jamdesk 1.1.71 → 1.1.73

package/vendored/app/layout.tsx

@@ -23,6 +23,15 @@ import { fetchCustomCss, fetchCustomJs } from '@/lib/r2-content';
 import { DocsChrome, getLocalFileContent } from '@/lib/layout-helpers';
 
 export async function generateMetadata(): Promise<Metadata> {
+  // The placeholder shell would otherwise render with the paused
+  // project's title/favicon (and pay an R2 round-trip for it) — the
+  // nested (jd-system)/jd-inactive layout supplies neutral metadata.
+  if (isIsrMode()) {
+    const placeholderCheck = await headers();
+    if (placeholderCheck.get('x-jd-layout') === 'placeholder') {
+      return {robots: {index: false, follow: false}};
+    }
+  }
   let config: DocsConfig;
   if (isIsrMode()) {
     const headersList = await headers();
@@ -58,6 +67,33 @@ export default async function RootLayout({
 }) {
   const headersList = await headers();
 
+  // Placeholder short-circuit: proxy sets x-jd-layout=placeholder when
+  // rewriting an inactive site to /jd-inactive. Skip docs chrome (would
+  // otherwise leak the customer's nav, search, sidebar around our
+  // paused-site placeholder) and render a minimal dark shell.
+  if (headersList.get('x-jd-layout') === 'placeholder') {
+    return (
+      <html lang="en" suppressHydrationWarning>
+        <head>
+          <meta name="viewport" content="width=device-width, initial-scale=1" />
+          <meta name="robots" content="noindex, nofollow" />
+          <meta name="theme-color" content="#0a0a0d" />
+        </head>
+        <body
+          style={{
+            margin: 0,
+            minHeight: '100vh',
+            backgroundColor: '#0a0a0d',
+            colorScheme: 'dark',
+          }}
+          suppressHydrationWarning
+        >
+          {children}
+        </body>
+      </html>
+    );
+  }
+
   // Unlock-mode short-circuit: middleware sets x-jd-unlock-mode when
   // rewriting to /jd/unlock. Skip docs chrome — the unlock page renders
   // its own minimal shell via app/(unlock)/jd/unlock/page.tsx.

package/vendored/components/navigation/Header.tsx

@@ -59,8 +59,10 @@ export function Header({ config, layout = 'header-logo', tabsPosition: tabsPosit
   // Determine effective tabsPosition (same logic as Sidebar)
   const themeConfig = getTheme(config.theme);
 
-  // Nebula theme uses compact search (icon only) instead of full search bar
-  const useCompactSearch = config.theme === 'nebula';
+  // Nebula theme uses compact search (icon only) instead of full search bar.
+  // Read from `themeConfig.name` (canonical-case from registry) rather than
+  // `config.theme` so uppercase docs.json values like "NEBULA" still match.
+  const useCompactSearch = themeConfig.name === 'nebula';
   const effectiveTabsPosition: TabsPosition = config.tabsPosition || tabsPositionProp || themeConfig.defaultTabsPosition;
   const showTabsInHeader = effectiveTabsPosition === 'top';
   

package/vendored/lib/build/error-parser.ts

@@ -1,5 +1,6 @@
 import type { ErrorDetails } from '../../shared/types.js';
 import { DEPRECATED_COMPONENTS } from '../deprecated-components.js';
+import { MIGRATION_DOCS_URL } from '../validate-config.js';
 
 /** Format: ERR-XXXXXXXX (first 8 chars of buildId, uppercase) */
 export function generateErrorRef(buildId: string): string {
@@ -108,6 +109,31 @@ export function parseErrorDetails(
   // Extract error source information upfront - used by multiple error types
   const errorSource = extractErrorSource(output, pageToFileMap);
 
+  // Mintlify migration needed — must come before the generic config_error branch
+  // so the migrate-specific suggestion wins. We match on the migration docs URL
+  // (which every Mintlify-detection branch in validate-config embeds) rather than
+  // a prose phrase, so future copy edits can't silently break the contract.
+  if (message.includes(MIGRATION_DOCS_URL)) {
+    return {
+      type: 'config_error',
+      message: 'Mintlify config detected — migration needed',
+      details: message,
+      suggestion:
+        'Your docs.json is still configured for Mintlify. Jamdesk includes a ' +
+        'tool that converts Mintlify projects automatically.\n\n' +
+        'From your project\'s root directory, run:\n\n' +
+        '  npm install -g jamdesk\n' +
+        '  jamdesk migrate\n\n' +
+        'The migration will:\n' +
+        '• Convert mint.json / docs.json to the Jamdesk format\n' +
+        '• Update the theme to "jam"\n' +
+        '• Convert Mintlify-only MDX components (e.g. <CardGroup> → <Columns>)\n' +
+        '• Rewrite parent-relative snippet imports\n\n' +
+        'Then commit the changes and push — the next build will pick them up.\n\n' +
+        'Full guide: https://jamdesk.com/docs/setup/migration',
+    };
+  }
+
   // Configuration validation errors (from validate phase)
   if (message.includes('Missing docs.json') || message.includes('Invalid docs.json')) {
     return {

package/vendored/lib/docs-isr.ts

@@ -12,6 +12,7 @@
 
 import fs from 'fs';
 import path from 'path';
+import { cache } from 'react';
 import {
   fetchDocsConfig,
   fetchMdxContent,
@@ -72,17 +73,19 @@ function walkMdx(dir: string): string[] {
   return out;
 }
 
-/**
- * Get docs.json configuration for a project.
- *
- * In ISR mode, fetches from R2 with in-memory caching (1 minute TTL).
- * Throws an error if the project doesn't exist.
- *
- * @param projectSlug - The project identifier (e.g., 'acme')
- * @returns Parsed docs.json configuration
- * @throws Error if project doesn't exist in R2
- */
-export async function getDocsConfig(projectSlug: string): Promise<DocsConfig> {
+// React cache() — request-scoped memoization. Layered on top of Next.js
+// Data Cache (which fetchDocsConfig already wraps via unstable_cache) so
+// repeated calls within the same render pass don't re-enter the Data Cache
+// either. Production fra1 logs showed 3 R2 fetches per request from
+// layout.generateMetadata + layout render + content-loader.getConfig — when
+// they all hit a Data Cache miss simultaneously (fresh region/cold cache),
+// each pays a cross-continent round-trip (~300ms each). cache() collapses
+// these to one in-flight promise.
+//
+// Caveat: cache() is documented to dedupe across generateMetadata + page
+// render in the same request, but historical Next.js bugs (#50080, #67133)
+// occasionally split contexts. In the worst case this still reduces 3→2.
+async function getDocsConfigUncached(projectSlug: string): Promise<DocsConfig> {
   requireIsrMode();
   const config = await fetchDocsConfig(projectSlug);
   if (config) return config;
@@ -99,6 +102,14 @@ export async function getDocsConfig(projectSlug: string): Promise<DocsConfig> {
   throw new Error(`Project not found in R2: ${projectSlug}`);
 }
 
+/**
+ * Get docs.json configuration for a project.
+ *
+ * Request-scoped (React cache) on top of Next.js Data Cache. Same projectSlug
+ * within one render → one R2 fetch.
+ */
+export const getDocsConfig = cache(getDocsConfigUncached);
+
 /**
  * Get all document paths for a project.
  *
@@ -114,14 +125,7 @@ export async function getAllDocPaths(projectSlug: string): Promise<string[]> {
   return listAllPaths(projectSlug);
 }
 
-/**
- * Get raw MDX content for a page.
- *
- * @param projectSlug - The project identifier
- * @param pagePath - Path to the page (e.g., 'api/auth')
- * @returns Raw MDX content string
- */
-export async function getMdxContent(
+async function getMdxContentUncached(
   projectSlug: string,
   pagePath: string
 ): Promise<string> {
@@ -141,6 +145,16 @@ export async function getMdxContent(
   }
 }
 
+/**
+ * Get raw MDX content for a page.
+ *
+ * Request-scoped (React cache) so generateMetadata's frontmatter read and
+ * the subsequent page render share one R2 fetch instead of paying it twice.
+ * Production fra1 logs showed every page making 2× fetchMdxContent calls
+ * for the same path (~600ms duplicated work per request).
+ */
+export const getMdxContent = cache(getMdxContentUncached);
+
 /**
  * Get snippet content.
  *

package/vendored/lib/docs-types.ts

@@ -758,7 +758,7 @@ export interface SpellcheckConfig {
 export interface PasswordAuthConfig {
   /** Opt in to password protection. Site is only gated when this is true AND a password has been set in the dashboard. */
   enabled?: boolean;
-  /** Optional hint shown on the unlock page (e.g., "Ask your account manager"). Plain text, no HTML. */
+  /** Optional hint shown on the unlock page (e.g., "Ask #docs-access on Slack"). Plain text, no HTML. */
   hint?: string;
   /** Paths or globs that bypass the password check. Supports '*' (one path segment) and '**' (recursive). */
   public?: string[];

package/vendored/lib/email-notifier.ts

@@ -38,7 +38,7 @@ export async function sendInternalBuildFailureEmail(info: BuildFailureEmailInfo)
     const result = await resend.emails.send({
       from: 'Jamdesk <no-reply@mail.jamdesk.com>',
       to: reportEmail,
-      subject: `[Jamdesk] Build Failed: ${info.projectName || info.projectId}`,
+      subject: `Jamdesk build failed: ${info.projectName || info.projectId}`,
       html,
       text,
     });

package/vendored/lib/isr-build-executor.ts

@@ -294,7 +294,7 @@ export const ISR_PHASES = {
   optimize_images: { label: 'Optimizing images...', weight: 5 },
   r2_upload: { label: 'Uploading to CDN...', weight: 35 },
   embeddings: { label: 'Indexing AI search + chat...', weight: 5 },
-  vercel_purge: { label: 'Refreshing cache...', weight: 20 },
+  vercel_purge: { label: 'Refreshing cache...', weight: 10 },
   cleanup: { label: 'Cleaning up...', weight: 5 },
 } as const;
 

package/vendored/lib/layout-helpers.tsx

@@ -26,6 +26,31 @@ import { LinkPrefixProvider } from '@/lib/link-prefix-context';
 import { ProjectSlugProvider } from '@/lib/project-slug-context';
 import { getAnalyticsScript } from '@/lib/analytics-script';
 
+const scrollLockBootstrap = `
+(function() {
+  try {
+    if ('scrollRestoration' in history) history.scrollRestoration = 'manual';
+    var unlocked = false;
+    function unlock() {
+      if (unlocked) return;
+      unlocked = true;
+      var el = document.getElementById('content-scroll-container');
+      if (el) el.scrollTop = 0;
+      document.documentElement.removeAttribute('data-scroll-locked');
+    }
+    function ready() {
+      requestAnimationFrame(function() { requestAnimationFrame(unlock); });
+    }
+    if (document.readyState === 'loading') {
+      document.addEventListener('DOMContentLoaded', ready, { once: true });
+    } else {
+      ready();
+    }
+    setTimeout(unlock, 2000);
+  } catch (e) {}
+})();
+`;
+
 // Pre-load fonts at module scope — Next.js requires this for static analysis.
 export const inter = Inter({
   subsets: ['latin'],
@@ -216,7 +241,10 @@ export async function DocsChrome({
   customJs,
   children,
 }: DocsChromeProps): Promise<React.ReactElement> {
-  const themeName = config.theme as ThemeName | undefined;
+  // Lowercase to match docs-config canonical case — `data-theme="nebula"` CSS
+  // selectors are case-sensitive, so `theme: "NEBULA"` from disk would silently
+  // skip every theme-scoped rule without this normalization.
+  const themeName = (config.theme?.toLowerCase() as ThemeName | undefined) ?? undefined;
   const themeCss = themeName && themeName !== 'jam' ? getThemeCssContent(themeName) : null;
   const fontClassName = getFontClassName(themeName, config.fonts);
 
@@ -259,8 +287,32 @@ export async function DocsChrome({
   preload('/_jd/fonts/fontawesome/webfonts/fa-brands-400.woff2', { as: 'font', type: 'font/woff2', crossOrigin: 'anonymous' });
 
   return (
-    <html lang={lang} dir={dir} suppressHydrationWarning data-scroll-behavior="smooth">
+    <html lang={lang} dir={dir} suppressHydrationWarning data-scroll-behavior="smooth" data-scroll-locked="true">
       <head>
+        {/*
+          SSR scroll lock — prevents Chrome's same-tab cross-origin "preserve
+          scroll" heuristic from scrolling #content-scroll-container on first
+          paint. Custom inner-scroll layout (body{overflow:hidden} +
+          #content-scroll-container{overflow-y:auto}) means body.scrollY=0 but
+          the inner container inherits the previous origin's scroll ratio.
+          history.scrollRestoration='manual' doesn't suppress this code path.
+          Solution: ship overflow-y:hidden on the container via a CSS rule
+          gated on html[data-scroll-locked], release it on DOMContentLoaded +
+          2 frames so Chrome's restore attempts hit a structurally
+          non-scrollable element (scrollTop pinned to 0).
+        */}
+        <script
+          dangerouslySetInnerHTML={{
+            __html: scrollLockBootstrap,
+          }}
+        />
+        {/* JS-off fallback — bootstrap can't unlock, so override the rule. */}
+        <noscript
+          dangerouslySetInnerHTML={{
+            __html:
+              '<style>html[data-scroll-locked] #content-scroll-container{overflow-y:auto !important;}</style>',
+          }}
+        />
         <meta name="viewport" content="width=device-width, initial-scale=1" />
         {config.fonts && (
           <>

package/vendored/lib/middleware-helpers.ts

@@ -13,7 +13,7 @@ import {
   getProjectConfig,
   isSubdomain,
 } from './project-resolver';
-import { redis } from './redis';
+import { redis, getProjectInactive } from './redis';
 import { getForwardedHosts, isJamdeskDomain } from './domain-helpers';
 import { getRedirects, matchRedirect, mergeQueryStrings, isInvalidDestination } from './redirect-matcher';
 import { ASSET_PREFIX } from './docs-types';
@@ -46,6 +46,20 @@ export interface ProjectResolutionResult {
   skip?: boolean;
   /** Domain verification status */
   domainStatus?: string;
+  /**
+   * Project owner's subscription is inactive — proxy rewrites to the
+   * `/jd-inactive` placeholder instead of serving real content. Set by
+   * Stripe webhook propagation (canceled/past_due/incomplete_expired)
+   * and cleared on successful payment.
+   */
+  inactive?: boolean;
+  /**
+   * True when the project resolved via the custom-domain branch
+   * (i.e., a user's own domain pointing at our CNAME), vs via the
+   * subdomain branch (slug.jamdesk.app). Used by the branded inactive
+   * page to show owner-sign-in hints only to real customers.
+   */
+  customDomain?: boolean;
 }
 
 /**
@@ -127,24 +141,33 @@ export async function handleProjectResolution(
       const customForwardedHost = forwardedHosts.find(h => !isJamdeskDomain(h));
 
       if (customForwardedHost) {
-        // Resolve hostAtDocs from custom domain config
-        const customResolution = await resolveCustomDomain(customForwardedHost);
+        // Resolve hostAtDocs from custom domain config (batched with
+        // inactive flag — both are Redis reads off the resolved slug).
+        const [customResolution, inactive] = await Promise.all([
+          resolveCustomDomain(customForwardedHost),
+          getProjectInactive(projectSlug),
+        ]);
         log('info', 'Project resolved from subdomain with forwarded custom domain', {
           hostname,
           projectSlug,
           forwardedHost: customForwardedHost,
           hostAtDocs: customResolution.hostAtDocs,
+          inactive,
         });
         return {
           projectSlug,
           hostAtDocs: customResolution.hostAtDocs,
+          inactive,
         };
       }
 
-      // No forwarded custom domain - use project config
-      const config = await getProjectConfig(projectSlug);
-      log('info', 'Project resolved from subdomain', { hostname, projectSlug });
-      return { projectSlug, hostAtDocs: config.hostAtDocs };
+      // No forwarded custom domain — batch config + inactive lookup.
+      const [config, inactive] = await Promise.all([
+        getProjectConfig(projectSlug),
+        getProjectInactive(projectSlug),
+      ]);
+      log('info', 'Project resolved from subdomain', { hostname, projectSlug, inactive });
+      return { projectSlug, hostAtDocs: config.hostAtDocs, inactive };
     }
   }
 
@@ -171,11 +194,17 @@ export async function handleProjectResolution(
     };
   }
 
-  log('info', 'Project resolved from custom domain', { hostname, projectSlug: resolution.projectSlug });
+  // Piggyback inactive read on the custom-domain resolution path. Single
+  // extra Redis GET per request; the proxy reads .inactive to rewrite.
+  const inactive = await getProjectInactive(resolution.projectSlug);
+
+  log('info', 'Project resolved from custom domain', { hostname, projectSlug: resolution.projectSlug, inactive });
   return {
     projectSlug: resolution.projectSlug,
     hostAtDocs: resolution.hostAtDocs,
     domainStatus: resolution.domainStatus,
+    inactive,
+    customDomain: true,
   };
 }
 
@@ -558,6 +587,15 @@ const TRUSTED_PROXY_HEADERS = [
   'x-host-at-docs',
   'x-jd-language',
   'x-jd-unlock-mode',
+  // Placeholder branch — set by the inactive rewrite. The layout
+  // gate (`x-jd-layout: placeholder`) controls whether the chrome is
+  // skipped, and a forged `x-jd-custom-domain: 1` would let an
+  // attacker on a subdomain ALSO toggle the "owner can sign in"
+  // copy. Strip them all from the inbound request.
+  'x-jd-layout',
+  'x-jd-custom-domain',
+  'x-jd-project-name',
+  'x-jd-project-logo',
 ] as const;
 
 /**

package/vendored/lib/preprocess-mdx.ts

@@ -39,31 +39,37 @@ const JSX_CONTENT_COMPONENTS = [
   'Visibility',
 ] as const;
 
+// Match a fenced code block (``` or ~~~), used to mask code-block content
+// before scanning for top-level snippet imports — otherwise import lines
+// inside docs-on-snippets code examples are treated as real imports and
+// trigger 5+ failing R2 fetches per page render.
+const FENCED_CODE_BLOCK_RE =
+  /^( *)(```+|~~~+)[^\n]*\n([\s\S]*?)\n\1\2\s*$/gm;
+
 /**
  * Strip snippet import statements from MDX content.
  *
- * Removes import statements that reference the /snippets/ directory:
- * - import { Component } from "/snippets/file.mdx"
- * - import { Component } from '../snippets/file.mdx'
- * - import Component from "/snippets/file.mdx"
- *
- * Note: Relative MDX imports (./file.mdx, ../folder/file.mdx) that DON'T
- * reference /snippets/ are NOT stripped. These need to be handled by MDX
- * compiler or will fail at build time with a helpful error.
+ * Imports inside fenced code blocks are preserved (documentation examples).
  *
  * @param content - Raw MDX content
  * @returns MDX content with snippet imports removed
  */
 export function stripSnippetImports(content: string): string {
-  // Only strip imports from /snippets/ directory
   const snippetsPattern = /^import\s+(?:(?:\{[^}]*\}|\*\s+as\s+\w+|\w+)\s+from\s+)?["'](?:\.\.\/)*\/?snippets\/[^"']+["'];?\s*$/gm;
-
-  return content.replace(snippetsPattern, '');
+  const codeBlocks: string[] = [];
+  const masked = content.replace(FENCED_CODE_BLOCK_RE, (match) => {
+    const idx = codeBlocks.length;
+    codeBlocks.push(match);
+    return '\0CB' + idx + '\0';
+  });
+  const stripped = masked.replace(snippetsPattern, '');
+  return stripped.replace(/\0CB(\d+)\0/g, (_, idx) => codeBlocks[Number(idx)]);
 }
 
 /**
  * Extract snippet import information from MDX content.
- * Only matches imports from /snippets/ directory.
+ *
+ * Imports inside fenced code blocks are ignored (documentation examples).
  *
  * @param content - Raw MDX content
  * @returns Array of import info objects
@@ -74,12 +80,11 @@ export function extractSnippetImports(content: string): Array<{
   path: string;
 }> {
   const results: Array<{ statement: string; imports: string[]; path: string }> = [];
-
-  // Match import statements from /snippets/
+  const scanContent = content.replace(FENCED_CODE_BLOCK_RE, '');
   const importPattern = /^(import\s+(?:(?:\{([^}]*)\}|(\w+)|\*\s+as\s+(\w+))\s+from\s+)?["']((?:\.\.\/)*\/?snippets\/[^"']+)["'];?\s*)$/gm;
 
   let match;
-  while ((match = importPattern.exec(content)) !== null) {
+  while ((match = importPattern.exec(scanContent)) !== null) {
     const [, statement, namedImports, defaultImport, namespaceImport, importPath] = match;
 
     const imports: string[] = [];

package/vendored/lib/redis.ts

@@ -115,3 +115,89 @@ export async function deleteDomainAuthSecret(
   if (!kvUrl || !kvToken) return;
   await upstashCommand(kvUrl, kvToken, 'DEL', `domainAuthSecret:${hostname}`);
 }
+
+// ---------------------------------------------------------------------------
+// Project inactive flag.
+// Set when the project owner's subscription is canceled, past_due, or
+// incomplete_expired. Read by builder/proxy middleware to serve the
+// inactive placeholder instead of the real site. No TTL — the flag lives
+// until explicitly cleared by a successful payment webhook.
+// Fails open (returns false) both when Redis is not configured AND when
+// the underlying GET throws (network blip, Upstash outage). Availability
+// wins over the inactive-site gate — a flaky Redis shouldn't 500 every
+// request on every docs site.
+// ---------------------------------------------------------------------------
+
+const PROJECT_INACTIVE_PREFIX = 'projectInactive:';
+
+// Key shape: projectInactive:<slug>. The project ID is NOT the edge
+// key — callers with a projectId must resolve via the dashboard's
+// `writeProjectInactiveBySlug` helper first.
+export async function getProjectInactive(slug: string): Promise<boolean> {
+  if (!redis) return false;
+  try {
+    // Upstash SDK auto-parses the body as JSON, so the stored string
+    // "1" comes back as the number 1. Accept either to keep the gate
+    // honest regardless of how the value round-trips.
+    const value = await redis.get<string | number>(
+      `${PROJECT_INACTIVE_PREFIX}${slug}`,
+    );
+    return value === '1' || value === 1;
+  } catch (err) {
+    console.warn('[redis] getProjectInactive failed, failing open:', {
+      slug,
+      error: (err as Error).message,
+    });
+    return false;
+  }
+}
+
+export async function setProjectInactive(
+  slug: string,
+  inactive: boolean,
+): Promise<void> {
+  if (!redis) return;
+  const key = `${PROJECT_INACTIVE_PREFIX}${slug}`;
+  if (inactive) {
+    await redis.set(key, '1');
+  } else {
+    await redis.del(key);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Project meta (display name + logo) for the inactive placeholder.
+// Mirrored to Redis at the same write site as projectInactive so the edge
+// brand mark renders without a Firestore or R2 round trip. Lifecycle is
+// 1:1 with projectInactive — written when the flag is set, deleted when
+// it's cleared. Optional logoUrl tracks docs.json `logo` (single string
+// only; theme-variant maps degrade to the name-only brand mark).
+// ---------------------------------------------------------------------------
+
+const PROJECT_META_PREFIX = 'projectMeta:';
+
+export interface ProjectMeta {
+  name: string;
+  logoUrl?: string;
+}
+
+export async function getProjectMeta(
+  slug: string,
+): Promise<ProjectMeta | null> {
+  if (!redis) return null;
+  try {
+    const value = await redis.get<ProjectMeta>(
+      `${PROJECT_META_PREFIX}${slug}`,
+    );
+    if (!value || typeof value.name !== 'string' || !value.name) {
+      return null;
+    }
+    return value;
+  } catch (err) {
+    console.warn('[redis] getProjectMeta failed, returning null:', {
+      slug,
+      error: (err as Error).message,
+    });
+    return null;
+  }
+}

package/vendored/lib/revalidation-trigger.ts

@@ -19,7 +19,13 @@ export interface RevalidationOptions {
 export async function triggerRevalidation(options: RevalidationOptions): Promise<void> {
   const { projectSlug, changedPaths, all } = options;
 
-  const isrAppUrl = process.env.ISR_APP_URL || process.env.VERCEL_DEPLOYMENT_URL || 'https://docs.jamdesk.app';
+  // Fail loud if unset — the previous default `https://docs.jamdesk.app` is an
+  // orphan domain whose cert silently expired (May 2026 incident); falling back
+  // to it produced "fetch failed" with no clue to the cause.
+  const isrAppUrl = (process.env.ISR_APP_URL || process.env.VERCEL_DEPLOYMENT_URL || '').trim();
+  if (!isrAppUrl) {
+    throw new Error('Revalidation failed: ISR_APP_URL not configured');
+  }
   const secret = (process.env.REVALIDATE_SECRET || '').trim();
 
   const body: Record<string, unknown> = {
@@ -55,22 +61,30 @@ async function revalidateIsrApp(
   secret: string,
   body: Record<string, unknown>,
 ): Promise<{ ok: boolean; status?: number; error?: string; revalidated?: string[] }> {
-  const response = await fetch(`${isrAppUrl}/api/revalidate`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-      'x-revalidate-secret': secret,
-    },
-    body: JSON.stringify(body),
-  });
+  // Wrap fetch in try/catch so network-level failures (DNS, TLS, ECONNREFUSED)
+  // surface through the same { ok: false } path as HTTP errors. Without this,
+  // a raw `TypeError: fetch failed` escapes to the build error handler with no
+  // hint that revalidation was the failing step (May 2026 incident).
+  try {
+    const response = await fetch(`${isrAppUrl}/api/revalidate`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-revalidate-secret': secret,
+      },
+      body: JSON.stringify(body),
+    });
 
-  if (!response.ok) {
-    const error = await response.text();
-    return { ok: false, status: response.status, error };
-  }
+    if (!response.ok) {
+      const error = await response.text();
+      return { ok: false, status: response.status, error };
+    }
 
-  const result = (await response.json()) as { success: boolean; revalidated?: string[] };
-  return { ok: true, revalidated: result.revalidated };
+    const result = (await response.json()) as { success: boolean; revalidated?: string[] };
+    return { ok: true, revalidated: result.revalidated };
+  } catch (err) {
+    return { ok: false, error: `${(err as Error).message} (url=${isrAppUrl})` };
+  }
 }
 
 /** Purge the proxy's Vercel CDN cache. Non-fatal on failure. */