@JounQin JounQin commented May 29, 2025

Summary by CodeRabbit

  • New Features

    • Added support for Algolia-powered search, including a new search component that automatically uses Algolia when configured.
    • Introduced a CLI option to enable or disable Algolia search.
    • Extended configuration options to allow specifying Algolia credentials.
  • Chores

    • Updated dependencies and TypeScript configuration.
    • Added documentation for Algolia crawler verification.
    • Improved configuration file organization and export structure.

@JounQin JounQin requested a review from Copilot May 29, 2025 10:14
@JounQin JounQin self-assigned this May 29, 2025
@JounQin JounQin added the enhancement (New feature or request), dependencies (Pull requests that update a dependency file) and feature labels May 29, 2025

changeset-bot bot commented May 29, 2025

🦋 Changeset detected

Latest commit: bfacf62

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name | Type
@alauda/doom | Minor

coderabbitai bot commented May 29, 2025

Walkthrough

The changes introduce Algolia search integration into the project. This includes configuration updates, CLI enhancements, conditional theme logic for search, and type extensions to support Algolia options. Supporting updates add relevant dependencies, environment variable handling, and documentation for crawler verification. A new theme export and TypeScript path alias are also included.

Changes

File(s) | Change Summary
docs/public/Robots.txt | Added Algolia crawler verification directive.
doom.config.yml | Moved themeConfig section, added empty algolia config section.
package.json | Added @rspress/plugin-algolia dependency, updated TypeScript-related packages, and added theme export.
src/cli/index.ts | Added -a, --algolia CLI option for enabling Algolia search.
src/cli/load-config.ts | Updated config loading to handle Algolia flag and inject Algolia env variables via plugin if enabled.
src/theme.tsx | Added Search component that conditionally uses Algolia or default search; re-exported all from core theme.
src/types.ts | Extended types/interfaces to support Algolia options in CLI and user config.
theme/index.ts | New file re-exporting all from @alauda/doom/theme.
tsconfig.json | Added path alias for @alauda/doom/theme pointing to ./src/theme.tsx.
.changeset/witty-carrots-repair.md | Added changeset documenting Algolia search feature addition.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI
    participant ConfigLoader
    participant Env
    participant Theme

    User->>CLI: Run with --algolia flag
    CLI->>ConfigLoader: loadConfig({ algolia: true })
    ConfigLoader->>Env: Inject ALGOLIA_* env vars if algolia enabled
    CLI->>Theme: Start app with env
    Theme->>Env: Check ALGOLIA_* env vars
    alt All ALGOLIA_* vars present
        Theme->>User: Render AlgoliaSearch
    else
        Theme->>User: Render DefaultSearch
    end

Poem

In the warren of code, a new search takes flight,
Algolia hops in, making queries light.
With config and CLI, the options expand—
Now searching is swift, just as we planned.
From burrow to theme, our changes are keen,
🐇✨ Hooray for the best search you’ve seen!


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5dea411 and bfacf62.

📒 Files selected for processing (1)
  • .changeset/witty-carrots-repair.md (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .changeset/witty-carrots-repair.md

pkg-pr-new bot commented May 29, 2025

npm i https://pkg.pr.new/@alauda/doom@34

commit: bfacf62

Signed-off-by: JounQin <admin@1stg.me>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
docs/public/Robots.txt (1)

1-1: Consider using lowercase filename for web standards compliance.

The file is named Robots.txt with a capital 'R', but web standards typically expect robots.txt in lowercase. Most web crawlers and search engines expect the lowercase version.

Consider renaming the file to robots.txt to ensure better compatibility with web standards and crawler expectations.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a292525 and 5dea411.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • docs/public/Robots.txt (1 hunks)
  • doom.config.yml (2 hunks)
  • package.json (4 hunks)
  • src/cli/index.ts (1 hunks)
  • src/cli/load-config.ts (5 hunks)
  • src/theme.tsx (1 hunks)
  • src/types.ts (3 hunks)
  • theme/index.ts (1 hunks)
  • tsconfig.json (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
src/cli/index.ts (1)
src/cli/helpers.ts (1)
  • parseBoolean (10-11)
🪛 ESLint
src/theme.tsx

[error] 1-1: Unable to resolve path to module '@rspress/core/theme'.

(import-x/no-unresolved)


[error] 2-2: Unable to resolve path to module '@rspress/plugin-algolia/runtime'.

(import-x/no-unresolved)


[error] 20-20: Unable to resolve path to module '@rspress/core/theme'.

(import-x/no-unresolved)

🔇 Additional comments (15)
tsconfig.json (1)

15-16: LGTM! Path mapping follows existing conventions.

The new TypeScript path alias @alauda/doom/theme properly follows the existing pattern and correctly points to the theme module. This will enable clean imports of the theme components.

theme/index.ts (1)

1-1: LGTM! Clean barrel export pattern.

This file correctly implements a barrel export pattern, providing a clean public interface for the theme module. The re-export aligns well with the TypeScript path mapping added in tsconfig.json.

src/cli/index.ts (1)

106-111: LGTM! CLI option follows established patterns.

The new Algolia CLI option is properly implemented:

  • Uses the existing parseBoolean helper function consistently with other boolean options
  • Has a clear, descriptive help text
  • Appropriately defaults to false
  • Follows the established option ordering and formatting
doom.config.yml (2)

4-8: LGTM: Clean configuration reorganization.

The themeConfig section has been appropriately moved for better organization while maintaining the same content structure.


34-37: LGTM: Proper Algolia configuration structure.

The algolia section follows the expected structure with all required keys (appId, apiKey, indexName) matching the AlgoliaOptions type definition. Empty values are appropriate for configuration templates.

src/theme.tsx (1)

1-2:

❓ Verification inconclusive

Verify import resolution for Algolia dependencies.

The static analysis tools are reporting import resolution errors for the rspress modules. Please ensure these dependencies are properly installed and the import paths are correct.


🏁 Script executed:

#!/bin/bash
# Description: Verify that the Algolia plugin and core theme exports exist
# Expected: Both modules should be resolvable and export the expected components

# Check if the Algolia plugin is installed and has the runtime export
fd -t f "package.json" | xargs -I {} dirname {} | head -1 | xargs -I {} find {} -name "node_modules" -type d | head -1 | xargs -I {} find {} -path "*/@rspress/plugin-algolia/runtime*" -type f

# Check if the core theme export exists  
fd -t f "package.json" | xargs -I {} dirname {} | head -1 | xargs -I {} find {} -name "node_modules" -type d | head -1 | xargs -I {} find {} -path "*/@rspress/core/theme*" -type f

Length of output: 471


Verify @rspress/core and @rspress/plugin-algolia installation and exports

I wasn’t able to confirm these imports in this sandbox (no node_modules), so please double-check locally:

  • src/theme.tsx (lines 1–2):
    import { Search as OriginalSearch } from '@rspress/core/theme'
    import { Search as AlgoliaSearch } from '@rspress/plugin-algolia/runtime'
  • Ensure both @rspress/core and @rspress/plugin-algolia appear in your package.json and are installed.
  • Run locally:
    npm ls @rspress/core
    npm ls @rspress/plugin-algolia
    to verify there are no resolution errors.
  • Confirm that each package exports a Search component at the specified paths.
src/types.ts (3)

33-33: LGTM: Appropriate CLI option addition.

The algolia boolean flag is properly added to GlobalCliOptions interface, maintaining consistency with other optional CLI flags.


45-49: LGTM: Well-defined Algolia configuration interface.

The AlgoliaOptions interface correctly defines all required Algolia configuration properties as strings, matching the expected Algolia DocSearch API requirements.


66-66: LGTM: Proper UserConfig extension.

The algolia property is appropriately added as optional to the UserConfig interface, allowing users to configure Algolia settings when needed.

package.json (3)

18-18: LGTM: Appropriate theme export addition.

The new "./theme" export correctly points to the compiled theme module, enabling external consumption of the custom theme functionality.


68-68: LGTM: Consistent Algolia plugin dependency.

The @rspress/plugin-algolia dependency is added with version 2.0.0-beta.8, matching the version of @rspress/core for consistency.


101-101: LGTM: Routine dependency updates.

The typescript-eslint and @types/node version updates are minor maintenance updates that should provide bug fixes and improvements.

Also applies to: 115-115

src/cli/load-config.ts (3)

117-117: LGTM: Function signature updates

The addition of the optional algolia parameter to the function signature and type definition is clean and follows the existing pattern.

Also applies to: 134-134


346-346: LGTM: Parameter threading

The algolia parameter is correctly threaded through the function call chain from loadConfig to getCommonConfig.

Also applies to: 426-426


301-309:

❓ Verification inconclusive

Verify API key security

The Algolia API key is being exposed as a client-side environment variable. Please ensure this is a search-only API key with read permissions and not an admin API key.

Please confirm that the API key being used here is:

  1. A search-only API key with restricted permissions
  2. Safe to expose in client-side code
  3. Not an admin API key that could be misused

🌐 Web query:

What are the security best practices for exposing Algolia API keys in client-side applications?

💡 Result:

Security Best Practices for Exposing Algolia API Keys in Client-Side Applications

Exposing Algolia API keys in client-side applications requires careful attention. While some API keys are intended for public use (like search-only keys), mishandling or misconfiguring them can lead to data leaks or potential misuse. Here’s a breakdown of best practices to minimize your risk:

1. Only Expose Search-Only API Keys on the Client

  • Never use Admin or write-access API keys in any client-side code. Only search-only API keys, which permit search queries and not data modification, should be exposed in the frontend[1][2][3][5].
  • Admin keys or keys with permissions like addObject, deleteIndex, or editSettings should be strictly kept on the server and never sent to the browser[2][5].

2. Strictly Limit Permissions and Scope

  • Ensure every exposed API key has the minimum permissions required—ideally, only search. Remove all unnecessary permissions[3][5].
  • Limit the key to specific indices whenever possible, rather than using a global key that accesses all data[2][4].
  • Algolia allows you to generate secured API keys with embedded restrictions (scope, filters, rate limits, and expiration) for even finer control[2][4][5].

3. Use HTTP Referrer and Rate Limits

  • Restrict API key use to specific HTTP referrers (your web domains) so the key is only valid on your site[1].
  • Note: While HTTP referrer restrictions can help, they can be spoofed and are only a partial safeguard.
  • Apply sensible rate limits to keys to minimize abuse if they are leaked[1][4].

4. Store and Distribute Keys Securely during Development

  • Never hard-code any API keys directly in your source code, even for frontend-only keys; use environment variables or build tools to inject them as needed during deployment[7][8][10].
  • Avoid committing any keys to your code repository (even in development), as this risks permanent exposure[8][10].

5. Monitor Key Usage and Rotate Regularly

  • Monitor requests made with your keys for unusual or unauthorized activity and set up alerts for anomalies[1][7].
  • Rotate (regenerate) your public API keys at least annually—or immediately if you suspect a leak[1][7][8].

6. Use Secure Proxy or Backend when Possible

  • If your data is highly sensitive, do not expose any key (even search-only) on the client. Instead, create a backend endpoint (a proxy) that holds the API key securely and relays requests from the client. This ensures the key is never visible to users or attackers[7][9].
  • This setup is strongly recommended if you want to enforce authentication, user-level filtering, or hide all API keys from the browser.

7. Use Secrets Management for Sensitive Keys

  • Store sensitive keys (like Admin or write-access keys) in secure secrets management solutions (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) and never expose them to the client[8][9].

Summary Table

Best Practice | Details/Actions
Use Only Search-Only Keys | Never expose Admin/write keys; restrict public keys to search permissions
Enforce Scope/Restrictions | Limit accessible indices, use secured API keys for granular restrictions
Referrer/Rate Limits | Bind keys to domains and set limits to reduce misuse risk
Avoid Hardcoding/Exposure | Use environment variables/build tools; never commit keys to source repos
Monitor & Rotate | Watch for suspicious use; rotate keys regularly
Backend Proxy Option | For sensitive data, use a backend to keep all keys private
Secrets Management | Store sensitive keys in vaults or secret managers, not in source/code

Key Takeaways

  • Never expose sensitive Algolia API keys (Admin/write-access) on the client—use only strictly limited, search-only keys with strong restrictions[1][2][5][10].
  • Harden exposed keys by scoping access, using referer restrictions, rate limits, and monitoring[1][2][4].
  • Proactively manage keys: rotate, audit, and use secure storage and distribution methods[1][7][8][10].

Following these practices will significantly reduce the risk of unauthorized data access and incidents from exposed Algolia API keys.


Verify Algolia API Key Exposure

We’re injecting process.env.ALGOLIA_API_KEY into the client bundle. Please confirm the following before shipping:

  • It is strictly a search-only key (no write/admin permissions).
  • Permissions are scoped to only the indices your frontend needs.
  • You’ve applied HTTP referrer restrictions or generated a secured API key with embedded filters/rate limits.
  • You’re monitoring usage and have a key-rotation policy in place.

If your use case ever requires more than pure search, or you need to enforce user-level access, route requests through a backend proxy so no key appears in the browser.
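
The key checks requested in the review above can be run as a build-time guard before the key is inlined into the client bundle. This is an added example, not code from the PR or from @alauda/doom: the function names are hypothetical, the sample keys are constructed, and the field names (acl, indexes, referers, maxQueriesPerIPPerHour) are assumed to follow Algolia's API-key object, so verify them against the current API reference.

```javascript
// Only this permission is acceptable for a key shipped to browsers.
const CLIENT_SAFE_ACL = new Set(['search'])

// Index restrictions may use "*" as a wildcard (for example "docs_*").
function matchesIndex(pattern, indexName) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*')
  return new RegExp(`^${escaped}$`).test(indexName)
}

// Errors block the build; warnings flag missing hardening on a search-only key.
function auditClientKey(keyInfo, indexName) {
  const errors = []
  const warnings = []

  const acl = Array.isArray(keyInfo.acl) ? keyInfo.acl : []
  const extra = acl.filter((perm) => !CLIENT_SAFE_ACL.has(perm))
  if (acl.length === 0) {
    errors.push('no ACL reported; cannot confirm the key is search-only')
  } else if (extra.length > 0) {
    errors.push(`non-search permissions: ${extra.join(', ')}`)
  }

  const indexes = keyInfo.indexes ?? []
  if (indexes.length === 0) {
    warnings.push('key is valid for every index in the application')
  } else if (!indexes.some((p) => matchesIndex(p, indexName))) {
    errors.push(`key is not scoped to index "${indexName}"`)
  }

  if ((keyInfo.referers ?? []).length === 0) {
    warnings.push('no HTTP referrer restriction')
  }
  if (!keyInfo.maxQueriesPerIPPerHour) {
    warnings.push('no per-IP rate limit')
  }
  return { ok: errors.length === 0, errors, warnings }
}

// Call this before the ALGOLIA_* values are defined for the client bundle.
function assertClientKeySafe(keyInfo, indexName) {
  const result = auditClientKey(keyInfo, indexName)
  if (!result.ok) {
    throw new Error(`Refusing to inline Algolia key: ${result.errors.join('; ')}`)
  }
  return result.warnings
}

// Constructed key descriptions (not real keys).
const SCOPED_SEARCH_KEY = {
  acl: ['search'],
  indexes: ['docs_*'],
  referers: ['https://docs.example.com/*'],
  maxQueriesPerIPPerHour: 1000,
}
const BROAD_SEARCH_KEY = { acl: ['search'], indexes: [], referers: [], maxQueriesPerIPPerHour: 0 }
const WRITE_KEY = { acl: ['search', 'addObject', 'editSettings'], indexes: ['docs_*'] }

for (const [name, key] of Object.entries({ SCOPED_SEARCH_KEY, BROAD_SEARCH_KEY, WRITE_KEY })) {
  console.log(name, JSON.stringify(auditClientKey(key, 'docs_en')))
}
```

The key description has to be fetched with a credential that is allowed to read key metadata, which belongs in CI secrets and never in the bundle.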

Copilot AI left a comment

Pull Request Overview

This PR adds support for Algolia-powered search by introducing a new search component, CLI flag, and configuration options, and wiring them into the build process.

  • Added an --algolia CLI flag and corresponding types for Algolia credentials
  • Conditionally render the Algolia search component in the theme
  • Inject Algolia environment variables into the bundler via DefinePlugin

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.

File | Description
theme/index.ts | Re-export theme entry point
src/types.ts | Add algolia boolean flag and AlgoliaOptions type
src/theme.tsx | Conditionally switch between default and Algolia search
src/cli/load-config.ts | Destructure algolia, define plugin when enabled
src/cli/index.ts | Add -a, --algolia CLI option
package.json | Export theme, bump dependencies
doom.config.yml | Add themeConfig block and algolia placeholders
docs/public/Robots.txt | Add Algolia crawler verification comment
.changeset/witty-carrots-repair.md | Record minor update for Algolia feature

@JounQin JounQin merged commit 8b3cd58 into main May 29, 2025
16 checks passed
@JounQin JounQin deleted the feat/algolia branch May 29, 2025 10:25
github-actions bot pushed a commit that referenced this pull request May 29, 2025