111 Commits

Author	SHA1	Message	Date
Bilal Godil	e131ef0e53	Merge remote-tracking branch 'origin/dev' into fix/config-parsing-rde-error ... # Conflicts: # docs-mintlify/guides/getting-started/setup.mdx # docs-mintlify/snippets/home-prompt-island.jsx	2026-06-05 15:21:05 -07:00
Bilal Godil	d748f38b3a	fix(rde): address review feedback on config load + import detection ... - config-file: capture the raw jiti error for diagnostics instead of attaching it as `cause`. The dashboard error formatter (errorToNiceString -> nicify) renders `Error.cause` recursively, which would leak the underlying framework stack back into the user-facing message. - config-rendering: add `@hexclave/tanstack-start` to CONFIG_IMPORT_PACKAGES so projects that only depend on it render `@hexclave/tanstack-start/config` instead of falling back to `@hexclave/js/config` (a missing-module TS error).	2026-06-04 16:41:41 -07:00
Konsti Wohlwend	bc45117777	Support local dashboard in remote SSH and GH Codespaces (#1538)	2026-06-04 16:36:17 -07:00
Bilal Godil	6a01e2507a	fix(rde): graceful config load errors + lightweight /config import path ... The local dashboard evaluates a project's hexclave.config.ts in a plain Node context via jiti. When a config imported a value (e.g. defineStackConfig) from a framework package like @stackframe/stack / @hexclave/next, jiti executed the whole SDK (React, server-only, Next internals) and threw, surfacing only as "Failed to register development environment session (500)". - Catch jiti load failures in readConfigFile and rethrow a helpful message that points at the lightweight import path. - Add a side-effect-free `./config` subpath to the framework packages (@hexclave/{js,next,react,tanstack-start}/config) that re-exports defineHexclaveConfig/defineStackConfig + the HexclaveConfig type from @hexclave/shared/config, with no framework runtime. Users directly depend on these packages, so the subpath resolves under pnpm strict mode (unlike the transitive @hexclave/shared/config). - Point the setup prompt, hand-written docs (docs-mintlify), and the renderer that auto-writes config files at the new `<pkg>/config` path. Legacy @stackframe/* packages predate the subpath, so they keep their root import. Existing config files that import from a package root are upgraded to the /config path on their next dashboard/CLI sync.	2026-06-04 15:05:59 -07:00
BilalG1	c14a9dd3d0	feat(hexclave): PR 5 — internal symbol/path/package renames + brand strings (#1547) ... ## Stack Auth → Hexclave rename — PR 5 (internal symbols, paths, packages, brand strings) PR 5 finishes the **internal / non-wire** half of the Stack→Hexclave rename. It only touches things where nothing outside the repo depends on the exact name: internal symbols, file/dir names, the `@stackframe/template` package, and residual brand strings. Plan + progress are in `HEXCLAVE-RENAME-PR5-PLAN.md`. Every step was verified green (`pnpm typecheck` + `pnpm lint`, 28/28) and committed as its own checkpoint, then a fan-out of review agents audited all commits and the findings were fixed. ### What changed - **Internal symbols** (`@hexclave/shared`, `packages/template`, apps): `stack*`/`Stack*` → `hexclave*`/`Hexclave*` — incl. `stackGlobalsSymbol`, the `_Stack*AppImpl` classes, `stackAppInternalsSymbol`, `StackContext`, `getStackStripe`, etc. The `stack*App` local-variable convention (`stackServerApp`/`stackClientApp`/…) was renamed across 175 source/example/doc files. - **File renames**: `hexclave-handler/provider/context.tsx`, `backend/hexclave.tsx`, `internal-tool/hexclave.ts`, `hexclave-app-internals.ts`. - **Directory renames**: `lib/hexclave-app`, `hexclave-companion`, `[...hexclave]` route segment, `skills/hexclave`, `dashboard/src/hexclave`, and the package dirs **`packages/{next,shared,ui,sc,cli}`** (dropping the `stack-` prefix to match the `@hexclave/*` npm names). - **Packages**: `@stackframe/template` → `@hexclave/template`; **deleted `packages/init-stack`** (onboarding lives in `@hexclave/cli init`; the published npm package is untouched). - **Brand strings**: reworded `Stack Auth`/`Stack dashboard` prose in code + docs-mintlify, renamed `hexclave-app.mdx`/`use-hexclave-app.mdx` with redirects, regenerated OpenAPI, updated coupled e2e assertions; `doctor`/`init` now prefer `hexclave.config.ts`. ### Intentionally kept (verified, not oversights) Wire/compat identifiers (`x-stack-*` headers, `stack-*` cookies, `STACK_*` env names, `*.stack-auth.com`, `stackauth_`, `ask_stack_auth`, query params), public `Stack*` SDK aliases, crypto/JWT/vault domain-separation tags, `*-brand-sentinel`s, the `Symbol.for("StackAuth--…")` string, `_stack_sync_metadata`, Postgres `stackframe` / docker image names, the `stack-auth-logo*.svg` (used by the rebrand modal), and `migration.mdx` / "formerly known as Stack Auth" notes. False positives (Phosphor `StackIcon`/`StackSimple`, `TanStack`, `OrbStack`, `stackable`/`Stacked` charts) left alone. ### Review pass Six review agents audited all commits. Found + fixed one real bug — a build script (`bundle-type-definitions.ts`) hardcoded the old `lib/stack-app` glob path (not an import, so typecheck/lint were blind), silently emptying the dashboard AI type bundle — plus stale comments, a dead CI env var, and stale `.gitignore`/`.dockerignore` entries. Cross-cutting audit confirmed **zero wire-compat identifiers were accidentally renamed**. ### ⚠️ Verification note `typecheck` + `lint` are fully green locally. The **e2e suite was not run** (needs a live backend+DB), so the brand-string assertion + OpenAPI-regen changes are verified by grep/codegen only — please let CI exercise e2e to confirm. ### Base-branch note This branch was forked from the local-only `cl/friendly-lewin-72293f` (not on origin, no separate PR), so this PR against `dev` also carries that branch's ~11 preceding Hexclave-rename commits (config-file rename, env-var dual-read, AI setup-prompt rebrand). If those should land separately, re-parent before merge. <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Finishes the internal Stack Auth → Hexclave rename and cleans up remaining stragglers, including dev-tool and prompt copy. All changes are internal-only; public/wire APIs remain unchanged. Re-merged `dev` and resolved the payments create-purchase-url conflict. - **Refactors** - Internal symbols: stack*/Stack* → hexclave*/Hexclave* (e.g., `getHexclaveServerApp` via `@/hexclave`, `getHexclaveStripe`, `hexclaveAppInternalsSymbol`, `hexclaveSchemaInfo`, Prisma `__hexclave_*`, `data-hexclave-handler-page`, Stripe mock `hexclavePortPrefix`). - Files/dirs: moved to `lib/hexclave-app`; handler route `[...hexclave]`; backend entry `src/hexclave.tsx`; dashboard internals `hexclave-app-internals`; companion `hexclave-companion`; dropped `stack-` prefix across package dirs (`packages/{shared,ui,sc,cli,next}`); workflows/emulator paths now `packages/cli`; Quetzal codegen env at `packages/next/.env.local`. - Packages/docs: `@stackframe/template` → `@hexclave/template`; removed `packages/init-stack`; regenerated OpenAPI and updated docs slugs/redirects for hexclave-app/use-hexclave-app. - Brand strings/prompts: reworded remaining “Stack” dashboard strings to Hexclave; updated dev-tool copy and prompts; `doctor/init` now prefer `hexclave.config.ts`. Kept all wire-compat identifiers and public aliases (`x-stack-*`, `stack-*` cookies, `STACK_*` env, `*.stack-auth.com`, `Stack*` SDK names). - Rebased/merged onto latest `dev`: retained `@hexclave/template`, kept `src` in published files, refreshed setup-prompt imports and docs JSON, adopted 1.0.5 version bumps, and re-merged `dev` again (resolved `create-purchase-url` with `getHexclaveStripe`). - **Bug Fixes** - Restored dashboard AI type bundle by pointing the glob to `packages/template/src/lib/hexclave-app`. - Addressed rename leftovers: updated lingering `@/stack` imports and CSS selector, fixed schema/meta and port-prefix expansions, and aligned emulator commands to `packages/cli`. - CI/build: removed a dead env var and stale ignore entries; fixed Docker by renaming `STACK_SKIP_TEMPLATE_GENERATION` → `HEXCLAVE_SKIP_TEMPLATE_GENERATION`. <sup>Written for commit 3c1af3bff3. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/hexclave/hexclave/pull/1547?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a> <!-- End of auto-generated description by cubic. -->	2026-06-03 18:57:09 -07:00
BilalG1	501ae9fe61	PR 4: Rename Stack -> Hexclave: examples config module, app-internal symbols, crypto docs (#1534) ... ## What Continues the **Stack Auth → Hexclave** rename for a set of safe, internal-only surfaces. This intentionally avoids public-contract names. ### Changes - **Examples** — renamed the user-facing config module `stack.ts`/`stack.tsx` (and the `convex` / `lovable` `stack/` directories) to `hexclave`, and updated every importer across `.ts`/`.tsx`/`.jsx`. The public `app/handler/[...stack]/` route segment is left unchanged. - **apps/{dashboard,backend,internal-tool}** — renamed app-local SDK-init symbols `stackClientApp → hexclaveClientApp` and `getStackServerApp → getHexclaveServerApp`, and the dashboard `StackCompanion` component → `HexclaveCompanion` (incl. `useStackCompanion`, context types). The public `StackClientApp`/`StackServerApp` SDK classes are **unchanged**. - **packages/stack-shared** — added comments to the crypto / JWT / vault `stack-*` literals documenting that they must **not** be renamed (key derivation / JWKS / KMS-alias stability). The literals are byte-identical. ### Deliberately excluded - **`STACK_*` → `HEXCLAVE_*` env-var rename** — `HEXCLAVE_*` already resolves via the dual-read layers (SDK env, dashboard `_inlineEnvVars`, `getEnvVariable`). The remaining holdout is the docker post-build sentinel path, which the codebase authors explicitly deferred and which is tightly coupled to `entrypoint.sh` + untestable here. A blind rename there risks silently breaking self-host/emulator bootstrap for ~zero functional gain. - **All public-contract names** — SDK class names, env vars, HTTP headers (`x-stack-*`), and the `/handler` route convention. ## Verification - `pnpm lint` — **29/29 passing**. - `pnpm typecheck` — **28/29 passing**; the only failure is `@hexclave/docs` (pre-existing missing fumadocs `.source` codegen, untouched by this PR). - Two rounds of adversarial multi-agent review; findings fixed: string-literal collateral from the symbol sweep (CLI test fixtures + an AI-prompt template) reverted, and a missed `.jsx` importer in `examples/cjs-test` corrected. ## Notes - Based on a `dev` snapshot from when the branch was cut (a couple commits behind tip); the diff contains only the changes above. <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Complete the internal “Stack” → “Hexclave” rename across examples, app-local code, config tooling, and setup docs, and standardize env output to HEXCLAVE_* with correct default API URL handling. Public SDK classes, handler routes, and legacy env names keep working. - **Refactors** - Examples/config: `stack.*` files and `stack/` dirs → `hexclave.*`/`hexclave/`; imports updated; keep `app/handler/[...stack]` route. - Apps: backend/dashboard/internal-tool now use `getHexclaveServerApp` and `hexclaveClientApp`; dashboard `StackCompanion` → `HexclaveCompanion`. Public `StackClientApp`/`StackServerApp` unchanged. - Env/setup: Next.js and CLI generators write HEXCLAVE_* and omit API URL when using https://api.stack-auth.com; CLI `doctor` and auth resolution prefer HEXCLAVE_* (e.g. `HEXCLAVE_SECRET_SERVER_KEY`, `HEXCLAVE_PROJECT_ID`) with `STACK_*` fallback. - Config tooling: `stack-config-file` → `hexclave-config-file`, emitting `HexclaveConfig`; imports updated across backend/dashboard/tooling. - Shared/docs: added “do not rename” notes for crypto/JWT/vault `stack-*` literals; regenerated setup prompt/docs to use `hexclave.config.ts`, `hexclave dev`, and `src/hexclave/`. - Tests: updated snapshots/assertions to expect `HexclaveConfig` and HEXCLAVE_* env names. - **Migration** - No action required. SDK and CLI read both HEXCLAVE_* and STACK_*. <sup>Written for commit 8a891b4f6c. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/hexclave/hexclave/pull/1534?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a> <!-- End of auto-generated description by cubic. --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Refactor** * Renamed internal app/client/server instances and companion/provider components to the new product name across backend, dashboard, examples, and tooling; imports updated accordingly. * Updated generated environment variable names and CLI init/doctor outputs to prefer the new product prefix. * **Documentation** * Added clarifying notes about vault/encryption and JWT/key labels to avoid breaking existing encrypted data. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-06-03 12:09:20 -07:00
Konsti Wohlwend	bfd15f07d1	Improve development environment loopback error message (#1526)	2026-06-02 15:40:45 -07:00
Konsti Wohlwend	9fa3a19920	Fix Docker builds for pnpm v11 (#1532)	2026-06-02 14:41:18 -07:00
Konstantin Wohlwend	97bb65cc33	Fix config overrides for RDEs	2026-06-01 14:51:47 -07:00
BilalG1	011d7d751d	Fix stale e2e CLI + RDE config tests (emulator removal & hexclave rename) (#1528) ... ## What Fixes the 9 failing tests in the E2E (Local Emulator) job — 2 test files, both stale after recent refactors that renamed source but missed the tests. ### `apps/e2e/tests/general/cli.test.ts` (6 failures) The `stack emulator` command was removed in #1522 (which also reworded its auth errors from "local emulator" → "development environment"), but the e2e tests were never updated: - Updated two error-string assertions: - `"Local emulator publishable client key not found"` → `"Development environment publishable client key not found"` - `"Cannot reach local emulator"` → `"Cannot reach development environment"` - Removed the dead `"Stack CLI — Emulator"` describe block (4 tests for the deleted `emulator pull/start/stop/list-releases` subcommands) and the now-unused `CLI_SRC_BIN` const. ### `apps/dashboard/src/lib/remote-development-environment/config-file.test.ts` (3 failures) Leftover `@stackframe/*` names from the `@hexclave` rename: - Fixture imports `@stackframe/stack-shared/config` → `@hexclave/shared/config` (the `defineStackConfig` / `defineHexclaveConfig` cases were failing with `Cannot find module`). - Rendered-config snapshot type import `@stackframe/js` → `@hexclave/js`. ## Verification - `config-file.test.ts`: **7 passed**. - `cli.test.ts` against a live local backend: **69 passed / 4 skipped / 0 failed** (the 4 skips are environment-gated `it.runIf`/`it.skip`, not failures). - Reproduced both CLI error paths against the built CLI binary to confirm the new strings match exactly. - `lint` ✓ and `typecheck` ✓ for `@hexclave/e2e-tests` and `@hexclave/dashboard`. Only test files are changed — no production code. <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Fixes 9 failing E2E tests by updating CLI error messages and RDE config test imports after the emulator command removal and the `@hexclave` rename. Removes obsolete emulator CLI tests; no production code changed. - **Bug Fixes** - CLI: updated two error-string assertions to use “Development environment …” wording. - CLI: removed the obsolete “Stack CLI — Emulator” test block and the unused `CLI_SRC_BIN`. - Dashboard RDE config tests: replaced `@stackframe/stack-shared/config` with `@hexclave/shared/config`. - Snapshot import: `@stackframe/js` → `@hexclave/js`. <sup>Written for commit a887d7209b. Summary will update on new commits.</sup> <a href="https://cubic.dev/pr/hexclave/stack-auth/pull/1528?utm_source=github" target="_blank" rel="noopener noreferrer" data-no-image-dialog="true"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cubic.dev/buttons/review-in-cubic-dark.svg"><source media="(prefers-color-scheme: light)" srcset="https://cubic.dev/buttons/review-in-cubic-light.svg"><img alt="Review in cubic" src="https://cubic.dev/buttons/review-in-cubic-dark.svg"></picture></a> <!-- End of auto-generated description by cubic. --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Updated error messages to use "development environment" terminology instead of "emulator" references. * **Tests** * Adjusted test assertions and imports for consistency with updated terminology. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-06-01 14:31:01 -07:00
Konstantin Wohlwend	66242c9e63	Mark @stackframe packages as deprecated	2026-06-01 14:30:19 -07:00
BilalG1	609579abab	feat(hexclave): PR 3 — native @hexclave/* source rename + delete dual-publish wiring (#1482)	2026-05-29 15:21:59 -07:00
Konstantin Wohlwend	1ba69eb1fb	More tests for jiti RDE	2026-05-29 13:09:53 -07:00
Konstantin Wohlwend	70486596f0	Use jiti for RDE config parsing	2026-05-29 12:59:59 -07:00
BilalG1	57ff5d3ce9	feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public) (#1481) ... ## Summary **Stacked on [#1475](https://github.com/hexclave/stack-auth/pull/1475)** (`cl/hexclave-pr1`, the invisible compatibility layer). Diff vs that base = the actual PR 2 code. This is **PR 2 of the Stack Auth → Hexclave rebrand: the visible flip**. Old wire identifiers (cookies, request/response headers, Bearer prefix, JWT issuers, MCP tool name) keep working indefinitely via PR 1's dual-accept. This PR flips every user-visible surface — package names taught in docs, SDK class names in code examples, dashboard setup snippets, page titles, error messages, email content, CLI binary, default base URLs, GitHub repo slug, contributor guidance — to the Hexclave brand. See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 2: Rebrand to Hexclave (visible)"* for the full per-work-area spec. ## What's implemented (per the plan's PR 2 scope) - **SDK base URLs** flipped: `defaultBaseUrl` and `defaultAnalyticsBaseUrl` in [common.ts](packages/template/src/lib/stack-app/apps/implementations/common.ts:127) → `https://api.hexclave.com` / `https://r.hexclave.com`. PR 1's [`getHardcodedFallbackUrls`](packages/stack-shared/src/utils/urls.tsx:199) table now keys on the Hexclave domain. - **Domain inventory sweep** (16 subdomains from the plan): every `api/app/docs/discord/demo/mcp/skill/feedback/test/preview/r/api2/api.staging/idp-jwk-audience/built-with.stack-auth.com` reference in production code, docs-mintlify, examples, READMEs, and contributor guidance flipped to `*.hexclave.com`. Carve-outs: PR 1's intentional JWT issuer dual-accept table in [tokens.tsx](apps/backend/src/lib/tokens.tsx), the legacy `./docs/` folder, the `unified-docs-widget` allowlist (deliberately accepts both during DNS transition), and `url-targets.ts` hosted-component default (baked into existing customer deploys). - **`@deprecated` JSDoc** on every `Stack*` public export ([packages/template/src/lib/stack-app/index.ts](packages/template/src/lib/stack-app/index.ts) + [packages/template/src/index.ts](packages/template/src/index.ts)) — `StackClientApp`, `StackServerApp`, `StackAdminApp` + every constructor/options/JSON type, `StackHandler`, `StackProvider`, `StackTheme`, `useStackApp`, `defineStackConfig`, `StackConfig`. Hexclave\* aliases are now canonical. - **Runtime `console.warn`** ([packages/template/src/internal/deprecation-warning.ts](packages/template/src/internal/deprecation-warning.ts)) — once-per-process when the SDK is loaded from a `@stackframe/*` artifact. Detection uses the existing `STACK_COMPILE_TIME_CLIENT_PACKAGE_VERSION_SENTINEL` (rewritten at build time to e.g. `js @stackframe/stack@2.8.92` or `js @hexclave/next@1.0.0`); `@hexclave/*` mirror artifacts short-circuit the warning. - **Tier 3 data migration**: new idempotent SQL migration [`20260523000000_rename_internal_project_to_hexclave`](apps/backend/prisma/migrations/20260523000000_rename_internal_project_to_hexclave/migration.sql) — updates the internal Project `displayName` 'Stack Dashboard' → 'Hexclave Dashboard' and `description` only if both still hold the pre-rebrand defaults. Operator-renamed projects untouched, missing row no-ops, re-runs are no-ops. [`seed.ts`](apps/backend/prisma/seed.ts:87) default flipped. `getSharedEmailConfig("Stack Auth")` → `("Hexclave")`. - **Tier 4 brand strings** (mechanical sweep, ~340 files): - Page + OpenAPI titles (Hexclave API / Dashboard / REST API / Webhooks API / Documentation). OpenAPI `info.description` documents `X-Hexclave-*` headers as canonical with compat note on `X-Stack-*`. - `HexclaveAssertionError` message text ([errors.tsx:71](packages/stack-shared/src/utils/errors.tsx:71)) — "an error in Stack." → "an error in Hexclave." - Known-error message templates ([known-errors.tsx](packages/stack-shared/src/known-errors.tsx)) flipped to lead with `x-hexclave-*` + the new `docs.hexclave.com` URL; legacy `x-stack-*` mentioned as compat aliases. **25 e2e test files updated in lockstep**. - Email content: failed-emails-digest body, sendTestEmail recipient (now `sent-with-hexclave.com`), test-email-recipient default. - `CHANGELOG.md` title → "Hexclave Changelog". - `AGENTS.md` env var convention: new vars prefix `HEXCLAVE_` / `NEXT_PUBLIC_HEXCLAVE_` for Category A/B; legacy `STACK_*` explicitly noted as accepted via PR 1's dual-read. - **CLI / init wizard**: - Every dashboard setup snippet, init-stack template, and docs-mintlify page teaches `npx @hexclave/cli@latest init` (was `@stackframe/stack-cli`). [setup-page.tsx](apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/(overview)/setup-page.tsx) + [link-existing-onboarding](apps/dashboard/src/app/(main)/(protected)/(outside-dashboard)/new-project/page-client-parts/link-existing-onboarding.tsx). - [init-stack](packages/init-stack/src/index.ts:634) `STACK_*_INSTALL_PACKAGE_NAME_OVERRIDE` defaults flipped to `@hexclave/*`. - Generated `stack/client.ts` / `stack/server.ts` import from `@hexclave/next` and reference `HexclaveClientApp` / `HexclaveServerApp`. - Internal `StackAuthKeys` dashboard component renamed to `HexclaveKeys`. - **docs-mintlify rewrite** (legacy `./docs/` intentionally untouched per scoping decision): - **78 MDX files swept**. `@stackframe/{react,stack,js,tanstack-start,...}` → `@hexclave/{react,stack,js,...}` in install snippets and code blocks; `Stack*` SDK class names → `Hexclave*` in all code examples; 'Stack Auth' brand phrase → 'Hexclave'. - `openapi/{server,admin,client,webhooks}.json` titles → 'Hexclave REST API' / 'Hexclave Webhooks API'. - **Generators flipped before regeneration**: - [`packages/stack-shared/src/helpers/init-prompt.ts`](packages/stack-shared/src/helpers/init-prompt.ts), [`/ai/prompts.ts`](packages/stack-shared/src/ai/prompts.ts), [`apps/backend/src/lib/ai/prompts.ts`](apps/backend/src/lib/ai/prompts.ts), [`apps/backend/src/lib/ai/tools/create-email-{template,draft}.ts`](apps/backend/src/lib/ai/tools/create-email-template.ts), [`apps/skills/src/app/route.ts`](apps/skills/src/app/route.ts) (taught MCP tool → `ask_hexclave` with compat note; CLI binary teach → `hexclave`), [`docs-mintlify/snippets/home-prompt-island.jsx`](docs-mintlify/snippets/home-prompt-island.jsx), [`packages/template/README.md`](packages/template/README.md) + integrations/convex/component/README.md. - `generate-sdks` propagated changes to `packages/{react,stack,js}`. - **OpenAPI dual-documentation**: [`apps/backend/src/app/api/latest/route.ts`](apps/backend/src/app/api/latest/route.ts) now lists `X-Hexclave-*` headers as primary documented schemas with `X-Stack-*` duplicates marked `.optional()` (both accepted at runtime by PR 1's normalize-at-proxy shim). - **`@stackframe/emails` virtual module**: dual-aliased to `@hexclave/emails` at the bundler boundary ([email-rendering.tsx:89](apps/backend/src/lib/email-rendering.tsx:89)). Stored email templates continue to import from either name; new AI-generated templates and the system prompt teach `@hexclave/emails`. - **Tier 2 mirror-publish wiring** (new this PR, lays the groundwork for `@hexclave/*` first publish): - [`scripts/rewrite-packages-to-hexclave.ts`](scripts/rewrite-packages-to-hexclave.ts) — rewrites 9 publishable `@stackframe/*` → `@hexclave/*` `package.json` files (reads `HEXCLAVE_VERSION` env or `--version=` flag), pins cross-deps to the shared `@hexclave` version, registers `hexclave` bin alongside `stack` for `@hexclave/cli`. - [`.github/workflows/npm-publish.yaml`](.github/workflows/npm-publish.yaml) appended with rewrite-then-republish step. `pnpm publish` skips already-on-npm versions so reruns are safe. - **Sender email domain**: `noreply@stackframe.co` → `noreply@sent-with-hexclave.com` (the dedicated transactional-sender domain split per the plan, to isolate bulk deliverability from `hexclave.com` reputation); `security@` / `team@stack-auth.com` inbound mailboxes → `@hexclave.com`. - **Self-host docs**: docker network / container names in the bash examples flipped from `stack-auth` to `hexclave` (`hexclave-postgres`, `hexclave-clickhouse`, `hexclave.env`). The docker image tag `stackauth/server:latest` stays per the plan's locked decision. - **GitHub repo slug**: `hexclave/stack-auth` → `hexclave/hexclave` in every `package.json` `repository` field, README link, CHANGELOG raw-asset URL. ## Carve-outs (deliberately untouched) - **[`apps/backend/src/lib/tokens.tsx`](apps/backend/src/lib/tokens.tsx)** JWT issuer dual-accept table — PR 1 intentional infrastructure, kept indefinitely. - **Legacy `./docs/` folder** — per scoping decision (only `docs-mintlify/` rewritten). - **`unified-docs-widget` hostname allowlist** — accepts both `.hexclave.com` (canonical) and `.stack-auth.com` (transition window) for DNS rollout. - **`url-targets.ts`** hosted-domain default `.built-with-stack-auth.com` — wire identifier baked into existing customer deploys; indefinite read-fallback. - **Binary visual assets** (logos, favicons, OG images, README screenshots) — out of scope for this PR. Need design work; tracked separately. ## Verification - **`pnpm typecheck`** on `packages/{template,stack-shared,react,stack,js}` + `apps/dashboard`: **all green**. The remaining backend / e-commerce-demo typecheck errors are pre-existing (Prisma codegen output + `./generated/api-versions.json` not present in fresh worktrees without `pnpm run codegen-prisma` + a live DB) and unrelated to this diff. - **`pnpm lint`** on the same 6 packages: all green. - **Final grep** for residual `Stack Auth` / `stack-auth.com` / `@stackframe/stack-cli@latest` references: zero outside the intentional carve-outs above. - **25 e2e test files updated in lockstep** with the known-error message changes (asserted strings flipped to match the new x-hexclave-* + compat-note messages). ## Deploy blockers (ops sequencing before this rebrand goes live) This PR is code-complete, but the rebrand's visible surfaces (SDK default URLs, dashboard links, npm READMEs, REST error messages, runtime deprecation warning) all point at `*.hexclave.com` / `@hexclave/*` resources that don't exist yet. None of these are fixable from a PR — they're ops/registrar/npm work that has to be sequenced before merging this to a release tag. Suggested ordering, hardest blockers first: ### Tier 1 — required before customer-facing deploy (everything below this line *will visibly break customers on day 1* if skipped) 1. **DNS + TLS for `api.hexclave.com` + `api1./api2.hexclave.com`** → must point at the same backend that serves `api.stack-auth.com` (or a backend that mirrors PR 1's dual-accept). The SDK's new `defaultBaseUrl` is `https://api.hexclave.com`; every customer that relied on the old default and upgrades to a post-PR2 SDK build sends API requests here. Until this resolves, every default-config customer's API call NXDOMAINs. 2. **DNS for `app.hexclave.com`** → the dashboard. Referenced in the SDK's default-error messages ("Please create a project on the Hexclave dashboard at https://app.hexclave.com"), the init-stack flow's `wizard-congrats` redirect, and the OAuth dashboard handoff. 3. **DNS for `docs.hexclave.com`** + Mintlify deploy → the SDK runtime deprecation warning (`https://docs.hexclave.com/migration`), every README, every "Learn more" link in the dashboard, and every REST API error body (`/api/overview#authentication`) points here. The MDX is in this PR; the docs build target needs DNS. 4. **DNS for `mcp.hexclave.com`** → the MCP server endpoint that every taught agent integration (`claude mcp add ...`, `cursor`, `codex`, `vscode`) registers. Until this resolves, every `npx @hexclave/cli@latest init` MCP-registration step fails. 5. **Reserve the `@hexclave` npm scope + set repo variable `HEXCLAVE_VERSION`** → the mirror-publish step in `.github/workflows/npm-publish.yaml` is gated on this variable. Without it, the entire taught onboarding command `npx @hexclave/cli@latest init` 404s from the npm registry, *and* every README that says "install `@hexclave/next`" leads to install failure. Pick the initial version intentionally (`1.0.0` or aligned to `@stackframe/stack`); don't accept a silent default. ### Tier 2 — required before announcing the rebrand publicly (lookalike or low-traffic surfaces, but visibly broken) 6. **DNS for `r.hexclave.com`** → the analytics beacon `defaultAnalyticsBaseUrl`. Silent failure if missing (analytics drops), but should land alongside Tier 1. 7. **Register `sent-with-hexclave.com` + full email auth (SPF / DKIM / DMARC)** → the new default sender domain for shared-sender transactional emails. Without it the dashboard "send test email" path emits bounces, and shared-sender flows (`getSharedEmailConfig("Hexclave")`) deliver to spam at best. 8. **MX + SPF / DMARC for `hexclave.com`** → `team@hexclave.com` and `security@hexclave.com` mailboxes. The security disclosure mailbox is referenced in [`.github/SECURITY.md`](.github/SECURITY.md); `team@hexclave.com` is the actual recipient of internal feedback emails sent at runtime by [`apps/backend/src/lib/internal-feedback-emails.tsx`](apps/backend/src/lib/internal-feedback-emails.tsx). Today, every runtime feedback email bounces. 9. **DNS for `skill.hexclave.com`** → the canonical AI-agent skill fetch URL (the agent bootstrap pivot). Without it, the entire "agent downloads `SKILL.md` from a known URL" flow taught in [`packages/stack-shared/src/helpers/init-prompt.ts`](packages/stack-shared/src/helpers/init-prompt.ts) fails. 10. **Create `github.com/hexclave/hexclave` as a public repo** (even as a redirect to `hexclave/stack-auth`) **OR** rewrite every `package.json` `"repository"` field + dashboard footer "view on GitHub" link to point at `hexclave/stack-auth` (which already exists). Currently every npm package page's "Repository" link is dead, and the dashboard's GitHub button + dev-tool repo link are dead. ### Tier 3 — broken but low-visibility / low-traffic 11. **DNS for `discord.hexclave.com`** → Discord invite redirect, used in every README's chip and the dashboard footer. 12. **DNS for `demo.hexclave.com`** → "✨ Demo" badge in every npm package README. Broken-image badge on the package page. 13. **DNS + TLS for `built-with-hexclave.com`** → optional hosted-handler domain (the default reverted to `.built-with-stack-auth.com` in this PR's carve-outs, so this only matters for projects that manually flip). ## Other follow-ups (not deploy-blocking) - **E2E snapshot regen across the full suite** for the dual-emitted `x-hexclave-*` response headers (PR 1 follow-up; `vitest -u` in CI absorbs). - **Binary visual assets** — logos, favicons, OG images, README screenshots; need design pass. - **Backend OpenAPI fumadocs regen** in CI flow — the JSON files in `docs-mintlify/openapi/` are committed but regen runs in CI. Verify the workflow that does this still works against the post-PR2 source. - **Backend typecheck infra debt** — needs `codegen-prisma` + `codegen-route-info` to clear; pre-existing, unaffected by this PR. ## Test plan - [ ] CI runs full e2e suite (with `vitest -u` to absorb residual snapshot deltas, then committed back). - [ ] Spot-check: new `@hexclave/cli init` (once published) generates `hexclave.config.ts` and works against a fresh project. - [ ] Spot-check: existing customer with `@stackframe/stack` import sees the once-per-process `console.warn` recommending `@hexclave/next` on SDK init. - [ ] Manual: dashboard setup page renders the `npx @hexclave/cli@latest init` snippet and the `x-hexclave-publishable-client-key` API header in the curl example. - [ ] Manual: a fresh `pnpm run prisma migrate` against a clean DB sets the internal project displayName to 'Hexclave Dashboard'. --------- Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>	2026-05-26 19:18:20 -07:00
BilalG1	f7e389809e	feat(hexclave): PR 1 — wire compatibility layer (invisible) (#1475) ... ## Summary **Stacked on #1468** (`docs/hexclave-rename-plan` — the plan doc). Diff vs that base = the actual PR 1 code. This is **PR 1 of the Hexclave rebrand: the invisible compatibility layer**. Everything is additive. Old SDKs, old wire identifiers, and old env var names keep working unchanged. The backend dual-accepts and dual-emits; new SDK code emits `x-hexclave-*` headers and the `hexclave_` Bearer prefix; cookies dual-write; env vars dual-read across every category. **No user-visible rebranding lands here** — that's PR 2. See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 1 implementation guide"* for the full per-work-area spec, file pointers, and chosen approach. ## What's implemented (all 14 PR-1 work-areas) - **SDK export aliases** — `Hexclave*` aliases for the user-facing `Stack*` exports added in `packages/template`; codegen propagates them to `@stackframe/{js,stack,react,tanstack-start}`. React-only aliases correctly excluded from `@stackframe/js`. (`e60550a2`) - **JWT issuer dual-accept** — `decodeAccessToken` accepts both `api.stack-auth.com` and `api.hexclave.com` issuers. Signing unchanged. (`fc781def`) - **Request-header dual-accept** — backend + dashboard proxies normalize `x-hexclave-*` → `x-stack-*` at the existing empty proxy hook (so `smart-request.tsx` and every route schema keep working unchanged); CORS allowlists extended via a derive-once helper. (`2a056eac`) - **MCP `ask_hexclave`** — registered alongside `ask_stack_auth` via a shared helper; `ask_stack_auth` behavior byte-identical. (`30ffd604`) - **Dev-tool** — DOM ids + header emit switched. `window.HexclaveDevTool` exposed alongside `window.StackDevTool`. (`32131ea7`) - **The big consolidated commit** (`7fed864a`): - **Env vars** — central `getEnvVariable` prefix-transform (HEXCLAVE first, STACK fallback); dashboard + template client env files dual-read; `turbo.json` globalEnv; `NEXT_PUBLIC_STACK_PORT_PREFIX` renamed outright across ~82 files including docker. - **Cookies** — dual-write/dual-read auth (`stack-access`/`-refresh-*` and custom-domain variants), OAuth-state (`stack-oauth-{inner,outer}-*`), and low-risk cookies (`stack-is-https`, `stack-last-seen-changelog-version`). Bypass sites patched (backend OAuth callback, dashboard remote-dev auth route, impersonation snippets, snapshot serializer). - **Bearer prefix** — SDK token parser accepts both `stackauth_` and `hexclave_`; emits `hexclave_`. Discovery correction: this is purely SDK-internal — the backend never parses it. - **Response headers** — backend dual-emits `x-hexclave-{request-id,actual-status,known-error}`; SDKs dual-read (new first, stack fallback). - **SDK request-header emit switch** — `client/server/admin-interface.ts` + dashboard `api-headers.ts` + `internal-project-headers.ts` + `feedback-form.tsx` switched to `x-hexclave-*`. Plus `stack_response_mode` query param. - **Storage keys** — dev-tool / cli-auth / oauth-button / docs keys renamed (straight); `stack:session-replay:v1` dual-read so in-progress recordings survive SDK upgrades; `stack_mfa_attempt_code` dual-read. - **Query params** — cross-domain params dual-emit/dual-accept via shared helpers; backend `oauth/authorize` accepts `hexclave_response_mode` and `stack_response_mode`; `stack-init-id` renamed. - **`Symbol.for`** — app-internals symbol gets a parallel `Symbol.for("Hexclave--app-internals")` getter on each attach site (no read-site churn — old symbol still attached). 3 file-private symbols renamed outright. - **Config discovery** — prefer `hexclave.config.ts`, fall back to `stack.config.ts` at every discovery site (CLI / dashboard / backend / local-emulator); `init` writes the new filename; CLI credentials path migrates. - **Internal renames** — `StackAssertionError`, `StackClient/Server/AdminInterface` renamed outright (no alias, per the "internal-only → rename" rule). ~264 files touched. - **Review-pass fixes** (`21217fbe`) — three real bugs found by parallel review agents and fixed: - `snapshot-serializer.ts` was interpolating the whole `keyedCookieNamePrefixes` array (`${arr}`) — adding a second prefix would have corrupted **every** OAuth-cookie snapshot, not just new ones. - **Docker port-prefix producer/consumer mismatch** — `entrypoint.sh`/`run-emulator.sh`/cloud-init `user-data` were still producing `NEXT_PUBLIC_STACK_PORT_PREFIX` while the dashboard sentinel + consumers had been renamed; silent self-host regression (custom port prefix would be ignored). - **Missing `hexclave-oauth-inner-*` dual-write** in the OAuth authorize route — callback's fallback masked it but the dual-write was specified by the plan. - Plus: `mcp.test.ts` tool-list assertions updated to include `ask_hexclave`; two dashboard header-emit sites switched to `x-hexclave-*` for consistency. - **E2E snapshot serializer follow-up** (`4b16cc5d`) — `x-hexclave-request-id` added to the hidden-headers list (mirroring `x-stack-request-id` treatment), and 2 sample inline snapshots regenerated in `projects.test.ts` to include the new dual-emitted headers. ## Verification - **`pnpm typecheck`** — clean (the fresh-worktree `@/.source` / Prisma codegen gap in `stack-docs` is pre-existing and unrelated). - **`pnpm lint`** — 29/29 packages green. - **`pnpm exec turbo run build --filter=./packages/*`** — 13/13 packages build (including `@stackframe/stack-cli` once the dashboard standalone is present). - **Live E2E** against a running backend on `cl/hexclave-pr1`: - `pnpm test run apps/e2e/tests/backend/endpoints/api/v1/internal/mcp.test.ts` — **6/6 pass** (verifies the new `ask_hexclave` tool — the hand-written inline snapshot matched actual MCP server output). - `pnpm test run apps/e2e/tests/backend/endpoints/api/v1/internal/projects.test.ts` — **11/11 pass** (verifies wire dual-accept + dual-emit end-to-end; the snapshot serializer fix was found and applied during this check). A four-agent parallel **review pass** also audited the full diff for logic/runtime bugs across the work-areas (wire headers + JWT, cookies + bearer + symbols, env vars, query params + config + MCP + aliases). All in-slice review verdicts were ✓ except the three bugs listed above, which are now fixed. ## Known follow-ups (out of scope for this PR) - **E2E snapshots across the rest of the suite** — backend now dual-emits `x-hexclave-{known-error,actual-status}` alongside `x-stack-*`, which legitimately appears in inline snapshots throughout `apps/e2e`. Two were regenerated here as a sample; the rest should regen with `vitest -u` in CI. - **Docker shell env vars beyond `PORT_PREFIX`** — `entrypoint.sh` still reads `STACK_*` env vars directly (the JS-side `getEnvVariable` transform doesn't help the shell). JS consumers dual-read so it works in practice; full shell-level dual-read is a deeper self-host follow-up. - **`@stackframe/stack-cli` build ordering** — pre-existing; needs `build:rde-standalone` first. Not affected by this PR. ## Test plan - [ ] CI runs full e2e suite (with `vitest -u` to absorb dual-emit snapshot deltas, then committed back) - [ ] Spot-check: an old SDK build (emitting only `x-stack-*`) still authenticates against the new backend - [ ] Spot-check: a new SDK (emitting `x-hexclave-*` / `Bearer hexclave_*`) still authenticates against an old backend during deploy ordering - [ ] Manual: `npx @stackframe/stack-cli@latest init` (new onboarding entrypoint) generates `hexclave.config.ts` - [ ] Manual: existing `stack.config.ts`-only project still resolves (no migration required) --------- Co-authored-by: bilal <bilal@stack-auth.com>	2026-05-23 17:24:55 -07:00
BilalG1	b8fc04bdbd	feat: link Stack Auth projects to GitHub and push config from the dashboard (#1450) ... End-to-end flow for managing Stack Auth config via GitHub: link a repo during onboarding, edit settings in the dashboard, and have the change committed to your repo + synced back via a GitHub Actions workflow.  ## What this adds - **CLI** — `stack config push --source github --source-repo --source-path --source-workflow-path`. Records the source on the config row so the dashboard knows where the file lives. Reads `GITHUB_SHA` / `GITHUB_REF_NAME` for commit + branch. - **Onboarding "Link existing project"** — searchable repo/branch comboboxes, auto-detects candidate `stack.config.{ts,js}` paths, writes `STACK_AUTH_PROJECT_ID` + `STACK_AUTH_SECRET_SERVER_KEY` secrets, and commits a generated workflow YAML that re-runs `stack config push` on every change to the config file. - **Dashboard "Push to GitHub" dialog** — replaces the prior TODO buttons. Pre-flights `repo`+`workflow` scopes on the user's GitHub connection; if missing, the button flips to "Reconnect with GitHub". On push, commits the dashboard's edit straight to the linked repo/branch via the Contents API (with `cache: "no-store"` to dodge GitHub's 60s GET cache so consecutive pushes don't 409). Suspense boundary scoped to the dialog body so opening it doesn't blank the dashboard. - **Project settings** — surface the linked workflow file as a clickable GitHub link when the source carries `workflow_path`. ## Test plan - `pnpm lint` (29/29) ✓ - `pnpm typecheck` (29/29) ✓ - `pnpm --filter @stackframe/stack-cli test` (111/111) ✓ - Dashboard vitest on the three relevant files (`link-existing-onboarding-workflow`, `github-api`, `github-config-push`) — 37/37 ✓ - Live end-to-end: `BilalG1/lex-lookup` linked to a local dev project; passkey toggled, push committed `0bb958bd` ([commit](0bb958bda3)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Persist workflow file paths for GitHub-backed config sync * Dashboard “Push” flow to commit config updates with trimmed/default commit messages * CLI options to declare GitHub source (repo/path/workflow) and persist selectable package runner for manual pushes * Show workflow-file link in project configuration when present * **Improvements** * Robust config-path normalization, existence checks, debounced repo/branch search, and better GitHub rate-limit handling * New GitHub API utilities for safe file read/commit and import-package detection * **Tests** * Expanded tests covering GitHub API, config rendering/merge, and push behaviors <!-- review_stack_entry_start --> [](https://app.coderabbit.ai/change-stack/hexclave/stack-auth/pull/1450?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack) <!-- review_stack_entry_end --> <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-05-21 13:47:46 -07:00
Konsti Wohlwend	2c620aa208	Show enabled alpha apps in sidebar and app store (#1449)	2026-05-20 11:07:49 -07:00
Konsti Wohlwend	29cea48beb	Remote dev envs (#1435)	2026-05-19 15:54:18 -07:00
Armaan Jain	b526e3b367	Project transfer page redesign (#1309) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Reusable transfer confirmation UI with clear loading, success, and error states. * Neon-specific transfer flow added, guiding sign-in, account switching, or accepting transfers. * Custom integration transfer flow with streamlined confirm/check behavior. * Improved transfer sign-up redirect so users return to the correct page after auth. * **Bug Fixes** * Consistent messaging for missing/invalid/expired transfer codes. * Safer widget “Reload” handling when reset may be unavailable. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --- ## Summary Redesigns the **custom integration** project-transfer confirmation page (`/integrations/custom/projects/transfer/confirm`) onto the new design-components system (`DesignCard` + `DesignAlert` + `DesignButton` + `DesignInput`). The presentational shell is extracted into a reusable `ProjectTransferConfirmView` so the route file only handles state + API calls. The legacy Neon transfer page is split out unchanged into its own client component to keep the existing Neon × Stack co-branded UI intact. --- ## Screenshots — before and after > Captured against `http://localhost:8101` at 1280×900. Dev-only overlays (outdated-version banner, console toast, DEV badge) are hidden via injected CSS for clarity. ### Custom integration — missing transfer code Visiting `/integrations/custom/projects/transfer/confirm` with no `?code=…` query param. | Before (`dev`) | After (this PR) | | --- | --- | |  |  | |  |  | Before was a raw `"Error: No transfer code provided."` line. After is a dedicated `DesignAlert` with an explanation and recovery instructions. ### Custom integration — invalid / expired code (check endpoint fails) | Before (`dev`) | After (this PR) | | --- | --- | |  |  | |  |  | Before showed the raw backend error string (`Request validation failed on POST …`). After uses a `DesignCard` with the `ArrowsLeftRightIcon`, a friendlier "This transfer can't continue" copy in an inline `DesignAlert`, the Stack Auth logomark in the actions slot, and an explicit **Close** button to dismiss. ### Neon integration — legacy UI preserved The Neon page (`/integrations/neon/projects/transfer/confirm`) was deliberately **not** redesigned — it still uses the Neon × Stack co-branded card so partner-facing copy/branding stay identical. It's now its own client component (`neon-transfer-confirm-page.tsx`) instead of sharing the redesigned one. | Before (`dev`) | After (this PR) | | --- | --- | |  |  | |  |  | Same shell on both sides — copy was tightened slightly ("Return to your Neon dashboard and start the transfer again") and the raw API error string is gone. --- ## What changed - **New** `apps/dashboard/src/components/project-transfer-confirm-view.tsx` — purely presentational `ProjectTransferConfirmView`. Owns the design-components shell, the loading spinner, the signed-in vs signed-out branches of the success state (with `DesignInput` + "Use a different account" button), and the error / missing-code alerts. - **New** `apps/dashboard/src/app/(main)/integrations/neon-transfer-confirm-page.tsx` — extraction of the legacy Neon UI (Neon logo, Stack logo, "Project transfer" header, Card / CardContent / CardFooter). Behaviour and copy match the previous `transfer-confirm-page` exactly when `type === "neon"`. - **Rewritten** `apps/dashboard/src/app/(main)/integrations/transfer-confirm-page.tsx` — now hard-coded to the `custom` integration (no more `type` prop), defers UI to `ProjectTransferConfirmView`, and exports a `TransferConfirmMissingCodeView` used by the route when `code` is absent from the URL. - **Route plumbing** - `app/(main)/integrations/custom/projects/transfer/confirm/page.tsx` — renders the redesigned flow, falls back to `TransferConfirmMissingCodeView` when `code` is missing. - `app/(main)/integrations/neon/projects/transfer/confirm/page.tsx` — points at the new dedicated Neon client component. - **New** `apps/dashboard/src/lib/stack-app-internals.ts` — consolidates the symbol-keyed `getStackAppInternals(app)` helper (and `stackAppInternalsSymbol`) into one module with a JSDoc explainer + runtime type guard, replacing scattered `as any` casts. - **New** `apps/dashboard/src/lib/transfer-utils.ts` — `buildTransferSignUpUrl()` helper so the route file + the view stay in sync on the `/handler/signup?after_auth_return_to=…` query construction. --- ## Bot review follow-ups addressed in this PR - **Fail-loud assertions for unset handlers** in the success state of `ProjectTransferConfirmView` (`StackAssertionError` instead of silent no-op). - **SSR safety:** moved every `window.location` read into client-only handlers / `useEffect`s — the page was previously evaluating it at module load. - **Friendly error fallback** when the backend `/check` endpoint throws — replaces the raw `KnownError<…>` message with "This transfer link is invalid, has expired, or has already been used. Open the original link from the partner or integrations dashboard, or start the transfer again." - **`runAsynchronouslyWithAlert`** around every async `onClick` (Transfer, Sign in, Switch account, Close) so unhandled rejections surface to the user. - **JSX entity bug fix:** `&apos;` was a string-attribute literal, not a JSX expression — converted to a JSX expression so it renders as `'`. - **`window.close()` removal** in error state — replaced with a Close button that resets local state, so users on a fresh tab (no opener) aren't stuck. - **`getStackAppInternals` consolidated** — previously three independent copies (here + two in `projects/page-client.tsx`). Now one helper with a runtime type guard instead of `as any`, plus a comment explaining the symbol-keyed SDK escape hatch. - **Widget-playground reset:** the original change here turned out to duplicate a deliberate prior fix on `dev` (N2D4, `e68015909d "Fix lint"`). Reverted in `fe92689eb` so we don't fight that fix. --- ## Notes for reviewers - **Start with** `components/project-transfer-confirm-view.tsx`. Everything reviewer-interesting is in the props shape (`ProjectTransferConfirmUiState` union, `onPrimary` / `onCancel` / `onSwitchAccount` callbacks). The route file just wires those to the `getStackAppInternals(app).sendRequest(...)` calls. - **The Neon page was intentionally not migrated.** Partner-facing co-branding (Neon logo × Stack logo, "Neon would like to transfer…" copy) is unchanged — flag it if you think it should be brought onto design-components too, but the goal of this PR was only the custom flow. - **API surface is unchanged** — same `/integrations/custom/projects/transfer/confirm/check` and `/integrations/custom/projects/transfer/confirm` endpoints, same request bodies, same redirect to `/projects/{project_id}` on success. - **Success state isn't in the screenshots** because reproducing it locally needs a real transfer code (the `/check` endpoint validates the code against the DB). It uses the same `DesignCard` shell with either a `DesignInput` showing the receiving account + a "Use a different account" outline button (signed-in branch), or a `DesignAlert variant="info"` prompting sign-in (signed-out branch). Worth manually testing on a real transfer before merging. ## Test plan - [ ] Visit `/integrations/custom/projects/transfer/confirm` with no `code` → renders the "transfer link is incomplete" alert (screenshots above) - [ ] Visit `/integrations/custom/projects/transfer/confirm?code=invalid` → renders the redesigned card with the friendly error inside a `DesignAlert variant="error"` and a working Close button - [ ] Trigger a real custom-integration transfer end to end → loading spinner, success state, "Accept transfer" works while signed in, "Sign in" deep-links to `/handler/signup?after_auth_return_to=…` while signed out - [ ] Visit `/integrations/neon/projects/transfer/confirm?code=…` → unchanged legacy Neon × Stack co-branded card - [ ] Light + dark mode visual sanity (screenshots above are the canonical reference) --------- Co-authored-by: Aadesh Kheria <kheriaaadesh@gmail.com> Co-authored-by: aadesh18 <110230993+aadesh18@users.noreply.github.com>	2026-05-15 16:59:51 -07:00
Mantra	c808e23b7d	Data-grid overhaul + session-replays / team-payments dashboard surfaces (#1424) ... ## Summary Refactors the dashboard data-grid into a smaller, URL-state-aware primitive and lands several new dashboard surfaces around it: per-user session replays, team-level analytics and payments, and pagination for permission definitions. Also moves session replays out from under `/analytics` to a top-level surface and adds a `project_user.last_active_at` index that the new weekly-active metrics depend on. **Base:** `dev` → **Head:** `refactor/data-grid-and-dashboard-surfaces` **Scope:** 91 files, +5,644 / −1,858. Assets in [this gist](https://gist.github.com/mantrakp04/01bf8db4c71ec7a119b73d6ee60717a7). ## Screenshots Captured from a local dev server (dashboard at `:8101`, dummy project seeded with 26 users). Standard viewport **1920×1200**, widescreen **2560×1440**. ### Users list — data-grid overhaul in context | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### User detail — new session-replays card + weekly metrics | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Session replays — moved out of `/analytics` | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Project permissions — new pagination | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Other migrated surfaces | Page | Light | Dark | | --- | --- | --- | | Project picker |  |  | | Overview / setup |  |  | | Teams list |  |  | | Team permissions |  |  | | API keys |  |  | ### Scroll behaviour — new data-grid on the users list | Light | Dark | | --- | --- | |  |  | ## What's new - **`packages/dashboard-ui-components/src/components/data-grid`** — rewritten. Trimmed `data-grid.tsx` from ~1.7k LOC, split sizing logic into `data-grid-sizing.ts`, added `use-url-state.ts` for URL-synced state, and added `data-grid.test.tsx`. - **Session replays** moved from `…/analytics/replays` to `…/session-replays` (top-level surface). New `user-session-replays.tsx` card on the user detail page; new internal `route.tsx` to feed it. - **Teams** detail page gains `team-analytics.tsx` and `team-payments.tsx`. - **Permissions** — new shared `permission-definitions-pagination.ts` consumed by both project and team permission CRUD routes. - **Backend** — Prisma migration `add_project_user_last_active_at_idx` + a `lastActiveAt` index that backs the new weekly-active metrics. - **Polish** — `editable-input`, `inline-save-discard`, `settings.tsx`, walkthrough steps, and several data-table components touched in line with the data-grid rewrite. ## Notes for reviewers - The data-grid rewrite changes the *shape* of state (now URL-synced), not just internals. Consumers in `apps/dashboard/src/components/data-table/*` were updated to match — please scan those for any missed knobs. - The `analytics/replays` → `session-replays` rename is git-tracked as renames; diffs should be small in those files. - New SDK surface in `packages/template/src/lib/stack-app/session-replays/index.ts` and additions in `admin-app-impl.ts` / `server-app-impl.ts` mean OpenAPI specs (`docs-mintlify/openapi/{admin,client}.json`) regenerate; the diff is mostly mechanical. ## Test plan - [ ] `pnpm typecheck` clean - [ ] `pnpm lint` clean - [ ] Data-grid unit tests pass (`packages/dashboard-ui-components`) - [ ] Manual: users list — column resize, sort, filter, paginate; URL state reflects each change and survives reload - [ ] Manual: user detail — session-replays card lists replays; weekly-metrics card renders without `lastActiveAt` index migration applied (i.e. on a fresh DB) and after applying it - [ ] Manual: project + team permissions — pagination cursor advances and stays consistent under search - [ ] Manual: session-replays top-level page loads; old `/analytics/replays/...` URL path is no longer expected to be linked anywhere <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Session Replays app (embedded mode, search, sorting, share links) * Tabbed Team pages with Team Analytics and Team Payments dashboards * Server-backed cursor pagination, debounced search, and infinite-scroll for teams/users/permissions * **UX** * Permission and member tables refresh after edits; permission creation triggers table refresh * Users list supports sorting by last-active * **Performance** * Index added to speed ProjectUser last-active queries * **Documentation** * API/SDK docs updated for pagination and new query params * Contributor guidance: explicit git-safety rules added (no destructive git ops without consent) * **Tests** * Added e2e tests for pagination and filtering on list endpoints <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-05-15 14:16:47 -07:00
Madison	2cf0f6f981	[Apps] Adding support app alpha and dogfooding (#1368) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Support app: inbox UI to create, view, reply, and manage conversations (status, priority, assignee, tags, internal notes). * Dashboard pages: Conversations and Support Settings; feedback can create managed conversations. * Public/internal APIs for listing, creating, updating, and fetching conversation details; client-side helpers. * **SLA** * Configurable first/next response targets, urgency classification, and timing logic. * **Data** * New conversation persistence (conversations, entry points, messages) and migration tests; preserves conversations on user/team deletion and anonymizes sender data. * **Tests** * Unit, migration, and end-to-end tests added. * **Documentation** * Updated docs describing conversation model and workflow rules. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 11:36:11 -05:00
Mantra	68ae6d1f1c	[codex] Add TanStack Start SDK integration (#1399) ... ## Summary - Adds the generated `@stackframe/tanstack-start` workspace package registration. - Adds TanStack Start platform macros/dependencies to the SDK template and generator. - Adds TanStack Start cookie/token-store support plus the handler SSR guard needed by Start. ## Scope This intentionally excludes Dashboard V2 routes, hooks, components, app shell logic, and dashboard API type additions. Those stay in the existing dashboard PR/branch. ## Validation - `pnpm install --lockfile-only --ignore-scripts` - `pnpm install --ignore-scripts` - `pnpm -C packages/template lint src/components-page/stack-handler-client.tsx src/lib/cookie.ts src/lib/stack-app/apps/implementations/client-app-impl.ts` Package typecheck was attempted with `pnpm -C packages/template typecheck`, but the clean worktree lacks generated package declaration outputs for workspace dependencies such as `@stackframe/stack-shared` and `@stackframe/stack-ui`. Per repo instructions, package builds/codegen are not run by agents. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * TanStack Start integration: published SDK package, example demo app, dashboard onboarding flow, framework-aware CTAs/docs, and a TanStack-specific provider for client-only auth routes. * Improved client/server auth: safer runtime guards and consistent cookie/token-store behavior across SSR and client. * **Documentation** * New Integrations guide and expanded getting-started/setup docs with TanStack Start examples and env/key guidance. * **Chores** * Template, build, tooling, and demo config updates to support the new platform. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-05-08 10:59:16 -07:00
Madison	185bddec9e	[Dashboard] Redefine the user page with tabs and updated UI (#1351) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Tabbed user profile with Activity (30-day analytics, KPIs, daily chart, top lists, recent events), Payments (transactions, subscriptions, product/item balances) and an activity heatmap sidebar. * New internal user-activity API and admin-facing activity hook; admin API client can fetch per-user activity. * **UI/UX Improvements** * Unified menus, cards and tables; inline editable user details with accept/revert; metadata editor validates JSON; country-code input has draft editing; tabs support optional icons. * **API** * Transactions endpoint and admin transaction queries now support optional customer-scoped filtering. * **Tests** * End-to-end coverage for the user-activity endpoint. <!-- end of auto-generated comment: release notes by coderabbit.ai --> <img width="1326" height="752" alt="image" src="https://github.com/user-attachments/assets/97c04dca-db59-4357-98b1-8eae5a7a3673" /> <img width="1142" height="251" alt="image" src="https://github.com/user-attachments/assets/e1aa44fc-0d7e-436d-90a5-c7cb15155e24" /> <img width="1170" height="1125" alt="image" src="https://github.com/user-attachments/assets/bf6659fd-a9b5-4ae6-a13d-dab9956ad650" />	2026-05-05 17:09:09 -05:00
Mantra	65d87a4836	Dashboard: DataGrid refactor + layout (stacked on overview-revamp) (#1338) ... ## Summary Stacked on `overview-revamp` (now rebased against `dev`). Introduces a first-class `DataGrid` component in `@stackframe/dashboard-ui-components`, migrates every dashboard table off the legacy `DesignDataTable` / hand-rolled `<Table>` pattern to it, and ships a matching dashboard design guide. Since the last writeup the `DataGrid` runtime has been substantially rewritten: the virtualizer now supports `rowHeight="auto"` with `estimatedRowHeight`, every column can opt into `cellOverflow: "wrap"`, the toolbar + header stick under a configurable `stickyTop`, and the seeded dummy data has been fleshed out so the migrated surfaces render with realistic density. The AI-analytics prompt was also extended with full schema docs for the auth / team / email / payments tables so natural-language queries produce better SQL. **Base:** `dev` → **Head:** `ui-fixes-minor` **Scope:** 39 files, ~+6.5k / -2.4k ## Screenshots Captured against the seeded Demo Project on the local dashboard (`admin@example.com` via mock GitHub OAuth). Viewport: **1920×1200** (standard) and **2560×1440** (widescreen). Assets hosted in [this gist](https://gist.github.com/mantrakp04/2fe05ddbb2d2d7cd2d237027c909c1b9). ### Overview — revamped metrics + line chart | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Users — DataGrid with seeded rows | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Transactions — new DataGridToolbar + sticky chrome | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Teams | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Email Outbox | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Payments — Customers | Light | Dark | | --- | --- | |  |  | Widescreen: | Light | Dark | | --- | --- | |  |  | ### Sticky behaviour — scrolled views Grids scrolled down ~600px. The page header is still pinned, and the `DataGrid` toolbar + column header row stay put under it (backdrop-blur + `stickyTop` offset) while the virtualized body rows scroll past. Compare the scrolled view against the top-of-page view above. | Page | Light | Dark | | --- | --- | --- | | Users |  |  | | Teams |  |  | | Transactions |  |  | | Payments Customers |  |  | | Email Outbox |  |  | | Analytics Tables |  |  | ### Other migrated surfaces | Page | Light | Dark | | --- | --- | --- | | Analytics Tables |  |  | | Emails |  |  | | Email Sent |  |  | | Domains |  |  | | Webhooks |  |  | | External DB Sync |  |  | ## What's new ### `DataGrid` in `@stackframe/dashboard-ui-components` A new, fully-typed, fully-controlled grid component under `packages/dashboard-ui-components/src/components/data-grid/`. Single source of truth for tabular UI across the dashboard. Package files: - `data-grid.tsx` — main grid renderer (virtualized rows, sticky toolbar + header) - `data-grid-toolbar.tsx` — built-in toolbar (search, columns, density, export) - `data-grid-sizing.ts` — column width / flex / min-width resolution - `state.ts` — state helpers (`createDefaultDataGridState`, sort / select / paginate utilities, `exportToCsv`, date formatters) - `strings.ts` — i18n string table + `resolveDataGridStrings` - `types.ts` — public types (`DataGridColumnDef`, `DataGridProps`, `DataGridState`, `DataGridDataSource`, etc.) - `use-data-source.ts` — `useDataSource` hook with `client` / `server` / `infinite` modes - `index.ts` — package entrypoint Features: - Controlled state (`state` + `onChange`) covering sorting, pagination, column visibility, column widths, column pinning, selection, date-display mode, and quick search. - Column definitions with `string` / `number` / `date` / `dateTime` / `boolean` / `singleSelect` / `custom` types, custom `renderCell`, custom sort comparators, per-column `parseValue` / `dateFormat`, pinning, align, flex / min / max width. - **Cell overflow control** — new `cellOverflow: "truncate" | "wrap"` per column. `"wrap"` + `rowHeight="auto"` lets rows grow to fit multi-line content. - **Dynamic row heights** — `rowHeight` now accepts `"auto"` with an `estimatedRowHeight` hint for the virtualizer, eliminating scroll-position jank while rows are still being measured. - **Sticky chrome with `stickyTop`** — the toolbar and header stick under a caller-provided offset (matching the page header height) with a proper blur backdrop. See the _Sticky behaviour — scrolled views_ section above for the visual. - Client-side sort + quick-search + pagination via `useDataSource` — consumer never pre-sorts / paginates. - Server-side and async-generator data sources for streaming / cursor pagination. - Paginated and infinite-scroll UI modes. - CSV export + clipboard copy. - Row single / multi selection with shift-range anchor. - Row + cell click / double-click callbacks. - Pluggable toolbar / footer / empty / loading states and i18n strings. ### Dashboard design guide New `apps/dashboard/DESIGN-GUIDE.md`: prescriptive, AI-readable source of truth for dashboard UI. Documents when to use each `design-components` primitive, the `DataGrid` canonical pattern, color / typography / spacing / motion rules, route-specific guidance, and the migration priority. Now also documents the new `cellOverflow` and dynamic-`rowHeight` patterns, and marks `DesignDataTable` as deprecated in favor of `DataGrid` + `useDataSource` + `createDefaultDataGridState`. ### Overview page revamp `apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/(overview)/line-chart.tsx` — line chart rewritten on top of the shared `AnalyticsChart` / `DonutChartDisplay` primitives, feeding the revamped Overview. ### Data-table migrations Every shared table under `apps/dashboard/src/components/data-table/` has been rewritten on top of `DataGrid`: - `api-key-table.tsx` - `payment-product-table.tsx` - `permission-table.tsx` - `team-member-search-table.tsx` - `team-member-table.tsx` - `team-search-table.tsx` - `team-table.tsx` - `transaction-table.tsx` — now also wires in `DataGridToolbar` with search / column visibility - `user-search-picker.tsx` - `user-table.tsx` — extracted `USER_TABLE_COLUMNS` for readability / reuse ### Page adoption Page-level tables migrated to `DataGrid` (or the new `useDataSource` + `createDefaultDataGridState` pattern): - `(overview)/line-chart.tsx` - `analytics/tables/query-data-grid.tsx` (now with sticky header) - `domains/page-client.tsx` - `email-drafts/[draftId]/page-client.tsx` - `email-outbox/page-client.tsx` (with `DataGridToolbar`) - `email-sent/page-client.tsx`, `grouped-email-table.tsx`, `sent-emails-view.tsx` - `emails/page-client.tsx` - `external-db-sync/page-client.tsx` - `payments/layout.tsx`, `payments/customers/page-client.tsx`, `payments/products/[productId]/page-client.tsx` - `users/[userId]/page-client.tsx` - `webhooks/page-client.tsx`, `webhooks/[endpointId]/page-client.tsx` - `design-language/page-client.tsx`, `design-language/realistic-demo/page-client.tsx` - `playground/page-client.tsx` ### Backend & supporting changes - `apps/backend/src/lib/ai/prompts.ts` — extends the AI-analytics prompt with detailed schema docs for `contact_channels`, `teams`, `team_member_profiles`, `team_permissions`, `team_invitations`, `email_outboxes`, `project_permissions`, `notification_preferences`, `refresh_tokens`, and `connected_accounts`, so natural-language queries have richer context to compile against. - `apps/backend/src/lib/seed-dummy-data.ts` — additional OAuth providers on seed users, improving dummy-data coverage for the migrated tables (visible on the Users grid). - `apps/dashboard/src/app/globals.css` — adds `--data-grid-sticky-top` token used to derive the grid's sticky offset under the page header. - `packages/template/src/dev-tool/dev-tool-core.ts` — persist the "closed" state when the user closes the dev-tool panel so it doesn't reopen on next load. ## Notes for reviewers - Rebased onto latest `dev`; conflict in `api-key-table.tsx` resolved by keeping the `DataGrid` implementation (consistent with the other migrated tables). - `DesignDataTable` is still in the codebase but marked deprecated in the design guide — new code must use `DataGrid`. - `DataGrid` is fully controlled: consumers must pass state + onChange, must feed `rows` from `useDataSource` (never raw arrays), and must define columns outside the component or via `useMemo`. The guide's §4.12 spells this out. - `rowHeight="auto"` is opt-in; the default fixed-height virtualization path is unchanged and remains the fast path for dense, single-line grids (users, transactions, etc.). - Screenshots are JPEG this round — the local capture tooling's PNG path was producing blank frames, so the new set is `.jpg` end-to-end. Same viewports, same seeded project. ## Test plan - [ ] `pnpm lint` passes - [ ] `pnpm typecheck` passes - [ ] Load the dashboard and verify every migrated surface renders, sorts, searches, paginates, and handles row-click navigation: - [ ] Overview (line chart + donut metrics) - [ ] Users list + user detail (teams, sessions, permissions, API keys) - [ ] Teams list + team detail (members, permissions) - [ ] Domains - [ ] Emails, email-sent, email-outbox, email-drafts - [ ] Webhooks list + endpoint detail - [ ] Payments customers, product detail, transactions (new toolbar) - [ ] External DB sync - [ ] Analytics query table (sticky header) - [ ] Verify infinite-scroll surfaces (domains, etc.) load additional rows on scroll - [ ] Verify sticky header stays below the page header in light and dark themes - [ ] Verify CSV export produces correct output on a representative table - [ ] Verify column resize, visibility toggle, and sort work across themes - [ ] Verify `cellOverflow: "wrap"` rows grow to fit when `rowHeight="auto"` and clip when `rowHeight` is numeric - [ ] Spot-check AI analytics queries against the new schema context (contact_channels, teams, email_outboxes, …) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Unified table components across dashboard with improved infinite pagination and quick search. * **Improvements** * Enhanced table performance with sticky headers and better row height handling. * Improved sorting, filtering, and data loading with consistent state management. * Better visual consistency across all data grids and table layouts. * **UI/Styling** * Refined table styling for better text truncation and content wrapping. * Optimized layout spacing and alignment across dashboard tables. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Developing-Gamer <maxcodes11110@gmail.com> Co-authored-by: Armaan Jain <84474476+Developing-Gamer@users.noreply.github.com> Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>	2026-04-27 13:50:24 -07:00
Konstantin Wohlwend	22ae47fe73	Replace Cmd with Ctrl on Windows computers	2026-04-17 17:04:30 -07:00
Armaan Jain	94dd22c1c5	Overview revamp (#1238)	2026-04-15 09:36:00 -07:00
aadesh18	8aa80ceb2c	AI in Stack Companion (#1297) ... This PR puts the ask ai functionality into the ai stack companion, along with persistent history. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * "Ask AI" chat sidebar with streaming assistant responses, progressive word-by-word reveal, auto-scroll, Enter-to-send and Arrow-key navigation, "Thinking…" and error indicators * Chat UI primitives: inline/code blocks, smart links, copy-to-clipboard for code/URLs, and expandable tool-result cards with copyable outputs * **Bug Fixes** * Prevented button/menu clicks inside list items from bubbling to parent row handlers * **Refactor** * Chat rendering, streaming, parsing, and UI helpers consolidated into a shared module and integrated into the sidebar widget <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com>	2026-04-13 18:40:32 +00:00
aadesh18	a0710f8807	fixed delete bug and removed console statements (#1313)	2026-04-08 17:14:30 -07:00
BilalG1	4f99c469fe	stack auth preview mode (#1307) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Preview mode: sandboxed experience with mock projects, placeholder data, and disabled external integrations (payments, webhooks, email rendering, session replays). * One-click preview project creation and automatic preview sign-in for quick access. * **New Features — Walkthrough** * Interactive guided walkthroughs with spotlight, animated cursor, step-driven navigation, and targeted element hooks. * **Style** * UI/UX adjustments for preview: theme behavior, conditional banners/alerts, informational alerts, and walkthrough attributes added across pages. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-04-08 16:57:42 -07:00
Konstantin Wohlwend	9b1284dc9e	Fraud Protection sub-app	2026-04-05 21:35:01 -07:00
Konstantin Wohlwend	87705fbeae	Separate Users and Trusted Domains from Authentication app	2026-04-03 10:14:52 -07:00
Mantra	cfa6204c2d	Replace Web3Forms with internal feedback emails (#1244) ... ## Summary - replace the dashboard feedback form's Web3Forms submission with an authenticated internal backend endpoint - send support and feature-request notifications through Stack Auth's native internal email pipeline - share internal project auth headers in the dashboard and add backend E2E coverage for support feedback ## Testing - pnpm typecheck - pnpm lint -- "src/components/feedback-form.tsx" "src/components/stack-companion/feature-request-board.tsx" <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Internal feedback submission endpoint with automated internal email notifications * New internal email builder and sending utility; recipient list configurable via env * **Enhancements** * Feedback form requires sign-in, disables submit when unauthenticated, and tightens validation * Centralized header helper for authenticated internal requests * Feature request board gates actions for signed-out users and improves upvote/submit reliability * Runtime retrieval/validation of the feature-tracking API key and streamlined user handling * **Tests** * End-to-end tests covering internal feedback flows, validation, and email delivery <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-03-23 17:07:37 -07:00
Mantra	e59a70783e	Turnstile integration for fraud protection (#1239) ... Enhances sign-up process with Turnstile integration for fraud protection. Builds on top of fraud-protection-temp-emails. Made with [Cursor](https://cursor.com) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Cloudflare Turnstile bot-protection across signup/sign-in flows (including SDK JSON mode). * Email deliverability checks via Emailable. * Sign-up risk scoring with persisted risk metrics and country code tracking. * UI: country-code selector, risk-score editing in user details, users list refresh button, and Turnstile signup demo pages. * **Bug Fixes** * Use actual sign-up timestamp for reporting/metrics. * **Documentation** * Expanded knowledge base on Turnstile, risk scoring, and env configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com> Co-authored-by: BilalG1 <bg2002@gmail.com> Co-authored-by: Armaan Jain <84474476+Developing-Gamer@users.noreply.github.com> Co-authored-by: nams1570 <amanganapathy@gmail.com>	2026-03-20 21:26:45 +00:00
aadesh18	8267ebce35	Custom dashboards and unified ai no playground (#1243) ... This PR implements unified AI endpoint and custom dashboards. **Unified AI Endpoint** We now use a single endpoint throughout the codebase that makes the call to openrouter. Specifically, email drafts, email templates, email themes, wysiwyg, cmd centre ai search and docs ai, all use this unified ai endpoint. All the tools are defined in the backend, all the prompts exist in the backend. How to review this PR for unified ai endpoint: This PR will be easier to review if we look at the different folders that were affected. under packages - We added streaming functionality, and made renaming changes under docs - there are three files that have changed package.json - we updated the package (we were previously using a very old version of the package) route.ts - we changed the call from a direct call to openrouter to the unified ai endpoint ai-chat.tsx - because of updating the package, we had to make changes to adapt to the latest versions of the package under backend route.ts - the main unified ai endpoint. this endpoint uses various support files forward.ts - this is the forward to production functionality models.ts - consists of the models, and the rules for selecting those models prompts.ts - consists of the base prompt + specific system prompts depending upon the usage schema.ts every single file under ai/tools folder - which as the name suggests, consists of the implementations of the different tools that can be provided to the llm route-handlers - added support for streaming to SmartRoute and response under dashboard ai-search/route.ts - refactored the file to use unified ai endpoint chat-adapters.ts - refactored the file to use unified ai endpoint and created extra checks for the ai generated code **Custom Dashboards** We let the user write their query in english. We then use AI to create dashboards that are interactive, live and savable. This PR includes a new package called dashboard-ui-components. This package has components that are used in the dashboard and more importantly, these components are being imported from esm in the ai generated code for custom dashboards. We also change the bar at the top for the products pages. How to review this PR: Review the new package (package/dashboard-ui-components), the setup and the files inside it. Review the schema changes in stack-shared/src Review the changes in dashboard. The following changes have been made Updated the design-components folder since we moved the dashboard components to the new package Updated imports for these components accordingly Updated the title bar of the product pages Created the files for custom dashboards under the dashboards folder and components under commands/create-dashboard Created a script under dashboard/scripts that generates the file with type definitions that would go to the llm Review the backend Started using unified ai endpoint <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added custom dashboards feature allowing users to create and manage personalized dashboards with AI assistance. * Integrated AI-assisted dashboard code generation with visual preview and editing capabilities. * Introduced new AI query endpoints supporting stream and generate modes with configurable model quality/speed settings. * **Improvements** * Reorganized UI components into a dedicated component library package for better code reuse. * Enhanced chat architecture with improved message handling and tool integration. * Updated AI provider integration with improved configuration management. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Konsti Wohlwend <n2d4xc@gmail.com> Co-authored-by: Bilal Godil <bg2002@gmail.com> Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-03-13 20:24:40 +00:00
Aman Ganapathy	485fa9d623	[Refactor][Feat][Fix] Rework Email Section With New Sent Page, Better Drafts Page, and Settings Page (#1221) ... ### Context We didn't have an easy place for a user to see their domain statistics and track their sent emails, either overall or by draft. Additionally, there was scope creep with the sidebar, where we were supporting more pages. Our emails landing page was also rather confusing, especially toggling/ working with different email server types. So, we decide to add a "sent" page, to track email logs and email statistics, as well as let users temporarily override their sending limits if need be. Additionally, a user may want to see a particular email in more detail: what stage is it in? How did it proceed through time? How can I pause the sending of this email or change the scheduled time or edit the code? We allow for that to happen. ### Summary of Changes #### New Pages 1. **Sent Page:** A Domain Reputation card lets you track how many of your sent emails were bounced or marked as spam as well as how much capacity you have left. We also provide a temporary override, where you can use up to 4 times your capacity for a limited period of time. Additionally, we provide an email log that lets you see the recently sent emails. You can also toggle this view from a "list all emails" to "group by template/draft" which shows stats for each template/draft id (i.e a bar showing how many emails were sent, are pending, were marked as spam, were bounced etc, and the total number of emails sent with that template or draft). Clicking on an email in the list all view takes you to the "email-viewer" endpoint for that email (see below). Clicking on a template/draft in the group by view takes you to a page where you can see the statistics for that template/draft in more detail (the "send" stage view for that template/draft, as referenced below). 2. **Settings Page:** This is a new page we created because the old "emails" landing page wasn't doing its job. This page is to track all the email settings. Currently, we put in 2 sections. A "theme settings" card where users can see their active theme and click on a button to be navigated to the themes page. This is necessary as we remove themes from the sidebar. The other section is a card for email server and domain configuration - you can change your server type and adjust the settings or send a test email. It's cleaner and less noisy. 3. **Drafts Page**: There are a lot of changes here. On the landing page, we actually separate out the drafts into "active drafts" and "draft history" because drafts are meant to be fire-and-forget, not reusable. We also add the functionality to create a draft from a template. This was tricky to manage because templates rely on template variables which sent to the backend along with the code and injected during render time. We deal with this by having AI rewrite the template source code to remove any references to template variables and to make the draft standalone. The drafts page has been separated into a stepper-controlled multi stage process: draft->recipients->schedule->sent. Sent is a read only view that shows you the statistics of the emails sent using that draft, as mentioned earlier. You can also see the sent view of a historical draft. You can also bulk pause/cancel any unsent emails from the sent view of the drafts. 4. **Sidebar Updates**: The email sidebar now doesn't show "themes" or "emails" (the old landing page), but it does show "settings" and "sent", and the default landing page for emails is "sent". 5. **Email Viewer**: When you click on an individual email, you get navigated here. This has a timeline showing the progress of the email on the right, and some optional info for the user that's toggleable on the right bottom, while having either a preview of the email if it's sent or a way to edit it. You can also change the scheduledAt date of an email if it hasn't already been sent. #### Bug Fixes 1. **Search in `TeamMemberSearchTable`**: This was broken. Every time you tried to enter or remove a character, it would trigger skeleton loading that overlapped the search bar too, preventing you from adding/removing more. This was caused because the `useUser` hook eventually ended up calling a `use` hook, which throws a promise that triggers a suspense. This, coupled with the fact that the implementation of `TeamMemberSearchTable` involved a prop-drilling/ dependency inversion approach to passing down its toolbar to a base table component, meant the suspense would cover the toolbar too and couldn't be scoped to just the table. A refactor has gotten rid of the need for those base components while fixing tables in `payments/customers`, `teams/team_id`, and `payments/transactions` on top of the existing use in email drafts recipients stage. We also dedupped some code. 2. **Stale draft fetches on draft landing page**: `useEmailDrafts` uses an asyncCache to cache the fetched drafts. It is used on the drafts landing page to render the drafts. When a draft is sent, its `sentAt` is marked versus when it is still active, it is marked as null. The cache was stale and so navigating to the landing page after firing off a draft would errorneously represent that draft as still active and indeed, even allow you to edit it and fire it again. This violated the principle of drafts being fire and forget. This has been dealt with by adding functionality to refresh the draft cache upon firing off a draft. #### Other Changes 1. We bumped up the base time for the exponential send attempt retry backoff in `email-queue-step` to 20 seconds. The previous base was two seconds, and this effectively just made it wait until the next iteration of the `email-queue-step` cron job or at most an iteration that wasn't too far away. When an outage with our provider happens, it may take a while for it to be resolved, so a longer backoff is justified 2. We transitioned the themes page and the templates page to using the new components, though deeper UI refactors for them were out of scope for this ticket. 3. We implement a "temporarily increase capacity" button, that bumps up the throughput/ capacity limit fourfold for a user for a given period of time. It works like this: > Clicking the button sets a boost expiredat time. > When this time is set and still valid, the capacity rate is multiplied by 4. > When the button is clicked, trigger a loading spinner until the route finishes processing. > When the timer runs out, we reset the button back to its original state. > We dont need to wrap the onclick with runAsyncWithAlert because the component does that already. 4. We add a new default theme: a colorful theme with a lavender base. This was mainly done so we could have three times in a theme showcase in the settings page. ### UI Demos **Sent Page Demo:** https://github.com/user-attachments/assets/19294a90-bb65-4f00-9a97-111f6c08287f **Drafts Page Demo** https://github.com/user-attachments/assets/847609ef-d699-470c-a699-297bb9e17f04 **Settings Page Demo** https://github.com/user-attachments/assets/190a3829-036a-4f57-89c0-a873bef5a7ce **Email Viewer Page Demo** https://github.com/user-attachments/assets/3bc50159-4acb-4865-a4dd-830c84ee4235 --------- Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>	2026-03-11 12:01:36 -07:00
BilalG1	66adb4e50f	Local emulator base (#1233) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Provision local-emulator projects from a local config file and return emulator credentials via a new internal endpoint. * Dashboard: "Open config file" flow to open local projects and refresh owned projects. * **Changes** * Branch config can prefer/read/write local files for emulator projects. * Environment config updates/resets are blocked for local-emulator projects. * Dashboard UI shows read-only notices and disables project creation in emulator mode. * Added DB mapping and a standard env flag to identify local-emulator projects. * **Tests** * New E2E tests covering provisioning and config restrictions. * **Chores** * Removed legacy emulator docs and compose; added CI workflow for local-emulator E2E runs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Konstantin Wohlwend <n2d4xc@gmail.com>	2026-03-10 15:15:06 -07:00
Konstantin Wohlwend	9c0d4e058f	Remove next-themes from dashboard	2026-02-26 14:12:17 -08:00
BilalG1	fa27c80319	rename tabId to sessionReplaySegmentId (#1206) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added new session replay analytics columns to ClickHouse for enhanced tracking and reporting * **Refactor** * Renamed session recording segment identifier across APIs and data models from `tab_id` to `session_replay_segment_id` * Updated internal data structures and type definitions to align with new naming convention <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-02-17 11:00:07 -08:00
Armaan Jain	11b6b4210b	Emails redesign (#1076)	2026-02-16 14:57:17 -08:00
BilalG1	c7ef526bb4	session replays (#1187) ... https://www.loom.com/share/3b7c9288149e4f878693281778c9d7e0 ## Todos (future PRs) - Fix pre-login recording - Better session search (filters, cmd-k, etc) <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Analytics → Replays: session recording & multi-tab replay with timeline, speed, seek, and playback settings; dashboard UI for listing and viewing replays. * **Admin APIs** * Admin endpoints to list recordings, list chunks, fetch chunk events, and retrieve all events (paginated). * **Client** * Client-side rrweb recording with batching, deduplication, upload API and a send-batch client method. * **Configuration** * New STACK_S3_PRIVATE_BUCKET for private session storage. * **Tests** * Extensive unit and end-to-end tests for replay logic, streams, playback, and APIs. * **Chores** * Removed an E2E API test GitHub Actions workflow. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-02-16 14:15:17 -08:00
Konsti Wohlwend	d319285403	Queries view (#1145)	2026-02-16 11:39:21 -08:00
Konsti Wohlwend	7a35751f8e	Sign up rules (#1138) ... <!-- CURSOR_SUMMARY --> > [!NOTE] > **High Risk** > Touches core sign-up/auth flows and user restriction semantics (including new DB constraints) and introduces dynamic rule evaluation/logging; misconfiguration or CEL/parser bugs could block sign-ups or incorrectly restrict users. > > **Overview** > Introduces **CEL-based sign-up rules** (config-driven) that are evaluated during password/OTP/OAuth sign-ups and anonymous upgrades; matching rules can reject sign-ups or mark users as admin-restricted, and triggers are logged for analytics. > > Extends `ProjectUser` with `restrictedByAdmin` plus public/private restriction details, updates restriction computation/filtering, and exposes these fields via user CRUD (including validation + DB constraint enforcing consistency when unrestricted). > > Adds a new dashboard **Sign-up Rules** page with a visual condition builder (CEL <-> visual tree), drag-reorder by priority, per-rule 48h sparkline analytics via a new hidden internal endpoint, and adds user-page UI to view/edit manual restrictions. Also refactors ClickHouse client initialization to require env vars (removing `isClickhouseConfigured` checks) and adjusts CI container startup wait time. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2141e689e8c1b72303b805e9234f996010d0880. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Sign-up Rules: visual rule builder, in-project CRUD with drag-reorder, per-rule analytics, backend evaluation, and admin UI. * Admin user restrictions: dashboard controls, banners/status, public/private admin details surfaced in user views. * **APIs & Schema** * Config and user schemas extended; new SignUpRejected error and sign-up rule types added. * **Tests** * Extensive unit and E2E coverage for rules, parser, evaluator, analytics, and restricted-user flows. * **Docs** * Editorial guidance added to AGENTS.md. * **Chores** * DB statement timeout, updated clean script, minor dependency additions. <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-02-03 11:08:24 -08:00
Konstantin Wohlwend	57a050ef01	Run Query in Control Center	2026-01-30 17:56:10 -08:00
Konstantin Wohlwend	28144334eb	Fix tests	2026-01-30 16:20:01 -08:00
Konstantin Wohlwend	0bb39192f8	Improve control center query button	2026-01-30 15:36:43 -08:00
Madison	b32eb9e351	[Dashboard] Introduce changelog to stack-companion (#1090) ... <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Changelog panel now fetches and displays recent releases with rich Markdown rendering, per-release cards, and change-type labels. * Visual cues (badge, glow, tooltip) indicate when unseen updates are available; last-seen state tracked for users. * **Chores** * Configured external changelog data source and added a backend endpoint to serve parsed changelog entries. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-01-29 12:22:24 -06:00
Konstantin Wohlwend	c35578de9f	Analytics dashboard frontend	2026-01-28 19:33:41 -08:00
Konsti Wohlwend	6c22e6e511	Config sources (#1083)	2026-01-21 18:08:35 -08:00
BilalG1	d469a9f297	payments block purchases (#1121) ... <img width="1179" height="965" alt="Screenshot 2026-01-19 at 1 45 19 PM" src="https://github.com/user-attachments/assets/5583e2e7-08a7-4524-9d16-57dcb9f4fad3" /> <!-- Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md --> <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added a Payments Settings page that surfaces a "Settings" screen for managing payment behavior. * Added a "Block new purchases" toggle on that page; changing it updates the project's payment setting immediately. * Added a "Settings" link to the Payments navigation menu for quick access. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->	2026-01-19 20:10:23 -08:00