feat(api-docs): swap RapiDoc for Scalar (actively maintained)

Per @SamTV12345's review on #7757: RapiDoc has been effectively
unmaintained for a while. Scalar (https://github.com/scalar/scalar)
is MIT-licensed, actively developed, and ships a self-contained
standalone bundle that works the same way for our purposes.

Privacy posture is preserved by configuring the embed:
  - withDefaultFonts: false   (no fonts.scalar.com woff2 fetch)
  - telemetry: false          (defensive)
  - agent.disabled: true      (no api.scalar.com/vector/* calls)
  - mcp.disabled:   true      (no MCP integration)
  - showDeveloperTools: 'never'
  - hideClientButton: true

Verified with headless Chromium: page loads /api-docs, mounts Scalar,
renders the Etherpad OpenAPI document, and makes zero requests to
any host other than localhost.

Vendor:
  - src/static/vendor/scalar/standalone.js     (@scalar/api-reference 1.57.2)
  - src/static/vendor/scalar/VERSION           (sha256 pinned)
  - src/static/vendor/scalar/LICENSE           (MIT)
Removed:
  - src/static/vendor/rapidoc/*

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: JohnMcLear

CHANGELOG.md

@@ -7,7 +7,7 @@
 ### Notable enhancements
 
 - **Privacy — drop swagger-ui telemetry, document phone-homes, add opt-outs.**
-  - Dropped `swagger-ui-express` because upstream injects a Scarf analytics pixel that cannot be disabled at install or runtime (see [swagger-api/swagger-ui#10573](https://github.com/swagger-api/swagger-ui/issues/10573)). `/api-docs` now serves a vendored copy of [RapiDoc](https://rapidocweb.com/) (MIT) with `load-fonts="false"` and explicit system-font stacks so no Google Fonts request is made either.
+  - Dropped `swagger-ui-express` because upstream injects a Scarf analytics pixel that cannot be disabled at install or runtime (see [swagger-api/swagger-ui#10573](https://github.com/swagger-api/swagger-ui/issues/10573)). `/api-docs` now serves a vendored copy of [Scalar](https://github.com/scalar/scalar) (MIT) configured with `withDefaultFonts: false` and `telemetry: false` so no outbound calls are made.
   - New `privacy.updateCheck` (default `true`) — set to `false` to disable the hourly `UpdateCheck.ts` request to `${updateServer}/info.json`.
   - New `privacy.pluginCatalog` (default `true`) — set to `false` to disable the admin plugins page fetch of `${updateServer}/plugins.json`. CLI install-by-name still works.
   - New [`PRIVACY.md`](PRIVACY.md) at repo root documenting both outbound calls, what they send, and how to turn each off.

PRIVACY.md

@@ -41,10 +41,10 @@ No analytics, no usage pings, no third-party SDKs at runtime.
 `swagger-ui-express` was dropped because the upstream npm package
 injects a Scarf analytics pixel that cannot be disabled at install or
 runtime (see [swagger-api/swagger-ui#10573](https://github.com/swagger-api/swagger-ui/issues/10573)).
-`/api-docs` is now served by a vendored copy of [RapiDoc](https://rapidocweb.com/)
-(MIT) with no outbound calls. The shell explicitly opts out of RapiDoc's
-default Google-Fonts fetch by setting `load-fonts="false"` and explicit
-system-font stacks.
+`/api-docs` is now served by a vendored copy of [Scalar](https://github.com/scalar/scalar)
+(MIT) with no outbound calls. The shell explicitly opts out of Scalar's
+default font fetch (`withDefaultFonts: false`) and analytics
+(`telemetry: false`), and pins a system-font stack via CSS.
 
 `@scarf/scarf` is listed under `ignoredBuiltDependencies` in
 `pnpm-workspace.yaml`, so its postinstall pixel is suppressed even if a

src/static/api-docs.html

@@ -5,27 +5,29 @@
     <title>Etherpad API</title>
     <meta name="viewport" content="width=device-width, initial-scale=1" />
     <meta name="referrer" content="no-referrer" />
-    <script type="module" src="/static/vendor/rapidoc/rapidoc-min.js"></script>
     <style>
       html, body { margin: 0; padding: 0; height: 100%; }
-      rapi-doc { height: 100vh; }
-      /* RapiDoc ships @font-face rules pointing at fonts.gstatic.com.
-         Override every font-family rule that mentions Open Sans so the
-         browser never fetches the woff2 from Google. */
-      rapi-doc::part(label-input), rapi-doc { font-family: system-ui, -apple-system, sans-serif !important; }
+      /* Scalar ships @font-face rules pointing at fonts.scalar.com.
+         withDefaultFonts:false disables that import; the rule below
+         forces a system-font stack so nothing fetches over the wire. */
+      :root, .scalar-app, body { font-family: system-ui, -apple-system, sans-serif !important; }
     </style>
   </head>
   <body>
-    <rapi-doc
-      spec-url="/api-docs.json"
-      theme="light"
-      render-style="read"
-      show-header="false"
-      allow-server-selection="false"
-      allow-authentication="true"
-      regular-font="system-ui, -apple-system, sans-serif"
-      mono-font="ui-monospace, SFMono-Regular, monospace"
-      load-fonts="false"
-    ></rapi-doc>
+    <div id="app"></div>
+    <script src="/static/vendor/scalar/standalone.js"></script>
+    <script>
+      Scalar.createApiReference('#app', {
+        url: '/api-docs.json',
+        theme: 'default',
+        layout: 'modern',
+        hideClientButton: true,
+        showDeveloperTools: 'never',
+        withDefaultFonts: false,
+        telemetry: false,
+        agent: { disabled: true },
+        mcp: { disabled: true }
+      });
+    </script>
   </body>
 </html>

src/static/vendor/rapidoc/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023-present Scalar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

src/static/vendor/rapidoc/VERSION

@@ -0,0 +1,3 @@
+@scalar/api-reference 1.57.2 (standalone bundle) - vendored 2026-05-16
+source: https://cdn.jsdelivr.net/npm/@scalar/api-reference@1.57.2/dist/browser/standalone.js
+sha256: 538bea0c451ae72ca26242244491a35b3bee4e1ba282f0076f454a68b83788e5