The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 18, 2026 3:52am

PR Summary

Medium Risk
Touches security-sensitive surfaces by loosening frame-src CSP to include blob: and by adding new authenticated endpoints that execute user-supplied code in the sandbox; failures could impact preview isolation or CSP protections.

Overview
Adds missing document preview API endpoints for PDF and DOCX and refactors the existing PPTX preview handler to reuse a shared createDocumentPreviewRoute factory.

The shared route enforces consistent auth + workspace membership checks, JSON/code validation, and a new 1MB MAX_DOCUMENT_PREVIEW_CODE_BYTES limit before calling runSandboxTask, and streams back the generated binary with correct MIME types.

Updates CSP frame-src to allow blob: (to support iframe-based PDF previews) and adds Vitest coverage for the three preview routes plus the new CSP expectation.

^{Reviewed by Cursor Bugbot for commit ef2b8b2. Configure here.}

bugbot run

@greptile

Greptile Summary

This PR adds the missing PDF preview API endpoint (/api/workspaces/[id]/pdf/preview) and refactors the shared document-preview logic (PDF, DOCX, PPTX) into a single factory function createDocumentPreviewRoute. It also adds blob: to the frame-src CSP directive to unblock iframe-based PDF preview rendering, with a matching test asserting its presence.

The refactoring is clean: auth, membership verification, JSON parsing, code validation, size guard, and sandbox dispatch are all handled once in create-preview-route.ts, and each per-format route file reduces to a one-liner config call.

Confidence Score: 5/5

Safe to merge — clean refactor with comprehensive test coverage and no functional regressions.

All changed files follow project conventions (toError, createLogger, absolute imports, vi.hoisted mocking). The shared factory eliminates duplication across three routes. Test suites cover every response branch including auth failures previously flagged in review. The CSP change (blob: in frame-src) is the minimum required to unblock iframe PDF rendering and is acceptable since blob URLs are inherently same-origin. No P0 or P1 issues found.

No files require special attention.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[POST to document preview endpoint] --> B[createDocumentPreviewRoute factory]
    B --> C{Authenticated?}
    C -- No --> D[401 Unauthorized]
    C -- Yes --> E{Workspace member?}
    E -- No --> F[403 Insufficient permissions]
    E -- Yes --> G{Valid JSON body?}
    G -- No --> H[400 Invalid JSON]
    G -- Yes --> I{code present and non-empty?}
    I -- No --> J[400 code is required]
    I -- Yes --> K{code within 1 MB?}
    K -- No --> L[413 code exceeds maximum size]
    K -- Yes --> M[runSandboxTask with ownerKey and abort signal]
    M -- Success --> N[200 binary document response]
    M -- Error --> O[500 with error message]

_{Reviews (2): Last reviewed commit: "follow nextjs route gen strat" | Re-trigger Greptile}

bugbot run

@greptile