feat: auto display labels, billing, login UX, and popover scroll fixes

[bensonwong]

Summary

• Auto display labels: When visible citation text differs from anchorText, automatically set displayLabel so the popover shows what the user actually sees (582250f)
• Billing & usage warnings: Add PaymentRequiredError, usage-warning checks, billing CLI command, extract BILLING_URL constant (0cc5d2a, 04dadda, 02def0b, ad060ae)
• Login UX: Terminal key-paste fallback + cancel for login command; print free-tier welcome on browser OAuth (65498c4, 3c798ee)
• OCR hull-merge: Merge fragmented anchor-text bounding rects for OCR-split items so highlight overlays cover the full phrase (c2531b0)
• Popover scroll stability: Portal popover into the trigger's scroll-root ancestor (Radix ScrollArea viewport or nearest overflow:scroll/auto parent) using position:absolute instead of position:fixed. The popover now scrolls with page content, fixing scroll-eating in apps with body { overflow: hidden }. Applied to both React and vanilla CDN runtimes (5adacdd, 4953a1e, a91a344, 72267ef, 8a76476)
• Focus-trap fix: Rewrite inert focus-trap to walk from popover up to <body>, inerting siblings at each level — handles the popover now being inside <main> via the scroll container portal

Test plan

• Verify popover scrolls with page content (not fixed to viewport)
• Verify popover positions correctly on open in a Radix ScrollArea consumer
• Verify keyboard focus trap works — Tab stays within popover when opened via keyboard
• Verify billing CLI command opens billing URL
• Verify login command with terminal key-paste fallback
• Verify OCR-fragmented citation highlights cover the full anchor text
• Verify display labels auto-set when visible text differs from anchorText
• Run bun run test — 1713 tests pass
• Run bun run lint — no errors (warnings pre-existing)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

4 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
agui-chat-deepcitation	Ignored	Preview	Mar 31, 2026 11:43am
deepcitation-langchain-rag-chat	Ignored	Preview	Mar 31, 2026 11:43am
mastra-rag-deepcitation	Ignored	Preview	Mar 31, 2026 11:43am
nextjs-ai-sdk-deepcitation	Ignored	Preview	Mar 31, 2026 11:43am

[github-actions]

✅ Playwright Test Report

Status: Tests passed

📊 Download Report & Snapshots (see Artifacts section)

What's in the Visual Snapshots

The gallery includes visual snapshots for:

• 🖥️ Desktop showcase (all variants × all states)
• 📱 Mobile showcase (iPhone SE viewport)
• 📟 Tablet showcase (iPad viewport)
• 🔍 Popover states (verified, partial, not found)
• 🔗 URL citation variants

---

Run ID: 23795512476

[claude]

PR Review: feat: auto display labels, billing, login UX, and popover scroll fixes

This is a substantial PR bundling five feature areas. The OCR hull-merge, fuzzy anchor tests, and focus-trap generalization are solid. Below is a prioritized list of issues to address before merge.

---

Bugs

[HIGH] Double printFreeTierWelcome() on terminal-paste login path

src/cli.ts — saveApiKey() already calls printFreeTierWelcome() internally (~line 956). The login function then calls it again unconditionally after the if/else block (~line 1091). Users who paste a key in the terminal will see the welcome message printed twice.

Fix: Call printFreeTierWelcome() only in the winner.from === "browser" branch, or remove the call inside saveApiKey when invoked from login.

[MEDIUM] Stale position:fixed comment in positioning.ts

src/vanilla/runtime/positioning.ts lines 30-31 still say the wrapper uses position:fixed. The wrapper is now position:absolute inside a scroll container (as set in cdn.ts). The math is correct, but the comment is actively misleading. Please update it.

[MEDIUM] Fragile string comparison for cancel detection

src/cli.ts ~line 1093:

if ((err as Error).message === "Login cancelled") return;

This couples login() to the exact string in auth.ts's cancel(). If that message ever changes, the catch silently stops working. Use a dedicated CancelledError class or a sentinel Symbol.

[LOW] Nested-element regex can match inner closing tag

src/cli.ts ~line 603 uses [\s\S]*? non-greedy across element content. For an annotated <span> containing a nested <span>, it captures the inner close tag, producing a truncated visibleText and wrong displayLabel. The 80-char length guard reduces impact but does not eliminate the bug.

---

Security

[MEDIUM] Incomplete HTML attribute escaping in auto display label injection

src/cli.ts ~line 615:

const escaped = visibleText.replace(/"/g, """);

Only " is escaped. Single quotes, <, and > are not. Use a proper HTML attribute escaper covering &, <, >, ", and ' — consistent with the safeReplace() pattern used elsewhere.

[claude]

---

Code Quality

[LOW] BILLING_URL constant bypassed in warnUsage()

warnUsage() hardcodes ${BASE_URL}/api#billing directly at two call sites (~lines 277, 291) instead of using the BILLING_URL constant. Use BILLING_URL consistently.

[LOW] Unnecessary local alias in openBillingDashboard

const url = BILLING_URL;  // redundant — use BILLING_URL directly

[LOW] Inline as-cast on raw API response data

The inject logic casts verifications (raw API JSON) via an inline as { citation?: { anchorText?: string } }. Use a type guard or a properly-typed verifications type instead.

[claude]

---

Test Coverage

[MEDIUM] PaymentRequiredError has no unit test

src/__tests__/client/errors.test.ts covers AuthenticationError, NetworkError, RateLimitError, and ValidationError but not PaymentRequiredError. Add cases verifying billingCode, retryable, and httpStatus.

[MEDIUM] createApiError 402-branch has no test

The existing client.test.ts suite covers 401, 429, 422, and 500 responses but not 402.

[MEDIUM] onUsageWarning callback has no test

No test for: callback fires with correct used/limit values; callback does NOT fire when headers are absent; NaN-guarded case when header value is malformed.

[LOW] Auto display label injection not tested

No tests in cliInject.test.ts for the new auto-fix path: happy path, skip when label already present, length-guard (>80 chars), skip when visible text is already a substring of anchorText.

[claude]

---

Stale Test Comment

tests/playwright/specs/popoverScrollStability.spec.tsx lines 1-12 describe the old position:fixed behavior. The test body validates the new scroll-with-container behavior. Please update the comment.

---

Informational

USAGE_WARN_PCT and USAGE_CRITICAL_PCT are exported from src/index.ts, making them public API. If these are internal CLI thresholds, remove from the public export. If intentional, add JSDoc clarifying SDK consumer use cases.

---

Positives

• OCR hull-merge cleanly replaces gap-fill and correctly handles character-level fragmentation.
• fuzzyAnchor.test.ts is thorough: 60% threshold, OCR word-split artifacts, edge cases, known limitation pinned.
• The inert focus-trap rewrite (walking from popover to <body>) correctly handles portalling inside <main>.
• cancel() in startCallbackServer is a clean API — promise rejected, server and timeout both cleaned up.
• checkUsageWarning correctly gates on response.ok and uses Number.isNaN for header-absence detection.

---

Summary: The double-welcome-message bug (HIGH), incomplete HTML attribute escaping (MEDIUM/Security), and three missing billing/usage tests (MEDIUM) should be resolved before merge. The other items are lower-risk but worth addressing while the code is fresh.

[claude]

PR Review: feat: auto display labels, billing, login UX, and popover scroll fixes

This is a substantial PR bundling five feature areas. The OCR hull-merge, fuzzy anchor tests, and focus-trap generalization are solid. Below is a prioritized list of issues to address before merge.

---

Bugs

[HIGH] Double printFreeTierWelcome() on terminal-paste login path

src/cli.ts — saveApiKey() already calls printFreeTierWelcome() internally (~line 956). The login function then calls it again unconditionally after the if/else block (~line 1091). Users who paste a key in the terminal will see the welcome message printed twice.

Fix: Call printFreeTierWelcome() only in the winner.from === "browser" branch, or remove the call inside saveApiKey when invoked from login.

[MEDIUM] Stale position:fixed comment in positioning.ts

src/vanilla/runtime/positioning.ts lines 30-31 still say the wrapper uses position:fixed. The wrapper is now position:absolute inside a scroll container (as set in cdn.ts). The math is correct, but the comment is actively misleading. Please update it.

[MEDIUM] Fragile string comparison for cancel detection

src/cli.ts ~line 1093:

if ((err as Error).message === "Login cancelled") return;

This couples login() to the exact string in auth.ts's cancel(). If that message ever changes, the catch silently stops working. Use a dedicated CancelledError class or a sentinel Symbol.

[LOW] Nested-element regex can match inner closing tag

src/cli.ts ~line 603 uses [\s\S]*? non-greedy across element content. For an annotated <span> containing a nested <span>, it captures the inner close tag, producing a truncated visibleText and wrong displayLabel. The 80-char length guard reduces impact but does not eliminate the bug.

---

Security

[MEDIUM] Incomplete HTML attribute escaping in auto display label injection

src/cli.ts ~line 615:

const escaped = visibleText.replace(/"/g, """);

Only " is escaped. Single quotes, <, and > are not. Use a proper HTML attribute escaper covering &, <, >, ", and ' — consistent with the safeReplace() pattern used elsewhere.

---

Code Quality

[LOW] BILLING_URL constant bypassed in warnUsage()

warnUsage() hardcodes ${BASE_URL}/api#billing directly at two call sites (~lines 277, 291) instead of using the BILLING_URL constant. Use BILLING_URL consistently.

[LOW] Unnecessary local alias in openBillingDashboard

const url = BILLING_URL;  // redundant — use BILLING_URL directly

[LOW] Inline as-cast on raw API response data

The inject logic casts verifications (raw API JSON) via an inline as { citation?: { anchorText?: string } }. Use a type guard or a properly-typed verifications type instead.

---

Test Coverage

[MEDIUM] PaymentRequiredError has no unit test

src/__tests__/client/errors.test.ts covers AuthenticationError, NetworkError, RateLimitError, and ValidationError but not PaymentRequiredError. Add cases verifying billingCode, retryable, and httpStatus.

[MEDIUM] createApiError 402-branch has no test

The existing client.test.ts suite covers 401, 429, 422, and 500 responses but not 402.

[MEDIUM] onUsageWarning callback has no test

No test for: callback fires with correct used/limit values; callback does NOT fire when headers are absent; NaN-guarded case when header value is malformed.

[LOW] Auto display label injection not tested

No tests in cliInject.test.ts for the new auto-fix path: happy path, skip when label already present, length-guard (>80 chars), skip when visible text is already a substring of anchorText.

---

Stale Test Comment

tests/playwright/specs/popoverScrollStability.spec.tsx lines 1-12 describe the old position:fixed behavior. The test body validates the new scroll-with-container behavior. Please update the comment.

---

Informational

USAGE_WARN_PCT and USAGE_CRITICAL_PCT are exported from src/index.ts, making them public API. If these are internal CLI thresholds, remove from the public export. If intentional, add JSDoc clarifying SDK consumer use cases.

---

Positives

• OCR hull-merge cleanly replaces gap-fill and correctly handles character-level fragmentation.
• fuzzyAnchor.test.ts is thorough: 60% threshold, OCR word-split artifacts, edge cases, known limitation pinned.
• The inert focus-trap rewrite (walking from popover to <body>) correctly handles portalling inside <main>.
• cancel() in startCallbackServer is a clean API — promise rejected, server and timeout both cleaned up.
• checkUsageWarning correctly gates on response.ok and uses Number.isNaN for header-absence detection.

---

Summary: The double-welcome-message bug (HIGH), incomplete HTML attribute escaping (MEDIUM/Security), and three missing billing/usage tests (MEDIUM) should be resolved before merge. The other items are lower-risk but worth addressing while the code is fresh.