jamdesk 1.1.6 → 1.1.8

package/vendored/lib/openapi/index.ts

@@ -22,7 +22,7 @@ export type {
   OpenApiErrorType,
   OpenApiValidationError,
   ValidationResult,
-  CodeExamples,
+  CodeExample,
   GeneratedPage,
   CachedSpec,
 } from './types';
@@ -58,9 +58,17 @@ export {
 // Code Examples
 export type { AuthMethod, CodeExampleConfig } from './code-examples';
 export {
+  DEFAULT_LANGUAGES,
+  SUPPORTED_LANGUAGES,
   generateCurlExample,
   generatePythonExample,
   generateJsExample,
+  generateGoExample,
+  generateRubyExample,
+  generateCsharpExample,
+  generateJavaExample,
+  generateRustExample,
+  generatePhpExample,
   generateCodeExamples,
 } from './code-examples';
 

package/vendored/lib/openapi/types.ts

@@ -6,9 +6,11 @@
  */
 
 import type { OpenAPI, OpenAPIV3, OpenAPIV3_1 } from 'openapi-types';
+import type { AuthMethod } from './code-examples';
 
 // Re-export for convenience
 export type { OpenAPI, OpenAPIV3, OpenAPIV3_1 };
+export type { AuthMethod };
 
 /**
  * JSON Schema type (simplified for our use case)
@@ -201,12 +203,17 @@ export interface ValidationResult {
 }
 
 /**
- * Generated code examples
+ * Single code example for a specific language
  */
-export interface CodeExamples {
-  curl: string;
-  python: string;
-  javascript: string;
+export interface CodeExample {
+  /** Language identifier (e.g., 'curl', 'python', 'go') */
+  id: string;
+  /** Display label for the tab (e.g., 'cURL', 'Python', 'Go') */
+  label: string;
+  /** Shiki language ID for syntax highlighting (e.g., 'bash', 'python', 'go') */
+  language: string;
+  /** Generated code string */
+  code: string;
 }
 
 /**
@@ -230,3 +237,20 @@ export interface CachedSpec {
   version: '2.0' | '3.0' | '3.1';
   timestamp: number;
 }
+
+/**
+ * User-supplied values from the API playground form.
+ * Passed to generateCodeExamplesFromValues to produce live code previews.
+ */
+export interface PlaygroundValues {
+  /** Raw credential value (token, key, base64 credentials) */
+  auth?: string;
+  /** Auth scheme from docs.json api.mdx.auth.method */
+  authMethod?: AuthMethod;
+  /** Custom header name for 'key' auth method, from docs.json api.mdx.auth.name */
+  authHeaderName?: string;
+  pathParams: Record<string, string>;
+  queryParams: Record<string, string>;
+  headerParams: Record<string, string>;
+  body: Record<string, unknown>;
+}

package/vendored/lib/preprocess-mdx.ts

@@ -317,8 +317,9 @@ export function ensureBlankLinesInJsx(content: string): string {
     // Check it's not an HTML element or self-closing tag
     if (/^<[a-z]/.test(trimmed)) return false;
 
-    // Check it's not a code fence
-    if (/^```/.test(trimmed)) return false;
+    // Code fences need blank line separation from JSX tags too — without it,
+    // MDX doesn't transition to markdown mode and the fence can be misinterpreted
+    if (/^```/.test(trimmed)) return true;
 
     // Check it's not frontmatter
     if (/^---/.test(trimmed)) return false;
@@ -409,6 +410,8 @@ export function normalizeJsxIndentation(content: string): string {
   let baseIndent = 0; // The indentation of the outermost JSX opening tag
   // Track if we're inside a fenced code block (``` ... ```)
   let insideCodeFence = false;
+  // How many spaces to strip from code fence content (computed from fence marker normalization)
+  let fenceIndentShift = 0;
 
   for (let i = 0; i < lines.length; i++) {
     let line = lines[i];
@@ -418,12 +421,38 @@ export function normalizeJsxIndentation(content: string): string {
     // Must check BEFORE any other processing to preserve code block content
     if (trimmed.startsWith('```')) {
       insideCodeFence = !insideCodeFence;
+      if (!insideCodeFence) {
+        // Closing fence: normalize its indentation, then reset shift
+        if (jsxDepth > 0 && fenceIndentShift > 0) {
+          const currentIndent = line.match(/^(\s*)/)?.[1].length ?? 0;
+          const newIndent = Math.max(0, currentIndent - fenceIndentShift);
+          line = ' '.repeat(newIndent) + trimmed;
+        }
+        fenceIndentShift = 0;
+      } else if (jsxDepth > 0) {
+        // Opening fence: normalize indentation and compute shift for content
+        const currentIndent = line.match(/^(\s*)/)?.[1].length ?? 0;
+        const excessIndent = currentIndent - baseIndent;
+        if (excessIndent >= 4) {
+          const newIndent = baseIndent + 2;
+          fenceIndentShift = currentIndent - newIndent;
+          line = ' '.repeat(newIndent) + trimmed;
+        } else {
+          fenceIndentShift = 0;
+        }
+      }
       result.push(line);
       continue;
     }
 
-    // If inside a code fence, preserve the line exactly as-is
+    // If inside a code fence, apply the same indent shift as the fence marker
+    // to preserve relative indentation within the code block
     if (insideCodeFence) {
+      if (fenceIndentShift > 0) {
+        const currentIndent = line.match(/^(\s*)/)?.[1].length ?? 0;
+        const newIndent = Math.max(0, currentIndent - fenceIndentShift);
+        line = ' '.repeat(newIndent) + line.trimStart();
+      }
       result.push(line);
       continue;
     }
@@ -700,6 +729,48 @@ export function transformImageDimensions(content: string): string {
   return transformOutsideCodeBlocks(content, transformImageDimensionsInText);
 }
 
+// Keep in sync with VIDEO_EXTENSIONS in components/mdx/Video.tsx
+const VIDEO_EXTENSIONS = ['.mp4', '.webm'];
+
+/** Asset directory prefixes handled by path transforms */
+const ASSET_DIRECTORIES = ['images', 'videos'] as const;
+
+/**
+ * Convert markdown video syntax to <Video> JSX component.
+ *
+ * Converts:
+ * - ![alt](/videos/demo.mp4) -> <Video src="/videos/demo.mp4" title="alt" />
+ * - ![](/videos/demo.webm)   -> <Video src="/videos/demo.webm" />
+ *
+ * This must run BEFORE path transforms so the <Video> src attribute gets
+ * rewritten by transformRelativeImagePaths. Converting to JSX also avoids
+ * the <p><video> hydration error — MDX wraps markdown images in <p>, but
+ * JSX components get their own block context.
+ */
+function transformMarkdownVideos(content: string): string {
+  return transformOutsideCodeBlocks(content, transformMarkdownVideosInText);
+}
+
+function transformMarkdownVideosInText(text: string): string {
+  // Same pattern as markdown images: ![alt](url)
+  const pattern = /!\[([^\]]*)\]\(([^)\s]+)(\s+["'][^"']*["'])?\)/g;
+
+  return text.replace(pattern, (match, alt, url) => {
+    const urlStr = url as string;
+    // Skip external URLs and data URIs — only convert local video paths
+    if (urlStr.startsWith('http://') || urlStr.startsWith('https://') || urlStr.startsWith('data:')) {
+      return match;
+    }
+    const pathOnly = urlStr.split('?')[0].toLowerCase();
+    if (!VIDEO_EXTENSIONS.some(ext => pathOnly.endsWith(ext))) {
+      return match; // Not a video — leave as markdown image
+    }
+    const escapedAlt = (alt as string).replace(/"/g, '&quot;');
+    const titleAttr = escapedAlt ? ` title="${escapedAlt}"` : '';
+    return `<Video src="${urlStr}"${titleAttr} />`;
+  });
+}
+
 /**
  * Transform Markdown image paths to use the Jamdesk asset prefix.
  *
@@ -735,20 +806,11 @@ function normalizeMarkdownImageUrl(url: string, assetVersion?: string): string |
     return null;
   }
 
-  if (url.startsWith(`${ASSET_PREFIX}/images/`)) {
-    return null;
-  }
-
-  if (url.startsWith('/images/')) {
-    return appendAssetVersion(`${ASSET_PREFIX}${url}`, assetVersion);
-  }
-
-  if (url.startsWith('./images/')) {
-    return appendAssetVersion(`${ASSET_PREFIX}/${url.slice(2)}`, assetVersion);
-  }
-
-  if (url.startsWith('images/')) {
-    return appendAssetVersion(`${ASSET_PREFIX}/${url}`, assetVersion);
+  for (const dir of ASSET_DIRECTORIES) {
+    if (url.startsWith(`${ASSET_PREFIX}/${dir}/`)) return null;
+    if (url.startsWith(`/${dir}/`)) return appendAssetVersion(`${ASSET_PREFIX}${url}`, assetVersion);
+    if (url.startsWith(`./${dir}/`)) return appendAssetVersion(`${ASSET_PREFIX}/${url.slice(2)}`, assetVersion);
+    if (url.startsWith(`${dir}/`)) return appendAssetVersion(`${ASSET_PREFIX}/${url}`, assetVersion);
   }
 
   return null;
@@ -800,24 +862,23 @@ export function transformRelativeImagePaths(content: string, assetVersion?: stri
   let result = content;
 
   for (const prop of IMAGE_PATH_PROPS) {
-    // Shared replacement: rewrites the captured image path under ASSET_PREFIX
-    const rewrite = (_match: string, quote: string, imgPath: string): string =>
-      `${prop}=${quote}${appendAssetVersion(`${ASSET_PREFIX}/${imgPath}`, assetVersion)}${quote}`;
+    for (const dir of ASSET_DIRECTORIES) {
+      const rewrite = (_match: string, quote: string, assetPath: string): string =>
+        `${prop}=${quote}${appendAssetVersion(`${ASSET_PREFIX}/${assetPath}`, assetVersion)}${quote}`;
 
-    // ./images/... -> /_jd/images/...?v=xxx
-    result = result.replace(
-      new RegExp(`${prop}=(["'])\\./(images/[^"']+)\\1`, 'g'), rewrite,
-    );
-
-    // images/... -> /_jd/images/...?v=xxx (skip URLs, data URIs, and paths starting with /)
-    result = result.replace(
-      new RegExp(`${prop}=(["'])(?!/|https?://|data:)(images/[^"']+)\\1`, 'g'), rewrite,
-    );
-
-    // /images/... -> /_jd/images/...?v=xxx
-    result = result.replace(
-      new RegExp(`${prop}=(["'])/(images/[^"']+)\\1`, 'g'), rewrite,
-    );
+      // ./{dir}/... -> /_jd/{dir}/...
+      result = result.replace(
+        new RegExp(`${prop}=(["'])\\./(${dir}/[^"']+)\\1`, 'g'), rewrite,
+      );
+      // {dir}/... -> /_jd/{dir}/... (skip URLs, data URIs, paths starting with /)
+      result = result.replace(
+        new RegExp(`${prop}=(["'])(?!/|https?://|data:)(${dir}/[^"']+)\\1`, 'g'), rewrite,
+      );
+      // /{dir}/... -> /_jd/{dir}/...
+      result = result.replace(
+        new RegExp(`${prop}=(["'])/(${dir}/[^"']+)\\1`, 'g'), rewrite,
+      );
+    }
   }
 
   return result;
@@ -863,8 +924,9 @@ export function containsView(content: string): boolean {
  * 6. Un-indents JSX blocks that follow list items (prevents list context errors)
  * 7. Ensures blank lines around markdown in JSX components
  * 8. Normalizes indentation inside JSX components (prevents code block interpretation)
- * 9. Transforms Markdown image dimension syntax to HTML img tags
- * 10. Transforms relative image paths to absolute paths
+ * 9. Converts markdown video syntax ![alt](video.mp4) to <Video> JSX
+ * 10. Transforms Markdown image dimension syntax to HTML img tags
+ * 11. Transforms relative image/video paths to absolute paths
  *
  * @param content - Raw MDX content
  * @returns Preprocessed MDX content
@@ -901,6 +963,11 @@ export function preprocessMdx(content: string, options?: { assetVersion?: string
   // 4+ space indentation from being interpreted as code blocks
   processed = normalizeJsxIndentation(processed);
 
+  // Convert markdown video syntax ![alt](/videos/x.mp4) to <Video> JSX.
+  // Must run BEFORE transformImageDimensions and path transforms so the
+  // <Video> src attribute gets rewritten correctly.
+  processed = transformMarkdownVideos(processed);
+
   // Transform Markdown images with dimension syntax to HTML img tags
   // Must run BEFORE transformRelativeImagePaths (which works on src= attributes)
   processed = transformImageDimensions(processed);

package/vendored/lib/process-mdx-with-exports.ts

@@ -13,6 +13,8 @@ import remarkMdx from 'remark-mdx';
 import { VFile } from 'vfile';
 import { remarkExtractExports } from './remark-extract-exports';
 import { compileInlineComponents } from './mdx-inline-components';
+import { remarkExtractParamFields } from './remark-extract-param-fields';
+import type { ExtractedParam } from './remark-extract-param-fields';
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 type AnyComponent = React.ComponentType<any>;
@@ -20,8 +22,17 @@ type AnyComponent = React.ComponentType<any>;
 interface ProcessResult {
   inlineComponents: Record<string, AnyComponent>;
   hasInlineExports: boolean;
+  paramFields: ExtractedParam[];
 }
 
+// Build the unified processor once at module level (frozen + reusable).
+// This avoids re-creating the pipeline on every ISR page request.
+const mdxProcessor = unified()
+  .use(remarkParse)
+  .use(remarkMdx)
+  .use(remarkExtractExports)
+  .use(remarkExtractParamFields);
+
 /**
  * Extract and compile inline components from MDX source.
  *
@@ -35,29 +46,25 @@ export async function extractInlineComponents(
 ): Promise<ProcessResult> {
   // Defensive: return empty if source is not a valid string
   if (!source || typeof source !== 'string') {
-    return { inlineComponents: {}, hasInlineExports: false };
+    return { inlineComponents: {}, hasInlineExports: false, paramFields: [] };
   }
 
-  // Quick check: if no "export const" in source, skip processing
-  if (!source.includes('export const')) {
-    return { inlineComponents: {}, hasInlineExports: false };
+  // Fast-path: skip remark pipeline when neither inline exports nor ParamFields exist
+  if (!source.includes('export const') && !source.includes('ParamField')) {
+    return { inlineComponents: {}, hasInlineExports: false, paramFields: [] };
   }
 
   try {
-    const processor = unified().use(remarkParse).use(remarkMdx).use(remarkExtractExports);
-
-    // Create VFile to hold the content and collect metadata
     const inputFile = new VFile({ value: source });
+    const tree = mdxProcessor.parse(inputFile);
+    await mdxProcessor.run(tree, inputFile);
 
-    // Parse and run the transforms
-    const tree = processor.parse(inputFile);
-    await processor.run(tree, inputFile);
-
+    const paramFields: ExtractedParam[] = inputFile.data.paramFields ?? [];
     const inlineExports = inputFile.data.inlineExports || {};
 
-    // No exports found
+    // No exports found — still return paramFields
     if (Object.keys(inlineExports).length === 0) {
-      return { inlineComponents: {}, hasInlineExports: false };
+      return { inlineComponents: {}, hasInlineExports: false, paramFields };
     }
 
     // Compile with access to built-in MDX components
@@ -66,10 +73,11 @@ export async function extractInlineComponents(
     return {
       inlineComponents,
       hasInlineExports: Object.keys(inlineExports).length > 0,
+      paramFields,
     };
   } catch (error) {
     // Log but don't fail the build - return empty components
     console.warn('[MDX] Failed to extract inline components:', error instanceof Error ? error.message : error);
-    return { inlineComponents: {}, hasInlineExports: false };
+    return { inlineComponents: {}, hasInlineExports: false, paramFields: [] };
   }
 }

package/vendored/lib/remark-extract-param-fields.ts

@@ -0,0 +1,134 @@
+/**
+ * Remark plugin to extract <ParamField> data from MDX AST.
+ *
+ * Visits mdxJsxFlowElement nodes named 'ParamField' and extracts
+ * the param metadata (name, location, type, required, default) into
+ * file.data.paramFields for use by the API playground.
+ *
+ * ParamField syntax mirrors Mintlify's convention:
+ *   <ParamField body="name" type="string" required>...</ParamField>
+ * The attribute name (body/query/path/header) determines the param location,
+ * and its string value is the param name.
+ */
+
+import type { Root } from 'mdast';
+import type { MdxJsxFlowElement } from 'mdast-util-mdx-jsx';
+import { visit } from 'unist-util-visit';
+import type { VFile } from 'vfile';
+
+export interface ExtractedParam {
+  name: string;
+  in: 'body' | 'query' | 'path' | 'header';
+  type?: string;
+  required: boolean;
+  default?: unknown;
+}
+
+declare module 'vfile' {
+  interface DataMap {
+    paramFields?: ExtractedParam[];
+  }
+}
+
+const LOCATION_ATTRS = ['body', 'query', 'path', 'header'] as const;
+type ParamLocation = (typeof LOCATION_ATTRS)[number];
+
+/**
+ * Parse the raw value of a default attribute.
+ *
+ * Expression defaults like `default={1}` have their inner text as the raw
+ * value. We try JSON.parse first (handles numbers, booleans, quoted strings)
+ * and fall back to returning the raw string.
+ */
+function parseDefaultValue(raw: string): unknown {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+
+export function remarkExtractParamFields() {
+  return (tree: Root, file: VFile) => {
+    const params: ExtractedParam[] = [];
+
+    visit(tree, 'mdxJsxFlowElement', (node: MdxJsxFlowElement) => {
+      if (node.name !== 'ParamField') return;
+
+      let paramName: string | undefined;
+      let paramIn: ParamLocation | undefined;
+      let paramType: string | undefined;
+      let paramRequired = false;
+      let paramDefault: unknown = undefined;
+
+      for (const attr of node.attributes) {
+        // Only process standard JSX attributes (not spread attributes)
+        if (attr.type !== 'mdxJsxAttribute') continue;
+
+        const attrName = attr.name as string;
+        const attrValue = attr.value;
+
+        // Location attribute: name is the location, value is the param name
+        if ((LOCATION_ATTRS as ReadonlyArray<string>).includes(attrName)) {
+          paramIn = attrName as ParamLocation;
+          // Value must be a plain string for the param name
+          if (typeof attrValue === 'string') {
+            paramName = attrValue;
+          }
+          continue;
+        }
+
+        if (attrName === 'type') {
+          if (typeof attrValue === 'string') {
+            paramType = attrValue;
+          }
+          continue;
+        }
+
+        if (attrName === 'required') {
+          if (attrValue === null) {
+            // Boolean attribute without value: <ParamField required>
+            paramRequired = true;
+          } else if (
+            typeof attrValue === 'object' &&
+            attrValue.type === 'mdxJsxAttributeValueExpression'
+          ) {
+            // Expression syntax: required={true} or required={false}
+            paramRequired = parseDefaultValue(attrValue.value) === true;
+          }
+          continue;
+        }
+
+        if (attrName === 'default') {
+          if (typeof attrValue === 'string') {
+            // Plain string default: default="created_at"
+            paramDefault = attrValue;
+          } else if (
+            attrValue != null &&
+            typeof attrValue === 'object' &&
+            attrValue.type === 'mdxJsxAttributeValueExpression'
+          ) {
+            // Expression default: default={1}
+            paramDefault = parseDefaultValue(attrValue.value);
+          }
+          continue;
+        }
+      }
+
+      // Only emit a param if we found a valid location + name pair
+      if (paramName !== undefined && paramIn !== undefined) {
+        params.push({
+          name: paramName,
+          in: paramIn,
+          type: paramType,
+          required: paramRequired,
+          default: paramDefault,
+        });
+      }
+    });
+
+    if (params.length > 0) {
+      file.data.paramFields = params;
+    }
+  };
+}

package/vendored/lib/shiki-client.ts

@@ -27,6 +27,12 @@ const CLIENT_LANGUAGES: BundledLanguage[] = [
   'bash',
   'json',
   'shell',
+  'go',
+  'ruby',
+  'csharp',
+  'java',
+  'rust',
+  'php',
 ];
 
 // Dual themes for light/dark mode support
@@ -63,6 +69,12 @@ async function getHighlighter(): Promise<HighlighterCore> {
           import('shiki/langs/bash.mjs'),
           import('shiki/langs/json.mjs'),
           import('shiki/langs/shell.mjs'),
+          import('shiki/langs/go.mjs'),
+          import('shiki/langs/ruby.mjs'),
+          import('shiki/langs/csharp.mjs'),
+          import('shiki/langs/java.mjs'),
+          import('shiki/langs/rust.mjs'),
+          import('shiki/langs/php.mjs'),
         ],
         engine: createJavaScriptRegexEngine(),
       });

package/vendored/lib/static-artifacts.ts

@@ -164,6 +164,8 @@ Disallow: /
   return `User-agent: *
 Allow: /
 
+Disallow: /_next/
+
 Sitemap: ${sitemapUrl || defaultSitemapUrl}
 `;
 }

package/vendored/lib/static-file-route.ts

@@ -25,7 +25,7 @@ export const STATIC_REVALIDATION_PATHS = STATIC_FILE_NAMES.flatMap(
 const CONTENT_TYPES: Record<string, string> = {
   '.xml': 'application/xml',
   '.json': 'application/json',
-  '.txt': 'text/plain',
+  '.txt': 'text/plain; charset=utf-8',
 };
 
 /**

package/vendored/lib/url-safety.ts

@@ -0,0 +1,122 @@
+// DO NOT EDIT — this file is auto-synced from shared/. Edit the source in shared/ and run ./scripts/sync-shared.sh
+
+/**
+ * SSRF protection: check if a URL is safe to proxy/fetch.
+ * Blocks private IPs, loopback, link-local, and metadata endpoints.
+ * Supports decimal, hex, octal, and mixed IP encodings (SSRF bypass vectors).
+ *
+ * Unlike sanitize-url.ts (proxy), this allows both HTTP and HTTPS
+ * since API playground requests may target staging/dev APIs over HTTP.
+ */
+
+/**
+ * Parse a hostname as an IPv4 address in any encoding.
+ * Handles dotted decimal, decimal integer, hex, octal, and mixed formats.
+ * Returns the 32-bit unsigned long, or null if not an IP.
+ */
+function parseIPv4ToLong(hostname: string): number | null {
+  // Pure decimal integer (e.g., 2130706433 = 127.0.0.1)
+  if (/^\d+$/.test(hostname)) {
+    const val = Number(hostname);
+    if (val >= 0 && val <= 0xFFFFFFFF) return val;
+  }
+
+  // Hex integer (e.g., 0x7f000001 = 127.0.0.1)
+  if (/^0x[0-9a-f]+$/i.test(hostname)) {
+    const val = parseInt(hostname, 16);
+    if (val >= 0 && val <= 0xFFFFFFFF) return val;
+  }
+
+  // Dotted notation (decimal, octal, or hex parts)
+  const parts = hostname.split('.');
+  if (parts.length < 1 || parts.length > 4) return null;
+
+  const parsed: number[] = [];
+  for (const part of parts) {
+    if (!part) return null;
+    let val: number;
+    if (/^0x[0-9a-f]+$/i.test(part)) {
+      val = parseInt(part, 16);
+    } else if (/^0\d+$/.test(part)) {
+      // Octal (e.g., 0177 = 127)
+      val = parseInt(part, 8);
+    } else if (/^\d+$/.test(part)) {
+      val = parseInt(part, 10);
+    } else {
+      return null; // Not a numeric IP
+    }
+    if (isNaN(val) || val < 0) return null;
+    parsed.push(val);
+  }
+
+  // Convert to 32-bit long based on part count (matches BSD socket behavior)
+  if (parsed.length === 1) return parsed[0];
+  if (parsed.length === 2) {
+    if (parsed[0] > 0xFF || parsed[1] > 0xFFFFFF) return null;
+    return (parsed[0] << 24) | parsed[1];
+  }
+  if (parsed.length === 3) {
+    if (parsed[0] > 0xFF || parsed[1] > 0xFF || parsed[2] > 0xFFFF) return null;
+    return (parsed[0] << 24) | (parsed[1] << 16) | parsed[2];
+  }
+  if (parsed.length === 4) {
+    if (parsed.some(p => p > 0xFF)) return null;
+    return (parsed[0] << 24) | (parsed[1] << 16) | (parsed[2] << 8) | parsed[3];
+  }
+  return null;
+}
+
+/**
+ * Check if an IPv4 long integer falls in a private/reserved range.
+ */
+function isPrivateIPv4(ip: number): boolean {
+  // Use unsigned right-shift to ensure correct comparison for high addresses
+  const uip = ip >>> 0;
+  return (
+    (uip >>> 24) === 0 ||            // 0.0.0.0/8
+    (uip >>> 24) === 10 ||           // 10.0.0.0/8
+    (uip >>> 24) === 127 ||          // 127.0.0.0/8 (loopback)
+    (uip >>> 20) === 0xAC1 ||        // 172.16.0.0/12
+    (uip >>> 16) === 0xC0A8 ||       // 192.168.0.0/16
+    (uip >>> 16) === 0xA9FE ||       // 169.254.0.0/16 (link-local/metadata)
+    uip === 0xFFFFFFFF               // 255.255.255.255 (broadcast)
+  );
+}
+
+/**
+ * Returns true if the URL is safe to fetch (not an internal/private address).
+ * Both HTTP and HTTPS are allowed — API playground may target dev APIs over HTTP.
+ * Returns false for invalid URLs, private IPs, localhost, and link-local addresses.
+ */
+export function isUrlSafe(rawUrl: string): boolean {
+  if (!rawUrl) return false;
+  try {
+    const url = new URL(rawUrl);
+
+    // Only allow HTTP and HTTPS schemes
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
+
+    const hostname = url.hostname.toLowerCase();
+
+    // Block localhost by name
+    if (hostname === 'localhost') return false;
+
+    // Block ALL IPv6 addresses (bracketed hostnames).
+    // IPv6-embedded IPv4 (e.g. ::127.0.0.1 → ::7f00:1) bypasses prefix-based
+    // checks. Legitimate API endpoints virtually never use raw IPv6 literals,
+    // so blocking all bracketed hostnames is the safest approach.
+    if (hostname.startsWith('[')) {
+      return false;
+    }
+
+    // Parse as IPv4 (handles dotted, decimal, octal, hex, and mixed encodings)
+    const ipLong = parseIPv4ToLong(hostname);
+    if (ipLong !== null) {
+      if (isPrivateIPv4(ipLong)) return false;
+    }
+
+    return true;
+  } catch {
+    return false;
+  }
+}

package/vendored/next.config.js

@@ -14,6 +14,13 @@
 const nextConfig = {
   // Hide dev indicator (floating icon in bottom-left)
   devIndicators: false,
+  // Rewrite /_jd/ asset paths to public/ in dev (ISR middleware handles this in production)
+  async rewrites() {
+    return [
+      { source: '/_jd/images/:path*', destination: '/images/:path*' },
+      { source: '/_jd/videos/:path*', destination: '/videos/:path*' },
+    ];
+  },
   // Allow /_jd/ image paths with ?v= cache-busting query strings in <Image>
   images: {
     localPatterns: [