposal/exemption metadata to include this touched surface (the
packages/ui/src/components/ui data-display/chart area) so
agent-design:prepare:changed recognizes the change, and ensure the metadata
references the component identifiers (THEMES, safeChartId, colorConfig) and
follows the repository's route map format and validation rules before landing
the PR.

packages/ui/src/icons/platform/Function.tsx (1)

4-19: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

This icon surface still lacks agent-design route coverage.

CI is already red with E_DESIGN_ROUTE_MISSING for packages/ui/src/icons/platform/Function.tsx. Please add the matching route/proposal/exemption metadata for the icons surface before merge, or every cleanup here will keep failing agent-design:prepare:changed.

As per coding guidelines, "Use repository evidence first: package scripts, tracked docs, harness contracts, and validation wrappers over assumptions." and "Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/icons/platform/Function.tsx` around lines 4 - 19, The build
fails with E_DESIGN_ROUTE_MISSING because the icons surface for the Function
icon (FunctionIcon / displayName "Function") has no design
route/proposal/exemption metadata; add the matching metadata entry to the icons
surface design routes/manifest used by agent-design:prepare:changed (use the
component's displayName "Function" and the module export default to identify
it), declaring either a route, proposal, or an explicit exemption entry that
references this icon so CI no longer flags it as missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/design-system/UPSTREAM_ALIGNMENT.md`:
- Around line 1-3: Add a Table of Contents to the "Apps SDK UI Upstream
Alignment Log" markdown by scanning all section headings (## and ###) and
inserting a bullet-link ToC immediately below the title/last-updated lines;
include anchor links to each heading (e.g., using the GitHub-style slug of
headings) and group subheadings under their parent sections so readers can
navigate the long-form document easily. Ensure the ToC updates to reflect
existing H2/H3 headings and place a comment note like "<!-- TOC -->" if you want
to automate future updates.

In `@FORJAMIE.md`:
- Around line 220-221: Update the summary bullet that currently reads "19
disabled linter rules remaining" to match the actual state in biome.json (which
now has 18 rules set to "off") or, if the intended target is 19, adjust
biome.json to re-disable the missing rule; ensure the FORJAMIE.md bullet wording
and the biome.json disabled-rule count (including the breakdown: 3 suspicious,
10 a11y, 5 correctness) are consistent so the documentation reflects the real
config.

In `@packages/tokens/src/dev-tools/token-watcher.ts`:
- Around line 347-349: The tokenFiles.forEach loop currently logs each filename
without the required service identity; update the console.log inside
tokenFiles.forEach((file) => { ... }) to include the service identity token
(e.g. append `service:"tokens"` or use an existing SERVICE_NAME/SERVICE_ID
constant) so every output line becomes something like `- ${file}
service:"<service_name>"`; ensure you reference the same tokenFiles.forEach and
file variable so all watcher outputs include the mandated
service:"<service_name>" field.

In `@packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx`:
- Around line 71-89: persistSidebarState currently calls cookieStore.set(...)
and discards the returned promise, so rejections are unhandled and the
document.cookie fallback is skipped; change persistSidebarState to handle
cookieStore.set failures (e.g., call cookieStore.set(...).catch(...) or await in
a try/catch) and on any error log/contextualize it and perform the synchronous
Reflect.set(document, "cookie", ...) fallback using SIDEBAR_COOKIE_NAME and
SIDEBAR_COOKIE_MAX_AGE so the fallback path always runs when cookieStore.set
rejects.

In `@packages/widgets/src/widgets/chat/chat-header/main.tsx`:
- Around line 48-53: The entrypoint rendered by createRoot(root) in this
chat-header main.tsx is missing agent-design metadata which triggers
E_DESIGN_ROUTE_MISSING and E_DESIGN_SURFACE_SCOPE_UNKNOWN; add the required
design route and surface scope declarations for this entrypoint (e.g., export or
attach an agent-design route identifier and a surface scope string consistent
with other widgets) next to the entrypoint code (near the createRoot(...) render
or module exports) so CI can discover the route and scope for this surface and
unblock the merge.
- Around line 49-50: The thrown bootstrap error for missing DOM root (the if
(!root) block in main.tsx) must include the service identity; update the Error
message thrown where root is checked to contain service:"widgets" (or use the
existing SERVICE_NAME constant if present) so the message becomes something like
'Root element not found service:"widgets"' to satisfy traceability requirements.

In `@packages/widgets/src/widgets/commerce/shopping-cart/main.tsx`:
- Around line 8-10: The thrown Error when the DOM root is missing uses an
unscoped message; update the throw in main.tsx (the check that uses the root
variable and throws new Error("Root element not found")) to include the service
identity token e.g. append or embed service:"shopping-cart" in the error message
so it reads something like "Root element not found service:\"shopping-cart\"" to
satisfy the repo policy for traceability.

In `@packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx`:
- Line 9: The thrown bootstrap error message lacks the required service
identity; update the throw new Error call in main.tsx so the Error message
includes the service identifier (e.g., include service:"pizzaz-shop" in the
string) — locate the throw new Error("Root element not found") and change its
message to prepend or embed service:"pizzaz-shop" so all bootstrap errors
include the service identity.

In `@platforms/web/apps/web/src/main.tsx`:
- Around line 19-24: CI failures E_DESIGN_ROUTE_MISSING /
E_DESIGN_SURFACE_SCOPE_UNKNOWN indicate this surface
(platforms/web/apps/web/src/main.tsx — the entry that uses createRoot and the
root element) is not registered in the agent-design route/surface scope map; fix
by adding this surface's identifier to the configured design route/scope
evidence map (the central mapping object used by the design-route validation
logic, e.g., designRouteMap/surfaceScopeMap) and map the "agent-design" route
(or the appropriate design route key) to this surface so the validator
recognizes platforms/web/apps/web/src/main.tsx as an allowed surface; ensure the
same identifier is referenced where CI reads the map so E_DESIGN_* errors are
resolved.
- Around line 19-24: The bootstrap error thrown when the DOM element "root" is
missing should include the service identity tag; update the Error thrown in the
root null-check (the throw in the same block that obtains `const root =
document.getElementById("root")`) to include service:"web" (or the appropriate
service name) in the message so logs are attributable (this is the code path
before `createRoot(root).render(...)`).

In `@scripts/test-drift.mjs`:
- Around line 138-159: Update the diagnostic log lines in the block that checks
`missing`, `missingUpstream`, and `extra` so every `console.error` /
`console.warn` message is prefixed with a stable service identity marker
service:"test-drift"; locate the sections where `missing.forEach((name) => {
console.error(...) })`, `missingUpstream.forEach((row) => { console.error(...)
})`, and `extra.forEach((name) => { console.warn(...) })` are called and prepend
the string `service:"test-drift" ` to the start of each emitted message (keep
the existing message text and formatting and leave the `process.exit(1)` calls
unchanged).

---

Outside diff comments:
In `@packages/ui/src/components/ui/data-display/chart/chart.tsx`:
- Around line 185-202: The CI is failing because the touched UI surface (the
chart component using THEMES, safeChartId, colorConfig, getSafeColor,
toSafeCssVarKey) wasn't registered in the agent-design route map; update the
agent-design route/proposal/exemption metadata to include this touched surface
(the packages/ui/src/components/ui data-display/chart area) so
agent-design:prepare:changed recognizes the change, and ensure the metadata
references the component identifiers (THEMES, safeChartId, colorConfig) and
follows the repository's route map format and validation rules before landing
the PR.

In `@packages/ui/src/components/ui/forms/FileUpload/FileUpload.tsx`:
- Around line 122-157: The native file input (ref inputRef, id inputId, onChange
handleChange) is exposed to assistive tech but lacks an accessible name,
conflicting with the visible drop zone (data-slot="file-upload") which currently
serves as the control; either make the visible drop zone the label for the input
(replace the outer div with a <label> that points to inputId or wraps the input)
or give the input an explicit accessible name/description that exactly matches
the outer trigger (e.g., add aria-label or aria-labelledby on the input tied to
the same label text or statusMessage), and ensure tabIndex/aria-disabled
behavior and click/keyboard handlers remain on the labeled element so keyboard
and screen-reader users interact with a single, named control.

In `@packages/ui/src/icons/ChatGPTIconCatalog.tsx`:
- Around line 62-63: The ChatGPTIconCatalog UI component is not registered in
the agent-design route policy, causing
E_DESIGN_ROUTE_MISSING/E_DESIGN_SURFACE_SCOPE_UNKNOWN; open the agent-design
route policy (or routes registry) and add an entry that maps the
ChatGPTIconCatalog surface (component name ChatGPTIconCatalog) to the
appropriate route and scope (or add an explicit protected/warn/exempt scope
entry) so the evidence gate can evaluate it; ensure the mapping uses the same
exported identifier ChatGPTIconCatalog and any related surfaces touched in this
PR, and commit the updated route/policy file alongside this UI change.

In `@packages/ui/src/icons/platform/Function.tsx`:
- Around line 4-19: The build fails with E_DESIGN_ROUTE_MISSING because the
icons surface for the Function icon (FunctionIcon / displayName "Function") has
no design route/proposal/exemption metadata; add the matching metadata entry to
the icons surface design routes/manifest used by agent-design:prepare:changed
(use the component's displayName "Function" and the module export default to
identify it), declaring either a route, proposal, or an explicit exemption entry
that references this icon so CI no longer flags it as missing.

In `@packages/ui/src/storybook/design-system/09_Motion/Motion.stories.tsx`:
- Line 1: CI fails with E_DESIGN_ROUTE_MISSING because this Storybook surface
(Motion.stories.tsx) has no corresponding agent UI route/evidence mapping; add
an entry to the agent UI routes/evidence mapping config that registers the
Storybook route for "Motion.stories.tsx" (use the same identifier/name used by
your routes mapper) so the agent can discover this UI surface, ensuring the new
mapping follows the existing mapping shape and includes the file identifier and
any required metadata (e.g., title/route/id) used by the
registerRoute/registerEvidence functions.

In `@packages/widgets/docs/examples/enhanced-example-widget/main.tsx`:
- Around line 80-85: The update to setWidgetState can drop existing interactions
when prev is null because it uses prev?.interactions (which becomes []), so
change the interactions source to (prev ?? currentState).interactions to
preserve history from currentState when prev is null; in the setWidgetState
updater (function named setWidgetState) replace occurrences of
prev?.interactions with (prev ?? currentState).interactions and ensure you still
spread into a new array before appending the new timestamp string so existing
interactions are retained.

In `@packages/widgets/src/widgets/commerce/shopping-cart/main.tsx`:
- Around line 1-16: CI fails with E_DESIGN_ROUTE_MISSING because the
ShoppingCart widget surface (main.tsx / ShoppingCart) isn't registered in the
project's design-route mapping; update the repository's design route
registry/config (the protected/warn/exempt route scope) to include this widget
surface key (use the same identifier used elsewhere for widgets, e.g.,
"widgets/commerce/shopping-cart" or the module name used by the registry) and
provide the appropriate scope (protected/warn/exempt) entry and any required
metadata so the route mapping recognizes main.tsx/ShoppingCart; ensure the entry
is committed and any route validation unit-test or manifest is updated to
reflect the new registration.

In `@packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx`:
- Line 555: CI fails with E_DESIGN_SURFACE_SCOPE_UNKNOWN because the pizzaz map
widget (the module that calls mountWidget(<App />) in its main component)
matches the guidance include patterns but isn't listed in any scope; fix it by
adding this widget's surface entry into one of the scopes (protected, warn, or
exempt) in the design-system-guidance.json guidance config so the classifier
recognizes it—open the guidance JSON, add the surface string for the pizzaz-map
main widget to the appropriate "scopes" array, and commit the change.

In `@packages/widgets/src/widgets/pizzaz/pizzaz-shop/pizzaz-shop.tsx`:
- Around line 121-127: The update currently seeds defaults with
createDefaultState() but then rebuilds items from prev?.items ?? [] which yields
an empty array when prev is null and wipes default items; change the reducer in
setWidgetState (the ShopWidgetState updater) to first establish a base state
(e.g., const base = prev ?? createDefaultState()) and then compute items from
base.items (base.items.map(...).filter(...)) so you update quantities relative
to the chosen base state instead of using prev?.items ?? [].

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bc891bea-91ee-4d07-87d4-a27b75f9ae97

📥 Commits

Reviewing files that changed from the base of the PR and between 2e5423f and 771d0a5.

⛔ Files ignored due to path filters (1)

• packages/widgets/src/sdk/generated/widget-manifest.js is excluded by !**/generated/**

📒 Files selected for processing (57)

• FORJAMIE.md
• biome.json
• docs/design-system/UPSTREAM_ALIGNMENT.md
• docs/operations/quality-debt-radar.categories.json
• docs/operations/quality-debt-radar.md
• packages/astudio-icons/src/registry.ts
• packages/cloudflare-template/src/worker/widget-manifest.generated.ts
• packages/effects/stories/text.stories.tsx
• packages/skill-ingestion/src/remoteClient.ts
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/ui/src/app/settings/AppsPanel/AppsPanel.stories.tsx
• packages/ui/src/app/settings/DataControlsPanel/DataControlsPanel.stories.tsx
• packages/ui/src/app/settings/ManageAppsPanel/ManageAppsPanel.stories.tsx
• packages/ui/src/app/settings/NotificationsPanel/NotificationsPanel.stories.tsx
• packages/ui/src/app/settings/SecurityPanel/SecurityPanel.stories.tsx
• packages/ui/src/components/ui/data-display/chart/chart.tsx
• packages/ui/src/components/ui/forms/FileUpload/FileUpload.tsx
• packages/ui/src/components/ui/forms/combobox/combobox.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• packages/ui/src/icons/ChatGPTIconCatalog.tsx
• packages/ui/src/icons/platform/Function.tsx
• packages/ui/src/icons/settings/Error.tsx
• packages/ui/src/storybook/_holding/component-stories/Input.stories.tsx
• packages/ui/src/storybook/_holding/component-stories/Sonner.stories.tsx
• packages/ui/src/storybook/_holding/component-stories/TextLink.stories.tsx
• packages/ui/src/storybook/_holding/component-stories/Toast.stories.tsx
• packages/ui/src/storybook/design-system/09_Motion/Motion.stories.tsx
• packages/ui/src/templates/ChatGPTIconCatalog/ChatGPTIconCatalog.tsx
• packages/ui/src/testing/utils/test-mocks.ts
• packages/widgets/docs/examples/auth-demo/auth-demo.tsx
• packages/widgets/docs/examples/auth-demo/main.tsx
• packages/widgets/docs/examples/dashboard-widget/main.tsx
• packages/widgets/docs/examples/enhanced-example-widget/main.tsx
• packages/widgets/docs/examples/kitchen-sink-lite/main.tsx
• packages/widgets/src/sdk/plugins/widget-manifest.ts
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/chat/chat-input/main.tsx
• packages/widgets/src/widgets/chat/chat-messages/main.tsx
• packages/widgets/src/widgets/chat/chat-sidebar/main.tsx
• packages/widgets/src/widgets/chat/chat-template/main.tsx
• packages/widgets/src/widgets/chat/chat-view/main.tsx
• packages/widgets/src/widgets/chat/compose-view/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-map/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/pizzaz-shop.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-table/main.tsx
• packages/widgets/src/widgets/search/search-results/main.tsx
• platforms/web/apps/storybook/scripts/interaction-coverage-gate.mjs
• platforms/web/apps/web/src/main.tsx
• reports/qa/quality-debt-burndown-2026-W18.md
• reports/qa/quality-debt-burndown-template.md
• scripts/migration/migrate-imports.ts
• scripts/migration/migrate-package-refs.ts
• scripts/quality-debt-radar.mjs
• scripts/quality-debt-radar.test.mjs
• scripts/test-drift.mjs

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx (1)

81-89: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle cookieStore.set rejections before returning.

At Line 82, the promise is intentionally detached and any rejection skips the fallback path, so state persistence can fail silently.

💡 Proposed fix

 function persistSidebarState(openState: boolean) {
   const value = String(openState);
   const cookieStore = (window as Window & { cookieStore?: CookieStoreLike }).cookieStore;
+  const writeDocumentCookie = () =>
+    Reflect.set(
+      document,
+      "cookie",
+      `${SIDEBAR_COOKIE_NAME}=${value}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}`,
+    );

   if (cookieStore) {
-    void cookieStore.set({
-      name: SIDEBAR_COOKIE_NAME,
-      value,
-      path: "/",
-      expires: Date.now() + SIDEBAR_COOKIE_MAX_AGE * 1000,
-    });
+    void cookieStore
+      .set({
+        name: SIDEBAR_COOKIE_NAME,
+        value,
+        path: "/",
+        expires: Date.now() + SIDEBAR_COOKIE_MAX_AGE * 1000,
+      })
+      .catch(() => {
+        writeDocumentCookie();
+      });
     return;
   }

-  Reflect.set(
-    document,
-    "cookie",
-    `${SIDEBAR_COOKIE_NAME}=${value}; path=/; max-age=${SIDEBAR_COOKIE_MAX_AGE}`,
-  );
+  writeDocumentCookie();
 }

#!/bin/bash
# Verify whether Cookie Store writes are protected with rejection handling.
rg -nP -C4 'cookieStore\.set\(' packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
rg -nP '\.catch\s*\(' packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

As per coding guidelines, "Never swallow errors; add context and route to logging layer."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx` around
lines 81 - 89, The detached cookieStore.set promise can reject and silently skip
the fallback path; update the code around cookieStore.set in Sidebar.tsx to
await or attach explicit rejection handling (e.g., add .catch) so any error is
logged/handled and then execute the existing fallback/state update logic;
reference the cookieStore.set call and the constants SIDEBAR_COOKIE_NAME and
SIDEBAR_COOKIE_MAX_AGE, ensure you do not return before handling rejections and
route errors to the logging layer or a provided error handler.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.design-system-guidance.json:
- Around line 127-131: The include array is missing the new warn-scope root
directories, so update the JSON "include" array to add the corresponding roots:
"packages/ui/src/icons", "packages/ui/src/templates", "packages/widgets/src",
and "platforms/web/apps/web/src"; locate the "include" array in
.design-system-guidance.json (the existing entries like
"packages/ui/src/**/*.{ts,tsx,js,jsx,css}" and others) and append these four
path strings so the new warn globs added later will be covered by the
prefiltering step.

In `@FORJAMIE.md`:
- Around line 218-223: The status date string "2026-05-02" in FORJAMIE.md (the
repository status block) is out of sync with the new changelog entry and the
`last_updated: 2026-05-03` value; update that status block date value (the
"2026-05-02" literal) to "2026-05-03" so the status header, the changelog entry
added at 2026-05-03, and the `last_updated` field are consistent.

In `@scripts/check-agent-design-prepare-evidence.mjs`:
- Around line 258-262: The current isNonBlockingWarnSurface(result) treats any
result with an open decision of E_DESIGN_ROUTE_MISSING as non-blocking even when
other decisions exist; change the logic so the WARN/exempt downgrade only
applies when the openDecisions list contains exclusively E_DESIGN_ROUTE_MISSING
(i.e., length === 1 and that decision.code === "E_DESIGN_ROUTE_MISSING"), keep
the existing explicitSurfaces and surfaceScope checks, and make the same fix in
the other analogous block (lines ~296-315) that implements the same downgrade
logic.

---

Duplicate comments:
In `@packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx`:
- Around line 81-89: The detached cookieStore.set promise can reject and
silently skip the fallback path; update the code around cookieStore.set in
Sidebar.tsx to await or attach explicit rejection handling (e.g., add .catch) so
any error is logged/handled and then execute the existing fallback/state update
logic; reference the cookieStore.set call and the constants SIDEBAR_COOKIE_NAME
and SIDEBAR_COOKIE_MAX_AGE, ensure you do not return before handling rejections
and route errors to the logging layer or a provided error handler.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d9a095b5-e90f-46b1-b157-d3262e9ddab7

📥 Commits

Reviewing files that changed from the base of the PR and between 771d0a5 and cef03fe.

📒 Files selected for processing (7)

• .design-system-guidance.json
• FORJAMIE.md
• docs/design-system/AGENT_UI_ROUTING.json
• docs/design-system/AGENT_UI_ROUTING.md
• docs/design-system/COMPONENT_LIFECYCLE.json
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: build (ubuntu-latest)
• GitHub Check: build (macos-latest)
• GitHub Check: Analyze (javascript)

🧰 Additional context used

📓 Path-based instructions (24)

**/*.json

📄 CodeRabbit inference engine (AGENTS.md)

Always verify JSON syntax with jq or similar tool before declaring JSON fixes complete

JSON MUST be valid UTF-8; prefer machine-generated JSON for large files; minimize hand-edited large JSON

Files:

• docs/design-system/COMPONENT_LIFECYCLE.json
• docs/design-system/AGENT_UI_ROUTING.json

**/*.{js,ts,tsx,jsx,mjs,json}

📄 CodeRabbit inference engine (CODESTYLE.md)

Packages MUST target the repo baseline Node version (pinned in .mise.toml and compat.json)

Files:

• docs/design-system/COMPONENT_LIFECYCLE.json
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• docs/design-system/AGENT_UI_ROUTING.json
• scripts/check-agent-design-prepare-evidence.mjs

**

⚙️ CodeRabbit configuration file

**: Use repository evidence first: package scripts, tracked docs, harness contracts, and validation wrappers over assumptions.
Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable.
Prioritize behavioral risk, missing validation, and governance drift over style-only feedback.

Files:

• docs/design-system/COMPONENT_LIFECYCLE.json
• docs/design-system/AGENT_UI_ROUTING.md
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• FORJAMIE.md
• docs/design-system/AGENT_UI_ROUTING.json
• scripts/check-agent-design-prepare-evidence.mjs

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a Table of Contents for documentation files

Files:

• docs/design-system/AGENT_UI_ROUTING.md
• FORJAMIE.md

**/*.{md,mdx,adoc,rst}

📄 CodeRabbit inference engine (CODESTYLE.md)

All docs and long-form prose MUST be linted with Vale (scope: **/.md, **/.mdx, **/.adoc, **/.rst)

Files:

• docs/design-system/AGENT_UI_ROUTING.md
• FORJAMIE.md

**/*.{js,ts,tsx,jsx,md,mdx,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Waivers across ESLint, Vale, Semgrep, Clippy, CI checks MUST include: rule ID, reason, ticket/issue reference, expiry (date) OR ADR reference; expired waivers MUST fail CI

Files:

• docs/design-system/AGENT_UI_ROUTING.md
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• FORJAMIE.md
• scripts/check-agent-design-prepare-evidence.mjs

packages/ui/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

packages/ui/src/**/*.{ts,tsx}: In packages/ui, allowed imports are UI components, icons from packages/ui/src/icons, @openai/apps-sdk-ui, and @radix-ui/* primitives (only in src/primitives directory)
In packages/ui, prohibited: window.openai, MCP logic, real network calls, direct lucide-react imports, @mui/* imports, direct @radix-ui/* imports outside src/primitives

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome (biome.json) for JS/TS formatting and keep files formatted via pnpm format

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

packages/ui/src/components/**/*.{tsx,stories.tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Place React components in packages/ui/src/components/** and use *.stories.tsx naming for Storybook stories

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{js,ts,tsx,jsx,py,rs,mjs,cjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{js,ts,tsx,jsx,py,rs,mjs,cjs}: Fabricated data/entropy (Math.random() without injected seed), hard-coded mock responses, TODO/FIXME/HACK comments, placeholder stubs, disabled features, or fake metrics MUST NOT exist in production code paths
Functions SHOULD be <= 40 LOC; split if readability suffers
No ambient randomness/time in core logic; inject seeds/clocks/IDs
Never swallow errors; add context and route to logging layer
Constants: UPPER_SNAKE_CASE
No hard-coded secrets; use env injection/secret manager; validate/sanitize all external inputs

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>")

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Long-running work MUST accept cancellation (AbortSignal in JS/TS; cancellation tokens/channels in Rust)

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx,mts,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

JSON imports MUST use import attributes (import data from "./foo.json" with { type: "json" })

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,tsx}: Explicit types at all public API boundaries (functions, modules, React props)
Use concrete types or unknown + narrowing instead of any (forbidden pattern: : any, as any, Promise, Record<string, any>)
Unsafe type assertions (value as unknown as T) forbidden; use type guards or schema validation instead
// @ts-ignore and // @ts-nocheck are forbidden; use // @ts-expect-error -- reason + ticket instead
Unsafe 'as SomeType' without runtime guard is forbidden; use guard function or schema validator
JSON.parse() and Response.json() return any; boundary mitigation MUST use schema validation (Zod/Valibot) or typed parser helper

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{js,ts,tsx,jsx,mjs,cjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{js,ts,tsx,jsx,mjs,cjs}: ESLint-disable comments MUST include reason and ticket; expiry date optional
JavaScript/TypeScript variables/functions: camelCase

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,tsx,js,mjs}: Exported async APIs that perform I/O or long work MUST accept AbortSignal
JSON inputs at boundaries in JS/TS MUST be schema-validated

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{tsx,jsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{tsx,jsx}: React components MUST be accessible-by-default (semantic elements first; ARIA only when needed)
React public components MUST document props and behavior (doc comment or docs site entry)
React hooks MUST follow the Rules of Hooks; side effects only in useEffect/useLayoutEffect
React: prefer controlled components; uncontrolled only when justified
React: avoid global mutable state; state should be local, passed, or via a chosen state layer
Tailwind conditional class composition MUST be readable (prefer clsx/cva if adopted by the repo)

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{tsx,jsx,html,css}

📄 CodeRabbit inference engine (CODESTYLE.md)

Tailwind: avoid "magic numbers" when theme tokens exist

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{rs,ts,tsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

Tauri UI-facing state MUST be deterministic and testable

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{ts,tsx,jsx,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Types/components: PascalCase

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{tsx,jsx,html}

📄 CodeRabbit inference engine (CODESTYLE.md)

Accessibility baseline: WCAG 2.2 AA; full keyboard operation required; screen reader compatibility required

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{ts,tsx,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

CLI/TUI: --plain / --no-color modes required

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/check-agent-design-prepare-evidence.mjs

FORJAMIE.md

📄 CodeRabbit inference engine (AGENTS.md)

Maintain a detailed FORJAMIE.md at the repo root explaining the whole project in plain language for future reference

Files:

• FORJAMIE.md

**/*.{ts,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,js,py,rs,mjs}: OpenTelemetry SHOULD be used where services/CLIs exist; logs SHOULD be structured and include service at app boundaries
Streaming: default token delta streaming for CLIs, optional aggregated mode, JSON event streaming optional if supported
MCP adapters/helpers MUST not hard-code user-specific paths; health checks MUST be scriptable; egress/network policies MUST be explicit

Files:

• scripts/check-agent-design-prepare-evidence.mjs

🔍 Remote MCP Linear

Additional relevant context for PR review

• This PR aligns with a tracked initiative to build the quality-debt radar and weekly burn-down artifacts. Linear tickets show the canonical roadmap and deliverables:

  • JSC-38 — define canonical quality-debt radar spec and source-category mapping (Done).
  • JSC-39 — build freshness & failure-state semantics for debt snapshots (Done).
  • JSC-40 — implement weekly burn-down artifact generation (Done).
  • JSC-41 — integrate warn-first radar behavior into CI and release-prep parity checks (Done; defines warn-first posture and parity requirements).

• JSC-41 explicitly documents the intended “warn-first” integration posture (CI/release parity and criteria for future tightening), which directly explains why this PR treats disabled Biome rules and quality-evidence drift as tracked/warn-first evidence rather than immediate hard-fail gates.

🔇 Additional comments (4)

docs/design-system/AGENT_UI_ROUTING.md (1)

63-63: Routing guidance update is consistent with the transitional contract.

This addition is clear and aligns with the lifecycle/routing posture for the fallback Sidebar.

packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx (1)

157-157: Good move centralizing persistence through persistSidebarState.

This keeps sidebar state writes in one place and reduces drift in future updates.

docs/design-system/COMPONENT_LIFECYCLE.json (1)

103-109: Sidebar lifecycle entry is well-scoped and governance-aligned.

transitional classification and path reference are consistent with the routing/docs updates.

docs/design-system/AGENT_UI_ROUTING.json (1)

146-190: New navigation_sidebar route contract looks coherent.

The route fields are complete and consistent with the transitional Sidebar lifecycle entry and human-readable routing guidance.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

scripts/test-drift.mjs (1)

182-186: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Wrap the top-level await main() to ensure unhandled errors are service-prefixed.

Right now, thrown errors (e.g., from parseIntegrationExports() or loadCoverageMatrix()/JSON.parse) will produce raw stack traces without any service:"test-drift" marker because there’s no surrounding try/catch at the entry point. That violates the “service identity in error messages/logs” expectation for the CLI.

🛠️ Suggested patch

-await main();
+await main().catch((error) => {
+  console.error('service:"test-drift" Unhandled drift check failure:', error);
+  process.exit(1);
+});

As per coding guidelines, **/*.{js,ts,tsx,jsx,py,rs,mjs}: Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/test-drift.mjs` around lines 182 - 186, Wrap the top-level await
main() call in a try/catch that catches any thrown errors (from main(),
parseIntegrationExports(), loadCoverageMatrix(), JSON.parse, etc.), logs the
error with the service identity prefix service:"test-drift" (e.g.,
processLogger.error or console.error including service:"test-drift" and the
error message/stack), and exit with a non-zero status; update the final lines
around main() to perform this guarded call so all uncaught errors are
service-prefixed.

packages/tokens/src/dev-tools/token-watcher.ts (1)

338-373: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Ensure service:"tokens" is present for all watcher log lines (not just the “Watching” list).

Right now only the per-file “Watching:” entries include the required service:"tokens" marker. Other user-visible logs in this service (start/stop, validation/generation progress, token file changed, watcher error) still emit anonymous text, which can break CI attribution and the repo’s service-log contract.

🛠️ Suggested patch

 export class TokenWatcher {
+  private static readonly SERVICE_NAME = "tokens"
   private watcher: FSWatcher | null = null;
   private isGenerating = false;
   private pendingRegeneration = false;
 
   private async loadTokens(): Promise<LoadedTokens> {
@@
   private async regenerateTokens(): Promise<void> {
@@
     try {
-      console.log("\n🔄 Validating tokens...");
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}"\n🔄 Validating tokens...`);
@@
       if (errors.length > 0) {
-        console.error(this.formatValidationErrors(errors));
-        console.log("⚠️  Fix validation errors before tokens can be regenerated\n");
+        console.error(`service:"${TokenWatcher.SERVICE_NAME}"`, this.formatValidationErrors(errors));
+        console.log(
+          `service:"${TokenWatcher.SERVICE_NAME}" ⚠️  Fix validation errors before tokens can be regenerated\n`,
+        );
         return;
       }
 
-      console.log("✅ Token validation passed");
-      console.log("🔨 Generating outputs...");
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}" ✅ Token validation passed`);
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}" 🔨 Generating outputs...`);
@@
-      console.log("✨ Token generation complete! Web previews will refresh automatically.\n");
+      console.log(
+        `service:"${TokenWatcher.SERVICE_NAME}" ✨ Token generation complete! Web previews will refresh automatically.\n`,
+      );
     } catch (error) {
-      console.error("\n❌ Token generation failed:");
-      console.error(error);
-      console.log("");
+      console.error(`service:"${TokenWatcher.SERVICE_NAME}"\n❌ Token generation failed:`);
+      console.error(error);
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}" `);
     } finally {
@@
   async start(): Promise<void> {
@@
-    console.log("👀 Token watcher started");
-    console.log("   Watching:");
+    console.log(`service:"${TokenWatcher.SERVICE_NAME}" 👀 Token watcher started`);
+    console.log(`service:"${TokenWatcher.SERVICE_NAME}"    Watching:`);
     tokenFiles.forEach((file) => {
-      console.log(`service:"tokens" watched_file:"${file}"`);
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}" watched_file:"${file}"`);
     });
-    console.log("\n💡 Edit token files to see instant updates in web previews\n");
+    console.log(`service:"${TokenWatcher.SERVICE_NAME}"\n💡 Edit token files to see instant updates in web previews\n`);
@@
     this.watcher.on("change", (path: string) => {
-      console.log(`\n📝 Token file changed: ${path}`);
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}"\n📝 Token file changed: ${path}`);
       this.regenerateTokens();
     });
 
     this.watcher.on("error", (error: unknown) => {
-      console.error("❌ Watcher error:", error);
+      console.error(`service:"${TokenWatcher.SERVICE_NAME}" ❌ Watcher error:`, error);
     });
   }
@@
   async stop(): Promise<void> {
     if (this.watcher) {
       await this.watcher.close();
       this.watcher = null;
-      console.log("\n👋 Token watcher stopped\n");
+      console.log(`service:"${TokenWatcher.SERVICE_NAME}"\n👋 Token watcher stopped\n`);
     }
   }
 }

As per coding guidelines, **/*.{js,ts,tsx,jsx,py,rs,mjs}: Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/tokens/src/dev-tools/token-watcher.ts` around lines 338 - 373,
Update the logging in the start() method so every user-visible message includes
the service identity service:"tokens". Specifically, prepend or include
service:"tokens" in the initial console.log lines (the "👀 Token watcher
started", "Watching:", and the "\n💡 Edit..." message), the per-change handler
inside this.watcher.on("change", ...) that logs "📝 Token file changed:
${path}", and the this.watcher.on("error", ...) console.error call; use the same
key/value style as the existing per-file lines (e.g. service:"tokens"
watched_file:"${file}" or service:"tokens" path:"${path}" for change/error) so
all outputs conform to the repo's service-log contract.

scripts/check-agent-design-prepare-evidence.mjs (2)

87-129: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Include untracked UI files in changed-surface discovery.

gitChangedFiles() still only unions base, staged, and tracked unstaged diffs. A brand-new protected .tsx/.jsx file will not appear until it is staged, so pnpm agent-design:prepare:changed can miss the exact surface this ratchet is supposed to block.

Suggested fix

   const commands = [
+    ["ls-files", "--others", "--exclude-standard"],
     ["diff", "--name-only", "--diff-filter=ACMRT", "--cached", "HEAD"],
     ["diff", "--name-only", "--diff-filter=ACMRT", "HEAD"],
   ];

As per coding guidelines, "Use repository evidence first: package scripts, tracked docs, harness contracts, and validation wrappers over assumptions."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/check-agent-design-prepare-evidence.mjs` around lines 87 - 129,
gitChangedFiles currently only collects base, staged, and tracked unstaged
diffs, missing brand-new untracked UI files (e.g., .tsx/.jsx). Update
gitChangedFiles to also run git ls-files --others --exclude-standard -- '*.tsx'
'*.jsx' (or any other protected extensions you want) and feed that output into
addChangedFiles(files, ...) so untracked UI files are included in the returned
set; place this extra command after the existing diff commands (or before
return) and reuse the existing addChangedFiles helper to normalize the results.

---

156-185: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail closed on malformed openDecisions entries.

validatePreparePayload() only checks that openDecisions is an array, and isNonBlockingWarnSurface() ignores malformed members when it builds decisionCodes. An incomplete payload like [{ code: "E_DESIGN_ROUTE_MISSING" }, { message: "missing code" }] still downgrades to WARN instead of failing closed.

Suggested fix

   if (!Array.isArray(data.openDecisions)) {
     return "prepare data.openDecisions must be an array";
   }
+  for (const decision of data.openDecisions) {
+    if (
+      !isObject(decision) ||
+      typeof decision.code !== "string" ||
+      typeof decision.message !== "string"
+    ) {
+      return "prepare data.openDecisions entries must be objects with string code and message";
+    }
+  }
   return "";
 }

   return (
-    decisionCodes.length > 0 && decisionCodes.every((code) => code === "E_DESIGN_ROUTE_MISSING")
+    result.openDecisions.length > 0 &&
+    decisionCodes.length === result.openDecisions.length &&
+    decisionCodes.every((code) => code === "E_DESIGN_ROUTE_MISSING")
   );
 }

As per coding guidelines, "Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable."

Also applies to: 258-267

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/check-agent-design-prepare-evidence.mjs` around lines 156 - 185,
validatePreparePayload currently only checks openDecisions is an array, allowing
malformed entries that later get ignored by isNonBlockingWarnSurface and cause
silent downgrades; update validatePreparePayload to assert each item in
data.openDecisions is an object with a present non-empty string code (and if you
expect message, validate it as a string too) and return a non-empty error reason
if any entry is malformed; also review isNonBlockingWarnSurface (and the logic
that builds decisionCodes) to assume well-formed entries (or defensively reject
malformed entries rather than ignoring them) so the system fails closed on bad
payloads.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.design-system-guidance.json:
- Around line 128-135: The warning globs include a redundant entry: remove the
narrower "platforms/web/apps/web/src/pages/**/*.{ts,tsx,js,jsx,css}" line
because it is fully covered by the broader
"platforms/web/apps/web/src/**/*.{ts,tsx,js,jsx,css}" glob; update
.design-system-guidance.json to delete the pages-specific pattern (or
alternatively implement deduplication in the consumer) so you don't produce
duplicate matches for the same files.

---

Outside diff comments:
In `@packages/tokens/src/dev-tools/token-watcher.ts`:
- Around line 338-373: Update the logging in the start() method so every
user-visible message includes the service identity service:"tokens".
Specifically, prepend or include service:"tokens" in the initial console.log
lines (the "👀 Token watcher started", "Watching:", and the "\n💡 Edit..."
message), the per-change handler inside this.watcher.on("change", ...) that logs
"📝 Token file changed: ${path}", and the this.watcher.on("error", ...)
console.error call; use the same key/value style as the existing per-file lines
(e.g. service:"tokens" watched_file:"${file}" or service:"tokens" path:"${path}"
for change/error) so all outputs conform to the repo's service-log contract.

In `@scripts/check-agent-design-prepare-evidence.mjs`:
- Around line 87-129: gitChangedFiles currently only collects base, staged, and
tracked unstaged diffs, missing brand-new untracked UI files (e.g., .tsx/.jsx).
Update gitChangedFiles to also run git ls-files --others --exclude-standard --
'*.tsx' '*.jsx' (or any other protected extensions you want) and feed that
output into addChangedFiles(files, ...) so untracked UI files are included in
the returned set; place this extra command after the existing diff commands (or
before return) and reuse the existing addChangedFiles helper to normalize the
results.
- Around line 156-185: validatePreparePayload currently only checks
openDecisions is an array, allowing malformed entries that later get ignored by
isNonBlockingWarnSurface and cause silent downgrades; update
validatePreparePayload to assert each item in data.openDecisions is an object
with a present non-empty string code (and if you expect message, validate it as
a string too) and return a non-empty error reason if any entry is malformed;
also review isNonBlockingWarnSurface (and the logic that builds decisionCodes)
to assume well-formed entries (or defensively reject malformed entries rather
than ignoring them) so the system fails closed on bad payloads.

In `@scripts/test-drift.mjs`:
- Around line 182-186: Wrap the top-level await main() call in a try/catch that
catches any thrown errors (from main(), parseIntegrationExports(),
loadCoverageMatrix(), JSON.parse, etc.), logs the error with the service
identity prefix service:"test-drift" (e.g., processLogger.error or console.error
including service:"test-drift" and the error message/stack), and exit with a
non-zero status; update the final lines around main() to perform this guarded
call so all uncaught errors are service-prefixed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8bc1980d-e7f8-43d8-ad73-9b3511f71bd7

📥 Commits

Reviewing files that changed from the base of the PR and between cef03fe and 7a689bf.

⛔ Files ignored due to path filters (1)

• packages/widgets/src/sdk/generated/widget-manifest.js is excluded by !**/generated/**

📒 Files selected for processing (11)

• .design-system-guidance.json
• FORJAMIE.md
• docs/design-system/UPSTREAM_ALIGNMENT.md
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• platforms/web/apps/web/src/main.tsx
• scripts/check-agent-design-prepare-evidence.mjs
• scripts/test-drift.mjs

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build (macos-latest)
• GitHub Check: build (ubuntu-latest)

🧰 Additional context used

📓 Path-based instructions (23)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use Biome (biome.json) for JS/TS formatting and keep files formatted via pnpm format

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{js,ts,tsx,jsx,py,rs,mjs,cjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{js,ts,tsx,jsx,py,rs,mjs,cjs}: Fabricated data/entropy (Math.random() without injected seed), hard-coded mock responses, TODO/FIXME/HACK comments, placeholder stubs, disabled features, or fake metrics MUST NOT exist in production code paths
Functions SHOULD be <= 40 LOC; split if readability suffers
No ambient randomness/time in core logic; inject seeds/clocks/IDs
Never swallow errors; add context and route to logging layer
Constants: UPPER_SNAKE_CASE
No hard-coded secrets; use env injection/secret manager; validate/sanitize all external inputs

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>")

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Long-running work MUST accept cancellation (AbortSignal in JS/TS; cancellation tokens/channels in Rust)

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,mjs,json}

📄 CodeRabbit inference engine (CODESTYLE.md)

Packages MUST target the repo baseline Node version (pinned in .mise.toml and compat.json)

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx,mts,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

JSON imports MUST use import attributes (import data from "./foo.json" with { type: "json" })

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,tsx}: Explicit types at all public API boundaries (functions, modules, React props)
Use concrete types or unknown + narrowing instead of any (forbidden pattern: : any, as any, Promise, Record<string, any>)
Unsafe type assertions (value as unknown as T) forbidden; use type guards or schema validation instead
// @ts-ignore and // @ts-nocheck are forbidden; use // @ts-expect-error -- reason + ticket instead
Unsafe 'as SomeType' without runtime guard is forbidden; use guard function or schema validator
JSON.parse() and Response.json() return any; boundary mitigation MUST use schema validation (Zod/Valibot) or typed parser helper

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{js,ts,tsx,jsx,mjs,cjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{js,ts,tsx,jsx,mjs,cjs}: ESLint-disable comments MUST include reason and ticket; expiry date optional
JavaScript/TypeScript variables/functions: camelCase

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{ts,tsx,js,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,tsx,js,mjs}: Exported async APIs that perform I/O or long work MUST accept AbortSignal
JSON inputs at boundaries in JS/TS MUST be schema-validated

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{tsx,jsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{tsx,jsx}: React components MUST be accessible-by-default (semantic elements first; ARIA only when needed)
React public components MUST document props and behavior (doc comment or docs site entry)
React hooks MUST follow the Rules of Hooks; side effects only in useEffect/useLayoutEffect
React: prefer controlled components; uncontrolled only when justified
React: avoid global mutable state; state should be local, passed, or via a chosen state layer
Tailwind conditional class composition MUST be readable (prefer clsx/cva if adopted by the repo)

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{tsx,jsx,html,css}

📄 CodeRabbit inference engine (CODESTYLE.md)

Tailwind: avoid "magic numbers" when theme tokens exist

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{rs,ts,tsx}

📄 CodeRabbit inference engine (CODESTYLE.md)

Tauri UI-facing state MUST be deterministic and testable

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{ts,tsx,jsx,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Types/components: PascalCase

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{tsx,jsx,html}

📄 CodeRabbit inference engine (CODESTYLE.md)

Accessibility baseline: WCAG 2.2 AA; full keyboard operation required; screen reader compatibility required

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

**/*.{ts,tsx,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

CLI/TUI: --plain / --no-color modes required

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.{js,ts,tsx,jsx,md,mdx,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

Waivers across ESLint, Vale, Semgrep, Clippy, CI checks MUST include: rule ID, reason, ticket/issue reference, expiry (date) OR ADR reference; expired waivers MUST fail CI

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• docs/design-system/UPSTREAM_ALIGNMENT.md
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• FORJAMIE.md
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**

⚙️ CodeRabbit configuration file

**: Use repository evidence first: package scripts, tracked docs, harness contracts, and validation wrappers over assumptions.
Treat contradictions between code, docs, and workflow policy as review-worthy even when code changes look reasonable.
Prioritize behavioral risk, missing validation, and governance drift over style-only feedback.

Files:

• platforms/web/apps/web/src/main.tsx
• packages/widgets/src/widgets/chat/chat-header/main.tsx
• docs/design-system/UPSTREAM_ALIGNMENT.md
• packages/widgets/src/widgets/commerce/shopping-cart/main.tsx
• packages/tokens/src/dev-tools/token-watcher.ts
• packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx
• FORJAMIE.md
• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Add a Table of Contents for documentation files

Files:

• docs/design-system/UPSTREAM_ALIGNMENT.md
• FORJAMIE.md

**/*.{md,mdx,adoc,rst}

📄 CodeRabbit inference engine (CODESTYLE.md)

All docs and long-form prose MUST be linted with Vale (scope: **/.md, **/.mdx, **/.adoc, **/.rst)

Files:

• docs/design-system/UPSTREAM_ALIGNMENT.md
• FORJAMIE.md

**/*.{ts,js,py,rs,mjs}

📄 CodeRabbit inference engine (CODESTYLE.md)

**/*.{ts,js,py,rs,mjs}: OpenTelemetry SHOULD be used where services/CLIs exist; logs SHOULD be structured and include service at app boundaries
Streaming: default token delta streaming for CLIs, optional aggregated mode, JSON event streaming optional if supported
MCP adapters/helpers MUST not hard-code user-specific paths; health checks MUST be scriptable; egress/network policies MUST be explicit

Files:

• packages/tokens/src/dev-tools/token-watcher.ts
• scripts/test-drift.mjs
• scripts/check-agent-design-prepare-evidence.mjs

FORJAMIE.md

📄 CodeRabbit inference engine (AGENTS.md)

Maintain a detailed FORJAMIE.md at the repo root explaining the whole project in plain language for future reference

Files:

• FORJAMIE.md

packages/ui/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

packages/ui/src/**/*.{ts,tsx}: In packages/ui, allowed imports are UI components, icons from packages/ui/src/icons, @openai/apps-sdk-ui, and @radix-ui/* primitives (only in src/primitives directory)
In packages/ui, prohibited: window.openai, MCP logic, real network calls, direct lucide-react imports, @mui/* imports, direct @radix-ui/* imports outside src/primitives

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

packages/ui/src/components/**/*.{tsx,stories.tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Place React components in packages/ui/src/components/** and use *.stories.tsx naming for Storybook stories

Files:

• packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx

🔍 Remote MCP Linear

Additional relevant facts for reviewing PR #162

• JSC-38 ("Define the canonical quality-debt radar spec and source-category mapping") is marked Done and includes deliverables/evidence relevant to this PR (radar contract, source mappings, related PR link to feat: add warn-first quality debt radar) — useful to confirm this PR’s changes align with the canonical radar spec.,

• JSC-39 ("Build freshness and failure-state semantics for debt snapshots") is marked Done and documents the freshness/unavailable/stale semantics the PR relies on for warn-first reporting and weekly burndown continuity. This supports the PR's treatment of disabled Biome rules and quality-evidence drift as warn-scope evidence rather than hard-fail.,

Sources:

• Linear issue search and issue fetches for JSC-38 and JSC-39.,

🔇 Additional comments (14)

docs/design-system/UPSTREAM_ALIGNMENT.md (1)

1-12: LGTM — ToC added with correct anchors and placement.

The document now includes a Table of Contents placed immediately after the title/“Last updated” line, and the bullet links match the corresponding ## section headings (including the Alignment Stamp (CI-Managed) slug).

packages/widgets/src/widgets/pizzaz/pizzaz-shop/main.tsx (1)

7-12: Bootstrap guard and service-tagged error look correct.

Good change: this removes the unsafe non-null assertion and fails closed with a service-identified error before mounting.

As per coding guidelines, Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>").

packages/widgets/src/widgets/chat/chat-header/main.tsx (1)

48-53: Root bootstrap guard is solid and traceable.

Good change: the explicit root null-check avoids unsafe non-null assertions, and the thrown error includes service/surface identity for diagnostics.

As per coding guidelines, "Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>")."

packages/widgets/src/widgets/commerce/shopping-cart/main.tsx (1)

7-12: Entry-point hardening looks correct.

The guard prevents invalid createRoot usage, and the error string is properly scoped with service identity.

As per coding guidelines, "Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>")."

platforms/web/apps/web/src/main.tsx (1)

19-24: Web bootstrap update is correct and policy-aligned.

Nice improvement replacing non-null assertion with an explicit runtime guard; error messaging is traceable with service identity included.

As per coding guidelines, "Apps/binaries/services MUST include service identity in outputs, error messages, and logs (service:"<service_name>")."

.design-system-guidance.json (2)

8-19: Approve: include now covers the new warn-scope roots.

The include list additions (platforms/web/apps/web/src, packages/ui/src/icons, packages/ui/src/templates, packages/widgets/src) line up with the newly added scopes.warn globs, so the prefiltering step shouldn’t accidentally exclude these files anymore.

---

126-137: Approve: new warn globs for icons/templates/widgets look consistent.

Adding:

• packages/ui/src/icons/**/*.tsx
• packages/ui/src/templates/**/*.tsx
• packages/widgets/src/**/*.tsx

fits the intended “warn-scope” behavior for changed-file discovery and should keep these areas non-blocking while still reporting drift.

packages/tokens/src/dev-tools/token-watcher.ts (1)

345-350: LGTM — watched-file listing now includes service:"tokens" consistently.

The tokenFiles.forEach output is now structured as service:"tokens" watched_file:"<file>", which matches the service-log contract.

scripts/test-drift.mjs (3)

98-123: LGTM — service-prefixed failure in loadUpstreamExports() catch block.

The catch block already emits service:"test-drift" and exits, which preserves CI attribution for upstream enumeration failures.

---

140-158: LGTM — missing/missingUpstream diagnostics are now service-prefixed per entry.

Both the section headers and the per-row/per-name lines emitted by forEach include service:"test-drift" as required.

---

160-180: LGTM — extra + radix_fallback replacement candidate warnings are service-prefixed.

The console.warn outputs now include service:"test-drift" for both the summary and each individual warning line.

packages/ui/src/components/ui/navigation/sidebar/fallback/Sidebar.tsx (3)

38-40: Typed CookieStoreLike shim looks good.

This keeps optional window.cookieStore usage explicit and avoids unsafe non-null assumptions.

---

71-107: Cookie Store rejection handling is now robust.

Great fix: rejected cookieStore.set(...) now logs contextual service info and reliably falls back to document.cookie.

---

167-167: Good centralization in setOpen.

Using persistSidebarState(openState) here removes duplicated write logic and keeps persistence behavior consistent.

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.