fix(build): suppress Turbopack over-bundling warning from agentSkills generator (#6582)

generator.ts builds outputBase from a non-literal outputDir parameter, so
Turbopack's file-tracing analyzer can't narrow it and emits an "Overly broad
patterns" warning per entry point that imports the module (603 warnings on
v3.8.46, up from 379). The fs access is legitimate and bounded, so
next.config.mjs now suppresses this specific diagnostic via turbopack.ignoreIssue,
mirroring the existing webpack.ignoreWarnings precedent in the same file.
This commit is contained in:
Diego Rodrigues de Sa e Souza 2026-07-09 04:49:28 -03:00
parent f4fb0d310b
commit af31b56fbc
3 changed files with 36 additions and 0 deletions

View file

@ -14,6 +14,7 @@ _Living section — bullets land here as PRs merge into `release/v3.8.47` (paral
### 🐛 Bug Fixes
- **fix(build):** Turbopack production build emitted an "Overly broad patterns can lead to build performance issues" warning per entry point importing `src/lib/agentSkills/generator.ts` (603 warnings reported on v3.8.46, up from 379 on v3.8.45) ([#6582](https://github.com/diegosouzapw/OmniRoute/issues/6582)) — `generator.ts`'s `outputBase` is built as `path.isAbsolute(outputDir) ? outputDir : path.join(process.cwd(), outputDir)`, where `outputDir` is a runtime function parameter, not a compile-time literal, so Turbopack's build-time file-tracing analyzer can't statically narrow the several dynamic `readdirSync`/`rmSync`/`readFileSync`/`writeFileSync` call sites a few lines below and falls back to a project-wide glob; #6366's commit message claimed to "anchor the base path with a literal" but the shipped code never did. Since this fs access is legitimate and bounded (`skills/<id>/SKILL.md`, ~48 known IDs), `next.config.mjs`'s `turbopack.ignoreIssue` (Next.js 16.2+) now suppresses this specific, known-benign diagnostic, mirroring the existing `webpack.ignoreWarnings`/`isNextIntlExtractorDynamicImportWarning` precedent already in the same file for the webpack path. Regression guard: `tests/unit/next-config.test.ts` (asserts the `turbopack.ignoreIssue` rule shape targeting `src/lib/agentSkills/**`).
- **fix(auth):** an API key restricted via `allowedModels`/`allowedCombos` could bypass that restriction entirely over the Codex Responses-over-WebSocket bridge ([#6564](https://github.com/diegosouzapw/OmniRoute/issues/6564)) — `prepare()` in `src/app/api/internal/codex-responses-ws/route.ts` authenticated the WS bridge's API key (`authenticate()`/`authorizeWebSocketHandshake()`) and honored `allowedConnections`, but never called `enforceApiKeyPolicy()`, the same model/combo policy gate the HTTP `/v1/responses` path enforces via `handleChat()` — so a key scoped to e.g. `combo/model-1.0` could still reach a direct Codex model like `gpt-5.5` through this transport, as long as an eligible Codex OAuth connection existed. The bridge's WS auth token arrives via query params (`api_key`/`token`/`access_token`), not a normal `Authorization` header, so a new `enforceCodexWsApiKeyPolicy()` builds an equivalent `Request` carrying an explicit `Authorization: Bearer <apiKey>` header and calls `enforceApiKeyPolicy()` against the CLIENT-requested model, before any Codex-specific model remapping or credential selection. Regression guard: `tests/unit/codex-ws-policy-enforcement-6564.test.ts` (a model-restricted key is rejected 403 before reaching credential selection; a combo-restricted key is rejected 403 requesting a disallowed combo; a key that DOES allow the requested model still proceeds past policy).
- **fix(security):** loopback-gate `/api/middleware/*` so a leaked JWT over a tunnel can't install or trigger a middleware hook — middleware hooks compile + run arbitrary JS via `new vm.Script` on the request hot path (`src/lib/middleware/registry.ts`), the same RCE class as the already-gated `/api/plugins/*`; `/api/middleware/` is now in `LOCAL_ONLY_API_PREFIXES` so loopback enforcement runs unconditionally before any auth check (Hard Rules #15 + #17). Regression guard: `tests/unit/route-guard-middleware-local-only.test.ts`. ([#6541](https://github.com/diegosouzapw/OmniRoute/pull/6541)) — see PR. (thanks @developerjillur)
- **fix(startup):** AgentBridge's MITM server no longer fails to start with `ROUTER_API_KEY is required` on a normal install ([#6403](https://github.com/diegosouzapw/OmniRoute/issues/6403)) — `POST /api/tools/agent-bridge/server` resolved the spawned MITM child's router key from only an explicit `apiKey` body field (never sent by the AgentBridge UI — the schema has no such field) and the `ROUTER_API_KEY` env var (unset by default), so `startMitm()` always received `""` and the child hard-exited, even though OmniRoute already had a usable API key in its own DB. A new `resolveRouterApiKey()` now falls back to `pickApiKeyForInternalUse()` (the same DB-backed selector the combo-health-check / cloud-sync internal probes use), resolving in order: explicit key → `ROUTER_API_KEY` env → an existing DB key. Regression guard: `tests/unit/agentbridge-mitm-router-key-6403.test.ts`.

View file

@ -116,6 +116,24 @@ const nextConfig = {
...mitmManagerAliasFor(process.env),
...minimalBuildAliases,
},
// src/lib/agentSkills/generator.ts builds its fs base path from a runtime
// `outputDir` parameter (`path.join(process.cwd(), outputDir)`), which is
// NOT a compile-time literal, so Turbopack's build-time file-tracing
// analyzer can't statically narrow the several dynamic readdirSync/rmSync/
// readFileSync/writeFileSync call sites a few lines below and falls back
// to an "Overly broad patterns... matches N files" warning — once per
// Next.js entry point that imports the module (/api/agent-skills/generate,
// /api/cli-tools/pi-settings). The fs access is legitimate and bounded
// (skills/<id>/SKILL.md, ~48 known IDs), so this is a known-benign,
// expected diagnostic — suppress it here rather than fight the analyzer,
// mirroring the isNextIntlExtractorDynamicImportWarning precedent below
// for the webpack path. (#6582)
ignoreIssue: [
{
path: "**/src/lib/agentSkills/**",
description: /Overly broad patterns can lead to build performance issues/,
},
],
},
output: "standalone",
compress: true,

View file

@ -271,6 +271,23 @@ test("next-intl webpack hook preserves caller config and filters known extractor
);
});
test("turbopack.ignoreIssue suppresses the agentSkills over-bundling warning (#6582)", async () => {
// src/lib/agentSkills/generator.ts joins process.cwd() with a runtime
// `outputDir` parameter — not a compile-time literal — so Turbopack's
// file-tracing analyzer can't narrow it and emits an "Overly broad
// patterns..." warning per entry point importing the module. The fs access
// is legitimate and bounded, so it's suppressed via turbopack.ignoreIssue
// rather than fought. This guards the config shape so the suppression rule
// isn't silently dropped in a future edit.
const { default: nextConfig } = await loadNextConfig("ignore-issue");
const rules = nextConfig.turbopack?.ignoreIssue;
assert.ok(Array.isArray(rules), "expected turbopack.ignoreIssue to be an array");
const agentSkillsRule = rules.find((rule) => String(rule.path).includes("agentSkills"));
assert.ok(agentSkillsRule, "expected an ignoreIssue rule targeting src/lib/agentSkills/**");
assert.match(String(agentSkillsRule.description), /Overly broad patterns/);
});
test("optimizePackageImports excludes the internal @omniroute/open-sse workspace (build-OOM guard)", async () => {
// Regression guard: adding the internal `@omniroute/open-sse` workspace to
// optimizePackageImports makes Next.js resolve its entire barrel at build