fix(packages/cli): watch top-level root dirs in diff command #53

Merged: zrosenbauer merged 5 commits into main from fix/diff-watch-asset-roots on Mar 21, 2026

@zrosenbauer zrosenbauer commented Mar 21, 2026

Summary

  • The zpress diff command now watches top-level root directories (e.g. docs/) in addition to specific subdirectories from section includes, so asset/image changes are detected
  • Updates vercel.json ignoreCommand to use pnpm zpress diff instead of a hardcoded file list

Changes

  • packages/cli/src/commands/diff.ts — Added toTopLevelRoot helper that extracts the first path segment from include directories. collectWatchPaths now includes these roots so sibling dirs (like docs/.assets/) are covered.
  • vercel.json — Replaced manual git diff path list with pnpm zpress diff in ignoreCommand
  • .changeset/diff-watch-asset-roots.md — Patch changeset for @zpress/cli

Testing

  • Verified pnpm zpress diff --pretty detects changes in docs/.assets/ (previously missed)
  • Verified config file changes are still detected
  • Verified standard doc file changes still work
  • Watch count increased from 65 to 68 paths (3 new top-level roots added)

Summary by CodeRabbit

  • New Features

    • Enhanced diff command now monitors top-level root directories to detect asset and image changes more comprehensively.
  • Chores

    • Updated JSON schema to v0.4.0.
    • VSCode extension is now published.
    • Updated deployment configuration to use improved change detection.

The diff command only watched specific subdirectories extracted from
section includes, missing sibling directories like asset folders.
Now it also watches the top-level root of each include path so images
and other assets are detected.

Also updates vercel.json ignoreCommand to use `pnpm zpress diff`
instead of a hardcoded file list.

Co-Authored-By: Claude <noreply@anthropic.com>

changeset-bot bot commented Mar 21, 2026

🦋 Changeset detected

Latest commit: ddbaca7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@zpress/cli Patch
@zpress/kit Patch

vercel bot commented Mar 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| oss-zpress | Ready | Preview, Comment | Mar 21, 2026 6:23am |

coderabbitai bot commented Mar 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c70145ef-d259-404e-b87d-041e370c4d81

📥 Commits

Reviewing files that changed from the base of the PR and between fea8bfd and ddbaca7.

⛔ Files ignored due to path filters (19)
  • examples/kitchen-sink/.zpress/public/banner.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/icons/guides.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/icons/reference.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/icons/security.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/icons/standards.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/logo.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/logos/blaxel.png is excluded by !**/*.png
  • examples/kitchen-sink/.zpress/public/logos/nango.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/logos/trigger.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/logos/vercel.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/icons/guides.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/icons/reference.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/icons/security.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/icons/standards.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/logo.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/logos/blaxel.png is excluded by !**/*.png
  • examples/simple/.zpress/public/logos/nango.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/logos/trigger.svg is excluded by !**/*.svg
  • examples/simple/.zpress/public/logos/vercel.svg is excluded by !**/*.svg
📒 Files selected for processing (2)
  • examples/kitchen-sink/.zpress/README.md
  • examples/simple/.zpress/README.md
💤 Files with no reviewable changes (2)
  • examples/simple/.zpress/README.md
  • examples/kitchen-sink/.zpress/README.md

📝 Walkthrough

This pull request enhances the diff command to watch top-level root directories alongside included paths, integrates the CLI's diff command into Vercel's deployment ignoreCommand, updates package configuration to handle the vscode extension, bumps the JSON schema version to v0.4.0, and removes generated documentation from example projects.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Changeset & Config: `.changeset/diff-watch-asset-roots.md`, `.changeset/config.json` | Added changeset documenting diff command's enhanced root directory watching. Extended changesets ignore list to include zpress-vscode and modified privatePackages settings to disable version and tag flags. |
| CLI Watch Path Enhancement: `packages/cli/src/commands/diff.ts` | Added toTopLevelRoot helper to extract first-segment path prefix. Modified collectWatchPaths to include top-level roots of included paths alongside directory paths, ensuring sibling directories under the same root are watched. |
| Schema Version: `packages/config/schemas/schema.json` | Updated JSON schema $id from v0.3.0 to v0.4.0. |
| Vercel Integration: `vercel.json` | Changed ignoreCommand from git-diff-based file checks to shell command using pnpm zpress diff, with special handling to skip on changeset-release branch. |
| VS Code Extension: `extensions/vscode/package.json` | Removed "private": true field to enable package publishing. |
| Example Projects: `examples/kitchen-sink/.gitignore`, `examples/simple/.gitignore` | Added .zpress/ directory to gitignore patterns. |
| Generated Documentation: `examples/kitchen-sink/.zpress/README.md`, `examples/simple/.zpress/README.md` | Removed autogenerated README documentation describing .zpress directory structure and commands. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Watch the roots now spread so wide,
Top-level paths walk side by side!
Vercel checks what changes are real,
Assets watched with zpress zeal.
The vscode gem breaks free to shine! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: the diff command now watches top-level root directories to detect asset and image changes. The title is specific, concise, and directly related to the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

- Add zpress-vscode to changeset ignore list (has its own vsce workflow)
- Set privatePackages version/tag to false to stop tagging examples
- Remove private flag from vscode extension (excluded via ignore instead)

Co-Authored-By: Claude <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@vercel.json`:
- Line 6: The ignoreCommand currently discards pnpm zpress diff's exit status by
evaluating its output with $(...), so failures are treated as empty output;
update the ignoreCommand to run pnpm zpress diff and preserve its exit code by
assigning its output to a variable (e.g., output="$(pnpm zpress diff)") and
immediately fail if the command exits non‑zero, then test emptiness of that
variable to decide deployment skipping; reference ignoreCommand and the pnpm
zpress diff invocation when making this change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 918c19ba-c3a0-4561-889c-556be6bcc4aa

📥 Commits

Reviewing files that changed from the base of the PR and between 44ab8aa and 2a47efa.

📒 Files selected for processing (3)
  • .changeset/diff-watch-asset-roots.md
  • packages/cli/src/commands/diff.ts
  • vercel.json
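
The failure mode this review comment describes, as an added example that is not part of the PR or the project's code. The `diff_*` functions are constructed stand-ins for `pnpm zpress diff`, the two `ignore_*` functions are assumed shapes of an `ignoreCommand`, and the exit-code convention (0 skips the build, non-zero lets it proceed) is Vercel's.

```shell
#!/bin/sh
# Constructed stand-ins for `pnpm zpress diff`; the real CLI is not invoked.
diff_no_changes()   { return 0; }                                  # clean run, nothing changed
diff_with_changes() { printf '%s\n' 'docs/.assets/logo.png'; }     # clean run, one changed path
diff_broken()       { echo 'diff: config failed to load' >&2; return 2; }  # crashed, no stdout

# Exit-code convention assumed for the ignore step: 0 = skip the build, non-zero = build.

# Flagged shape: only the captured output is inspected. A crash prints nothing
# to stdout, so it is indistinguishable from "no changes" and the build is skipped.
ignore_output_only() {
  [ -z "$("$1" 2>/dev/null)" ]
}

# Checked shape: keep the exit status of the diff. If it fails, return non-zero
# so the deployment is built rather than silently skipped.
ignore_checked() {
  _out="$("$1" 2>/dev/null)" || return 1
  [ -z "$_out" ]
}

# Translate an ignore function's exit status into the resulting decision.
decision() {
  if "$1" "$2"; then echo skip; else echo build; fi
}

# Print the decision matrix for all three scenarios.
for scenario in diff_no_changes diff_with_changes diff_broken; do
  printf '%-18s output-only=%-5s checked=%s\n' "$scenario" \
    "$(decision ignore_output_only "$scenario")" \
    "$(decision ignore_checked "$scenario")"
done
```

Only the `diff_broken` row differs between the two shapes: the output-only form skips the deployment when the change detector itself has failed.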

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (1)
examples/kitchen-sink/.zpress/content/apps/web/routing.md (1)

35-42: Consider completing the middleware example.

The middleware snippet shows configuration but omits the actual middleware function that performs authentication checks. Readers might find it difficult to understand how publicPaths is used to protect routes.

💡 Example of a more complete snippet
 // middleware.ts
+import { NextResponse } from 'next/server'
+import type { NextRequest } from 'next/server'
+
 const publicPaths = ['/auth/login', '/auth/signup']
 
+export function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl
+  
+  if (publicPaths.includes(pathname)) {
+    return NextResponse.next()
+  }
+  
+  // Check authentication here
+  // ...
+  
+  return NextResponse.redirect(new URL('/auth/login', request.url))
+}
+
 export const config = {
   matcher: ['/((?!_next|api|static).*)'],
 }
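Review bot: In the added `middleware` function the auth check is only a comment, so the final `return NextResponse.redirect(new URL('/auth/login', request.url))` runs for every path not in `publicPaths`; as written no protected page is ever reachable. The snippet should return `NextResponse.next()` once the check passes and redirect only on failure. Two smaller points on the same lines: `publicPaths.includes(pathname)` is an exact string match, so nothing nested under `/auth/login` or `/auth/signup` counts as public, and the `matcher` pattern skips any path starting with `_next`, `api` or `static`, so API routes need their own authorization check.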
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/web/routing.md` around lines 35 -
42, The snippet defines publicPaths and config but omits the actual middleware
handler that uses them; add an exported middleware function (export default
function middleware(req)) that reads the request path (req.nextUrl.pathname),
skips paths in publicPaths, performs an auth check (e.g., verify session cookie
or token), and when unauthenticated redirects to '/auth/login' while preserving
the return URL; ensure the function uses the existing publicPaths and
config.matcher's behavior and returns NextResponse.next() for allowed requests
and NextResponse.redirect(...) for blocked ones.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json`:
- Around line 857-861: The global "bearerAuth" security definition is applied to
all operations, but the public endpoints /auth/login and /auth/refresh need to
override it; edit the OpenAPI operations for the paths "/auth/login" and
"/auth/refresh" in openapi.json and add an explicit operation-level "security":
[] entry to each operation (ensuring it sits alongside the existing
responses/requestBody/etc.), which will override the global security requirement
for those endpoints.
- Around line 24-29: Add explicit bounds to the pagination parameters and
response array: update the query parameter schemas for "limit" and "offset" (the
parameter objects named limit and offset) to include "minimum" and "maximum"
constraints (e.g., minimum 0 for offset, minimum 1 for limit and a sensible
maximum like 100 or 1000), and update the response schema where the "data" array
is defined to include "maxItems" (and optionally "minItems") to prevent
unbounded responses; ensure the changes are applied in openapi.json to the
parameter objects named "limit" and "offset" and to the response schema that has
the "data" array.

In `@examples/kitchen-sink/.zpress/content/apps/web.md`:
- Around line 22-30: The markdown code fence in the README snippet (the
unlabeled triple-backtick block showing the apps/web/ tree) lacks a language
label and triggers MD040; update the fenced block around the directory tree (the
block that starts with "apps/web/") to include a language label such as "text"
(i.e., change ``` to ```text) so the linter recognizes it as a text/code block.

In `@examples/kitchen-sink/.zpress/content/apps/web/routing.md`:
- Around line 48-50: The fenced code block showing the path
"src/app/products/[id]/page.tsx" is missing a language identifier; update the
markdown snippet in routing.md to use a plain text language tag (e.g., change
the triple backticks to ```text or ```plaintext) so the file path renders
correctly, ensuring the block that contains src/app/products/[id]/page.tsx is
updated accordingly.
- Around line 12-29: The fenced code block containing the file tree (the
triple-backtick block in routing.md) lacks a language identifier; update the
opening fence to include a plaintext language hint (e.g., ```text or
```plaintext) so the directory tree renders/accessibility improves, by editing
the opening ``` to ```text (or ```plaintext) for the block that starts with
"src/app/" and ends with the closing ```; no other content changes required.

In `@examples/kitchen-sink/.zpress/content/architecture.md`:
- Around line 12-21: In architecture.md update the two unlabeled fenced code
blocks (the ASCII tree and the ASCII diagram) to include a language label (use
"text") on the opening ``` fence so markdownlint MD040 is satisfied; locate the
two fence blocks in the file and change ``` to ```text for the apps/packages
tree and the web→ui→config diagram respectively, leaving the ASCII content
unchanged.

In `@examples/kitchen-sink/.zpress/content/packages/db.md`:
- Around line 31-42: The markdown code fence for the directory tree in the
packages/db example is missing a language tag (MD040); update the opening
triple-backtick before the tree (the block showing "packages/db/ ...
drizzle.config.ts") to include a language such as "text" (e.g., ```text) so the
code fence specifies a language and satisfies markdownlint MD040.

In `@examples/kitchen-sink/.zpress/content/packages/db/migrations.md`:
- Around line 37-42: The fenced code block showing the migrations tree is
missing a language label (triggering markdownlint MD040); update the fenced
block in examples/kitchen-sink/.zpress/content/packages/db/migrations.md by
changing the opening fence from ``` to a labeled fence such as ```text so the
block becomes a labeled code fence (e.g., use "text") to satisfy the linter.

---

Nitpick comments:
In `@examples/kitchen-sink/.zpress/content/apps/web/routing.md`:
- Around line 35-42: The snippet defines publicPaths and config but omits the
actual middleware handler that uses them; add an exported middleware function
(export default function middleware(req)) that reads the request path
(req.nextUrl.pathname), skips paths in publicPaths, performs an auth check
(e.g., verify session cookie or token), and when unauthenticated redirects to
'/auth/login' while preserving the return URL; ensure the function uses the
existing publicPaths and config.matcher's behavior and returns
NextResponse.next() for allowed requests and NextResponse.redirect(...) for
blocked ones.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 91d28867-a4bd-45b7-a3a8-faf3df1ee2a9

📥 Commits

Reviewing files that changed from the base of the PR and between 2a47efa and fea8bfd.

⛔ Files ignored due to path filters (12)
  • examples/kitchen-sink/.zpress/content/public/banner.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/icon.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/icons/guides.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/icons/reference.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/icons/security.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/icons/standards.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/logo.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/logos/blaxel.png is excluded by !**/*.png
  • examples/kitchen-sink/.zpress/content/public/logos/nango.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/logos/trigger.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/content/public/logos/vercel.svg is excluded by !**/*.svg
  • examples/kitchen-sink/.zpress/public/icon.svg is excluded by !**/*.svg
📒 Files selected for processing (47)
  • .changeset/config.json
  • examples/kitchen-sink/.gitignore
  • examples/kitchen-sink/.zpress/content/.generated/manifest.json
  • examples/kitchen-sink/.zpress/content/.generated/nav.json
  • examples/kitchen-sink/.zpress/content/.generated/sidebar.json
  • examples/kitchen-sink/.zpress/content/.generated/workspaces.json
  • examples/kitchen-sink/.zpress/content/apps.mdx
  • examples/kitchen-sink/.zpress/content/apps/api.md
  • examples/kitchen-sink/.zpress/content/apps/api/reference/createteam.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/createuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/deleteuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/getuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/index.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/listteammembers.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/listteams.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/listusers.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/login.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json
  • examples/kitchen-sink/.zpress/content/apps/api/reference/refreshtoken.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/updateuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/web.md
  • examples/kitchen-sink/.zpress/content/apps/web/deployment.md
  • examples/kitchen-sink/.zpress/content/apps/web/routing.md
  • examples/kitchen-sink/.zpress/content/architecture.md
  • examples/kitchen-sink/.zpress/content/contributing.md
  • examples/kitchen-sink/.zpress/content/contributing/guides.mdx
  • examples/kitchen-sink/.zpress/content/contributing/guides/code-style.md
  • examples/kitchen-sink/.zpress/content/contributing/guides/pull-requests.md
  • examples/kitchen-sink/.zpress/content/getting-started.md
  • examples/kitchen-sink/.zpress/content/guides.mdx
  • examples/kitchen-sink/.zpress/content/guides/adding-a-package.md
  • examples/kitchen-sink/.zpress/content/guides/deployment.md
  • examples/kitchen-sink/.zpress/content/guides/local-development.md
  • examples/kitchen-sink/.zpress/content/index.md
  • examples/kitchen-sink/.zpress/content/integrations.mdx
  • examples/kitchen-sink/.zpress/content/integrations/stripe.md
  • examples/kitchen-sink/.zpress/content/packages.mdx
  • examples/kitchen-sink/.zpress/content/packages/config.md
  • examples/kitchen-sink/.zpress/content/packages/db.md
  • examples/kitchen-sink/.zpress/content/packages/db/migrations.md
  • examples/kitchen-sink/.zpress/content/packages/db/schema.md
  • examples/kitchen-sink/.zpress/content/packages/ui.md
  • examples/kitchen-sink/.zpress/content/packages/ui/components.md
  • examples/kitchen-sink/.zpress/content/packages/ui/theming.md
  • examples/simple/.gitignore
  • extensions/vscode/package.json
  • packages/config/schemas/schema.json
💤 Files with no reviewable changes (1)
  • extensions/vscode/package.json
✅ Files skipped from review due to trivial changes (36)
  • examples/kitchen-sink/.zpress/content/integrations/stripe.md
  • examples/kitchen-sink/.zpress/content/apps/api.md
  • examples/kitchen-sink/.zpress/content/apps/api/reference/refreshtoken.mdx
  • examples/kitchen-sink/.gitignore
  • examples/simple/.gitignore
  • examples/kitchen-sink/.zpress/content/apps/api/reference/login.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/index.mdx
  • examples/kitchen-sink/.zpress/content/contributing.md
  • examples/kitchen-sink/.zpress/content/apps/api/reference/updateuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/listteams.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/deleteuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/listusers.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/getuser.mdx
  • examples/kitchen-sink/.zpress/content/guides.mdx
  • examples/kitchen-sink/.zpress/content/apps/api/reference/createuser.mdx
  • examples/kitchen-sink/.zpress/content/apps/web/deployment.md
  • examples/kitchen-sink/.zpress/content/index.md
  • examples/kitchen-sink/.zpress/content/packages/ui.md
  • examples/kitchen-sink/.zpress/content/contributing/guides.mdx
  • examples/kitchen-sink/.zpress/content/contributing/guides/pull-requests.md
  • examples/kitchen-sink/.zpress/content/apps.mdx
  • examples/kitchen-sink/.zpress/content/.generated/nav.json
  • examples/kitchen-sink/.zpress/content/packages/ui/theming.md
  • examples/kitchen-sink/.zpress/content/contributing/guides/code-style.md
  • examples/kitchen-sink/.zpress/content/packages.mdx
  • examples/kitchen-sink/.zpress/content/guides/local-development.md
  • examples/kitchen-sink/.zpress/content/packages/ui/components.md
  • examples/kitchen-sink/.zpress/content/.generated/manifest.json
  • examples/kitchen-sink/.zpress/content/packages/config.md
  • packages/config/schemas/schema.json
  • examples/kitchen-sink/.zpress/content/guides/deployment.md
  • examples/kitchen-sink/.zpress/content/.generated/workspaces.json
  • examples/kitchen-sink/.zpress/content/apps/api/reference/createteam.mdx
  • examples/kitchen-sink/.zpress/content/getting-started.md
  • examples/kitchen-sink/.zpress/content/guides/adding-a-package.md
  • examples/kitchen-sink/.zpress/content/packages/db/schema.md

Comment on lines +24 to +29
"name": "limit",
"in": "query",
"schema": {
"type": "integer",
"default": 20
}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json"

echo "Current limit schema:"
jq '.paths["/users"].get.parameters[] | select(.name=="limit").schema' "$FILE"

echo "Current users.data schema:"
jq '.paths["/users"].get.responses["200"].content["application/json"].schema.properties.data' "$FILE"

Repository: joggrdocs/zpress

Length of output: 774


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json"

# Get the file with line numbers to verify the exact lines mentioned
echo "=== File content with line numbers around the limit parameter ==="
sed -n '15,35p' "$FILE" | cat -n

echo -e "\n=== File content with line numbers around the data array ==="
sed -n '40,60p' "$FILE" | cat -n

# Check if there are other array properties or pagination parameters
echo -e "\n=== All parameters in /users endpoint ==="
jq '.paths["/users"].get.parameters[] | {name: .name, in: .in, schema: .schema}' "$FILE"

# Check all array-type properties in /users response
echo -e "\n=== All array-type properties in /users 200 response ==="
jq '.paths["/users"].get.responses["200"].content["application/json"].schema.properties | to_entries[] | select(.value.type == "array") | {property: .key, value: .value}' "$FILE"

Repository: joggrdocs/zpress

Length of output: 2714


Add bounds to pagination parameters and response array to prevent unbounded responses.

The limit and offset query parameters lack minimum and maximum constraints, and the data array response lacks maxItems. This allows unbounded requests that could cause performance degradation.

Suggested fixes
{
  "name": "limit",
  "in": "query",
  "schema": {
    "type": "integer",
+   "minimum": 1,
+   "maximum": 100,
    "default": 20
  }
}
{
  "name": "offset",
  "in": "query",
  "schema": {
    "type": "integer",
+   "minimum": 0,
    "default": 0
  }
}
"data": {
  "type": "array",
+ "maxItems": 100,
  "items": {
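Review bot: `offset` gets `"minimum": 0` but no `"maximum"`, unlike `limit`, so the schema still accepts arbitrarily large offsets; add an upper bound there if deep paging should be rejected. `"maxItems": 100` on `data` repeats the literal from `limit`'s `"maximum": 100`, so the two values have to be changed together. These keywords only describe the contract in the spec, and nothing in the hunk shows the handler enforcing them.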
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"name": "limit",
"in": "query",
"schema": {
"type": "integer",
"default": 20
}
"name": "limit",
"in": "query",
"schema": {
"type": "integer",
"minimum": 1,
"maximum": 100,
"default": 20
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json` around
lines 24 - 29, Add explicit bounds to the pagination parameters and response
array: update the query parameter schemas for "limit" and "offset" (the
parameter objects named limit and offset) to include "minimum" and "maximum"
constraints (e.g., minimum 0 for offset, minimum 1 for limit and a sensible
maximum like 100 or 1000), and update the response schema where the "data" array
is defined to include "maxItems" (and optionally "minItems") to prevent
unbounded responses; ensure the changes are applied in openapi.json to the
parameter objects named "limit" and "offset" and to the response schema that has
the "data" array.

Comment on lines +857 to +861
"security": [
{
"bearerAuth": []
}
]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json"

echo "Global security:"
jq '.security' "$FILE"

echo "Operation-level security on auth endpoints (null means inherited global security):"
jq '.paths["/auth/login"].post.security, .paths["/auth/refresh"].post.security' "$FILE"

Repository: joggrdocs/zpress

Length of output: 202


Add explicit unauthenticated security to /auth/login and /auth/refresh operations.

Global bearer auth is defined at lines 857-861, and both /auth/login and /auth/refresh inherit this security requirement since they lack explicit operation-level security definitions. Public authentication endpoints must override this with "security": [].

Suggested fixes
"/auth/login": {
  "post": {
+   "security": [],
    "operationId": "login",
    "summary": "Authenticate",
"/auth/refresh": {
  "post": {
+   "security": [],
    "operationId": "refreshToken",
    "summary": "Refresh token",
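Review bot: `"security": []` removes every security requirement from the operation, which fits `/auth/login`, but for `/auth/refresh` the hunk shows only `operationId` and `summary`, not how the refresh token is presented. If the token travels in a header or cookie, declare a matching scheme for that operation instead of an empty list, so the spec does not describe token refresh as fully anonymous.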
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/api/reference/openapi.json` around
lines 857 - 861, The global "bearerAuth" security definition is applied to all
operations, but the public endpoints /auth/login and /auth/refresh need to
override it; edit the OpenAPI operations for the paths "/auth/login" and
"/auth/refresh" in openapi.json and add an explicit operation-level "security":
[] entry to each operation (ensuring it sits alongside the existing
responses/requestBody/etc.), which will override the global security requirement
for those endpoints.

Comment on lines +22 to +30
```
apps/web/
├── src/
│ ├── app/ # App router pages
│ ├── components/ # App-specific components
│ └── lib/ # Utilities and helpers
├── public/ # Static assets
└── next.config.ts
```

⚠️ Potential issue | 🟡 Minor

Add a language label to the fenced block.

Line 22 is an unlabeled fence and triggers markdownlint MD040.

Suggested fix
-```
+```text
 apps/web/
 ├── src/
 │   ├── app/              # App router pages
 │   ├── components/       # App-specific components
 │   └── lib/              # Utilities and helpers
 ├── public/               # Static assets
 └── next.config.ts

🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 22-22: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/web.md` around lines 22 - 30, The
markdown code fence in the README snippet (the unlabeled triple-backtick block
showing the apps/web/ tree) lacks a language label and triggers MD040; update
the fenced block around the directory tree (the block that starts with
"apps/web/") to include a language label such as "text" (i.e., change ``` to
```text) so the linter recognizes it as a text/code block.

Comment on lines +12 to +29
```
src/app/
├── layout.tsx # Root layout (nav, providers)
├── page.tsx # Home page
├── dashboard/
│ ├── layout.tsx # Dashboard layout (sidebar)
│ ├── page.tsx # Dashboard overview
│ ├── settings/
│ │ └── page.tsx # User settings
│ └── @modal/
│ └── (.)invite/
│ └── page.tsx # Intercepted modal route
└── auth/
├── login/
│ └── page.tsx
└── signup/
└── page.tsx
```

⚠️ Potential issue | 🟡 Minor

Specify language for the fenced code block.

The directory tree code block is missing a language identifier. For plain text content like file trees, use text or plaintext to improve rendering and accessibility.

📝 Proposed fix
-```
+```text
 src/app/
 ├── layout.tsx           # Root layout (nav, providers)
🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 12-12: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/web/routing.md` around lines 12 -
29, The fenced code block containing the file tree (the triple-backtick block in
routing.md) lacks a language identifier; update the opening fence to include a
plaintext language hint (e.g., ```text or ```plaintext) so the directory tree
renders/accessibility improves, by editing the opening ``` to ```text (or
```plaintext) for the block that starts with "src/app/" and ends with the
closing ```; no other content changes required.

Comment on lines +48 to +50
```
src/app/products/[id]/page.tsx
```

⚠️ Potential issue | 🟡 Minor

Specify language for the fenced code block.

The file path code block is missing a language identifier. Use text or plaintext for better rendering.

📝 Proposed fix
-```
+```text
 src/app/products/[id]/page.tsx

🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 48-48: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/apps/web/routing.md` around lines 48 -
50, The fenced code block showing the path "src/app/products/[id]/page.tsx" is
missing a language identifier; update the markdown snippet in routing.md to use
a plain text language tag (e.g., change the triple backticks to ```text or
```plaintext) so the file path renders correctly, ensuring the block that
contains src/app/products/[id]/page.tsx is updated accordingly.

Comment on lines +12 to +21
```
apps/
├── web/ # Next.js frontend
└── api/ # Hono REST API

packages/
├── ui/ # Shared React components
├── db/ # Database client and schema
└── config/ # Shared configuration
```

⚠️ Potential issue | 🟡 Minor

Label both fenced code blocks with a language.

Line 12 and Line 25 use unlabeled fences and trigger markdownlint MD040.

Suggested fix
-```
+```text
 apps/
 ├── web/          # Next.js frontend
 └── api/          # Hono REST API

 packages/
 ├── ui/           # Shared React components
 ├── db/           # Database client and schema
 └── config/       # Shared configuration

-```
+```text
 web ──→ ui ──→ config
  │              ↑
  └──→ db ───────┘
        ↑
 api ───┘

Also applies to: 25-31

🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 12-12: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @examples/kitchen-sink/.zpress/content/architecture.md around lines 12 - 21,
In architecture.md update the two unlabeled fenced code blocks (the ASCII tree
and the ASCII diagram) to include a language label (use "text") on the opening

file and change ``` to ```text for the apps/packages tree and the web→ui→config
diagram respectively, leaving the ASCII content unchanged.

Comment on lines +31 to +42
```
packages/db/
├── src/
│ ├── index.ts # Client export
│ ├── schema/ # Table definitions
│ │ ├── users.ts
│ │ ├── products.ts
│ │ └── orders.ts
│ └── seed.ts # Development seed data
├── migrations/ # SQL migration files
└── drizzle.config.ts
```

⚠️ Potential issue | 🟡 Minor

Specify a language for the directory tree code fence.

Line 31 should include a fence language to satisfy markdownlint MD040.

Suggested fix
-```
+```text
 packages/db/
 ├── src/
 │   ├── index.ts          # Client export
 │   ├── schema/           # Table definitions
 │   │   ├── users.ts
 │   │   ├── products.ts
 │   │   └── orders.ts
 │   └── seed.ts           # Development seed data
 ├── migrations/           # SQL migration files
 └── drizzle.config.ts

🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 31-31: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/packages/db.md` around lines 31 - 42,
The markdown code fence for the directory tree in the packages/db example is
missing a language tag (MD040); update the opening triple-backtick before the
tree (the block showing "packages/db/ ... drizzle.config.ts") to include a
language such as "text" (e.g., ```text) so the code fence specifies a language
and satisfies markdownlint MD040.

Comment on lines +37 to +42
```
migrations/
├── 0000_initial.sql
├── 0001_add_orders_table.sql
└── 0002_add_user_role.sql
```

⚠️ Potential issue | 🟡 Minor

Add a language label for the fenced block.

Line 37 uses an unlabeled fence, which triggers markdownlint MD040.

Suggested fix
-```
+```text
 migrations/
 ├── 0000_initial.sql
 ├── 0001_add_orders_table.sql
 └── 0002_add_user_role.sql

🧰 Tools
🪛 markdownlint-cli2 (0.21.0)

[warning] 37-37: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/kitchen-sink/.zpress/content/packages/db/migrations.md` around lines
37 - 42, The fenced code block showing the migrations tree is missing a language
label (triggering markdownlint MD040); update the fenced block in
examples/kitchen-sink/.zpress/content/packages/db/migrations.md by changing the
opening fence from ``` to a labeled fence such as ```text so the block becomes a
labeled code fence (e.g., use "text") to satisfy the linter.

These are generated outputs that should not be committed.
Both example directories already have .zpress/ in their .gitignore.

Co-Authored-By: Claude <noreply@anthropic.com>
@zrosenbauer zrosenbauer merged commit b090c88 into main Mar 21, 2026
5 checks passed
@zrosenbauer zrosenbauer deleted the fix/diff-watch-asset-roots branch March 21, 2026 06:32