Skip to content

external docs: build pages from registered GitHub sources#152

Open
Kzoeps wants to merge 19 commits into
mainfrom
docs-refresh-registry
Open

external docs: build pages from registered GitHub sources#152
Kzoeps wants to merge 19 commits into
mainfrom
docs-refresh-registry

Conversation

@Kzoeps

@Kzoeps Kzoeps commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

check out https://hypercerts-v02-documentation-git-d-210225-hypercerts-foundation.vercel.app/architecture/epds for one of the pages dynamically rendered

Summary

  • register canonical Markdown files from trusted external repositories
  • fetch one immutable snapshot for rendering, search, raw exports, metadata, and fingerprints
  • render external content through the existing Markdoc pipeline with relative link and image handling
  • refresh deployed docs when source fingerprints change
  • run tests and a static build for relevant pull requests through Docs CI

Testing

  • npm test (24 tests passed)

Summary by CodeRabbit

  • New Features

    • Added support for displaying selected external Markdown documentation, including linked images and GitHub-based references.
    • Added Mermaid diagram rendering with light/dark theme support, loading states, and readable error details.
    • Expanded the table of contents to include fourth-level headings.
    • Updated raw Markdown, search, and last-updated information to reflect external documentation content.
  • Documentation

    • Added guidance for configuring and maintaining external documentation sources.
  • Bug Fixes

    • Improved validation and error reporting for invalid or unavailable documentation content.

@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hypercerts-v0.2-documentation Ready Ready Preview, Comment Jul 14, 2026 4:39pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a build-time external documentation pipeline with validated GitHub sources, immutable snapshots, page integration, link/image rewriting, Mermaid rendering, deterministic fingerprints, refresh automation, and associated tests and site updates.

Changes

External documentation system

Layer / File(s) Summary
Source validation and snapshot generation
docs-sources.yml, lib/external-docs*.js, lib/generate-docs-fingerprint.js
Validates registered sources, fetches Markdown snapshots, resolves external links and images, and produces deterministic fingerprints.
External page build integration
lib/external-docs-loader.js, lib/generate-*.js, next.config.js, pages/{architecture,tools}/*, package.json
Compiles frontmatter-only external pages and uses resolved content for builds, raw exports, search indexing, metadata, and fingerprints.
Markdoc rendering and diagram support
markdoc/*, components/MermaidDiagram.js, pages/_app.js, styles/globals.css
Adds external link/image transforms, Mermaid fence rendering, custom document/image nodes, Mermaid UI states, and related styling.
Documentation CI and refresh automation
.github/workflows/*, lib/compare-docs-fingerprint.js, .gitignore
Adds PR fingerprint checks plus scheduled/manual comparison and conditional deployment-hook triggering.
Site content and navigation updates
components/CopyRawButton.js, components/TableOfContents.js, styles/globals.css
Updates raw Markdown URL handling, supports H4 table-of-contents entries, and styles Mermaid output.
External documentation validation
test/external-docs*.test.js, test/external-doc-links.test.js
Tests registry validation, snapshots, fingerprints, page compilation, link/image resolution, and stale-content rejection.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 40.32% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: rendering external documentation pages from registered GitHub sources.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs-refresh-registry

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@socket-security

socket-security Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedmermaid@​11.15.07510010093100

View full report

@socket-security

socket-security Bot commented Jul 14, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/mermaid@11.15.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/mermaid@11.15.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/mermaid@11.15.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm robust-predicates is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/mermaid@11.15.0npm/robust-predicates@3.0.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/robust-predicates@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (1)
components/MermaidDiagram.js (1)

110-115: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider sanitizing SVG before dangerouslySetInnerHTML as defense-in-depth.

securityLevel: 'strict' already triggers Mermaid's internal DOMPurify pass on SVG output, so this isn't directly exploitable today. Still, since this renders content sourced from external repositories, an explicit DOMPurify.sanitize(svg) call before injection would add defense-in-depth independent of Mermaid's internal behavior (recommended by security research on diagram-renderer XSS).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/MermaidDiagram.js` around lines 110 - 115, Update the render
return in MermaidDiagram to sanitize the generated svg with DOMPurify
immediately before assigning it to dangerouslySetInnerHTML. Import or reuse the
project’s existing DOMPurify integration, while preserving Mermaid’s strict
security configuration and the current diagram rendering behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs-ci.yml:
- Around line 38-39: Disable credential persistence for the actions/checkout
step in .github/workflows/docs-ci.yml lines 38-39 and
.github/workflows/docs-refresh.yml lines 32-33 by adding the checkout step’s
persist-credentials setting as false under with.

In @.github/workflows/docs-refresh.yml:
- Around line 110-121: Update the “Write summary” step to pass the dynamic diff
outputs and workflow values through the step’s env configuration, then reference
those environment variables inside the bash script instead of inline `${{ }}`
expansions. Preserve the existing fallback values and summary fields while
ensuring shell-safe handling of values such as reason and fingerprints.

In `@components/MermaidDiagram.js`:
- Around line 4-16: Update getMermaid so a rejected dynamic import clears
mermaidModulePromise before propagating the failure, allowing later calls to
retry the import. Preserve the existing successful-module memoization and
module.default fallback behavior.

In `@lib/external-doc-links.js`:
- Line 1: Decode the Git ref extracted from resolved.pathname in both
resolveExternalDocHref and resolveExternalDocImageSrc before reconstructing or
serializing the final GitHub URLs. Preserve the existing URL resolution and path
handling, but ensure branch names such as feature/branch are returned with
literal slashes rather than percent-encoded separators.

In `@lib/external-doc-page.js`:
- Around line 20-23: Update the frontmatter regular expression in
getMarkdownBody to accept both LF and CRLF line endings by allowing optional
carriage returns before newline characters. Preserve the existing frontmatter
matching boundaries and body-slicing behavior.

In `@lib/external-docs.js`:
- Line 147: Update the frontmatter boundary regex in lib/external-docs.js at
lines 147-147 to accept optional carriage returns before each newline,
preserving the existing capture behavior. Apply the same CRLF-aware boundary
update in lib/external-docs-loader.js at lines 10-10 so both parsing and
stripping paths handle LF and CRLF frontmatter consistently.

---

Nitpick comments:
In `@components/MermaidDiagram.js`:
- Around line 110-115: Update the render return in MermaidDiagram to sanitize
the generated svg with DOMPurify immediately before assigning it to
dangerouslySetInnerHTML. Import or reuse the project’s existing DOMPurify
integration, while preserving Mermaid’s strict security configuration and the
current diagram rendering behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c535bc07-8712-4b41-8313-08fbe5ca17ef

📥 Commits

Reviewing files that changed from the base of the PR and between 62a28b5 and 0b23a4f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (39)
  • .github/workflows/docs-ci.yml
  • .github/workflows/docs-refresh.yml
  • .gitignore
  • components/AnnouncementBanner.js
  • components/CopyRawButton.js
  • components/MermaidDiagram.js
  • components/TableOfContents.js
  • docs-sources.yml
  • docs/remote-markdown.md
  • lib/compare-docs-fingerprint.js
  • lib/external-doc-links.js
  • lib/external-doc-page.js
  • lib/external-docs-loader.js
  • lib/external-docs-snapshot.js
  • lib/external-docs.js
  • lib/generate-docs-fingerprint.js
  • lib/generate-external-docs-manifest.js
  • lib/generate-last-updated.js
  • lib/generate-raw-pages.js
  • lib/generate-search-index.js
  • lib/navigation.js
  • markdoc/nodes/document.markdoc.js
  • markdoc/nodes/fence.markdoc.js
  • markdoc/nodes/image.markdoc.js
  • markdoc/nodes/index.js
  • markdoc/nodes/link.markdoc.js
  • markdoc/tags/br.markdoc.js
  • markdoc/tags/index.js
  • next.config.js
  • package.json
  • pages/_app.js
  • pages/architecture/epds.md
  • pages/lexicons/hypercerts-lexicons/index.md
  • pages/tools/hypercerts-agent-skills.md
  • pages/tools/hyperindex.md
  • styles/globals.css
  • test/external-doc-links.test.js
  • test/external-docs-snapshot.test.js
  • test/external-docs.test.js

Comment thread .github/workflows/docs-ci.yml
Comment thread .github/workflows/docs-refresh.yml
Comment thread components/MermaidDiagram.js
Comment thread lib/external-doc-links.js
Comment thread lib/external-doc-page.js
Comment thread lib/external-docs.js Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/docs-ci.yml (1)

65-68: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add a timeout to the curl command to prevent hanging CI jobs.

Network calls in CI pipelines can occasionally hang indefinitely if the target server stops responding but leaves the connection open. Consider adding a timeout (e.g., --max-time 60) so the workflow fails fast rather than wasting runner minutes if the staging server is unreachable.

♻️ Proposed refactor
-          http_code=$(curl -sS -L -w "%{http_code}" \
+          http_code=$(curl -sS -L --max-time 60 -w "%{http_code}" \
             -o deployed-docs-fingerprint.json \
             "$DOCS_FINGERPRINT_URL")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs-ci.yml around lines 65 - 68, Add a finite timeout
option such as --max-time 60 to the curl invocation assigning http_code in the
documentation CI workflow, preserving the existing URL, output file, redirect
handling, and curl_status capture.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/docs-ci.yml:
- Around line 65-68: Add a finite timeout option such as --max-time 60 to the
curl invocation assigning http_code in the documentation CI workflow, preserving
the existing URL, output file, redirect handling, and curl_status capture.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9acab48d-7422-42d6-8077-71191f98e286

📥 Commits

Reviewing files that changed from the base of the PR and between 0b23a4f and d342a99.

📒 Files selected for processing (22)
  • .github/workflows/docs-ci.yml
  • .github/workflows/docs-refresh.yml
  • components/CopyRawButton.js
  • components/MermaidDiagram.js
  • lib/compare-docs-fingerprint.js
  • lib/external-doc-links.js
  • lib/external-doc-page.js
  • lib/external-docs-loader.js
  • lib/external-docs-snapshot.js
  • lib/external-docs.js
  • lib/generate-docs-fingerprint.js
  • lib/generate-last-updated.js
  • lib/generate-raw-pages.js
  • lib/generate-search-index.js
  • markdoc/nodes/document.markdoc.js
  • markdoc/nodes/fence.markdoc.js
  • markdoc/nodes/image.markdoc.js
  • markdoc/nodes/link.markdoc.js
  • markdoc/tags/br.markdoc.js
  • next.config.js
  • styles/globals.css
  • test/external-docs.test.js
🚧 Files skipped from review as they are similar to previous changes (20)
  • markdoc/tags/br.markdoc.js
  • markdoc/nodes/link.markdoc.js
  • markdoc/nodes/image.markdoc.js
  • next.config.js
  • markdoc/nodes/fence.markdoc.js
  • styles/globals.css
  • markdoc/nodes/document.markdoc.js
  • lib/external-doc-links.js
  • components/CopyRawButton.js
  • lib/generate-raw-pages.js
  • lib/generate-search-index.js
  • lib/external-doc-page.js
  • lib/generate-docs-fingerprint.js
  • components/MermaidDiagram.js
  • lib/external-docs.js
  • lib/external-docs-snapshot.js
  • lib/external-docs-loader.js
  • lib/compare-docs-fingerprint.js
  • test/external-docs.test.js
  • .github/workflows/docs-refresh.yml

@Kzoeps Kzoeps changed the title external-docs: simplify build-time source rendering External Repository Docs Jul 15, 2026
@Kzoeps Kzoeps changed the title External Repository Docs Dynamic external docs Jul 15, 2026
@Kzoeps Kzoeps self-assigned this Jul 15, 2026
@Kzoeps Kzoeps changed the title Dynamic external docs external docs: build pages from registered GitHub sources Jul 15, 2026

@aspiers aspiers left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! Saw a few opportunities for improvement.

Comment thread docs-sources.yml
@@ -0,0 +1,12 @@
sources:
- id: epds

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- id: epds
- id: epds-tutorial

---
title: ePDS (extended PDS)
description: How the ePDS adds email/OTP login on top of AT Protocol without changing the standard OAuth flow for apps.
externalDoc: epds

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC, this is including the tutorial docs, which don't belong on the architecture page. (Seems it's a pre-existing problem, but this is a good opportunity to fix it.) There should be a separate section for tutorials. Is it possible to just include part of a page? Ideally we should avoid pages being too long, so splitting long pages into smaller pages would be good. If that requires splitting up doc files in the ePDS repo then we can do that. Actually maybe we should do that even if there is a way to do it with externalDoc.

Comment on lines -16 to -34
```text
Client App
-> starts AT Protocol OAuth against the PDS

PDS Core
-> remains the OAuth issuer and token endpoint
-> advertises the Auth Service as the authorization endpoint

Auth Service
-> collects the user's email or OTP
-> verifies the user
-> returns control to PDS Core via signed callback

PDS Core
-> issues a normal authorization code

Client App
-> exchanges the code for tokens
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The architecture page should have a Mermaid version of this, or similar. An architecture diagram is the main item which an architecture page MUST have.

Comment thread docs/remote-markdown.md
@@ -0,0 +1,65 @@
# Build-time external documentation

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great to have this, but I thought you already drew a nice diagram showing the whole flow - is that only in Linear? Would be worth having here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants