Review — end-to-end ✅ (clean approve, behavioural harness confirms regex match)

Self-built PR closing #1618 (reported by @Zixim) and superseding #1463's prior CSS-only attempt at #1516 (v0.50.279). YAML, JSON, and diff/patch fenced code blocks have been rendering flattened to a single line since v0.50.237 — the previous CSS-only fix targeted the wrong layer (Prism token white-space) when the bug actually lived earlier in the regex pipeline. One-character regex relax in static/ui.js.

What this ships

• static/ui.js:1914-1925 — _pre_stash regex relaxed from <pre> to <pre[^>]*>. Pulls JSON's <pre class="tree-raw-view"> and diff's <pre class="diff-block"> (both introduced by #484 / v0.50.237) into the stash so the paragraph-wrap pass can't replace their \n with <br>. Bash/Python/Go (bare <pre>) unaffected — same regex still matches them.
• tests/test_issue1618_yaml_json_diff_newline_preserve.py — 9 new regression tests (2 source-string + 7 behavioral via node-driver against actual static/ui.js renderMd()).
• tests/test_745_code_block_newlines.py — three pre-existing window-scan assertions widened from 400 → 1500 chars (the new explanatory comment block pushed the regex past the previous scan window — pytest-pitfalls § D pattern).

Traced against upstream hermes-agent

Webui-only — renderMd() is the frontend's markdown renderer; the agent doesn't render markdown server-side. No cross-tool surface. ✅

Behavioural harness — regex match verification

Ran old vs new regex against the five <pre>/<div> shapes that flow through _pre_stash:

OLD regex / NEW regex matches:
  ✓ / ✓  bare <pre> (bash, python)
  ✗ / ✓  <pre class=tree-raw-view> (yaml/json)        ← the bug
  ✗ / ✓  <pre class=diff-block> (diff/patch)          ← the bug
  ✓ / ✓  <div class=pre-header><pre>
  ✓ / ✓  <div class=mermaid-block>

Confirms:

1. Pre-fix: YAML/JSON tree-viewer (<pre class="tree-raw-view">) and diff/patch coloring (<pre class="diff-block">) — both introduced by #484 — were silently slipping past the stash. The paragraph-wrap pass converted their \n to <br> inside <code>, leaving Prism with no newlines to highlight against.
2. Post-fix: all three <pre> shapes (bare, tree-raw-view, diff-block) caught by the relaxed regex. Bash/Python/Go pass-through preserved. Mermaid/katex alternation untouched.

End-to-end trace

Pre-fix flow (Zixim's case):

1. User pastes ```yaml\nfoo:\n bar: 1\n```.
2. renderMd() runs Prism, which produces <div class="code-tree-wrap"><div class="pre-header">yaml</div><pre class="tree-raw-view"><code class="language-yaml">foo:\n bar: 1\n</code></pre></div>.
3. _pre_stash regex at line 1914 (old) only matches <pre> — <pre class="tree-raw-view"> does NOT match → fall-through.
4. Paragraph-wrap pass runs on the un-stashed content → \n → <br> inside <code>.
5. Prism re-tokenizes → builds spans from a single-line string → CSS white-space: pre rule has nothing to preserve.
6. User sees: foo: bar: 1 (single line). ❌

Post-fix flow:
1-2. Same.
3. _pre_stash regex (new, <pre[^>]*>) matches <pre class="tree-raw-view"> → stashed with token \x00E0\x00.
4. Paragraph-wrap pass operates on the un-stashed content but the <pre> block is now opaque (replaced by token).
5. Stash restoration replaces token with original <pre class="tree-raw-view"><code>foo:\n bar: 1\n</code></pre> — newlines intact.
6. Prism tokenizes the multi-line string → spans built per-line → CSS rule preserves them. User sees multi-line YAML. ✅

Security audit

• ✅ One-character regex change in pure markdown processing — no XSS surface added (the regex was always there to MATCH, the change just widens what it matches).
• ✅ No new endpoints, no auth changes, no config.yaml writes.
• ✅ The [^>]* between <pre and > matches any char except >, which is the standard "anything inside the tag" idiom — won't match nested < or escape its boundary.
• ✅ The match is greedy on [\s\S]*? (non-greedy) up to </pre> — same lazy-match shape as before, no ReDoS surface introduced.

Race / state analysis

renderMd is a pure JS string transformation — no shared state, no async. Single-threaded JS execution. ✓

Edge-case trace

Tests

• tests/test_issue1618_yaml_json_diff_newline_preserve.py — 9/9 pass:
  • Source: test_pre_stash_regex_matches_pre_with_attributes, test_pre_stash_still_captures_pre_header_and_optional_div
  • Behavioral (node-driver): test_yaml_block_preserves_newlines, test_json_block_preserves_newlines, test_diff_block_preserves_newlines, test_yaml_block_renders_multiline_html_shape, test_yml_alias_already_worked_still_works, test_bash_block_unaffected_baseline, test_mermaid_block_unaffected_by_regex_relaxation
• tests/test_745_code_block_newlines.py — 9/9 pass with the widened scan window. Pure window adjustment, no behavior change.
• PR description claims 6/9 behavioral tests fail on master pre-fix — the right kind of "the test would have caught the bug" verification.
• Full suite: 4199 passed, 57 skipped, 3 xpassed, 0 failed in 32.12s on the PR branch (PR description claims 4254; counting drift consistent with prior batches).
• CI: all 3 (3.11/3.12/3.13) green ✅.

Other audit — things that are correct already

• ✅ The 7-line explanatory comment above the relaxed regex correctly documents the bug class (every stash regex must match the union of HTML shapes the upstream pipeline emits, not just the original shape).
• ✅ The test driver pattern uses node to spawn against the actual static/ui.js renderMd — that's the right level of behavioral test for a JS regex fix. Source-presence assertions alone (which is what #1516 had) are insufficient.
• ✅ The PR description honestly acknowledges the previous diagnosis (maintainer reply on #1618 saying the fix had landed) was wrong, with apology to @Zixim. Good external-contributor handling.
• ✅ The CSS rule from #1516 is intentionally left in place as defense-in-depth. With the regex fix, newlines reach Prism intact and the rule's white-space preservation is now redundant-but-idempotent.
• ✅ Reporter (@Zixim) attribution preserved.

Minor observations (non-blocking)

• The regex relax is a one-character net change but the diff is +9/-1 lines because the contributor added an explanatory comment block. That comment block is the right kind of documentation — anchors the fix to the reasoning so future contributors understand why the regex must accept attributes.

• The 400 → 1500 widening in test_745_code_block_newlines.py is a pure scan-window fix, not a behavior change. Worth a future cleanup that anchors the test on actual symbols (e.g. re.search(...) for the regex pattern) rather than character offsets. Not blocking.

• <pre[^>]*> matches even malformed cases like <preen attribute> — but </pre> is required for the lazy match to terminate, and HTML parsers are extremely lenient about this. Practical concern is zero; flagging for completeness.

• PR description test count off by ~55 (4254 claimed vs 4199 local). Consistent with prior batches.

• CHANGELOG provisionally stamped [v0.50.295] which the PR description acknowledges as a release-agent boundary call. Not a review concern.

Recommendation

✅ Approved. Surgical one-character regex fix targeting the exact layer where the bug actually lived. Behavioral harness verifies the OLD regex misses YAML/JSON/diff while the NEW regex catches them — and bash/python/mermaid/katex shapes still match identically. The 6-of-9-tests-fail-on-master verification confirms the regression coverage actually catches the bug.

PR description honestly corrects the previous misdiagnosis on #1618. Test driver pattern (node-against-actual-renderMd) is the right level of behavioral test for a JS regex fix — source-presence alone (#1516's mistake) was insufficient.

Cross-tool safe (webui-only). 9/9 PR tests + full-suite green on all 3 Python versions. The CSS rule from #1516 stays in place as defense-in-depth.

Parked at approval — ready for the release agent's merge/tag pipeline.