fix(web): hubSettings lazy sections — per-section minH for CLS prevention

[Skords-01]

Summary

Set per-section minH values on the Suspense fallback skeletons in HubSettingsPage.tsx to match each section's default-expanded height, preventing Cumulative Layout Shift when the lazy chunk resolves. Also updated JSDoc comments on SectionSkeletonProps.minH and SettingsSection.lazy to say "default-expanded height" instead of "collapsed-state height".

Affected sections (all were minH: 72):

• fizruk → 168 (1 SubGroup)
• finyk → 248 (3 SubGroups)
• routine → 248 (3 SubGroups, nested cards)
• nutrition → 280 (4 SubGroups, 1 defaultOpen with form fields)

Closes MEDIUM #2 from HubSettings CLS + chunk-load audit. MEDIUM #1 (ChunkErrorBoundary) was already shipped.

Governing Skill

• Primary skill: sergeant-web-ui

Playbook

• Primary playbook: none (small UI fix, no matching playbook)
• Why this playbook: per-section height tuning is a targeted CLS fix, not a feature/migration/deploy task

Verification

pnpm --filter @sergeant/web typecheck  # ✅ 0 errors
pnpm --filter @sergeant/web exec vitest run src/core/hub/ChunkErrorBoundary.test.tsx  # ✅ 3/3 passed
pnpm lint (turbo)  # ✅ 0 errors (3 pre-existing server warnings)

Additional checks:

• Local smoke / manual validation — values are heuristic estimates based on code analysis; exact heights should be verified via DevTools on pnpm dev:web at /hub#settings
• Surface-specific checks — typecheck clean for apps/web

Docs and Governance

• I updated docs that changed with the behavior, contract, workflow, or rollout.
• I checked whether AGENTS.md needed an update — no change needed.
• I checked whether a playbook or skill needed an update — no change needed.
• I checked whether governance docs or review docs needed an update — no change needed.

Updated docs:

• docs/90-work/audits/2026-05-25-hubsettings-cls-chunk-load.md — Status updated, MEDIUM feat(fizruk): refresh dashboard hero with greeting & insights #2 marked as addressed, per-section values documented

Risk and Rollout

• User-visible risk: Low — skeleton height change only affects the brief loading state before lazy chunk paints. If a value is too tall, the skeleton is slightly oversized (cosmetic, not functional). If too small, the original CLS still occurs (but reduced).
• Rollout / deploy order: standard merge-to-main
• Backout plan: revert PR; all minH values return to 72

Hard Rule #15

• I read AGENTS.md before coding.
• Internal docs I touched are in Ukrainian.
• I did not use --no-verify.

Reviewer Notes

• Per-section minH values are heuristic estimates based on component structure analysis (SubGroup count × ~40px header + SettingsGroup header ~56px + padding/gaps). Recommend verifying with DevTools measurements on pnpm dev:web at /hub#settings — if actual heights differ by >24px, adjust.
• Pre-existing format:check failure on docs/90-work/initiatives/0021-react-hooks-v7-cleanup.md (not touched by this PR) blocks pnpm check full gate.

---

Summary by cubic

Prevents CLS in Hub Settings by matching each lazy section’s skeleton to its default-expanded height. Also expands CI security by adding a Trivy scan for the OpenClaw image and updating security docs.

• Bug Fixes

  • Set per-section minH in HubSettingsPage.tsx to default-expanded height: fizruk 168, finyk 248, routine 248, nutrition 280 (all were 72).
  • Updated JSDoc on SectionSkeletonProps.minH and SettingsSection.lazy.minH to say “default-expanded height.”

• New Features

  • Added Trivy scan job for Dockerfile.openclaw (linux/amd64 guard, SARIF trivy-image-openclaw) alongside the API job; widened PR triggers.
  • Synced security docs to reflect coverage for both images and the platform invariant; refreshed OpenClaw branding in plop templates; expanded tests for ESLint rules and shared utils.

^{Written for commit 088674b. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sergeant	Ready	Preview, Comment	Jun 9, 2026 6:08pm

[coderabbitai]

Warning

Review limit reached

@Skords-01, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 47 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4c95449c-19a0-4259-a564-6e78fd961af4

📥 Commits

Reviewing files that changed from the base of the PR and between d0c1f53 and 088674b.

📒 Files selected for processing (10)

• apps/web/src/core/hub/HubSettingsPage.tsx
• apps/web/src/core/settings/SettingsPrimitives.tsx
• docs/04-governance/security/README.md
• docs/04-governance/security/container-scan.md
• docs/04-governance/security/distroless-upgrade-plan.md
• docs/04-governance/security/threat-model.md
• docs/90-work/audits/2026-05-25-hubsettings-cls-chunk-load.md
• docs/90-work/audits/2026-06-08-codebase-cleanup-audit.md
• docs/90-work/initiatives/0021-react-hooks-v7-cleanup.md
• docs/90-work/initiatives/stack-pulse-2026-05/pr-30-dockerfile-cleanup-cve.md

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/hub-settings-cls-error-boundary

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

⏱️ CI Pipeline Duration Report

Based on the last 50 successful runs on the default branch.

Overall Pipeline

Metric	Value
p50	6m 26s
p95	7m 55s
p99	9m 3s
Current run	12m 38s
vs p95	+59.6%

Trend (last 20 runs): ▃▃▁▂▃▃▃▂▃▃▂▂▄▃▃▆▅▄█▆

Per-Job Breakdown

Job	p50	p95	p99	Current	vs p95
Accessibility (axe-core)	2m 5s	2m 21s	2m 23s	0s	-100.0%
Commit messages (commitlint)	0s	0s	0s	27s	N/A
Critical-flow E2E (Playwright)	1m 36s	1m 44s	1m 44s	2m 32s	+46.2%
Migration lint (AGENTS rule	0s	0s	0s	9s	N/A
Pipeline duration (p95 trend)	26s	27s	27s	—	—
Secret scan (gitleaks)	8s	11s	11s	15s	+36.4%
Smoke E2E (Playwright)	1m 26s	1m 40s	1m 40s	—	—
Test coverage (vitest)	2m 4s	2m 33s	2m 33s	11m 42s	+358.8%
Workflow lint (actionlint)	7s	7s	7s	7s	+0.0%
check	4m 12s	4m 54s	5m 6s	40s	-86.4%
tsconfig strict guard (PR-1.A)	5s	14s	14s	9s	-35.7%

⚠️ Warning: Current run (12m 38s) exceeds p95 + 20% threshold (9m 30s). Consider reviewing slow jobs.