Module Generation Orchestration for Themis Workflow

[JasonWarrenUK]

Overview

Implements step 5 of the Themis workflow: module generation orchestration. Users can now generate individual modules or entire courses with AI, tracking progress in real-time. Each module is generated with full course context (narratives, arc themes, preceding modules) to ensure thematic coherence and avoid content repetition.

Tip

No additional setup required. The feature uses existing Metis generation infrastructure with course-awareness extensions.

Changes

Component: ModuleGenerationList (857 lines)

Complete module generation orchestration interface with:

• Arc-grouped display: Collapsible sections showing modules organized by thematic arc
• Progress tracking: Real-time statistics (completed/total, generating, errors) with visual progress bar
• Generation controls: Individual module generation, bulk "Generate All", and per-arc generation
• Status management: Visual indicators (planned, generating, complete, error) with colour coding
• Module preview: Modal for viewing generated XML content
• Export integration: Theia export button for downloading course structure at any time
• Error handling: Inline error messages with retry capability
• Responsive design: Mobile-friendly layout with stacked elements

API Endpoint: /api/themis/module (168 lines)

Course-aware module generation API that:

• Accepts module slot data with full course context (narratives, arc theme, preceding modules)
• Converts Themis requests to Metis-compatible format via synthetic XML generation
• Supports SSE streaming for real-time progress updates
• Implements Zod validation for type-safe requests/responses
• Reuses existing Metis generation pipeline with course awareness layer

Prompt Enhancement

File: src/lib/factories/prompts/metisPromptFactory.ts (+75 lines)

Added buildCourseAwareModulePrompt() function that:

• Injects course context after the overview section of base prompts
• Includes course narrative, progression narrative, and overall goals
• Adds arc theme and progression for thematic consistency
• Lists preceding module titles to avoid content repetition
• Provides integration guidelines for maintaining course coherence

Maintains full backward compatibility with standalone Metis generation.

Schema & Validation

File: src/lib/schemas/apiValidator.ts (+60 lines)

New schemas for type-safe API contracts:

• CourseContextSchema: Course narrative, progression, arc theme, preceding modules
• ModuleSlotSchema: Module data structure with status tracking
• ModuleGenerationRequestSchema: Request validation with course context
• ModuleGenerationResponseSchema: Response validation with XML content

All schemas provide full TypeScript type inference via Zod.

Workflow Integration

File: src/routes/themis/generate/+page.svelte (+15 lines)

• Added step 5 event handlers (handleModuleGenerationSubmit, handleModuleGenerationBack)
• Integrated ModuleGenerationList component into workflow
• Navigation flow: Structure Review → Module Generation → Course Overview
• Auto-save functionality via existing persisted stores

Documentation

File: docs/dev/status/Themis-MVP.md

Updated status tracking to reflect milestone 2.7 progress.

---

Summary

This PR is like hiring a master chef who not only knows every recipe in the cookbook (Metis), but also understands the entire dinner party menu (course structure), remembers which dishes have already been served (preceding modules), and adjusts each course to complement the overall culinary narrative (arc themes). Instead of cooking each dish in isolation, the chef ensures every module fits perfectly into the multi-course meal, avoiding repetitive flavours whilst maintaining thematic coherence from appetizer to dessert. And they've got a live video feed showing exactly what's simmering on each burner (SSE streaming).

[claude]

Summary

This PR implements module generation orchestration for the Themis workflow with comprehensive SSE streaming, state management, and course context integration. The architecture reuses existing Metis infrastructure while adding course-awareness through synthetic XML conversion. The code follows established patterns well, with strong type safety via Zod schemas. However, there are several areas requiring attention: race conditions in sequential generation, error handling edge cases, potential memory concerns with large courses, and missing test coverage.

Critical Issues Found:

1. Course-aware prompt builder is imported but never used
2. Race condition in generateAll() polling loop
3. SSE stream memory leak on component unmount
4. XML injection vulnerability (no character escaping)
5. No test coverage for 1175 lines of new code

See full review details below.

[claude]

Code Quality and Best Practices

Excellent Patterns

✅ Architectural Reuse - Clean Themis-to-Metis adapter pattern via convertToMetisFormat(), maintaining single responsibility while avoiding code duplication.

✅ Type Safety - Comprehensive Zod schemas with full TypeScript inference and proper validation boundaries at API entry points.

✅ Reactive State Management - Good use of Svelte reactive declarations with proper derived state from stores.

Critical Issue: Missing Prompt Builder Integration

Location: src/routes/api/themis/module/+server.ts:62-65

The API endpoint imports buildCourseAwareModulePrompt but never uses it. The code passes the converted body directly to createSSEStream, which uses the standard buildGenerationPrompt internally. This means all 75 lines of course context injection code in metisPromptFactory.ts is currently unused.

Recommendation: Update SSEStreamConfig type to accept optional promptBuilder function, then use it in retryHandler.ts. Otherwise, modules are being generated without course awareness.

Other Improvements Needed

• Component Size (ModuleGenerationList.svelte - 855 lines): Handles too many responsibilities (SSE parsing, state mutations, progress tracking, UI rendering, modal preview). Suggest breaking into 5 smaller components.

• Hardcoded Values (src/routes/api/themis/module/+server.ts:150-163): cohortSize: 12 and experience values should come from courseContext.

• Alert Usage (ModuleGenerationList.svelte:174): Using native alert() breaks the elegant UI. Use toast notifications.

• British English: Per CLAUDE.md, ensure British spellings throughout.

[claude]

Potential Issues

Critical Issues

1. Race Condition in Sequential Generation (ModuleGenerationList.svelte:218-235)

The generateAll function uses setInterval polling to check if generation is complete. Problems:

• ❌ Polling anti-pattern (checks every 1 second)
• ❌ No timeout (infinite loop if generatingModuleId never becomes null)
• ❌ Race condition between check and assignment
• ❌ No error propagation (continues after failures)

Fix: Refactor generateModule to return a Promise that resolves on completion.

2. SSE Stream Memory Leak (ModuleGenerationList.svelte:99-123)

If component unmounts while stream is active, the reader is never cancelled. Stream continues consuming memory in background.

Fix: Add onDestroy cleanup with activeReader tracking and cancellation.

3. Buffer Handling Edge Case (ModuleGenerationList.svelte:113-114)

If server never sends \n\n delimiters, buffer grows indefinitely.

Fix: Add MAX_BUFFER_SIZE constant (e.g., 10MB) and throw error if exceeded.

4. Store Mutation Without Immutability (ModuleGenerationList.svelte:61-68)

Direct mutation: targetModule.status = 'generating' violates immutability principles. Use spread operators for proper immutable updates.

5. XML Injection Vulnerability (src/routes/api/themis/module/+server.ts:96-138)

No escaping for XML special characters. If module title contains <, >, &, produces invalid XML.

Fix: Create escapeXml utility function.

Medium Priority Issues

• Missing Error Boundaries: No try-catch around SSE JSON parsing (line 119). Malformed JSON crashes component.
• Module Finding Logic Duplication: Nested loop pattern appears multiple times. Extract to updateModuleById utility.
• Inconsistent Error Recovery: Network errors, timeouts, and parsing errors all get generic treatment.

[claude]

Performance Considerations

Course Data Serialisation Cost (ModuleGenerationList.svelte:81-92)

Entire courseData object is stringified for every module generation. For a 10-module course with 50KB context, that's 500KB of redundant data sent over network.

Solution: Cache course context on server side with session/course ID, or memoize the context string.

Store Update Frequency

Three currentCourse.update() calls per module trigger:

• Store serialisation to localStorage
• All derived store recalculations
• Component re-renders

For 20-module course = 40+ localStorage writes.

Solution: Batch updates or debounce localStorage writes.

getPrecedingModuleTitles Complexity (ModuleGenerationList.svelte:197-216)

Time complexity O(n) called once per module generation. Could be memoized since it only depends on course structure.

Arc Expansion State (ModuleGenerationList.svelte:30-34)

Expanding first arc by default immediately renders all module cards. Consider virtual scrolling or default to collapsed state.

Modal Re-rendering (ModuleGenerationList.svelte:419-440)

flatMap + find runs on every component update. Move to reactive declaration to avoid unnecessary computation.

Positive Aspects

✅ Efficient derived stores with flatMap + reduce
✅ SSE streaming avoids polling
✅ Status-based conditional rendering

[claude]

Security Concerns

1. No Request Rate Limiting (src/routes/api/themis/module/+server.ts)

User can spam "Generate All" button, potentially:

• Exhausting Anthropic API credits
• Overloading server with SSE connections
• Creating self-inflicted DoS

Fix: Add rate limiting (recommend 5 requests per minute per IP using Upstash, Redis, or in-memory).

2. Unbounded Input Sizes (src/lib/schemas/apiValidator.ts:176-227)

Schemas validate types but not sizes. courseNarrative could be 10MB of text.

Fix: Add max length constraints:

• title: 200 chars
• narratives: 10,000 chars
• precedingModules: max 100 items, 200 chars each

3. XML Injection Vulnerability

User-controlled data flows into XML templates without escaping. Example attack:

Module title: "></Description><MaliciousTag>Injected</MaliciousTag><Description x="

While not XSS, could break validation, cause parsing errors, or pollute content.

4. Error Messages Leak Implementation Details (src/routes/api/themis/module/+server.ts:74-84)

Detailed errors reveal internal architecture. Sanitise based on NODE_ENV.

5. No CORS Configuration

Ensure appropriate origin restrictions.

Positive Security Practices

✅ Zod validation at API boundary
✅ API key in environment variables
✅ SSE-only endpoint rejects non-streaming clients
✅ Type safety reduces injection surface

[claude]

Test Coverage

Current State: NO TESTS ❌

This is the most critical gap in the PR. For 1,175 lines of new code touching core generation logic, API endpoints, and complex state management, the lack of tests is concerning.

Immediate Priority (Block Merge)

Before this PR can be merged, add at minimum:

1. API endpoint validation tests

   • Invalid request body → 400 error
   • Missing Accept header → 400 error
   • Missing ANTHROPIC_API_KEY → 500 error
   • Valid request → SSE stream with correct headers

2. convertToMetisFormat tests

   • Valid XML structure generation
   • Special character escaping (currently broken)
   • Empty/null field handling
   • Course context inclusion

3. Store derived value tests

   • moduleStatusCounts accuracy
   • allModulesComplete logic
   • Edge cases (empty arcs, all statuses)

4. Component mount/unmount tests

   • SSE reader cleanup (catch memory leaks)
   • Store subscription cleanup
   • Event listener cleanup

Recommended Full Test Suite

Unit Tests:

• buildCourseAwareModulePrompt (inject context, preceding modules)
• getPrecedingModuleTitles (edge cases: first module, single arc, multiple arcs)
• Pure utility functions

Integration Tests:

• Full API endpoint flow with mocked Claude client
• SSE event streaming and parsing
• Error scenarios and retry logic

Component Tests:

• Render arcs/modules with various states
• Generate button triggers correct fetch
• SSE event handling (progress, complete, error)
• Preview modal open/close
• Navigation and form submission

Test Infrastructure Needed

• vitest.config.ts configuration
• Package.json scripts (test, test:ui, test:coverage)
• Dependencies: vitest, @testing-library/svelte, jsdom, @vitest/ui
• Mock helpers for SSE streams and API responses

Coverage Goals

• Unit tests: 90%+ on pure functions
• Integration: All API paths with success/error cases
• Component: Critical user flows (generate, retry, preview)
• E2E (optional): Full workflow from structure to export

[claude]

Recommendations Priority

🔴 CRITICAL (Block Merge)

1. Fix course-aware prompt not being used (+server.ts:62-65)

   • Import is there, implementation is missing
   • All course context injection code currently unused

2. Fix race condition in generateAll() polling loop

   • Replace setInterval with Promise-based approach
   • Add timeout protection

3. Add SSE stream cleanup on component unmount

   • Implement onDestroy with activeReader cancellation
   • Prevent memory leaks

4. Add XML escaping to prevent injection

   • Create escapeXml utility function
   • Apply to all user-controlled strings in XML templates

5. Add basic test coverage

   • Minimum: API validation tests
   • Recommended: convertToMetisFormat + store tests
   • Critical: component mount/unmount tests

🟡 HIGH PRIORITY (Address Soon)

6. Refactor ModuleGenerationList to smaller components
7. Fix store immutability violations (use spread operators)
8. Add request rate limiting to API endpoint
9. Add input size constraints to Zod schemas
10. Replace alert() with proper toast notifications

🟢 MEDIUM PRIORITY (Nice to Have)

11. Optimise localStorage write batching
12. Memoize getPrecedingModuleTitles
13. Add comprehensive test suite
14. Extract hardcoded cohort defaults from course context
15. Add virtual scrolling for large module lists

---

Final Thoughts

This is a solid feature implementation that follows project patterns well. The architecture is clean, type safety is excellent, and the SSE streaming approach is the right choice.

However, the 5 critical issues (especially the unused prompt builder and missing tests) must be addressed before merge. The race condition and memory leak could cause production issues.

Once these are fixed, this will be production-ready! 🚀

Looking forward to seeing the updates. Happy to review again once changes are made.

[claude]

Summary

This PR successfully implements module generation orchestration for the Themis workflow with excellent architecture. The implementation follows established patterns, properly reuses existing infrastructure, and introduces a clean separation between Themis course context and Metis generation logic. The code is well-structured with strong typing and comprehensive SSE streaming support. However, there are several areas that need attention: the generateAll function has a problematic polling mechanism, error handling could be more robust, and there's no test coverage for this critical feature.

[claude]

🎯 Code Quality & Best Practices

Excellent Patterns

1. Architecture & Reusability ✅

• Brilliant reuse of Metis generation infrastructure through convertToMetisFormat() (src/routes/api/themis/module/+server.ts:103-178)
• Clean extension of RetryConfig and SSEStreamConfig with optional promptBuilder parameter (src/lib/types/agent.ts:52)
• Proper separation of concerns: Themis handles orchestration, Metis handles generation

2. Type Safety ✅

• Comprehensive Zod schemas for API validation (src/lib/schemas/apiValidator.ts:175-226)
• Strong TypeScript typing throughout with proper type inference
• Consistent use of discriminated unions for status tracking

3. Prompt Engineering ✅

• buildCourseAwareModulePrompt() properly extends base prompts without duplication (src/lib/factories/prompts/metisPromptFactory.ts:196-258)
• Course context injection is clean and maintains backward compatibility
• Integration guidelines clearly communicate expectations to the AI

4. User Experience ✅

• SSE streaming provides real-time feedback
• Progress tracking with visual indicators
• Arc-grouped display with collapsible sections
• Export functionality available at any time

Areas for Improvement

1. Component Size ⚠️

• ModuleGenerationList.svelte is 855 lines (src/lib/components/themis/ModuleGenerationList.svelte)
• Consider extracting into smaller components: ModuleCard.svelte, ArcSection.svelte, ProgressSummary.svelte, ModulePreviewModal.svelte

2. Magic Numbers ⚠️

• Hardcoded cohortSize: 12 (src/routes/api/themis/module/+server.ts:160)
• Hardcoded timeouts: 300000/120000ms (src/routes/api/themis/module/+server.ts:51)
• Consider extracting to configuration constants

3. Code Duplication ⚠️

• Similar arc/module iteration logic in getPrecedingModuleTitles() and handleGenerationComplete() (src/lib/components/themis/ModuleGenerationList.svelte:197-215, 152-168)
• Consider a utility function: findModule(courseData, moduleId)

4. British English Consistency ✅

• Code correctly uses narrative and Preceding (good British spelling)
• Comments and strings follow British conventions as per CLAUDE.md

[claude]

🐛 Potential Issues

Critical Issues

1. Race Condition in generateAll() 🔴

Problem at src/lib/components/themis/ModuleGenerationList.svelte:218-235 - Polling generatingModuleId every second is inefficient and could miss rapid state changes.

Solution: Return a Promise from generateModule() that resolves when complete instead of polling.

2. Unbounded Interval in Error Cases 🔴

• If generateModule() fails to set generatingModuleId = null, the interval runs forever
• No cleanup mechanism if component unmounts during generation
• Memory leak potential

3. Missing SSE Error Handling 🟡

At src/lib/components/themis/ModuleGenerationList.svelte:105-123, JSON.parse could throw if SSE data is malformed.

Solution: Wrap in try-catch for safe parsing.

4. Synthetic XML Escaping 🟡

At src/routes/api/themis/module/+server.ts:107-148, user input (title, description) is directly interpolated into XML without escaping.

Risk: Malicious input could break XML structure or inject unintended content.

Solution: Add XML escaping utility function.

Minor Issues

5. Type Safety with any 🟡

• handleSSEEvent(moduleId: string, event: any) - should use typed SSE event (src/lib/components/themis/ModuleGenerationList.svelte:131)
• convertToMetisFormat(request: ModuleGenerationRequest): any - should return typed GenerateRequest (src/routes/api/themis/module/+server.ts:103)

6. Missing Configuration 🟡
Consider making enableResearch configurable via props or course settings.

7. State Management Redundancy 🟡

• Both generatingModuleId (local) and module.status === generating (store) track the same thing
• Could simplify by deriving generatingModuleId from the store

[claude]

⚡ Performance Considerations

Current Performance

1. SSE Streaming ✅

• Excellent use of SSE for real-time feedback
• Proper chunking and buffer management
• Non-blocking UI updates

2. Sequential Generation ✅

• generateAll() correctly generates modules sequentially
• Ensures preceding modules are available for context
• Prevents API rate limiting issues

Potential Optimizations

1. Large Course Scaling 🟡

• For courses with 20+ modules, the generateAll() loop could take hours
• Consideration: Add pause/resume functionality
• Consideration: Allow configurable concurrency (e.g., generate 2-3 modules in parallel from different arcs)

2. Store Update Efficiency 🟡
Full store update triggers all subscribers, even for single module change. Consideration: Use immer for structural sharing or more granular stores per arc.

3. XML Preview Rendering 🟡

• Large XML files (5000+ lines) could slow modal rendering
• Consideration: Add syntax highlighting with code splitting (e.g., Prism.js)
• Consideration: Virtualize long content

4. Memory Management 🟡

• All generated XML stored in memory (src/lib/types/themis.ts:54-58)
• For 15 modules with 200KB XML each = 3MB in localStorage + memory
• Consideration: Add compression for localStorage persistence

[claude]

🔒 Security Concerns

High Priority

1. XML Injection 🔴

• User input directly interpolated into XML without escaping (src/routes/api/themis/module/+server.ts:107-148)
• Risk: Malicious input could break XML structure or inject unintended content
• Fix: Implement XML escaping utility

2. API Key Exposure ✅

• Properly uses env.ANTHROPIC_API_KEY (src/routes/api/themis/module/+server.ts:24)
• Key is server-side only (not exposed to client)
• Good error handling for missing key

Medium Priority

3. Client-Side State Tampering 🟡

• Course data stored in localStorage can be modified by user
• Risk: Low (users can only harm their own data)

4. SSE Stream Injection 🟡

• No validation of SSE event types/structure before processing
• Fix: Add Zod schema validation for SSE events

Low Priority

5. CSRF Protection ✅

• SvelteKit provides CSRF protection by default

6. Rate Limiting ⚠️

• No rate limiting on /api/themis/module endpoint
• Consideration: Add rate limiting middleware if this becomes public

[claude]

✅ Test Coverage

Current State

No test files found ❌

This is a significant gap for a feature this critical. The PR adds 1,197 lines of code with complex state management, async operations, and API interactions—all without automated tests.

Recommended Test Coverage

1. Unit Tests Needed

• API Endpoint (src/routes/api/themis/module/+server.ts)
• Prompt Factory buildCourseAwareModulePrompt
• convertToMetisFormat function (especially XML escaping)

2. Integration Tests Needed

• ModuleGenerationList component behavior
• Store integration (moduleStatusCounts, allModulesComplete)

3. E2E Tests Needed

• Complete Themis module generation flow
• Single and batch generation
• Retry on failure
• Module preview and export

Testing Priority

1. Critical: XML escaping in convertToMetisFormat (security issue)
2. High: SSE stream parsing and error handling (most complex logic)
3. High: getPrecedingModuleTitles (business logic correctness)
4. Medium: Component state management (user experience)
5. Medium: API endpoint validation (API contract)

Test Infrastructure

The project appears to have no test infrastructure set up. Recommended setup:

• Unit/Integration: Vitest (fast, Vite-native)
• Component: Svelte Testing Library
• E2E: Playwright (SvelteKit recommended)
• Mocking: MSW for API mocking

[claude]

---

Overall Assessment

Strengths:

• Excellent architecture following established patterns
• Strong type safety and validation
• Great UX with SSE streaming and progress tracking
• Proper separation of concerns

Critical Issues:

• generateAll() polling mechanism needs refactoring
• Missing XML escaping (security issue)
• Zero test coverage

Recommendation: Request changes for critical issues before merging. The polling mechanism and XML escaping must be addressed. Test coverage should be added before or immediately after merge.

[claude]

Summary

This PR implements the module generation orchestration (step 5) of the Themis workflow, enabling course-aware module generation with real-time progress tracking. The implementation is architecturally sound, reuses existing Metis infrastructure effectively, and includes excellent XML injection protection. However, there are several areas requiring attention: concurrency management in the UI, error handling completeness, memory management concerns, and the absence of automated tests.

🎯 Code Quality & Best Practices

Strengths

Excellent Architecture & Reuse

• Clean separation of concerns between UI (ModuleGenerationList), API layer (themis/module/+server.ts), and generation logic
• Smart reuse of Metis generation pipeline via convertToMetisFormat() at src/routes/api/themis/module/+server.ts:104
• Custom prompt builder pattern (PromptBuilder type) enables course-aware generation without duplicating retry logic
• XML escaping utility (src/lib/utils/xml/xmlEscape.ts) follows security best practices

Type Safety

• Comprehensive Zod validation schemas in src/lib/schemas/apiValidator.ts:168-226
• Strong TypeScript types throughout (CourseContext, ModuleSlotData, etc.)
• Proper use of discriminated unions for event types

Code Style

• Consistent with project conventions from CLAUDE.md
• Clear, descriptive naming conventions
• Good documentation in JSDoc comments

Areas for Improvement

1. Concurrency Management in UI Component

The generatingModuleId state variable at src/lib/components/themis/ModuleGenerationList.svelte:16 only tracks a single module generation, but the generateAll() function at line 261 attempts sequential generation.

Issue: If a user clicks "Generate All" and then clicks an individual "Generate" button, the UI may display inconsistent state.

Recommendation: Consider using a Set to track multiple generating modules OR disable all buttons when batch generation is active with a separate flag isBatchGenerating.

2. Promise Resolution Pattern

At src/lib/components/themis/ModuleGenerationList.svelte:87-101, the handleComplete function is only called inside the SSE event loop, but if the stream closes without sending a complete or error event, the promise may never resolve/reject, causing generateAll() to hang indefinitely.

Recommendation: Add a timeout or ensure the promise resolves in the finally block if not already resolved.

🐛 Potential Issues

Critical Issues

1. Reader Cleanup Race Condition

At src/lib/components/themis/ModuleGenerationList.svelte:137-162, reader.cancel() calls are not awaited, so if unmount happens while a reader is mid-operation, the cleanup might not complete before the component is destroyed.

Recommendation: Track promise rejectors alongside readers to ensure promises are rejected on cleanup. Consider using AbortController pattern for cleaner cancellation propagation.

2. JSON.parse Error Handling

At src/lib/components/themis/ModuleGenerationList.svelte:154, SSE data is parsed without error handling. Malformed SSE data will throw an uncaught exception, breaking the entire generation flow.

Recommendation: Wrap in try-catch and log/handle parsing errors gracefully.

3. Module State Mutation

The currentCourse.update() calls mutate module objects directly. While Svelte will detect the change, this pattern is fragile and may cause issues if the store implementation changes.

Recommendation: Consider creating new objects instead of mutating existing ones, following immutable update patterns.

Minor Issues

4. Type Safety

• src/routes/api/themis/module/+server.ts:104: convertToMetisFormat returns any
• src/lib/components/themis/ModuleGenerationList.svelte:95 and 174: event: any

Recommendation: Define explicit types for better type safety and IntelliSense support.

⚡ Performance Considerations

1. Memory Usage with Long Responses

At src/lib/components/themis/ModuleGenerationList.svelte:140-150, the SSE stream accumulates chunks in a buffer with string concatenation. If module generation produces large XML outputs (multiple MB), this could cause performance degradation.

Recommendation: Monitor buffer size and add a maximum size check.

2. Sequential Generation

The generateAll() function processes modules sequentially. For a course with 10 modules taking 2 minutes each, this would require 20 minutes total.

Recommendation: Document this design decision in code comments. This may be intentional to avoid rate limits, reduce costs, or maintain coherence.

🔒 Security Concerns

Strengths

Excellent XML Injection Protection ✅

The new xmlEscape.ts utility properly escapes all XML special characters and is correctly used throughout convertToMetisFormat().

Areas for Improvement

1. Server-Side Input Validation

While Zod validation is present, consider adding length limits for string fields to prevent excessive memory usage:

courseNarrative: z.string().max(10000, 'Course narrative too long')

2. Error Message Information Disclosure

At src/routes/api/themis/module/+server.ts:86-94, detailed error messages are returned to the client. Depending on the error, this could expose internal implementation details.

Recommendation: Use generic error messages for production, but keep detailed logging server-side.

3. Rate Limiting Consideration

The generateAll() function can trigger multiple expensive API calls. Consider implementing client-side throttling to prevent accidental rapid-fire requests.

✅ Test Coverage

Critical Gap: No Automated Tests

The codebase currently has no test files, as confirmed by glob searches. This PR adds 1,300+ lines of complex functionality without any automated test coverage.

Recommended Test Coverage

Unit Tests Needed

1. xmlEscape.ts - Essential security functionality
2. convertToMetisFormat() - Core transformation logic
3. buildCourseAwareModulePrompt() - Prompt construction

Integration Tests Needed

1. API Endpoint (/api/themis/module) - Test successful generation, validation errors, SSE streaming
2. Component Interaction - Test module status updates, SSE event handling, error states

Recommendation

Given the complexity of this feature and its critical role in the Themis workflow, strongly recommend adding at least:

1. Unit tests for xmlEscape.ts (security-critical)
2. Unit tests for convertToMetisFormat() (transformation logic)
3. Integration test for the API endpoint with mocked Anthropic client

Consider setting up a testing framework (Vitest for unit tests, Playwright for E2E) as a follow-up task.

---

Summary

This is a well-architected feature that thoughtfully extends the existing Metis infrastructure for course-aware generation. The code quality is generally high with good separation of concerns and strong type safety. The XML escaping implementation is particularly commendable.

Before merging, please address:

1. ✅ Add JSON.parse error handling in SSE stream processing
2. ✅ Document the sequential generation design decision in generateAll()
3. ✅ Add types to replace any usage
4. ⚠️ Consider the promise resolution timeout issue
5. ⚠️ Consider adding basic tests for xmlEscape.ts at minimum

Follow-up recommendations:

• Set up automated testing infrastructure
• Add memory usage monitoring for large module generations
• Document concurrency handling decisions for future developers

Great work overall! The course narrative integration is elegant and the real-time progress tracking will provide excellent UX.

[JasonWarrenUK]

Code Review Fixes - Critical Issues Resolved

Addressed all 4 CRITICAL priority issues from code review:

✅ Fixed: Course-Aware Prompt Not Being Used (76e451c)

Problem: buildCourseAwareModulePrompt was imported but never actually called - all generation used default Metis prompt without course context.

Solution:

• Added PromptBuilder type to agent.ts
• Updated RetryConfig and SSEStreamConfig interfaces to accept optional promptBuilder parameter
• Modified retryHandler.ts to use custom or default prompt builder
• Modified sseHandler.ts to pass through the promptBuilder
• Wired buildCourseAwareModulePrompt into API endpoint

Impact: Course narratives, arc themes, and preceding module context now properly injected into AI generation prompts.

---

✅ Fixed: Race Condition in generateAll() (bb0f6ab)

Problem: Used setInterval to poll generatingModuleId every 1s with no timeout protection - classic race condition pattern.

Solution:

• Converted generateModule() to return Promise<void>
• Promise resolves when SSE stream sends 'complete' or 'error' event
• generateAll() now uses clean sequential await instead of polling
• Proper error handling - failed modules don't block subsequent ones

Impact: No more race conditions, proper sequential execution, clean Promise-based flow.

---

✅ Fixed: Missing SSE Stream Cleanup (e382863)

Problem: ReadableStream readers kept running after component unmount, causing memory leaks.

Solution:

• Track active readers in Set<ReadableStreamDefaultReader>
• Add reader to set when SSE stream starts
• Remove from set in finally block when stream completes
• Cancel all active readers in onDestroy lifecycle hook

Impact: Proper resource cleanup on component unmount, no memory leaks from abandoned SSE connections.

---

✅ Fixed: XML Injection Vulnerability (d9d608c)

Problem: User-controlled data directly interpolated into XML without escaping (e.g., ${moduleSlot.title}).

Solution:

• Created reusable utility: src/lib/utils/xml/xmlEscape.ts
  • escapeXml() - Escapes &, <, >, ", '
  • escapeXmlArray() - Batch escape for arrays
• Applied to all user data in convertToMetisFormat():
  • Module titles, descriptions, objectives, topics
  • Course titles, narratives, progressions
  • Arc narratives and progressions
  • Preceding module titles

Impact: Prevents XML/XSS injection attacks. Example:

• Input: AI & ML: <script>alert('xss')</script>
• Output: AI & ML: <script>alert('xss')</script>

---

Remaining Tasks (Lower Priority)

HIGH Priority:

• Fix store immutability violations (use spread operators)
• Replace alert() with toast notifications

MEDIUM Priority:

• Add basic test coverage (API validation, Zod schemas)

These can be addressed in a follow-up PR or before merge if preferred.

[claude]

Summary

This PR successfully implements course-aware module generation for the Themis workflow, building on the existing Metis infrastructure. The implementation is architecturally sound, properly reuses existing patterns (factories, SSE streaming, retry logic), and includes good security practices (XML escaping). However, there are some areas for improvement around error handling, SSE stream cleanup, and test coverage. The code is production-ready with the suggested refinements.

🎯 Code Quality & Best Practices

Strengths

Architecture & Reuse

• ✅ Excellent reuse of existing Metis infrastructure via synthetic XML conversion (src/routes/api/themis/module/+server.ts:104)
• ✅ Proper use of factory patterns for prompts (buildCourseAwareModulePrompt)
• ✅ Follows established SSE streaming patterns consistently
• ✅ Good separation of concerns: API endpoint, prompt factory, component logic

Code Organization

• ✅ ModuleGenerationList.svelte is well-structured with clear sections
• ✅ Proper use of Svelte lifecycle hooks (onMount, onDestroy)
• ✅ Good reactive state management with derived stores
• ✅ TypeScript types properly enforced throughout

Documentation

• ✅ Functions have clear JSDoc comments
• ✅ Inline comments explain non-obvious logic
• ✅ PR description is comprehensive and well-organised

Areas for Improvement

1. Component Size
ModuleGenerationList.svelte is 895 lines - consider splitting into smaller components:

• ArcSection.svelte (arc header + module list)
• ModuleCard.svelte (individual module with status/actions)
• ModulePreviewModal.svelte (preview functionality)
• ProgressSummary.svelte (statistics and progress bar)

This would improve maintainability and testability.

2. Duplicate Store Updates
The pattern of finding and updating modules is repeated multiple times (lines 74-82, 195-211, 221-236). Consider extracting to a utility:

function updateModuleInCourse(
  moduleId: string, 
  updater: (module: ModuleSlot) => void
) {
  currentCourse.update(course => {
    if (!course) return course;
    for (const arc of course.arcs) {
      const module = arc.modules.find(m => m.id === moduleId);
      if (module) {
        updater(module);
        break;
      }
    }
    return course;
  });
}

3. British English Consistency
Per CLAUDE.md guidelines, consider changing:

• "Canceled" → "Cancelled" in SSE cleanup code (line 44)

4. Magic Numbers
Timeout values (src/routes/api/themis/module/+server.ts:52) should be extracted to constants:

const RESEARCH_TIMEOUT_MS = 300000; // 5 minutes
const STANDARD_TIMEOUT_MS = 120000; // 2 minutes

🐛 Potential Issues

Critical

1. Race Condition in SSE Stream Cleanup
In ModuleGenerationList.svelte:160-162, the reader is removed from activeReaders in a finally block, but if onDestroy runs concurrently with a completing stream, the reader.cancel() call might fail or leave streams in an inconsistent state.

Recommendation: Use a cancellation flag:

let cancelled = false;

onDestroy(() => {
  cancelled = true;
  activeReaders.forEach(reader => reader.cancel());
});

// In stream processing:
if (cancelled) break;

2. SSE Parsing Vulnerability
Line 154: JSON.parse(line.slice(6)) will throw if the server sends malformed JSON. This could crash the entire generation flow.

Recommendation: Wrap in try-catch:

try {
  const data = JSON.parse(line.slice(6));
  handleSSEEvent(module.id, data);
  handleComplete(data);
} catch (err) {
  console.error('Invalid SSE data:', line, err);
  // Handle gracefully - maybe continue or trigger error state
}

3. Missing Error Handling in generateAll
Line 265-267: The function continues generating after errors without checking if a critical failure occurred. If the API endpoint is down, it will attempt to generate all remaining modules.

Recommendation: Add circuit breaker logic:

let consecutiveErrors = 0;
const MAX_CONSECUTIVE_ERRORS = 3;

for (const module of arc.modules) {
  try {
    await generateModule(module, arc);
    consecutiveErrors = 0; // Reset on success
  } catch (error) {
    consecutiveErrors++;
    if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
      alert('Multiple generation failures. Stopping batch generation.');
      return;
    }
  }
}

Moderate

4. Memory Leak Potential
The completionHandlers object (lines 89-92) creates a closure that captures the promise resolve/reject, but if the component unmounts before generation completes, these handlers remain in memory.

Recommendation: Clear handlers on cleanup or use AbortController pattern.

5. Alert() Usage
Lines 217, 298: Using alert() is not user-friendly and blocks the UI. Consider using a toast notification system or modal.

6. Type Safety Gap
Line 174: event: any loses type safety. Define a proper SSE event type union:

type SSEEvent = 
  | { type: 'complete'; xmlContent: string }
  | { type: 'error'; message: string }
  | { type: 'progress'; stage: string }
  | { type: 'validation_started' }
  | { type: 'validation_success' };

Minor

7. Console Logs in Production
Line 175: console.log('SSE Event:', event) should be conditional on environment or removed for production.

8. Empty Confirm Dialog
Line 294: The confirm message could be more descriptive about what "proceed anyway" means.

⚡ Performance Considerations

Good Practices

• ✅ Reactive computations are properly optimised with Svelte's $: syntax
• ✅ SSE streaming prevents blocking while waiting for long-running generations
• ✅ Store updates trigger minimal re-renders due to proper reactivity

Optimisation Opportunities

1. Sequential Module Generation
The generateAll function (line 261) generates modules sequentially with await. For courses with many modules, this could take hours.

Recommendation: Consider controlled concurrency:

async function generateAll(concurrency = 2) {
  const queue = courseData.arcs.flatMap(arc => 
    arc.modules.filter(m => m.status !== 'complete')
      .map(m => ({ module: m, arc }))
  );
  
  while (queue.length > 0) {
    const batch = queue.splice(0, concurrency);
    await Promise.allSettled(
      batch.map(({ module, arc }) => generateModule(module, arc))
    );
  }
}

Trade-off: More concurrent requests increase API costs and may hit rate limits. Document this clearly for users.

2. Re-render Optimisation
Each store update triggers re-render of the entire ModuleGenerationList. With 20+ modules, this could feel sluggish.

Recommendation: Use {#key moduleId} blocks or extract ModuleCard to a separate component with export let module to leverage Svelte's granular reactivity.

3. Large XML Preview
The modal (line 406) renders the entire XML content with no virtualisation. For large modules (10KB+), this could cause jank.

Recommendation: Consider syntax highlighting with lazy loading, or limit preview to first 5000 characters with a "show more" button.

4. LocalStorage Performance
The currentCourse store persists on every update via persistedStore. With rapid status updates during generation, this could cause unnecessary I/O.

Recommendation: Debounce persistence or only persist on specific events (generation complete, navigation away).

🔒 Security Concerns

Strengths

• ✅ Excellent XML escaping implementation (src/lib/utils/xml/xmlEscape.ts)
• ✅ All user input is properly escaped before XML injection (src/routes/api/themis/module/+server.ts:108-118)
• ✅ Zod validation prevents malformed requests
• ✅ Proper error handling prevents information leakage

Areas for Attention

1. XSS in Error Messages
ModuleGenerationList.svelte:377-379 renders module.errorMessage directly in HTML. If the API returns user-controlled content in error messages, this could be an XSS vector.

Recommendation: Sanitise error messages or use {@text} instead of {@html}:

<div class="error-message">
  <strong>Error:</strong> {@text module.errorMessage}
</div>

Note: Currently safe because error messages come from server code, but defensive programming is recommended.

2. XML Escaping Edge Case
The escapeXml function (src/lib/utils/xml/xmlEscape.ts:24-35) correctly handles standard XML entities, but doesn't handle Unicode control characters (U+0000-U+001F except tab/newline/carriage return) which are invalid in XML.

Recommendation: Add control character filtering:

.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]/g, '');

3. Rate Limiting
No client-side rate limiting for the "Generate All" button. A user could trigger 50+ concurrent API requests.

Recommendation: Already partially addressed by sequential generation, but consider adding a cooldown or request queuing on the backend.

4. CORS and API Key Exposure
The API endpoint uses env.ANTHROPIC_API_KEY correctly on the server side (not exposed to client). However, confirm that CORS headers are properly configured to prevent cross-origin abuse.

✅ Test Coverage

Current State

❌ No tests found - This is a significant gap for a feature with complex async logic and state management.

Recommended Test Coverage

Unit Tests Needed

1. XML Escaping (src/lib/utils/xml/xmlEscape.ts)

   describe('escapeXml', () => {
     it('escapes XML special characters', () => {
       expect(escapeXml('a & b < c > d "e" \'f\'')).toBe('a &amp; b &lt; c &gt; d &quot;e&quot; &apos;f&apos;');
     });
     
     it('handles null/undefined', () => {
       expect(escapeXml(null)).toBe('');
       expect(escapeXml(undefined)).toBe('');
     });
   });

2. Prompt Factory (src/lib/factories/prompts/metisPromptFactory.ts)

   • Test that course context is properly injected
   • Test with/without preceding modules
   • Test validation error handling

3. API Request Conversion (src/routes/api/themis/module/+server.ts:104)

   • Test convertToMetisFormat with various inputs
   • Verify all fields are properly escaped
   • Test edge cases (empty arrays, special characters)

Integration Tests Needed

1. API Endpoint (src/routes/api/themis/module/+server.ts)

   it('rejects requests without SSE support', async () => {
     const response = await POST({ request: new Request('http://localhost', {
       method: 'POST',
       headers: { 'content-type': 'application/json' },
       body: JSON.stringify(validRequest)
     })});
     expect(response.status).toBe(400);
   });
   
   it('validates request schema', async () => {
     // Test with invalid moduleSlot
   });
   
   it('handles streaming correctly', async () => {
     // Test SSE stream format
   });

2. Store Logic (src/lib/stores/themisStores.ts)

   • Test moduleStatusCounts derivation
   • Test allModulesComplete edge cases (empty arcs, mixed statuses)
   • Test backward compatibility migration (lines 23-39)

Component Tests Needed

1. ModuleGenerationList.svelte

   describe('ModuleGenerationList', () => {
     it('expands first arc on mount', () => { /* ... */ });
     
     it('updates status during generation', () => { /* ... */ });
     
     it('handles SSE errors gracefully', () => { /* ... */ });
     
     it('cancels active streams on unmount', () => { /* ... */ });
     
     it('disables generation when another module is generating', () => { /* ... */ });
   });

E2E Tests Needed

1. Full workflow: Structure review → Generate module → View preview → Export
2. Error recovery: Failed generation → Retry → Success
3. Batch generation: "Generate All" → Monitor progress → Complete

Testing Recommendations

• Use Vitest for unit/integration tests (fast, well-integrated with Vite)
• Use Playwright or Testing Library for component tests
• Mock the Anthropic API responses for reliable tests
• Add GitHub Actions workflow to run tests on PR

Priority

🔴 High Priority: API endpoint tests, XML escaping tests, store logic tests
🟡 Medium Priority: Component tests for core generation logic
🟢 Low Priority: E2E tests (can be added incrementally)

---

Recommendations Summary

Must Fix Before Merge

1. Add try-catch around SSE JSON parsing (line 154)
2. Fix potential race condition in stream cleanup
3. Improve generateAll error handling with circuit breaker

Should Fix Before Merge

4. Extract magic numbers to constants
5. Replace alert() with proper UI notifications
6. Add basic unit tests for XML escaping and API conversion

Nice to Have (Follow-up PR)

7. Split large component into smaller pieces
8. Add test coverage (especially integration tests)
9. Implement concurrent module generation with configurable concurrency
10. Add Unicode control character filtering to XML escaping

---

Overall Assessment: This is solid work that follows the project's established patterns. The course-aware generation approach is elegant, and the reuse of Metis infrastructure is exemplary. With the critical fixes applied, this is ready to merge. 🚀

[claude]

Summary

Excellent implementation of the Themis module generation orchestration feature. The code demonstrates strong architectural consistency by reusing established patterns (factories, SSE streaming, validation) and properly handling course context for coherent multi-module generation. The XML escaping utility addresses a critical security concern. Minor improvements suggested around error handling, race conditions in concurrent generation, and potential performance optimisations for large courses.

---

Full review with collapsible sections posted separately due to length constraints...

[claude]

🎯 Code Quality & Best Practices

Strengths

1. Architectural Consistency ✅

• Excellent reuse of established patterns (factories, SSE streaming, retry logic)
• convertToMetisFormat() in src/routes/api/themis/module/+server.ts:104-192 elegantly bridges Themis and Metis without duplicating generation logic
• Proper use of Zod schemas for type-safe API boundaries

2. State Management ✅

• Clean reactive patterns in ModuleGenerationList.svelte using Svelte stores
• Proper resource cleanup with onDestroy() cancelling active SSE readers (lines 40-48)

3. Separation of Concerns ✅

• UI component handles orchestration and display
• API endpoint handles conversion and validation
• Prompt factory extends base functionality cleanly with buildCourseAwareModulePrompt()

Suggestions

1. Magic Numbers - src/routes/api/themis/module/+server.ts:174
cohortSize: 12 should be extracted to a config constant or derived from course data

2. Type Safety - ModuleGenerationList.svelte:95,174
handleComplete and handleSSEEvent use 'any' types. Consider defining explicit SSE event union types

3. Hard-coded Experience Levels - src/routes/api/themis/module/+server.ts:176-178
prereq and focus values should come from courseContext or be configurable per module

4. Console Logging - ModuleGenerationList.svelte:175
console.log('SSE Event:', event) could leak sensitive course data to console. Remove or use logging utility with redaction.

[claude]

🐛 Potential Issues

Critical

1. Race Condition in generateAll() - ModuleGenerationList.svelte:261-275

The component only tracks a single generatingModuleId. Line 344 disables Generate All when ANY module is generating, but if a user manually triggers individual module generation while Generate All is paused, UI state could become confused.

Recommendation: Either make generatingModuleId a Set to track multiple concurrent generations, or add explicit UI state to distinguish bulk vs single generation.

2. Missing Error Boundary in Modal - ModuleGenerationList.svelte:459-480

The preview modal doesn't verify xmlContent is non-empty. A module could have moduleData: {} with no xmlContent.

Recommendation: Add optional chaining and fallback display

Medium Priority

3. Promise Rejection in Async IIFE - ModuleGenerationList.svelte:103-170

The async IIFE inside generateModule() could fail without being caught by outer promise handlers if an error occurs during stream reading setup. Attach .catch() to the IIFE.

4. Incomplete getPrecedingModuleTitles() Logic - ModuleGenerationList.svelte:240-259

Doesn't account for modules that might have failed generation. Consider filtering by status to only include completed modules.

5. No Timeout Handling - ModuleGenerationList.svelte:106-124

API has timeouts (2-5min) but component doesn't handle timeout errors specially. Users might see generic Generation failed message.

[claude]

⚡ Performance Considerations

Current Performance Profile

Good: Sequential generation prevents API rate limiting and manages resource usage effectively.

Potential Optimisations

1. Large Course Handling - ModuleGenerationList.svelte:23-25

For courses with 20+ modules, progress calculations run on every store update. totalModules is constant after mount, so calculate it once instead of on every reactive update.

2. Nested Store Updates - ModuleGenerationList.svelte:194-211

handleGenerationComplete() uses nested loops to find modules. For large courses, this is O(n*m). Consider maintaining a Map<moduleId, {arcIndex, moduleIndex}> for O(1) lookups.

3. Modal Rendering - ModuleGenerationList.svelte:459-480

The modal searches for the preview module on every render using flatMap and find. Compute this once when opening the modal instead.

4. SSE Buffer Management - ModuleGenerationList.svelte:140-159

String concatenation in SSE decoder is generally fine for typical payloads, but could be optimized with TextDecoderStream API for very large responses (though probably overkill here).

Memory Management ✅

Excellent: Proper cleanup of SSE readers in onDestroy() prevents memory leaks.

[claude]

🔒 Security Concerns

Strengths ✅

1. XML Injection Prevention - src/lib/utils/xml/xmlEscape.ts

The new escapeXml() utility is critical and correctly implemented with proper escaping order (ampersand first), handling all five XML special characters, and null/undefined safety.

2. Comprehensive Escaping in API - src/routes/api/themis/module/+server.ts:108-119

All user-provided data is properly escaped before XML embedding. This is excellent security practice.

Concerns

1. XSS in Module Preview Modal - ModuleGenerationList.svelte:472

Risk Level: Low (Svelte escapes by default, XML is validated before storage)

The XML preview renders raw content. While Svelte escapes by default, XML comes from AI generation and could theoretically contain malicious content if AI is compromised or prompt-injected.

Recommendation: Add Content Security Policy headers to prevent any script execution.

2. Course Context Data in Console Logs - ModuleGenerationList.svelte:175

SSE events may contain course narratives and sensitive educational content. This could leak proprietary curriculum data.

Recommendation: Remove or use logging library with redaction for production builds.

3. Client-Side Course Data Exposure - ModuleGenerationList.svelte:112-123

Risk Level: Low (depends on business requirements)

Entire courseContext is sent in request body. Course structure is fully exposed in browser network logs. If proprietary content, consider using session-based course IDs or request signing.

Validation ✅

Strong validation with Zod schemas ensures type safety and prevents malformed data from reaching the generation pipeline.

[claude]

✅ Test Coverage

Current State

No new test files were added in this PR. Given the scope (895-line component + API endpoint + utilities), this is a significant gap.

Recommended Test Coverage

1. Unit Tests for xmlEscape.ts ⭐ HIGH PRIORITY

This is security-critical code that MUST be tested. Recommended tests:

• Escapes ampersands correctly
• Escapes less-than and greater-than
• Escapes quotes (double and single)
• Handles multiple special characters
• Handles null and undefined
• Critical: Escapes ampersand BEFORE other characters (catches common escape order bug)

2. Unit Tests for convertToMetisFormat()

Test the XML generation and proper escaping of special characters in synthesized XML.

3. Integration Tests for API Endpoint

Test the full request/response cycle with mocked Claude client.

4. Component Tests for ModuleGenerationList.svelte

Using @testing-library/svelte:

• Test module status transitions
• Test arc expansion/collapse
• Test generateAll() behavior
• Test error display
• Test preview modal

5. E2E Tests (Lower priority)

Full workflow test: configure course → generate structure → generate modules → export

Coverage Metrics

Suggested minimum coverage for this PR:

• xmlEscape.ts: 100% (security-critical)
• convertToMetisFormat(): 90%
• API endpoint: 80%
• Component: 60% (focus on critical paths)

[claude]

Additional Notes

Excellent Decisions ✅

1. Proper async/await in generateAll() - Sequential generation with proper error handling prevents race conditions
2. SSE streaming reuse - Leveraging existing infrastructure rather than reinventing
3. Separation of course context injection - buildCourseAwareModulePrompt() extends rather than replaces base prompts
4. Memory management - Proper cleanup of SSE readers prevents memory leaks

Documentation

The PR description is exemplary with clear breakdown of changes. Consider adding:

• JSDoc comments to ModuleGenerationList.svelte component props
• Usage example in component docstring

Migration Path

No breaking changes detected. The feature integrates cleanly with existing workflows. ✅

---

Overall Assessment: Strong implementation that maintains architectural consistency while adding significant new functionality. Main gaps are around test coverage (especially for security-critical XML escaping) and some edge case error handling. The code is production-ready pending tests.

Recommendation: Approve with minor revisions - add tests for xmlEscape.ts before merging, and consider addressing the race condition and modal error boundary issues.