feat: add ai search in docs

[DarkPhoenix2704]

No description provided.

[github-actions]

✅ Build Status: Success!

• ✅ Build completed successfully
• 🚀 Ready for review

📝 Latest commit: fce833e
⏰ Updated: 2025-10-16 15:44:23 UTC

[DarkPhoenix2704]

@claude Review

[claude]

Claude finished @DarkPhoenix2704's task —— View job

---

Code Review Complete ✅

I've reviewed the AI search feature implementation. This is a substantial addition that integrates OpenAI's GPT-4 with Typesense search to provide intelligent documentation assistance. Below is my detailed feedback:

---

🎯 Overview

The PR successfully adds an AI-powered search interface that:

• Uses GPT-4 to answer documentation questions
• Searches and fetches relevant docs via Typesense
• Provides a clean chat UI with markdown rendering
• Tracks analytics events for user interactions

---

🔴 Critical Issues

1. Hardcoded API Key in Production Code 🚨

File: lib/ai-tools/search-and-fetch.ts:9

apiKey: process.env.TYPESENSE_API_KEY || 'lNKDTZdJrE76Sg8WEyeN9mXT29l1xq7Q',

Issue: The fallback API key should never be hardcoded. This is a security vulnerability.

Recommendation:

const apiKey = process.env.TYPESENSE_API_KEY;
if (!apiKey) {
  throw new Error('TYPESENSE_API_KEY environment variable is required');
}

2. Missing Environment Variable Validation

File: app/api/chat/route.ts:7-9

The OpenAI API key has no fallback handling. If OPENAI_API_KEY is missing, the error will be cryptic.

Recommendation: Add validation at module level or in the route handler:

if (!process.env.OPENAI_API_KEY) {
  console.error('Missing OPENAI_API_KEY environment variable');
}

3. Unprotected API Route

File: app/api/chat/route.ts:11

The /api/chat endpoint has no authentication, rate limiting, or input validation.

Issues:

• Anyone can call this endpoint and consume OpenAI credits
• No rate limiting to prevent abuse
• No input validation on reqJson.messages

Recommendations:

export async function POST(req: Request) {
  // 1. Add rate limiting (e.g., using Vercel Edge Config or Redis)
  // 2. Validate request body
  const reqJson = await req.json();
  
  if (!reqJson.messages || !Array.isArray(reqJson.messages)) {
    return new Response('Invalid request body', { status: 400 });
  }
  
  // 3. Consider adding API key authentication or using Next.js middleware
  // to protect this route from unauthorized access
  
  // ... rest of handler
}

---

⚠️ Important Issues

4. Silent Error Handling

File: lib/ai-tools/search-and-fetch.ts:119-121, 132-137

Empty catch blocks swallow errors without logging, making debugging impossible.

Current:

} catch {
  // Continue with next page
}

Recommended:

} catch (error) {
  console.error(`Failed to fetch page content for ${pageUrl}:`, error);
  // Continue with next page
}

5. Missing Error Boundaries in UI

File: components/search.tsx

The chat component lacks error handling for failed API calls. Users won't see helpful error messages if the API fails.

Recommendation: Add error state handling in the useChat hook:

const chat = useChat({
  id: "search",
  transport: new DefaultChatTransport({
    api: "/api/chat",
  }),
  onError: (error) => {
    console.error('Chat error:', error);
    // Show user-friendly error message
  },
});

6. Model Version Hardcoded

File: app/api/chat/route.ts:15

model: openai('gpt-4.1-2025-04-14'),

This specific model version may be deprecated. Consider making it configurable via environment variable:

model: openai(process.env.OPENAI_MODEL || 'gpt-4-turbo'),

7. Unbounded Token Usage

File: app/api/chat/route.ts:21

The searchAndFetchDocs function fetches full page content with no token/size limits. This could:

• Exceed context windows
• Increase costs significantly
• Cause slow responses

Recommendation: Add a max token limit or truncate content:

const { markdown, links } = await searchAndFetchDocs(query, 3);
// Truncate markdown if too long
const maxChars = 10000; // or calculate based on tokens
const truncatedMarkdown = markdown.length > maxChars 
  ? markdown.substring(0, maxChars) + '\n\n[Content truncated...]'
  : markdown;

---

🟡 Moderate Issues

8. Type Safety Concerns

File: components/search.tsx:232-233

if (part.type === "tool-provideLinks" && part.input) {
  links = (part.input as z.infer<typeof ProvideLinksToolSchema>).links;
}

Using type assertions without validation. Consider using Zod's safeParse:

const parsed = ProvideLinksToolSchema.safeParse(part.input);
if (parsed.success) {
  links = parsed.data.links;
}

9. Memory Leak Potential

File: components/markdown.tsx:114

const cache = new Map<string, Promise<ReactNode>>();

The cache grows unbounded. Consider using an LRU cache or clearing it periodically.

10. Analytics Hook Called Inside Effect

File: components/Analytics.tsx:46

useEffect(() => {
  // ... 
}, [trackEvent]);

trackEvent is recreated on every render (it's not memoized in useAnalytics). This could cause the effect to re-run unnecessarily.

Recommendation in hooks/useAnalytics.ts:

const trackEvent = useCallback((event: AnalyticsEvent) => {
  if (pushRef.current) {
    pushRef.current({
      $current_url: window.location.href,
      path: window.location.pathname,
      hash: window.location.hash,
      ...event,
    });
  }
}, []);

11. Inconsistent Error Messages

File: lib/ai-tools/search-and-fetch.ts:74, 125, 134

Generic error messages don't help users understand what went wrong:

• "No relevant documentation found" - Could mean search failed or truly no results
• "Could not fetch documentation content" - Doesn't explain why
• "An error occurred while searching" - Too vague

---

💡 Suggestions & Best Practices

12. CLI Config File Purpose Unclear

File: cli.json

This file was added but it's not clear what CLI tool uses it. Consider adding a comment or README section explaining its purpose.

13. Accessibility Improvements

File: components/search.tsx

• The close button (<X />) lacks an aria-label
• The AI input should have proper ARIA attributes for screen readers
• Keyboard navigation could be improved with proper focus management

Recommendations:

<button
 
  className={cn(...)}
  onClick={() => setOpen(false)}
>
  <X />
</button>

14. Performance: Auto-scroll on Every Resize

File: components/search.tsx:155-176

The ResizeObserver triggers scroll on every size change, which could be expensive. Consider debouncing or using requestAnimationFrame.

15. Hard-coded Width Values

File: components/search.tsx:334, 348

max-w-[600px] min-w-[600px]
w-[min(600px,90vw)]

Consider making these configurable or using CSS custom properties for easier theming.

16. Step Count Limit

File: app/api/chat/route.ts:33

stopWhen: stepCountIs(10),

This limits tool calls to 10, which might not be enough for complex queries. Consider:

• Making this configurable
• Adding comments explaining why 10 was chosen
• Implementing better termination logic based on answer completeness

---

✅ Positive Aspects

1. Well-structured prompting - The system prompt in lib/searchPrompt.ts is comprehensive and includes good examples
2. Clean separation of concerns - AI tools, UI components, and API routes are well organized
3. Analytics integration - Good tracking of user interactions for product insights
4. Markdown rendering - Nice implementation with code highlighting and animations
5. TypeScript usage - Generally good type safety throughout
6. Reusable analytics hook - The useAnalytics hook centralizes tracking logic well

---

📋 Testing Recommendations

Since I cannot run the build or tests, please ensure:

1. Environment variables are documented (add .env.example)
2. API route is tested with:
   • Missing messages
   • Malformed messages
   • Very long messages
   • Missing API keys
3. Error scenarios are handled gracefully in the UI
4. Rate limiting is tested to prevent abuse
5. Cost monitoring is set up for OpenAI API usage

---

📝 Documentation Needed

Consider adding:

1. README section explaining:

   • How to set up OpenAI API key
   • How the AI search feature works
   • Cost implications
   • Rate limiting strategy

2. .env.example with required variables:

   OPENAI_API_KEY=your_key_here
   OPENAI_MODEL=gpt-4-turbo
   TYPESENSE_API_KEY=your_key_here
   TYPESENSE_HOST=your_host_here
   

3. Inline comments in complex areas like the markdown processor

---

🎯 Summary

This is a solid implementation of an AI search feature with good UX and clean architecture. However, the security issues (hardcoded API key, unprotected endpoint) must be addressed before merging to production. The error handling and rate limiting should also be improved to prevent abuse and provide better user experience.

Priority fixes:

1. Remove hardcoded Typesense API key (CRITICAL)
2. Add authentication/rate limiting to /api/chat (CRITICAL)
3. Improve error handling and logging (HIGH)
4. Add environment variable validation (HIGH)
5. Consider token limits for cost control (MEDIUM)

---

Job: [View run](https://github.com/nocodb/noco-docs-v2/actions/runs/${{ github.run_id }})
Branch: fix-blogs

[rameshmane7218]

@claude review this pr again

[claude]

Claude finished @rameshmane7218's task —— View job

---

Code Review: AI Search in Docs - Follow-up Review

I've completed a thorough re-review of this PR. Let me provide my findings on what's been addressed and what still needs attention.

---

Summary of Changes Since Last Review

The team has made significant improvements to address the previous critical security and quality issues:

✅ Fixed:

• Rate limiting has been implemented (utils/rateLimit.ts)
• Error handling improved with toast notifications
• .env.example added with clear documentation
• Multiple AI provider support added (OpenAI, Google, OpenRouter)
• Analytics hook properly memoized with useCallback
• Better error logging (though some areas still need work)

⚠️ Still Outstanding:

• CRITICAL: Hardcoded Typesense API key still present
• Input validation still missing
• Token limits not implemented

---

🔴 CRITICAL Issues (Must Fix Before Merge)

1. Hardcoded Typesense API Key 🚨

File: lib/ai-tools/search-and-fetch.ts:9-10

const typesenseClient = new Client({
  apiKey: 'lNKDTZdJrE76Sg8WEyeN9mXT29l1xq7Q',
  nodes: [
    {
      host: 'rqf5uvajyeczwt3xp-1.a1.typesense.net',
      port: 443,
      protocol: 'https',
    },
  ],
});

Status: ❌ NOT FIXED - This is the exact same issue from the previous review.

Issue: The Typesense API key and host are hardcoded in the source code. This is a severe security vulnerability.

Impact:

• Exposes your Typesense credentials publicly in the repository
• Anyone can use this key to access/query/modify your search index
• Could lead to unauthorized data access or service abuse

Required Fix:

const typesenseClient = new Client({
  apiKey: process.env.TYPESENSE_API_KEY || '',
  nodes: [
    {
      host: process.env.TYPESENSE_HOST || '',
      port: 443,
      protocol: 'https',
    },
  ],
});

if (!process.env.TYPESENSE_API_KEY || !process.env.TYPESENSE_HOST) {
  throw new Error('TYPESENSE_API_KEY and TYPESENSE_HOST environment variables are required');
}

Then add to .env.example:

# Typesense Configuration
TYPESENSE_API_KEY=your_typesense_key_here
TYPESENSE_HOST=your_typesense_host_here

Priority: 🚨 BLOCKER - This must be fixed before merging to production.

---

2. Missing Input Validation

File: app/api/chat/route.ts:13-17

let reqJson;
try {
  reqJson = await req.json();
} catch {
  return new Response('Invalid request', { status: 400 });
}

Status: ⚠️ Partially Addressed - Now catches JSON parse errors, but doesn't validate the shape/content.

Issue: No validation that reqJson.messages exists or is properly formatted.

Risk: Could cause crashes if malformed data is sent.

Recommended Fix:

let reqJson;
try {
  reqJson = await req.json();
  
  // Validate request structure
  if (!reqJson.messages || !Array.isArray(reqJson.messages)) {
    return new Response('Invalid request: messages array required', { status: 400 });
  }
  
  if (reqJson.messages.length === 0) {
    return new Response('Invalid request: messages cannot be empty', { status: 400 });
  }
} catch {
  return new Response('Invalid JSON request body', { status: 400 });
}

Priority: 🔴 HIGH - Should be fixed before production deployment.

---

3. Unbounded Token Usage

File: lib/ai-tools/search-and-fetch.ts:64-140

Status: ❌ NOT FIXED - No limits on content size.

Issue: The function fetches complete page content with no truncation or token limits:

const pageContent = await getLLMText(page);
markdown += `${pageContent}\n\n[${linkIndex}]\n\n---\n\n`;

Impact:

• Could exceed context windows for LLMs
• Unpredictable and potentially high API costs
• Slow response times

Recommended Fix:

const MAX_CHARS_PER_PAGE = 8000; // ~2000 tokens
const MAX_TOTAL_CHARS = 20000;   // ~5000 tokens total

let totalChars = 0;

for (const [pageUrl] of uniquePages) {
  try {
    const page = getPageFromUrl(pageUrl);
    
    if (page) {
      let pageContent = await getLLMText(page);
      
      // Truncate individual page if too long
      if (pageContent.length > MAX_CHARS_PER_PAGE) {
        pageContent = pageContent.substring(0, MAX_CHARS_PER_PAGE) + '\n\n[Content truncated...]';
      }
      
      // Stop if we've reached total limit
      if (totalChars + pageContent.length > MAX_TOTAL_CHARS) {
        break;
      }
      
      markdown += `${pageContent}\n\n[${linkIndex}]\n\n---\n\n`;
      totalChars += pageContent.length;
      
      links.push({
        url: page.url,
        title: page.data.title,
        label: linkIndex.toString(),
      });
      
      linkIndex++;
    }
  } catch(e) {
    console.error(e);
  }
}

Priority: 🔴 HIGH - Important for cost control and performance.

---

✅ Issues Successfully Addressed

1. Rate Limiting Implemented ✅

File: utils/rateLimit.ts

Great work! The rate limiting implementation is solid:

• In-memory rate limiter with configurable limits
• Proper cleanup mechanism
• Standard rate limit headers
• Default of 10 requests per minute

Quality: Excellent. The implementation follows best practices.

Note: This is an in-memory solution, so it resets on server restart and won't work in multi-instance deployments. For production with multiple servers, consider Redis-based rate limiting.

---

2. Error Handling with User Feedback ✅

File: components/search.tsx:278-281

onError: (error) => {
  toast.error("Something went wrong! Please try again later");
  console.error(error);
},

Status: ✅ FIXED - Users now see friendly error messages via toast notifications.

---

3. Environment Variables Documented ✅

File: .env.example:1-15

Status: ✅ FIXED - Clear documentation of required environment variables with examples.

Quality: Well done. The comments explain each provider and include example model IDs.

Still Missing: Typesense environment variables (see Critical Issue #1).

---

4. Multiple AI Provider Support ✅

File: lib/ai-models.ts

Status: ✅ EXCELLENT ADDITION - The code now supports OpenAI, Google, and OpenRouter.

Quality: Very well implemented with:

• Clear abstraction via createModel()
• Optional custom API keys
• Sensible defaults
• Good error messages

This is a great improvement that adds flexibility.

---

5. Analytics Hook Memoization ✅

File: hooks/useAnalytics.ts:25-34

const trackEvent = useCallback((event: AnalyticsEvent) => {
  if (pushRef.current) {
    pushRef.current({
      $current_url: window.location.href,
      path: window.location.pathname,
      hash: window.location.hash,
      ...event,
    });
  }
}, []);

Status: ✅ FIXED - trackEvent is now memoized with useCallback.

---

⚠️ Moderate Issues

6. Error Logging Improvements Needed

Files: lib/ai-tools/search-and-fetch.ts:119-121, 133-135

Status: 🟡 Partially Improved - Now logs errors with console.error(e), but could be more descriptive.

Current:

} catch(e) {
  console.error(e);
  // Continue with next page
}

Better:

} catch(e) {
  console.error(`Failed to fetch page content for ${pageUrl}:`, e);
  // Continue with next page
}

Priority: 🟡 MEDIUM - Would help with debugging in production.

---

7. Unbounded Cache Growth

File: components/markdown.tsx:114

const cache = new Map<string, Promise<ReactNode>>();

Status: ❌ NOT ADDRESSED - Cache still grows unbounded.

Issue: The cache could grow indefinitely in a long-running session.

Impact: Memory leak potential, though realistically limited by conversation length.

Recommended Fix: Implement an LRU cache with a reasonable max size (e.g., 50-100 entries).

Priority: 🟡 MEDIUM - Low risk but good hygiene.

---

8. Hard-coded Width Values

File: components/search.tsx:339, 353

<div className="flex max-w-[600px] min-w-[600px] mx-auto flex-col gap-4">

Status: ❌ NOT ADDRESSED

Issue: Fixed pixel widths make theming/customization harder.

Recommendation: Extract to CSS custom properties or config.

Priority: 🟢 LOW - Nice to have, not critical.

---

9. Accessibility Improvements

File: components/search.tsx:322-330

<button
  className={cn(
    "rounded-full bg-nc-background-grey-light cursor-pointer p-2 hover:bg-nc-background-grey-medium",
    "border-1"
  )}
  onClick={() => setOpen(false)}
>
  <X />
</button>

Status: ❌ NOT ADDRESSED - Missing aria-label.

Recommendation:

<button
 
  className={cn(...)}
  onClick={() => setOpen(false)}
>
  <X />
</button>

Priority: 🟡 MEDIUM - Important for accessibility.

---

💡 Additional Observations

10. Excellent System Prompt

File: lib/searchPrompt.ts

Observation: The system prompt is comprehensive and well-structured:

• Clear role definition
• Detailed tool usage guidelines
• Excellent examples
• Critical rules section

This should lead to good AI assistant behavior. Well done!

---

11. Good Code Organization

Observation: The code is well-organized with clear separation of concerns:

• Tools in lib/ai-tools/
• Components in components/
• Utilities in utils/
• Hooks in hooks/

This makes the codebase maintainable.

---

12. Rate Limit Configuration

File: app/api/chat/route.ts:10

const rateLimitError = validateRateLimit(req);

Observation: Uses default rate limit (10 requests/minute). This seems reasonable for an AI chat endpoint, but consider:

• Is this limit per IP or per user?
• Do you want different limits for authenticated vs. anonymous users?
• Should there be a daily limit as well?

Recommendation: Consider making limits configurable via environment variables:

const rateLimitError = validateRateLimit(req, {
  limit: parseInt(process.env.AI_RATE_LIMIT || '10'),
  interval: parseInt(process.env.AI_RATE_LIMIT_WINDOW || '60000'),
});

---

📋 Testing Recommendations

Since I cannot run the build or tests, please verify:

1. ✅ Rate limiting works correctly across multiple requests
2. ✅ Error states display properly in the UI
3. ✅ All AI providers work (OpenAI, Google, OpenRouter)
4. ❌ Environment variable validation catches missing configs
5. ❌ Input validation rejects malformed requests
6. ❌ Token limits prevent excessive API costs

---

📊 Review Summary

Category	Status	Count
🔴 Critical Issues	Must Fix	3
⚠️ Important Issues	Should Fix	0
🟡 Moderate Issues	Nice to Fix	4
✅ Fixed Issues	Resolved	5
💡 Positive Notes	N/A	3

---

🎯 Verdict

Status: ⚠️ NOT READY FOR MERGE - Critical issues must be addressed.

Reason: The hardcoded Typesense API key is a security vulnerability that must be fixed before merging.

Required Actions Before Merge:

1. 🚨 Remove hardcoded Typesense credentials and use environment variables
2. 🔴 Add input validation to the API route
3. 🔴 Implement token/content limits for cost control

Recommended Actions:
4. 🟡 Improve error logging with context
5. 🟡 Add accessibility attributes
6. 🟡 Consider LRU cache for markdown rendering

---

👏 Positive Progress

The team has done an excellent job addressing most of the previous review feedback:

• Rate limiting implementation is solid
• Error handling is much improved
• Multi-provider support adds great flexibility
• Documentation is clear
• Code organization is excellent

With the critical security issue fixed, this will be a strong feature addition!

---

Branch: fix-blogs