feat: add core JavaScript modules for website functionality (Fortress PR #190-B)

[uelkerd]

🚨 FORTRESS STRATEGY IMPLEMENTED - PR SUPERSEDED

⚠️ This PR Has Been Successfully Split

Original Problem: This PR contained 13 files - a massive fortress compliance violation that made it difficult to review and prone to integration issues.

Solution Implemented: Hybrid Fortress Strategy - Split by system boundaries while respecting fortress file limits.

🏰 Fortress Compliance Transformation

Before (VIOLATION):

❌ 1 PR with 13 files (massive fortress breach)

• Complex, interdependent changes across multiple systems
• Overwhelming code review burden
• High integration risk
• Difficult rollback scenarios

After (COMPLIANT):

✅ 3 PRs with 4, 5, and 4 files respectively

• PR feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203: Platform Foundation (4 files) - Infrastructure ✅
• PR feat: add UI System Components (Hybrid Fortress PR #201-B) #204: UI System Components (5 files) - Core modules ✅
• PR feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205: Audio & Integration (4 files) - Complete system ✅

📋 Root Cause Analysis

The Real Problem:

This wasn't just a file count issue - it was a systems architecture problem disguised as a file management problem.

What Went Wrong:

1. Dependency Web Explosion: JavaScript modules became interdependent during development
2. Scope Creep: Testing infrastructure and notification systems added mid-development
3. Architecture Shift: Transformed from simple scripts to complex module system
4. Fortress Mismatch: Applied file-based fortress to system-based architecture

Critical Learning:

• File-based fortress ≠ System-based fortress
• Dependencies matter more than file counts
• Runtime integration requires careful boundary planning

🎯 Hybrid Fortress Strategy Applied

System Boundary Approach:

Instead of arbitrary file splitting, we split by functional system boundaries:

1. Platform Foundation (PR feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203): Package management + testing infrastructure
2. UI System (PR feat: add UI System Components (Hybrid Fortress PR #201-B) #204): Layout management + notifications + tests
3. Audio & Integration (PR feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205): Voice recording + configuration + demo

Benefits Achieved:

✅ Fortress Compliance: All PRs ≤ 5 files
✅ System Coherence: Each PR represents a complete, testable subsystem
✅ Review Quality: Focused reviews by system expertise
✅ Integration Safety: Clear dependencies and merge order
✅ Rollback Safety: Independent rollback of each subsystem

🔄 Migration Path

Merge Order (Dependencies):

1. First: PR feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203 (Platform Foundation) - Enables testing for others
2. Second: PR feat: add UI System Components (Hybrid Fortress PR #201-B) #204 (UI System) - Provides UI components
3. Final: PR feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205 (Audio & Integration) - Completes the system

Validation Strategy:

• Each PR passes fortress guard independently
• Contract testing between modules
• End-to-end integration testing after all merges
• Comprehensive rollback procedures documented

📊 Success Metrics

Fortress Compliance:

• Before: 1 PR × 13 files = 🚨 VIOLATION
• After: 3 PRs × (4+5+4) files = ✅ COMPLIANT

Review Efficiency:

• Before: 1 massive review covering 5+ domains
• After: 3 focused reviews by system specialization

Integration Risk:

• Before: All-or-nothing integration with 13-file failure risk
• After: Staged integration with isolated rollback capability

🛡️ Risk Mitigation Achieved

Technical Risks Eliminated:

• Merge Conflicts: Reduced through clean system boundaries
• Integration Failures: Staged approach with contract validation
• Review Fatigue: Focused, manageable review scope per PR
• Rollback Complexity: Independent component rollback capability

Process Improvements:

• Dependency Clarity: Clear merge order and requirements
• Testing Strategy: System-specific validation approaches
• Documentation: Complete strategy documentation for future reference

🎉 Final Outcome

This PR is now SUPERSEDED by:

• PR feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203: feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203 ✅
• PR feat: add UI System Components (Hybrid Fortress PR #201-B) #204: feat: add UI System Components (Hybrid Fortress PR #201-B) #204 ✅
• PR feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205: feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205 ✅

Next Steps:

1. ✅ Review and merge PR feat: add Platform Foundation infrastructure (Hybrid Fortress PR #201-A) #203 (Platform Foundation)
2. ✅ Review and merge PR feat: add UI System Components (Hybrid Fortress PR #201-B) #204 (UI System Components)
3. ✅ Review and merge PR feat: add Audio & Integration system (Hybrid Fortress PR #201-C) #205 (Audio & Integration)
4. ✅ Validate complete end-to-end system functionality
5. ✅ Document lessons learned for future fortress strategy application

📚 Lessons for Future Development

Fortress Strategy Evolution:

• Traditional Fortress: File count limits
• Hybrid Fortress: System boundary limits with file count compliance
• Future Application: Plan system boundaries BEFORE development begins

Architecture Planning:

• Consider runtime dependencies in fortress planning
• Design system boundaries for independent testing
• Plan testing infrastructure as separate fortress unit
• Document integration contracts between system boundaries

---

🏰 Fortress Strategy Successfully Applied
✅ 13-file violation → 3 compliant PRs
✅ System integrity maintained
✅ Review quality improved
✅ Integration risk minimized

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

[sourcery-ai]

Sorry @uelkerd, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds multiple frontend modules (config, layout manager, notification manager, voice recorder), test harness and Vitest config, and a package.json. Also injects notification-manager.js twice into comprehensive-demo.html (one in <head>, one before </body>).

Changes

Cohort / File(s)	Summary of Changes
HTML script includes website/comprehensive-demo.html	Adds two <script> tags for js/notification-manager.js: one after js/config.js in the <head> and another after Bootstrap JS near the end of <body>, resulting in the module being loaded twice.
Configuration website/js/config.js	Replaces/expands window.SAMO_CONFIG with BASE_URL, restructured ENDPOINTS (EMOTION, SUMMARIZE, JOURNAL, VOICE_JOURNAL, READY, TRANSCRIBE, OPENAI_PROXY, HEALTH), OPENAI, EXTERNAL, ENVIRONMENT, DEBUG, FEATURES; adds getApiUrl and getWebSocketUrl, deepMerge, redactSensitiveValues, server-injection via window.SAMO_SERVER_CONFIG, localhost dev overrides, and conditional redacted debug logging.
Layout manager website/js/layout-manager.js	New LayoutManager global handling processing lifecycle, concurrency guards, active request tracking, watchdog/reset logic, UI state transitions (input/processing/loading/results), progress-step APIs, debug toggle, and global wrappers processTextWithStateManagement / clearAllWithStateManagement.
Notification system website/js/notification-manager.js	New NotificationManager class and singleton at window.NotificationManager providing capped concurrent toasts (default max 3), type themes, auto-dismiss, close button, animations, queue/ignore behavior when full, clearAll, getActiveCount, and legacy wrappers window.showSuccess/Error/Info/Warning.
Voice recording website/js/voice-recorder.js	New VoiceRecorder class exposing window.voiceRecorder: getUserMedia + MediaRecorder capture, chunking, blob→File conversion, integration hook apiClient.transcribeAudio, UI bindings, timers/status, error handling, and use of LayoutManager/NotificationManager where available.
Tests & test config website/test/*, website/test/setup.js, website/vitest.config.js	Adds Vitest config and test setup; new unit tests for config, layout-manager, notification-manager. Mocks media/fetch for tests and config scaffolding for test environment.
Package manifest website/package.json	New frontend package manifest with devDependencies (vitest, jsdom, eslint), scripts for test/lint, type: "module", and node engine constraint.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant UI as UI (Buttons/Indicators)
  participant VR as VoiceRecorder
  participant MR as MediaRecorder
  participant API as API Client (transcribeAudio)
  participant LM as LayoutManager
  participant NM as NotificationManager

  User->>UI: Click "Record"
  UI->>VR: startRecording()
  VR->>VR: navigator.mediaDevices.getUserMedia()
  VR->>MR: new MediaRecorder(stream)
  UI->>VR: show recording indicator
  MR-->>VR: dataavailable (chunks)
  User->>UI: Click "Stop"
  UI->>VR: stopRecording()
  MR-->>VR: stop + final data
  VR->>VR: Build Blob -> File
  VR->>LM: showProcessingState() [optional]
  VR->>API: transcribeAudio(file)
  alt Success
    API-->>VR: transcription
    VR->>UI: display transcription
    VR->>LM: showResultsState()
    VR->>NM: success(...)
  else Error
    API--x VR: error
    VR->>LM: resetToInitialState()
    VR->>NM: error(...)
  end

Loading

sequenceDiagram
  autonumber
  participant App as Application
  participant LM as LayoutManager
  participant API as API Requests
  participant UI as Views

  App->>LM: canStartProcessing()
  alt allowed
    LM->>LM: startProcessing()
    LM->>UI: showProcessingState()
    par request tracking
      LM->>LM: addActiveRequest(ctrl)
      App->>API: send requests
    and watchdog
      LM->>LM: monitor maxProcessingTime
    end
    API-->>App: response/error
    App->>LM: removeActiveRequest(ctrl)
    alt all done
      LM->>UI: showResultsState()
      LM->>LM: endProcessing()
    else still in-flight
      LM->>LM: wait or cancelActiveRequests()
    end
  else blocked
    LM-->>App: deny start
  end

Loading

sequenceDiagram
  autonumber
  participant Any as Any Module
  participant NM as NotificationManager
  participant DOM as Toast Container

  Any->>NM: show(type,message,duration)
  alt active < max
    NM->>DOM: create toast element
    NM->>DOM: animate in
    Note right of NM: auto-dismiss timer / close button
    DOM-->>NM: timeout or close clicked
    NM->>DOM: animate out and remove
  else at limit
    NM-->>Any: ignore new toast (log warning)
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• Website Demo Page from PR #169 (Part 2/4) #192: Modifies website/comprehensive-demo.html script includes and introduces modular frontend scripts — strong overlap in HTML/script changes.
• feat: enhance website HTML files and configuration (Fortress PR #190-A) #200: Adjusts comprehensive-demo.html script ordering around js/config.js, likely related to script-load sequencing and config injection.

Poem

I thump my paws—new scripts arrive,
Toasts hop out, three at a time alive.
Configs burrow deep and flags abide,
Layouts steady-state, requests they guide.
I sip the mic—record, transcribe, delight! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title succinctly summarizes the key change—adding core JavaScript modules for website functionality—and correctly uses a conventional “feat:” prefix to denote a feature addition while avoiding vague or overly detailed phrasing. It aligns with the content of the pull request and clearly conveys the main focus to reviewers.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/website-js-core

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @uelkerd, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is the second part of a larger initiative to refactor the website's JavaScript into a modular, 'fortress-compliant' architecture. It focuses on establishing foundational client-side capabilities by introducing dedicated modules for managing application configuration, orchestrating UI states and transitions, and enabling advanced voice recording features. These changes lay the groundwork for subsequent integrations and enhance the overall maintainability and scalability of the frontend.

Highlights

• Centralized Configuration: Introduced config.js to centralize API endpoints, OpenAI settings, external service URLs, and environment-specific flags, including utility functions for deep merging and sensitive data redaction.
• UI Layout and State Management: Added layout-manager.js which provides a LayoutManager object to control UI states (initial, processing, results), manage concurrent operations, track active API requests, and handle smooth UI transitions and progress step updates.
• Voice Recording Functionality: Implemented voice-recorder.js with a VoiceRecorder class that manages microphone access, audio recording using the MediaRecorder API, and processing recorded audio for transcription, including robust error handling and UI feedback.
• Modular Design and Error Handling: All new modules are designed with a clean separation of concerns, utilizing ES6 modules where appropriate, and include comprehensive error handling mechanisms to improve robustness and maintainability.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[deepsource-io]

Here's the code health analysis summary for commits af71436..729bd41. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
Test coverage	⚠️ Artifact not reported	Timed out: Artifact was never reported	View Check ↗
Python	✅ Success		View Check ↗
Terraform	✅ Success		View Check ↗
Secrets	✅ Success		View Check ↗
Shell	✅ Success		View Check ↗
Docker	✅ Success		View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[Copilot]

Pull Request Overview

This PR adds core JavaScript modules for the SAMO website, providing foundational functionality including configuration management, layout state management, and voice recording capabilities. This is part 2 of a 3-part fortress strategy to split a larger PR.

Key changes include:

• Centralized configuration system with environment-specific settings and API endpoint definitions
• Comprehensive layout manager for UI state transitions and processing flow control
• Advanced voice recording module with MediaRecorder API integration and transcription workflow

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
website/js/config.js	Centralized configuration with API endpoints, environment detection, and security redaction
website/js/layout-manager.js	UI state management, processing flow control, and progress tracking
website/js/voice-recorder.js	Audio recording functionality with error handling and transcription integration

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[gemini-code-assist]

Code Review

This pull request introduces three core JavaScript modules for configuration, layout management, and voice recording. The code is generally well-structured and includes robust features like state management and error handling. However, I've identified a critical security vulnerability in config.js related to the potential exposure of API keys on the client side. Additionally, both layout-manager.js and voice-recorder.js exhibit tight coupling with global objects and the DOM, which negatively impacts maintainability and testability. My review includes specific suggestions to address these issues by improving security, using dependency injection, and better separating concerns.

[gemini-code-assist]

The resetToInitialState function is tightly coupled to the application's HTML structure and global scope. It directly manipulates numerous DOM elements by their hardcoded IDs (e.g., textInput, resultsLayout) and calls global functions (clearAllResultContent, updateElement).

This approach makes the LayoutManager brittle, difficult to test in isolation, and not reusable. Any changes to the HTML structure or function names in other files will break this module.

A better approach is to use dependency injection. The LayoutManager should receive references to the elements and functions it needs to control, or it should emit events that other parts of the application can listen to. While refactoring the entire module is a larger task, I'm highlighting this function as a key example of the architectural issue.

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

website/comprehensive-demo.html (1)

469-486: Bug: event.target can be the icon; use currentTarget to set active tab

Clicking the icon applies the class to , not the button, breaking active styles.

-            event.target.classList.add('active');
+            (event.currentTarget || event.target).classList.add('active');

🧹 Nitpick comments (16)

website/js/config.js (4)

20-46: Add explicit endpoint for voice transcription to match client usage

The app calls /transcribe/voice (see comprehensive-demo.html), but ENDPOINTS only defines TRANSCRIBE = '/transcribe'. Add a dedicated key for clarity and consistency.

       ENDPOINTS: {
         EMOTION: '/analyze/emotion',
         SUMMARIZE: '/analyze/summarize',
         JOURNAL: '/analyze/journal',
         VOICE_JOURNAL: '/analyze/voice-journal',
         HEALTH: '/health',
         READY: '/ready',
-        TRANSCRIBE: '/transcribe',
+        TRANSCRIBE: '/transcribe',
+        TRANSCRIBE_VOICE: '/transcribe/voice',
         OPENAI_PROXY: '/proxy/openai',

Please confirm which path your API actually exposes so the HTML can be updated to use getApiUrl(SAMO_CONFIG.API.ENDPOINTS.TRANSCRIBE_VOICE).

---

128-139: Fix contradictory comment and broaden localhost detection

The comment says “USE DEPLOYED API FOR DEVELOPMENT” but the code points to a local server. Also include IPv6 localhost.

-// Environment-specific overrides - USE DEPLOYED API FOR DEVELOPMENT
+// Environment-specific overrides - Localhost development
-if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
+if (['localhost', '127.0.0.1', '::1'].includes(window.location.hostname)) {
     window.SAMO_CONFIG.ENVIRONMENT = 'development';
     window.SAMO_CONFIG.DEBUG = true;

     // Use local unified API server (has the correct /analyze/emotion endpoints)
     // This server has the exact endpoints the frontend expects
     window.SAMO_CONFIG.API.BASE_URL = 'https://localhost:8002';
     // Note: ENDPOINTS remain unchanged from production config (no override needed)

-    console.log('🔧 Running in localhost development mode - using local API server at https://localhost:8002');
+    console.log('🔧 Running in localhost development mode - using local API server at https://localhost:8002');
 }

Note: Ensure a trusted cert for https://localhost:8002 to avoid TLS errors, or use a remote dev API to prevent mixed content.

---

141-154: Harden getApiUrl for absolute URLs and normalize input

Guard for fully-qualified endpoints and avoid double slashes.

 window.SAMO_CONFIG.getApiUrl = function(endpoint) {
   const baseUrl = this.API.BASE_URL;
+  if (typeof endpoint === 'string' && /^https?:\/\//i.test(endpoint)) {
+    return endpoint;
+  }
   if (!baseUrl) {
     console.warn('SAMO_CONFIG.API.BASE_URL is not set. Please configure your API endpoint.');
     return null;
   }

   // Remove trailing slash from base URL and leading slash from endpoint
   const cleanBaseUrl = baseUrl.replace(/\/$/, '');
-  const cleanEndpoint = endpoint.startsWith('/') ? endpoint : '/' + endpoint;
+  const cleanEndpoint = ('/' + String(endpoint || '').replace(/^\/+/, ''));
   return cleanBaseUrl + cleanEndpoint;
 };

---

156-172: Mirror getWebSocketUrl behavior for absolute ws URLs and normalization

This allows passing a full ws/wss endpoint and avoids malformed URLs.

 window.SAMO_CONFIG.getWebSocketUrl = function(endpoint) {
   const baseUrl = this.API.BASE_URL;
+  if (typeof endpoint === 'string' && /^wss?:\/\//i.test(endpoint)) {
+    return endpoint;
+  }
   if (!baseUrl) {
     console.warn('SAMO_CONFIG.API.BASE_URL is not set. Cannot create WebSocket URL.');
     return null;
   }

   // Convert HTTPS to WSS
   let wsUrl = baseUrl.replace(/^https:/, 'wss:').replace(/^http:/, 'ws:');

   // Remove trailing slash from base URL and leading slash from endpoint
   wsUrl = wsUrl.replace(/\/$/, '');
-  const cleanEndpoint = endpoint.startsWith('/') ? endpoint : '/' + endpoint;
+  const cleanEndpoint = ('/' + String(endpoint || '').replace(/^\/+/, ''));
   return wsUrl + cleanEndpoint;
 };

website/comprehensive-demo.html (4)

407-417: Centralize API calls via SAMO_CONFIG helpers and ENDPOINTS

Multiple hard-coded paths duplicate config and risk drift. Use SAMO_CONFIG.getApiUrl() and named endpoints. Also prefer getWebSocketUrl() over buildWsUrl.

Examples:

-const API_BASE_URL = window.SAMO_CONFIG?.API?.BASE_URL || 'https://samo-unified-api-frrnetyhfa-uc.a.run.app';
+const API_BASE_URL = window.SAMO_CONFIG?.API?.BASE_URL || '';

 // Emotion
-const response = await fetch(`${API_BASE_URL}/analyze/journal`, {
+const response = await fetch(
+  window.SAMO_CONFIG.getApiUrl(window.SAMO_CONFIG.API.ENDPOINTS.JOURNAL),
+{
   method: 'POST',
   headers: { 'Content-Type': 'application/json' },
   body: JSON.stringify({ text, generate_summary: false })
 });

 // Chat HTTP
-const resp = await fetch(`${API_BASE_URL}/chat`, {
+const resp = await fetch(
+  window.SAMO_CONFIG.getApiUrl('/chat'),
+{
   method: 'POST',
   headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${AUTH_TOKEN}` },
   body: JSON.stringify({ text, summarize: true, model: 't5-small' })
 });

- function buildWsUrl(path) {
-   if (!API_BASE_URL.startsWith('https://')) return null;
-   return API_BASE_URL.replace('https://', 'wss://') + path;
- }
+ // Prefer config helper; no local builder needed.

-const url = buildWsUrl(`/ws/chat?token=${encodeURIComponent(AUTH_TOKEN)}`);
+const url = window.SAMO_CONFIG.getWebSocketUrl(`/ws/chat?token=${encodeURIComponent(AUTH_TOKEN)}`);

 // Summary
-response = await fetch(`${API_BASE_URL}/analyze/journal`, {
+response = await fetch(
+  window.SAMO_CONFIG.getApiUrl(window.SAMO_CONFIG.API.ENDPOINTS.JOURNAL),
+{
   ...
});

 // Voice transcription
-response = await fetch(`${API_BASE_URL}/transcribe/voice`, {
+response = await fetch(
+  window.SAMO_CONFIG.getApiUrl(
+    window.SAMO_CONFIG.API.ENDPOINTS.TRANSCRIBE_VOICE || '/transcribe/voice'
+  ),
+{
   method: 'POST',
   body: formData,
   signal: controller.signal
});

Please replicate this pattern across the file (batch, auth, etc.) to eliminate stringly-typed URLs and ensure env overrides apply everywhere.

Also applies to: 502-506, 657-661, 673-683, 973-982, 775-779

---

770-787: Use central TIMEOUTS from config instead of hard-coded values

Replace the literal 30000/15000 with SAMO_CONFIG.API.TIMEOUTS.LONG_RUNNING or .DEFAULT so tuning is centralized.

-const timeoutId = setTimeout(() => controller.abort(), 30000);
+const timeoutId = setTimeout(
+  () => controller.abort(),
+  (window.SAMO_CONFIG?.API?.TIMEOUTS?.LONG_RUNNING ?? 30000)
+);

-const emotionTimeout = setTimeout(() => emotionController.abort(), 15000);
+const emotionTimeout = setTimeout(
+  () => emotionController.abort(),
+  (window.SAMO_CONFIG?.API?.TIMEOUTS?.DEFAULT ?? 10000)
+);

-const timeoutId = setTimeout(() => controller.abort(), 30000);
+const timeoutId = setTimeout(
+  () => controller.abort(),
+  (window.SAMO_CONFIG?.API?.TIMEOUTS?.LONG_RUNNING ?? 30000)
+);

Also applies to: 819-841, 968-989

---

604-621: Minor: Prefer notifications over alert/inline status strings for UX consistency

Consider using NotificationManager for login success/failure to match the rest of the app feedback.

---

1198-1219: Optional: soften rate-limit test to avoid accidental load spikes

Firing 10 concurrent POSTs at a prod API can be noisy. Add a feature flag and/or throttle, and display a clear “demo-only” note.

website/js/voice-recorder.js (1)

365-383: Processing-state API: consider calling endProcessing() when done

You currently switch to results state; if LayoutManager tracks a processing semaphore, explicitly ending processing may be needed for consistency.

website/js/notification-manager.js (3)

20-24: Consider queueing instead of dropping when maxToasts is reached.

Silently ignoring notifications can hide important messages. A small FIFO queue (size 10) improves UX.

Would you like a minimal queue implementation?

---

173-180: Make singleton idempotent to tolerate double script inclusion.

Guard against reinitialization and avoid overwriting existing globals.

-// Create global instance
-window.NotificationManager = new NotificationManager();
+// Create global instance (idempotent)
+window.NotificationManager = window.NotificationManager || new NotificationManager();
 
-// Legacy compatibility - expose common methods globally
-window.showSuccess = (message) => window.NotificationManager.success(message);
-window.showError = (message) => window.NotificationManager.error(message);
-window.showInfo = (message) => window.NotificationManager.info(message);
-window.showWarning = (message) => window.NotificationManager.warning(message);
+// Legacy compatibility - expose common methods globally (don’t overwrite if present)
+window.showSuccess = window.showSuccess || ((m) => window.NotificationManager.success(m));
+window.showError = window.showError || ((m) => window.NotificationManager.error(m));
+window.showInfo = window.showInfo || ((m) => window.NotificationManager.info(m));
+window.showWarning = window.showWarning || ((m) => window.NotificationManager.warning(m));

---

182-182: Reduce console noise in production.

Gate the log behind a debug flag or remove.

-console.log('🔔 Notification Manager loaded successfully');
+if (window.DEBUG) console.log('🔔 Notification Manager loaded successfully');

website/js/layout-manager.js (4)

373-399: Deduplicate UI logic; reuse showProcessingState and remove unused variable.

processTextWithStateManagement re-implements transitions and leaves an unused originalFunc. Call the canonical helper instead.

-    // Set processing state and update UI
-    LayoutManager.currentState = 'processing';
-
-    // IMMEDIATELY clear all result content to prevent remnants during processing
-    if (typeof clearAllResultContent === 'function') {
-        clearAllResultContent();
-    }
-
-    // Hide input layout with smooth transition
-    const inputLayout = document.getElementById('inputLayout');
-    if (inputLayout) {
-        inputLayout.style.opacity = '0';
-        setTimeout(() => {
-            inputLayout.style.display = 'none';
-        }, 300);
-    }
-
-    // Show processing layout
-    const processingLayout = document.getElementById('processingLayout');
-    if (processingLayout) {
-        processingLayout.style.display = 'block';
-        processingLayout.style.opacity = '0';
-        setTimeout(() => {
-            processingLayout.style.opacity = '1';
-        }, 50);
-    }
-
-    // Update progress steps
-    LayoutManager.updateProgressStep(1, 'active');
+    // Transition via the canonical helper
+    LayoutManager.showProcessingState();
+    LayoutManager.updateProgressStep(1, 'active');

-        // Set up a promise to handle the transition to results
-        const originalFunc = processText;
+        // Set up a promise to handle the transition to results

Also applies to: 400-404, 404-423

---

96-105: Force reset should also normalize the UI.

forceResetProcessing flips state flags but leaves the UI as-is. Delegate to resetToInitialState for a full recovery.

     forceResetProcessing() {
         console.warn('🚨 Force resetting processing state and cancelling all requests...');
         this.cancelActiveRequests();
-        this.isProcessing = false;
-        this.processingStartTime = null;
-        this.currentState = 'initial';
-        console.log('✅ Force reset completed');
+        this.isProcessing = false;
+        this.processingStartTime = null;
+        this.currentState = 'initial';
+        this.resetToInitialState();
+        console.log('✅ Force reset completed');
     },

---

319-352: toggleDebugSection: fragile use of lastChild.

lastChild can be null or a non-text node. Guard and/or target a dedicated label span.

-                const textNode = toggleBtn.lastChild;
+                let textNode = toggleBtn.querySelector('.label-text') || toggleBtn.lastChild;
+                if (!textNode) {
+                    textNode = document.createElement('span');
+                    textNode.className = 'label-text';
+                    toggleBtn.appendChild(textNode);
+                }

Also applies to: 338-340

---

14-21: Run a safety reset on DOMContentLoaded.

Ensures clean initial state on first load.

 // Safety reset to ensure clean state on page load
 resetProcessingState() {

Additional (outside this block):

document.addEventListener('DOMContentLoaded', () => {
  if (window.LayoutManager && typeof LayoutManager.resetProcessingState === 'function') {
    LayoutManager.resetProcessingState();
  }
});

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af71436 and c4d2fb5.

📒 Files selected for processing (5)

• website/comprehensive-demo.html (1 hunks)
• website/js/config.js (6 hunks)
• website/js/layout-manager.js (1 hunks)
• website/js/notification-manager.js (1 hunks)
• website/js/voice-recorder.js (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

website/js/notification-manager.js (1)

website/js/layout-manager.js (1)

• textNode (339-339)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Sourcery review

🔇 Additional comments (8)

website/js/config.js (3)

174-191: Deep merge utility: sane approach and scoped usage

Recursively merging plain objects and replacing arrays is appropriate for config overlays. LGTM.

---

198-236: Redacted debug logging is a good safety measure

The recursive redaction and debug-gated logging reduce accidental exposure in consoles. LGTM.

---

113-116: Critical: Disable direct client-side OpenAI usage; route via server proxy

ENABLE_OPENAI is true and OPENAI.API_URL is exposed. This invites leaking secrets and misuse from the browser. Use your /proxy/openai backend instead and keep any API keys server-side.

Apply this diff to flip the flag now:

-    ENABLE_OPENAI: true, // Enabled - direct OpenAI API calls
+    ENABLE_OPENAI: false, // Disabled: always route via backend proxy (/proxy/openai)

If any client code currently calls OpenAI directly, switch it to SAMO_CONFIG.getApiUrl(SAMO_CONFIG.API.ENDPOINTS.OPENAI_PROXY).

website/js/voice-recorder.js (3)

169-171: Use a timestamped filename to aid debugging and avoid collisions

[ suggest_optional_refactor ]

-            const audioFile = new File([audioBlob], `recording.${extension}`, {
+            const audioFile = new File([audioBlob], `recording-${Date.now()}.${extension}`, {
                 type: audioBlob.type
             });

---

173-188: Invert dependency: don’t construct SAMOAPIClient inside the recorder

Creating dependencies internally couples the class to globals and hinders testing. Accept an apiClient via constructor or setter; fall back to a well-documented global only.

Minimal change (stop auto-constructing, surface a clear error):

-            let apiClient = window.apiClient;
-            if (!apiClient) {
-                console.log('⚠️ Global API client not available, creating new instance...');
-                try {
-                    // Try to create a new SAMOAPIClient instance
-                    if (typeof SAMOAPIClient !== 'undefined') {
-                        apiClient = new SAMOAPIClient();
-                        console.log('✅ Created new API client instance');
-                    } else {
-                        throw new Error('SAMOAPIClient class not available');
-                    }
-                } catch (createError) {
-                    throw new Error(`Unable to create API client: ${createError.message}`);
-                }
-            }
+            const apiClient = this.apiClient || window.apiClient;
+            if (!apiClient) {
+                throw new Error('API client not available');
+            }

Preferred refactor (constructor injection):

-class VoiceRecorder {
-    constructor() {
+class VoiceRecorder {
+    constructor({ apiClient } = {}) {
+        this.apiClient = apiClient || window.apiClient || null;

And allow a setter if needed:

+    setApiClient(client) {
+        this.apiClient = client;
+    }

---

28-56: Init flow degrades gracefully when UI hooks are missing

Good checks and disabling behavior. LGTM.

website/comprehensive-demo.html (1)

403-405: No duplicate inclusion of notification-manager.js detected
A global search across all HTML files shows only this single <script src="js/notification-manager.js"></script> in website/comprehensive-demo.html (lines 403–405), so there’s no risk of double initialization.

website/js/layout-manager.js (1)

381-388: Prefer class-based visibility toggles over inline style/display.

Inline display/opacity manipulations are mixed with classList usage elsewhere. Stick to a consistent class approach (e.g., d-none + CSS transitions).

Example (illustrative):

-    inputLayout.style.opacity = '0';
-    setTimeout(() => { inputLayout.style.display = 'none'; }, 300);
+    inputLayout.classList.add('fade-out');
+    setTimeout(() => { inputLayout.classList.add('d-none'); inputLayout.classList.remove('fade-out'); }, 300);

-    processingLayout.style.display = 'block';
-    processingLayout.style.opacity = '0';
-    setTimeout(() => { processingLayout.style.opacity = '1'; }, 50);
+    processingLayout.classList.remove('d-none');
+    processingLayout.classList.add('fade-in');
+    setTimeout(() => { processingLayout.classList.remove('fade-in'); }, 200);

-    if (loadingSection) { loadingSection.style.display = 'block'; }
+    if (loadingSection) { loadingSection.classList.remove('d-none'); }

-    if (loadingSection) { loadingSection.style.display = 'none'; }
+    if (loadingSection) { loadingSection.classList.add('d-none'); }

Also applies to: 392-398, 237-250, 253-258

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Avoid InvalidStateError when stopping an already-stopped recorder

Check state before calling stop().

     stopRecording() {
-        if (this.mediaRecorder && this.isRecording) {
+        if (this.mediaRecorder && this.isRecording && this.mediaRecorder.state !== 'inactive') {
             this.mediaRecorder.stop();
             this.isRecording = false;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	stopRecording() {
	if (this.mediaRecorder && this.isRecording) {
	this.mediaRecorder.stop();
	this.isRecording = false;
	// Stop all tracks
	if (this.stream) {
	this.stream.getTracks().forEach(track => track.stop());
	this.stream = null;
	}
	// Update UI
	this.updateRecordingUI(false);
	this.stopRecordingTimer();
	console.log('🛑 Recording stopped');
	}
	}
	stopRecording() {
	if (this.mediaRecorder && this.isRecording && this.mediaRecorder.state !== 'inactive') {
	this.mediaRecorder.stop();
	this.isRecording = false;
	// Stop all tracks
	if (this.stream) {
	this.stream.getTracks().forEach(track => track.stop());
	this.stream = null;
	}
	// Update UI
	this.updateRecordingUI(false);
	this.stopRecordingTimer();
	console.log('🛑 Recording stopped');
	}
	}

🤖 Prompt for AI Agents

In website/js/voice-recorder.js around lines 105 to 122, calling
this.mediaRecorder.stop() can throw InvalidStateError if the recorder is already
stopped; check the recorder state before calling stop() (e.g., ensure
this.mediaRecorder.state !== 'inactive' or === 'recording') and/or wrap the stop
call in a try/catch to safely handle spurious calls, then proceed to clear
tracks, null the stream, update UI and timers only after a successful stop.

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (18)

website/package.json (3)

2-4: Mark package as private to prevent accidental publish.

Avoids accidental npm publish of this app scaffold.

 {
   "name": "samo-dl-website",
   "version": "1.0.0",
+  "private": true,
   "description": "SAMO-DL emotion detection platform frontend",

---

11-11: Broaden lint target to include nested files.

Covers subfolders under website/js.

-    "lint": "eslint js/*.js",
+    "lint": "eslint \"js/**/*.js\"",

---

14-19: Align Vitest-related devDependencies to major version 3.x
All Vitest packages (@vitest/ui, vitest, @vitest/coverage-v8) should share the same major; the current stable is 3.2.4 and mismatches can cause runtime errors. Update them to “^3.2.4” (or “^3.x”), or add a comment if you intentionally need to remain on v1.x.

website/js/config.js (7)

130-141: Fix contradictory comment and broaden localhost detection.

Comment says “USE DEPLOYED API” but code points to local server. Also include IPv6 localhost (::1).

-// Environment-specific overrides - USE DEPLOYED API FOR DEVELOPMENT
+// Environment-specific overrides - USE LOCAL API FOR DEVELOPMENT
-if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
+if (['localhost', '127.0.0.1', '::1'].includes(window.location.hostname)) {

---

144-156: Avoid fragile this binding in helpers.

These methods break if de-structured (e.g., const { getApiUrl } = SAMO_CONFIG). Reference the global directly.

-window.SAMO_CONFIG.getApiUrl = function(endpoint) {
-  const baseUrl = this.API.BASE_URL;
+window.SAMO_CONFIG.getApiUrl = (endpoint) => {
+  const baseUrl = window.SAMO_CONFIG?.API?.BASE_URL;
   if (!baseUrl) {
     console.warn('SAMO_CONFIG.API.BASE_URL is not set. Please configure your API endpoint.');
     return null;
   }
   // Remove trailing slash from base URL and leading slash from endpoint
   const cleanBaseUrl = baseUrl.replace(/\/$/, '');
   const cleanEndpoint = endpoint.startsWith('/') ? endpoint : '/' + endpoint;
   return cleanBaseUrl + cleanEndpoint;
-};
+};

---

158-174: Same here for WebSocket helper.

Mirror the binding-safe approach.

-window.SAMO_CONFIG.getWebSocketUrl = function(endpoint) {
-  const baseUrl = this.API.BASE_URL;
+window.SAMO_CONFIG.getWebSocketUrl = (endpoint) => {
+  const baseUrl = window.SAMO_CONFIG?.API?.BASE_URL;
   if (!baseUrl) {
     console.warn('SAMO_CONFIG.API.BASE_URL is not set. Cannot create WebSocket URL.');
     return null;
   }
   // Convert HTTPS to WSS
   let wsUrl = baseUrl.replace(/^https:/, 'wss:').replace(/^http:/, 'ws:');
   // Remove trailing slash from base URL and leading slash from endpoint
   wsUrl = wsUrl.replace(/\/$/, '');
   const cleanEndpoint = endpoint.startsWith('/') ? endpoint : '/' + endpoint;
   return wsUrl + cleanEndpoint;
-};
+};

---

176-194: Harden deepMerge property checks.

Use Object.prototype.hasOwnProperty.call to avoid shadowing.

 function deepMerge(target, source) {
     const result = { ...target };
 
     for (const key in source) {
-        if (source.hasOwnProperty(key)) {
+        if (Object.prototype.hasOwnProperty.call(source, key)) {
             if (source[key] && typeof source[key] === 'object' && !Array.isArray(source[key])) {
                 // Recursively merge objects
                 result[key] = deepMerge(target[key] || {}, source[key]);
             } else {
                 // Replace primitives and arrays
                 result[key] = source[key];
             }
         }
     }
 
     return result;
 }

---

195-199: Apply server-injected config before local overrides.

Prevents server injection from unintentionally overriding localhost settings during development.

+// Server-side configuration injection (if available) — do this before env overrides
+if (window.SAMO_SERVER_CONFIG) {
+    window.SAMO_CONFIG = deepMerge(window.SAMO_CONFIG, window.SAMO_SERVER_CONFIG);
+}
 
-// Server-side configuration injection (if available)
-if (window.SAMO_SERVER_CONFIG) {
-    window.SAMO_CONFIG = deepMerge(window.SAMO_CONFIG, window.SAMO_SERVER_CONFIG);
-}

Move the added block to just after the SAMO_CONFIG object (before the localhost override).

Also applies to: 130-141

---

60-65: Clarify/retire legacy keys to avoid conflicts.

API.TIMEOUTS.DEFAULT (10s) vs legacy API.TIMEOUT (45s) can confuse consumers. Either map legacy keys to new ones or mark as deprecated in comments and avoid divergent values.

Also applies to: 112-121

---

235-238: Optional: Freeze config in production.

Prevents runtime mutation by third-party scripts.

 if (window.SAMO_CONFIG && window.SAMO_CONFIG.DEBUG) {
     const sanitizedConfig = redactSensitiveValues(window.SAMO_CONFIG);
     console.log('🔧 SAMO Configuration loaded (debug mode):', sanitizedConfig);
 }
+
+// Lock down in production
+if (window.SAMO_CONFIG?.ENVIRONMENT === 'production') {
+  Object.freeze(window.SAMO_CONFIG);
+}

website/test/setup.js (1)

46-49: Also restore all mocks between tests.

Ensures spies/stubs are fully reset.

 afterEach(() => {
   vi.clearAllMocks();
+  vi.restoreAllMocks();
   document.body.innerHTML = '';
 });

website/test/notification-manager.test.js (2)

11-21: Reset module cache and legacy globals before re-import.

Guarantees fresh side-effect init each test and avoids stale global wrappers.

   beforeEach(async () => {
     // Clean up DOM
     document.body.innerHTML = '';
 
-    // Reset the global instance
+    // Reset module cache and globals
+    vi.resetModules();
     delete window.NotificationManager;
+    delete window.showSuccess;
+    delete window.showError;
+    delete window.showInfo;
+    delete window.showWarning;
 
     // Import fresh instance
     await import('../js/notification-manager.js');
     notificationManager = window.NotificationManager;
   });

---

70-80: Use fake timers for deterministic auto-removal timing.

Removes flakiness from real-time waits.

-    it('should remove toast after duration', async () => {
-      notificationManager.show('Test message', 'info', 100);
-      const toast = document.querySelector('.notification-toast');
-      expect(toast).toBeTruthy();
-      // Wait for auto-removal
-      await new Promise(resolve => setTimeout(resolve, 200));
-      expect(document.querySelector('.notification-toast')).toBeFalsy();
-    });
+    it('should remove toast after duration', async () => {
+      vi.useFakeTimers();
+      notificationManager.show('Test message', 'info', 100);
+      const toast = document.querySelector('.notification-toast');
+      expect(toast).toBeTruthy();
+      vi.advanceTimersByTime(150);
+      expect(document.querySelector('.notification-toast')).toBeFalsy();
+      vi.useRealTimers();
+    });

website/js/voice-recorder.js (1)

187-191: Avoid logging full responses in production

Gate verbose result logging behind DEBUG to reduce PII leakage.

Apply this diff:

-                console.log('✅ Transcription successful:', result);
+                if (window.SAMO_CONFIG?.DEBUG) {
+                    console.debug('Transcription result:', result);
+                } else {
+                    console.log('✅ Transcription successful');
+                }

website/js/layout-manager.js (4)

152-165: Use injected dependency for clearing results (avoid global)

Call the injected clearAllResultContent for testability/consistency.

Apply this diff:

-        // IMMEDIATELY clear all result content to prevent remnants during processing
-        if (typeof clearAllResultContent === 'function') {
-            clearAllResultContent();
-        }
+        // IMMEDIATELY clear all result content to prevent remnants during processing
+        if (this.dependencies.clearAllResultContent) {
+            this.dependencies.clearAllResultContent();
+        }

---

331-336: Avoid hard-coding 4 progress steps

Derive the number of steps from the DOM (e.g., querySelectorAll('[id^="step"][id$="-icon"]').length or a data attribute) to prevent drift.

---

364-379: Avoid lastChild text updates (fragile)

Use a dedicated span (e.g., .toggle-text) or set toggleBtn.dataset/state; lastChild can be whitespace or an icon wrapper.

---

431-435: Remove unused variable

originalFunc is assigned but unused.

Apply this diff:

-        const originalFunc = processText;
-        const maybe = processText(true);  // Skip state check since we handle it here
+        const maybe = processText(true);  // Skip state check since we handle it here

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4d2fb5 and a2760e9.

⛔ Files ignored due to path filters (2)

• package-lock.json is excluded by !**/package-lock.json
• website/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (9)

• website/js/config.js (5 hunks)
• website/js/layout-manager.js (1 hunks)
• website/js/voice-recorder.js (1 hunks)
• website/package.json (1 hunks)
• website/test/config.test.js (1 hunks)
• website/test/layout-manager.test.js (1 hunks)
• website/test/notification-manager.test.js (1 hunks)
• website/test/setup.js (1 hunks)
• website/vitest.config.js (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• website/test/layout-manager.test.js

🧰 Additional context used

🧬 Code graph analysis (1)

website/test/config.test.js (1)

website/js/config.js (1)

• wsUrl (167-167)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Sourcery review

🔇 Additional comments (10)

website/vitest.config.js (1)

4-22: LGTM on Vitest config.

Environment, setupFiles, include/exclude, and coverage look correct for this layout.

website/js/voice-recorder.js (6)

133-141: Use actual recorder mimeType for the Blob

Match the Blob type to MediaRecorder.mimeType; fall back only if absent.
[ suggest_recommended_refactor ]

Apply this diff:

-            const audioBlob = new Blob(this.audioChunks, {
-                type: this.getSupportedMimeType()
-            });
+            const chosenType = (this.mediaRecorder && typeof this.mediaRecorder.mimeType === 'string')
+              ? this.mediaRecorder.mimeType
+              : this.getSupportedMimeType();
+            const audioBlob = new Blob(this.audioChunks, { type: chosenType });

---

151-163: Handle MIME types with codec parameters when deriving extensions

Strip parameters like “;codecs=opus” before lookup.

Apply this diff:

-    getExtensionFromMimeType(mimeType) {
-        const mimeToExt = {
+    getExtensionFromMimeType(mimeType) {
+        const baseType = String(mimeType || '').split(';', 1)[0].toLowerCase();
+        const mimeToExt = {
             'audio/webm': 'webm',
             'audio/mp4': 'mp4',
             'audio/wav': 'wav',
             'audio/mpeg': 'mp3',
             'audio/ogg': 'ogg'
         };
-        return mimeToExt[mimeType] || 'audio';
+        return mimeToExt[baseType] || 'audio';
     }

---

170-174: Prefer unique filenames for uploads

Include a timestamp/UUID to aid debugging and avoid collisions.

Apply this diff:

-            const audioFile = new File([audioBlob], `recording.${extension}`, {
+            const audioFile = new File([audioBlob], `recording-${Date.now()}.${extension}`, {
                 type: audioBlob.type
             });

---

274-283: LGTM: pretty-printed JSON fallback improves UX

Nice improvement over raw JSON.

---

6-18: Good: dependency injection for apiClient

Constructor injection decouples VoiceRecorder from globals.

---

108-124: Guard against InvalidStateError when stopping recorder

Stopping an already inactive recorder throws; check state before stop.

Apply this diff:

-    stopRecording() {
-        if (this.mediaRecorder && this.isRecording) {
-            this.mediaRecorder.stop();
+    stopRecording() {
+        if (this.mediaRecorder && this.isRecording) {
+            try {
+                if (this.mediaRecorder.state !== 'inactive') {
+                    this.mediaRecorder.stop();
+                }
+            } catch (e) {
+                console.warn('Recorder stop ignored:', e);
+            }
             this.isRecording = false;

website/js/layout-manager.js (3)

64-92: LGTM: added guard for missing processingStartTime and stuck processing

This resolves prior NaN risk and fail-fast behavior.

---

312-320: LGTM: fixed “pending” class retention on step elements

Now clears pending on both element and icon before applying new state.

---

158-166: Consistent class-based visibility instead of inline styles

Mixing inline styles with Bootstrap classes can cause specificity conflicts. Prefer toggling utility classes (e.g., d-none, fade/fade-show) for input/results/loading transitions.

I can propose a small CSS helper class set and minimal JS changes if you want it in this PR.

Also applies to: 183-195, 237-245, 265-276, 280-285, 408-415

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

This test doesn’t assert redaction; it’s effectively a no-op

Either expose a redaction helper from config.js for direct testing or verify observable behavior (e.g., logged redacted output in DEBUG). As-is, it only checks SAMO_CONFIG exists.

I can draft a minimal export (e.g., export function redact(obj){...}) and update the test—want me to propose the patch?

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (10)

website/js/voice-recorder.js (5)

302-317: Broaden MIME support and prioritize Safari/Firefox codecs.

Add common codec-qualified types to improve compatibility.

Apply:

-        const types = [
-            'audio/webm;codecs=opus',
-            'audio/webm',
-            'audio/mp4',
-            'audio/wav'
-        ];
+        const types = [
+            'audio/mp4;codecs=mp4a.40.2', // Safari/iOS
+            'audio/mp4',
+            'audio/ogg;codecs=opus',      // Firefox
+            'audio/webm;codecs=opus',
+            'audio/webm',
+            'audio/wav'
+        ];

---

279-281: Reference global via window to avoid shadowing/import issues.

Safer in modular contexts.

Apply:

-                if (typeof displayAnalysisResults === 'function') {
-                    displayAnalysisResults(result.emotion_analysis, result.summary);
+                if (typeof window.displayAnalysisResults === 'function') {
+                    window.displayAnalysisResults(result.emotion_analysis, result.summary);

---

200-218: Prefer status-based error handling over string matching.

Check error.response?.status when available; keep message fallbacks.

Apply:

-            } else if (error.message.includes('400')) {
+            } else if ((error.response && String(error.response.status).startsWith('4')) || error.message.includes('400')) {
                 userMessage = 'Invalid audio format. Please try recording again.';
-            } else if (error.message.includes('500')) {
+            } else if ((error.response && String(error.response.status).startsWith('5')) || error.message.includes('500')) {
                 userMessage = 'Server error. Please try again in a moment.';

---

133-150: Release references after processing to reduce memory footprint.

Null recorder and clear chunks once onRecordingStop work completes.

Apply:

     async onRecordingStop() {
         try {
@@
             await this.processRecordedAudio(audioBlob);
+            // Free resources
+            this.mediaRecorder = null;
+            this.audioChunks = [];

---

31-47: Make init idempotent to avoid duplicate listeners.

Set an initialized flag and short‑circuit if already initialized.

Apply:

 class VoiceRecorder {
     constructor(apiClient = null) {
@@
+        this.initialized = false;
     }
@@
     async init() {
         try {
+            if (this.initialized) return true;
@@
             // Add event listeners
             this.recordBtn.addEventListener('click', this.startRecording);
             this.stopBtn.addEventListener('click', this.stopRecording);
@@
             this.recordBtn.disabled = false;
             console.log('✅ Voice recorder initialized successfully');
+            this.initialized = true;
             return true;

Also applies to: 55-58

website/vitest.config.js (2)

10-11: Tighten test file glob to the canonical pattern

Use Vitest’s widely used brace for CJS/ESM/TSX variants. Functionally equivalent but clearer and future‑proof with fast-glob.

Apply this diff:

-    include: ['**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
+    include: ['**/*.{test,spec}.?(c|m)[jt]s?(x)'],

---

5-22: Improve test isolation defaults

Add auto‑cleanup between tests to reduce leakage from spies/mocks.

Apply this diff:

   test: {
     environment: 'jsdom',
     globals: true,
     setupFiles: ['./test/setup.js'],
     include: ['**/*.{test,spec}.?(c|m)[jt]s?(x)'],
     exclude: ['node_modules', 'dist', '**/*.backup.*'],
+    clearMocks: true,
+    restoreMocks: true,
     coverage: {
       provider: 'v8',
       reporter: ['text', 'json', 'html'],

Coverage provider ‘v8’ is a good default in Vitest v3+. (main.vitest.dev)

website/test/config.test.js (3)

99-114: Make URL builder tests independent of prior state

These assertions currently rely on whatever BASE_URL previous tests left behind. Set a known BASE_URL (via server config + reload) inside each test, then assert. Keeps tests order‑independent.

Apply this diff in each test before calling the builder:

+      window.SAMO_SERVER_CONFIG = { API: { BASE_URL: 'https://example.com' } };
+      vi.resetModules();
+      delete window.SAMO_CONFIG;
+      await import('../js/config.js');

---

6-6: Import only what you use from Vitest

If you adopt the diffs above, vi and async beforeEach will be used; otherwise, drop unused imports to keep tests tidy.

---

1-159: Add explicit redaction assertion
Expose and import redactSensitiveValues, then assert sensitive keys (e.g. password, api_key) are replaced with 'REDACTED' (e.g. expect(redactSensitiveValues({password:'pass'}).password).toBe('REDACTED')). I can open a follow-up commit to apply this if desired.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2760e9 and ba635df.

📒 Files selected for processing (5)

• website/js/notification-manager.js (1 hunks)
• website/js/voice-recorder.js (1 hunks)
• website/test/config.test.js (1 hunks)
• website/test/notification-manager.test.js (1 hunks)
• website/vitest.config.js (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• website/test/notification-manager.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• website/js/notification-manager.js

🧰 Additional context used

🧬 Code graph analysis (1)

website/test/config.test.js (1)

website/js/config.js (1)

• wsUrl (167-167)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Sourcery review

🔇 Additional comments (11)

website/js/voice-recorder.js (6)

7-8: Good move to dependency injection (DI).

Constructor accepts apiClient and DOM bootstrap passes it in. This decouples the recorder from globals and improves testability.

Also applies to: 15-17, 466-476

---

175-179: Use a timestamped filename to avoid collisions and aid debugging.

Keep derived extension; add ISO timestamp sanitized for filesystem safety.

Apply:

-            const audioFile = new File([audioBlob], `recording.${extension}`, {
+            const ts = new Date().toISOString().replace(/[:.]/g, '-');
+            const audioFile = new File([audioBlob], `recording-${ts}.${extension}`, {
                 type: audioBlob.type
             });

---

136-140: Nice: correct MIME on Blob and robust extension mapping.

Using mediaRecorder.mimeType and stripping codec params fixes downstream handling.

Also applies to: 156-166

---

108-125: Stop safety: avoid InvalidStateError when recorder already inactive.

Check mediaRecorder.state and wrap stop() in try/catch.

Apply:

-    stopRecording() {
-        if (this.mediaRecorder && this.isRecording) {
-            this.mediaRecorder.stop();
-            this.isRecording = false;
+    stopRecording() {
+        if (!this.mediaRecorder) return;
+        try {
+            if (this.isRecording && this.mediaRecorder.state !== 'inactive') {
+                this.mediaRecorder.stop();
+            }
+        } catch (e) {
+            console.warn('Recorder stop() failed or already inactive:', e);
+        } finally {
+            this.isRecording = false;

---

439-478: Remove duplicate-init guard suggestion – no other initializations found
Search for new VoiceRecorder across the repo only returns the two instances in this file, so there’s no duplicate bootstrap to guard against. The proposed guard can be dropped.

Likely an incorrect or invalid review comment.

---

221-225: LayoutManager API usage is consistent—no changes needed. showResultsState() invokes endProcessing() internally, and explicit endProcessing() on error is appropriate.

website/test/config.test.js (5)

37-54: This “redaction” test asserts nothing about redaction

Either expose a redaction helper from config.js for direct testing, or assert observable behavior (e.g., spy on console in DEBUG mode and verify redacted values).

If you expose a helper, I can wire an assertion-based test update. Based on learnings.

---

8-10: Top-level require caches the module; switch to per-test dynamic import after vi.resetModules()

As written, config is loaded once and never reinitialized; later tests mutate globals against a cached module. Replace top-level require with a per‑test reset+dynamic import.

Apply this diff:

-// Load config using require to avoid ES module issues
-require('../js/config.js');
+// Load config per test after resetting module cache in beforeEach

And update hooks (see next comment for full beforeEach).
Vitest: top‑level imports won’t be re‑evaluated; use vi.resetModules() + dynamic import(). (main.vitest.dev)

---

12-19: Reset module cache and reload config in beforeEach; clean globals in afterEach

Ensure each test starts from a fresh config instance.

Apply this diff:

-describe('SAMO Configuration', () => {
-  beforeEach(() => {
-    // Clean up before each test
-    delete window.SAMO_SERVER_CONFIG;
-  });
-
-  afterEach(() => {
-    delete window.SAMO_SERVER_CONFIG;
-  });
+describe('SAMO Configuration', () => {
+  beforeEach(async () => {
+    vi.resetModules();
+    delete window.SAMO_SERVER_CONFIG;
+    delete window.SAMO_CONFIG;
+    await import('../js/config.js');
+  });
+
+  afterEach(() => {
+    delete window.SAMO_SERVER_CONFIG;
+    delete window.SAMO_CONFIG;
+  });

Doc: vi.resetModules() clears cache; re‑import re‑evaluates the module. (main.vitest.dev)

---

56-79: Don’t re‑implement env detection; stub location, then reload config

Manually setting SAMO_CONFIG defeats the purpose of the test. Stub window.location first, reset modules, then import config and assert results.

Apply this diff:

-    // Re-run the environment detection logic from config.js
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      window.SAMO_CONFIG.ENVIRONMENT = 'development';
-      window.SAMO_CONFIG.DEBUG = true;
-      window.SAMO_CONFIG.API.BASE_URL = 'https://localhost:8002';
-    }
+    // Reload config to execute its env detection against stubbed location
+    vi.resetModules();
+    delete window.SAMO_CONFIG;
+    await import('../js/config.js');

Note: keep the existing restore of window.location at the end of the test. vi.resetModules guidance: re‑import to re‑evaluate. (main.vitest.dev)

---

117-151: Exercise real merge path; remove inline deepMerge and reload config after injecting SAMO_SERVER_CONFIG

Inline merging tests your test code, not the module. Inject, reset, re‑import, then assert.

Apply this diff:

-      // Re-run the server config merging logic from config.js
-      if (window.SAMO_SERVER_CONFIG) {
-        // Deep merge function (simplified for test)
-        function deepMerge(target, source) {
-          const result = { ...target };
-          for (const key in source) {
-            if (source[key] && typeof source[key] === 'object' && !Array.isArray(source[key])) {
-              result[key] = deepMerge(target[key] || {}, source[key]);
-            } else {
-              result[key] = source[key];
-            }
-          }
-          return result;
-        }
-        window.SAMO_CONFIG = deepMerge(window.SAMO_CONFIG, window.SAMO_SERVER_CONFIG);
-      }
+      // Reload module so its merge logic runs
+      vi.resetModules();
+      delete window.SAMO_CONFIG;
+      await import('../js/config.js');

Vitest module cache reset is required for re‑execution. (main.vitest.dev)

[uelkerd]

🏰 Fortress Strategy Successfully Implemented

This PR has been superseded by the Hybrid Fortress Strategy implementation:

✅ PR #203: Platform Foundation (4 files) - #203
✅ PR #204: UI System Components (5 files) - #204
✅ PR #205: Audio & Integration (4 files) - #205

Result: Transformed 1 massive 13-file fortress violation into 3 fortress-compliant PRs while maintaining complete system functionality.

The three replacement PRs provide:

• Better code review quality through focused system boundaries
• Safer integration with staged merge approach
• Independent rollback capability for each subsystem
• Complete preservation of all original functionality

Please review and merge the three replacement PRs in dependency order: #203 → #204 → #205.

🤖 Fortress Strategy by Claude Code