v1.13.19-html-artifact-panes: pane-based artifact viewer with on-request HTML

Every assistant message gets an "Open in pane" affordance that opens the
message in the workspace splitter — Markdown pane (Copy + Download .md) by
default; HTML pane (Download .html only) when the model emits a self-contained
<!DOCTYPE html> or fenced ```html artifact. BOOCHAT.md rule keeps Markdown
default at every length; HTML opt-in on explicit user request.

Backend: services/artifacts.ts (slug derivation + write helpers with
symlink-escape guard via realpath-after-mkdir), routes/artifacts.ts (POST
download + GET stream with nosniff + CSP sandbox defense-in-depth), HTML
detection in finalizeCompletion writing a new message_parts.kind='html_artifact'
row (schema CHECK extended via v1.13.13 pattern), graceful 1MB cap via the
pure decideHtmlArtifactWrite helper. PartKind union extended.

Frontend: MarkdownRenderer.tsx extracted from MessageBubble's inline
MarkdownBody for reuse; MarkdownArtifactPane.tsx + HtmlArtifactPane.tsx with
loading/error states; pane state is reference-only ({chat_id, message_id,
title}) — content fetched on mount to keep workspace_panes jsonb small and
avoid 1MB blobs riding session_workspace_updated frames. iframe sandbox
locked to allow-scripts allow-clipboard-write allow-downloads with no
allow-same-origin, srcDoc not src. openInPane discriminates 404 (expected
fallback) from real errors (toast + bail). PanelRightOpen icon button with
mobile 44px tap-target.

31 new server unit tests including a real-symlink filesystem case; 332/332
server tests passing, tsc clean both sides, pnpm -C apps/web build green.
Smoke deferred to first deploy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/server/src/services/__tests__/artifacts.test.ts

@@ -0,0 +1,261 @@
+import { mkdtemp, mkdir, readFile, rm, symlink } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import {
+  decideHtmlArtifactWrite,
+  deriveHtmlSlug,
+  deriveHtmlTitle,
+  deriveMarkdownSlug,
+  detectHtmlArtifact,
+  HTML_ARTIFACT_MAX_BYTES,
+  writeHtmlArtifact,
+  writeMarkdownArtifact,
+} from '../artifacts.js';
+import { PathScopeError } from '../path_guard.js';
+
+describe('deriveMarkdownSlug', () => {
+  it('uses the first # heading when present', () => {
+    expect(deriveMarkdownSlug('# Hello World\n\nbody')).toBe('hello-world');
+  });
+
+  it('falls back to first 6 words', () => {
+    const s = deriveMarkdownSlug('the quick brown fox jumps over the lazy dog');
+    expect(s).toBe('the-quick-brown-fox-jumps-over');
+  });
+
+  it('returns "artifact" for empty input', () => {
+    expect(deriveMarkdownSlug('')).toBe('artifact');
+  });
+
+  it('caps at 60 chars and lowercases', () => {
+    const long = '# ' + 'A'.repeat(200);
+    const s = deriveMarkdownSlug(long);
+    expect(s.length).toBeLessThanOrEqual(60);
+    expect(s).toMatch(/^[a-z0-9-]+$/);
+  });
+
+  it('strips trailing punctuation', () => {
+    expect(deriveMarkdownSlug('# Hello, World!!!')).toBe('hello-world');
+  });
+});
+
+describe('deriveHtmlSlug', () => {
+  it('prefers payload.title when set', () => {
+    expect(
+      deriveHtmlSlug({ html_content: '<html></html>', title: 'My Title' }),
+    ).toBe('my-title');
+  });
+
+  it('falls back to <title> tag', () => {
+    expect(
+      deriveHtmlSlug({
+        html_content: '<html><head><title>Page Title</title></head></html>',
+        title: null,
+      }),
+    ).toBe('page-title');
+  });
+
+  it('falls back to first <h1> when no <title>', () => {
+    expect(
+      deriveHtmlSlug({
+        html_content: '<html><body><h1>Heading One</h1></body></html>',
+        title: null,
+      }),
+    ).toBe('heading-one');
+  });
+
+  it('falls back to inner text words', () => {
+    expect(
+      deriveHtmlSlug({
+        html_content: '<div>one two three four five six seven</div>',
+        title: null,
+      }),
+    ).toBe('one-two-three-four-five-six');
+  });
+});
+
+describe('deriveHtmlTitle', () => {
+  it('returns <title> content', () => {
+    expect(deriveHtmlTitle('<html><head><title>T</title></head></html>')).toBe('T');
+  });
+
+  it('falls back to <h1>', () => {
+    expect(deriveHtmlTitle('<body><h1>H</h1></body>')).toBe('H');
+  });
+
+  it('falls back to first 80 chars of inner text', () => {
+    const html = '<div>' + 'x '.repeat(100) + '</div>';
+    const t = deriveHtmlTitle(html);
+    expect(t).not.toBeNull();
+    expect(t!.length).toBeLessThanOrEqual(80);
+  });
+
+  it('returns null for empty html', () => {
+    expect(deriveHtmlTitle('')).toBeNull();
+  });
+});
+
+describe('detectHtmlArtifact', () => {
+  it('detects <!DOCTYPE html> prefix case-insensitively', () => {
+    const html = '<!doctype HTML><html><body>x</body></html>';
+    expect(detectHtmlArtifact(html)).toBe(html);
+  });
+
+  it('strips leading/trailing whitespace before matching', () => {
+    const html = '\n\n<!DOCTYPE html>\n<html></html>\n';
+    expect(detectHtmlArtifact(html)).toBe(html.trim());
+  });
+
+  it('detects fenced ```html block wrapping entire message', () => {
+    const wrapped = '```html\n<!DOCTYPE html>\n<html></html>\n```';
+    expect(detectHtmlArtifact(wrapped)).toContain('<!DOCTYPE html>');
+  });
+
+  it('rejects plain markdown', () => {
+    expect(detectHtmlArtifact('# heading\n\nsome text')).toBeNull();
+  });
+
+  it('rejects message with prose before the doctype', () => {
+    expect(
+      detectHtmlArtifact('Here you go: <!DOCTYPE html><html></html>'),
+    ).toBeNull();
+  });
+
+  it('rejects empty input', () => {
+    expect(detectHtmlArtifact('')).toBeNull();
+    expect(detectHtmlArtifact('   \n  ')).toBeNull();
+  });
+
+  it('rejects fenced block without doctype/<html>', () => {
+    expect(detectHtmlArtifact('```html\n<div>x</div>\n```')).toBeNull();
+  });
+
+  it('accepts fenced block containing <html> tag (no doctype)', () => {
+    const r = detectHtmlArtifact('```html\n<html><body>x</body></html>\n```');
+    expect(r).toContain('<html>');
+  });
+});
+
+describe('writeMarkdownArtifact / writeHtmlArtifact', () => {
+  let projectRoot: string;
+  beforeEach(async () => {
+    projectRoot = await mkdtemp(join(tmpdir(), 'artifacts-test-'));
+  });
+  afterEach(async () => {
+    await rm(projectRoot, { recursive: true, force: true });
+  });
+
+  it('writes a markdown artifact under .boocode/artifacts/', async () => {
+    const result = await writeMarkdownArtifact(
+      { content: '# Hello\n\nbody' },
+      { projectId: 'pid', projectRoot },
+    );
+    expect(result.path).toMatch(/\.boocode\/artifacts\/hello-\d+\.md$/);
+    expect(result.url).toMatch(/^\/api\/projects\/pid\/artifacts\/hello-\d+\.md$/);
+    const written = await readFile(result.path, 'utf8');
+    expect(written).toBe('# Hello\n\nbody');
+  });
+
+  it('writes an html artifact', async () => {
+    const result = await writeHtmlArtifact(
+      {
+        html_content: '<!DOCTYPE html><html><head><title>X</title></head></html>',
+        char_count: 56,
+        title: 'X',
+      },
+      { projectId: 'pid', projectRoot },
+    );
+    expect(result.path).toMatch(/\.boocode\/artifacts\/x-\d+\.html$/);
+    const written = await readFile(result.path, 'utf8');
+    expect(written).toContain('<!DOCTYPE html>');
+  });
+
+  it('creates the artifacts directory if absent', async () => {
+    // Confirm the writer mkdir-recursive's the artifacts dir on first call.
+    const result = await writeMarkdownArtifact(
+      { content: '# T' },
+      { projectId: 'pid', projectRoot },
+    );
+    expect(result.path).toContain('.boocode/artifacts');
+  });
+});
+
+describe('1MB cap behavior', () => {
+  it('reports the correct byte threshold', () => {
+    expect(HTML_ARTIFACT_MAX_BYTES).toBe(1_048_576);
+  });
+
+  it('exceeds threshold for oversize payload', () => {
+    const oversize = '<!DOCTYPE html>' + 'A'.repeat(HTML_ARTIFACT_MAX_BYTES);
+    expect(Buffer.byteLength(oversize, 'utf8')).toBeGreaterThan(
+      HTML_ARTIFACT_MAX_BYTES,
+    );
+  });
+
+  it('detectHtmlArtifact still returns content above the cap (cap is checked by caller)', () => {
+    // Detection is content-shape; the cap check lives in finalizeCompletion
+    // (error-handler.ts). This test pins that contract: the helper does not
+    // silently drop oversize payloads on the floor.
+    const big = '<!DOCTYPE html>' + 'x'.repeat(2_000_000);
+    expect(detectHtmlArtifact(big)).not.toBeNull();
+  });
+});
+
+describe('decideHtmlArtifactWrite', () => {
+  // Pure helper extracted from finalizeCompletion's cap-skip branch. Pins
+  // the warn-and-skip decision without mocking the full InferenceContext.
+  it('returns write=true for payloads under the cap', () => {
+    const html = '<!DOCTYPE html><html></html>';
+    const decision = decideHtmlArtifactWrite(html);
+    expect(decision.write).toBe(true);
+    expect(decision.byteLen).toBe(Buffer.byteLength(html, 'utf8'));
+  });
+
+  it('returns write=false with cap_exceeded reason for oversize payloads', () => {
+    const big = '<!DOCTYPE html>' + 'x'.repeat(HTML_ARTIFACT_MAX_BYTES);
+    const decision = decideHtmlArtifactWrite(big);
+    expect(decision.write).toBe(false);
+    if (!decision.write) {
+      expect(decision.reason).toBe('cap_exceeded');
+      expect(decision.byteLen).toBeGreaterThan(HTML_ARTIFACT_MAX_BYTES);
+    }
+  });
+
+  it('accepts payload exactly at the cap (boundary)', () => {
+    // byteLen === cap should write; only strictly greater skips.
+    const exact = 'x'.repeat(HTML_ARTIFACT_MAX_BYTES);
+    const decision = decideHtmlArtifactWrite(exact);
+    expect(decision.write).toBe(true);
+    expect(decision.byteLen).toBe(HTML_ARTIFACT_MAX_BYTES);
+  });
+});
+
+describe('symlink escape protection', () => {
+  // Closes the gap where `.boocode/artifacts` is a symlink pointing
+  // outside the project root. The lexical prefix check on the resolved
+  // candidate path passes (it's under projectRoot textually), but the
+  // post-mkdir realpath verification must catch the escape.
+  let projectRoot: string;
+  let outside: string;
+  beforeEach(async () => {
+    projectRoot = await mkdtemp(join(tmpdir(), 'artifacts-symlink-root-'));
+    outside = await mkdtemp(join(tmpdir(), 'artifacts-symlink-outside-'));
+  });
+  afterEach(async () => {
+    await rm(projectRoot, { recursive: true, force: true });
+    await rm(outside, { recursive: true, force: true });
+  });
+
+  it('throws PathScopeError when .boocode/artifacts is a symlink to outside the project', async () => {
+    // Create .boocode dir, then make `artifacts` a symlink pointing outside.
+    await mkdir(join(projectRoot, '.boocode'), { recursive: true });
+    await symlink(outside, join(projectRoot, '.boocode', 'artifacts'));
+    await expect(
+      writeMarkdownArtifact(
+        { content: '# Hello' },
+        { projectId: 'pid', projectRoot },
+      ),
+    ).rejects.toBeInstanceOf(PathScopeError);
+  });
+});

apps/server/src/services/artifacts.ts

@@ -0,0 +1,255 @@
+// v1.14.x-html-artifact-panes: artifact writer + slug derivation.
+//
+// Writes Markdown and HTML artifacts to `<projectRoot>/.boocode/artifacts/`
+// as plain files. Returns `{path, url}` where:
+//   - path is the absolute on-disk path
+//   - url is a project-scoped REST URL pointing at the GET download route
+//     registered in routes/artifacts.ts. The route streams the file with
+//     Content-Disposition: attachment.
+//
+// Path safety: we do NOT use path_guard.ts (it realpaths and throws ENOENT
+// for files that don't exist yet, which artifact creation requires).
+// Instead we mirror the v1.13.18 codecontext_client.ts pattern: resolve
+// the candidate path against the realpath'd projectRoot, then verify the
+// result starts with projectRoot + sep (or equals projectRoot).
+
+import { mkdir, realpath, writeFile } from 'node:fs/promises';
+import { resolve, sep } from 'node:path';
+import { PathScopeError } from './path_guard.js';
+import type { Message } from '../types/api.js';
+
+export interface HtmlArtifactPayload {
+  html_content: string;
+  char_count: number;
+  title: string | null;
+}
+
+export interface ArtifactWriteResult {
+  path: string;
+  url: string;
+}
+
+const ARTIFACT_SUBDIR = '.boocode/artifacts';
+
+// ---- slug helpers ----
+
+// Lowercase, replace non-alnum runs with '-', trim leading/trailing '-',
+// collapse repeated '-', cap at 60 chars. Empty → 'artifact'.
+function slugify(input: string): string {
+  const cleaned = input
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .replace(/-{2,}/g, '-')
+    .slice(0, 60)
+    .replace(/^-+|-+$/g, '');
+  return cleaned || 'artifact';
+}
+
+function firstHeading(md: string): string | null {
+  // Match the first `# ` ATX heading at the start of a line.
+  const m = md.match(/^[ \t]*#[ \t]+(.+?)\s*$/m);
+  if (!m) return null;
+  const text = m[1]?.trim() ?? '';
+  return text.length > 0 ? text : null;
+}
+
+function firstNWords(s: string, n: number): string {
+  const words = s.trim().split(/\s+/).filter(Boolean).slice(0, n);
+  return words.join(' ');
+}
+
+export function deriveMarkdownSlug(messageContent: string): string {
+  const heading = firstHeading(messageContent);
+  if (heading) return slugify(heading);
+  const sixWords = firstNWords(messageContent, 6);
+  return slugify(sixWords);
+}
+
+// Strip HTML tags for inner-text extraction. Crude but sufficient for slug
+// derivation — we're not rendering, just finding readable words.
+function stripTags(html: string): string {
+  return html
+    .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, ' ')
+    .replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, ' ')
+    .replace(/<[^>]+>/g, ' ')
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+function extractTitleTag(html: string): string | null {
+  const m = html.match(/<title[^>]*>([\s\S]*?)<\/title>/i);
+  if (!m) return null;
+  const text = stripTags(m[1] ?? '').trim();
+  return text.length > 0 ? text : null;
+}
+
+function extractH1(html: string): string | null {
+  const m = html.match(/<h1[^>]*>([\s\S]*?)<\/h1>/i);
+  if (!m) return null;
+  const text = stripTags(m[1] ?? '').trim();
+  return text.length > 0 ? text : null;
+}
+
+export function deriveHtmlSlug(payload: {
+  html_content: string;
+  title: string | null;
+}): string {
+  if (payload.title && payload.title.trim().length > 0) {
+    return slugify(payload.title);
+  }
+  const title = extractTitleTag(payload.html_content);
+  if (title) return slugify(title);
+  const h1 = extractH1(payload.html_content);
+  if (h1) return slugify(h1);
+  const inner = stripTags(payload.html_content);
+  return slugify(firstNWords(inner, 6));
+}
+
+// Derive title for the html_artifact part payload: <title> → first <h1> →
+// first 80 chars of inner text. Returns null if nothing useful is found.
+export function deriveHtmlTitle(html: string): string | null {
+  const t = extractTitleTag(html);
+  if (t) return t;
+  const h1 = extractH1(html);
+  if (h1) return h1;
+  const inner = stripTags(html);
+  if (inner.length === 0) return null;
+  return inner.slice(0, 80);
+}
+
+// ---- HTML detection (B4) ----
+
+// Returns the inner HTML content if `text` is a recognised HTML artifact:
+//   - starts with <!DOCTYPE html> (case-insensitive, whitespace-trimmed), OR
+//   - wrapped entirely in a fenced ```html ... ``` block.
+// Returns null if neither matches.
+export function detectHtmlArtifact(text: string): string | null {
+  const trimmed = text.trim();
+  if (trimmed.length === 0) return null;
+  if (/^<!doctype\s+html/i.test(trimmed)) {
+    return trimmed;
+  }
+  // Fenced ```html block consuming the entire (trimmed) message. Allow an
+  // optional trailing newline before the closing fence.
+  const fence = trimmed.match(/^```html\s*\n([\s\S]*?)\n?```\s*$/i);
+  if (fence) {
+    const inner = fence[1] ?? '';
+    if (/^\s*<!doctype\s+html/i.test(inner) || /<html[\s>]/i.test(inner)) {
+      return inner.trim();
+    }
+  }
+  return null;
+}
+
+// ---- path resolution ----
+
+// Resolve `<projectRoot>/.boocode/artifacts/<filename>` and verify the
+// result stays under projectRoot. Mirrors the v1.13.18 codecontext_client.ts
+// approach: realpath projectRoot first, then prefix-check the candidate.
+// Throws on escape.
+async function resolveArtifactPath(
+  projectRoot: string,
+  filename: string,
+): Promise<{ resolvedRoot: string; artifactsDir: string; absPath: string }> {
+  const resolvedRoot = await realpath(projectRoot);
+  const artifactsDir = resolve(resolvedRoot, ARTIFACT_SUBDIR);
+  const absPath = resolve(artifactsDir, filename);
+  // Lexical prefix check on the resolved candidates. (The `!== resolvedRoot`
+  // branch was dead — ARTIFACT_SUBDIR is non-empty so artifactsDir always
+  // differs from resolvedRoot.)
+  if (!artifactsDir.startsWith(resolvedRoot + sep)) {
+    throw new PathScopeError(
+      `artifacts dir escapes project root: ${artifactsDir}`,
+    );
+  }
+  if (!absPath.startsWith(artifactsDir + sep)) {
+    throw new PathScopeError(
+      `artifact filename escapes artifacts dir: ${filename}`,
+    );
+  }
+  return { resolvedRoot, artifactsDir, absPath };
+}
+
+// After mkdir, realpath the artifacts dir and re-verify it stays under
+// resolvedRoot. Closes the symlink-escape gap: if `.boocode/artifacts` (or
+// any ancestor below resolvedRoot) is a symlink pointing outside the
+// project, the lexical check in resolveArtifactPath passes but the actual
+// write lands outside the sandbox. Throws PathScopeError on escape.
+async function assertArtifactsDirSafe(
+  artifactsDir: string,
+  resolvedRoot: string,
+): Promise<void> {
+  const realDir = await realpath(artifactsDir);
+  if (realDir !== resolvedRoot && !realDir.startsWith(resolvedRoot + sep)) {
+    throw new PathScopeError(
+      `artifacts dir resolves outside project root: ${realDir}`,
+    );
+  }
+}
+
+// Pure decision helper for whether finalizeCompletion should write the
+// `html_artifact` part. Exported for unit testing the cap-skip branch.
+// Returns `{write: true, byteLen}` when the payload is under the cap, or
+// `{write: false, byteLen, reason: 'cap_exceeded'}` when oversize.
+export type HtmlArtifactDecision =
+  | { write: true; byteLen: number }
+  | { write: false; byteLen: number; reason: 'cap_exceeded' };
+
+export function decideHtmlArtifactWrite(
+  htmlContent: string,
+): HtmlArtifactDecision {
+  const byteLen = Buffer.byteLength(htmlContent, 'utf8');
+  if (byteLen > HTML_ARTIFACT_MAX_BYTES) {
+    return { write: false, byteLen, reason: 'cap_exceeded' };
+  }
+  return { write: true, byteLen };
+}
+
+function buildUrl(projectId: string, filename: string): string {
+  return `/api/projects/${projectId}/artifacts/${encodeURIComponent(filename)}`;
+}
+
+export interface WriteContext {
+  projectId: string;
+  projectRoot: string;
+}
+
+export async function writeMarkdownArtifact(
+  message: Pick<Message, 'content'>,
+  ctx: WriteContext,
+): Promise<ArtifactWriteResult> {
+  const slug = deriveMarkdownSlug(message.content);
+  const filename = `${slug}-${Date.now()}.md`;
+  const { resolvedRoot, artifactsDir, absPath } = await resolveArtifactPath(
+    ctx.projectRoot,
+    filename,
+  );
+  await mkdir(artifactsDir, { recursive: true });
+  await assertArtifactsDirSafe(artifactsDir, resolvedRoot);
+  await writeFile(absPath, message.content, 'utf8');
+  return { path: absPath, url: buildUrl(ctx.projectId, filename) };
+}
+
+export async function writeHtmlArtifact(
+  payload: HtmlArtifactPayload,
+  ctx: WriteContext,
+): Promise<ArtifactWriteResult> {
+  const slug = deriveHtmlSlug(payload);
+  const filename = `${slug}-${Date.now()}.html`;
+  const { resolvedRoot, artifactsDir, absPath } = await resolveArtifactPath(
+    ctx.projectRoot,
+    filename,
+  );
+  await mkdir(artifactsDir, { recursive: true });
+  await assertArtifactsDirSafe(artifactsDir, resolvedRoot);
+  await writeFile(absPath, payload.html_content, 'utf8');
+  return { path: absPath, url: buildUrl(ctx.projectId, filename) };
+}
+
+// 1MB cap on HTML artifacts (proposal S6). Larger payloads are not written
+// to the `html_artifact` part — the assistant text lands as plain content
+// and a warning is logged. Streaming abort was considered but the graceful
+// "no artifact, plain text falls back" path is simpler and lossless from
+// the user's perspective.
+export const HTML_ARTIFACT_MAX_BYTES = 1_048_576;

apps/server/src/services/inference/error-handler.ts

@@ -1,7 +1,14 @@
 import type { MessageMetadata, Session } from '../../types/api.js';
+import {
+  decideHtmlArtifactWrite,
+  detectHtmlArtifact,
+  deriveHtmlTitle,
+  HTML_ARTIFACT_MAX_BYTES,
+} from '../artifacts.js';
 import * as modelContext from '../model-context.js';
 import { maybeFlagForCompaction } from './payload.js';
 import { insertParts, partsFromAssistantMessage } from './parts.js';
+import type { PartInsert } from './parts.js';
 import type { InferenceContext, StreamResult, TurnArgs } from './turn.js';
 
 export async function handleAbortOrError(
@@ -120,17 +127,42 @@ export async function finalizeCompletion(
   // a kind='reasoning' part alongside the text.
   // TODO(v1.13.1): wrap the UPDATE above and this insertParts in a single
   // sql.begin before flipping read authority to message_parts.
-  await insertParts(
-    ctx.sql,
-    partsFromAssistantMessage({
-      content,
-      tool_calls: null,
-      reasoning: result.reasoning,
-    }).map((p) => ({
-      ...p,
-      message_id: assistantMessageId,
-    })),
-  );
+  const baseParts: PartInsert[] = partsFromAssistantMessage({
+    content,
+    tool_calls: null,
+    reasoning: result.reasoning,
+  }).map((p) => ({
+    ...p,
+    message_id: assistantMessageId,
+  }));
+  // v1.14.x-html-artifact-panes: opportunistic HTML detection. Adds a
+  // SIBLING html_artifact part — never replaces the text part. 1MB cap is
+  // graceful: oversized payloads are skipped and the assistant message
+  // lands as plain content (warn logged).
+  const htmlContent = detectHtmlArtifact(content);
+  if (htmlContent !== null) {
+    const decision = decideHtmlArtifactWrite(htmlContent);
+    if (!decision.write) {
+      ctx.log.warn(
+        { assistantMessageId, byteLen: decision.byteLen, cap: HTML_ARTIFACT_MAX_BYTES },
+        'html_artifact exceeded 1MB cap; skipping artifact part',
+      );
+    } else {
+      const title = deriveHtmlTitle(htmlContent);
+      const nextSeq = baseParts.reduce((m, p) => Math.max(m, p.sequence), -1) + 1;
+      baseParts.push({
+        message_id: assistantMessageId,
+        sequence: nextSeq,
+        kind: 'html_artifact',
+        payload: {
+          html_content: htmlContent,
+          char_count: htmlContent.length,
+          title,
+        },
+      });
+    }
+  }
+  await insertParts(ctx.sql, baseParts);
   // v1.11: flag for compaction on the terminal turn too. Catches the common
   // case of a turn that hit the limit without invoking tools.
   await maybeFlagForCompaction(ctx, chatId, updated);

apps/server/src/services/inference/parts.ts

@@ -11,13 +11,16 @@ import type { ToolCall, ToolResult } from '../../types/api.js';
 // (schema.sql adds 'synthesis' to message_parts_kind_chk on startup). The
 // dispatch's claim that no schema migration was needed assumed kind was a
 // bare text column — it isn't; the constraint enumerates allowed values.
+// v1.14.x-html-artifact-panes: 'html_artifact' added. Schema CHECK constraint
+// in schema.sql updated in lockstep.
 export type PartKind =
   | 'text'
   | 'tool_call'
   | 'tool_result'
   | 'reasoning'
   | 'step_start'
-  | 'synthesis';
+  | 'synthesis'
+  | 'html_artifact';
 
 export interface PartInsert {
   message_id: string;