fix: validate bundle export params and quiet Next build warning

[charlesrhoward]

Summary

• validate /api/bundles/me/[id] format query values and return 400 on unsupported formats
• validate strokeWidth query values (> 0 and <= 10) and return 400 for invalid input
• use nullish coalescing for effective bundle stroke width to avoid dropping configured values
• set outputFileTracingRoot in Next config to remove workspace root inference warnings in builds
• add route tests covering invalid format and invalid stroke width cases

Verification

• pnpm test -- 'src/app/api/bundles/me/[id]/route.test.ts'
• pnpm test
• pnpm typecheck
• pnpm build

---

Note

Medium Risk
Moderate risk because it changes request validation/behavior for a public API route (new 400s for invalid query params) and adjusts build/dependency overrides; failures could impact clients or builds, but the changes are scoped and covered by new tests.

Overview
Hardens GET /api/bundles/me/[id] by validating format (only react/svg/json) and strokeWidth (numeric, >0 and <=10), returning 400 errors for invalid inputs.

Fixes stroke-width precedence by using bundle.target_stroke_width ?? strokeWidth consistently for normalization and code generation, and adds Vitest coverage for invalid query cases.

Quietly addresses build tooling issues by setting outputFileTracingRoot in next.config.ts and tightening pnpm overrides for minimatch, rollup, and serialize-javascript (lockfile updated accordingly).

^{Written by Cursor Bugbot for commit e787c02. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
unicon	Ready	Preview, Comment	Mar 2, 2026 1:18pm

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c95c346cae

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Guard against zero target width when choosing export stroke width

Using bundle.target_stroke_width ?? strokeWidth lets a persisted target_stroke_width of 0 override the request/default width, which makes stroked icons export with strokeWidth=0 (effectively invisible). This is reachable because bundle create/update endpoints currently pass target_stroke_width through without validation (src/app/api/bundles/route.ts and src/app/api/bundles/[id]/route.ts), so malformed or legacy rows can trigger it; before this change, || fell back to a usable width in that case.

Useful? React with 👍 / 👎.