Fix subprocess env leak, unbounded preview spawning, and dead code

- pptx-vm: pass minimal env to worker subprocess so it cannot inherit
  DB URLs, API keys, or other secrets from the Next.js process on a
  vm.createContext escape
- PptxPreview: add AbortController so in-flight preview fetch is
  cancelled when the effect re-runs (e.g. next SSE update), preventing
  unbounded concurrent subprocesses; add 500ms debounce on streaming
  renders to reduce subprocess churn during rapid AI generation
- file-reader: remove dead code — the `if (!isReadableType)` guard on
  line 110 was always true (all readable types returned earlier at
  line 76), making the subsequent `return null` unreachable

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/file-viewer.tsx

@@ -544,8 +544,11 @@ function PptxPreview({
 
   useEffect(() => {
     let cancelled = false
+    const controller = new AbortController()
+    let debounceTimer: ReturnType<typeof setTimeout> | null = null
 
     async function render() {
+      if (cancelled) return
       try {
         setRendering(true)
         setRenderError(null)
@@ -555,6 +558,7 @@ function PptxPreview({
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({ code: streamingContent }),
+            signal: controller.signal,
           })
           if (!response.ok) {
             const err = await response.json().catch(() => ({ error: 'Preview failed' }))
@@ -596,7 +600,7 @@ function PptxPreview({
           pptxCacheSet(cacheKey, images)
         }
       } catch (err) {
-        if (!cancelled) {
+        if (!cancelled && !(err instanceof DOMException && err.name === 'AbortError')) {
           const msg = err instanceof Error ? err.message : 'Failed to render presentation'
           logger.error('PPTX render failed', { error: msg })
           setRenderError(msg)
@@ -606,9 +610,18 @@ function PptxPreview({
       }
     }
 
-    render()
+    // Debounce streaming renders so rapid SSE updates don't spawn a subprocess
+    // per event. Non-streaming renders (file load / cache) run immediately.
+    if (streamingContent !== undefined) {
+      debounceTimer = setTimeout(render, 500)
+    } else {
+      render()
+    }
+
     return () => {
       cancelled = true
+      if (debounceTimer) clearTimeout(debounceTimer)
+      controller.abort()
     }
   }, [fileData, dataUpdatedAt, streamingContent, cacheKey, workspaceId])
 

apps/sim/lib/copilot/vfs/file-reader.ts

@@ -107,14 +107,10 @@ export async function readFileRecord(record: WorkspaceFileRecord): Promise<FileR
       }
     }
 
-    if (!isReadableType(record.type)) {
-      return {
-        content: `[Binary file: ${record.name} (${record.type}, ${record.size} bytes). Cannot display as text.]`,
-        totalLines: 1,
-      }
+    return {
+      content: `[Binary file: ${record.name} (${record.type}, ${record.size} bytes). Cannot display as text.]`,
+      totalLines: 1,
     }
-
-    return null
   } catch (err) {
     logger.warn('Failed to read workspace file', {
       fileName: record.name,

apps/sim/lib/execution/pptx-vm.ts

@@ -74,6 +74,10 @@ export async function generatePptxFromCode(code: string, workspaceId: string): P
       proc = spawn('node', [WORKER_PATH], {
         stdio: ['ignore', 'pipe', 'pipe', 'ipc'],
         serialization: 'json',
+        // Prevent the subprocess from inheriting secrets (DB URL, API keys, etc.)
+        // from the parent Next.js process. pptxgenjs only needs PATH to resolve
+        // its own require() calls.
+        env: { PATH: process.env.PATH ?? '' } as unknown as NodeJS.ProcessEnv,
       })
     } catch (err) {
       done(err instanceof Error ? err : new Error(String(err)))