Review — end-to-end ✅ (approved after stale-response race fix pushed)

What this ships

v0.50.229 — absorbing @jasonjcwu's PR #1158 with integration fixes:

Performance: parallelize the session switch hot path

• Promise.all() for expanded-dir pre-fetches in loadDir() (N×RTT → 1×RTT) at static/workspace.js:62-79
• ThreadPoolExecutor(max_workers=3) for git status / rev-list ahead / rev-list behind subprocess calls at api/workspace.py:609-628
• loadDir() dispatched concurrently with highlightCode() on the idle path at static/sessions.js:269-273

Message pagination for long conversations

• ?msg_limit=N&msg_before=I query params on /api/session at api/routes.py:775-794
• Initial load: last 30 messages (_INITIAL_MSG_LIMIT)
• Scroll-to-top triggers _loadOlderMessages with msg_before cursor (index-based, not timestamp)
• All undo/retry/compress/done paths reset _messagesTruncated

Traced against upstream hermes-agent

Pulled fresh nousresearch/hermes-agent tarball.

Backend changes touch api/routes.py and api/workspace.py. The _messages_truncated and _messages_offset response fields are WebUI-internal (added to the JSON shape on top of the agent's session). The agent doesn't read these — s.compact() does NOT include them, they're only set by the route handler. Cross-tool risk = zero.

git_info_for_workspace is purely workspace.py — agent doesn't read git status. Threading is safe (subprocess calls block on pipes, not GIL).

What I caught — stale-response race in _loadOlderMessages

The PR's cancellation guard at static/sessions.js:373 (pre-fix):

if (!data || !data.session || (_loadingSessionId !== null && _loadingSessionId !== sid)) return;

This catches the mid-switch case (new session load in progress when older-messages returns). It misses the post-switch case:

1. User on session A, _loadOlderMessages issues fetch (sid = A)
2. User clicks session B → loadSession(B) completes → _loadingSessionId = null (sessions.js:141)
3. Older-messages response for A returns → guard evaluates (null !== null) && ... = false → guard does NOT bail
4. S.messages = [...olderMsgs, ...S.messages] prepends A's older messages onto B's S.messages → corruption

The reset block at sessions.js:117-122 clears _loadingOlder = false; _messagesTruncated = false; _oldestIdx = 0 on switch — but those are state for FUTURE calls. The in-flight promise is unaffected.

What I pushed — d974388

Tightened the guard to ALSO compare S.session.session_id !== sid:

if (!data || !data.session) return;
if (!S.session || S.session.session_id !== sid) return;
if (_loadingSessionId !== null && _loadingSessionId !== sid) return;

Both layers together cover both windows (mid-switch and post-switch). The S.session.session_id check is the authoritative "is this still the active session?" — _loadingSessionId is only meaningful while a load is in progress.

Plus a regression test (test_load_older_compares_against_active_session_id) that asserts:

• S.session.session_id !== sid is present in _loadOlderMessages body
• The check appears BEFORE the S.messages = [...olderMsgs, ...S.messages] mutation

CI re-ran green on d974388: 3.11 ✅, 3.12 ✅, 3.13 ✅.

End-to-end trace

Backend pagination math

api/routes.py:802-820:

• Initial load (no msg_before): _truncated_msgs = _all_msgs[-msg_limit:] (last N)
• Cursor paging (msg_before=I): _slice = _all_msgs[:_before_idx] (everything before cursor), then _slice[-msg_limit:] (last N before cursor)
• Bounds: _before_idx = max(0, min(int(msg_before), len(_all_msgs))) — clamped at both ends
• Truncation flag: len(_slice) > msg_limit for cursor path; len(_all_msgs) > msg_limit for initial path
• Offset (cursor): _before_idx - len(_truncated_msgs) — index of first returned message in full array
• Offset (initial): len(_all_msgs) - len(_truncated_msgs) — same semantics

Walked through with N=100, msg_limit=30:

• Initial: returns msgs[70:100], offset=70, truncated=True ✅
• msg_before=70, msg_limit=30: returns msgs[40:70], offset=40, truncated=True (40 > 0) ✅
• msg_before=30, msg_limit=30: returns msgs[0:30], offset=0, truncated=False ✅
• msg_before=10, msg_limit=30: returns msgs[0:10] (clamped by slice), offset=0, truncated=False ✅

git_info_for_workspace parallelization

api/workspace.py:618-628 — ThreadPoolExecutor(max_workers=3) per call. Each git subprocess blocks on the pipe, not the GIL. The with block ensures the pool is shut down after each call.

Cost: 3 thread creates per call. Trade-off vs the ~50-200ms wall-clock saving (subprocess.run timeouts can stack). Acceptable.

Frontend cancellation matrix (after my fix)

done SSE handler resetting _messagesTruncated

api/streaming.py:1964: raw_session = s.compact() | {'messages': s.messages, 'tool_calls': tool_calls} — emits the FULL session, no _messages_truncated field. So static/messages.js:762's _messagesTruncated = !!d.session._messages_truncated evaluates !!undefined = false. Correctly resets the flag. ✅

_ensureAllMessagesLoaded for export/undo

static/sessions.js:400-407 fetches the full session WITHOUT msg_limit so cmdRetry/cmdUndo/manual compression always operate on the complete history. cmdRetry/cmdUndo/_runManualCompression also reset _messagesTruncated = false after the reload — locking in the new full-history state.

Edge-case trace

Tests

• PR's targeted tests: 32/32 in test_parallel_session_switch.py. Plus my new test = 33/33.
• Local full suite: 2629 passed, 47 skipped, 1 PR-unrelated pre-existing failure (test_sprint3.py::test_workspace_add_rejects_system_paths — macOS-only).
• CI on PR after my push: ✅ test (3.11), ✅ test (3.12), ✅ test (3.13).
• Behavioural verification: manual trace through bound clamping, truncation flag math, and cancellation matrix above.

Other audit — confirmed correct

• i18n coverage: load_older_messages added in all 7 locales (en, ru, es, de, zh, zh-Hant, ko).
• CSS: .load-older-indicator is a focused single-rule class. No specificity conflicts.
• S._expandedDirs||new Set() fallback: was ||[] originally, fixed during integration. Set has .size and is iterable — works with [...expanded] spread. ✅
• Index-based cursor (not timestamp): avoids issues with messages that have _ts=0 or duplicate timestamps. The PR description explicitly calls out the 827-msg dataset that motivated this change.
• JS syntax: node --check passes on all touched files.

Minor observations (non-blocking)

• The _INITIAL_MSG_LIMIT = 30 constant is hard-coded. Could be a per-user setting in the future (especially for power users with very long histories who want bigger initial loads). Out of scope.
• The done event handler resets _messagesTruncated = !!d.session._messages_truncated — the done event always emits the full session, but if a future change ever adds _messages_truncated to the SSE payload, this would silently flip the flag. Not currently a risk since the field is only set in routes.py.
• Per-call ThreadPoolExecutor(max_workers=3) has thread-creation overhead (~ms per call). For workspaces hit by every session list refresh, a module-level pool would be cheaper. Acceptable for now since git_info is gated by is_git.

Recommendation

Approved (after race-fix push). Three independent perf optimizations + a substantial pagination feature, all wired correctly and well-tested. The cancellation race I caught is a real corruption window — the PR's own test suite covered the mid-switch case but not the post-switch case. Tightened the guard with an S.session.session_id !== sid check and added a regression test that locks the new invariant. CI green; full suite 2629 passed; no agent coupling. Parked at approval — ready for the release agent's merge/tag pipeline.