jesse/cognix
1
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity Actions

feat: add dashboard thought graph viewer #73

Merged
jesse merged 3 commits from phase-8/dashboard-ui-pr4-graph into main 2026-05-11 22:36:49 +02:00
Conversation 0 Commits 3 Files changed 14 +3380 -290
jesse commented 2026-05-11 03:44:55 +02:00
Owner
Copy link

Summary

  • PR4 of the 7-PR dashboard UI stack. Renders Mermaid thought graphs from get_thought_graph for the selected session's deterministic root thought.
  • Vendors mermaid.min.js 10.9.1 (MIT, 3 335 717 B, SHA256 61b335a4…a936d6) under strict security mode with a 256 KiB source cap.
  • Adds 14 unit tests + 3 integration tests covering asset registration, SHA/byte-size pinning, security config, source cap, contract enforcement, DOM-sink ban for graph.js, and bundle-size budget.

Phase

Phase 8 — Dashboard UI

Stacked PR [4/7] — merge after #72

Test Plan

  • cargo build -p cognix-server (no UI feature) succeeds
  • cargo build -p cognix-server --features ui,sse succeeds
  • cargo test -p cognix-server --features ui,sse --lib — 381 passed
  • cargo test -p cognix-server --features ui,sse --test ui_graph_routes — 3 passed
  • cargo run -p xtask -- run-ui-tests --features ui — 26 passed across 7 suites
  • cargo clippy -p cognix-server --all-targets --features ui,sse -- -D warnings clean
  • cargo fmt --check clean
  • cargo deny check clean
  • cargo doc -p cognix-server --features ui,sse --no-deps clean
  • Live curl smoke against /ui, /ui/assets/{graph.js,mermaid.min.js,THIRD-PARTY-LICENSES.md,styles.css} — all 200, CSP header present, mermaid SHA256 matches

Self-Review Checklist

  • No hardcoded secrets
  • No unwrap() in library code
  • No println!/eprintln!/dbg!
  • Real MCP contract used (get_thought_graph({thought_id, format:'mermaid'})); no demo session_id shape
  • Mermaid securityLevel: 'strict' actually passed to mermaid.initialize
  • 256 KiB source cap checked before mermaid.render()
  • graph.js is the single reviewed exception to the no-innerHTML rule (uses DOMParser+cloneNode); PR3's test_no_dangerous_dom_sinks scan list unchanged
  • sessions.js still contains no get_thought_graph reference (PR3 invariant)
  • All authored files <400 lines (graph.js=200, app.js=245, sessions.js=397, index.html=80)
  • Empty session short-circuits to "No graph (link some thoughts first)" without calling the graph tool
  • Vendored mermaid.min.js SHA256 + byte-size pinned in THIRD-PARTY-LICENSES.md and asserted at test time

Notes

  • No new workspace Cargo deps added (PR1–PR6 rule); sha2/hex introduced as dev-dep only.
  • Bundle excluding Mermaid is 41.2 KB (well under 200 KB).
  • Independent reviewer flagged 2 LOW + 2 NIT items deferred to PR5/PR6: (1) stale-render race on rapid tab toggling, (2) defaultGetRootThoughtId regex tightening, (3) silent catch (_) {} blocks in graph.js, (4) future split of assets.rs tests by phase. None block merge.
## Summary - PR4 of the 7-PR dashboard UI stack. Renders Mermaid thought graphs from `get_thought_graph` for the selected session's deterministic root thought. - Vendors `mermaid.min.js` 10.9.1 (MIT, 3 335 717 B, SHA256 `61b335a4…a936d6`) under strict security mode with a 256 KiB source cap. - Adds 14 unit tests + 3 integration tests covering asset registration, SHA/byte-size pinning, security config, source cap, contract enforcement, DOM-sink ban for `graph.js`, and bundle-size budget. ## Phase Phase 8 — Dashboard UI ## Stacked PR [4/7] — merge after #72 ## Test Plan - [x] `cargo build -p cognix-server` (no UI feature) succeeds - [x] `cargo build -p cognix-server --features ui,sse` succeeds - [x] `cargo test -p cognix-server --features ui,sse --lib` — 381 passed - [x] `cargo test -p cognix-server --features ui,sse --test ui_graph_routes` — 3 passed - [x] `cargo run -p xtask -- run-ui-tests --features ui` — 26 passed across 7 suites - [x] `cargo clippy -p cognix-server --all-targets --features ui,sse -- -D warnings` clean - [x] `cargo fmt --check` clean - [x] `cargo deny check` clean - [x] `cargo doc -p cognix-server --features ui,sse --no-deps` clean - [x] Live curl smoke against `/ui`, `/ui/assets/{graph.js,mermaid.min.js,THIRD-PARTY-LICENSES.md,styles.css}` — all 200, CSP header present, mermaid SHA256 matches ## Self-Review Checklist - [x] No hardcoded secrets - [x] No `unwrap()` in library code - [x] No `println!`/`eprintln!`/`dbg!` - [x] Real MCP contract used (`get_thought_graph({thought_id, format:'mermaid'})`); no demo `session_id` shape - [x] Mermaid `securityLevel: 'strict'` actually passed to `mermaid.initialize` - [x] 256 KiB source cap checked **before** `mermaid.render()` - [x] `graph.js` is the single reviewed exception to the no-`innerHTML` rule (uses DOMParser+cloneNode); PR3's `test_no_dangerous_dom_sinks` scan list unchanged - [x] `sessions.js` still contains no `get_thought_graph` reference (PR3 invariant) - [x] All authored files <400 lines (graph.js=200, app.js=245, sessions.js=397, index.html=80) - [x] Empty session short-circuits to "No graph (link some thoughts first)" without calling the graph tool - [x] Vendored `mermaid.min.js` SHA256 + byte-size pinned in `THIRD-PARTY-LICENSES.md` and asserted at test time ## Notes - No new workspace Cargo deps added (PR1–PR6 rule); `sha2`/`hex` introduced as dev-dep only. - Bundle excluding Mermaid is 41.2 KB (well under 200 KB). - Independent reviewer flagged 2 LOW + 2 NIT items deferred to PR5/PR6: (1) stale-render race on rapid tab toggling, (2) defaultGetRootThoughtId regex tightening, (3) silent `catch (_) {}` blocks in graph.js, (4) future split of assets.rs tests by phase. None block merge.
feat: add dashboard thought graph viewer
All checks were successful
CI / Detect Changes (pull_request) Successful in 14s
Details
CI / Format (pull_request) Successful in 20s
Details
CI / Security Scan (pull_request) Successful in 19s
Details
CI / Integration Tests (pull_request) Has been skipped
Details
CI / Benchmarks (pull_request) Has been skipped
Details
CI / Check file lengths (pull_request) Successful in 30s
Details
CI / Conventional Validation (pull_request) Successful in 56s
Details
CI / Clean Build Sample 1 (pull_request) Has been skipped
Details
CI / Clean Build Sample 2 (pull_request) Has been skipped
Details
CI / Clean Build Sample 3 (pull_request) Has been skipped
Details
CI / Clean Build Summary (pull_request) Has been skipped
Details
CI / Documentation (pull_request) Successful in 2m20s
Details
CI / Check (linux-aarch64 compile-validation) (pull_request) Successful in 2m38s
Details
CI / Clippy (pull_request) Successful in 2m47s
Details
CI / Deny (pull_request) Successful in 5m49s
Details
CI / Audit (CVEs) (pull_request) Successful in 6m42s
Details
CI / D-02 Clean Build Gate (pull_request) Successful in 6m37s
Details
CI / Test (pull_request) Successful in 7m41s
Details
CI / Coverage (80% gate) (pull_request) Successful in 8m26s
Details
CI / RSS gate (P-15) (pull_request) Successful in 5m57s
Details
CI / Build (release) (pull_request) Successful in 7m7s
Details
CI / PR Size Check (pull_request) Successful in 10s
Details
CI / CI Report (pull_request) Successful in 4s
Details
15e46e6f12 
PR4 of the dashboard UI stack. Renders Mermaid diagrams from get_thought_graph
output for the selected session's deterministic root thought.

- Vendor mermaid.min.js (10.9.1, MIT, 3335717 B,
  SHA256 61b335a46df05a7ce1c98378f60e5f3e77a7fb608a1056997e8a649304a936d6)
- Initialize mermaid with securityLevel:'strict' and cap source at 256 KiB
- Inject SVG via DOMParser+cloneNode (no innerHTML); single reviewed
  exception to the safe-rendering ban
- Use real MCP contract: get_thought_graph({thought_id, format:'mermaid'});
  never the demo session_id shape
- Empty-session short-circuits to "No graph (link some thoughts first)"
  without calling the graph tool when no root thought exists
- Register new assets and add 14 unit tests + 3 integration tests covering
  asset registration, SHA256/byte-size pinning, security config, source cap,
  empty state, contract enforcement, DOM-sink ban for graph.js, and bundle
  size budget (excluding mermaid: 41.2 KB, well under 200 KB)
feat: improve dashboard graph viewer with robust JS comment stripping
Some checks failed
CI / Detect Changes (pull_request) Successful in 12s
Details
CI / Format (pull_request) Successful in 17s
Details
CI / Benchmarks (pull_request) Has been skipped
Details
CI / Integration Tests (pull_request) Has been skipped
Details
CI / Security Scan (pull_request) Successful in 24s
Details
CI / Conventional Validation (pull_request) Successful in 47s
Details
CI / Test (pull_request) Failing after 30s
Details
CI / Clean Build Sample 1 (pull_request) Has been skipped
Details
CI / Clean Build Sample 3 (pull_request) Has been skipped
Details
CI / Clean Build Sample 2 (pull_request) Has been skipped
Details
CI / Check file lengths (pull_request) Failing after 35s
Details
CI / Clean Build Summary (pull_request) Has been skipped
Details
CI / Documentation (pull_request) Successful in 2m5s
Details
CI / Check (linux-aarch64 compile-validation) (pull_request) Successful in 2m22s
Details
CI / Clippy (pull_request) Successful in 2m26s
Details
CI / Deny (pull_request) Successful in 5m17s
Details
CI / Audit (CVEs) (pull_request) Successful in 5m38s
Details
CI / D-02 Clean Build Gate (pull_request) Successful in 6m21s
Details
CI / Coverage (80% gate) (pull_request) Successful in 7m52s
Details
CI / RSS gate (P-15) (pull_request) Successful in 5m27s
Details
CI / Build (release) (pull_request) Successful in 6m50s
Details
CI / PR Size Check (pull_request) Successful in 13s
Details
CI / CI Report (pull_request) Successful in 4s
Details
d872679b62 
- Replace naive line-comment strip with a full state-machine parser
  (handles block comments, string literals, template literals, regex)
- Expand UI integration tests for graph routes
- Update phase-8 docs and todo with completed items
- Minor CI and HTML/JS fixes
refactor: split assets.rs test module to pass file-length gate
All checks were successful
CI / Detect Changes (pull_request) Successful in 12s
Details
CI / Security Scan (pull_request) Successful in 18s
Details
CI / Format (pull_request) Successful in 20s
Details
CI / Benchmarks (pull_request) Has been skipped
Details
CI / Integration Tests (pull_request) Has been skipped
Details
CI / Conventional Validation (pull_request) Successful in 49s
Details
CI / Check file lengths (pull_request) Successful in 35s
Details
CI / Clean Build Sample 1 (pull_request) Has been skipped
Details
CI / Clean Build Sample 2 (pull_request) Has been skipped
Details
CI / Clean Build Sample 3 (pull_request) Has been skipped
Details
CI / Clean Build Summary (pull_request) Has been skipped
Details
CI / Documentation (pull_request) Successful in 2m24s
Details
CI / Check (linux-aarch64 compile-validation) (pull_request) Successful in 2m48s
Details
CI / Clippy (pull_request) Successful in 2m57s
Details
CI / Deny (pull_request) Successful in 6m1s
Details
CI / Audit (CVEs) (pull_request) Successful in 6m50s
Details
CI / D-02 Clean Build Gate (pull_request) Successful in 6m45s
Details
CI / Test (pull_request) Successful in 7m46s
Details
CI / Coverage (80% gate) (pull_request) Successful in 8m34s
Details
CI / RSS gate (P-15) (pull_request) Successful in 5m59s
Details
CI / Build (release) (pull_request) Successful in 7m25s
Details
CI / PR Size Check (pull_request) Successful in 11s
Details
CI / CI Report (pull_request) Successful in 4s
Details
61b744c08c 
assets.rs exceeded 930 lines (hard ceiling 800) due to a large
inline test module. Move the test body to
transport/ui/tests/assets.rs (excluded from the gate by directory
name) and redirect with #[path = "tests/assets.rs"] mod tests;.
jesse merged commit d1705147ac into main 2026-05-11 22:36:49 +02:00
jesse deleted branch phase-8/dashboard-ui-pr4-graph 2026-05-11 22:36:49 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
jesse/cognix!73
No description provided.