fix: docs search, and allow scalar to send requests to api.dw

AGENTS.md

@@ -106,7 +106,7 @@ All redirects live in `next.config.ts` under `async redirects()`. Add to the app
 
 - **[`doublewordai/batch-skill`](https://github.com/doublewordai/skill)** (agents skill): `SKILL.md` contains explicit links to doc pages. Grep it for the affected slug and update.
 - **`llms.txt`**: Auto-generated from Sanity by `src/app/llms.txt/route.ts`. No manual action, but sanity-check the output after the change.
-- **Search index**: Rebuilt at build time by `scripts/build-search-index.mjs`. No manual action.
+- **Search index**: Rebuilt at build time by `scripts/build-search-index.mjs`, which the `build` script runs **explicitly** before `next build` (do not move it back to a `prebuild` hook — `.npmrc` sets `ignore-scripts=true`, so npm/pnpm pre/post lifecycle hooks no longer run). The generated `public/search-index.json` is bundled into the `/api/search` serverless function via `outputFileTracingIncludes` in `next.config.ts`; reading it from `public/` at runtime fails on Vercel without that. No manual action.
 - **External SDK docs and blog posts**: Search the `doublewordai` org on GitHub for the old slug. Update or rely on the redirect.
 - **Sitemap**: Auto-generated by `src/app/sitemap.ts`.
 - **Marketing site / blog**: Check `doubleword.ai` and `blog.doubleword.ai` for inbound links.

next.config.ts

@@ -27,6 +27,17 @@ const securityHeaders = [
 const nextConfig: NextConfig = {
   reactCompiler: true,
 
+  // The /api/search route reads public/search-index.json at runtime with fs
+  // (see src/lib/search-index.ts). On Vercel, files under public/ are deployed
+  // as CDN static assets and are NOT included in a route handler's serverless
+  // function bundle, so the runtime read throws ENOENT and the route 500s with
+  // an empty body. Force Next's output file tracing to bundle the generated
+  // index (written by the build script, which runs build-search-index.mjs
+  // before `next build`) into the search function.
+  outputFileTracingIncludes: {
+    '/api/search': ['./public/search-index.json'],
+  },
+
   // Apply security response headers to every route.
   async headers() {
     return [

package.json

@@ -4,8 +4,8 @@
   "private": true,
   "scripts": {
     "dev": "next dev",
-    "prebuild": "node scripts/build-search-index.mjs",
-    "build": "next build",
+    "build:search-index": "node scripts/build-search-index.mjs",
+    "build": "node scripts/build-search-index.mjs && next build",
     "start": "next start",
     "lint": "eslint",
     "test": "vitest",

src/app/control-layer/api-reference/route.ts

@@ -7,6 +7,9 @@ import { withCspNonce } from "@/lib/scalar-api-reference";
 export const GET = withCspNonce(
   ApiReference({
     url: "/api/control-layer-openapi",
+    // See inference-api/api-reference: avoid the Google Fonts load blocked by
+    // our `font-src 'self' data:` CSP.
+    withDefaultFonts: false,
     metaData: {
       title: "API Reference | Control Layer | Doubleword Docs",
       description: "Complete API reference for the Doubleword Control Layer API",

src/app/inference-api/api-reference/route.ts

@@ -7,6 +7,10 @@ import { withCspNonce } from "@/lib/scalar-api-reference";
 export const GET = withCspNonce(
   ApiReference({
     url: "/api/openapi",
+    // Scalar otherwise loads its default web fonts from Google Fonts, which our
+    // `font-src 'self' data:` CSP blocks ("Refused to load the font"). Use the
+    // system font stack instead of allowlisting an external font host.
+    withDefaultFonts: false,
     metaData: {
       title: "API Reference | Doubleword Inference API | Doubleword Docs",
       description: "Complete API reference for the Doubleword API",

src/lib/scalar-api-reference.test.ts

@@ -10,6 +10,8 @@ vi.mock("next/headers", () => ({
 }));
 
 import { withCspNonce } from "./scalar-api-reference";
+import { GET as inferenceApiReference } from "@/app/inference-api/api-reference/route";
+import { GET as controlLayerApiReference } from "@/app/control-layer/api-reference/route";
 
 const NONCE = "test-nonce-Zm9vYmFy";
 
@@ -81,3 +83,19 @@ describe("withCspNonce", () => {
     expect(html).not.toContain("nonce=");
   });
 });
+
+// Scalar's client otherwise pulls its default web fonts from Google Fonts, which
+// our `font-src 'self' data:` CSP blocks ("Refused to load the font"). Both
+// API-reference routes must opt out (`withDefaultFonts: false`) so Scalar uses
+// the system font stack instead of an external font host. Scalar serializes the
+// config as JSON into its inline init script, so the flag appears verbatim in the
+// rendered HTML.
+describe("Scalar API-reference routes opt out of external fonts", () => {
+  it.each([
+    ["inference-api", inferenceApiReference],
+    ["control-layer", controlLayerApiReference],
+  ])("%s reference disables Scalar's default fonts", async (_name, handler) => {
+    const html = await (await handler()).text();
+    expect(html).toContain('"withDefaultFonts": false');
+  });
+});

src/middleware.test.ts

@@ -0,0 +1,56 @@
+import { describe, expect, it } from "vitest";
+import { NextRequest } from "next/server";
+import { middleware } from "./middleware";
+
+// Pull the CSP off the response middleware emits for a normal document request.
+function cspFor(
+  url = "https://docs.doubleword.ai/inference-api/api-reference",
+): string {
+  const res = middleware(new NextRequest(url));
+  return res.headers.get("content-security-policy") ?? "";
+}
+
+// Return the directive (e.g. "connect-src ...") as a single trimmed string.
+function directive(csp: string, name: string): string {
+  return (
+    csp
+      .split(";")
+      .map((d) => d.trim())
+      .find((d) => d === name || d.startsWith(`${name} `)) ?? ""
+  );
+}
+
+describe("CSP middleware", () => {
+  it("allows the inference API host so Scalar's Test Request works", () => {
+    // The OpenAPI spec's server is https://api.doubleword.ai/v1, so Scalar fires
+    // its try-it fetch at that host from the browser. Without this entry the
+    // request is blocked and the user sees "Failed to fetch".
+    expect(directive(cspFor(), "connect-src")).toContain(
+      "https://api.doubleword.ai",
+    );
+  });
+
+  it("keeps the other connect-src allowances intact", () => {
+    const connectSrc = directive(cspFor(), "connect-src");
+    expect(connectSrc).toContain("'self'"); // PostHog via /ingest rewrite
+    expect(connectSrc).toContain("https://app.doubleword.ai"); // SSO session check
+    expect(connectSrc).toContain("https://status.doubleword.ai"); // StatusWidget
+  });
+
+  it("does not allowlist a font host — fonts stay self/data only", () => {
+    // We fixed the Scalar font violation by disabling its default fonts, not by
+    // opening font-src. Guard against a future regression that re-opens it.
+    expect(directive(cspFor(), "font-src")).toBe("font-src 'self' data:");
+  });
+
+  it("emits a per-request nonce in script-src", () => {
+    expect(cspFor()).toMatch(/script-src[^;]*'nonce-[^']+'/);
+  });
+
+  it("uses a unique nonce per response", () => {
+    const first = cspFor().match(/'nonce-([^']+)'/)?.[1];
+    const second = cspFor().match(/'nonce-([^']+)'/)?.[1];
+    expect(first).toBeTruthy();
+    expect(first).not.toBe(second);
+  });
+});

src/middleware.ts

@@ -24,6 +24,12 @@ import {NextRequest, NextResponse} from 'next/server'
 //     `credentials: 'include'` to verify the SSO session. CORS is already
 //     allowed on the control-layer side (see
 //     internal/values/control-layer.yaml `allowed_origins`).
+//   - `https://api.doubleword.ai` for the Scalar API-reference "Test Request"
+//     feature at /inference-api/api-reference. The OpenAPI spec's server is
+//     `https://api.doubleword.ai/v1`, so Scalar fires the try-it `fetch` at that
+//     host from the browser; without it CSP blocks the request ("Failed to
+//     fetch"). CORS is already allowed on the api side — docs.doubleword.ai is
+//     in the same `allowed_origins` list (which covers the api proxy too).
 //   - `https://status.doubleword.ai` for the StatusWidget component, which
 //     fetches `/api/v1/summary` from the public status page to render
 //     live incident status inline in docs pages.
@@ -35,7 +41,7 @@ function buildCsp(nonce: string): string {
     "style-src 'self' 'unsafe-inline'",
     "img-src 'self' data: blob: https://cdn.sanity.io",
     "font-src 'self' data:",
-    "connect-src 'self' https://app.doubleword.ai https://status.doubleword.ai",
+    "connect-src 'self' https://app.doubleword.ai https://api.doubleword.ai https://status.doubleword.ai",
     'frame-src https://www.youtube.com https://www.youtube-nocookie.com https://player.vimeo.com',
     "worker-src 'self' blob:",
     "frame-ancestors 'none'",