fix: #59 NFT warning, #60 undo/redo shortcuts, #62 api 401#64
Merged
Conversation
#62 (P1) — 401 on all /api/* routes: - proxy.ts: treat placeholder BETTER_AUTH_SECRET as 'auth disabled' (dev stays anonymous), add /api/health to PUBLIC_PATHS (Docker healthcheck must work) - lib/auth/better-auth.ts: trust both localhost:3000 and :3100 origins (port mapping breaks Better Auth baseURL) - app/api/health/route.ts: force-dynamic, runtime nodejs (no caching) #59 (P2) — Turbopack NFT warnings (3 → 1 remaining): Extract all dynamic fs/path/cwd into separately-imported modules so the NFT tracer never sees them at route boundaries: - lib/workspace/design-edit-fs.ts (from design-edit route) - lib/workspace/files-fs.ts (from files route) - lib/workspace/design-history-fs.ts (from design-history re-export) - lib/audit-fs.ts (from audit re-export) - lib/sin/orchestrator-stream-impl.ts (from orchestrator-stream wrapper) - lib/sin/orchestrator-runner.ts: DELETED (orphan, replaced by orchestrator-stream) - next.config.mjs: extended outputFileTracingExcludes for all new -fs files #60 (P2) — ⌘Z / ⌘⇧Z in Design Mode: - public/design-mode-agent.js: keydown listener posts design-undo / design-redo to parent (gated by 'enabled' flag, ignores editable fields) - components/workspace/preview-panel.tsx: postMessage listener calls /api/workspace/design-history POST, shows toast feedback - components/workspace/workspace-header.tsx: ⌘Z / ⌘⇧Z hint icon in Design tab #61 (P1) — CI / branch protection: verification-only, no code change. Known limitation: 1 NFT warning remains in lib/sin/* chunk (output asset trace from execFile usage in lib/sin/run.ts). Next.js 16.2.6 limitation — the NFT tracer still flags transitive node:child_process imports even behind two layers of dynamic imports. Build succeeds, runtime works. Refs: #51-#55 (closed), #59 #60 #61 #62
CEO Audit — Not applicableThis repository is a Node.js / TypeScript project. Recommended checks for this repo:
|
This was referenced Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes 3 of 4 open issues end-to-end:
/api/*no longer 401s; placeholderBETTER_AUTH_SECRETtreated as "auth disabled"; health probe is public; both :3000/:3100 origins trusted.⌘Z/⌘⇧Zkeyboard shortcuts wired in Design Mode (iframe agent → postMessage →/api/workspace/design-history).Files
New (8)
lib/workspace/design-edit-fs.ts— fs/path for design-edit (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/workspace/files-fs.ts— fs/path for files route (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/workspace/design-history-fs.ts— fs/path for design-history (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/audit-fs.ts— fs/path for audit log (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/sin/orchestrator-stream-impl.ts— spawn() impl (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/sin/guard.ts— guardRequest extracted from run.ts (fix(build): eliminate the last Turbopack NFT warning in design-edit route #59)lib/sin/orchestrator-stream.ts— wrapper for orchestrator-streamDeleted
lib/sin/orchestrator-runner.ts— orphan, replaced by orchestrator-streamModified
proxy.ts— placeholder secret exemption + /api/health public (fix(auth): resolve 401 on all /api/* routes after Better Auth + Kysely integration #62)lib/auth/better-auth.ts— trustedOrigins :3000 + :3100 (fix(auth): resolve 401 on all /api/* routes after Better Auth + Kysely integration #62)app/api/health/route.ts— force-dynamic, nodejs runtime (fix(auth): resolve 401 on all /api/* routes after Better Auth + Kysely integration #62)app/api/sin/orchestrator/stream/route.ts— uses guardRequest from new locationapp/api/workspace/design-edit/route.ts— dynamic import of design-edit-fsapp/api/workspace/files/route.ts— dynamic import of files-fsapp/api/settings/*/route.ts(8 files) — guardRequest import path updateapp/api/chat/route.ts,chats/*,workspace/*,sin/orchestrator/*— guardRequest import path updatelib/sin/run.ts— guardRequest extracted to guard.tslib/workspace/design-history.ts— public API delegates to design-history-fslib/audit.ts— public API delegates to audit-fsnext.config.mjs— extended outputFileTracingExcludes for all new -fs filespublic/design-mode-agent.js— ⌘Z / ⌘⇧Z keydown listener (feat(design-mode): wire ⌘Z / ⌘⇧Z keyboard shortcuts for Undo/Redo #60)components/workspace/preview-panel.tsx— undo/redo toast + postMessage listenercomponents/workspace/workspace-header.tsx— ⌘Z / ⌘⇧Z hint iconVerification
NFT count: 5 → 1 (the last is a Next 16.2.6 transitive-import limitation that affects every
child_process-using module, even behind dynamic imports).Known Limitation
lib/sin/*chunk still triggers 1 NFT warning becauselib/sin/run.tsusesexecFileand the NFT tracer follows transitive imports. Two layers of dynamic imports (run.ts → guard.tsextracted, and the chainroute → orchestrator-stream → orchestrator-stream-impl) don't fully hide it. Documented in the issue.Closes: #59, #60, #62
Refs: #51-#55 (closed), #61 (verification-only)