fix(app): separate session and execution scopes

[Astro-Han]

Summary

• Adds explicit SessionScope, ExecutionScope, PromptRouteScope, and submit/follow-up readiness helpers.
• Migrates timeline cache, follow-up persistence/action state, prompt rollback, revert, review/VCS, and artifact history to scoped ownership.
• Adds a diagnostics-backed E2E regression for the real enter-worktree -> exit-worktree -> follow-up path with a long rendered timeline.

Why

#441 requires session identity and execution directory to be modeled separately. The old code mixed bare sessionID, route directory, and async result ownership in several places, which could reuse timeline/follow-up/review state across the wrong server or execution context and could collapse long timelines after worktree execution changes.

Related Issue

Closes #441.

Human Review Status

Pending. A human should make the final merge decision after reviewing the final diff and verification evidence.

Review Focus

• packages/app/src/pages/session/use-session-timeline-data.ts: last-good timeline cache now follows durable SessionScope.
• packages/app/src/pages/session/use-session-followups.ts: v2 scoped queue plus scoped failed/paused/edit/busy/mutation state.
• packages/app/src/components/prompt-input/submit.ts: command hydration gates slash text without blocking shell /bin/..., and rollback uses captured prompt route scope.
• packages/app/src/pages/session/use-session-review-state.ts and use-session-revert.ts: stale async results are guarded by ExecutionScope.
• packages/app/e2e/session/session-renderer-diagnostics.spec.ts: long timeline regression should prove no remount, no rendered-count reset, no post-follow-up top jump, and correct post-exit send directory.

Risk Notes

• This touches shared session wiring and persistence keys. The follow-up queue uses session-followup.v2; old v1 unscoped queued drafts are intentionally not auto-migrated.
• Manual Electron smoke was not run in this Codex environment. The original [Bug] exit-worktree triggers full session view teardown/rebuild, causing timeline flash, layout shift, and scroll-to-top #432/[Task] Stage 2: separate session identity from execution directory #441 long-timeline path is covered by the focused Playwright diagnostics E2E.

How To Verify

Focused scope/unit tests: 40 passed
Typecheck: ok
Focused diagnostics E2E: 2 passed
Full app unit suite: 998 passed
Diff check: no whitespace errors
Follow-up old-key grep: no stale sessionID keying matches

Long-timeline E2E evidence:

Path: real enter-worktree -> exit-worktree -> follow-up
Timeline mount count: 1
Timeline unmount count: 0
Post-follow-up rendered count: >= 80
Post-follow-up near-top scroll samples: none
Follow-up send directory after exit-worktree: project root

Screenshots or Recordings

Not included. This PR changes session state ownership and scroll behavior; the visible regression is covered by diagnostics-backed E2E rather than a static screenshot.

Checklist

• Human review status is stated above as pending, approved, or not required
• I linked the related issue, or stated why there is no issue
• This PR has type, primary area, and priority labels, or I requested maintainer labeling
• I described the review focus and any meaningful risks
• I listed the relevant verification steps and the key result for each
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope
• I manually checked visible UI or copy changes when needed, with screenshots or recordings
• I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes
• I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant
• I reviewed the final diff for unrelated changes and suspicious dependency changes
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English

Summary by CodeRabbit

• New Features

  • Added command readiness gating; prompts now wait for command availability before submission
  • Introduced execution scope tracking across servers and directories for improved multi-server session management
  • Enhanced follow-up behavior with scope-aware submission control

• Improvements

  • Improved timeline stability across worktree transitions and directory changes
  • Better session state recovery with scope-based revert snapshots preventing stale operations
  • Refined scroll-resume behavior after composer submission

[coderabbitai]

Warning

Rate limit exceeded

@Astro-Han has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 33 minutes and 14 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8c3c38b2-016c-4514-908f-826283452175

📥 Commits

Reviewing files that changed from the base of the PR and between 84109e9 and 7f04bcd.

📒 Files selected for processing (6)

• packages/app/e2e/session/session-renderer-diagnostics.spec.ts
• packages/app/src/context/global-sync/bootstrap.test.ts
• packages/app/src/pages/session/session-layout.test.ts
• packages/app/src/pages/session/session-layout.ts
• packages/app/src/pages/session/use-session-followups.test.ts
• packages/app/src/pages/session/use-session-followups.ts

📝 Walkthrough

Walkthrough

This PR implements Stage 2 of session identity and execution scope separation. It introduces SessionScope (serverKey + sessionID) to key timeline/followup identity and ExecutionScope (serverKey + directory + epoch) to gate async mutation results. Command-readiness state gating prevents slash-command submission until command hydration completes. Follow-ups are persisted and validated by scope; revert/restore/review results are rejected when scope is stale. A comprehensive e2e test verifies long-timeline stability across worktree entry/exit.

Changes

Session & Execution Scope Separation

Layer / File(s)	Summary
Scope Types src/pages/session/session-scope.ts, src/pages/session/execution-scope.ts, src/pages/session/prompt-route-scope.ts	Introduces SessionScope (serverKey + sessionID), ExecutionScope (serverKey + directory + epoch), and PromptRouteScope; provides serialization, comparison, and equality helpers.
Command Readiness State src/context/global-sync/types.ts, src/context/global-sync/bootstrap.ts, src/context/global-sync/child-store.ts	Adds command_ready: boolean to sync State; initializes to false during bootstrap, sets to true on successful command list fetch, false on error.
Action Readiness Gating src/pages/session/session-action-readiness.ts, src/components/prompt-input/submit.ts	Introduces readiness helpers that gate prompt/followup submission on command hydration; blocks "normal" mode slash commands until command_ready; exports followupCommandText helper.
Timeline Identity src/pages/session/session-view-controller.ts, src/pages/session/use-session-timeline-data.ts	Refactors session identity from sessionID-based to SessionScope-based; compares scopes for same-session detection; derives timeline identity from scope key.
Scope-Aware Mutations src/pages/session/use-session-followups.ts, src/pages/session/use-session-revert.ts, src/pages/session/use-session-review-state.ts	Stores source scope with followup drafts, validates before sending; gates revert/restore by execution scope equality; gates VCS diffs and artifact history by scope.
Layout & Routing src/pages/session/session-layout.ts, src/pages/session/file-tabs.tsx, src/pages/session/message-timeline.tsx, src/pages/session/session-side-panel.tsx, src/pages/session/composer/session-composer-region.tsx	Introduces sessionRouteLayoutKey and useSessionRouteKey; updates layout memoization and session handoff to use route-derived layout keys.
Session Page Integration src/pages/session.tsx	Threads serverKey into timeline data; creates execution scope tracker; passes execution scope to review state; adds scroll-resume-if-following helper; threads session scope into followups.
Unit Tests src/pages/session/*.test.ts, src/context/global-sync/*.test.ts, src/components/prompt-input/submit.test.ts	Comprehensive unit tests for scope types, readiness gating, scope-aware mutations, stale-result rejection, command-hydration blocking, and cross-server scope separation.
E2E Regression packages/app/e2e/session/session-renderer-diagnostics.spec.ts	Tests long-timeline stability across worktree entry/exit; verifies rendered counts remain stable, follow-up sends to correct directory, timeline events are correct, and no scroll-jump pattern occurs.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~70 minutes

Possibly related issues

• Astro-Han/pawwork#441: This PR directly implements the Stage 2 task objectives—separating session identity from execution directory, defining SessionScope and ExecutionScope, blocking slash-command submit on command readiness, gating async mutations by scope, and adding a long-timeline regression test.

Possibly related PRs

• Astro-Han/pawwork#436: Both PRs refactor session timeline identity, followup/revert scoping, and readiness gating; overlapping changes in session-view-controller, use-session-followups, use-session-timeline-data, and execution/session scope utilities.
• Astro-Han/pawwork#424: Both PRs modify session view/state logic (session-view-controller, session page visibility) and session opening behavior.
• Astro-Han/pawwork#313: Both PRs touch session timeline identity and visibility logic to prevent blank/unmounted timelines during scope transitions.

Suggested labels

bug

---

🐰 In scope-lands new and bright,
Sessions dance by server key's light,
Epochs tick, old results fall away,
Stale mutations dare not stay—
Worktrees wend, timelines stay strong,
Follow-ups find their rightful home. 🏡

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 1.64% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(app): separate session and execution scopes' clearly and concisely summarizes the main change, following Conventional Commits format and directly reflecting the primary objective.
Description check	✅ Passed	The PR description is comprehensive and follows the template structure with all major sections: Summary, Why, Related Issue, Human Review Status, Review Focus, Risk Notes, How To Verify, and Checklist completed.
Linked Issues check	✅ Passed	The code changes comprehensively implement the requirements from issue #441: defines SessionScope and ExecutionScope types, migrates timeline cache/follow-ups/revert/review to scoped ownership, gates command submission on command readiness, and adds diagnostics-backed E2E regression for long-timeline path.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with #441 scope: introducing scope types, migrating session/execution state to scoped ownership, adding readiness gates, and including the long-timeline E2E regression test. No unrelated refactors or extraneous changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/i441-session-execution-scope

[gemini-code-assist]

Code Review

This pull request implements a comprehensive scoping system for sessions and execution environments, introducing ExecutionScope and SessionScope to track server, directory, and epoch changes. Key improvements include blocking slash command submissions until command hydration is complete and ensuring that follow-ups, reverts, and review states are correctly scoped to prevent stale data application during context shifts like worktree transitions. Review feedback suggests removing trimStart() from the command detection logic to maintain consistency with actual submission behavior and updating a mock signature in tests for better alignment with the new API.

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/app/src/pages/session/use-session-followups.ts (1)

147-176: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Track pending sends independently of useMutation.variables.

This busy check is unsafe when multiple sessions have concurrent follow-up sends. TanStack Query v5 allows overlapping mutateAsync() calls on the same mutation instance to run in parallel, and the variables field only reflects the last call. If a user sends a follow-up in Session A (isPending=true, variables.key="A"), then quickly switches to Session B and sends there (variables.key becomes "B"), the check at line 231 (followupBusy(key) for A) will return false even though A's mutation is still in flight. This allows duplicate sends.

Maintain a local pending-by-key set or use useMutationState with mutationKey to track all in-flight mutations independently of the single variables object. Alternatively, serialize follow-up sends globally via the mutation's scope option.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/app/src/pages/session/use-session-followups.ts` around lines 147 -
176, The busy check using followupMutation.isPending and
followupMutation.variables is unsafe for concurrent sends; update followupBusy
to track in-flight sends per session key instead of relying on
useMutation.variables by adding a local Set (e.g., pendingFollowups) or using
useMutationState/mutationKey to record each mutateAsync start and finish for
followupMutation; ensure followupMutation's mutationFn (and callers) add the
params.key to pendingFollowups before sending and remove it on both success and
error, and change followupBusy(key) to check pendingFollowups.has(key) (or use
the per-mutation state) so concurrent sends for different keys are tracked
independently from followupMutation.variables.

🧹 Nitpick comments (1)

packages/app/src/context/global-sync/bootstrap.test.ts (1)

372-428: ⚡ Quick win

Add a rejection-path test for command hydration.

This test covers the pending/success path well, but not the failure path where bootstrap should keep command_ready === false and clear command. Adding that assertion would lock in the error-handling contract from bootstrapDirectory.

Proposed test addition

+  test("keeps command readiness false and clears commands when command list fails", async () => {
+    const directory = "/tmp/project"
+    const queryClient = new QueryClient()
+    const [store, setStore] = createStore(createState())
+    setStore("command", [{ name: "stale" }] as State["command"])
+    const commandError = new Error("command list failed")
+
+    const sdk = {
+      app: { agents: async () => ({ data: [] }) },
+      config: { get: async () => ({ data: {} as Config }) },
+      session: { status: async () => ({ data: {} }), get: async () => ({ data: undefined }) },
+      project: { current: async () => ({ data: { id: "project-1" } }) },
+      path: { get: async () => ({ data: { state: "", config: "", worktree: "", directory, home: "" } as Path }) },
+      vcs: { get: async () => ({ data: undefined }) },
+      command: { list: async () => { throw commandError } },
+      permission: { list: async () => ({ data: [] }) },
+      question: { list: async () => ({ data: [] }) },
+      blocker: { list: async () => ({ data: [] }) },
+      mcp: { status: async () => ({ data: {} }) },
+      provider: { list: async () => ({ data: { all: [], connected: [], default: {} } }) },
+    } as any
+
+    await bootstrapDirectory({
+      directory,
+      sdk,
+      store,
+      setStore,
+      vcsCache: createVcsCache(),
+      loadSessions: () => undefined,
+      translate: (key) => key,
+      global: {
+        config: {} as Config,
+        path: { state: "", config: "", worktree: "", directory: "", home: "" } as Path,
+        project: [] as Project[],
+        provider: { all: [], connected: [], default: {} },
+      },
+      queryClient,
+    })
+
+    await waitFor(() => store.command_ready === false)
+    expect(store.command).toEqual([])
+  })

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/app/src/context/global-sync/bootstrap.test.ts` around lines 372 -
428, Add a new test in the same suite that simulates the command.list rejecting:
reuse the same setup from the "resets command readiness until command list
hydrates" test (the deferred command and sdk.command.list) but instead of
resolving the deferred call command.reject(new Error("...")); after
bootstrapDirectory has started, then assert that store.command_ready remains
false and store.command is cleared/empty (matching how bootstrapDirectory should
handle errors). Ensure you reference the existing deferred variable named
command, the bootstrapDirectory call, and the store properties command_ready and
command so the test targets the rejection path and verifies the error-handling
contract.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/app/e2e/session/session-renderer-diagnostics.spec.ts`:
- Around line 311-338: Before sending the follow-up, call readPromptSent() and
store its value, then after sendVisiblePrompt({ page, text: followupText })
re-call readPromptSent() and assert that the relevant counter/sequence field
(the property that indicates progression in the returned object from
readPromptSent()) has advanced and still matches session.id and
project.directory; update the assertions around sent to compare the "before" and
"after" results to ensure the follow-up caused a new send rather than reading
stale metadata from the prior "exit diagnostics worktree" submit, referencing
readPromptSent, sendVisiblePrompt, session.id and project.directory to locate
the checks.
- Around line 158-174: The helper expandRenderedTimeline uses a fixed sleep
(page.waitForTimeout(100)) which makes the test timing-dependent; remove that
sleep and instead wait for observable state after the wheel action by polling
the count of sessionMessageItemSelector until it increases (e.g., capture the
previous count, call page.mouse.wheel(0, -2400), then use expect.poll or a
locator.waitFor pattern to wait until
page.locator(sessionMessageItemSelector).count() is > previousCount or >=
target); update the loop in expandRenderedTimeline (which references
scrollViewportSelector and sessionMessageItemSelector) to rely solely on polling
the message count after the wheel event rather than a fixed timeout.

In `@packages/app/src/pages/session/execution-scope.ts`:
- Around line 3-7: ExecutionScope currently only tracks serverKey, directory and
epoch which allows stale async tasks to appear current if client/store/setter
instances change; add an explicit owner identity field (e.g., ownerId or
executionOwner) to the ExecutionScope type and populate it wherever
ExecutionScope instances are created, then update shouldApplyExecutionResult to
compare this owner field in addition to serverKey/directory/epoch so late work
cannot write into the wrong owner; alternatively, if you prefer not to add a
field, ensure every code path that recreates client/store/setter reliably
increments epoch whenever those references change and update all places that
construct ExecutionScope and call shouldApplyExecutionResult accordingly.

In `@packages/app/src/pages/session/session-layout.test.ts`:
- Around line 7-10: Add a test case that passes dir: undefined to
sessionRouteLayoutKey to ensure the function doesn't produce the string
"undefined"; specifically update the test in session-layout.test.ts to call
sessionRouteLayoutKey({ dir: undefined, id: "ses_1" }) (and optionally { dir:
undefined, id: undefined }) and assert the expected fallback key (e.g., "ses_1"
for the first case) so the layout key behavior is locked down for undefined dir
values.

In `@packages/app/src/pages/session/session-layout.ts`:
- Around line 6-8: sessionRouteLayoutKey is producing the string "undefined"
when params.dir is undefined; change the function to coalesce params.dir to an
empty string (e.g. use params.dir ?? "" or String(params.dir || "")) before
building the key so you never stringify undefined, and keep the existing id
concatenation (use params.id ? "/" + params.id : "") so keys become "" or "/id"
instead of "undefined" or "undefined/id".

---

Outside diff comments:
In `@packages/app/src/pages/session/use-session-followups.ts`:
- Around line 147-176: The busy check using followupMutation.isPending and
followupMutation.variables is unsafe for concurrent sends; update followupBusy
to track in-flight sends per session key instead of relying on
useMutation.variables by adding a local Set (e.g., pendingFollowups) or using
useMutationState/mutationKey to record each mutateAsync start and finish for
followupMutation; ensure followupMutation's mutationFn (and callers) add the
params.key to pendingFollowups before sending and remove it on both success and
error, and change followupBusy(key) to check pendingFollowups.has(key) (or use
the per-mutation state) so concurrent sends for different keys are tracked
independently from followupMutation.variables.

---

Nitpick comments:
In `@packages/app/src/context/global-sync/bootstrap.test.ts`:
- Around line 372-428: Add a new test in the same suite that simulates the
command.list rejecting: reuse the same setup from the "resets command readiness
until command list hydrates" test (the deferred command and sdk.command.list)
but instead of resolving the deferred call command.reject(new Error("..."));
after bootstrapDirectory has started, then assert that store.command_ready
remains false and store.command is cleared/empty (matching how
bootstrapDirectory should handle errors). Ensure you reference the existing
deferred variable named command, the bootstrapDirectory call, and the store
properties command_ready and command so the test targets the rejection path and
verifies the error-handling contract.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: d9f1026e-9daa-4ff7-9302-0e5592e57578

📥 Commits

Reviewing files that changed from the base of the PR and between 0b2d670 and 84109e9.

📒 Files selected for processing (34)

• packages/app/e2e/session/session-renderer-diagnostics.spec.ts
• packages/app/src/components/prompt-input/submit.test.ts
• packages/app/src/components/prompt-input/submit.ts
• packages/app/src/context/global-sync/bootstrap.test.ts
• packages/app/src/context/global-sync/bootstrap.ts
• packages/app/src/context/global-sync/child-store.ts
• packages/app/src/context/global-sync/event-reducer.test.ts
• packages/app/src/context/global-sync/types.ts
• packages/app/src/pages/session.tsx
• packages/app/src/pages/session/composer/session-composer-region.tsx
• packages/app/src/pages/session/execution-scope.test.ts
• packages/app/src/pages/session/execution-scope.ts
• packages/app/src/pages/session/file-tabs.tsx
• packages/app/src/pages/session/message-timeline.tsx
• packages/app/src/pages/session/prompt-route-scope.test.ts
• packages/app/src/pages/session/prompt-route-scope.ts
• packages/app/src/pages/session/session-action-readiness.test.ts
• packages/app/src/pages/session/session-action-readiness.ts
• packages/app/src/pages/session/session-layout.test.ts
• packages/app/src/pages/session/session-layout.ts
• packages/app/src/pages/session/session-scope.test.ts
• packages/app/src/pages/session/session-scope.ts
• packages/app/src/pages/session/session-side-panel.test.tsx
• packages/app/src/pages/session/session-side-panel.tsx
• packages/app/src/pages/session/session-view-controller.test.ts
• packages/app/src/pages/session/session-view-controller.ts
• packages/app/src/pages/session/use-session-followups.test.ts
• packages/app/src/pages/session/use-session-followups.ts
• packages/app/src/pages/session/use-session-revert.test.ts
• packages/app/src/pages/session/use-session-revert.ts
• packages/app/src/pages/session/use-session-review-state.test.ts
• packages/app/src/pages/session/use-session-review-state.ts
• packages/app/src/pages/session/use-session-timeline-data.test.ts
• packages/app/src/pages/session/use-session-timeline-data.ts

[Astro-Han]

CodeRabbit non-inline follow-up handled in 7f04bcd:

• Outside diff: replaced follow-up busy/sending state based on useMutation.variables with a local pending-by-scoped-key map, and added coverage for duplicate sends while a scoped key is pending.
• Nitpick: added a command-list rejection test proving command_ready remains false and stale commands are cleared.
• Inline threads: fixed the two diagnostics E2E assertions and the session route layout key fallback; left the ExecutionScope owner suggestion out with the technical reason in-thread.

Verification run:

• bun test --preload ./happydom.ts src/pages/session/use-session-followups.test.ts src/context/global-sync/bootstrap.test.ts src/pages/session/session-layout.test.ts src/pages/session/execution-scope.test.ts
• bun run typecheck from packages/app
• bun run test:e2e -- e2e/session/session-renderer-diagnostics.spec.ts from packages/app
• git diff --check