✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

✅ PR preview is ready!

📈 Frontend coverage change detected

The frontend unit test (vitest) coverage has increased by 0.1800%

• Current PR: 86.6900% (13901 lines, 1850 missed)
• Latest develop: 86.5100% (13875 lines, 1871 missed)

🎉 Great job on improving test coverage!

📊 View detailed coverage comparison

Summary

This PR extends the existing SEND_APP_HEARTBEAT mechanism to include server acknowledgments. When the frontend sends an app_heartbeat BackMsg, the server now responds with a heartbeat_ack ForwardMsg. The frontend tracks these acks and triggers a websocket reconnect if an ack isn't received within 29 seconds (1 second shorter than the expected 30s heartbeat interval in hosted environments).

Main changes:

• Added heartbeat_ack field (field 26) to ForwardMsg.proto
• Backend: _handle_app_heartbeat_request() now enqueues a heartbeat_ack ForwardMsg
• Frontend: ConnectionManager tracks heartbeat timeouts and triggers reconnects on timeout
• Frontend: WebsocketConnection added reconnect() method that transitions FSM to PINGING_SERVER
• Frontend: App.tsx handles heartbeatAck messages and notifies ConnectionManager

Code Quality

The code is well-structured and follows existing patterns in the codebase.

Strengths:

• Clear separation of concerns: ConnectionManager handles timeout tracking, WebsocketConnection handles FSM transitions
• Proper cleanup in disconnect() to prevent memory leaks (line 227 in ConnectionManager.ts)
• Good defensive programming with isConnected() check before reconnect (line 250 in ConnectionManager.ts)
• Well-documented constants with rationale (HEARTBEAT_ACK_TIMEOUT_MS in constants.ts:76-83)
• Clean docstrings following numpydoc style in the Python code

Minor observations:

• The awaitingHeartbeatAck flag (line 104 in ConnectionManager.ts) is technically redundant since heartbeatAckTimeoutId !== undefined serves the same purpose, but it adds clarity and is an acceptable defensive pattern.

Test Coverage

Test coverage is comprehensive and follows best practices.

Python tests (app_session_test.py:1279-1291):

• Tests that heartbeat_ack ForwardMsg is enqueued with correct type
• Includes negative assertion (WhichOneof("type") == "heartbeat_ack") to verify correct message type

Frontend tests:

1. ConnectionManager.test.ts (new file, 194 lines):

   • Tests timeout starting when heartbeat is sent
   • Tests reconnect triggered on timeout
   • Tests timeout clearing when new heartbeat sent (proper debounce)
   • Tests timeout clearing on ack received
   • Tests no error when ack received without pending heartbeat
   • Tests timeout cleared on disconnect
   • Tests no reconnect attempt when already disconnected
   • Good use of vi.useFakeTimers() for deterministic timing tests

2. WebsocketConnection.test.tsx (lines 1018-1032):

   • Tests reconnect() transitions to PINGING_SERVER when connected
   • Tests reconnect() does nothing when not connected (negative assertion)

3. App.test.tsx (lines 4590-4606):

   • Tests onHeartbeatSent called on SEND_APP_HEARTBEAT message
   • Tests onHeartbeatAckReceived called on heartbeatAck ForwardMsg

E2E test infrastructure:

• Updated hostframe.html with "Send Heartbeat" button for manual testing

Backwards Compatibility

Fully backwards compatible:

• Proto field 26 is purely additive; old clients ignore unknown fields
• In OSS Streamlit, SEND_APP_HEARTBEAT is never sent by hosts, so this code path is never executed
• Old servers won't send heartbeat_ack, but this only matters in hosted environments that would update both client and server together
• The reconnect() method uses existing FSM transitions (PINGING_SERVER), not new states

Security & Risk

No security concerns identified:

• No new attack vectors introduced
• Heartbeat mechanism doesn't expose sensitive information
• No new authentication or authorization paths

Risk assessment:

• Low risk: The feature is opt-in (only triggered by hosted environments sending SEND_APP_HEARTBEAT)
• Graceful degradation: If server doesn't respond with ack, worst case is a reconnect attempt
• Timeout value: 29s timeout assumes 30s heartbeat interval. If configured differently, could cause unnecessary reconnects, but this is documented and acceptable for hosted use cases

Recommendations

No blocking issues found. The implementation is clean, well-tested, and follows established patterns.

Optional consideration (non-blocking):

1. The timeout constant HEARTBEAT_ACK_TIMEOUT_MS = 29 * 1000 assumes a 30s heartbeat interval. If this interval ever becomes configurable per-deployment, consider making the timeout configurable as well. This is documented in the code comments and acceptable for current use cases.

Verdict

APPROVED: This is a well-implemented feature with comprehensive test coverage, proper cleanup handling, and full backwards compatibility. The code follows existing patterns and best practices, and the PR description clearly explains the motivation and testing approach.

This is an automated AI review using opus-4.5-thinking. Please verify the feedback and use your judgment.

@sfc-gh-bnisco thanks for the review / sorry for the slow turnaround on my side!

I've addressed your PR feedback + also had a realization that we'll want some way to control the rollout from the SiS side, so I made another change adding a new expectAck field to the SEND_APP_HEARTBEAT message type so that we can control whether the OSS side uses the new reconnect behavior from an app's host.

Summary

This PR extends the existing SEND_APP_HEARTBEAT host communication mechanism to support server-side acknowledgment and connection health monitoring. When a host (e.g., SiS, Community Cloud) sends a heartbeat, the server now responds with a heartbeat_ack ForwardMsg. The host can optionally specify an ackTimeoutMilliseconds value; if an ack is not received within that window, the frontend will proactively close and reconnect its WebSocket, enabling faster detection of broken connections.

Key changes across the stack:

• Proto: New bool heartbeat_ack = 26 field in ForwardMsg.
• Python backend: _handle_app_heartbeat_request now enqueues a heartbeat_ack ForwardMsg instead of being a noop.
• Frontend host comm: SEND_APP_HEARTBEAT gains an optional ackTimeoutMilliseconds field.
• Frontend App: Dispatches heartbeatAck messages and passes timeout to ConnectionManager.
• Frontend ConnectionManager: New heartbeat timeout tracking with onHeartbeatSent / onHeartbeatAckReceived, plus a private reconnect() method.
• Frontend WebsocketConnection: New public reconnect() method that closes the connection and transitions the FSM to PINGING_SERVER.

Code Quality

The code is well-structured and follows existing patterns throughout the codebase.

Strengths:

• Clean separation of concerns: WebsocketConnection.reconnect() handles the FSM transition, ConnectionManager handles the timeout logic, and App wires the dispatch.
• Good defensive programming: the isConnected() guard inside the timeout callback prevents reconnect attempts on already-disconnected sockets; clearHeartbeatAckTimeout() is called from all appropriate teardown paths (disconnect, reconnect, state change).
• The setConnectionState callback correctly clears stale timeouts when transitioning away from CONNECTED, preventing misleading log messages.
• Optional chaining (this.connectionManager?.onHeartbeatSent(...)) is used consistently.
• JSDoc comments are thorough and explain the "why" behind the timeout mechanism.

Minor observations:

1. In ConnectionManager.onHeartbeatSent (line 237-249 of ConnectionManager.ts), inside the setTimeout callback, this.heartbeatAckTimeoutId is set to undefined before calling this.reconnect(), which itself calls clearHeartbeatAckTimeout(). This is harmless (the clear method checks for undefined), but the manual assignment on line 241 is slightly redundant since reconnect() will clear it anyway.

2. The guard if (!ackTimeoutMilliseconds) in onHeartbeatSent (line 233) correctly handles 0, NaN, and undefined. Note that a negative value would pass this guard (since -1 is truthy) and create a near-immediate timeout. This is extremely unlikely since the host controls this value, but worth being aware of.

Test Coverage

Test coverage is thorough and follows best practices.

Python tests (app_session_test.py):

• test_app_heartbeat_sends_ack properly verifies the ForwardMsg is enqueued with the correct type field (WhichOneof("type") == "heartbeat_ack"). Good negative assertion pattern.

Frontend - ConnectionManager.test.ts (new file, 241 lines):

• Comprehensive coverage of all heartbeat timeout scenarios: start/clear timeout, reconnect on timeout, timer reset on new heartbeat, ack clears timeout, no-error on spurious ack, disconnect cleanup, no reconnect when already disconnected, timeout cleared on state transition.
• Uses vi.useFakeTimers() appropriately with proper cleanup in afterEach.

Frontend - App.test.tsx:

• Tests for SEND_APP_HEARTBEAT with and without ackTimeoutMilliseconds.
• Tests that heartbeatAck ForwardMsg triggers onHeartbeatAckReceived.
• Each test includes a complementary negative assertion (e.g., sending heartbeat doesn't trigger ack handler, and vice versa).

Frontend - HostCommunicationManager.test.tsx:

• Existing test updated and new test added for ackTimeoutMilliseconds passthrough.

Frontend - WebsocketConnection.test.tsx:

• reconnect() tested for both connected and non-connected states.

E2E:

• hostframe.html updated with a "Send Heartbeat" button and button count incremented in the test. Updated snapshots provided.

Overall, the test coverage is excellent for this feature.

Backwards Compatibility

This change is fully backwards compatible:

1. Host communication: ackTimeoutMilliseconds is optional in the SEND_APP_HEARTBEAT message type and defaults to 0 when absent (message.ackTimeoutMilliseconds ?? 0). When 0, no timeout is started, preserving existing behavior.
2. Server-side: The server now always responds with heartbeat_ack, even for existing hosts that don't monitor for it. The frontend ignores it unless a timeout is pending. The heartbeat_ack message is a single boolean and has negligible bandwidth impact.
3. OSS usage: In the OSS world, SEND_APP_HEARTBEAT messages are never sent, so none of this new code is ever invoked.
4. sendAppHeartbeat signature change: The function signature changes from () => void to (ackTimeoutMilliseconds: number) => void. The AppNavigation.test.ts mock is updated, and the HostCommunicationProps interface is updated. All callers go through the host communication manager which defaults the value to 0.

Security & Risk

• Low risk: The feature is opt-in (host must send a non-zero ackTimeoutMilliseconds). The worst case for a misbehaving host sending a very small timeout is extra reconnection cycles, which is bounded by the existing reconnection logic.
• No new user inputs are processed; the ackTimeoutMilliseconds comes from the trusted host frame.
• The heartbeat_ack proto field is a simple boolean with no payload, posing no deserialization risk.
• No credentials, tokens, or sensitive data are involved in this flow.

Accessibility

This PR has no user-facing UI changes. The only frontend-visible change is a new "Send Heartbeat" button in the test-only hostframe.html file, which is not user-facing. No accessibility concerns.

Recommendations

No blocking issues found. Minor suggestions for consideration:

1. Consider validating ackTimeoutMilliseconds: In ConnectionManager.onHeartbeatSent, you could add a guard for negative values (e.g., if (ackTimeoutMilliseconds <= 0) return). While unlikely to be sent by a host, negative values would create a near-immediate timeout leading to a reconnect cycle. This is a very minor hardening suggestion.

2. Redundant cleanup in timeout callback: In ConnectionManager.ts line 241, this.heartbeatAckTimeoutId = undefined is set before this.reconnect(), which also calls clearHeartbeatAckTimeout(). This is harmless but could be simplified by removing the manual assignment and letting reconnect() handle it. Very minor, not blocking.

Verdict

APPROVED: Well-designed, backwards-compatible extension of the heartbeat mechanism with comprehensive test coverage across all layers. The opt-in approach with host-configurable timeout is a clean design. No blocking issues identified.

This is an automated AI review using opus-4.6-thinking. Please verify the feedback and use your judgment.