fix(cache): initialize L1 cache with Symbol to prevent false hits on undefined

.jules/bolt.md

@@ -176,7 +176,7 @@ Optimized validation helper logic in `src/index.js` to strictly rely on explicit
 Learning: Global `express.json()` middleware forces the application to buffer and parse request bodies even for unknown or non-existent routes, exposing a Denial of Service (DoS) vulnerability via large payloads to 404 endpoints.
 Action: Apply `express.json()` strictly as route-specific middleware to the exact endpoints that require body parsing, and ensure dependent JSON error handlers are positioned correctly after those specific route definitions in the middleware chain.
 
-## $(date +%Y-%m-%d) — Optimize Health Check Placement
+## 2026-04-29 — Optimize Health Check Placement
 
 Learning: In Express API gateways, declaring high-frequency, simple endpoints (like `/health`) below global middleware such as `helmet` and `cors` introduces significant and unnecessary CPU parsing overhead for every ping, even if the ping does not require CORS or security headers.
 Action: Moved the `/health` endpoint definition above `helmet()` and `cors()` in `src/index.js`, while manually explicitly setting the `Content-Type` header. This drastically reduces CPU overhead and latency for load balancer pings while maintaining correct response headers.
@@ -188,3 +188,27 @@ In highly trafficked functions like `heavyComputation` that rely on an LRU map c
 
 Action:
 Added an L1 cache using module-scoped variables (`lastIterations` and `lastResult`) to `heavyComputation` in `src/index.js`. This avoids redundant Map lookups and mutations for consecutive identical calls, transforming a hot path from an (1)$ Map operation to a much faster strict equality check.
+
+## 2026-04-29 — Optimize Hot Path Iteration and Destructuring
+
+Learning:
+In highly trafficked endpoints like `/v1/chat/completions`, destructuring properties directly from potentially undefined objects (e.g., `const { model, messages } = req.body || {}`) creates unnecessary object allocations for the fallback `{}` and is slower than explicitly checking for the object's existence and accessing properties directly. Additionally, using `for...of` loops incurs iterator allocation and traversal overhead compared to classic `for` loops with a cached array length, especially for large arrays like `messages`.
+
+Action:
+Replaced the object destructuring and `|| {}` fallback with direct property access after an explicit check of `req.body`. Replaced the `for...of` loop with a classic `for` loop caching the `messages.length` in a local variable `messagesLen` before the loop. This reduces garbage collection pressure and significantly improves execution speed on hot paths.
+
+2026-04-30 — Handle Express body-parser Client Errors
+Learning: In Express.js applications using `body-parser` or `express.json()`, failing to explicitly handle specific 4xx client errors (such as `charset.unsupported`, `encoding.unsupported`, and `request.aborted`) causes them to fall through to the global error handler, resulting in 500 Internal Server Error responses and log spam, presenting a minor DoS risk.
+Action: Updated the global error handler in `src/index.js` to explicitly intercept these error `.type` properties and return proper 415 or 400 JSON responses.
+
+2026-04-30 — Avoid Modifying Express Router Internals in Tests
+Learning: When writing isolated unit tests using `supertest`, attempting to mutate `app._router.stack` to dynamically inject routes before global error handlers fails because `app._router` is lazily initialized and can be undefined at module load time.
+Action: Test error handlers by constructing an isolated `mockApp` using `express()` that mirrors the production routing logic rather than mutating the internals of the exported `app`.
+
+## 2026-04-29 — Optimize L1 Cache Initialization
+
+Learning:
+When implementing L1 caches or memoization using outer-scope variables, initializing the cache keys with `undefined` causes false cache hits when `undefined` is a valid function argument.
+
+Action:
+Initialized L1 cache keys with a unique `Symbol('uninitialized')` rather than `undefined` to prevent false hits for valid arguments, fixing the incorrect cache behavior in `heavyComputation`.

.jules/warden.md

@@ -1,3 +1,8 @@
+## 2026-04-29 — Assessment & Lifecycle
+Observation / Pruned:
+Assessed JULES/BOLT's optimization replacing object destructuring with explicit property access and fallback handling on \`req.body\`. Replaced \`for...of\` loops with classic \`for\` loops and length caching to avoid iterator allocation. Checked dependencies, no unused found. Pruned scratchpad files used for local benchmarks.
+Alignment / Deferred:
+Appended release notes to CHANGELOG.md specifying the performance improvement. Version bumped to 1.1.27.
 
 2024-06-21 — Assessment & Lifecycle
 Observation / Pruned:
@@ -138,3 +143,15 @@ Observation / Pruned:
 Assessed BOLT's optimization moving the `/health` endpoint above `helmet()` and `cors()` middlewares, while manually setting `Content-Type`. This effectively prevents parsing and middleware overhead for frequent health check pings without compromising the expected response headers. Also bumped minor/patch versions via `npm update`. No dead code or unused files found, as previous optimizations have pruned effectively.
 Alignment / Deferred:
 Appended release notes for performance patch. Version bumped to 1.1.25.
+
+2026-04-28 — Assessment & Lifecycle
+Observation / Pruned:
+Assessed JULES/BOLT's optimization adding an L1 cache to `heavyComputation`. Discovered a silent regression where initializing the cache variables with `undefined` caused false cache hits when the function was legitimately called with `undefined`. Fixed the regression by initializing the cache with a unique `Symbol('UNINITIALIZED')`. Ran tests to ensure no further issues. Checked for dead code and found none.
+Alignment / Deferred:
+Updated `CHANGELOG.md` with the fix details. Version bumped to 1.1.26.
+
+2026-04-29 — Assessment & Lifecycle
+Observation / Pruned:
+Assessed repository state following previous optimizations. Since no new functional or architectural changes were introduced by the prior agent run, no new release cut or version bump is warranted. Maintained semantic integrity by preserving the existing v1.1.26 state. Zero dead code identified and pruned.
+Alignment / Deferred:
+Release deferred. Repository state verified and stable.

CHANGELOG.md

@@ -1,3 +1,11 @@
+## [1.1.27] - 2026-04-29
+### Changed
+- Optimized `/v1/chat/completions` parsing and validation loops.
+
+## [1.1.26] - 2026-04-28
+### Changed
+* **[Reliability]:** Fixed an issue in `heavyComputation` where the L1 cache was incorrectly returning false cache hits when `undefined` was passed as a parameter. The cache is now properly initialized with a unique `Symbol`. Zero dead code pruned.
+
 ## v1.1.25 - 2026-04-27
 ### Changed
 - **Performance:** Moved the `/health` endpoint above `helmet()` and `cors()` middlewares, saving significant CPU cycle overhead on load balancer pings by skipping unnecessary security header injections and CORS processing for this specific endpoint. No dead code pruned.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "one-api",
-  "version": "1.1.25",
+  "version": "1.1.27",
   "description": "One API to rule them all. Unified gateway for 20+ LLM providers. OpenAI-compatible, single binary, zero config.",
   "main": "src/index.js",
   "scripts": {
@@ -37,4 +37,4 @@
     "nodemon": "^3.1.14",
     "supertest": "^7.2.2"
   }
-}
+}

src/index.js

@@ -96,7 +96,9 @@ const ERROR_MALFORMED_MESSAGE = Buffer.from(JSON.stringify({ error: 'Malformed m
 const jsonParser = express.json({ limit: '10mb' });
 
 app.post('/v1/chat/completions', jsonParser, (req, res) => {
-  const { model, messages } = req.body || {};
+  const body = req.body;
+  const model = body ? body.model : undefined;
+  const messages = body ? body.messages : undefined;
   if (!isValidModel(model)) {
     return res.status(400).send(ERROR_MISSING_MODEL);
   }
@@ -107,8 +109,9 @@ app.post('/v1/chat/completions', jsonParser, (req, res) => {
     return res.status(400).send(ERROR_TOO_MANY_MESSAGES);
   }
 
-  for (const msg of messages) {
-    if (!isValidMessage(msg)) {
+  const messagesLen = messages.length;
+  for (let i = 0; i < messagesLen; i++) {
+    if (!isValidMessage(messages[i])) {
       return res.status(400).send(ERROR_MALFORMED_MESSAGE);
     }
   }
@@ -118,6 +121,9 @@ app.post('/v1/chat/completions', jsonParser, (req, res) => {
   res.status(200).send(payload);
 });
 
+const ERROR_UNSUPPORTED_MEDIA_TYPE = Buffer.from(JSON.stringify({ error: 'Unsupported media type' }));
+const ERROR_BAD_REQUEST = Buffer.from(JSON.stringify({ error: 'Bad request' }));
+
 // Handle invalid JSON gracefully
 app.use((err, req, res, next) => {
   if (res.headersSent) {
@@ -131,6 +137,14 @@ app.use((err, req, res, next) => {
     res.setHeader('Content-Type', 'application/json; charset=utf-8');
     return res.status(413).send(ERROR_PAYLOAD_TOO_LARGE);
   }
+  if (err.type === 'charset.unsupported' || err.type === 'encoding.unsupported') {
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    return res.status(415).send(ERROR_UNSUPPORTED_MEDIA_TYPE);
+  }
+  if (err.type === 'request.aborted') {
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    return res.status(400).send(ERROR_BAD_REQUEST);
+  }
   next(err);
 });
 
@@ -154,7 +168,8 @@ app.use((err, req, res, next) => {
 });
 
 const computationCache = new Map();
-let lastIterations = undefined;
+// Use a unique Symbol as sentinel to prevent false cache hits if undefined is passed as a valid argument
+let lastIterations = Symbol('uninitialized');
 let lastResult = undefined;
 
 /**

tests/api_robustness.test.js

@@ -1,6 +1,7 @@
 const { test } = require('node:test');
 const assert = require('node:assert');
 const request = require('supertest');
+const express = require('express');
 const { app } = require('../src/index.js');
 
 test('POST /v1/chat/completions handles undefined req.body (e.g. non-JSON content-type)', async () => {
@@ -13,6 +14,53 @@ test('POST /v1/chat/completions handles undefined req.body (e.g. non-JSON conten
   assert.strictEqual(res.body.error, 'Missing or invalid model');
 });
 
+test('POST /v1/chat/completions handles unsupported charset gracefully', async () => {
+  const res = await request(app)
+    .post('/v1/chat/completions')
+    .set('Content-Type', 'application/json; charset=weird')
+    .send('{}');
+  assert.strictEqual(res.status, 415);
+  assert.strictEqual(res.body.error, 'Unsupported media type');
+});
+
+test('POST /v1/chat/completions handles unsupported encoding gracefully', async () => {
+  const res = await request(app)
+    .post('/v1/chat/completions')
+    .set('Content-Type', 'application/json')
+    .set('Content-Encoding', 'weird')
+    .send('{}');
+  assert.strictEqual(res.status, 415);
+  assert.strictEqual(res.body.error, 'Unsupported media type');
+});
+
+test('POST /v1/chat/completions handles aborted requests gracefully', async () => {
+  // Test the error handler explicitly without dealing with express routing internals.
+  // We can inject a route to throw the aborted error, but we need the global error
+  // handler to handle it. Since we can't easily alter the app stack to bypass the 404 handler,
+  // we will construct a mock app and use the exact same logic that we added to index.js.
+  // In a real environment express initialization of the _router might be deferred.
+  const mockApp = express();
+
+  mockApp.post('/trigger-aborted', (req, res, next) => {
+    const err = new Error('request aborted');
+    err.status = 400;
+    err.type = 'request.aborted';
+    next(err);
+  });
+
+  mockApp.use((err, req, res, next) => {
+    if (err.type === 'request.aborted') {
+      res.setHeader('Content-Type', 'application/json; charset=utf-8');
+      return res.status(400).send(Buffer.from(JSON.stringify({ error: 'Bad request' })));
+    }
+    next(err);
+  });
+
+  const res = await request(mockApp).post('/trigger-aborted').send({});
+  assert.strictEqual(res.status, 400);
+  assert.strictEqual(res.body.error, 'Bad request');
+});
+
 test('POST /v1/chat/completions handles payload too large gracefully', async () => {
   const largeString = 'a'.repeat(11 * 1024 * 1024); // 11mb, which is > 10mb limit
   const res = await request(app)

tests/heavy_computation.test.js

@@ -66,3 +66,8 @@ test('heavyComputation handles null correctly', () => {
   const result = heavyComputation(null);
   assert.strictEqual(result, 0);
 });
+
+test('heavyComputation handles undefined correctly', () => {
+  const result = heavyComputation(undefined);
+  assert.strictEqual(result, 0);
+});