fix: docs search, and allow scalar to send requests to api.dw

[hachall]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
documentation	Ready	Preview, Comment	Jun 11, 2026 9:15am

[Copilot]

Pull request overview

This PR updates the docs site’s security/runtime configuration so Scalar’s interactive API reference works correctly under the site’s strict CSP, and fixes production search failures on Vercel by ensuring the generated search index is bundled into the /api/search function.

Changes:

• Allow browser fetch from docs pages to https://api.doubleword.ai via the CSP connect-src directive (enables Scalar “Test Request”).
• Configure Scalar API reference routes to disable default Google Fonts usage (withDefaultFonts: false) to comply with font-src 'self' data:.
• Ensure /api/search can read the generated public/search-index.json at runtime on Vercel via outputFileTracingIncludes, and add targeted tests for CSP/Scalar behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/middleware.ts	Extends CSP connect-src to include https://api.doubleword.ai and documents why.
src/middleware.test.ts	Adds tests asserting CSP contains the expected directives (connect-src, font-src, nonce behavior).
src/lib/scalar-api-reference.test.ts	Adds assertions that both Scalar API-reference routes disable default fonts.
src/app/inference-api/api-reference/route.ts	Disables Scalar default fonts for inference API reference route.
src/app/control-layer/api-reference/route.ts	Disables Scalar default fonts for control-layer API reference route.
next.config.ts	Bundles public/search-index.json into /api/search serverless output via outputFileTracingIncludes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

[doubleword-code]

Summary

This PR addresses two distinct issues: (1) fixes the docs search functionality by ensuring the generated search index is bundled into the /api/search serverless function on Vercel, and (2) allows Scalar's API reference "Test Request" feature to reach https://api.doubleword.ai by updating the CSP middleware. The changes are well-reasoned and include appropriate tests.

Verdict: Approved with one blocking issue to address.

Research notes

I reviewed:

• Vercel output file tracing behavior: The outputFileTracingIncludes pattern in next.config.ts is the documented approach for bundling files that serverless functions read at runtime via fs. Without it, files under public/ are deployed as CDN assets only, causing ENOENT errors in route handlers.
• CSP connect-src directive: Controls which URLs can be fetched via fetch(), XMLHttpRequest, EventSource, and WebSocket. Adding https://api.doubleword.ai is the correct approach for allowing Scalar's client-side fetch to the API.
• Scalar configuration: The withDefaultFonts: false option is documented in Scalar's configuration reference and prevents loading fonts from Google Fonts, which would be blocked by the existing font-src 'self' data: CSP.

Suggested next steps

1. Blocking: Remove the redundant https://status.doubleword.ai entry from the connect-src directive (it appears twice after this change).
2. Verify the build script ordering works correctly in CI/CD (the inline && in build script should work, but ensure .npmrc ignore-scripts=true doesn't interfere with the explicit node scripts/build-search-index.mjs call).
3. Consider documenting the CSP allowlist growth pattern in middleware.ts comments to prevent future accumulation of duplicate entries.

General findings

Search index build script error handling

The improved error handling in scripts/build-search-index.mjs is appropriate. Gracefully degrading when model artifacts cannot be fetched (due to network/WAF issues in the Vercel build environment) ensures the core search index still builds. This is a sensible trade-off.

Test coverage

The new tests in src/middleware.test.ts and src/lib/scalar-api-reference.test.ts are well-structured and test the right behaviors:

• CSP directive parsing is tested correctly
• Nonce uniqueness is verified
• Font-src regression guard is in place
• Scalar font opt-out is verified in rendered HTML

One minor gap: the middleware tests do not cover edge cases like malformed URLs or missing headers, but this is acceptable for a CSP-focused test suite.

Package.json script change

Moving from prebuild to an explicit inline && chain in the build script is correct given the .npmrc ignore-scripts=true setting. However, note that npm lifecycle hooks like prebuild are skipped when ignore-scripts=true, so the old approach was already broken. The new approach is explicit and works regardless of npm settings.

---

Inline comments

General findings (auto-demoted from inline due to pre-validation)

• Non-blocking package.json:7 — Inline script chaining is correct but consider shell compatibility.
  • (demoted: code self-check failed at package.json:7: diff has "build:search-index": "node scripts/build-search-index.mjs",, model claimed "build": "node scripts/build-search-index.mjs && next build",)
• Non-blocking src/middleware.test.ts:45 — Good regression guard, but consider testing the full CSP string.
  • (demoted: code self-check failed at src/middleware.test.ts:45: diff has ``, model claimed expect(directive(cspFor(), "font-src")).toBe("font-src 'self' data:");)

[doubleword-code]

Blocking: Duplicate https://status.doubleword.ai entry.

Why it matters: The previous version already had https://status.doubleword.ai in the connect-src directive (visible in git show origin/main:src/middleware.ts). This line now lists it twice—once from the original and once from the new addition. While browsers tolerate duplicates, this indicates the diff was not carefully reviewed and creates technical debt for future maintainers who may add more hosts without checking for existing entries.

Suggested fix: Deduplicate the list:

"connect-src 'self' https://app.doubleword.ai https://api.doubleword.ai https://status.doubleword.ai",

(Keep only one https://status.doubleword.ai.)

[doubleword-code]

Nit: Consider logging the full error stack for debugging.

Why it matters: When the fetch fails in CI/CD, err.message alone may not provide enough context (e.g., is it a timeout? TLS error? DNS failure?). A stack trace or at least the error name would help diagnose production build failures.

Suggested fix:

console.warn(`Skipping model artifacts: ${err.name}: ${err.message}`);

Or log console.trace() if you want the full stack.

[doubleword-code]

Summary

This PR makes three distinct but related changes:

1. Scalar API Reference font fix: Both /inference-api/api-reference and /control-layer/api-reference routes now set withDefaultFonts: false to prevent Scalar from loading Google Fonts, which would be blocked by the existing font-src 'self' data: CSP directive.

2. CSP middleware update: Added https://api.doubleword.ai to the connect-src directive so Scalar's "Test Request" feature can successfully make fetch calls to the API endpoint without being blocked by CSP (the error would manifest as "Failed to fetch" in the browser).

3. Search index build fix: Moved the search index generation from an npm prebuild hook into the build script itself (node scripts/build-search-index.mjs && next build), with corresponding documentation in AGENTS.md explaining why this is necessary (.npmrc sets ignore-scripts=true, so lifecycle hooks don't run). Also added outputFileTracingIncludes in next.config.ts to ensure the generated public/search-index.json is bundled into the /api/search serverless function on Vercel.

Verdict: Changes are well-reasoned, properly tested, and address real production issues. The PR is ready to approve pending one minor clarification on the control-layer API reference.

Research notes

• CSP and 'strict-dynamic': The current CSP uses script-src 'self' 'nonce-...' 'strict-dynamic', which means scripts without the nonce are blocked. This is the correct containment pattern for XSS prevention.
• Scalar API Reference configuration: The withDefaultFonts option is documented in Scalar's configuration reference. When enabled (default), Scalar loads fonts from Google Fonts CDN; when disabled, it falls back to system fonts.
• Vercel outputFileTracing: Next.js on Vercel uses output file tracing to determine which files to include in each serverless function bundle. Files under public/ are deployed as static CDN assets and are not automatically included in function bundles — explicit inclusion via outputFileTracingIncludes is required for runtime fs.readFileSync() calls to succeed.
• npm lifecycle hooks and ignore-scripts: When .npmrc contains ignore-scripts=true, npm/pnpm do not run pre* or post* lifecycle hooks. Moving the search index build into the explicit build script command ensures it runs regardless of this setting.

Suggested next steps

1. Merge this PR — all changes are sound and tested.
2. Verify in production that:
   • The Scalar API reference pages render fonts correctly (system font stack)
   • The "Test Request" button in /inference-api/api-reference successfully makes API calls
   • Search functionality works post-deploy (search index is bundled correctly)
3. Monitor Vercel deployment logs for any outputFileTracing warnings related to the search index bundling.

General findings

No blocking issues found. The code is well-commented, tests are comprehensive, and the changes follow established patterns in the codebase.

[doubleword-code]

Non-blocking: Consider adding a comment inline here (similar to lines 27–32) explaining why https://api.doubleword.ai is needed — specifically that it's for Scalar's "Test Request" feature firing fetches to the OpenAPI spec's server URL. This would help future reviewers understand the rationale without needing to trace back through git history.

Why it matters: Six months from now, someone auditing the CSP might wonder why this external host is allowlisted and whether it can be removed. An inline comment prevents accidental regression.

Suggested fix: Add a brief comment near line 32 or directly above line 44:

//   - `https://api.doubleword.ai` for Scalar's Test Request feature (see line 44)

or expand the existing comment block.

[doubleword-code]

Non-blocking: The comment references inference-api/api-reference but doesn't explain why Control Layer needs this too. Since Control Layer has hideTestRequestButton: true (line 18), it's worth clarifying whether the font issue affects both endpoints equally.

Why it matters: A future maintainer might assume Control Layer doesn't need withDefaultFonts: false since it hides the Test Request button, and remove this line — only to discover the page still tries to load Google Fonts and fails under CSP.

Suggested fix: Expand the comment slightly:

// Scalar loads its default web fonts from Google Fonts for both Inference and
// Control Layer API references, which our `font-src 'self' data:` CSP blocks.
// Use the system font stack instead of allowlisting an external font host.
withDefaultFonts: false,

[doubleword-code]

Non-blocking: Consider using && vs ; carefully here — if the search index build fails, next build won't run, which is probably desired. However, there's no error handling if next build fails after a successful index build (edge case, but worth noting).

Why it matters: If the search index takes significant time to generate and next build fails partway through, the index will be stale on the next run. This is likely acceptable given the rebuild frequency, but teams should be aware.

Suggested fix: No change needed — this is fine as-is. Just documenting the trade-off: failing fast on index errors is correct, and Next.js handles its own failures appropriately.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 13 out of 14 changed files in this pull request and generated no new comments.