fix: port permission idempotency model to question replies

[omercnet]

Problem

Answering a question prompt after a reconnect, process restart, or rapid double-submit could POST a reply for a request the backend no longer tracks, producing opencode's reply for unknown request warning. The reply was either silently dropped or mis-routed to a fallback (root) target.

Root cause: the question request lifecycle in the UI lacked the idempotency and stale-guard layer that the permission lifecycle already had. It reproduces even with a single root worktree (not primarily a worktree issue).

Fix

Ports the existing permission idempotency model to questions (entirely packages/ui, no opencode core changes):

• New stores/question-replies.ts ledger (markQuestionReplied / hasRepliedQuestion / pruneRepliedQuestions / clearRepliedQuestions) — a structural mirror of permission-replies.ts. No shared abstraction (YAGNI; prune semantics may diverge).
• Reconcile-before-POST: sendQuestionReply / sendQuestionReject check question.list() before POSTing. If the request is no longer pending, the UI surfaces a localized "this prompt expired — send your answer as a message instead" notice rather than POSTing to a fallback. No error-string parsing.
• syncPendingQuestions adopts the full timestamp-based prune + hasRepliedQuestion filter so replied questions are never rehydrated on reconnect.
• Ledger retired only via timestamp prune — never cleared on rehydrateInstance (only on instance removal), so in-flight stale replies can't slip through.
• Stale guards on handleQuestionAsked / handleQuestionAnswered.
• Synchronous double-submit guard at the top of handleQuestionSubmit (Enter + button can no longer both fire).
• New i18n key toolCall.question.errors.expired added to all 7 locales.

Also fixes two pre-existing module-load crashes uncovered while making the UI suite green: client-identity.ts dereferenced window storage before its typeof window guard, and server-events.ts opened an EventSource at module load without a guard. Both minimal and production-safe.

User-visible behavior

• Expired question prompts show a clear "answer as a message" notice instead of failing silently or mis-routing.
• Rapid double-submit can no longer fire two replies.
• Reconnect no longer re-surfaces an already-answered question.

Validation

• UI suite 49/49 pass (bun test --conditions browser)
• UI typecheck clean (tsc --noEmit)
• Rebased on origin/dev (upstream default branch)

[github-actions]

PR builds are available as GitHub Actions artifacts:

https://github.com/NeuralNomadsAI/CodeNomad/actions/runs/26752782315

Artifacts expire in 7 days.
Artifacts:

• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-tauri-linux
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-tauri-windows
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-tauri-macos
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-electron-macos
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-tauri-macos-arm64
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-electron-windows
• pr-515-f7618722fbc94518371e09e8f2f6af5d008579c9-electron-linux

[pascalandr]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Gatekeeper review for latest PR state.

Understood request: review PR #515 ruthlessly for regressions and better implementation options. Assumption: this is a review/check request only; I did not modify code.

Findings

1. Blocking: resolveQuestionReplyClient conflates question.list() failures with “question is absent/expired”.

packages/ui/src/stores/instances.ts:1096-1110

If every candidate client’s question.list() probe throws, the loop logs warnings and returns null. sendQuestionReply / sendQuestionReject then mark the question as replied, remove it from the queue, and surface the expired prompt path at packages/ui/src/stores/instances.ts:1134-1139 and packages/ui/src/stores/instances.ts:1174-1179.

That is a real regression risk: a transient proxy/network/backend error during the reconcile probe can permanently retire an active question without posting the user’s answer. The code comment says a failed lookup is non-authoritative, but the final null path treats total lookup failure as authoritative absence.

Suggested fix: track whether at least one question.list() call completed successfully. Only return null for expired when there was an authoritative successful list and no candidate contained the request. If all probes fail, throw the last/list aggregate error so the existing “unable to reply/dismiss” path keeps the prompt recoverable instead of marking it replied.

2. Test coverage gap: the new tests do not exercise the real client-resolution failure mode.

packages/ui/src/stores/question-stale-guard.test.ts:11-18 states it exercises production lifecycle behavior, but it mirrors guard expressions with local functions instead of driving resolveQuestionReplyClient / sendQuestionReply through mocked clients. That missed the all-list-fail case above. Add a focused unit around the real resolver/send path or extract the resolver behind injectable list/reply operations so the authoritative-absence vs transient-failure behavior is covered.

Quality Notes

The overall design is directionally good: the ledger mirrors the permission model, the synchronous double-submit guard is in the right place, the i18n key is present in all configured locales, and the browser-only guards in client-identity.ts / server-events.ts are minimal and sensible.

I would not broaden this PR into full multi-worktree enumeration unless required; the current bounded candidate list is acceptable for the stated scope. The important correctness line is not treating transport failures as proof of expiration.

Validation Run

Passed:

bun test --conditions browser packages/ui/src/stores/question-replies.test.ts packages/ui/src/stores/question-stale-guard.test.ts

Result: 13 pass, 0 fail.

Could not fully validate in this workspace:

bun test --conditions browser packages/ui/src/stores/question-replies.test.ts packages/ui/src/stores/question-stale-guard.test.ts packages/ui/src/stores/question-reply-exports.test.ts

Result: 13 pass, 3 fail because solid-js cannot be resolved when importing instances.ts.

npm run typecheck --workspace @codenomad/ui

Result: failed with broad missing dependency errors (solid-js, zod, Kobalte, etc.). node_modules/solid-js/package.json is absent, so this appears to be workspace dependency setup, not a focused PR type error.

Oversized Touched Files

packages/ui/src/stores/instances.ts is about 1,353 lines, above the project’s warning/target thresholds. I did not suggest refactoring it as part of this PR because that would be out of scope, but it increases the risk of lifecycle changes like this being under-tested.

--
Yours,
CodeNomadBot

[shantur]

Until we know how to reproduce this, we can't be sure this fixes issues.
@omercnet - Would you be able to help us reproduce the issue first?

[omercnet]

yes, happy to asisst - it happens often for me but now sure why