sync: dev to extern-contrib

[github-actions]

sync-branches: New code has just landed in dev, so let's bring extern-contrib up to speed!

Summary by Sourcery

Bug Fixes:

• Ensure API, WebSocket, and image asset requests target the versioned /v1 service paths.

---

Summary by cubic

Syncs extern-contrib with dev by reverting the /v1 endpoint migration and fixing the loginpage.php redirect loop. Bumps to 3.4.5 (prerelease) and aligns API, WebSocket, and asset routes with the backend.

• Bug Fixes

  • Prevent login redirect loop by checking loginpage.php response and gating AutoLogin/profile redirects.

• Refactors

  • Revert /v1 paths for API, image assets, and notifications WebSocket.
  • Set version to 3.4.5 in XMOJ.user.js and package.json; update Update.json with prerelease entries for 3.4.3–3.4.5.

^{Written for commit 45c56a2. Summary will update on new commits.}

[cloudflare-workers-and-pages]

Deploying xmoj-script-dev-channel with    Cloudflare Pages

Latest commit:	45c56a2
Status:	✅  Deploy successful!
Preview URL:	https://4e9555a6.xmoj-script-dev-channel.pages.dev

View logs

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Aligns extern-contrib with dev by bumping the script/package version and routing all API, WebSocket, and asset/image requests through the new /v1 backend paths.

Sequence diagram for image upload using v1 backend

sequenceDiagram
    actor User
    participant Browser
    participant XMOJUserScript
    participant BackendAPI_v1 as BackendAPI_v1
    participant AssetsService_v1 as AssetsService_v1

    User->>Browser: Select image to upload
    Browser->>XMOJUserScript: change event with File
    XMOJUserScript->>XMOJUserScript: FileReader.readAsDataURL
    XMOJUserScript->>BackendAPI_v1: POST https://api.xmoj-bbs.me/v1/UploadImage
    activate BackendAPI_v1
    BackendAPI_v1-->>XMOJUserScript: { Success, Data.ImageID }
    deactivate BackendAPI_v1

    XMOJUserScript->>XMOJUserScript: Build markdown
    Note over XMOJUserScript: ![](https://assets.xmoj-bbs.me/v1/GetImage?ImageID=ImageID)

    XMOJUserScript->>Browser: Update textarea value
    Browser->>AssetsService_v1: GET https://assets.xmoj-bbs.me/v1/GetImage?ImageID=ImageID
    AssetsService_v1-->>Browser: Image content
    Browser-->>User: Render image in markdown preview

Loading

Architecture diagram for script routing to v1 services

flowchart LR
    subgraph Client
      U[User]
      B[Browser]
      S[XMOJUserScript]
    end

    subgraph ProdBackend
      APIv1[api.xmoj-bbs.me/v1]
      WSv1[api.xmoj-bbs.me/v1/ws/notifications]
      ASSETv1[assets.xmoj-bbs.me/v1/GetImage]
    end

    subgraph LocalDebug
      APIv1_local[127.0.0.1:8787/v1]
      WSv1_local[ws://127.0.0.1:8787/v1/ws/notifications]
    end

    U --> B --> S

    S -->|HTTP API requests| APIv1
    S -->|WebSocket notifications| WSv1
    S -->|Markdown image URLs| ASSETv1

    S -->|SuperDebug HTTP API| APIv1_local
    S -->|SuperDebug WebSocket| WSv1_local

Loading

File-Level Changes

Change	Details	Files
Update request endpoints to use versioned /v1 REST and WebSocket APIs.	Adjust RequestAPI base URL to append /v1/ in both debug and production modes Update WebSocket notification endpoint to include /v1/ws path segment Update asset/image markdown URLs to use /v1/GetImage on the assets domain	XMOJ.user.js messages.html
Bump script/package version to reflect the new backend API versioning.	Increment UserScript @Version header from 3.4.2 to 3.4.3 Increment npm package.json version field from 3.4.2 to 3.4.3 Ensure Update.json reflects the new release metadata if applicable	XMOJ.user.js package.json Update.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The /v1/ API and asset path segments are now hardcoded in multiple places (user script, messages.html, markdown insertions); consider centralizing these into shared constants/helpers so future version bumps only require a single change point.
• The various image URL templates for markdown insertion are duplicated across several content-editing code paths; it may be worth extracting a small utility to generate the asset URL to reduce the risk of inconsistencies on future changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `/v1/` API and asset path segments are now hardcoded in multiple places (user script, messages.html, markdown insertions); consider centralizing these into shared constants/helpers so future version bumps only require a single change point.
- The various image URL templates for markdown insertion are duplicated across several content-editing code paths; it may be worth extracting a small utility to generate the asset URL to reduce the risk of inconsistencies on future changes.

## Individual Comments

### Comment 1
<location path="XMOJ.user.js" line_range="646" />
<code_context>
         }

-        let wsUrl = (UtilityEnabled("SuperDebug") ? "ws://127.0.0.1:8787" : "wss://api.xmoj-bbs.me") + "/ws/notifications?SessionID=" + Session;
+        let wsUrl = (UtilityEnabled("SuperDebug") ? "ws://127.0.0.1:8787" : "wss://api.xmoj-bbs.me") + "/v1/ws/notifications?SessionID=" + Session;

         if (UtilityEnabled("DebugMode")) {
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Consider URL-encoding `Session` when building the WebSocket URL.

If `Session` can contain reserved URL characters (like `?` or `&`), concatenating it directly into the query string may produce an invalid URL. Using `encodeURIComponent(Session)` will make the URL construction robust while preserving current behavior for simple tokens.

```suggestion
        let wsUrl = (UtilityEnabled("SuperDebug") ? "ws://127.0.0.1:8787" : "wss://api.xmoj-bbs.me") + "/v1/ws/notifications?SessionID=" + encodeURIComponent(Session);
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Consider URL-encoding Session when building the WebSocket URL.

If Session can contain reserved URL characters (like ? or &), concatenating it directly into the query string may produce an invalid URL. Using encodeURIComponent(Session) will make the URL construction robust while preserving current behavior for simple tokens.

Suggested change

	let wsUrl = (UtilityEnabled("SuperDebug") ? "ws://127.0.0.1:8787" : "wss://api.xmoj-bbs.me") + "/v1/ws/notifications?SessionID=" + Session;
	let wsUrl = (UtilityEnabled("SuperDebug") ? "ws://127.0.0.1:8787" : "wss://api.xmoj-bbs.me") + "/v1/ws/notifications?SessionID=" + encodeURIComponent(Session);

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="Update.json">

<violation number="1" location="Update.json:3551">
P3: Fix the malformed release-note description to include the intended route path (likely `/v1`).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}