fix: ignore stale output comment bridge readiness

[PerishCode]

Closes #4126

Why

A Discord report suggested that commenting on generated outputs could be broken in 0.9.0. The output viewer can URL-load HTML artifacts and rely on an injected selection bridge for comments. A late od:url-selection-bridge-ready message from an older raw output URL could mark the current output as comment-ready before its own bridge had responded, leaving Comment mode on the URL-loaded iframe without a live selection bridge.

What users will see

Commenting on generated HTML outputs should reliably fall back to the srcDoc comment bridge until the current URL-loaded output reports that its own selection bridge is ready.

Surface area

• UI — new page / dialog / panel / menu item / setting / empty state in apps/web or apps/desktop (including Electron menu bar)
• Keyboard shortcut — new or changed
• CLI / env var — new od subcommand or flag, new tools-dev / tools-pack / tools-pr flag, or new OD_* env var
• API / contract — new /api/* endpoint, new SSE event, or changed shape in packages/contracts
• Extension point — new entry under skills/, design-systems/, design-templates/, or craft/, or change to the skills protocol
• i18n keys — added new translation keys (see TRANSLATIONS.md for the locale workflow)
• New top-level dependency — adding any new entry to the root package.json (dependencies or devDependencies); workspace-package package.json files are out of scope. Include a paragraph on what we get vs. what bytes we ship (see CONTRIBUTING.md → Code style)
• Default behavior change — changes what existing users experience without opting in (default model, default setting, file/SQLite schema, auto-network on startup, auto-install)
• None — internal refactor, docs, tests, or translation update only

Screenshots

Not applicable; no visual UI change.

Bug fix verification

• Test path that reproduces the bug: apps/web/tests/components/FileViewer.test.tsx (ignores stale URL selection bridge readiness after the output URL changes)
• Did the test go red on main and green on this branch? Not run locally; this environment does not have node, pnpm, npm, or mise on PATH. The test is written to fail before the href check because a stale ready message would keep comments on URL-load instead of falling back to srcDoc.

Validation

• git diff --check
• Attempted pnpm --filter @open-design/web test -- FileViewer.test.tsx file-viewer-render-mode.test.ts (blocked: pnpm: command not found)
• Attempted pnpm --filter @open-design/daemon test -- project-file-range.test.ts (blocked: pnpm: command not found)
• Attempted node --version, corepack --version, mise --version (blocked: commands not found)

_{🔁 Powered by Looper · runner=worker · agent=codex · An autonomous AI dev team for your GitHub repos.}

[lefarcen]

🧪 This PR changes a user-facing commenting flow, so it needs a manual QA pass before merge — please hold off self-merging for now; we'll loop QA in once it's merge-ready.

[github-actions]

Visual regression review

Head: 5ce880c · Base: 48da58f

6 changed · 32 unchanged · 0 missing baseline · 0 failed

Changed cases

Case	Main	PR	Diff
visual-avatar-local-agent-list
visual-integrations-use-everywhere
visual-settings-byok
visual-settings-byok-model-dropdown
visual-settings-byok-openai
visual-settings-local-cli

Unchanged cases

Case	Main	PR	Diff
visual-avatar-menu
visual-critical-settings
visual-critical-workspace
visual-critical-workspace-preview
visual-design-system-detail
visual-design-systems
visual-home
visual-home-catalog
visual-home-context-picker
visual-home-plugin-filter
visual-home-plugin-use-staged
visual-home-plugin-use-with-query
visual-home-staged-attachment
visual-integrations
visual-integrations-mcp
visual-new-project-modal
visual-onboarding-runtime
visual-plugin-details
visual-plugin-share-menu
visual-plugins

Visual diff is advisory only and does not block merging.

[nettee]

@PerishCode I verified the stale od:url-selection-bridge-ready race fix across the daemon bridge, the FileViewer readiness guard, and the new regression test covering a URL change mid-session. The href handshake matches the existing iframe lifecycle here, the changed ranges look internally consistent, and the PR checks are green; I couldn't rerun the focused Vitest locally in this worktree because node_modules are missing and vitest is not installed in the checkout. Nice, tight fix for a subtle timing bug in the comment transport.

_{🔁 Powered by Looper · runner=reviewer · agent=codex · An autonomous AI dev team for your GitHub repos.}