Move nock to dev deps and include the route only for dev/test builds

[fangpenlin]

We had problem with nock module in the production build. It turned out that importing the nock module and not even using it causes it to intercepts all the outgoing requests (while doing nothing about them) and increase the memory footprint a lot. We commented out the route for nock. This PR brought back the nock route with the following measurements to make sure it won't be included in the production build:

• The BDD route for nock is now imported via @bdd_routes/bdd-nock-router and mapped to backend/src/server/routes/bdd/bdd-nock-router.ts by default.
• We added a tsconfig.dev.json mapping @bdd_routes/bdd-nock-router to @bdd_routes/bdd-nock-router.dev.ts instead. This TS config will only be used in dev environments
• We added node environment checks, just importing bdd-nock-router.dev.ts in production should now crash the app so that Kubernetes won't be able to roll it out due to bad readiness/healthy check
• The nock module is now loaded lazily, even if we somehow included in the production build. In theory, the module won't be loaded until any of the nock route called, but they are disabled in the production by extra environment checks

To test this PR, one can run

npm run build

To see if the dist folder includes the dev version of nock route. One can also check dist/server/routes/bdd/bdd-nock-router.mjs's content to see if the production one is included.

For the dev environment, we have replaced all the tsc or similar command to use the dev version of tsconfig. Otherwise CI won't even pass.

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

• Moves nock from production to devDependencies and refactors BDD test mock API to use conditional file aliasing (*.dev.ts excluded from production builds)
• Changes isBddNockApiEnabled from dev-only to non-production (NODE_ENV !== "production"), exposing the test API to test environments

Confidence Score: 1/5

• This PR contains critical security vulnerabilities that must be fixed before merging.
• Score reflects multiple high-severity security issues: environment check bypass via raw process.env, critical ReDoS vulnerability from user-controlled regex without re2 package (violates Rule 1), unsafe type casting, and misaligned build configuration that could cause runtime failures.
• Pay critical attention to backend/src/server/routes/bdd/bdd-nock-router.dev.ts which contains multiple security vulnerabilities including ReDoS attack vector and environment bypass flaw.

Important Files Changed

Filename	Overview
backend/src/server/routes/bdd/bdd-nock-router.dev.ts	New dev-only nock router with critical security issues: environment check bypassed via raw process.env, unmitigated ReDoS vulnerability from user-controlled regex, unsafe type casting without validation.
backend/tsconfig.dev.json	New TypeScript config for dev builds with path alias pointing to .dev.ts file, but misaligned with tsup exclusion pattern creating potential runtime resolution issues.
backend/src/lib/config/env.ts	Changed isBddNockApiEnabled condition from NODE_ENV === "development" to NODE_ENV !== "production", allowing test environment access.

[greptile-apps]

_{1 file reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[fangpenlin]

@greptile-apps review again

[greptile-apps]

_{1 file reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

_{17 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile
React with 👍 or 👎 to share your feedback on this new summary format}