Review — end-to-end ✅ (clean approve)

What this ships

@bergeouss's fix for #1154 — large tool outputs containing fenced diff/patch/log content corrupting subsequent message rendering. Stray </pre>, <ul><li> injected inside <pre><code>, multiple copy buttons, malformed layout.

The bug

renderMd() rendered fenced code blocks to <pre><code> HTML EARLY in the pipeline (right after the fence stash restore), then exposed that HTML to the list/heading/table regexes. Lines inside code blocks that look like markdown — diff hunks (- removed, + added), bash globs (* foo), markdown headings (# title) — got matched by those regexes and had <ul>/<li>/<h1> injected inside <pre>. The injected tags broke the </pre> closure, the SAFE_TAGS escape pass turned the malformed </pre> into </pre>, and the rest of the message rendered inside a broken block.

The fix

Split the fence stash into two phases (static/ui.js:825-841):

1. Fenced blocks (\x00P): converted to <pre><code> HTML inside the stash callback (content escaped via esc()), then kept stashed as \x00P<n>\x00 tokens through ALL markdown passes. Restored at ui.js:1002, AFTER lists/headings/tables/links — so those regexes can never see the rendered HTML.
2. Inline backticks (\x00F): converted to <code> tags in the callback, restored before bold/italic so ** `code` ** still works.

Mermaid handling moved from a separate post-pass into the fence stash callback (detects mermaid language tag, emits <div class="mermaid-block"> instead of <pre>).

Traced against upstream hermes-agent

Pure WebUI renderer change. The agent emits text/markdown, never raw HTML — so the rendering pipeline is downstream of the agent. Zero cross-tool coupling.

Bug-confirmed-on-master harness

Built a behavioural harness covering the exact issue scenarios. 8/10 pass on master, 10/10 pass on the PR. The two master failures show the bug shape directly:

FAIL [Diff -line with leading space inside code]:
  out: <pre><code class="language-diff">- removed line<br><ul><li>added line</code>&lt;/pre&gt;</li></ul>
                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

FAIL [Heading inside fenced block stays literal]:
  out: <pre><code class="language-markdown"># fake heading<br><h2>also fake</code>&lt;/pre&gt;</h2>
                                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Exactly the issue #1154 symptom: "stray literal </pre> rendered in the page" — the SAFE_TAGS pass escapes the now-malformed closing tag because <ul> was injected into the <pre>.

Post-fix output is correct: <pre><code>- removed line\n+ added line</code></pre> with no <ul>/<li> and balanced <pre>/</pre> count.

End-to-end trace

Token namespace check

Existing tokens: \x00F (inline code, repurposed), \x00M (math), \x00R (raw <pre>), \x00C (inline code stash inside inlineMd), \x00G (img), \x00L (link), \x00O (outer <code>), \x00A (anchor), \x00B (block-element-line), \x00E (rendered pre stash for paragraph splitting). New: \x00P (rendered fenced block, late-restored). No collision. ✅

Stash/restore ordering

The critical move is step 10: fenced HTML is reintroduced AFTER lists/headings/tables run. The downstream \x00E stash at line 1008 then captures the now-restored <pre> blocks before paragraph splitting (so newlines inside code don't get <br>'d) — that pipeline is unchanged.

Mermaid integration

Pre-fix: separate post-pass s.replace(/```mermaid\n?(.*?)```/g, ...) after fence restore.

Post-fix: detected inside the fence stash callback via m[1].trim().toLowerCase() === 'mermaid'. Emits <div class="mermaid-block" data-mermaid-id="...">...</div> directly into _preBlock_stash. The id is generated the same way (Math.random().toString(36).slice(2,10)).

The downstream \x00E stash at line 1008 already includes mermaid via the regex <div class="(mermaid-block|katex-block)".... So mermaid blocks survive paragraph splitting just like before. ✅

Edge-case trace

Tests

• PR's 14 new tests in tests/test_issue1154_fenced_code_leak.py: pass.
• PR's targeted updates in test_issue347.py (variable-rename: fence_stash.push(m) → fence_stash.push() and test_issue_code_syntax_highlight.py (normalizedLang → lang): both correct, same intent preserved.
• Local full suite: 2651 passed, 47 skipped, 1 PR-unrelated pre-existing failure (test_sprint3.py::test_workspace_add_rejects_system_paths — the macOS-only quirk that PR #1186 fixes; this PR is on top of master before #1186 lands).
• CI on PR: ✅ test (3.11), ✅ test (3.12), ✅ test (3.13).
• My behavioural harness: 10/10 on PR, 8/10 on master (2 failures match issue symptoms exactly).
• All 25 test_renderer_js_behaviour tests: pass — the existing renderer test suite that locks blockquote/list/heading/etc. invariants still passes, confirming no regression in the core rendering paths.

Other audit — confirmed correct

• JS syntax: node --check passes.
• Language detection: new regex ^(\w[\w+-]*)\n?([\s\S]*)$ — same coverage as the original [\w+-]*\n? (zero-or-more word chars + optional newline). Empty-language case handled at lines 833-834 (m may be null → lang='', code=raw.replace(/^\n?/,'')). ✅
• esc() on code content: still escapes <, >, &, ", ' via the same esc() function — no XSS surface change.
• Compatible with rawPreStash (#1172): the rawPreStash captures pre-existing <pre> HTML in the input; this PR's fence stash captures markdown fenced blocks. Different sources, different tokens (\x00R vs \x00P), no overlap.
• Inline backtick semantics: new pass s.replace(/\([^\`\n]+)`/g, ...)` is identical regex to the inline part of the original combined pattern. Same behaviour. ✅

Minor observations (non-blocking)

• The new \x00P stash adds one more token to an already token-heavy renderer. The stash family (F, M, R, P, C, G, L, O, A, B, E) is now 11 tokens — worth a future cleanup pass that consolidates them, but the current per-token comment + restore order is well-documented and traceable.
• The mermaid id generator (Math.random().toString(36).slice(2,10)) is the same as before, so existing mermaid post-processing keyed on that id format keeps working.
• The PR description's "All 2667 tests pass" — local count for me was 2651 passed (different test selection because of macOS skips). Same effective signal.

Recommendation

Approved. Principled fix at the right layer: the rendering pipeline now keeps fenced HTML stashed past every dangerous markdown pass, eliminating the entire class of "code block content matches markdown regex and corrupts the page" bugs. Behavioural harness directly confirms the master bug and the post-fix correctness. CI green on 3.11/3.12/3.13. Existing 71 renderer tests still pass. Parked at approval — ready for the release agent's merge/tag pipeline.