jamdesk 1.1.41 → 1.1.42

package/vendored/lib/r2-content.ts

@@ -15,19 +15,7 @@ export const R2_NOT_FOUND_ERROR_NAMES: ReadonlySet<string> = new Set([
 ]);
 export const R2_NOT_FOUND_MESSAGE_PREFIX = 'Page not found';
 
-export function evictOldest<K, V>(cache: Map<K, V>, maxSize: number): void {
-  if (cache.size <= maxSize) return;
-  const toDelete = cache.size - maxSize;
-  let count = 0;
-  for (const key of cache.keys()) {
-    if (count >= toDelete) break;
-    cache.delete(key);
-    count++;
-  }
-}
-
 export function clearConfigCache(_projectSlug?: string): void {}
-export function getConfigCacheSize(): number { return 0; }
 
 export function isR2NotFound(_err: unknown): boolean { return false; }
 
@@ -54,18 +42,6 @@ export async function fetchOpenApiFile(_projectSlug: string, _specPath: string):
 
 export async function listAllPaths(_projectSlug: string): Promise<string[]> { return []; }
 
-export interface Manifest {
-  version: number;
-  timestamp: string;
-  projectSlug?: string;
-  files: Record<string, { hash: string; size?: number }>;
-  snippets?: Record<string, { hash: string }>;
-  openapi?: Record<string, { hash: string }>;
-  configHash?: string;
-}
-
-export async function fetchManifest(_projectSlug: string): Promise<Manifest | null> { return null; }
-
 export interface AssetResult {
   body: Uint8Array;
   contentType: string;

package/vendored/lib/r2-manifest.ts

@@ -10,6 +10,7 @@ import {
   S3Client,
   GetObjectCommand,
 } from '@aws-sdk/client-s3';
+import { isR2NotFound } from './r2-content.js';
 
 // R2 configuration from environment variables
 const R2_CONFIG = {
@@ -52,12 +53,20 @@ export interface Manifest {
   projectSlug?: string;
   files: Record<string, { hash: string; size?: number }>;
   snippets?: Record<string, { hash: string }>;
+  openapi?: Record<string, { hash: string }>;
   assets?: Record<string, { hash: string }>;
+  staticFiles?: Record<string, { hash: string }>;
   configHash?: string;
 }
 
 /**
- * Fetch project manifest from R2 (for cache invalidation)
+ * Fetch project manifest from R2.
+ *
+ * Returns null only when the manifest object truly doesn't exist (NoSuchKey/404 —
+ * legitimate first build). Throws on transient R2 errors so the caller can
+ * distinguish a real first build versus a lost-state hiccup — silently treating
+ * a transient error as null causes the cleanup-removed-keys step to be skipped
+ * and forces a project-wide revalidation that wasn't actually warranted.
  */
 export async function fetchManifest(
   projectSlug: string
@@ -79,7 +88,8 @@ export async function fetchManifest(
 
     const text = await response.Body.transformToString();
     return JSON.parse(text);
-  } catch {
-    return null;
+  } catch (err) {
+    if (isR2NotFound(err)) return null;
+    throw err;
   }
 }

package/vendored/lib/revalidation-helpers.ts

@@ -13,6 +13,7 @@ import { clearProjectCache as clearMcpProjectCache, clearCache as clearMcpCache
 import { clearNavigationCache } from './navigation-resolver';
 import { STATIC_REVALIDATION_PATHS } from './static-file-route';
 import { clearRedirectCache } from './redirect-matcher';
+import { mdxCacheTag, projectCacheTag } from './cache-tags';
 
 /**
  * Validate the revalidation secret using constant-time comparison.
@@ -119,15 +120,35 @@ export async function executeRevalidation(
 ): Promise<RevalidateResult> {
   const revalidated: string[] = [];
 
-  // Clear all caches for project
-  if (request.project) {
-    clearConfigCache(request.project);
-    clearSnippetCache(request.project);
-    clearOpenApiCache(request.project);
-    clearMcpProjectCache(request.project);
-    await clearRedirectCache(request.project);
+  // Whole-project clear: only when a project is named and the caller gave us
+  // nothing to scope on. A targeted request (tags or paths supplied) must NOT
+  // run the project-wide shims — clearConfigCache emits a revalidateTag that
+  // would silently widen the caller's surgical invalidation to bust unrelated
+  // cache namespaces, and the in-memory clears would discard parsed data the
+  // caller never asked to invalidate.
+  const isWholeProjectClear = Boolean(
+    request.project && request.tags.length === 0 && request.paths.length === 0
+  );
+
+  if (isWholeProjectClear) {
+    const project = request.project!;
+    clearConfigCache(project);
+    clearSnippetCache(project);
+    clearOpenApiCache(project);
+    clearMcpProjectCache(project);
+    await clearRedirectCache(project);
     clearNavigationCache(); // Navigation cache keys include project name, clear all for simplicity
-    revalidated.push(`cache:${request.project}`);
+    revalidated.push(`cache:${project}`);
+    request.tags = [projectCacheTag(project)];
+  }
+
+  // Auto-add per-path mdx tags when paths are supplied with a project.
+  if (request.project && request.paths.length > 0) {
+    const pathTags = request.paths.map((p) => {
+      const normalized = p.replace(/^\//, '').replace(/\.mdx$/, '');
+      return mdxCacheTag(request.project!, normalized);
+    });
+    request.tags = [...request.tags, ...pathTags];
   }
 
   // Revalidate specific paths
@@ -143,10 +164,15 @@ export async function executeRevalidation(
     }
   }
 
-  // Revalidate by tag
+  // Revalidate by tag.
+  // `{ expire: 0 }` forces immediate purge — the next reader pays a fresh fetch
+  // rather than getting stale-while-revalidate content. Required for the
+  // publish→view loop: an author who just hit Publish must see their changes
+  // on first load, not on the second. The `'max'` profile would silently serve
+  // stale content to whoever loads the page first after a build.
   if (request.tags.length > 0 && revalidateTag) {
     for (const tag of request.tags) {
-      revalidateTag(tag);
+      revalidateTag(tag, { expire: 0 });
       revalidated.push(`tag:${tag}`);
     }
   } else if (request.tags.length > 0) {
@@ -158,7 +184,11 @@ export async function executeRevalidation(
 
   // Revalidate everything
   if (request.all) {
-    clearConfigCache();
+    // Bare {all: true} (no project scope) must also flush the in-memory parsed
+    // snippet/openapi caches — they store data in module-level Maps that
+    // revalidatePath alone won't invalidate. (clearConfigCache is per-project
+    // by design; admins running bare-all rely on the next reader hitting the
+    // unstable_cache TTL or use a follow-up project-scoped revalidate.)
     clearSnippetCache();
     clearOpenApiCache();
     clearMcpCache();

package/vendored/lib/revalidation-trigger.ts

@@ -147,61 +147,140 @@ async function purgeCloudflareCache(projectSlug: string): Promise<void> {
 
 export interface Manifest {
   files: Record<string, { hash: string }>;
+  snippets?: Record<string, { hash: string }>;
   openapi?: Record<string, { hash: string }>;
+  assets?: Record<string, { hash: string }>;
+  staticFiles?: Record<string, { hash: string }>;
   configHash?: string;
 }
 
-/** Compare manifests and return paths that changed (without .mdx extension). */
-export function getChangedPaths(
+function getMdxChangedPaths(
   oldManifest: Manifest | null,
   newManifest: Manifest
 ): string[] {
   if (!oldManifest) {
-    // All files are new - return all paths
     return Object.keys(newManifest.files).map(path => path.replace('.mdx', ''));
   }
 
+  // Past the threshold the decision escalates to project-wide and the array
+  // is discarded, so cap collection at threshold+1 to avoid building huge
+  // path lists for bulk edits (e.g., 5k-page Prettier sweeps).
+  const cap = MANY_MDX_THRESHOLD + 1;
   const changed: string[] = [];
 
-  // Check for new or modified files
   for (const [path, info] of Object.entries(newManifest.files)) {
+    if (changed.length >= cap) return changed;
     const oldInfo = oldManifest.files[path];
     if (!oldInfo || oldInfo.hash !== info.hash) {
       changed.push(path.replace('.mdx', ''));
     }
   }
 
-  // Check for deleted files
   for (const path of Object.keys(oldManifest.files)) {
+    if (changed.length >= cap) return changed;
     if (!(path in newManifest.files)) {
       changed.push(path.replace('.mdx', ''));
     }
   }
 
-  // When config or OpenAPI specs changed (no MDX changes), revalidate all pages.
-  // Config changes (e.g., _hasCustomJs flag) affect every page's layout.
-  // OpenAPI changes can affect any endpoint page.
-  if (changed.length === 0 &&
-    (oldManifest.configHash !== newManifest.configHash ||
-     hasOpenapiChanges(oldManifest, newManifest))) {
-    return Object.keys(newManifest.files).map(p => p.replace('.mdx', ''));
-  }
-
   return changed;
 }
 
+function hasConfigChanges(oldManifest: Manifest, newManifest: Manifest): boolean {
+  return oldManifest.configHash !== newManifest.configHash;
+}
+
+function hasHashMapChanges(
+  oldRecords: Record<string, { hash: string }> | undefined,
+  newRecords: Record<string, { hash: string }> | undefined
+): boolean {
+  const oldEntries = oldRecords || {};
+  const newEntries = newRecords || {};
+
+  for (const [path, info] of Object.entries(newEntries)) {
+    if (!oldEntries[path] || oldEntries[path].hash !== info.hash) return true;
+  }
+  for (const path of Object.keys(oldEntries)) {
+    if (!(path in newEntries)) return true;
+  }
+  return false;
+}
+
 /** Check if any OpenAPI spec hashes changed between manifests. */
 function hasOpenapiChanges(oldManifest: Manifest, newManifest: Manifest): boolean {
-  const oldSpecs = oldManifest.openapi || {};
-  const newSpecs = newManifest.openapi || {};
+  return hasHashMapChanges(oldManifest.openapi, newManifest.openapi);
+}
+
+function hasSnippetChanges(oldManifest: Manifest, newManifest: Manifest): boolean {
+  return hasHashMapChanges(oldManifest.snippets, newManifest.snippets);
+}
+
+function hasStaticFileChanges(oldManifest: Manifest, newManifest: Manifest): boolean {
+  return hasHashMapChanges(oldManifest.staticFiles, newManifest.staticFiles);
+}
 
-  for (const [path, info] of Object.entries(newSpecs)) {
-    if (!oldSpecs[path] || oldSpecs[path].hash !== info.hash) return true;
+function hasAssetChanges(oldManifest: Manifest, newManifest: Manifest): boolean {
+  return hasHashMapChanges(oldManifest.assets, newManifest.assets);
+}
+
+export type RevalidationReason =
+  | 'first_build'
+  | 'mdx'
+  | 'many_mdx'
+  | 'config'
+  | 'openapi'
+  | 'snippets'
+  | 'static'
+  | 'assets';
+
+export interface RevalidationDecision {
+  changedPaths: string[];
+  all: boolean;
+  reasons: RevalidationReason[];
+}
+
+/**
+ * Above this number of MDX path changes we escalate to a project-wide
+ * invalidation rather than firing one revalidatePath per file. The current
+ * value is a heuristic — re-tune if production data shows a better tradeoff
+ * between per-call cost and Data Cache thrash for large bulk edits.
+ */
+const MANY_MDX_THRESHOLD = 50;
+
+export function getRevalidationDecision(
+  oldManifest: Manifest | null,
+  newManifest: Manifest
+): RevalidationDecision {
+  if (!oldManifest) {
+    return { changedPaths: [], all: true, reasons: ['first_build'] };
   }
-  for (const path of Object.keys(oldSpecs)) {
-    if (!(path in newSpecs)) return true;
+
+  const changedPaths = getMdxChangedPaths(oldManifest, newManifest);
+  const reasons: RevalidationReason[] = [];
+  if (changedPaths.length > MANY_MDX_THRESHOLD) {
+    reasons.push('many_mdx');
+  } else if (changedPaths.length > 0) {
+    reasons.push('mdx');
   }
-  return false;
+  if (hasConfigChanges(oldManifest, newManifest)) reasons.push('config');
+  if (hasOpenapiChanges(oldManifest, newManifest)) reasons.push('openapi');
+  if (hasSnippetChanges(oldManifest, newManifest)) reasons.push('snippets');
+  if (hasStaticFileChanges(oldManifest, newManifest)) reasons.push('static');
+  if (hasAssetChanges(oldManifest, newManifest)) reasons.push('assets');
+
+  // Operator-side rollback: if the targeted decision misbehaves in production
+  // (under-revalidates and serves stale content), set REVALIDATION_FORCE_ALL=true
+  // to escalate every non-empty change set to project-wide invalidation. The
+  // env-var check is per-build, so toggling on Cloud Run is a config update,
+  // not a redeploy.
+  const forceAll = process.env.REVALIDATION_FORCE_ALL === 'true' && reasons.length > 0;
+  const all = forceAll || reasons.some((reason) => reason !== 'mdx');
+
+  return {
+    changedPaths: all ? [] : changedPaths,
+    all,
+    reasons,
+  };
 }
 
 /** Trigger revalidation for changed files between manifests. */
@@ -210,19 +289,16 @@ export async function triggerRevalidationForChanges(
   oldManifest: Manifest | null,
   newManifest: Manifest
 ): Promise<void> {
-  const changedPaths = getChangedPaths(oldManifest, newManifest);
+  const decision = getRevalidationDecision(oldManifest, newManifest);
 
-  if (changedPaths.length === 0) {
+  if (decision.reasons.length === 0) {
     log('info', 'No changes detected, skipping revalidation', { projectSlug });
     return;
   }
 
-  // If more than 50 paths changed, just revalidate all
-  const shouldRevalidateAll = changedPaths.length > 50;
-
   await triggerRevalidation({
     projectSlug,
-    changedPaths: shouldRevalidateAll ? undefined : changedPaths,
-    all: shouldRevalidateAll,
+    changedPaths: decision.changedPaths,
+    all: decision.all,
   });
 }

package/vendored/lib/scanner-blocklist.ts

@@ -0,0 +1,256 @@
+// DO NOT EDIT — this file is auto-synced from shared/. Edit the source in shared/ and run ./scripts/sync-shared.sh
+
+/**
+ * Scanner probe blocklist.
+ *
+ * Returns a category tag for request paths that match well-known security-
+ * scanner patterns (.git, .env, wp-admin, phpmyadmin, etc.), or null for
+ * legitimate paths. Both Vercel proxies (build-service + proxy) use this
+ * as the first check in their middleware to short-circuit these requests
+ * with a 404 before any I/O — preventing the catch-all docs renderer / R2
+ * lookup from spending CPU on garbage traffic.
+ *
+ * The category is included in the proxy log line so we can rank patterns
+ * by volume (see scripts/analyze-scanner-blocks.sh) and promote the top
+ * ones to Vercel WAF rules at the network edge.
+ *
+ * Log-shape contract: each proxy emits a single-line JSON record formatted
+ * as `[middleware] scanner-block {"pathname":"...","category":"...","host":"...","clientIp":"...","clientIpSource":"..."}`.
+ * `clientIp` is sourced from `x-real-ip` (Vercel's edge sets it to the
+ * observed TCP peer — not spoofable from outside Vercel) with first-hop
+ * `x-forwarded-for` as a fallback for non-Vercel deploys / local dev.
+ * `clientIpSource` records WHICH header produced the value so the analyzer
+ * can filter to unspoofable IPs when promoting to a Vercel WAF block list —
+ * `x-real-ip` is trustworthy on Vercel; `x-forwarded-for` is attacker-
+ * controllable (Vercel preserves client-supplied XFF). Values:
+ * `x-real-ip` | `x-forwarded-for` | `none`. The analyzer's regex extractor
+ * (`"pathname":"[^"]+"`) assumes pathname/IP do NOT contain quote characters
+ * — true for IPs and real-world scanner probes, which use unescaped ASCII.
+ * If you extend the record to include fields that legitimately can contain
+ * quotes (user-agent, referer, query strings), update
+ * analyze-scanner-blocks.sh's regex to handle JSON-escaped quotes (`\"`)
+ * or it will silently truncate at the first one.
+ *
+ * Carve-out: /.well-known/* (with trailing slash) is always allowed for
+ * Let's Encrypt ACME, security.txt, app-site-association, etc.
+ *
+ * Case-insensitive: bots often randomize case to evade naive matchers.
+ *
+ * Defensive against // path traversal: even though Next.js normalizes
+ * pathname, we strip leading multiple slashes before matching.
+ *
+ * URL-encoding caveat: percent-encoded probes are NOT classified. Next.js's
+ * `request.nextUrl.pathname` preserves the percent-encoded form (per URL
+ * spec) — e.g. `/%2egit/config` arrives as `/%2egit/config`, not `/.git/config`,
+ * so the dotfile regex doesn't match. Same for double-encoding (`/%252egit/...`).
+ * In practice an encoded probe still 404s — the path doesn't exist — but it
+ * bypasses our fast-path 404 and pays full router fall-through. This is an
+ * intentional gap; the mitigation is Vercel WAF rules at the network edge,
+ * which decode before pattern-matching. Real-world scanners overwhelmingly
+ * use unencoded paths, so the helper's coverage is good in practice.
+ */
+
+export type ScannerCategory =
+  | 'dotfile'        // /.git, /.env, /.aws, /.ssh, /.htaccess, /.idea, etc.
+  | 'wordpress'      // /wp-admin, /wp-login.php, /wp-config.php, /xmlrpc.php
+  | 'phpmyadmin'     // /phpmyadmin, /pma
+  | 'apache-status'  // /server-status, /server-info
+  | 'php-config';    // /config.php, /configuration.php, /web.config, /adminer.php
+
+// Exact-match → category (lowercase keys).
+const SCANNER_EXACT: ReadonlyMap<string, ScannerCategory> = new Map([
+  ['/wp-login.php', 'wordpress' as const],
+  ['/wp-config.php', 'wordpress' as const],
+  ['/wp-config.php.bak', 'wordpress' as const],
+  ['/xmlrpc.php', 'wordpress' as const],
+  ['/adminer.php', 'php-config' as const],
+  ['/config.php', 'php-config' as const],
+  ['/configuration.php', 'php-config' as const],
+  ['/web.config', 'php-config' as const],
+  ['/server-status', 'apache-status' as const],
+  ['/server-info', 'apache-status' as const],
+]);
+
+// Prefix-match → category (lowercase). Matches the exact prefix OR `${prefix}/...`.
+const SCANNER_PREFIXES: ReadonlyArray<readonly [string, ScannerCategory]> = [
+  ['/wp-admin', 'wordpress'],
+  ['/wp-content', 'wordpress'],
+  ['/wp-includes', 'wordpress'],
+  ['/phpmyadmin', 'phpmyadmin'],
+  ['/pma', 'phpmyadmin'],
+];
+
+export function classifyScannerProbe(pathname: string): ScannerCategory | null {
+  if (!pathname || pathname === '/') return null;
+
+  // Defensive: collapse leading multiple slashes so //.git/config → /.git/config.
+  // Next.js normalizes pathname, but this keeps the helper safe to call from
+  // anywhere.
+  const normalized = pathname.replace(/^\/+/, '/');
+  const lower = normalized.toLowerCase();
+
+  // Carve-out: legitimate /.well-known/* paths (ACME, security.txt, etc.).
+  // Note: requires trailing slash — bare /.well-known with no segment is
+  // still treated as a scanner probe (no real path is exactly /.well-known).
+  if (lower.startsWith('/.well-known/')) return null;
+
+  // Any root dotfile or dot-dir: /.git, /.env, /.aws/credentials, etc.
+  // Regex: starts with "/." followed by a non-slash char.
+  if (/^\/\.[^/]/.test(lower)) return 'dotfile';
+
+  const exactCategory = SCANNER_EXACT.get(lower);
+  if (exactCategory) return exactCategory;
+
+  for (const [prefix, category] of SCANNER_PREFIXES) {
+    if (lower === prefix || lower.startsWith(`${prefix}/`)) return category;
+  }
+
+  return null;
+}
+
+const LOG_PREFIX = '[middleware] scanner-block';
+
+export type ClientIpSource = 'x-real-ip' | 'x-forwarded-for' | 'none';
+
+export interface ScannerBlockLogPayload {
+  pathname: string;
+  category: ScannerCategory;
+  host: string;
+  clientIp: string;
+  clientIpSource: ClientIpSource;
+}
+
+// Source tag lets the analyzer drop x-forwarded-for IPs (spoofable on Vercel)
+// before WAF promotion — see file header for the full rationale.
+export function clientIpFromHeaders(
+  xRealIp: string | null | undefined,
+  xForwardedFor: string | null | undefined,
+): Pick<ScannerBlockLogPayload, 'clientIp' | 'clientIpSource'> {
+  const real = xRealIp?.trim();
+  if (real) return { clientIp: real, clientIpSource: 'x-real-ip' };
+  const xff = xForwardedFor?.split(',')[0]?.trim();
+  if (xff) return { clientIp: xff, clientIpSource: 'x-forwarded-for' };
+  return { clientIp: '', clientIpSource: 'none' };
+}
+
+// Single-line JSON so `scripts/analyze-scanner-blocks.sh` can grep cleanly;
+// `console.log(prefix, obj)` gets pretty-printed by Node and breaks the regex.
+export function formatScannerBlockLog(payload: ScannerBlockLogPayload): string {
+  return `${LOG_PREFIX} ${JSON.stringify(payload)}`;
+}
+
+export function parseScannerBlockLog(line: string): ScannerBlockLogPayload {
+  const expectedPrefix = `${LOG_PREFIX} `;
+  if (!line.startsWith(expectedPrefix)) {
+    throw new Error(`expected log line to start with "${expectedPrefix}"`);
+  }
+  return JSON.parse(line.slice(expectedPrefix.length)) as ScannerBlockLogPayload;
+}
+
+// ── Persistence (Upstash Redis) ────────────────────────────────────────
+//
+// Edge middleware on each surface persists every blocked probe to a
+// dedicated Upstash sorted set so the Mon/Thu digest can read the last
+// 96 hours in one ZRANGEBYSCORE call. Score = unix ms timestamp; member
+// = JSON-stringified ScannerBlockLogPayload. Retention is enforced
+// prune-on-write (ZREMRANGEBYSCORE in the same pipeline as ZADD) so the
+// set never exceeds 7 days even if the digest job stops.
+
+export interface UpstashCreds {
+  /** Upstash REST API URL, e.g. https://xxxxxx.upstash.io */
+  url: string;
+  /** Upstash REST API bearer token. */
+  token: string;
+}
+
+/** Sorted-set key in Upstash. Single namespace shared across all three
+ *  proxies. */
+export const SCANNER_BLOCK_KEY = 'scanner-blocks';
+
+/** Retention window. Prune-on-write trims anything older. */
+export const SCANNER_BLOCK_RETENTION_MS = 7 * 24 * 60 * 60 * 1000;
+
+/**
+ * Best-effort write of a scanner-block event to Upstash, plus a prune of
+ * entries older than 7 days. Pipelined into a single round-trip. NEVER
+ * throws — middleware's primary job is the 404, persistence is a bonus.
+ *
+ * Use with `event.waitUntil()` from edge middleware so the 404 response
+ * is not blocked on this network call.
+ */
+export async function recordScannerBlock(
+  payload: ScannerBlockLogPayload,
+  creds: UpstashCreds,
+  now: number = Date.now(),
+): Promise<void> {
+  try {
+    const member = JSON.stringify(payload);
+    const cutoff = now - SCANNER_BLOCK_RETENTION_MS;
+    const body = JSON.stringify([
+      ['ZADD', SCANNER_BLOCK_KEY, String(now), member],
+      ['ZREMRANGEBYSCORE', SCANNER_BLOCK_KEY, '-inf', String(cutoff)],
+    ]);
+    await fetch(`${creds.url}/pipeline`, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${creds.token}`,
+        'Content-Type': 'application/json',
+      },
+      body,
+    });
+  } catch {
+    // Swallow. Middleware must not fail because Upstash is flaky. The
+    // existing console.log emit still goes to Vercel logs, so
+    // analyze-scanner-blocks.sh keeps working as a fallback signal.
+  }
+}
+
+/**
+ * Read all scanner-block events recorded since `sinceMs`. Throws on
+ * Upstash error — the digest job SHOULD fail loud if it can't reach
+ * storage; partial-data emails are misleading.
+ */
+export async function readScannerBlocks(
+  creds: UpstashCreds,
+  sinceMs: number,
+): Promise<ScannerBlockLogPayload[]> {
+  const body = JSON.stringify([
+    'ZRANGEBYSCORE',
+    SCANNER_BLOCK_KEY,
+    String(sinceMs),
+    '+inf',
+  ]);
+  const res = await fetch(creds.url, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${creds.token}`,
+      'Content-Type': 'application/json',
+    },
+    body,
+  });
+  if (!res.ok) {
+    const errBody = await res.text();
+    throw new Error(`Upstash ZRANGEBYSCORE failed: ${res.status} ${errBody}`);
+  }
+  const data = (await res.json()) as { result?: unknown };
+  const members = Array.isArray(data.result) ? (data.result as string[]) : [];
+  const events: ScannerBlockLogPayload[] = [];
+  for (const m of members) {
+    try {
+      const parsed = JSON.parse(m) as Partial<ScannerBlockLogPayload>;
+      if (
+        parsed &&
+        typeof parsed.pathname === 'string' &&
+        typeof parsed.category === 'string' &&
+        typeof parsed.host === 'string' &&
+        typeof parsed.clientIp === 'string' &&
+        typeof parsed.clientIpSource === 'string'
+      ) {
+        events.push(parsed as ScannerBlockLogPayload);
+      }
+    } catch {
+      // skip malformed entries
+    }
+  }
+  return events;
+}

package/vendored/lib/snippet-compiler-isr.ts

@@ -77,9 +77,12 @@ export async function compileSnippetIsr(
 }
 
 /**
- * Clear snippet cache.
+ * Clear the in-memory compiled-snippet Map for a project (or all projects).
  *
- * @param projectSlug - Optional project to clear. If not provided, clears all.
+ * Does NOT touch the unstable_cache layer that wraps fetchSnippet — emitting a
+ * project: tag here would discard config/mdx/openapi/static cache entries
+ * unrelated to snippets. Callers needing that scope should dispatch the
+ * project tag themselves (executeRevalidation does this).
  */
 export function clearSnippetCache(projectSlug?: string): void {
   if (projectSlug) {

package/vendored/scripts/validate-links.cjs

@@ -217,6 +217,16 @@ function generateSlug(text) {
     .replace(/^-+|-+$/g, '');
 }
 
+/**
+ * Mirrors uniquifySlug in lib/heading-extractor.ts. First occurrence keeps the
+ * bare slug; later collisions get -2, -3, ... suffixes in source order.
+ */
+function uniquifySlug(seen, base) {
+  const count = seen.get(base) || 0;
+  seen.set(base, count + 1);
+  return count === 0 ? base : `${base}-${count + 1}`;
+}
+
 /**
  * Extract heading slugs from MDX content.
  * Includes markdown headings, <Update label="..."> anchors, and
@@ -229,6 +239,7 @@ function generateSlug(text) {
  */
 function extractHeadingSlugs(content) {
   const slugs = new Set();
+  const seen = new Map();
   const lines = content.split('\n');
   let inCodeBlock = false;
   let fencePattern = '';
@@ -264,20 +275,20 @@ function extractHeadingSlugs(content) {
 
     const headingMatch = line.match(/^#{1,6}\s+(.+)$/);
     if (headingMatch) {
-      const slug = generateSlug(headingMatch[1].trim());
-      if (slug) slugs.add(slug);
+      const base = generateSlug(headingMatch[1].trim());
+      if (base) slugs.add(uniquifySlug(seen, base));
     }
 
     const updateMatch = line.match(/<Update\s+label=["']([^"']+)["']/);
     if (updateMatch) {
-      const slug = generateSlug(updateMatch[1]);
-      if (slug) slugs.add(slug);
+      const base = generateSlug(updateMatch[1]);
+      if (base) slugs.add(uniquifySlug(seen, base));
     }
 
     if (inStepsBlock) {
       for (const match of line.matchAll(STEP_TITLE_REGEX)) {
-        const slug = generateSlug(match[1] ?? match[2]);
-        if (slug) slugs.add(slug);
+        const base = generateSlug(match[1] ?? match[2]);
+        if (base) slugs.add(uniquifySlug(seen, base));
       }
     }