jamdesk 1.1.129 → 1.1.130

package/vendored/lib/risky-expression-scanner.ts

@@ -0,0 +1,221 @@
+/**
+ * Risky-expression scanner
+ *
+ * Best-effort BUILD-TIME detector for MDX expressions that reference an
+ * undefined identifier and would therefore throw `ReferenceError` at render —
+ * the `{x, y}` class of bug (an author writes literal-looking braces in prose;
+ * MDX evaluates `{…}` as JavaScript). At render those throws are now neutralized
+ * by `recmaGuardExpressions` (silent drop, never a 500); this scanner exists
+ * only to TELL THE AUTHOR which expressions were dropped, via the
+ * `risky_expression` build warning.
+ *
+ * PRECISION over recall, by design. Runtime correctness is owned by the recma
+ * guard, so this scanner is purely advisory:
+ *   - A false negative (missed risky expression) is harmless — the guard still
+ *     drops it at render, no 500.
+ *   - A false positive (warning on a valid expression) is annoying noise.
+ * So it only flags an expression when a free identifier is PROVABLY unbound, and
+ * it SKIPS any expression containing a function/arrow (whose params introduce
+ * local bindings this scanner deliberately does not model).
+ *
+ * Cloud Run does not compile MDX (ISR compiles on demand at request time), so
+ * this runs a lightweight `remark-parse` + `remark-mdx` parse to recover the
+ * expression and ESM (import/export) nodes with their attached estree.
+ */
+import { unified } from 'unified';
+import remarkParse from 'remark-parse';
+import remarkMdx from 'remark-mdx';
+import { visit as visitMdast } from 'unist-util-visit';
+import { visit as visitEstree } from 'estree-util-visit';
+import type { Node as EsNode } from 'estree-jsx';
+
+/** A single risky MDX expression found on a page. */
+export interface RiskyExpressionIssue {
+  /** The expression source between the braces, e.g. `"x, y"`. */
+  expression: string;
+  /** The undefined identifier names that make it throw, e.g. `["x", "y"]`. */
+  undefinedRefs: string[];
+  /** Author-facing guidance — identical between build and CLI. */
+  message: string;
+}
+
+/**
+ * Identifiers always available to an MDX expression at render that are NOT
+ * file-level bindings: JS globals plus the MDX-provided scope. Whitelisted so a
+ * valid `{Math.max(…)}` / `{props.x}` / `{frontmatter.title}` never false-warns.
+ */
+const ALWAYS_IN_SCOPE = new Set<string>([
+  // MDX render scope
+  'props', 'frontmatter', 'arguments', 'undefined', 'null', 'this',
+  // value globals
+  'NaN', 'Infinity', 'globalThis', 'console',
+  'Math', 'JSON', 'Date', 'Object', 'Array', 'String', 'Number', 'Boolean',
+  'RegExp', 'Map', 'Set', 'WeakMap', 'WeakSet', 'Symbol', 'Promise', 'Proxy',
+  'Reflect', 'BigInt', 'Error', 'Intl', 'URL', 'URLSearchParams',
+  // function globals
+  'parseInt', 'parseFloat', 'isNaN', 'isFinite', 'String', 'Number',
+  'encodeURIComponent', 'decodeURIComponent', 'encodeURI', 'decodeURI',
+  'structuredClone', 'fetch', 'atob', 'btoa',
+]);
+
+/** Recursively collect bound names from a destructuring/identifier pattern. */
+function collectPatternNames(pattern: EsNode | null | undefined, out: Set<string>): void {
+  if (!pattern || typeof (pattern as EsNode).type !== 'string') return;
+  const node = pattern as Record<string, unknown> & { type: string };
+  switch (node.type) {
+    case 'Identifier':
+      out.add(node.name as string);
+      break;
+    case 'ObjectPattern':
+      for (const prop of (node.properties as EsNode[]) || []) {
+        const p = prop as Record<string, unknown> & { type: string };
+        if (p.type === 'RestElement') collectPatternNames(p.argument as EsNode, out);
+        else collectPatternNames(p.value as EsNode, out);
+      }
+      break;
+    case 'ArrayPattern':
+      for (const el of (node.elements as (EsNode | null)[]) || []) collectPatternNames(el, out);
+      break;
+    case 'RestElement':
+      collectPatternNames(node.argument as EsNode, out);
+      break;
+    case 'AssignmentPattern':
+      collectPatternNames(node.left as EsNode, out);
+      break;
+  }
+}
+
+/** Names that `import …`/`export …` introduce into expression scope. */
+function collectBindingsFromEsm(estree: EsNode, out: Set<string>): void {
+  visitEstree(estree as never, (node) => {
+    const n = node as Record<string, unknown> & { type: string };
+    if (n.type === 'ImportDeclaration') {
+      for (const spec of (n.specifiers as EsNode[]) || []) {
+        const s = spec as unknown as { local?: { name?: string } };
+        if (s.local?.name) out.add(s.local.name);
+      }
+    } else if (n.type === 'ExportNamedDeclaration' || n.type === 'ExportDefaultDeclaration') {
+      const decl = n.declaration as (Record<string, unknown> & { type: string }) | undefined;
+      if (!decl) return;
+      if (decl.type === 'VariableDeclaration') {
+        for (const d of (decl.declarations as EsNode[]) || []) {
+          collectPatternNames((d as unknown as { id?: EsNode }).id, out);
+        }
+      } else if (
+        (decl.type === 'FunctionDeclaration' || decl.type === 'ClassDeclaration') &&
+        (decl.id as { name?: string } | undefined)?.name
+      ) {
+        out.add((decl.id as { name: string }).name);
+      }
+    }
+  });
+}
+
+/** True when the estree contains any function/arrow (→ skip: local scopes). */
+function containsFunction(estree: EsNode): boolean {
+  let found = false;
+  visitEstree(estree as never, (node) => {
+    const t = (node as EsNode).type;
+    if (
+      t === 'FunctionDeclaration' ||
+      t === 'FunctionExpression' ||
+      t === 'ArrowFunctionExpression'
+    ) {
+      found = true;
+    }
+  });
+  return found;
+}
+
+/**
+ * Collect the free identifier names *referenced* by a function-free expression.
+ * Excludes non-reference positions: non-computed member `.property`, non-shorthand
+ * object keys, and labels.
+ */
+function collectReferencedNames(estree: EsNode): string[] {
+  const names = new Set<string>();
+  visitEstree(estree as never, (node, _key, _index, ancestors) => {
+    if ((node as EsNode).type !== 'Identifier') return;
+    const name = (node as { name: string }).name;
+    const parent = ancestors[ancestors.length - 1] as
+      | (Record<string, unknown> & { type: string })
+      | undefined;
+    if (parent) {
+      // `a.b` — `b` is a property name, not a reference (unless computed `a[b]`).
+      if (parent.type === 'MemberExpression' && parent.computed === false && parent.property === node) {
+        return;
+      }
+      // `{ a: x }` — `a` is a key, not a reference (shorthand `{a}` IS a ref).
+      if (
+        parent.type === 'Property' &&
+        parent.computed === false &&
+        parent.key === node &&
+        parent.shorthand === false
+      ) {
+        return;
+      }
+    }
+    names.add(name);
+  });
+  return Array.from(names);
+}
+
+/**
+ * Scan a page's MDX `content` for expressions that reference undefined
+ * identifiers and would throw at render (now silently dropped by the recma
+ * guard). Returns one issue per risky expression.
+ *
+ * @param content  Raw MDX source of the page.
+ * @param pagePath Page path relative to the docs root (used in messages).
+ */
+export function findRiskyExpressions(content: string, pagePath: string): RiskyExpressionIssue[] {
+  let tree: ReturnType<ReturnType<typeof unified>['parse']>;
+  try {
+    tree = unified().use(remarkParse).use(remarkMdx).parse(content);
+  } catch {
+    // Malformed MDX (a true syntax error) is handled by the separate
+    // pre-compile guard; the scanner must never crash a build over a parse.
+    return [];
+  }
+
+  // Pass 1: file-level bindings from every import/export block.
+  const bindings = new Set<string>();
+  visitMdast(tree as never, 'mdxjsEsm', (node: { data?: { estree?: EsNode } }) => {
+    if (node.data?.estree) collectBindingsFromEsm(node.data.estree, bindings);
+  });
+
+  // Pass 2: each text/flow expression — flag provably-unbound references.
+  const issues: RiskyExpressionIssue[] = [];
+  const expressionTypes = new Set(['mdxTextExpression', 'mdxFlowExpression']);
+  visitMdast(tree as never, (node: { type: string; value?: string; data?: { estree?: EsNode } }) => {
+    if (!expressionTypes.has(node.type)) return;
+    const estree = node.data?.estree;
+    if (!estree) return;
+    // Empty `{}` or comment-only `{/* … */}` expressions have no statement.
+    const body = (estree as { body?: EsNode[] }).body;
+    if (!body || body.length === 0) return;
+    if (containsFunction(estree)) return; // precision: don't model local scopes
+
+    const referenced = collectReferencedNames(estree);
+    const undefinedRefs = referenced.filter(
+      (name) => !bindings.has(name) && !ALWAYS_IN_SCOPE.has(name),
+    );
+    if (undefinedRefs.length === 0) return;
+
+    const expr = (node.value ?? '').trim();
+    const refList = undefinedRefs.map((r) => `\`${r}\``).join(', ');
+    // Backtick-wrap so the message renders cleanly as Markdown in the dashboard
+    // + build-warnings email (a bare `{x}` would be dropped as unknown HTML).
+    issues.push({
+      expression: expr,
+      undefinedRefs,
+      message:
+        `\`{${expr}}\` in \`${pagePath}\` references undefined ${refList}. ` +
+        `MDX evaluates \`{…}\` as JavaScript, so this expression was dropped to ` +
+        `avoid a render error. If you meant literal braces, escape them as ` +
+        `\`\\{${expr}\\}\` or write \`{'{${expr}}'}\`.`,
+    });
+  });
+
+  return issues;
+}

package/vendored/lib/snippet-scanner.ts

@@ -0,0 +1,237 @@
+/**
+ * Snippet Scanner
+ *
+ * Pure scanner for author snippet-usage issues in MDX pages.
+ * Returns neutral SnippetIssue objects — no build-service-specific types —
+ * so the CLI (Task 3.4) can import this module directly without pulling in
+ * the rest of isr-build-executor (fast-glob, openapi validator, etc.).
+ *
+ * SINGLE SOURCE OF TRUTH: this module is re-exported from isr-build-executor.ts
+ * and synced to cli/src/lib/snippet-scanner.ts by vendor.js.
+ * Do NOT duplicate this logic elsewhere.
+ *
+ * IMPORTANT: This module must remain import-free (zero `import` statements).
+ * The CLI imports it directly to avoid pulling in heavy deps.
+ */
+
+/**
+ * Strip fenced code blocks, inline code spans, YAML frontmatter, and HTML
+ * comments from MDX content so that examples demonstrating `<Snippet>` syntax
+ * do not trigger false-positive warnings.
+ *
+ * Four passes, applied in order:
+ *
+ * 0a. **YAML frontmatter** — ONLY when `content` begins at the very start of
+ *    the string with a `---` fence line.  Strips from that opening `---`
+ *    through the matching closing `---` line.  The regex is anchored to the
+ *    string start so a `---` thematic-break (horizontal rule) in the middle
+ *    of the body is NOT mistaken for frontmatter — body content after a
+ *    mid-document `---` remains scannable.
+ *
+ * 0b. **HTML comments** — strips `<!--…-->` (non-greedy, multi-line) globally.
+ *    An unterminated `<!--` with no closing `-->` does NOT match (conservative
+ *    — leaves following content scannable).
+ *
+ * 1. **Fenced code blocks** — line-based state machine.  A line whose
+ *    trimmed-left text starts with three or more backticks (``` ` ```) or
+ *    three or more tildes (`~~~`), with an optional language/info string after
+ *    the opening fence, toggles fence state.  Lines inside a fence are
+ *    replaced with empty lines (newline structure is preserved so nothing on
+ *    adjacent lines accidentally concatenates across a stripped region).
+ *
+ * 2. **Inline code spans** — a simple global replace of `` `…` `` (single-
+ *    backtick spans, not crossing line boundaries) with a single space.
+ *    Applied after fence removal so fence bodies are already gone.
+ *
+ * Pure function — zero imports, no side effects.
+ */
+function stripCodeRegions(content: string): string {
+  // Pass 0a: strip YAML frontmatter — ONLY when anchored at string start.
+  // The regex anchors at ^ (start of string, not start of line) so a `---`
+  // horizontal-rule in the middle of the body is never treated as frontmatter.
+  // Replacement is a single newline so that line offsets for subsequent passes
+  // are not dramatically shifted (body content stays intact).
+  let stripped = content.replace(/^---\r?\n[\s\S]*?\r?\n---[ \t]*\r?\n?/, '\n');
+
+  // Pass 0b: strip HTML comments (non-greedy, multi-line).
+  // `[\s\S]*?` matches across newlines; non-greedy ensures each `-->` closes
+  // its nearest preceding `<!--`.  An unterminated `<!--` with no `-->` leaves
+  // the rest of the content scannable (no match → no removal).
+  stripped = stripped.replace(/<!--[\s\S]*?-->/g, ' ');
+
+  // Pass 1: strip fenced code blocks via a line-based state machine.
+  const lines = stripped.split('\n');
+  let inFence = false;
+  let fenceChar = '';   // '`' or '~'
+  let fenceLen = 0;     // length of opening fence run (≥3)
+
+  for (let i = 0; i < lines.length; i++) {
+    const trimmed = lines[i].trimStart();
+    // Detect a fence marker: 3+ identical backticks or tildes at line start.
+    const fenceMatch = /^(`{3,}|~{3,})/.exec(trimmed);
+    if (fenceMatch) {
+      const ch = fenceMatch[1][0];
+      const len = fenceMatch[1].length;
+      if (!inFence) {
+        // Opening fence — enter fenced state; blank this line.
+        inFence = true;
+        fenceChar = ch;
+        fenceLen = len;
+        lines[i] = '';
+      } else if (ch === fenceChar && len >= fenceLen) {
+        // Closing fence — exit fenced state; blank this line.
+        inFence = false;
+        fenceChar = '';
+        fenceLen = 0;
+        lines[i] = '';
+      } else {
+        // A fence-like line INSIDE a fence (e.g. nested backticks in a tilde
+        // fence) — treat as content and blank it.
+        lines[i] = '';
+      }
+    } else if (inFence) {
+      // Inside a fence — blank the content line.
+      lines[i] = '';
+    }
+    // Outside a fence: leave the line unchanged.
+  }
+
+  // An unterminated fence intentionally strips to EOF: if the loop ends with
+  // `inFence` still true, the author opened a fence and never closed it. Per
+  // CommonMark §4.5 (which micromark/MDX implement) an unterminated fence
+  // extends to the end of the document, so the renderer treats ALL post-fence
+  // content — including any <Snippet> — as literal code text. It never renders
+  // as a live component and cannot throw, so it genuinely is not live and must
+  // not warn. Restoring those post-fence lines would diverge from the renderer
+  // and reintroduce exactly the false-positive class this stripper fixes.
+
+  const withoutFences = lines.join('\n');
+
+  // Pass 2: strip inline code spans (single-backtick, no newlines).
+  return withoutFences.replace(/`[^`\n]+`/g, ' ');
+}
+
+/**
+ * Normalize a `/snippets/…` import path or a snippet filename (from
+ * `collectSnippetFiles`) to a consistent, extensionless key used for
+ * membership lookups.
+ *
+ * Strips, in order:
+ *   1. A leading `/snippets/` segment (import paths from author MDX).
+ *   2. Any remaining leading `/` (defensive — collectSnippetFiles returns
+ *      relative paths without a leading slash, but import paths vary).
+ *   3. The file extension (`.mdx`, `.tsx`, `.jsx`), so a file on disk at
+ *      `snippets/shared/card.tsx` (key `"shared/card"`) matches an import
+ *      written as `/snippets/shared/card.mdx` (also normalizes to
+ *      `"shared/card"`).
+ *
+ * SINGLE SOURCE OF TRUTH for import-path → key derivation — mirrors the role
+ * of `normalizeOpenApiRefKey` for OpenAPI refs. The build and CLI (Task 3.4)
+ * both call this so the matching logic can never drift.
+ */
+export function normalizeSnippetRef(ref: string): string {
+  return ref
+    .replace(/^\/snippets\//, '') // strip /snippets/ prefix (import paths)
+    .replace(/^\//, '')           // strip any remaining leading /
+    .replace(/\.(mdx|tsx|jsx)$/, ''); // strip recognized extensions
+}
+
+/**
+ * A single author-facing issue found on a docs page relating to snippets.
+ * Intentionally NOT a `BuildWarning` — keeping the scanner pure (string in,
+ * issues out) lets the CLI (Task 3.4) map issues to its own output format
+ * without importing build-service-specific types.
+ */
+export interface SnippetIssue {
+  /** Discriminates the two warning variants. */
+  variant: 'unsupported_tag' | 'missing_import';
+  /**
+   * The file reference extracted from the tag's `file=` attr or the import
+   * path.  `null` when a bare `<Snippet/>` with no `file=` attribute is used.
+   */
+  ref: string | null;
+  /**
+   * Author-facing guidance message — identical between build and CLI so both
+   * surfaces give consistent advice.
+   */
+  message: string;
+}
+
+/**
+ * Scan a single page's MDX `content` and return every snippet-related author
+ * mistake as a `SnippetIssue`.
+ *
+ * Fenced code blocks (``` ``` ``` and `~~~`) and inline code spans are stripped
+ * from `content` before scanning, so examples in documentation that demonstrate
+ * `<Snippet>` syntax do not produce false-positive warnings.
+ *
+ * Two distinct variants are detected:
+ *
+ * 1. **`unsupported_tag`** — `<Snippet …/>` JSX tag usage.  Mintlify supports
+ *    this mechanism; Jamdesk does not.  Our renderer replaces every `<Snippet>`
+ *    with an inline error placeholder REGARDLESS of whether the referenced file
+ *    exists — so the tag is always broken for the reader and always warnable.
+ *    (An existence check here would wrongly suppress the common case where the
+ *    author copied a Mintlify doc and the snippet file happens to exist.)
+ *
+ * 2. **`missing_import`** — `import X from '/snippets/…'` where the normalized
+ *    target is NOT found among the project's snippet files.  The supported
+ *    pattern for importing snippets; only warn when the file is absent.
+ *
+ * @param content     - Raw MDX source of the page being scanned.
+ * @param pagePath    - Page path relative to the docs root (used in messages).
+ * @param snippetKeys - Extensionless snippet keys already reduced via
+ *                      `normalizeSnippetRef`; built ONCE by the caller from
+ *                      `collectSnippetFiles(…).map(normalizeSnippetRef)`.
+ */
+export function findSnippetIssues(
+  content: string,
+  pagePath: string,
+  snippetKeys: Set<string>,
+): SnippetIssue[] {
+  const issues: SnippetIssue[] = [];
+
+  // Strip fenced code blocks and inline code spans so that documentation
+  // examples demonstrating <Snippet> syntax do not trigger false positives.
+  const scannableContent = stripCodeRegions(content);
+
+  // — Variant 1: <Snippet …> tag (unsupported, always warn) ——————————————
+  const tagRe = /<Snippet\b[^>]*>/g;
+  let tagMatch: RegExpExecArray | null;
+  while ((tagMatch = tagRe.exec(scannableContent)) !== null) {
+    const tagSrc = tagMatch[0];
+    // Try to extract the file= attribute value (single or double quotes).
+    const fileAttrMatch = /file=["']([^"']+)["']/.exec(tagSrc);
+    const ref = fileAttrMatch ? fileAttrMatch[1] : null;
+    // Backtick-wrap the leading `<Snippet>` token: these messages render as
+    // Markdown/HTML in the dashboard + build-warnings email, where a bare
+    // <Snippet> would be parsed as an unknown HTML tag and silently dropped.
+    const message = ref
+      ? `\`<Snippet>\` is not supported — convert to an import: \`import X from '/snippets/${ref}'\` then \`<X/>\`.`
+      : `\`<Snippet>\` is not supported — convert to an import: \`import X from '/snippets/<file>'\` then \`<X/>\`.`;
+    issues.push({ variant: 'unsupported_tag', ref, message });
+  }
+
+  // — Variant 2: import … from '/snippets/…' with a missing target ————————
+  // Absolute /snippets/ only: Jamdesk imports are root-relative
+  // (next-mdx-remote only resolves `/snippets/<name>`). Anchoring the capture
+  // at `/snippets/` rejects `./snippets/foo` / `../snippets/foo` — those would
+  // survive normalizeSnippetRef's strip and produce a spurious missing_import.
+  const importRe = /import\s+[^'"]*from\s+['"](\/snippets\/[^'"]+)['"]/g;
+  let importMatch: RegExpExecArray | null;
+  while ((importMatch = importRe.exec(scannableContent)) !== null) {
+    const importPath = importMatch[1];
+    const key = normalizeSnippetRef(importPath);
+    if (!snippetKeys.has(key)) {
+      // Extract just the filename for the "checked" hint in the message.
+      const fileName = importPath.replace(/^.*\/snippets\//, '');
+      issues.push({
+        variant: 'missing_import',
+        ref: importPath,
+        message: `Snippet \`${fileName}\` imported in \`${pagePath}\` was not found; checked \`snippets/${fileName}\`.`,
+      });
+    }
+  }
+
+  return issues;
+}

package/vendored/lib/static-artifacts.ts

@@ -157,7 +157,12 @@ export interface LlmsTxtOptions {
   pages: PageMetadata[];
   /** Whether docs are hosted at /docs path */
   hostAtDocs?: boolean;
-  /** Block all crawlers - generates empty llms.txt */
+  /**
+   * Site-level noindex flag (from seo.metatags.robots). Passed through for
+   * interface parity with other artifact options but NOT used to blank the
+   * output — AI agents fetch llms.txt directly and do not honor robots
+   * directives. Per-page filtering (hidden / noindex frontmatter) still applies.
+   */
   noindex?: boolean;
   /**
    * Visibility inputs from lib/visibility.ts. When provided, filtering
@@ -177,11 +182,12 @@ export interface LlmsTxtOptions {
  * @returns Plain text string
  */
 export function generateLlmsTxt(options: LlmsTxtOptions): string {
-  const { name, description, baseUrl, pages, hostAtDocs = false, noindex = false, visibility } = options;
+  const { name, description, baseUrl, pages, hostAtDocs = false, visibility } = options;
 
-  if (noindex) {
-    return '';
-  }
+  // NOTE: noindex is intentionally NOT respected here. AI agents fetch llms.txt
+  // directly and do not honor robots directives, so this file is generated
+  // regardless of the site's indexing state. Per-page hidden/noindex filtering
+  // (via isPageMetadataIncluded below) still applies.
 
   const urlPrefix = hostAtDocs ? '/docs' : '';
 
@@ -354,7 +360,12 @@ export interface LlmsFullTxtOptions {
   name: string;
   /** Pages with full content */
   pages: LlmsFullPageInfo[];
-  /** Block all crawlers - generates empty file */
+  /**
+   * Site-level noindex flag (from seo.metatags.robots). Passed through for
+   * interface parity with other artifact options but NOT used to blank the
+   * output — AI agents fetch llms-full.txt directly and do not honor robots
+   * directives. Per-page filtering (hidden / noindex frontmatter) still applies.
+   */
   noindex?: boolean;
   /**
    * Visibility inputs from lib/visibility.ts. When provided, filtering
@@ -372,11 +383,12 @@ export interface LlmsFullTxtOptions {
  * giving consistent hidden/orphan/searchable handling across all artifacts.
  */
 export function generateLlmsFullTxt(options: LlmsFullTxtOptions): string {
-  const { name, pages, noindex = false, visibility } = options;
+  const { name, pages, visibility } = options;
 
-  if (noindex) {
-    return '';
-  }
+  // NOTE: noindex is intentionally NOT respected here. AI agents fetch
+  // llms-full.txt directly and do not honor robots directives, so this file is
+  // generated regardless of the site's indexing state. Per-page hidden/noindex
+  // filtering (via computePageVisibility/frontmatter checks below) still applies.
 
   const visiblePages = pages.filter(p => {
     const path = p.path.replace(/\.mdx?$/, '');

package/vendored/lib/static-file-route.ts

@@ -37,6 +37,12 @@ const CONTENT_TYPES: Record<string, string> = {
  * (`x-jd-noindex: true`). These advertise the project's URL inventory and
  * have no business being served from a non-canonical host.
  *
+ * `x-jd-noindex: true` is set by `proxy.ts` (`projectHeaderOptsForCanonical`)
+ * when a project uses `hostAtDocs` WITHOUT a custom domain — i.e. its public
+ * face is the raw `<slug>.jamdesk.app` subdomain with no canonical elsewhere.
+ * Once a custom domain is registered, the header is replaced by a canonical-
+ * host override and noindex is no longer set.
+ *
  * `robots.txt` is handled separately — it returns a Disallow-all directive,
  * not a 404, so crawlers get an explicit "don't crawl" signal.
  *
@@ -45,20 +51,25 @@ const CONTENT_TYPES: Record<string, string> = {
  *
  * `changelog.json` is intentionally NOT in this list either, and must stay out:
  * the embeddable widget always fetches it from `<slug>.jamdesk.app` (custom
- * domains can't serve the `?embed=1` render), and that subdomain carries
- * `x-jd-noindex: true` whenever the project has a custom domain. Suppressing it
- * here would 404 the metadata fetch and permanently break the widget's unread
- * dot for every custom-domain customer. It's a deliberately public artifact
- * (served with `Access-Control-Allow-Origin: *`), not a URL-inventory file.
+ * domains can't serve the `?embed=1` render), so suppressing it here would 404
+ * the metadata fetch and permanently break the widget's unread dot for every
+ * custom-domain customer. It's a deliberately public artifact (served with
+ * `Access-Control-Allow-Origin: *`), not a URL-inventory file.
+ *
+ * `llms.txt` and `llms-full.txt` are intentionally NOT in this list: AI agents
+ * (ChatGPT, Perplexity, Claude, etc.) fetch these files directly and do not
+ * honor robots directives. Suppressing them would silently exclude noindex
+ * projects from AI-agent discovery entirely, with no benefit to crawl hygiene.
  */
 const NOINDEX_SUPPRESSED_FILES = new Set([
-  'sitemap.xml', 'llms.txt', 'llms-full.txt', 'feed.xml',
+  'sitemap.xml', 'feed.xml',
 ]);
 
 /**
  * Build a no-store synthetic response for direct upstream subdomain hits, or
  * return null if this filename should fall through to the R2 fetch even when
- * `x-jd-noindex: true` is set (i.e., `search-data.json`).
+ * `x-jd-noindex: true` is set (i.e., `search-data.json`, `changelog.json`,
+ * `llms.txt`, `llms-full.txt` — see `NOINDEX_SUPPRESSED_FILES` for the why).
  *
  * Cache-Control: no-store — the noindex flag flips off the moment a project
  * registers a customDomain; CDN edge caching would lock new customers out
@@ -168,7 +179,7 @@ export function createStaticFileHandler(
     try {
       const content = await fetchStaticFile(projectSlug, filename);
 
-      if (!content) {
+      if (content === null) {
         log('warn', `${label} not found in R2`, { projectSlug });
         return new NextResponse(`${label} not found`, { status: 404 });
       }

package/vendored/shared/status-reporter.ts

@@ -22,7 +22,7 @@ export interface ProgressUpdate {
 }
 
 /** Warning types that can occur during builds (non-blocking) */
-export type BuildWarningType = 'broken_link' | 'auto_migrate' | 'missing_asset' | 'missing_page' | 'missing_openapi_ref' | 'inline_code_on_api_page' | 'invalid_openapi_spec';
+export type BuildWarningType = 'broken_link' | 'auto_migrate' | 'missing_asset' | 'missing_page' | 'missing_openapi_ref' | 'inline_code_on_api_page' | 'invalid_openapi_spec' | 'missing_snippet' | 'risky_expression';
 
 /** Build warning structure */
 export interface BuildWarning {

package/vendored/workspace-package-lock.json

@@ -61,7 +61,7 @@
         "shiki": "^4.0.1",
         "tailwindcss": "^4.2.4",
         "typescript": "^6.0.3",
-        "unified": "^11.0.0",
+        "unified": "^11.0.5",
         "unist-util-visit": "^5.1.0"
       }
     },
@@ -2938,15 +2938,15 @@
       "license": "MIT"
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.366",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.366.tgz",
-      "integrity": "sha512-OlRuhb688YTCzzU3gXPLn6nGyd+F+53INE1qaKKlu6kETErE8FYsyDh0XqXEU+uBRn0MpCzz2vfNwORhkap8qg==",
+      "version": "1.5.367",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.367.tgz",
+      "integrity": "sha512-4Mk/mrynCNQ+atY40D3UpmhLWB6AHMbYMlIrPhHcMF6x0L7O0b052FCAsxw1LlaR++UFuNg3D/A6XCuGDa0guQ==",
       "license": "ISC"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.22.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.22.1.tgz",
-      "integrity": "sha512-6QEuw3zoX1SJQc7b87aBXke/no+mG2bTBgw29gWMQonLmpEkWoCAVkl+M49e48AZlWzxiDzDZzYdp6kobcyLww==",
+      "version": "5.22.2",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.22.2.tgz",
+      "integrity": "sha512-0rxICaFZ7NQho/sHely2bvOPRP0Eu2B0NZ9zM54YvRvWMn7jfz3DmnOZDR9LlXDdDcqntAVc6Hfy4gr/tdH/Ag==",
       "license": "MIT",
       "dependencies": {
         "graceful-fs": "^4.2.4",

package/dist/__tests__/unit/dev-workspace-symlinks.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=dev-workspace-symlinks.test.d.ts.map

package/dist/__tests__/unit/dev-workspace-symlinks.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"dev-workspace-symlinks.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/unit/dev-workspace-symlinks.test.ts"],"names":[],"mappings":""}