Add structured meta-chat workflow with feedback, events, and landing page updates

[kinwo]

Summary

• add a structured meta-chat workflow with task classification, planner/critic passes, and richer message metadata
• add chat feedback and events APIs, storage helpers, and supporting tests for history, sessions, contracts, and tracking
• update the chat UI to show meta state, feedback controls, improved thread handling, and related end-to-end coverage
• refresh the landing page and product docs to reflect the current meta-thinking product direction
• update project configuration and example environment setup to support the new chat and telemetry flow

Testing

• npm run ts-check
• npm run build
• app and route unit tests updated
• e2e coverage updated for landing page and chat flows

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
secondorder-web	Building	Preview, Comment	Mar 28, 2026 10:54pm

[claude]

PR Review

Overall this is a clean, well-scoped addition. A few things worth addressing before merge:

---

Security — securityLevel: 'loose' + dangerouslySetInnerHTML

components/marketing/mermaid-diagram.tsx lines 121, 193

securityLevel: 'loose',   // disables Mermaid's built-in XSS sanitisation
htmlLabels: true,

dangerouslySetInnerHTML={{ __html: svg }}

'loose' turns off Mermaid's HTML sanitisation so that raw HTML in node labels is rendered as-is. That output then goes straight into dangerouslySetInnerHTML. The diagram content here is hardcoded, so there is no immediate XSS risk — but this is a footgun: if MermaidDiagram is ever reused with dynamic or user-supplied content, it becomes an XSS vector.

Recommended fix: use securityLevel: 'strict' (the default) and replace <br/> in the diagram strings with \n or a Mermaid line-break (<br/>). With strict, Mermaid sanitises SVG output before returning it, making dangerouslySetInnerHTML safe for its own rendered output.

---

Bug — hardcoded local absolute paths in docs

docs/architecture-overview.md lines 84–89

- UI: [`app/page.tsx`](/Users/henry/workspace/secondorder-web/app/page.tsx)

These are absolute paths on the author's machine — they will 404 for everyone else on GitHub. Replace with repo-relative paths:

- UI: [`app/page.tsx`](../app/page.tsx)

---

Minor — module-level singleton blocks re-initialisation

components/marketing/mermaid-diagram.tsx line 101

let hasInitializedMermaid = false;

mermaid.initialize() can only be called once per page load with this guard. That is fine for now, but any future need (e.g. dark/light theme switching) would require a more flexible approach. Not blocking, but worth a comment or TODO so the constraint is visible.

---

Minor — magic number for loading placeholder height

components/marketing/mermaid-diagram.tsx line 200

<div className="flex min-h-[420px] items-center justify-center ...">

The hardcoded 420px will cause a layout shift when the rendered diagram is taller or shorter. Consider deriving it from the rendered diagram's natural height, or accepting it as a prop so callers can tune it.

---

Nit — mermaid is a heavy dependency

Mermaid adds roughly 1–2 MB to the JS bundle (minified). The dynamic import('mermaid') is the right call for lazy-loading, but it is worth confirming that Next.js is not accidentally pulling it into the server bundle. A quick check with ANALYZE=true npm run build (if bundle analysis is wired up) would confirm the chunk is client-only.

---

The architecture doc and the landing page section are a nice addition. Fixing the security level and the broken doc links are the main things I would address before merging.