Skip to content

Chat improvements#30

Merged
ScriptSmith merged 5 commits into
mainfrom
chat-improvements
Apr 25, 2026
Merged

Chat improvements#30
ScriptSmith merged 5 commits into
mainfrom
chat-improvements

Conversation

@ScriptSmith

@ScriptSmith ScriptSmith commented Apr 25, 2026

Copy link
Copy Markdown
Member

No description provided.

@greptile-apps

greptile-apps Bot commented Apr 25, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR ships three improvements: (1) a custom link-safety modal that portals to document.body (fixing scroll-behind-modal on the chat history), with trusted-domain persistence and hardened getDomain against userinfo bypass; (2) an inline display directive on artifact-producing tools so the model can auto-display results without a follow-up display_artifacts call; and (3) a min-w-0 flexbox fix to prevent long code lines from overflowing the chat bubble.

All issues from the previous review round have been addressed: the userinfo (@-syntax) bypass is rejected in getDomain, the setTimeout is cleared via copyTimerRef on unmount, duplicate artifact IDs in getDisplaySelectionForRound are deduplicated with Set, and LLM-controlled regex is guarded by safe-regex with a length cap before execution.

Confidence Score: 5/5

Safe to merge — all prior security and logic findings have been remediated and no new P0/P1 issues were found.

Every issue flagged in the previous review round (userinfo URL bypass, setTimeout leak, duplicate artifact IDs, ReDoS) has been directly addressed in this PR. The new inline-display feature is well-structured: the display argument is stripped before MCP forwarding, built-in executors ignore it safely, safe-regex guards the if_output_matches path, and the sub-agent executor destructures only { task } so the field is never forwarded to the API.

No files require special attention.

Important Files Changed

Filename Overview
ui/src/components/Markdown/linkSafety.tsx New link-safety module with custom modal, trusted-domain localStorage, userinfo bypass fix, and setTimeout cleanup — all prior review concerns addressed
ui/src/pages/chat/utils/toolExecutors.ts Adds DISPLAY_PARAMETER_SCHEMA, applyInlineDisplay, and stripDisplayArg; ReDoS guard via safe-regex with length cap addresses prior finding; subAgentExecutor correctly ignores the display field
ui/src/components/MultiModelResponse/MultiModelResponse.tsx getDisplaySelectionForRound now merges display_selection artifacts from all executions with deduplication via Set, fixing the previous duplicate-ID concern
ui/src/pages/chat/useChat.ts Injects DISPLAY_PARAMETER_SCHEMA into all artifact-producing tool schemas (built-in and MCP); MCP injection handles missing/null properties safely
ui/src/components/ChatMessage/ChatMessage.tsx Adds min-w-0 to flex containers to prevent long code lines from overflowing the 85% max-width bubble
ui/src/components/ChatMessage/ChatMessage.stories.tsx Adds WithLongCodeLine regression story with play-function assertions to verify code block stays within bubble bounds
ui/src/components/Markdown/Markdown.tsx Wires linkSafety into the static Markdown renderer via the Streamdown linkSafety prop
ui/src/components/StreamingMarkdown/StreamingMarkdown.tsx Wires linkSafety into the streaming Markdown renderer; linkSafety object is module-level so no re-render churn
ui/package.json Adds safe-regex and @types/safe-regex dependencies for ReDoS guard
ui/pnpm-lock.yaml Lockfile updated with safe-regex@2.1.1 and regexp-tree@0.1.27 resolution snapshots

Sequence Diagram

sequenceDiagram
    participant Model
    participant executeToolCalls
    participant Executor as Tool Executor (built-in / MCP)
    participant applyInlineDisplay
    participant MultiModelResponse

    Model->>executeToolCalls: tool_call { name, arguments: { ...params, display: { when, match, layout } } }
    executeToolCalls->>Executor: toolCall (MCP: stripDisplayArg strips display first)
    Executor-->>executeToolCalls: ToolExecutionResult { success, artifacts[] }
    executeToolCalls->>applyInlineDisplay: (toolCall, result)
    note over applyInlineDisplay: Reads display directive from toolCall.arguments<br/>Runs safeRegex + length cap for if_output_matches<br/>Appends display_selection artifact if condition met
    applyInlineDisplay-->>executeToolCalls: result (with optional display_selection artifact)
    executeToolCalls-->>MultiModelResponse: results map
    MultiModelResponse->>MultiModelResponse: getDisplaySelectionForRound merges all display_selection artifacts, deduplicates IDs via Set
    MultiModelResponse-->>Model: rendered artifact panel
Loading

Reviews (2): Last reviewed commit: "Review fixes" | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 25, 2026
View reviewed changes
Comment thread ui/src/components/Markdown/linkSafety.tsx
Comment thread ui/src/pages/chat/utils/toolExecutors.ts
Comment thread ui/src/components/MultiModelResponse/MultiModelResponse.tsx
Comment thread ui/src/components/Markdown/linkSafety.tsx
@ScriptSmith

ScriptSmith commented Apr 25, 2026

Copy link
Copy Markdown
Member Author

@greptile-apps

@ScriptSmith ScriptSmith merged commit 654a47a into main Apr 25, 2026
20 checks passed
@ScriptSmith ScriptSmith deleted the chat-improvements branch May 30, 2026 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ScriptSmith