fix(repo): resolve graph-client build-client sandbox violations #35522

Merged
FrozenPandaz merged 2 commits into master from
fix/graph-client-build-sandbox-violations-v2
May 5, 2026

@polygraph-app polygraph-app Bot commented Apr 30, 2026

Summary

Resolves Nx Atomizer sandbox violations on graph-client:build-client:release. The original report flagged ~1116 unexpected reads — the entire packages/nx source tree (965 files), packages/devkit source (80 files), graph/client-e2e Cypress files, and various eslint.config.mjs / tsconfig.spec.json / *.stories.tsx siblings across graph/* projects.

Root cause

The bare graph/ directory was registered as a webpack context dependency for the styles.css module, causing FileSystemInfo._readContextHash to recursively walk and hash every file underneath it for snapshot validation.

The trigger was a single line in graph/client/tailwind.config.js:

path.join(__dirname, '..', 'ui-*/src', glob),

The ui-* segment is a wildcard at a directory level. To resolve it, Tailwind has to readdir the parent (graph/) to enumerate which subdirs match. Tailwind reports that parent to PostCSS as a dir-dependency, which postcss-loader translates into a webpack context dependency. From there, webpack's snapshot walker:

  1. Recursively walks all of graph/ — including unrelated siblings like graph/client-e2e and graph/migrate's test/eslint configs.
  2. Encounters graph/ui-project-details/node_modules/@nx/devkit — a pnpm workspace symlink installed because that lib declares "@nx/devkit": "workspace:*" as a dev dep (purely for import type references).
  3. Webpack's _resolveContextTimestamp follows the symlink target into packages/devkit/, then through packages/devkit/node_modules/nx → packages/nx/, hashing every file along the way (including .rs, .snap, .fixture source files that aren't part of any bundle).

Fix

Enumerate the ui-* dirs explicitly in graph/client/tailwind.config.js:

path.join(__dirname, '..', 'ui-code-block/src', glob),
path.join(__dirname, '..', 'ui-common/src', glob),
path.join(__dirname, '..', 'ui-icons/src', glob),
path.join(__dirname, '..', 'ui-project-details/src', glob),
path.join(__dirname, '..', 'ui-render-config/src', glob),

With no wildcard at a directory segment, Tailwind reports each individual src/ dir as the context dep instead of the bare graph/. Each src/ subtree contains only source files (no node_modules), so the symlink chain into packages/{nx,devkit} is unreachable, and unrelated siblings like graph/client-e2e are no longer touched.

A comment in the config explains the trap so future maintainers know to add new ui-* projects here.

Empirical results

Local trace of file reads from the webpack-cli subprocess (NODE_OPTIONS=--require trace-fs.js instrumenting fs.read*):

| stage | webpack-cli workspace reads | packages/nx | packages/devkit | graph/client-e2e |
| --- | --- | --- | --- | --- |
| baseline (before fix) | 3010 | 2030 | 112 | 24 |
| after fix | 482 | 0 | 0 | 0 |

Bundle output is byte-identical (2,930,784 bytes for dist/apps/graph/main.js).

The remaining 482 reads are all inside dirs Tailwind legitimately scans (graph/client/src, the explicit ui-*/src list, graph/shared/src, plus actual project-graph deps like graph/migrate). The *.stories.* and *.{spec,test}.* files within those dirs are still hit by the snapshot walker but are already handled by the existing graph-client:build-client entries in .nx/workflows/sandboxing-config.yaml.

Other changes

  • .nx/workflows/sandboxing-config.yaml — removed an outdated/incorrect comment block above the graph-client entry. The two existing exclude patterns (**/*.stories.*, **/*.{spec,test}.*) cover the residual noise inside the ui-*/src dirs and remain unchanged.
  • nx.json — bumped bust to invalidate caches against the previous attempt.

Caveats

  • New graph/ui-* projects require a manual entry in this list — the config comment calls this out. Worth a follow-up if more ui-* packages are added regularly; an alternative is to read the dir list from the workspace package map at config-eval time.
  • This addresses the Tailwind-driven entry path. The underlying pattern (a workspace:* type-only dep planting a pnpm symlink that webpack's snapshot walker follows) still exists for any future build that registers an over-broad context dep. The Tailwind change closes the only currently-known entry point.

Verification

  • pnpm nx run graph-client:build-client:release --skip-nx-cache: webpack compiled successfully
  • ✅ Bundle byte-identical to pre-fix master
  • ✅ Empirical file-read trace confirms packages/nx, packages/devkit, and graph/client-e2e are no longer walked

Test plan

  • Re-run graph-client:build-client:release in CI with sandbox monitoring; confirm the Atomizer report shows the unexpected-reads count drop to roughly the count of *.stories.* / *.{spec,test}.* siblings inside the ui-* src dirs (already covered by existing sandbox excludes).
  • Confirm dev-server (nx serve graph-client) still picks up Tailwind class changes in each ui-* project. The watcher now monitors each enumerated dir individually instead of via the parent glob.
  • Visual smoke check that the production bundle still renders with all expected Tailwind classes from ui-* libs (no class regressions due to a missed enumeration).

View session information ↗
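
As an added example (not part of the PR or the Nx code base), the Node.js sketch below reproduces the trap on a constructed temporary workspace: it takes the non-wildcard prefix of each content glob as the directory a snapshot walker would be handed, then lists symlinks under that directory that resolve outside it. The names `staticBase`, `escapingSymlinks`, `buildSample`, `audit` and the `**/*.tsx` pattern are hypothetical, and the prefix rule is an approximation of the behaviour described above, not Tailwind's implementation.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Longest leading directory of a glob with no wildcard characters in it.
// Assumption: this is the directory a scanner has to readdir to expand the glob.
function staticBase(glob) {
  const parts = glob.split(path.sep);
  const i = parts.findIndex((p) => /[*?[\]{}]/.test(p));
  return i === -1 ? path.dirname(glob) : parts.slice(0, i).join(path.sep) || path.sep;
}

// Walk `base` without following symlinks; return links whose real target is outside `base`.
function escapingSymlinks(base) {
  const root = fs.realpathSync(base);
  const found = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      if (ent.isSymbolicLink()) {
        let target;
        try { target = fs.realpathSync(full); } catch { continue; } // dangling link
        const rel = path.relative(root, target);
        if (rel.split(path.sep)[0] === '..' || path.isAbsolute(rel)) found.push(path.relative(root, full));
      } else if (ent.isDirectory()) stack.push(full);
    }
  }
  return found.sort();
}

// Constructed workspace mirroring the layout in the PR description.
function buildSample() {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'ctx-dep-'));
  for (const d of ['graph/client', 'graph/ui-common/src', 'graph/ui-project-details/src',
    'graph/ui-project-details/node_modules/@nx', 'packages/devkit/src'])
    fs.mkdirSync(path.join(ws, d), { recursive: true });
  fs.symlinkSync(path.join(ws, 'packages/devkit'),
    path.join(ws, 'graph/ui-project-details/node_modules/@nx/devkit'), 'dir');
  return ws;
}

// For each glob (relative to graph/client), report the walked base and any escaping links.
function audit(ws, globs) {
  return globs.map((g) => {
    const base = staticBase(path.join(ws, 'graph/client', g));
    return { base: path.relative(ws, base), escapes: escapingSymlinks(base) };
  });
}
```

Running `audit(buildSample(), [...])` with the wildcard form and the enumerated form side by side shows the wildcard glob resolving to `graph` with one escaping link, and the enumerated glob resolving to a `src` directory with none.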


netlify Bot commented Apr 30, 2026

Deploy Preview for nx-dev ready!

Name Link
🔨 Latest commit 5d2e9f0
🔍 Latest deploy log https://app.netlify.com/projects/nx-dev/deploys/69f9fa9b61f60a00086ae027
😎 Deploy Preview https://deploy-preview-35522--nx-dev.netlify.app


netlify Bot commented Apr 30, 2026

Deploy Preview for nx-docs ready!

Name Link
🔨 Latest commit 5d2e9f0
🔍 Latest deploy log https://app.netlify.com/projects/nx-docs/deploys/69f9fa9a8b6ef90008503b41
😎 Deploy Preview https://deploy-preview-35522--nx-docs.netlify.app


nx-cloud Bot commented Apr 30, 2026

View your CI Pipeline Execution ↗ for commit 5d2e9f0

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected --targets=lint,test,build,e2e,e2e-c... | ✅ Succeeded | 1h 2m 19s | View ↗ |
| nx run-many -t check-imports check-lock-files c... | ✅ Succeeded | 3s | View ↗ |
| nx-cloud record -- pnpm nx-cloud conformance:check | ✅ Succeeded | 17s | View ↗ |
| nx build workspace-plugin | ✅ Succeeded | <1s | View ↗ |
| nx-cloud record -- nx sync:check | ✅ Succeeded | 24s | View ↗ |
| nx-cloud record -- nx format:check | ✅ Succeeded | 6s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-05-05 15:17:40 UTC

@AgentEnder AgentEnder force-pushed the fix/graph-client-build-sandbox-violations-v2 branch 3 times, most recently from da91333 to 1816c33, May 5, 2026 13:21
@AgentEnder AgentEnder force-pushed the fix/graph-client-build-sandbox-violations-v2 branch from 1816c33 to 39bd300, May 5, 2026 13:25

@nx-cloud nx-cloud Bot left a comment

Nx Cloud has identified a flaky task in your failed CI:

🔂 Since the failure was identified as flaky, we triggered a CI rerun by adding an empty commit to this branch.

@AgentEnder AgentEnder marked this pull request as ready for review May 5, 2026 16:51
@AgentEnder AgentEnder requested a review from a team as a code owner May 5, 2026 16:51
@AgentEnder AgentEnder self-requested a review May 5, 2026 16:51
@FrozenPandaz FrozenPandaz merged commit 57f1c31 into master May 5, 2026
25 checks passed
@FrozenPandaz FrozenPandaz deleted the fix/graph-client-build-sandbox-violations-v2 branch May 5, 2026 18:11