Fix: Address potential bugs and improve error handling by PeterDaveHello · Pull Request #863 · ChatGPTBox-dev/chatGPTBox

PeterDaveHello · 2025-06-07T14:02:01Z

User description

It's a large patch, and I'm unsure if we can get it merged. It's generated by Google's Jules Agent, which serves as a trial run and test lab. We can also review the feedback from other agents.

Jule's commit message:

This commit includes the following changes:

In src/background/index.mjs:

Ensured that port.proxy.postMessage({ session }) is called in executeApi even if port.proxy already exists, to prevent requests from not being sent to the ChatGPT tab.

Added comprehensive try...catch blocks and detailed logging for better error diagnosis and stability.

Added 'blocking' to onBeforeSendHeaders listener options as it modifies request headers.

In src/content-script/index.jsx:

Refactored prepareForForegroundRequests to manageChatGptTabState to ensure the port listener for ChatGPT Web models is dynamically and correctly (re-)registered when you change model configurations.

Added comprehensive try...catch blocks and detailed logging throughout the script to improve robustness and debuggability.

These changes aim to improve the overall stability and reliability of the extension. Manual testing is recommended to verify all scenarios, aided by the new logging.

GitHub Copilot's summary:

This pull request enhances logging and error handling in the src/background/index.mjs file to improve debugging and reliability. Key changes include adding detailed debug and error logs, handling potential exceptions in asynchronous operations, and improving the robustness of listener callbacks.

Enhanced Logging:

Added extensive console.debug statements to provide detailed insights into function calls, message handling, and API usage, including model-specific logs in executeApi and message type logs in Browser.runtime.onMessage.addListener. [1] [2] [3]

Improved logging for onBeforeRequest and onBeforeSendHeaders listeners to capture header modifications and request details.

Error Handling Improvements:

Wrapped critical operations in try-catch blocks to prevent runtime errors from impacting the application, including in listener callbacks and asynchronous API calls. Errors are logged with detailed context for easier debugging. [1] [2] [3] [4]

Enhanced error responses for specific operations, such as returning structured error objects in the FETCH message handler.

Reliability Enhancements:

Added reconnection logic in setPortProxy to handle proxy tab disconnections gracefully, ensuring the application can recover from unexpected disconnects.

Improved robustness of Browser.tabs.onUpdated listener by checking for valid URLs before performing side panel updates.

Code Organization:

Consolidated error handling in initialization functions (registerPortListener, registerCommands, refreshMenu) to ensure proper logging and fallback behavior during setup.

PR Type

Enhancement, Bug fix

Description

Major refactor to improve error handling and logging throughout background and content scripts.
- Added comprehensive try/catch blocks and detailed debug/error logs.
- Improved robustness of asynchronous operations and event listeners.
Enhanced communication and state management between background and content scripts.
- Refactored ChatGPT tab state management for reliability.
- Improved port listener registration and message handling.
Improved web request interception and header modification logic.
- Added 'blocking' to onBeforeSendHeaders for correct header modification.
- Enhanced error handling in webRequest listeners.
Refined UI mounting and selection tool logic in the content script.
- Added robust checks, logging, and error handling for DOM operations.
- Improved floating toolbar and static card rendering logic.

Changes walkthrough 📝

Relevant files

Enhancement

index.mjs `Robust error handling and logging in background script` src/background/index.mjs Added extensive try/catch blocks and detailed logging for all major functions and listeners. Improved port proxy setup and ensured messages are always sent to the ChatGPT tab. Enhanced webRequest listeners with robust error handling and correct use of 'blocking' for header modification. Refactored message handling with better diagnostics and error responses. Improved registration and error handling for port listeners, commands, and menu refresh.	+400/-202
index.jsx `Refactor content script for reliability and diagnostics` src/content-script/index.jsx Refactored and renamed foreground request management to manageChatGptTabState with robust error handling. Added comprehensive logging and try/catch blocks throughout all async and event-driven logic. Improved UI mounting, selection tools, and static card logic with better DOM checks and error diagnostics. Enhanced runtime message and storage change handling for dynamic configuration updates. Improved port listener registration and ChatGPT Web model handling.	+799/-329

Need help?
Type /help how to ... in the comments thread for any questions about Qodo Merge usage.
Check out the documentation for more information.

Summary by CodeRabbit

New Features
- Jump-back notifications, static inline cards, enhanced selection tools and right‑click menu, plus broader in‑site model/session support and tab-state orchestration.
Bug Fixes & Reliability
- More resilient reconnection, redaction and token/session handling; safer message proxying, guarded UI mounting with cross‑browser fallbacks; hardened request/tab listeners and richer diagnostics.
Chores
- Manifest updated to enable stronger request handling (webRequest blocking).

coderabbitai · 2025-06-07T14:02:09Z

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

📝 Walkthrough

Walkthrough

Added centralized redaction and reconnection in the background service; hardened messaging, webRequest/tab listeners, and side-panel handling. Content script gains idempotent mounting, multi-source token management (Claude/Kimi/ChatGPT), selection/UI tooling, and new run/manage utilities with extensive logging and error guards.

Changes

Cohort / File(s)	Summary
Background Service `src/background/index.mjs`	Introduces `RECONNECT_CONFIG`, `SENSITIVE_KEYWORDS`, `redactSensitiveFields`. Replaces port proxy wiring with `setPortProxy` (listener cleanup, reconnect timers, redacted logging). Expands `executeApi` dispatch and instrumentation; hardens runtime messaging, webRequest/tab listeners, side-panel updates, and registration logging.
Content Script — UI & Token Orchestration `src/content-script/index.jsx`	Reworks mounting with guarded retries and container cleanup. Adds robust `getInput`, idempotent selection tools, touch/right-click flows, static card/site-adapter logic, guarded `overwriteAccessToken`, new `getClaudeSessionKey`, `prepareForJumpBackNotification`, `manageChatGptTabState`, and `run`. Adds idempotent port listener registration, pervasive try/catch logging, and defensive checks.
Manifest / Permissions `src/manifest.v2.json`	Adds `webRequestBlocking` permission.

Sequence Diagram(s)

sequenceDiagram
    participant Port as Background Port
    participant Manager as Reconnect Manager
    participant Handler as Message Handler
    participant Redactor as Redaction Layer
    participant API as API Executor

    Port->>Manager: open connection
    Manager->>Handler: forward incoming message
    Handler->>Redactor: redact sensitive fields
    Redactor-->>Handler: redacted payload
    Handler->>API: executeApi(request)
    API-->>Handler: response / error
    Handler->>Port: send response

    alt Connection lost
        Port--xManager: disconnect
        Manager->>Manager: schedule reconnect (backoff)
        Manager->>Port: attempt reconnect
    end

sequenceDiagram
    participant Runtime as Browser Runtime
    participant Script as Content Script
    participant TokenMgr as Token Manager
    participant Claude as Claude Service
    participant UI as UI Components

    Runtime->>Script: inject / start
    Script->>Script: run()
    Script->>TokenMgr: detect / overwrite tokens
    TokenMgr->>Claude: request sessionKey
    Claude-->>TokenMgr: sessionKey or null
    Script->>Script: mountComponent (retry)
    Script->>UI: init selection tools / static card

    alt Jump-back required
        Script->>TokenMgr: poll token readiness
        TokenMgr-->>Script: token ready
        Script->>UI: render WebJumpBackNotification
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hop through ports with careful paws,

I hush the secrets and mend the flaws,
I fetch the keys, I mount the view,
I stitch reconnects and scrub what's new,
A tiny rabbit makes systems true.

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 6.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'Fix: Address potential bugs and improve error handling' is vague and generic, using non-descriptive terms that don't convey meaningful information about the specific changes in this large-scale refactor.	Provide a more specific title that highlights the primary change, such as 'Refactor: Add comprehensive error handling and logging to background and content scripts' or identify the most impactful specific fix.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into `master`

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch bugfix/general-fixes

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

qodo-code-review · 2025-06-07T14:02:42Z

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 No relevant tests
🔒 Security concerns Sensitive information exposure: The code previously had a commented out line that would log the access token (line 613). While it's currently commented out with a warning, the presence of this code suggests a risk of accidentally exposing sensitive tokens in logs. Additionally, the code handles various authentication tokens (ChatGPT, Claude, Kimi) and should ensure these are never logged or exposed, even in debug statements.
⚡ Recommended focus areas for review Reconnection Logic The reconnection logic in setPortProxy may cause an infinite loop if the proxy tab consistently fails to connect. There's no retry limit or backoff strategy. console.warn(`[background] Proxy tab ${proxyTabId} disconnected. Attempting to reconnect.`) port.proxy = null // Clear the old proxy // Potentially add a delay or retry limit here setPortProxy(port, proxyTabId) // Reconnect Promise Rejection The Promise for waiting for Claude session key has a timeout but the rejection might not be properly handled in all code paths, potentially causing hanging operations. setTimeout(() => { clearInterval(timer); if (!claudeSession) { console.warn("[content] Timed out waiting for Claude session key."); reject(new Error("Timed out waiting for Claude session key.")); } }, 30000); // 30 second timeout }).catch(err => { // Catch rejection from the Promise itself (e.g. timeout) console.error("[content] Failed to get Claude session key for jump back notification:", err); // Do not proceed to render if session key is critical and not found return; }); Duplicate Code Similar timeout and polling logic is duplicated between Claude and Kimi authentication flows. This could be refactored into a shared utility function. await new Promise((resolve, reject) => { const timer = setInterval(async () => { try { claudeSession = await getClaudeSessionKey() if (claudeSession) { clearInterval(timer) console.log('[content] Claude session key found after waiting.') resolve() } } catch (err) { // This inner catch is for getClaudeSessionKey failing during setInterval console.error('[content] Error polling for Claude session key:', err) // Optionally, clearInterval and reject if it's a persistent issue. } }, 500) // Timeout for waiting setTimeout(() => { clearInterval(timer); if (!claudeSession) { console.warn("[content] Timed out waiting for Claude session key."); reject(new Error("Timed out waiting for Claude session key.")); } }, 30000); // 30 second timeout }).catch(err => { // Catch rejection from the Promise itself (e.g. timeout) console.error("[content] Failed to get Claude session key for jump back notification:", err); // Do not proceed to render if session key is critical and not found return; }); } else { console.log('[content] Claude session key found immediately.') } } if (location.hostname === 'kimi.moonshot.cn') { console.debug('[content] On kimi.moonshot.cn, checking login status.') if (!window.localStorage.refresh_token) { console.log('[content] Kimi refresh token not found, attempting to trigger login.') setTimeout(() => { try { document.querySelectorAll('button').forEach((button) => { if (button.textContent === '立即登录') { console.log('[content] Clicking Kimi login button.') button.click() } }) } catch (err_click) { console.error('[content] Error clicking Kimi login button:', err_click) } }, 1000) await new Promise((resolve, reject) => { const timer = setInterval(async () => { try { const token = window.localStorage.refresh_token if (token) { clearInterval(timer) console.log('[content] Kimi refresh token found after waiting.') await setUserConfig({ kimiMoonShotRefreshToken: token }) console.log('[content] Kimi refresh token saved to config.') resolve() } } catch (err_set) { console.error('[content] Error setting Kimi refresh token from polling:', err_set) } }, 500) setTimeout(() => { clearInterval(timer); if (!window.localStorage.refresh_token) { console.warn("[content] Timed out waiting for Kimi refresh token."); reject(new Error("Timed out waiting for Kimi refresh token.")); } }, 30000); // 30 second timeout }).catch(err => { console.error("[content] Failed to get Kimi refresh token for jump back notification:", err); return; // Do not proceed });

qodo-code-review · 2025-06-07T14:03:51Z

PR Code Suggestions ✨

Latest suggestions up to 3fbed97

Category	Suggestion	Impact
Incremental ^[*]	Handle array form values The code assumes that `details.requestBody.formData[k]` is a single value, but it could be an array of values. When appending form data, you should handle the case where the value is an array by iterating through each value. src/background/index.mjs [556-560] if (details.requestBody?.formData) { // Optional chaining for (const k in details.requestBody.formData) { - formData.append(k, details.requestBody.formData[k]) + const values = details.requestBody.formData[k]; + if (Array.isArray(values)) { + for (const value of values) { + formData.append(k, value); + } + } else { + formData.append(k, values); + } } } Apply / Chat Suggestion importance[1-10]: 6 __ Why: Valid improvement as `formData` values can be arrays according to the Chrome extension API. The suggestion properly handles this edge case.	Low
	Handle undefined array elements The function doesn't handle the case where an array element is `undefined`. This could cause issues when processing arrays with sparse elements or undefined values. Add a specific check for undefined values to handle them properly. src/background/index.mjs [89-108] if (Array.isArray(obj)) { const redactedArray = []; for (let i = 0; i < obj.length; i++) { const item = obj[i]; - if (item !== null && typeof item === 'object') { + if (item === undefined) { + redactedArray[i] = undefined; + } else if (item !== null && typeof item === 'object') { redactedArray[i] = redactSensitiveFields(item, recursionDepth + 1, maxDepth, seen); } else if (typeof item === 'string') { let isItemSensitive = false; const lowerItem = item.toLowerCase(); for (const keyword of SENSITIVE_KEYWORDS) { if (lowerItem.includes(keyword)) { isItemSensitive = true; break; } } redactedArray[i] = isItemSensitive ? 'REDACTED' : item; } else { redactedArray[i] = item; } } return redactedArray; } Apply / Chat Suggestion importance[1-10]: 4 __ Why: The current code already handles `undefined` values correctly in the `else` branch. Adding explicit `undefined` handling would improve code clarity but is not necessary.	Low
	Fix race condition The error handling for Claude session key polling has a potential race condition. If the error occurs after promiseSettled has been set to true elsewhere but before this check runs, it will incorrectly set promiseSettled again and call cleanup() a second time. Add a check to verify promiseSettled is still false before proceeding with error handling. src/content-script/index.jsx [679-683] -if ((errMsg.includes('network') \|\| errMsg.includes('permission')) && !promiseSettled) { +if (!promiseSettled && (errMsg.includes('network') \|\| errMsg.includes('permission'))) { promiseSettled = true; cleanup(); reject(new Error(`Failed to get Claude session key due to: ${err.message}`)); } Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion improves code readability by checking `!promiseSettled` first, but the original code already prevents the race condition with the `&& !promiseSettled` check.	Low
	Remove development comment There's a comment "Example error check" left in the production code which suggests this error handling might be incomplete or was meant to be revised. Remove the comment and ensure the error conditions are properly defined for production use. src/content-script/index.jsx [751] const errMsg = err_set.message.toLowerCase(); -if ((errMsg.includes('network') \|\| errMsg.includes('storage')) && !promiseSettled) { // Example error check +if ((errMsg.includes('network') \|\| errMsg.includes('storage')) && !promiseSettled) { promiseSettled = true; cleanup(); reject(new Error(`Failed to process Kimi token: ${err_set.message}`)); } `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 3 __ Why: Valid cleanup suggestion to remove leftover development comment, but has minimal impact on functionality.	Low
Possible issue	Handle special object types The redaction function doesn't handle primitive objects like Date, RegExp, or Map/Set, which could lead to errors when logging. These objects are typeof 'object' but need special handling to avoid errors when iterating through their properties. src/background/index.mjs [76-87] function redactSensitiveFields(obj, recursionDepth = 0, maxDepth = 5, seen = new WeakSet()) { if (recursionDepth > maxDepth) { return 'REDACTED_TOO_DEEP'; } if (obj === null \|\| typeof obj !== 'object') { return obj; } + // Handle special object types + if (obj instanceof Date \|\| obj instanceof RegExp \|\| + obj instanceof Error \|\| obj instanceof URL) { + return obj.toString(); + } + + if (obj instanceof Map \|\| obj instanceof Set) { + return `[${obj.constructor.name}]`; + } + if (seen.has(obj)) { return 'REDACTED_CIRCULAR_REFERENCE'; } seen.add(obj); Apply / Chat Suggestion importance[1-10]: 6 __ Why: Good suggestion to improve the robustness of the `redactSensitiveFields` function by handling special object types like Date, RegExp, Map, and Set that could cause errors during property iteration.	Low
Possible issue	Add retry limit for polling The interval continues running indefinitely if no session key is found and no error occurs. Add a maximum retry count or timeout mechanism to prevent an infinite polling loop that could cause memory leaks or excessive resource usage. src/content-script/index.jsx [659-685] +let retryCount = 0; +const MAX_RETRIES = 60; // 30 seconds at 500ms intervals + await new Promise((resolve, reject) => { timerId = setInterval(async () => { if (promiseSettled) { console.warn('[content] Promise already settled but Claude interval still running. This indicates a potential cleanup issue.'); cleanup() return } + + retryCount++; + if (retryCount >= MAX_RETRIES) { + if (!promiseSettled) { + promiseSettled = true; + cleanup(); + reject(new Error('Maximum retry count reached while polling for Claude session key.')); + return; + } + } + try { claudeSession = await getClaudeSessionKey() if (claudeSession) { if (!promiseSettled) { promiseSettled = true cleanup() console.log('[content] Claude session key found after waiting.') resolve() } } } catch (err) { console.error('[content] Error polling for Claude session key:', err) const errMsg = err.message.toLowerCase(); if ((errMsg.includes('network') \|\| errMsg.includes('permission')) && !promiseSettled) { promiseSettled = true; cleanup(); reject(new Error(`Failed to get Claude session key due to: ${err.message}`)); } } }, 500) Apply / Chat Suggestion importance[1-10]: 4 __ Why: The suggestion overlooks that there's already a timeout mechanism (30 seconds) in place to prevent infinite polling. However, adding a retry count could still provide an additional safeguard.	Low
Update

Previous suggestions

✅ Suggestions up to commit 0b5e7a4

Category	Suggestion	Impact
Security	✅ ~~Fix array handling in redaction~~ Suggestion Impact: The commit implemented the core idea of the suggestion by adding special handling for arrays. It now properly checks array items for sensitive content, particularly string values, which was the main security concern raised in the suggestion. code diff: - const redactedObj = Array.isArray(obj) ? [] : {}; - for (const key in obj) { - if (Object.prototype.hasOwnProperty.call(obj, key)) { - const lowerKey = key.toLowerCase(); - let isSensitive = false; - for (const keyword of SENSITIVE_KEYWORDS) { - if (lowerKey.includes(keyword)) { - isSensitive = true; - break; - } - } - if (isSensitive) { - redactedObj[key] = 'REDACTED'; - } else if (obj[key] !== null && typeof obj[key] === 'object') { // Added obj[key] !== null check - redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen); + if (Array.isArray(obj)) { + const redactedArray = []; + for (let i = 0; i < obj.length; i++) { + const item = obj[i]; + if (item !== null && typeof item === 'object') { + redactedArray[i] = redactSensitiveFields(item, recursionDepth + 1, maxDepth, seen); + } else if (typeof item === 'string') { + let isItemSensitive = false; + const lowerItem = item.toLowerCase(); + for (const keyword of SENSITIVE_KEYWORDS) { + if (lowerItem.includes(keyword)) { + isItemSensitive = true; + break; + } + } + redactedArray[i] = isItemSensitive ? 'REDACTED' : item; } else { - redactedObj[key] = obj[key]; - } - } + redactedArray[i] = item; + } + } + return redactedArray; + } else { + const redactedObj = {}; + for (const key in obj) { + if (Object.prototype.hasOwnProperty.call(obj, key)) { + const lowerKey = key.toLowerCase(); + let isKeySensitive = false; + for (const keyword of SENSITIVE_KEYWORDS) { + if (lowerKey.includes(keyword)) { + isKeySensitive = true; + break; + } + } + if (isKeySensitive) { + redactedObj[key] = 'REDACTED'; + } else if (obj[key] !== null && typeof obj[key] === 'object') { + redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen); + } else { + redactedObj[key] = obj[key]; + } + } + } + return redactedObj; } The function doesn't properly handle sensitive values in arrays. When iterating through object keys, array indices are converted to strings, but the function doesn't check array values directly. This could lead to sensitive data leakage when redacting arrays containing sensitive strings or objects. src/background/index.mjs [76-110] function redactSensitiveFields(obj, recursionDepth = 0, maxDepth = 5, seen = new WeakSet()) { if (recursionDepth > maxDepth) { return 'REDACTED_TOO_DEEP'; } if (obj === null \|\| typeof obj !== 'object') { return obj; } if (seen.has(obj)) { return 'REDACTED_CIRCULAR_REFERENCE'; } seen.add(obj); const redactedObj = Array.isArray(obj) ? [] : {}; - for (const key in obj) { - if (Object.prototype.hasOwnProperty.call(obj, key)) { - const lowerKey = key.toLowerCase(); - let isSensitive = false; - for (const keyword of SENSITIVE_KEYWORDS) { - if (lowerKey.includes(keyword)) { - isSensitive = true; - break; + + if (Array.isArray(obj)) { + for (let i = 0; i < obj.length; i++) { + if (obj[i] !== null && typeof obj[i] === 'object') { + redactedObj[i] = redactSensitiveFields(obj[i], recursionDepth + 1, maxDepth, seen); + } else if (typeof obj[i] === 'string') { + let isSensitive = false; + for (const keyword of SENSITIVE_KEYWORDS) { + if (obj[i].toLowerCase().includes(keyword)) { + isSensitive = true; + break; + } } + redactedObj[i] = isSensitive ? 'REDACTED' : obj[i]; + } else { + redactedObj[i] = obj[i]; } - if (isSensitive) { - redactedObj[key] = 'REDACTED'; - } else if (obj[key] !== null && typeof obj[key] === 'object') { // Added obj[key] !== null check - redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen); - } else { - redactedObj[key] = obj[key]; + } + } else { + for (const key in obj) { + if (Object.prototype.hasOwnProperty.call(obj, key)) { + const lowerKey = key.toLowerCase(); + let isSensitive = false; + for (const keyword of SENSITIVE_KEYWORDS) { + if (lowerKey.includes(keyword)) { + isSensitive = true; + break; + } + } + if (isSensitive) { + redactedObj[key] = 'REDACTED'; + } else if (obj[key] !== null && typeof obj[key] === 'object') { + redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen); + } else { + redactedObj[key] = obj[key]; + } } } } return redactedObj; } `[Suggestion processed]` Suggestion importance[1-10]: 7 __ Why: The suggestion enhances security by adding explicit handling for sensitive string values within arrays. While the existing code handles array structure, it doesn't check for sensitive keywords in array string values, which could lead to data leakage. This is a meaningful security improvement.	Medium
Possible issue	Check port connection before messaging The code attempts to send a message to the port after potentially removing event listeners, which could lead to a race condition. If the port is already disconnected, the postMessage call will fail. Add a check to verify the port is still connected before attempting to send the error message. src/background/index.mjs [171-185] if (port._reconnectAttempts > RECONNECT_CONFIG.MAX_ATTEMPTS) { console.error(`[background] Max reconnect attempts (${RECONNECT_CONFIG.MAX_ATTEMPTS}) reached for tab ${proxyTabId}. Giving up.`); if (port._portOnMessage) { try { port.onMessage.removeListener(port._portOnMessage); } catch(e) { console.warn("[background] Error removing _portOnMessage on max retries:", e); } } if (port._portOnDisconnect) { // Cleanup _portOnDisconnect as well try { port.onDisconnect.removeListener(port._portOnDisconnect); } catch(e) { console.warn("[background] Error removing _portOnDisconnect on max retries:", e); } } try { // Notify user about final connection failure - port.postMessage({ error: `Connection to ChatGPT tab lost after ${RECONNECT_CONFIG.MAX_ATTEMPTS} attempts. Please refresh the page.` }); + if (port.onMessage) { // Check if port is still connected + port.postMessage({ error: `Connection to ChatGPT tab lost after ${RECONNECT_CONFIG.MAX_ATTEMPTS} attempts. Please refresh the page.` }); + } } catch(e) { console.warn("[background] Error sending final error message on max retries:", e); } return; } Suggestion importance[1-10]: 6 __ Why: The suggestion addresses a potential race condition where the `port.postMessage` could fail if the port is disconnected. Adding a check for `port.onMessage` before posting messages is a reasonable defensive programming practice that prevents unnecessary errors.	Low
Possible issue	✅ ~~Handle consecutive polling failures~~ Suggestion Impact: The commit implemented error handling for Claude session key polling, but used a different approach. Instead of counting consecutive errors, it checks for specific error types (network or permission errors) and rejects the promise immediately when those occur. code diff: @@ -679,12 +675,12 @@ } } catch (err) { console.error('[content] Error polling for Claude session key:', err) - // Example for Qodo: Stop on specific error - // if (err.message.includes('NetworkError') && !promiseSettled) { - // promiseSettled = true; - // cleanup(); - // reject(new Error(`Failed to get Claude session key: ${err.message}`)); - // } + const errMsg = err.message.toLowerCase(); + if ((errMsg.includes('network') \|\| errMsg.includes('permission')) && !promiseSettled) { + promiseSettled = true; + cleanup(); + reject(new Error(`Failed to get Claude session key due to: ${err.message}`)); + } } The interval continues running even if there's an error, but there's no mechanism to reject the promise on repeated failures. Add a counter to track consecutive errors and reject the promise after a certain threshold to prevent infinite polling when the service is unavailable. src/content-script/index.jsx [663-689] let promiseSettled = false let timerId = null let timeoutId = null +let errorCount = 0 +const MAX_CONSECUTIVE_ERRORS = 5 const cleanup = () => { if (timerId) clearInterval(timerId) if (timeoutId) clearTimeout(timeoutId) } await new Promise((resolve, reject) => { timerId = setInterval(async () => { if (promiseSettled) { console.warn('[content] Promise already settled but Claude interval still running. This indicates a potential cleanup issue.'); cleanup() return } try { claudeSession = await getClaudeSessionKey() + errorCount = 0 // Reset error count on successful call if (claudeSession) { if (!promiseSettled) { promiseSettled = true cleanup() console.log('[content] Claude session key found after waiting.') resolve() } } } catch (err) { - console.error('[content] Error polling for Claude session key:', err) + errorCount++ + console.error(`[content] Error polling for Claude session key (${errorCount}/${MAX_CONSECUTIVE_ERRORS}):`, err) + if (errorCount >= MAX_CONSECUTIVE_ERRORS && !promiseSettled) { + promiseSettled = true + cleanup() + reject(new Error(`Failed to get Claude session key after ${MAX_CONSECUTIVE_ERRORS} consecutive errors`)) + } } }, 500) Suggestion importance[1-10]: 6 __ Why: The suggestion improves error handling by adding a mechanism to stop infinite polling after consecutive failures. This prevents the code from getting stuck in an endless loop when the service is consistently unavailable, which is a good defensive programming practice.	Low
Incremental ^[*]	✅ ~~Properly handle HTTP errors~~ Suggestion Impact: The commit implemented a different approach to handle HTTP errors. Instead of using an early return, it created a responseObject with error information when response is not OK, which achieves the same goal of properly handling HTTP errors. code diff: @@ -466,22 +510,21 @@ try { const response = await fetch(message.data.input, message.data.init) const text = await response.text() - if (!response.ok) { // Added check for HTTP error statuses + const responseObject = { // Defined for clarity before conditional error property + body: text, + ok: response.ok, + status: response.status, + statusText: response.statusText, + headers: Object.fromEntries(response.headers), + }; + if (!response.ok) { + responseObject.error = `HTTP error ${response.status}: ${response.statusText}`; console.warn(`[background] FETCH received error status: ${response.status} for ${message.data.input}`); } console.debug( `[background] FETCH successful for ${message.data.input}, status: ${response.status}`, ) - return [ - { - body: text, - ok: response.ok, // Added ok status - status: response.status, - statusText: response.statusText, - headers: Object.fromEntries(response.headers), - }, - null, - ] + return [responseObject, null]; The code logs a warning for non-OK HTTP responses but doesn't handle the error condition properly. Since the response is still processed as if it were successful, this could lead to unexpected behavior when API calls fail. src/background/index.mjs [469-471] if (!response.ok) { // Added check for HTTP error statuses console.warn(`[background] FETCH received error status: ${response.status} for ${message.data.input}`); + return [ + { + body: text, + ok: response.ok, + status: response.status, + statusText: response.statusText, + headers: Object.fromEntries(response.headers), + error: `HTTP error: ${response.status} ${response.statusText}` + }, + null, + ] } Suggestion importance[1-10]: 3 __ Why: The current implementation correctly includes `ok: response.ok` in the response, allowing callers to handle HTTP errors appropriately. The suggested early return would change the API behavior and might break existing code expecting response bodies for error statuses.	Low

✅ Suggestions up to commit a986d2e

Category	Suggestion	Impact
Possible issue	✅ ~~Clean up all event listeners~~ Suggestion Impact: The commit implemented the suggestion by adding code to clean up the port._portOnDisconnect listener when max reconnect attempts are reached, along with additional error handling to notify the user about the connection failure code diff: + if (port._portOnDisconnect) { // Cleanup _portOnDisconnect as well + try { port.onDisconnect.removeListener(port._portOnDisconnect); } + catch(e) { console.warn("[background] Error removing _portOnDisconnect on max retries:", e); } + } The code is missing cleanup for port._portOnDisconnect listener when max reconnect attempts are reached. This can lead to memory leaks and potential errors if the port is later reused. Add code to remove this listener as well. src/background/index.mjs [156-164] port._reconnectAttempts = (port._reconnectAttempts \|\| 0) + 1; if (port._reconnectAttempts > RECONNECT_CONFIG.MAX_ATTEMPTS) { console.error(`[background] Max reconnect attempts (${RECONNECT_CONFIG.MAX_ATTEMPTS}) reached for tab ${proxyTabId}. Giving up.`); if (port._portOnMessage) { try { port.onMessage.removeListener(port._portOnMessage); } catch(e) { console.warn("[background] Error removing _portOnMessage on max retries:", e); } } + if (port._portOnDisconnect) { + try { port.onDisconnect.removeListener(port._portOnDisconnect); } + catch(e) { console.warn("[background] Error removing _portOnDisconnect on max retries:", e); } + } return; } `[Suggestion processed]` Suggestion importance[1-10]: 7 __ Why: This addresses a potential memory leak by ensuring `port._portOnDisconnect` listener is also removed when max reconnect attempts are reached, preventing orphaned event listeners.	Medium
Possible issue	✅ ~~Fix null object handling~~ Suggestion Impact: The commit implemented the exact suggestion by adding a null check before the typeof check in the redactSensitiveFields function, preventing potential runtime errors when obj[key] is null code diff: - } else if (typeof obj[key] === 'object') { + } else if (obj[key] !== null && typeof obj[key] === 'object') { // Added obj[key] !== null check The redactSensitiveFields function doesn't handle null values correctly. When obj[key] is null, the typeof check will return 'object', but null can't be processed recursively. Add a specific check for null values. src/background/index.mjs [97-98] function redactSensitiveFields(obj, recursionDepth = 0, maxDepth = 5, seen = new WeakSet()) { if (recursionDepth > maxDepth) { return 'REDACTED_TOO_DEEP'; } if (obj === null \|\| typeof obj !== 'object') { return obj; } if (seen.has(obj)) { return 'REDACTED_CIRCULAR_REFERENCE'; } seen.add(obj); const redactedObj = Array.isArray(obj) ? [] : {}; for (const key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { const lowerKey = key.toLowerCase(); let isSensitive = false; for (const keyword of SENSITIVE_KEYWORDS) { if (lowerKey.includes(keyword)) { isSensitive = true; break; } } if (isSensitive) { redactedObj[key] = 'REDACTED'; - } else if (typeof obj[key] === 'object') { + } else if (obj[key] !== null && typeof obj[key] === 'object') { redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen); } else { redactedObj[key] = obj[key]; } } } return redactedObj; } Suggestion importance[1-10]: 6 __ Why: This prevents potential runtime errors when `obj[key]` is `null` by adding an explicit null check before recursive calls, improving the function's defensive programming.	Low
General	Improve login button detection The code uses a fixed selector to find the login button by its text content '立即登录', but this approach is brittle and may fail if the UI changes or is localized. Use a more reliable selector or add a fallback mechanism. src/content-script/index.jsx [702-717] if (location.hostname === 'kimi.moonshot.cn') { console.debug('[content] On kimi.moonshot.cn, checking login status.') if (!window.localStorage.refresh_token) { console.log('[content] Kimi refresh token not found, attempting to trigger login.') setTimeout(() => { try { + // Try to find by text content first + let loginButton = null; document.querySelectorAll('button').forEach((button) => { - if (button.textContent === '立即登录') { - console.log('[content] Clicking Kimi login button.') - button.click() + if (button.textContent === '立即登录' \|\| + button.textContent.toLowerCase().includes('login') \|\| + button.getAttribute('data-testid') === 'login-button') { + loginButton = button; + console.log('[content] Found Kimi login button:', button.textContent); } - }) + }); + + if (loginButton) { + console.log('[content] Clicking Kimi login button.'); + loginButton.click(); + } else { + console.warn('[content] Could not find Kimi login button.'); + } } catch (err_click) { console.error('[content] Error clicking Kimi login button:', err_click) } }, 1000) Suggestion importance[1-10]: 4 __ Why: The suggestion improves robustness by adding fallback mechanisms for button detection, but the current hardcoded approach is functional and this is primarily a maintainability enhancement.	Low
Security	✅ ~~Enhance security redaction coverage~~ Suggestion Impact: The commit directly implemented the suggestion by adding all the suggested sensitive keywords ('jwt', 'session', 'access', 'private', 'oauth') to the SENSITIVE_KEYWORDS array exactly as recommended code diff: 'credential', + 'jwt', + 'session', + 'access', + 'private', + 'oauth', The SENSITIVE_KEYWORDS array is missing common sensitive terms like 'jwt', 'session', and 'access'. Add these terms to ensure comprehensive redaction of all sensitive information in logs. src/background/index.mjs [60-69] const SENSITIVE_KEYWORDS = [ 'apikey', 'token', 'secret', 'password', 'kimimoonshotrefreshtoken', 'auth', 'key', 'credential', + 'jwt', + 'session', + 'access', + 'private', + 'oauth' ]; `[Suggestion processed]` Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies missing sensitive keywords like `jwt`, `session`, and `oauth` that should be redacted for better security coverage in logs.	Medium
Possible issue	✅ ~~Improve HTTP error handling~~ Suggestion Impact: The commit implemented the suggestion by adding a check for response.ok and including the ok property in the returned object. The implementation is slightly different from the suggestion but achieves the same goal. code diff: try { const response = await fetch(message.data.input, message.data.init) const text = await response.text() + if (!response.ok) { // Added check for HTTP error statuses + console.warn(`[background] FETCH received error status: ${response.status} for ${message.data.input}`); + } console.debug( `[background] FETCH successful for ${message.data.input}, status: ${response.status}`, ) return [ { body: text, + ok: response.ok, // Added ok status status: response.status, statusText: response.statusText, headers: Object.fromEntries(response.headers), The fetch operation doesn't handle non-network errors properly. If the response is received but has an error status code (e.g., 404, 500), it will still be treated as a success. Add status code checking to properly handle HTTP error responses. src/background/index.mjs [433-451] try { const response = await fetch(message.data.input, message.data.init) const text = await response.text() console.debug( - `[background] FETCH successful for ${message.data.input}, status: ${response.status}`, + `[background] FETCH for ${message.data.input}, status: ${response.status}`, ) + if (!response.ok) { + console.warn(`[background] FETCH received error status: ${response.status} for ${message.data.input}`) + } return [ { body: text, status: response.status, statusText: response.statusText, headers: Object.fromEntries(response.headers), + ok: response.ok }, null, ] } catch (error) { console.error(`[background] FETCH error for ${message.data.input}:`, error) return [null, { message: error.message, stack: error.stack }] } `[Suggestion processed]` Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies that HTTP error status codes (4xx, 5xx) are currently treated as successful responses. Adding `response.ok` checking and including the `ok` property improves error handling for the caller.	Low
Possible issue	✅ ~~Prevent property access errors~~ Suggestion Impact: The commit implemented the suggestion's intent by adding try-catch blocks around port.proxy.postMessage calls in multiple places (lines 99-108, 133-159), which provides more robust error handling when accessing port.proxy properties. This achieves the same goal as the suggested code changes, though with a different implementation approach. code diff: - port.proxy.postMessage(msg) + try { + port.proxy.postMessage(msg) + } catch (e) { + console.error('[background] Error posting message to proxy tab in _portOnMessage:', e, msg); + try { + port.postMessage({ error: 'Failed to forward message to target tab. Tab might be closed or an extension error occurred.' }); + } catch (notifyError) { + console.error('[background] Error sending forwarding failure notification back to original sender:', notifyError); + } + } } else { console.warn('[background] Port proxy not available to send message:', msg) } @@ -159,6 +196,15 @@ if (port._portOnMessage) { try { port.onMessage.removeListener(port._portOnMessage); } catch(e) { console.warn("[background] Error removing _portOnMessage on max retries:", e); } + } + if (port._portOnDisconnect) { + try { port.onDisconnect.removeListener(port._portOnDisconnect); } + catch(e) { console.warn("[background] Error removing _portOnDisconnect from main port on max retries:", e); } + } + try { + port.postMessage({ error: `Connection to ChatGPT tab lost after ${RECONNECT_CONFIG.MAX_ATTEMPTS} attempts. Please refresh the page.` }); + } catch(e) { + console.warn("[background] Error sending final error message on max retries:", e); } return; } @@ -270,11 +316,42 @@ } if (port.proxy) { console.debug('[background] Posting message to proxy tab:', { session }) - port.proxy.postMessage({ session }) + try { + port.proxy.postMessage({ session }) + } catch (e) { + console.warn('[background] Error posting message to existing proxy tab in executeApi (ChatGPT Web Model):', e, '. Attempting to reconnect.', { session }); + setPortProxy(port, tabId); // Attempt to re-establish the connection + if (port.proxy) { + console.debug('[background] Proxy re-established. Attempting to post message again.'); + try { + port.proxy.postMessage({ session }); + console.info('[background] Successfully posted session after proxy reconnection.'); + } catch (e2) { + console.error('[background] Error posting message even after proxy reconnection:', e2, { session }); + try { + port.postMessage({ error: 'Failed to communicate with ChatGPT tab after reconnection attempt. Try refreshing the page.' }); + } catch (notifyError) { + console.error('[background] Error sending final communication failure notification back:', notifyError); + } + } + } else { + console.error('[background] Failed to re-establish proxy connection. Cannot send session.'); + try { + port.postMessage({ error: 'Could not re-establish connection to ChatGPT tab. Try refreshing the page.' }); + } catch (notifyError) { + console.error('[background] Error sending re-establishment failure notification back:', notifyError); + } + } + } The code doesn't check if port.proxy is valid before accessing its properties. If port.proxy exists but is in an invalid state (e.g., disconnected or destroyed), accessing its properties could throw errors. Add a more robust check to prevent potential runtime errors. src/background/index.mjs [111-118] if (port.proxy) { try { - if (port._proxyOnMessage) port.proxy.onMessage.removeListener(port._proxyOnMessage); - if (port._proxyOnDisconnect) port.proxy.onDisconnect.removeListener(port._proxyOnDisconnect); + if (port._proxyOnMessage && port.proxy.onMessage) port.proxy.onMessage.removeListener(port._proxyOnMessage); + if (port._proxyOnDisconnect && port.proxy.onDisconnect) port.proxy.onDisconnect.removeListener(port._proxyOnDisconnect); } catch(e) { console.warn('[background] Error removing old listeners from previous port.proxy instance:', e); } } Suggestion importance[1-10]: 4 __ Why: The suggestion adds additional safety checks before accessing `port.proxy` properties, which could prevent runtime errors. However, the existing code already has try-catch protection, making this a minor defensive improvement.	Low
Possible issue	✅ ~~Fix Manifest V3 compatibility~~ Suggestion Impact: The commit implemented the exact suggestion by replacing the static ['blocking', 'requestHeaders'] with a conditional expression that only includes 'blocking' for Manifest V2, ensuring compatibility with Manifest V3 browsers code diff: - ['blocking', 'requestHeaders'], + ['requestHeaders', ...(Browser.runtime.getManifest().manifest_version < 3 ? ['blocking'] : [])], The 'blocking' option in the webRequest API is deprecated in Manifest V3 and will cause errors in browsers that enforce V3 compatibility. This will prevent header modifications from working correctly for Bing API requests. src/background/index.mjs [530-566] Browser.webRequest.onBeforeSendHeaders.addListener( (details) => { try { console.debug('[background] onBeforeSendHeaders triggered for URL:', details.url) const headers = details.requestHeaders let modified = false for (let i = 0; i < headers.length; i++) { if (headers[i]) { const headerNameLower = headers[i].name?.toLowerCase(); if (headerNameLower === 'origin') { headers[i].value = 'https://www.bing.com' modified = true } else if (headerNameLower === 'referer') { headers[i].value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx' modified = true } } } if (modified) { console.debug('[background] Modified headers for Bing:', headers) } return { requestHeaders: headers } } catch (error) { console.error( '[background] Error in onBeforeSendHeaders listener callback:', error, details, ) return { requestHeaders: details.requestHeaders } } }, { urls: ['wss://sydney.bing.com/', 'https://www.bing.com/'], types: ['xmlhttprequest', 'websocket'], }, - ['blocking', 'requestHeaders'], + ['requestHeaders', ...(Browser.runtime.getManifest().manifest_version < 3 ? ['blocking'] : [])], ) `[Suggestion processed]` Suggestion importance[1-10]: 7 __ Why: Important compatibility fix for Manifest V3 where the `blocking` option is deprecated. The conditional inclusion based on manifest version ensures the extension works correctly across different browser versions and future-proofs the code.	Medium
	✅ ~~Prevent infinite polling loops~~ Suggestion Impact: The commit implemented a commented-out example of the suggested error handling pattern. While not directly implementing the suggestion, it shows the developer acknowledged the issue and provided a template for how to handle specific errors to prevent infinite polling. code diff: + // Example for Qodo: Stop on specific error + // if (err.message.includes('NetworkError') && !promiseSettled) { + // promiseSettled = true; + // cleanup(); + // reject(new Error(`Failed to get Claude session key: ${err.message}`)); + // } The polling interval doesn't handle errors properly. If an exception occurs during getClaudeSessionKey(), the interval continues running indefinitely without resolving or rejecting the promise. Add error handling to prevent infinite polling on persistent errors. src/content-script/index.jsx [664-683] let timerId = setInterval(async () => { if (promiseSettled) { console.warn('[content] Promise already settled but Claude interval still running. This indicates a potential cleanup issue.'); cleanup() return } try { claudeSession = await getClaudeSessionKey() if (claudeSession) { if (!promiseSettled) { promiseSettled = true cleanup() console.log('[content] Claude session key found after waiting.') resolve() } } } catch (err) { console.error('[content] Error polling for Claude session key:', err) + // Prevent infinite polling on persistent errors + if (err.message && (err.message.includes('network') \|\| err.message.includes('permission'))) { + promiseSettled = true + cleanup() + reject(new Error(`Failed to get Claude session key: ${err.message}`)) + } } }, 500) Suggestion importance[1-10]: 6 __ Why: Good suggestion to prevent infinite polling when persistent errors occur. The improved error handling checks for specific error types and properly rejects the promise, preventing resource waste and potential memory leaks.	Low
	✅ ~~Handle message serialization errors~~ Suggestion Impact: The commit implemented the suggested try-catch block around port.proxy.postMessage(msg) with error handling, though with slightly different error message text and additional nested try-catch for the error notification code diff: port._portOnMessage = (msg) => { console.debug('[background] Message to proxy tab:', msg) if (port.proxy) { - port.proxy.postMessage(msg) + try { + port.proxy.postMessage(msg) + } catch (e) { + console.error('[background] Error posting message to proxy tab in _portOnMessage:', e, msg); + try { // Attempt to notify the original sender about the failure + port.postMessage({ error: 'Failed to forward message to target tab. Tab might be closed or an extension error occurred.' }); + } catch (notifyError) { + console.error('[background] Error sending forwarding failure notification back to original sender:', notifyError); + } + } } else { The code attempts to send a message to port.proxy without checking if the message is serializable. Non-serializable objects (like functions, circular references) will cause postMessage to throw errors. Add a try-catch block to handle potential serialization errors. src/background/index.mjs [130-137] port._portOnMessage = (msg) => { console.debug('[background] Message to proxy tab:', msg) if (port.proxy) { - port.proxy.postMessage(msg) + try { + port.proxy.postMessage(msg) + } catch (error) { + console.error('[background] Failed to send message to proxy tab:', error) + port.postMessage({ error: 'Failed to forward message to target tab' }) + } } else { console.warn('[background] Port proxy not available to send message:', msg) } } `[Suggestion processed]` Suggestion importance[1-10]: 5 __ Why: Valid suggestion to add error handling for `postMessage` serialization failures. This prevents potential crashes when non-serializable objects are sent through the message port, improving robustness.	Low
Possible issue	✅ ~~Handle message serialization errors~~ Suggestion Impact: The commit implemented the suggested try-catch block around port.proxy.postMessage(msg) with error handling, though with slightly different error message text and additional nested try-catch for the error notification code diff: port._portOnMessage = (msg) => { console.debug('[background] Message to proxy tab:', msg) if (port.proxy) { - port.proxy.postMessage(msg) + try { + port.proxy.postMessage(msg) + } catch (e) { + console.error('[background] Error posting message to proxy tab in _portOnMessage:', e, msg); + try { // Attempt to notify the original sender about the failure + port.postMessage({ error: 'Failed to forward message to target tab. Tab might be closed or an extension error occurred.' }); + } catch (notifyError) { + console.error('[background] Error sending forwarding failure notification back to original sender:', notifyError); + } + } } else { The code doesn't handle potential errors when posting a message to the proxy tab. If the session object contains circular references or non-serializable data, postMessage will throw an error that's not caught. Add a try-catch block to handle this scenario gracefully. src/background/index.mjs [271-278] if (port.proxy) { console.debug('[background] Posting message to proxy tab:', { session }) - port.proxy.postMessage({ session }) + try { + port.proxy.postMessage({ session }) + } catch (error) { + console.error('[background] Error posting message to proxy tab:', error) + port.postMessage({ error: 'Failed to communicate with ChatGPT tab. Try refreshing the page.' }) + } } else { console.error( '[background] Failed to send message: port.proxy is still not available after setPortProxy.', ) } Suggestion importance[1-10]: 6 __ Why: Valid suggestion to add error handling for `postMessage` which can throw serialization errors, though the impact is moderate since it addresses an edge case.	Low
Possible issue	✅ ~~Notify user on connection failure~~ Suggestion Impact: The suggestion was implemented in the commit. Lines 60-64 of the diff show the exact implementation of the suggested code that notifies users when connection is permanently lost after max reconnection attempts. code diff: + try { // Notify user about final connection failure + port.postMessage({ error: `Connection to ChatGPT tab lost after ${RECONNECT_CONFIG.MAX_ATTEMPTS} attempts. Please refresh the page.` }); + } catch(e) { + console.warn("[background] Error sending final error message on max retries:", e); } When giving up on reconnection attempts, the code should send a notification to the client that the connection has been permanently lost. This would provide better user experience by informing them of the connection failure rather than silently failing. src/background/index.mjs [157-164] if (port._reconnectAttempts > RECONNECT_CONFIG.MAX_ATTEMPTS) { console.error(`[background] Max reconnect attempts (${RECONNECT_CONFIG.MAX_ATTEMPTS}) reached for tab ${proxyTabId}. Giving up.`); if (port._portOnMessage) { try { port.onMessage.removeListener(port._portOnMessage); } catch(e) { console.warn("[background] Error removing _portOnMessage on max retries:", e); } } + try { + port.postMessage({ error: `Connection to ChatGPT tab lost after ${RECONNECT_CONFIG.MAX_ATTEMPTS} attempts. Please refresh the page.` }); + } catch(e) { + console.warn("[background] Error sending final error message on max retries:", e); + } return; } `[Suggestion processed]` Suggestion importance[1-10]: 7 __ Why: Good user experience improvement by notifying users when connection fails permanently. However, the impact is moderate since this is error handling for an edge case.	Medium
Possible issue	Prevent timer resource leaks The cleanup function is defined but not called if an error occurs during the promise setup. Add a try-catch block around the entire promise creation to ensure cleanup is always called, preventing potential memory leaks from lingering intervals and timeouts. src/content-script/index.jsx [658-665] let promiseSettled = false let timerId = null let timeoutId = null const cleanup = () => { if (timerId) clearInterval(timerId) if (timeoutId) clearTimeout(timeoutId) } +try { + await new Promise((resolve, reject) => { + // Promise implementation... + }).catch((err) => { + console.error('[content] Failed to get Claude session key for jump back notification:', err) + return + }); +} catch (error) { + console.error('[content] Unexpected error in Claude session handling:', error); + cleanup(); // Ensure cleanup happens even if promise setup fails +} + Suggestion importance[1-10]: 2 __ Why: The `existing_code` doesn't match the actual implementation in the diff. The code already has proper `.catch()` error handling, making this suggestion less relevant.	Low
Security	Detect encoded sensitive data The redaction function doesn't handle Base64 encoded secrets or API keys. Add detection for common Base64 patterns to prevent leaking sensitive information in logs that might be encoded rather than in plain text. src/background/index.mjs [60-69] const SENSITIVE_KEYWORDS = [ 'apikey', 'token', 'secret', 'password', 'kimimoonshotrefreshtoken', 'auth', 'key', 'credential', ]; +const BASE64_PATTERNS = [ + /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==\|[A-Za-z0-9+/]{3}=)?$/, + /^[A-Za-z0-9_-]{21,22}$/, // URL-safe base64 without padding +]; + Suggestion importance[1-10]: 1 __ Why: Just adding `BASE64_PATTERNS` without integrating them into the `redactSensitiveFields` function provides no benefit. The improved code doesn't show how these patterns would be used.	Low

✅ Suggestions up to commit 789d8fe

Category	Suggestion	Impact
Incremental ^[*]	✅ ~~Fix potential null reference~~ Suggestion Impact: The commit implemented the suggestion by adding a check for headers[i] existence before accessing its properties, but with a slightly different implementation approach. Instead of adding the check to each condition, the code was restructured to wrap all header operations in a single if(headers[i]) check. code diff: - const headerNameLower = headers[i]?.name?.toLowerCase(); // Apply optional chaining - if (headerNameLower === 'origin') { - headers[i].value = 'https://www.bing.com' - modified = true - } else if (headerNameLower === 'referer') { - headers[i].value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx' - modified = true + if (headers[i]) { + const headerNameLower = headers[i].name?.toLowerCase(); + if (headerNameLower === 'origin') { + headers[i].value = 'https://www.bing.com' + modified = true + } else if (headerNameLower === 'referer') { + headers[i].value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx' + modified = true + } } After using optional chaining for `headers[i]?.name`, you should verify that `headers[i]` exists before attempting to modify its value property. Otherwise, if a header entry is undefined but has a name property that matches, the code will throw an error when trying to set the value. src/background/index.mjs [543-550] const headerNameLower = headers[i]?.name?.toLowerCase(); // Apply optional chaining -if (headerNameLower === 'origin') { +if (headers[i] && headerNameLower === 'origin') { headers[i].value = 'https://www.bing.com' modified = true -} else if (headerNameLower === 'referer') { +} else if (headers[i] && headerNameLower === 'referer') { headers[i].value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx' modified = true } `[Suggestion processed]` Suggestion importance[1-10]: 8 __ Why: This is a valid bug fix - using optional chaining on `headers[i]?.name` but not checking if `headers[i]` exists before setting its `value` property could cause runtime errors.	Medium
	✅ ~~Enhance sensitive data detection~~ Suggestion Impact: The commit implemented exactly the suggested enhancement by adding the three recommended keywords ('auth', 'key', 'credential') to the SENSITIVE_KEYWORDS array, improving the detection of sensitive information in the application. code diff: const SENSITIVE_KEYWORDS = [ - 'apikey', // Covers apiKey, customApiKey, claudeApiKey, etc. - 'token', // Covers accessToken, refreshToken, etc. + 'apikey', + 'token', 'secret', 'password', 'kimimoonshotrefreshtoken', + 'auth', + 'key', + 'credential', ]; The SENSITIVE_KEYWORDS array should include more comprehensive patterns to catch all potential sensitive information. Currently, it might miss some common sensitive data patterns like 'auth', 'key', 'credential', etc. src/background/index.mjs [60-66] const SENSITIVE_KEYWORDS = [ 'apikey', // Covers apiKey, customApiKey, claudeApiKey, etc. 'token', // Covers accessToken, refreshToken, etc. 'secret', 'password', 'kimimoonshotrefreshtoken', + 'auth', // Covers authorization, oauth, etc. + 'key', // Catches generic keys + 'credential', ]; `[Suggestion processed]` Suggestion importance[1-10]: 6 __ Why: Adding more comprehensive keywords like `auth`, `key`, and `credential` would improve the security redaction function, though the current implementation already covers the most common patterns.	Low
	✅ ~~Improve cross-browser compatibility~~ Suggestion Impact: The commit implemented a robust fallback mechanism for the Browser.sidePanel API by adding chrome.sidePanel as a fallback option, along with better error handling and checking if functions exist before calling them. code diff: Browser.tabs.onUpdated.addListener(async (tabId, info, tab) => { + const outerTryCatchError = (error) => { // Renamed to avoid conflict with inner error + console.error('[background] Error in tabs.onUpdated listener callback (outer):', error, tabId, info); + }; try { - // Refined condition: Ensure URL exists and tab loading is complete. if (!tab.url \|\| (info.status && info.status !== 'complete')) { console.debug( `[background] Skipping side panel update for tabId: ${tabId}. Tab URL: ${tab.url}, Info Status: ${info.status}`, - ) - return + ); + return; } console.debug( `[background] tabs.onUpdated event for tabId: ${tabId}, status: ${info.status}, url: ${tab.url}. Proceeding with side panel update.`, - ) - // Use Browser.sidePanel from webextension-polyfill for consistency and cross-browser compatibility - if (Browser.sidePanel) { - await Browser.sidePanel.setOptions({ - tabId, - pat...

coderabbitai

Actionable comments posted: 3

🧹 Nitpick comments (3)

src/background/index.mjs (1)
433-439: Returning {} on failure drops request headers

If an exception occurs we currently return an empty object, which strips all headers and can break the request:
-        return {} // Return empty object or original headers on error?
+        return { requestHeaders: details.requestHeaders }
src/content-script/index.jsx (2)
622-627: Dead code triggers “defined but never used” lint warning

prepareForForegroundRequests is kept as a no-op placeholder but still defined.
Either delete it or export it for tests to silence the linter.

🧰 Tools

🪛 GitHub Check: tests

[failure] 622-622:
'prepareForForegroundRequests' is defined but never used

878-916: Risk of multiple registerPortListener registrations

registerPortListener is invoked every page load; if the script is injected twice (e.g. SPA navigation) duplicate listeners will accumulate.

Guard with a module-level flag:
+if (!window.__chatgptboxPortListenerRegistered) {
   registerPortListener(…)
+  window.__chatgptboxPortListenerRegistered = true
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 705e961 and cc2b4fe.

📒 Files selected for processing (2)

src/background/index.mjs (2 hunks)
src/content-script/index.jsx (2 hunks)

🧰 Additional context used

🪛 Biome (1.9.4)

src/background/index.mjs

[error] 380-380: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 459-459: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

src/content-script/index.jsx

[error] 265-265: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 326-326: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 367-367: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 410-410: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 530-530: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 581-581: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 610-610: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

🪛 GitHub Check: tests

src/background/index.mjs

[failure] 460-460:
'chrome' is not defined

src/content-script/index.jsx

[failure] 622-622:
'prepareForForegroundRequests' is defined but never used

🪛 GitHub Actions: pr-tests

src/background/index.mjs

[error] 460-460: ESLint: 'chrome' is not defined. (no-undef)

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (4)

src/background/index.mjs (4)
72-88: ⚠️ Potential issue

Proxy reconnection still risks infinite recursion & listener leaks

proxyOnDisconnect invokes setPortProxy unconditionally and immediately, without:

Removing the listeners attached to the previous proxy port.

Capping the retry count / adding back-off delay.

The exact same concerns were raised in the previous review but remain unaddressed.
Leaving this as-is can snow-ball into dozens of lingering listeners and a tight retry loop on a flapping tab.
See the earlier suggestion for a bounded retry counter + exponential back-off.

103-104: ⚠️ Potential issue

Sensitive configuration is still dumped to the console

console.debug('[background] Full config details:', config) will happily print API keys, custom URLs and tokens.
The prior review already flagged this leakage – please remove or redact before shipping.
-  console.debug('[background] Full config details:', config)
+  // Avoid leaking secrets – only log non-sensitive fields
+  console.debug('[background] Config loaded. modelName:', config.modelName)
432-439: 🛠️ Refactor suggestion

Returning {} on error strips all request headers

If an exception bubbles up we return an empty object, which drops every header and can break the request completely.
Safer fall-back: return the original headers so the request proceeds unchanged.
-        return {} // Return empty object or original headers on error?
+        return { requestHeaders: details.requestHeaders }
458-459: ⚠️ Potential issue

chrome global is still unguarded – breaks Firefox & eslint

Accessing chrome.sidePanel without a typeof chrome !== 'undefined' guard triggers no-undef and fails on Firefox where chrome is absent.
-      if (chrome && chrome.sidePanel) {
+      if (typeof chrome !== 'undefined' && chrome?.sidePanel) {
🧰 Tools

🪛 Biome (1.9.4)

[error] 458-458: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc2b4fe and 3191f53.

📒 Files selected for processing (4)

.eslintrc.json (1 hunks)
package.json (1 hunks)
src/background/index.mjs (2 hunks)
src/content-script/index.jsx (1 hunks)

✅ Files skipped from review due to trivial changes (2)

.eslintrc.json
package.json

🧰 Additional context used

🪛 Biome (1.9.4)

src/background/index.mjs

[error] 380-380: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 458-458: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

src/content-script/index.jsx

[error] 265-265: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 326-326: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 367-367: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 410-410: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 530-530: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 581-581: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 610-610: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

coderabbitai

Actionable comments posted: 2

♻️ Duplicate comments (2)

src/background/index.mjs (1)
545-556: ⚠️ Potential issue

Chrome global usage still present despite past review feedback.

This code still uses the unguarded chrome global that was flagged in previous reviews as causing ESLint errors and Firefox compatibility issues.

The pipeline error persists due to unguarded chrome usage. Apply the fix from the past review:
-// eslint-disable-next-line no-undef
-if (chrome && chrome.sidePanel) {
-  // eslint-disable-next-line no-undef
-  await chrome.sidePanel.setOptions({
+if (typeof chrome !== 'undefined' && chrome?.sidePanel) {
+  await chrome.sidePanel.setOptions({
     tabId,
     path: 'IndependentPanel.html',
     enabled: true,
   })
-  console.debug(`[background] Side panel options set for tab ${tabId} using chrome.sidePanel`)
+  console.debug(`[background] Side panel options set for tab ${tabId} using chrome.sidePanel`)
 } else {
-  console.debug('[background] chrome.sidePanel API also not available.')
+  console.debug('[background] chrome.sidePanel API also not available.')
 }
🧰 Tools

🪛 Biome (1.9.4)

[error] 546-546: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)
src/content-script/index.jsx (1)

719-758: 🛠️ Refactor suggestion

Kimi token polling has the same race condition issue.

The same timeout/polling race condition exists in the Kimi refresh token logic.

Apply the same cleanup pattern as suggested for the Claude session key polling logic above.

🧹 Nitpick comments (5)

src/background/index.mjs (3)
64-69: Previous listener cleanup logic has improved but could be more robust.

The cleanup logic for old listeners is better than before, but there's still a potential issue: if port._proxyOnMessage or port._proxyOnDisconnect are undefined, the removeListener calls will silently fail rather than throwing the expected error that the try-catch handles.

Consider checking for listener existence before removal:
 if (port.proxy) {
     try {
-        if (port._proxyOnMessage) port.proxy.onMessage.removeListener(port._proxyOnMessage);
-        if (port._proxyOnDisconnect) port.proxy.onDisconnect.removeListener(port._proxyOnDisconnect);
+        if (port._proxyOnMessage && port.proxy.onMessage.hasListener?.(port._proxyOnMessage)) {
+            port.proxy.onMessage.removeListener(port._proxyOnMessage);
+        }
+        if (port._proxyOnDisconnect && port.proxy.onDisconnect.hasListener?.(port._proxyOnDisconnect)) {
+            port.proxy.onDisconnect.removeListener(port._proxyOnDisconnect);
+        }
     } catch(e) {
93-124: Exponential backoff implementation is well-designed but could benefit from configuration.

The reconnection logic with exponential backoff and retry limits addresses the infinite loop concerns from past reviews effectively. The implementation is solid with proper cleanup and error handling.

Consider making the retry configuration more visible:
+const RECONNECT_CONFIG = {
+  MAX_ATTEMPTS: 5,
+  BASE_DELAY_MS: 1000,
+  BACKOFF_MULTIPLIER: 2
+};
+
-const MAX_RECONNECT_ATTEMPTS = 5;
+const MAX_RECONNECT_ATTEMPTS = RECONNECT_CONFIG.MAX_ATTEMPTS;
...
-const delay = Math.pow(2, port._reconnectAttempts - 1) * 1000;
+const delay = Math.pow(RECONNECT_CONFIG.BACKOFF_MULTIPLIER, port._reconnectAttempts - 1) * RECONNECT_CONFIG.BASE_DELAY_MS;
488-503: Header modification logic is correct but could use optional chaining.

The header modification logic is functionally correct, but Biome suggests using optional chaining for cleaner code.

Apply the static analysis suggestion:
-for (let i = 0; i < headers.length; i++) {
-  if (headers[i].name.toLowerCase() === 'origin') {
+for (let i = 0; i < headers?.length; i++) {
+  if (headers[i]?.name?.toLowerCase() === 'origin') {
     headers[i].value = 'https://www.bing.com'
     modified = true
-  } else if (headers[i].name.toLowerCase() === 'referer') {
+  } else if (headers[i]?.name?.toLowerCase() === 'referer') {
     headers[i].value = 'https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx'
     modified = true
   }
 }
src/content-script/index.jsx (2)
264-276: Selection element containment check could use optional chaining.

The logic is correct but could benefit from the optional chaining suggested by static analysis tools.
-if (toolbarContainer && toolbarContainer.contains(e.target)) {
+if (toolbarContainer?.contains(e.target)) {
   console.debug('[content] Mouseup inside toolbar, ignoring.')
   return
 }
 const selectionElement =
   window.getSelection()?.rangeCount > 0 &&
   window.getSelection()?.getRangeAt(0).endContainer.parentElement
-if (toolbarContainer && selectionElement && toolbarContainer.contains(selectionElement)) {
+if (toolbarContainer?.contains(selectionElement)) {
   console.debug('[content] Mouseup selection is inside toolbar, ignoring.')
   return
 }
🧰 Tools

🪛 Biome (1.9.4)

[error] 265-265: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

810-822: Storage change listener could be more specific.

The storage change listener correctly handles config changes but could be more efficient by checking specific config keys that affect ChatGPT tab state.
-if (areaName === 'local' && (changes.userConfig || changes.config)) {
+if (areaName === 'local' && 
+    (changes.userConfig?.newValue?.modelName !== changes.userConfig?.oldValue?.modelName ||
+     changes.userConfig?.newValue?.apiMode !== changes.userConfig?.oldValue?.apiMode ||
+     changes.config)) {
   console.log(
     '[content] User config changed in storage, re-evaluating ChatGPT tab state.',
   )
   await manageChatGptTabState()
 }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3191f53 and d174940.

📒 Files selected for processing (2)

src/background/index.mjs (2 hunks)
src/content-script/index.jsx (1 hunks)

🧰 Additional context used

🪛 Biome (1.9.4)

src/background/index.mjs

[error] 169-169: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 452-452: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 546-546: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

src/content-script/index.jsx

[error] 265-265: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 326-326: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 367-367: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 410-410: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 530-530: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 581-581: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 610-610: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

🔇 Additional comments (6)

src/background/index.mjs (2)

450-461: Request body handling uses optional chaining correctly.

The requestBody handling logic properly checks for existence before accessing properties, addressing potential null pointer issues.

🧰 Tools

🪛 Biome (1.9.4)

[error] 452-452: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

566-598: Try-catch blocks for initialization provide good error isolation.

The wrapping of initialization functions (registerPortListener, registerCommands, refreshMenu) in separate try-catch blocks is a good practice for preventing one failure from affecting others.

src/content-script/index.jsx (4)

44-78: Retry logic for element detection is well-implemented.

The retry mechanism with URL change detection prevents infinite loops and provides good user feedback through logging. The logic properly handles the case where elements aren't found after all retries.

862-872: Textarea value vs textContent issue has been properly fixed.

The code now correctly uses input.value instead of input.textContent for the textarea element, which addresses the focus hack issue identified in past reviews.

896-947: Port listener registration logic is well-designed.

The global flag to prevent duplicate port listener registration is a good pattern, and the error handling around the registration is comprehensive.

838-892: ChatGPT tab state management function is well-structured.

The manageChatGptTabState function properly handles the ChatGPT-specific logic with appropriate guards and error handling. The textarea manipulation using value instead of textContent is correctly implemented.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (7)

src/background/index.mjs (3)
497-497: Apply optional chaining as suggested by static analysis.

The code can be simplified using optional chaining to safely access nested properties.
-          if (details.requestBody && details.requestBody.formData) {
+          if (details.requestBody?.formData) {
🧰 Tools

🪛 Biome (1.9.4)

[error] 497-497: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

216-223: Consider reducing log verbosity for production environments.

The extensive debug logging, while helpful for development, may impact performance and expose sensitive information in production environments. Consider implementing log level controls or environment-based logging.
+  const isDebugMode = process.env.NODE_ENV === 'development' || userConfig?.debugMode;
+  
-  console.debug('[background] Full session details (redacted):', redactSensitiveFields(session))
-  console.debug('[background] Full config details (redacted):', redactSensitiveFields(config))
-  if (session.apiMode) {
-    console.debug('[background] Session apiMode details (redacted):', redactSensitiveFields(session.apiMode))
-  }
+  if (isDebugMode) {
+    console.debug('[background] Full session details (redacted):', redactSensitiveFields(session))
+    console.debug('[background] Full config details (redacted):', redactSensitiveFields(config))
+    if (session.apiMode) {
+      console.debug('[background] Session apiMode details (redacted):', redactSensitiveFields(session.apiMode))
+    }
+  }
54-58: Document reconnection configuration constants.

The reconnection constants lack documentation about their purpose and impact on user experience.
+/**
+ * Configuration for exponential backoff reconnection strategy
+ * @constant {Object} RECONNECT_CONFIG
+ * @property {number} MAX_ATTEMPTS - Maximum reconnection attempts before giving up
+ * @property {number} BASE_DELAY_MS - Initial delay between reconnection attempts 
+ * @property {number} BACKOFF_MULTIPLIER - Multiplier for exponential backoff calculation
+ */
 const RECONNECT_CONFIG = {
   MAX_ATTEMPTS: 5,
-  BASE_DELAY_MS: 1000, // Base delay in milliseconds
-  BACKOFF_MULTIPLIER: 2, // Multiplier for exponential backoff
+  BASE_DELAY_MS: 1000,
+  BACKOFF_MULTIPLIER: 2,
 };
src/content-script/index.jsx (4)
529-529: Apply optional chaining as suggested by static analysis.

The nested property access can be simplified using optional chaining.
-        if (siteAdapterAction && siteAdapterAction.init) {
+        if (siteAdapterAction?.init) {
🧰 Tools

🪛 Biome (1.9.4)

[error] 529-529: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

580-580: Apply optional chaining as suggested by static analysis.

The property access can be simplified using optional chaining.
-        if (preElement && preElement.textContent) {
+        if (preElement?.textContent) {
🧰 Tools

🪛 Biome (1.9.4)

[error] 580-580: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

609-609: Apply optional chaining as suggested by static analysis.

The nested property access can be simplified using optional chaining.
-    if (data && data.accessToken) {
+    if (data?.accessToken) {
🧰 Tools

🪛 Biome (1.9.4)

[error] 609-609: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

38-41: Consider reducing debug log verbosity in production.

Similar to the background script, the extensive debug logging may impact performance in production environments. Consider implementing environment-based logging controls.
+  const isDebugMode = process.env.NODE_ENV === 'development';
+  
-  console.debug('[content] mountComponent called with siteConfig:', siteConfig)
+  if (isDebugMode) {
+    console.debug('[content] mountComponent called with siteConfig:', siteConfig)
+  }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d174940 and a986d2e.

📒 Files selected for processing (2)

src/background/index.mjs (2 hunks)
src/content-script/index.jsx (1 hunks)

🧰 Additional context used

🪛 Biome (1.9.4)

src/background/index.mjs

[error] 497-497: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

src/content-script/index.jsx

[error] 529-529: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 580-580: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

[error] 609-609: Change to an optional chain.

Unsafe fix: Change to an optional chain.

(lint/complexity/useOptionalChain)

🔇 Additional comments (5)

src/background/index.mjs (1)

108-213: Excellent error handling and reconnection logic implementation.

The setPortProxy function demonstrates comprehensive error handling with proper listener cleanup, exponential backoff, and detailed logging. The implementation correctly addresses the infinite reconnection loop issues identified in previous reviews.

src/content-script/index.jsx (4)

44-79: Robust retry logic with proper URL change detection.

The retry mechanism for element detection is well-implemented with proper checks for URL changes during retries, preventing unnecessary work when navigation occurs.

655-697: Excellent promise timeout cleanup implementation.

The Claude session key polling logic properly addresses the memory leak issues identified in previous reviews with proper cleanup of both timers and settled promise protection.

861-873: Correct textarea value manipulation.

The code correctly uses the value property instead of textContent for textarea elements, addressing the issue identified in previous reviews.

895-946: Well-designed global port listener registration.

The port listener registration includes proper guards to prevent duplicate registration and comprehensive error handling for the ChatGPT Web model processing.

coderabbitai

Actionable comments posted: 0

♻️ Duplicate comments (1)

src/background/index.mjs (1)
658-673: Chrome global usage still needs proper guarding despite ESLint disable.

While the ESLint disable comment addresses the linting error, the code still has the underlying compatibility issue with Firefox. The chrome global should be properly guarded.

The existing review comment about this issue is still valid. Replace the ESLint disable approach with proper runtime checking:
-      if (!sidePanelSet) {
-        // eslint-disable-next-line no-undef
-        if (typeof chrome !== 'undefined' && chrome.sidePanel && typeof chrome.sidePanel.setOptions === 'function') {
+      if (!sidePanelSet && typeof chrome !== 'undefined' && chrome?.sidePanel?.setOptions) {

🧹 Nitpick comments (3)

src/background/index.mjs (1)

76-133: Review the redactSensitiveFields function for potential edge cases and optimization.

The function has good protection against circular references and deep recursion, but there are a few potential issues:

The seen WeakSet is passed by reference through recursive calls, which could cause issues if the same object appears in different branches of the recursion tree.
String value checking in arrays (lines 96-104) iterates through all sensitive keywords for every string, which could be inefficient for large arrays.

Consider these optimizations:

function redactSensitiveFields(obj, recursionDepth = 0, maxDepth = 5, seen = new WeakSet()) {
  if (recursionDepth > maxDepth) {
    return 'REDACTED_TOO_DEEP';
  }
  if (obj === null || typeof obj !== 'object') {
    return obj;
  }

  if (seen.has(obj)) {
    return 'REDACTED_CIRCULAR_REFERENCE';
  }
  seen.add(obj);

+  // Pre-compile sensitive keyword regex for better performance
+  const sensitiveRegex = new RegExp(SENSITIVE_KEYWORDS.join('|'), 'i');
+  
+  const checkSensitive = (str) => sensitiveRegex.test(str.toLowerCase());

  if (Array.isArray(obj)) {
    const redactedArray = [];
    for (let i = 0; i < obj.length; i++) {
      const item = obj[i];
      if (item !== null && typeof item === 'object') {
        redactedArray[i] = redactSensitiveFields(item, recursionDepth + 1, maxDepth, seen);
      } else if (typeof item === 'string') {
-        let isItemSensitive = false;
-        const lowerItem = item.toLowerCase();
-        for (const keyword of SENSITIVE_KEYWORDS) {
-          if (lowerItem.includes(keyword)) {
-            isItemSensitive = true;
-            break;
-          }
-        }
-        redactedArray[i] = isItemSensitive ? 'REDACTED' : item;
+        redactedArray[i] = checkSensitive(item) ? 'REDACTED' : item;
      } else {
        redactedArray[i] = item;
      }
    }
+    seen.delete(obj); // Clean up after processing
    return redactedArray;
  } else {
    const redactedObj = {};
    for (const key in obj) {
      if (Object.prototype.hasOwnProperty.call(obj, key)) {
        const lowerKey = key.toLowerCase();
-        let isKeySensitive = false;
-        for (const keyword of SENSITIVE_KEYWORDS) {
-          if (lowerKey.includes(keyword)) {
-            isKeySensitive = true;
-            break;
-          }
-        }
-        if (isKeySensitive) {
+        if (checkSensitive(key)) {
          redactedObj[key] = 'REDACTED';
        } else if (obj[key] !== null && typeof obj[key] === 'object') {
          redactedObj[key] = redactSensitiveFields(obj[key], recursionDepth + 1, maxDepth, seen);
        } else {
          redactedObj[key] = obj[key];
        }
      }
    }
+    seen.delete(obj); // Clean up after processing
    return redactedObj;
  }
}

src/content-script/index.jsx (2)

37-79: Retry mechanism in mountComponent could be optimized.

The retry loop is well-implemented but could benefit from early termination on certain conditions and better performance:

async function mountComponent(siteConfig) {
  console.debug('[content] mountComponent called with siteConfig:', siteConfig)
  try {
    const userConfig = await getUserConfig()
    console.debug('[content] User config in mountComponent:', userConfig)

    if (!userConfig.alwaysFloatingSidebar) {
      const retry = 10
      let oldUrl = location.href
      let elementFound = false
+      const selectors = [
+        ...(siteConfig ? [siteConfig.sidebarContainerQuery, siteConfig.appendContainerQuery, siteConfig.resultsContainerQuery].filter(Boolean) : []),
+        userConfig.prependQuery,
+        userConfig.appendQuery
+      ].filter(Boolean);
+      
      for (let i = 1; i <= retry; i++) {
        console.debug(`[content] mountComponent retry ${i}/${retry} for element detection.`)
        if (location.href !== oldUrl) {
          console.log('[content] URL changed during retry, stopping mountComponent.')
          return
        }
-        const e =
-          (siteConfig &&
-            (getPossibleElementByQuerySelector(siteConfig.sidebarContainerQuery) ||
-              getPossibleElementByQuerySelector(siteConfig.appendContainerQuery) ||
-              getPossibleElementByQuerySelector(siteConfig.resultsContainerQuery))) ||
-          getPossibleElementByQuerySelector([userConfig.prependQuery]) ||
-          getPossibleElementByQuerySelector([userConfig.appendQuery])
+        const e = getPossibleElementByQuerySelector(selectors);
        if (e) {
          console.log('[content] Element found for mounting component:', e)
          elementFound = true
          break
        } else {
          console.debug(`[content] Element not found on retry ${i}.`)
          if (i === retry) {
            console.warn('[content] Element not found after all retries for mountComponent.')
            return
          }
-          await new Promise((r) => setTimeout(r, 500))
+          // Progressive delay: 500ms, 750ms, 1000ms, etc.
+          await new Promise((r) => setTimeout(r, 500 + (i - 1) * 250))
        }
      }

721-770: Duplicate polling logic for Kimi token - consider extracting to utility function.

The Kimi refresh token polling logic is nearly identical to the Claude session key polling, leading to code duplication.

Consider extracting the polling logic into a reusable utility function:

async function pollForCondition(conditionFn, options = {}) {
  const {
    interval = 500,
    timeout = 30000,
    errorHandler = null,
    onSuccess = null
  } = options;
  
  let promiseSettled = false;
  let timerId = null;
  let timeoutId = null;
  
  const cleanup = () => {
    if (timerId) clearInterval(timerId);
    if (timeoutId) clearTimeout(timeoutId);
  };

  return new Promise((resolve, reject) => {
    timerId = setInterval(async () => {
      if (promiseSettled) {
        cleanup();
        return;
      }
      
      try {
        const result = await conditionFn();
        if (result) {
          if (!promiseSettled) {
            promiseSettled = true;
            cleanup();
            if (onSuccess) await onSuccess(result);
            resolve(result);
          }
        }
      } catch (err) {
        if (errorHandler && await errorHandler(err) && !promiseSettled) {
          promiseSettled = true;
          cleanup();
          reject(err);
        }
      }
    }, interval);

    timeoutId = setTimeout(() => {
      if (!promiseSettled) {
        promiseSettled = true;
        cleanup();
        reject(new Error('Polling timeout exceeded'));
      }
    }, timeout);
  }).catch((err) => {
    cleanup();
    throw err;
  });
}

Then use it for both Claude and Kimi polling.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0b5e7a4 and 3fbed97.

📒 Files selected for processing (3)

.eslintrc.json (1 hunks)
src/background/index.mjs (2 hunks)
src/content-script/index.jsx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

.eslintrc.json

🔇 Additional comments (5)

src/background/index.mjs (2)

135-259: LGTM! The setPortProxy function addresses previous infinite loop concerns.

The extensive rewrite successfully addresses the past review comments about infinite reconnect loops and listener leaks by:

Implementing proper retry limits with exponential backoff

Cleaning up old listeners before adding new ones

Using named listener functions stored on the port object for easier removal

Comprehensive error handling with try-catch blocks around cleanup operations

The reconnection logic is now robust and prevents resource leaks.

271-391: Enhanced executeApi function improves observability and error handling.

The additions provide excellent debugging capabilities with redacted logging and comprehensive model support. The error handling ensures that failures are properly communicated back to the caller.
src/content-script/index.jsx (3)

868-887: Textarea manipulation logic addresses previous textContent issue.

The fix correctly uses the value property instead of textContent for textarea elements, which resolves the previous issue where the focus hack wasn't working properly.

903-954: Global port listener registration is well-structured.

The approach of moving the port listener registration outside the run function and using a global flag to prevent duplicate registration is a good design pattern. The comprehensive error handling ensures robustness.

651-698: 🛠️ Refactor suggestion

Potential cleanup issue in Claude session key polling.

The promise polling logic has improved cleanup but there's still a potential race condition where the cleanup function might not be called if an exception occurs during the interval callback.
          await new Promise((resolve, reject) => {
            timerId = setInterval(async () => {
              if (promiseSettled) {
                console.warn('[content] Promise already settled but Claude interval still running. This indicates a potential cleanup issue.');
                cleanup()
                return
              }
              try {
                claudeSession = await getClaudeSessionKey()
                if (claudeSession) {
                  if (!promiseSettled) {
                    promiseSettled = true
                    cleanup()
                    console.log('[content] Claude session key found after waiting.')
                    resolve()
                  }
                }
              } catch (err) {
                console.error('[content] Error polling for Claude session key:', err)
                const errMsg = err.message.toLowerCase();
                if ((errMsg.includes('network') || errMsg.includes('permission')) && !promiseSettled) {
                  promiseSettled = true;
                  cleanup();
                  reject(new Error(`Failed to get Claude session key due to: ${err.message}`));
+                } else if (!promiseSettled) {
+                  // For non-critical errors, continue polling but log the issue
+                  console.debug('[content] Non-critical error in Claude polling, continuing...');
                }
              }
            }, 500)

            timeoutId = setTimeout(() => {
              if (!promiseSettled) {
                promiseSettled = true
                cleanup()
                console.warn('[content] Timed out waiting for Claude session key.')
                reject(new Error('Timed out waiting for Claude session key.'))
              }
            }, 30000)
-          }).catch((err) => {
+          })
+          .catch((err) => {
+            // Ensure cleanup happens even if promise chain fails
+            cleanup();
            console.error('[content] Failed to get Claude session key for jump back notification:', err)
            return
          })
Likely an incorrect or invalid review comment.

PeterDaveHello · 2025-06-08T09:31:54Z

@coderabbitai review

coderabbitai · 2025-06-08T09:31:59Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot

Pull Request Overview

This PR enhances the extension’s stability and robustness by improving error handling, logging, and development tooling.

Updated ESLint commands in package.json to use npx, ensuring the local version of ESLint is used.
Modified ESLint configuration by adding webextensions support and Node-specific overrides for build and script files.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
package.json	Updated lint commands to use npx for consistent, local dependency usage.
.eslintrc.json	Added the webextensions environment and Node overrides to better target files.

Comments suppressed due to low confidence (2)

package.json:8

Using 'npx' ensures that the project's local ESLint version is used. Consider updating the development documentation to note that npx is required to run these lint commands.

"lint": "npx eslint --ext .js,.mjs,.jsx .",

.eslintrc.json:8

[nitpick] Review the Node-specific override configuration to ensure it aligns with the intended setup for build and script files. It might be helpful to document how these overrides interact with the base config.

"overrides": [

PeterDaveHello · 2025-06-08T17:49:30Z

@coderabbitai review

coderabbitai · 2025-06-08T17:49:41Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-02-15T18:14:06Z

+      } catch (e) {
+        console.warn(
+          '[background] Error removing old listeners from previous port.proxy instance:',
+          e,
+        )


When switching/recreating port.proxy, the old proxy port is only detached from listeners but never disconnected. If setPortProxy is called multiple times (e.g., when chatgptTabId changes or reconnect logic runs), this can leave orphaned Port connections alive in the target tab and waste resources. Consider explicitly calling port.proxy.disconnect() (in a try/catch) before overwriting it, and then nulling out the reference once disconnected.

Suggested change

} catch (e) {

console.warn(

'[background] Error removing old listeners from previous port.proxy instance:',

e,

)

if (typeof port.proxy.disconnect === 'function') {

port.proxy.disconnect()

}

} catch (e) {

console.warn(

'[background] Error cleaning up previous port.proxy instance:',

e,

)

} finally {

port.proxy = null

Copilot · 2026-02-15T18:14:07Z

+  console.log(
+    `[background] executeApi called for model: ${session.modelName}, apiMode: ${session.apiMode}`,
+  )
+  const redactedSession = redactSensitiveFields(session)
+  const redactedConfig = redactSensitiveFields(config)
+  console.debug('[background] Full session details (redacted):', redactedSession)
+  console.debug('[background] Full config details (redacted):', redactedConfig)


redactSensitiveFields does not treat user prompt fields (e.g., question, prompt, selectionText) as sensitive, so the redacted session/config logs can still include the full user query/prompt text. This can inadvertently expose user content in extension logs. Consider expanding the sensitive-keyword list (or doing field-specific redaction) so prompts/questions are either omitted or replaced with length/summary metadata.

Copilot · 2026-02-15T18:14:07Z

+        const preferredLanguage = await getPreferredLanguage()
+        const replyPromptBelow = `Reply in ${preferredLanguage}. Regardless of the language of content I provide below. !!This is very important!!`
+        const replyPromptAbove = `Reply in ${preferredLanguage}. Regardless of the language of content I provide above. !!This is very important!!`
+        const result = `${replyPromptBelow}\n\n${input}\n\n${replyPromptAbove}`
+        console.debug('[content] getInput from function result:', result)
+        return result


This debug log prints the full generated prompt (including the user’s input/query text) to the console. That can leak sensitive user content into extension logs and can also be extremely large. Consider logging only non-sensitive metadata (e.g., whether input was found + character count) or gating the full prompt behind an explicit dev/debug flag.

Copilot · 2026-02-15T18:14:07Z

+            .trim()
+            .replace(/^-+|-+$/g, '')
+          if (selection) {
+            console.debug('[content] Text selected:', selection)


This debug log prints the full selected text from the page into the console. Selections often contain sensitive data (emails, keys, private text). Consider logging only that a selection occurred and its length, or removing the raw selection from logs to avoid accidental disclosure.

Suggested change

console.debug('[content] Text selected:', selection)

const selectionLength = selection.length

console.debug('[content] Text selected. Length:', selectionLength)

chatgpt-codex-connector · 2026-02-15T18:16:24Z

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

PeterDaveHello · 2026-02-15T19:29:52Z

@codex review

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-02-15T19:35:18Z

+const createSelectionTools = async (toolbarContainerElement, selection) => {
+  console.debug(
+    '[content] createSelectionTools called with selection:',
+    selection,
+    'and container:',
+    toolbarContainerElement,
  )


createSelectionTools logs the full selected text to the console. Selected text can be sensitive (passwords, emails, private content), so logging it verbatim is a privacy risk. Prefer logging only selection length or a redacted/truncated preview behind a debug flag.

Copilot · 2026-02-15T19:35:18Z

+          const selection = window
+            .getSelection()
+            ?.toString()
+            .trim()
+            .replace(/^-+|-+$/g, '')
+          if (selection) {
+            console.debug('[content] Text selected via touch:', selection)
+            const touch = e.changedTouches[0]
+            toolbarContainer = createElementAtPosition(touch.pageX + 20, touch.pageY + 20)
+            await createSelectionTools(toolbarContainer, selection)
+          } else {


This debug statement logs the full touch-selected text (selection) to the console. Since this can contain private user content, avoid logging it verbatim; log only length/metadata or redact/truncate behind an explicit debug setting.

Copilot · 2026-02-15T19:35:19Z

+      console.log('[content] Received CREATE_CHAT message:', message)
+      try {
+        const data = message.data
+        let prompt = ''
+        if (data.itemId in toolsConfig) {
+          console.debug('[content] Generating prompt from toolsConfig for item:', data.itemId)
+          prompt = await toolsConfig[data.itemId].genPrompt(data.selectionText)
+        } else if (data.itemId in menuConfig) {
+          console.debug('[content] Generating prompt from menuConfig for item:', data.itemId)
+          const menuItem = menuConfig[data.itemId]
+          if (!menuItem.genPrompt) {
+            console.warn('[content] No genPrompt for menu item:', data.itemId)
+            return
+          }
+          prompt = await menuItem.genPrompt()
+          if (prompt) {
+            const preferredLanguage = await getPreferredLanguage()
+            prompt = await cropText(`Reply in ${preferredLanguage}.\n` + prompt)
+          }
+        } else {
+          console.warn('[content] Unknown itemId for CREATE_CHAT:', data.itemId)
+          return
+        }
+        console.debug('[content] Generated prompt:', prompt)


The CREATE_CHAT handler logs the full incoming message and the generated prompt. These can include user selection text and other sensitive data. Avoid logging raw prompt/selection content; log only itemId/lengths or redact/truncate, ideally behind a debug flag.

Copilot · 2026-02-15T19:35:19Z

+    port._proxyOnMessage = (msg) => {
+      const redactedMsg = redactSensitiveFields(msg)
+      console.debug('[background] Message from proxy tab (redacted):', redactedMsg)
+      if (port._reconnectAttempts) {


redactSensitiveFields is used before logging proxy messages, but it does not treat response content keys like answer (and potentially body, text, etc.) as sensitive. As a result, console.debug can still print full model outputs / user content to the background console. Consider expanding redaction to include common payload keys (e.g. answer, body, text) or truncating long strings before logging.

Copilot · 2026-02-15T19:35:19Z

+      console.debug('[content] Getting input from siteConfig.inputQuery')
+      question = await getInput(siteConfig.inputQuery)
+    }
+    console.debug('[content] Question for component:', question)


The debug log prints the full derived question prompt content to the console. This can include sensitive user queries/page content and can leak PII in logs. Consider logging only metadata (e.g., presence/length) or gating prompt/selection logging behind an explicit debug flag/config toggle.

Suggested change

console.debug('[content] Question for component:', question)

console.debug(

'[content] Question for component:',

question ? `{present, length=${question.length}}` : 'none',

)

chatgpt-codex-connector · 2026-02-15T19:36:52Z

Codex Review: Didn't find any major issues. Keep them coming!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

PeterDaveHello · 2026-02-15T20:10:21Z

@codex review

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0c6a1098a0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

chatgpt-codex-connector · 2026-02-15T20:17:07Z

+      port._reconnectAttempts = (port._reconnectAttempts || 0) + 1
+      if (port._reconnectAttempts >= RECONNECT_CONFIG.MAX_ATTEMPTS) {


Reset reconnect counter on successful proxy connect

setPortProxy increments port._reconnectAttempts on every proxy disconnect, but it only resets the counter when a message is later received from the proxy. If the ChatGPT tab disconnects/reloads while idle, reconnects can succeed without any incoming message, so the counter keeps growing across otherwise successful reconnects until MAX_ATTEMPTS is hit, after which forwarding is disabled for that still-open conversation port.

Useful? React with 👍 / 👎.

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-02-15T20:17:31Z

+      if (!sidePanelSet) {
+        console.debug('[background] Attempting chrome.sidePanel.setOptions as fallback.')
+        const chromeApi = globalThis.chrome
+        if (chromeApi?.sidePanel && typeof chromeApi.sidePanel.setOptions === 'function') {
+          try {
+            await chromeApi.sidePanel.setOptions({
+              tabId,
+              path: 'IndependentPanel.html',
+              enabled: true,
+            })
+            console.debug(
+              `[background] Side panel options set for tab ${tabId} using chrome.sidePanel`,
+            )
+            sidePanelSet = true
+          } catch (chromeError) {
+            console.error(
+              '[background] chrome.sidePanel.setOptions also failed:',
+              chromeError.message,
+            )
+          }
+        }


The Browser.sidePanel and chrome.sidePanel fallback logic attempts to handle cross-browser compatibility, but accessing globalThis.chrome directly without checking if it's defined could throw errors in non-Chrome browsers. While the try-catch will handle it, this approach is fragile. Consider checking for API availability before attempting to use it, or use feature detection consistently.

Copilot · 2026-02-15T20:17:31Z

+function ensureChatGptPortListenerRegistered() {
+  if (chatGPTBoxPortListenerRegistered) {
+    console.log('[content] Port listener already registered, skipping.')
+    return
+  }
+
+  if (location.hostname !== 'chatgpt.com' || location.pathname === '/auth/login') {
+    console.debug(
+      '[content] Not on chatgpt.com or on login page, skipping port listener registration.',
+    )
    return
  }

-  const url = new URL(window.location.href)
-  if (url.searchParams.has('chatgptbox_notification')) {
-    if (location.hostname === 'claude.ai' && !(await getClaudeSessionKey())) {
-      console.log('claude not logged in')
-
-      await new Promise((resolve) => {
-        const timer = setInterval(async () => {
-          const token = await getClaudeSessionKey()
-          if (token) {
-            clearInterval(timer)
-            resolve()
+  try {
+    console.log('[content] Attempting to register port listener for chatgpt.com.')
+    registerPortListener(async (session, port) => {
+      console.debug(
+        `[content] Port listener callback triggered. Session model: ${session?.modelName}, Port: ${port.name}`,
+      )
+      try {
+        if (isUsingChatgptWebModel(session)) {
+          console.log(
+            '[content] Session is for ChatGPT Web Model, processing request for question:',
+            session.question,
+          )
+          const accessToken = await getChatGptAccessToken()
+          if (!accessToken) {
+            console.warn('[content] No ChatGPT access token available for web API call.')
+            port.postMessage({ error: 'Missing ChatGPT access token.' })
+            return
          }
-        }, 500)
+          await generateAnswersWithChatgptWebApi(port, session.question, session, accessToken)
+          console.log('[content] generateAnswersWithChatgptWebApi call completed.')
+        } else {
+          console.debug(
+            '[content] Session is not for ChatGPT Web Model, skipping processing in this listener.',
+          )
+        }
+      } catch (e) {
+        console.error('[content] Error in port listener callback:', e, 'Session:', session)
+        try {
+          port.postMessage({
+            error: e.message || 'An unexpected error occurred in content script port listener.',
+          })
+        } catch (postError) {
+          console.error('[content] Error sending error message back via port:', postError)
+        }
+      }
+    })
+    console.log('[content] Generic port listener registered successfully for chatgpt.com pages.')
+    chatGPTBoxPortListenerRegistered = true
+  } catch (error) {
+    console.error('[content] Error registering global port listener:', error)
+  }
+}
+
+async function run() {
+  console.log('[content] Script run started.')
+  try {
+    ensureChatGptPortListenerRegistered()


The ensureChatGptPortListenerRegistered function is called in the run() function, but it doesn't guarantee that the port listener is registered before manageChatGptTabState sends the SET_CHATGPT_TAB message. If there's any delay or error in registering the port listener, the background script might set the chatgptTabId but no listener would be ready to handle messages from that tab. Consider awaiting the port listener registration or handling this race condition explicitly.

Copilot · 2026-02-15T20:17:32Z

+    if (toolbarContainer && toolbarContainer.className === 'chatgptbox-toolbar-container') {
+      console.debug('[content] Deleting toolbar:', toolbarContainer)
+      toolbarContainer.remove()
+      toolbarContainer = null


Line 232 sets toolbarContainer = null after removal, but the deleteToolbar function is called from multiple places including event listeners that may have already captured the toolbarContainer reference. This could lead to cases where the local reference in an event handler still points to the removed element while the module-level variable is null, causing inconsistent state. Consider whether this nullification is necessary or if it should be handled differently.

Suggested change

toolbarContainer = null

Copilot · 2026-02-15T20:17:32Z

+async function manageChatGptTabState() {
+  if (manageChatGptTabStatePromise) {
+    console.debug('[content] manageChatGptTabState already running, waiting for in-flight call.')
+    return manageChatGptTabStatePromise
+  }

-  await overwriteAccessToken()
-  await prepareForForegroundRequests()
+  manageChatGptTabStatePromise = (async () => {
+    console.debug('[content] manageChatGptTabState called. Current location:', location.href)
+    try {
+      if (location.hostname !== 'chatgpt.com' || location.pathname === '/auth/login') {
+        console.debug(
+          '[content] Not on main chatgpt.com page, skipping manageChatGptTabState logic.',
+        )
+        return
+      }
+
+      const userConfig = await getUserConfig()
+      const isThisTabDesignatedForChatGptWeb = chatgptWebModelKeys.some((model) =>
+        getApiModesStringArrayFromConfig(userConfig, true).includes(model),
+      )
+      console.debug(
+        '[content] Is this tab designated for ChatGPT Web:',
+        isThisTabDesignatedForChatGptWeb,
+      )
+
+      if (isThisTabDesignatedForChatGptWeb) {
+        if (location.pathname === '/') {
+          console.debug('[content] On chatgpt.com root path.')
+          const input = document.querySelector('#prompt-textarea')
+          if (!chatGptPromptTextareaPoked && input && input.value === '') {
+            console.log('[content] Manipulating #prompt-textarea for focus.')
+            if (document.activeElement === input) {
+              console.debug('[content] #prompt-textarea already focused; skipping injection.')
+            } else {
+              const injectedValue = ' '
+              chatGptPromptTextareaPoked = true
+              input.value = injectedValue
+              input.dispatchEvent(new Event('input', { bubbles: true }))
+              setTimeout(() => {
+                const currentInput = document.querySelector('#prompt-textarea')
+                if (!currentInput?.isConnected) {
+                  console.warn(
+                    '[content] #prompt-textarea no longer available in setTimeout callback.',
+                  )
+                  return
+                }
+                if (document.activeElement === currentInput) {
+                  console.debug('[content] #prompt-textarea focused; skipping injection cleanup.')
+                  return
+                }
+                if (currentInput.value === injectedValue) {
+                  currentInput.value = ''
+                  currentInput.dispatchEvent(new Event('input', { bubbles: true }))
+                  console.debug('[content] #prompt-textarea manipulation complete.')
+                } else if (currentInput.value.startsWith(injectedValue)) {
+                  currentInput.value = currentInput.value.slice(injectedValue.length)
+                  currentInput.dispatchEvent(new Event('input', { bubbles: true }))
+                  console.debug('[content] Removed injected leading space from #prompt-textarea.')
+                }
+              }, 300)
+            }
+          } else {
+            console.debug(
+              '[content] #prompt-textarea not found, not empty (value: "' +
+                input?.value +
+                '"), or not on root path for manipulation.',
+            )
+          }
+        }
+
+        console.log('[content] Sending SET_CHATGPT_TAB message.')
+        await Browser.runtime.sendMessage({
+          type: 'SET_CHATGPT_TAB',
+          data: {},
+        })
+        console.log('[content] SET_CHATGPT_TAB message sent successfully.')
+      } else {
+        console.log('[content] This tab is NOT configured for ChatGPT Web model processing.')
+      }
+    } catch (error) {
+      console.error('[content] Error in manageChatGptTabState:', error)
+    }
+  })()

-  prepareForSelectionTools()
-  prepareForSelectionToolsTouch()
-  prepareForStaticCard()
-  prepareForRightClickMenu()
-  prepareForJumpBackNotification()
+  try {
+    await manageChatGptTabStatePromise
+  } finally {
+    manageChatGptTabStatePromise = null
+  }


The manageChatGptTabState function uses a promise singleton pattern to prevent concurrent execution, but the promise is stored in a module-level variable. If manageChatGptTabState is called while a previous call is still pending, the second call will await the first call's promise. However, if the first call encounters an error and throws, the second caller will also receive that error even though it might succeed if retried. Consider whether each caller should get independent execution or if error handling should be improved.

Copilot · 2026-02-15T20:17:32Z

+        try {
+          const response = await fetch(validatedUrl, message.data?.init)


The FETCH handler validates that the URL uses http or https protocols, but it doesn't validate or sanitize the init parameter (message.data.init) that's passed directly to fetch(). An attacker could potentially inject malicious headers, credentials, or other fetch options. Consider validating or sanitizing the init parameter, especially the headers, method, and credentials fields.

Copilot · 2026-02-15T20:17:32Z

+    }
+
+    port.proxy.onMessage.addListener(port._proxyOnMessage)
+    port.onMessage.addListener(port._portOnMessage)
+    port.proxy.onDisconnect.addListener(port._proxyOnDisconnect)
+    port.onDisconnect.addListener(port._portOnDisconnect)


The setPortProxy function cleans up and re-establishes listeners every time it's called, but it doesn't check if the listeners were already added. This could lead to duplicate listener registration if setPortProxy is called multiple times with the same proxy connection due to an error scenario. Consider tracking listener registration state to prevent duplicates.

Suggested change

}

port.proxy.onMessage.addListener(port._proxyOnMessage)

port.onMessage.addListener(port._portOnMessage)

port.proxy.onDisconnect.addListener(port._proxyOnDisconnect)

port.onDisconnect.addListener(port._portOnDisconnect)

// Mark proxy listeners as no longer registered after cleanup.

port._proxyListenersRegistered = false

}

// Avoid registering duplicate listeners for the same proxy connection.

if (port._proxyListenersRegistered && port.proxy === proxyRef) {

console.debug(

'[background] Proxy listeners already registered for this connection; skipping re-registration.',

)

} else {

port.proxy.onMessage.addListener(port._proxyOnMessage)

port.onMessage.addListener(port._portOnMessage)

port.proxy.onDisconnect.addListener(port._proxyOnDisconnect)

port.onDisconnect.addListener(port._portOnDisconnect)

port._proxyListenersRegistered = true

}

PeterDaveHello · 2026-02-16T08:13:11Z

@codex review

chatgpt-codex-connector · 2026-02-16T08:20:49Z

Codex Review: Didn't find any major issues. 👍

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Copilot

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-02-16T08:20:54Z

+      port._reconnectAttempts = (port._reconnectAttempts || 0) + 1
+      if (port._reconnectAttempts >= RECONNECT_CONFIG.MAX_ATTEMPTS) {
+        console.error(
+          `[background] Max reconnect attempts (${RECONNECT_CONFIG.MAX_ATTEMPTS}) reached for tab ${proxyTabId}. Giving up.`,
+        )


port._reconnectAttempts is never reset when starting a fresh setPortProxy() connection, and it also isn’t reset after hitting the max-attempts “giving up” path. That means a port that previously exhausted retries can immediately hit the max-attempts branch on the very next disconnect, preventing recovery unless the main port is closed/reopened. Consider resetting _reconnectAttempts when initiating a new explicit connection (e.g. at the top of setPortProxy when proxyTabId changes) and/or when max attempts are reached (so later user-initiated requests can retry).

PeterDaveHello requested a review from Copilot June 7, 2025 14:02

qodo-code-review Bot added the Review effort 4/5 label Jun 7, 2025

This comment was marked as outdated.

Sign in to view

coderabbitai Bot reviewed Jun 7, 2025

View reviewed changes

Comment thread src/background/index.mjs Outdated

Comment thread src/background/index.mjs Outdated

Comment thread src/background/index.mjs Outdated

coderabbitai Bot reviewed Jun 7, 2025

View reviewed changes

Comment thread src/content-script/index.jsx Outdated

PeterDaveHello requested a review from Copilot June 7, 2025 18:19

This comment was marked as outdated.

Sign in to view

coderabbitai Bot reviewed Jun 7, 2025

View reviewed changes

Comment thread src/background/index.mjs Outdated

Comment thread src/content-script/index.jsx Outdated

PeterDaveHello requested a review from Copilot June 7, 2025 19:08

This comment was marked as outdated.

Sign in to view

coderabbitai Bot reviewed Jun 7, 2025

View reviewed changes

PeterDaveHello requested a review from Copilot June 7, 2025 19:31

This comment was marked as outdated.

Sign in to view

PeterDaveHello requested a review from Copilot June 8, 2025 06:19

This comment was marked as outdated.

Sign in to view

coderabbitai Bot reviewed Jun 8, 2025

View reviewed changes

PeterDaveHello requested a review from Copilot June 8, 2025 08:24

This comment was marked as outdated.

Sign in to view

PeterDaveHello requested a review from Copilot June 8, 2025 09:29

This comment was marked as outdated.

Sign in to view

PeterDaveHello requested a review from Copilot June 8, 2025 10:30

Copilot AI reviewed Jun 8, 2025

View reviewed changes

josStorer force-pushed the master branch from 5d81453 to ffad115 Compare July 26, 2025 10:14

Copilot started reviewing on behalf of PeterDaveHello February 15, 2026 18:09 View session

Copilot AI reviewed Feb 15, 2026

View reviewed changes

PeterDaveHello force-pushed the bugfix/general-fixes branch from 98c5f41 to 0cfcb28 Compare February 15, 2026 19:26

PeterDaveHello requested a review from Copilot February 15, 2026 19:30

Copilot started reviewing on behalf of PeterDaveHello February 15, 2026 19:31 View session

Copilot AI reviewed Feb 15, 2026

View reviewed changes

PeterDaveHello force-pushed the bugfix/general-fixes branch from 0cfcb28 to 0c6a109 Compare February 15, 2026 20:10

PeterDaveHello requested a review from Copilot February 15, 2026 20:11

Copilot started reviewing on behalf of PeterDaveHello February 15, 2026 20:11 View session

chatgpt-codex-connector Bot reviewed Feb 15, 2026

View reviewed changes

Copilot AI reviewed Feb 15, 2026

View reviewed changes

PeterDaveHello added 8 commits February 16, 2026 16:01

Improve background script error handling

7b7896d

Improve content script stability

650e565

Authorize GET_COOKIE sender

4804351

Guard custom api mode overrides

0aa0019

Validate GET_COOKIE payload

f5d8d8c

Make static card init non-blocking

96561ec

Guard proxy message forwarding

1ed304a

Validate cookie protocol and header names

d4fe6c0

PeterDaveHello force-pushed the bugfix/general-fixes branch from 0c6a109 to d4fe6c0 Compare February 16, 2026 08:10

PeterDaveHello requested a review from Copilot February 16, 2026 08:13

Copilot AI reviewed Feb 16, 2026

View reviewed changes

This was referenced Feb 28, 2026

Unify OpenAI-compatible providers and custom provider flow #930

Open

test: expand unit test coverage across utils, APIs, and services #934

Merged

	console.debug('[content] Text selected:', selection)
	const selectionLength = selection.length
	console.debug('[content] Text selected. Length:', selectionLength)

		port._reconnectAttempts = (port._reconnectAttempts \|\| 0) + 1
		if (port._reconnectAttempts >= RECONNECT_CONFIG.MAX_ATTEMPTS) {

		try {
		const response = await fetch(validatedUrl, message.data?.init)

Conversation

PeterDaveHello commented Jun 7, 2025 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

User description

Enhanced Logging:

Error Handling Improvements:

Reliability Enhancements:

Code Organization:

PR Type

Description

Changes walkthrough 📝

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Jun 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviews paused

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Poem

Uh oh!

qodo-code-review Bot commented Jun 7, 2025

PR Reviewer Guide 🔍

Uh oh!

This comment was marked as outdated.

Uh oh!

qodo-code-review Bot commented Jun 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

PR Code Suggestions ✨

Previous suggestions

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

This comment was marked as outdated.

Uh oh!

This comment was marked as outdated.

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

This comment was marked as outdated.

Uh oh!

This comment was marked as outdated.

Uh oh!

PeterDaveHello commented Jun 8, 2025

Uh oh!

coderabbitai Bot commented Jun 8, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

PeterDaveHello commented Jun 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented Jun 8, 2025

Uh oh!

Copilot AI left a comment

PeterDaveHello commented Jun 7, 2025 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Jun 7, 2025 •

edited

Loading

qodo-code-review Bot commented Jun 7, 2025 •

edited

Loading

PeterDaveHello commented Jun 8, 2025 •

edited

Loading