feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public)#1481
Open
BilalG1 wants to merge 21 commits into
Open
feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public)#1481BilalG1 wants to merge 21 commits into
BilalG1 wants to merge 21 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
|
Important Review skippedToo many files! This PR contains 288 files, which is 138 over the limit of 150. To get a review, narrow the scope: ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (12)
📒 Files selected for processing (288)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![vercel[bot]](https://avatars.githubusercontent.com/in/8329?s=60&v=4){kind=small}
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 371 files
Partial review: This PR has more than 50 files, so cubic reviewed the highest-priority files first. During the trial, paid plans get a higher file limit.
You can try an ultrareview to bypass the file limit, comment @cubic-dev-ai ultrareview. Learn more.
Fix all with cubic | Re-trigger cubic
Contributor
Greptile SummaryThis is the visible surface flip of the Stack Auth → Hexclave rebrand (~381 files): SDK default URLs, package exports, error messages, email content, CLI snippets, docs, and a one-shot SQL migration are all switched to Hexclave branding, while PR 1's dual-accept wire identifiers keep legacy traffic working indefinitely.
Confidence Score: 4/5The rebrand sweep is mechanically sound, but the mirror-publish CI step will fail before the new @hexclave/* packages reach npm. The pnpm publish -r command in the new workflow step publishes every non-private workspace package, not just the 9 rewritten @hexclave/* ones. Packages like @stackframe/init-stack that were deliberately left out of the rewrite map still carry their current public versions, which already exist on npm. npm rejects re-publishing an existing version with HTTP 403, so the publish step will error out — potentially before any @hexclave/* packages are published. The rest of the PR is clean and well-guarded. .github/workflows/npm-publish.yaml — the pnpm publish -r step needs a --filter @hexclave/* guard so only the rewritten packages are published. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Push to main] --> B[Build and bump versions on dev]
B --> C[git checkout main]
C --> D[rewrite-packages-to-hexclave.ts]
D --> E[9 packages rewritten to hexclave]
D --> F[Other publishable packages unchanged]
E --> G[pnpm publish -r]
F --> G
G --> H[hexclave packages published OK]
G --> I[stackframe/init-stack already on npm FAILS]
I --> J[Step aborts - hexclave may not publish]
style I fill:#f88,stroke:#c00
style J fill:#f88,stroke:#c00
style H fill:#8f8,stroke:#080
Prompt To Fix All With AIFix the following 2 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 2
.github/workflows/npm-publish.yaml:109-116
**Unscoped `pnpm publish -r` will fail on already-published packages**
After `git checkout main`, this step runs `pnpm publish -r` across the entire workspace. The rewrite script only mutates 9 packages in `PACKAGE_DIRS`; every other non-private publishable package (e.g. `@stackframe/init-stack@2.8.103`) keeps its current name and version. npm rejects re-publishing an existing version with HTTP 403, so this step will fail as soon as it hits the first unchanged package — the new `@hexclave/*` packages may or may not have been published before the failure.
The fix is to filter the publish command to only the 9 rewritten packages, for example: `pnpm publish -r --filter "@hexclave/*" --no-git-checks --access public`.
### Issue 2 of 2
packages/template/src/lib/stack-app/apps/implementations/common.ts:130-131
`getAnalyticsBaseUrl` now only maps `api.hexclave.com → r.hexclave.com`. Customers who explicitly set `baseUrl: "https://api.stack-auth.com"` (or who had it hard-coded by a version of the SDK shipped before this PR changed the default) will receive `"https://api.stack-auth.com"` from this function instead of `"https://r.stack-auth.com"` — analytics requests silently go to the API origin instead of the analytics beacon. The `getHardcodedFallbackUrls` backward-compat entry for `api.stack-auth.com` keeps their API calls working, but analytics are silently dropped for this cohort.
```suggestion
const ANALYTICS_BASE_URL_MAP: Record<string, string> = {
[defaultBaseUrl]: defaultAnalyticsBaseUrl,
// Backward-compat: customers with explicit legacy base URL keep correct analytics routing.
"https://api.stack-auth.com": "https://r.stack-auth.com",
};
export function getAnalyticsBaseUrl(regularBaseUrl: string): string {
return ANALYTICS_BASE_URL_MAP[regularBaseUrl] ?? regularBaseUrl;
```
Reviews (2): Last reviewed commit: "fix(hexclave): update url-targets snapsh..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
BilalG1
added a commit
that referenced
this pull request
May 23, 2026
Triaged 4 unresolved review threads on PR #1481; 3 were not yet handled (the 4th — cubic-dev-ai's IDP audience flag — was already addressed in the prior round-2 commit ad870ef). - apps/backend/src/app/page.tsx:9 (cubic-dev-ai P2): the link's URL was flipped to https://app.hexclave.com but its link text still said 'Stack's dashboard'. Half-rebranded. Flipped the text to 'Hexclave's dashboard' to match. - .github/workflows/npm-publish.yaml (greptile-apps P1): the mirror-publish step used '${{ vars.HEXCLAVE_VERSION || '1.0.0' }}'. GitHub Actions evaluates an unset 'vars.*' as empty string, so the literal '1.0.0' was the silent fallback. The first push to main after this lands — before the repo variable is intentionally configured — would publish @hexclave/*@1.0.0 to the public npm registry as an unrecoverable release. Replaced with an explicit gate step: if vars.HEXCLAVE_VERSION is unset, the rewrite + mirror-publish steps are skipped (silent no-op); if set, the value is used as-is with no fallback. - scripts/rewrite-packages-to-hexclave.ts:161 (greptile-apps P2): the text-rewrite extension allow-list included '.map'. Source maps embed original file paths and (when sourcesContent is set) the original source code — a blanket '@stackframe/' → '@hexclave/' substitution inside them corrupts the mappings and breaks production-error debugging. Dropped '.map' from the regex with a code comment explaining why. Lint + typecheck pass on backend (the only locally-affected package).
# Conflicts: # apps/backend/package.json # apps/dashboard/package.json # apps/dev-launchpad/package.json # apps/e2e/package.json # apps/mcp/package.json # apps/mock-oauth-server/package.json # apps/skills/package.json # docs-mintlify/index.mdx # examples/cjs-test/package.json # examples/convex/package.json # examples/demo/package.json # examples/docs-examples/package.json # examples/e-commerce/package.json # examples/js-example/package.json # examples/lovable-react-18-example/package.json # examples/middleware/package.json # examples/react-example/package.json # examples/supabase/package.json # examples/tanstack-start-demo/package.json # packages/dashboard-ui-components/package.json # packages/init-stack/package.json # packages/js/package.json # packages/react/package.json # packages/stack-cli/package.json # packages/stack-sc/package.json # packages/stack-shared/package.json # packages/stack-ui/package.json # packages/stack/package.json # packages/tanstack-start/package.json # packages/template/package-template.json # packages/template/package.json # skills/stack-auth/SKILL.md
Filter `pnpm publish -r` to only the rewritten @hexclave/* packages in the mirror step, removing the reliance on pnpm's skip-existing-versions behavior for the unchanged @stackframe/* packages still in the workspace at that point. Addresses greptile P1 finding on PR #1481.
…sertionError suffix Companion to ff44d4e — that commit shortened the disclaimer from '...error in Hexclave (formerly Stack Auth).' to '...error in Hexclave.' and updated the url-targets test snapshots, but missed the matching inline snapshot in apps/backend/src/lib/redirect-urls.test.tsx. The test suite passes after the update (33/33).
|
You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment |
nams1570
requested changes
May 26, 2026
Collaborator
nams1570
left a comment
nams1570
left a comment
There was a problem hiding this comment.
this is a partial review
# Conflicts: # docs-mintlify/guides/getting-started/ai-integration.mdx # docs-mintlify/guides/going-further/local-development.mdx # docs-mintlify/guides/going-further/local-emulator.mdx # docs-mintlify/guides/other/showcase.mdx
# Conflicts: # apps/skills/src/app/route.ts # packages/stack-shared/src/ai/unified-prompts/skill-site-prompt-parts/ai-setup-prompt.ts # packages/stack-shared/src/interface/page-component-versions.ts
# Conflicts: # docs-mintlify/guides/getting-started/setup.mdx # docs-mintlify/snippets/home-prompt-island.jsx
The bare-name sweep was mutating the sentinel string
('js @stackframe/js@2.8.105') into 'js @hexclave/js@2.8.105' before
the sentinel-specific regex (built from oldName) had a chance to
match, silently leaving the version stuck at the old @StackFrame
version on published @hexclave/* artifacts. Reorder so the sentinel
rewrite runs first; the name sweep that follows can't touch the
rewritten sentinel because it no longer contains any @stackframe/*
substrings.
Resolve conflicts in init-prompt.ts (take dev's unified-prompt structure, keep Hexclave branding), and rebrand the auto-merged ai-setup-prompt.ts sweep (CLI Python template names, MCP server name/URL/tool, StackConfig type, x-hexclave-* header teach). Regenerated docs-mintlify setup files.
nams1570
reviewed
May 26, 2026
| @@ -88,3 +88,34 @@ jobs: | |||
|
|
|||
Collaborator
There was a problem hiding this comment.
[Re: line +30]
unrelated to this PR, but why do we just grab latest node version instead of pinning it?
See this comment inline on Graphite.
Collaborator
Author
There was a problem hiding this comment.
not sure, think it should be pinned probably
nams1570
reviewed
May 26, 2026
The legacy docs/ folder still referenced noreply@stackframe.co for the shared email provider — flip to match the new sender domain set up on Resend as the dedicated transactional-sender domain. Aligns with the dashboard + docs-mintlify references that were already flipped.
…erCache Result.or returns T | U synchronously, so awaiting it tripped @typescript-eslint/await-thenable and @typescript-eslint/return-await in the generated packages/stack and packages/react SDKs.
…mple apps PR 1481's sweep missed four user-visible spots in the examples/ tree: - examples/demo: page title 'Stack Demo' + description 'using Stack...' - examples/docs-examples: page title 'Stack Demo' + description 'using Stack...' - examples/tanstack-start-demo: 'Stack TanStack Demo' link text in header - examples/middleware: description 'A demo of Stack\'s middleware capabilities.' (title was already flipped; only the description was missed)
The MDX content was flipped to Hexclave in PR 1481, but the URL slug itself (/guides/other/tutorials/build-a-saas-with-stack-auth) was still public-facing. Rename the file and update the five internal links: - docs.json navigation reference - 3 in-MDX cross-links in build-a-team-based-app.mdx - 2 in-MDX cross-links in ship-production-ready-auth.mdx
PR 1481 carved out binary visual assets pending design work, but we now have the Hexclave brand mark from PR 1493 (the neon-gradient benzene ring) and a full wordmark variant. Swap them in everywhere the dashboard, docs site, and example demo rendered the Stack Auth logo. Icon-only variant (PR 1493's hexclave-icon.svg, neon-gradient benzene mark) replaces: - apps/dashboard/public/logo.svg + logo-bright.svg - examples/demo/public/logo.svg + logo-bright.svg Full wordmark variant (benzene mark + 'Hexclave' text in Jersey 10) replaces: - apps/dashboard/public/logo-full.svg (black text — light mode) - apps/dashboard/public/logo-full-bright.svg (white text — dark mode) - docs-mintlify/images/logo-light.svg (black text) - docs-mintlify/images/logo-dark.svg (white text) The benzene mark uses a colored gradient that reads on both light and dark backgrounds, so logo.svg and logo-bright.svg now share identical content — the dark-mode SmartImage swap in logo.tsx is effectively a no-op but the file pair is preserved to avoid touching the component API. Same applies to examples/demo. Also drop the 'dark:invert' className on examples/demo's <Image> — the new gradient mark should not be color-inverted on dark backgrounds (it already reads correctly on both).
Three favicon.ico files and the dashboard's open-graph-image.png are
regenerated from the canonical Hexclave benzene-mark SVG committed in
the previous logo-swap commit (apps/dashboard/public/logo.svg).
Favicons (all three: dashboard, dev-launchpad, docs-mintlify) bundle
16x16, 32x32, and 48x48 PNG-encoded variants — 32bpp RGBA for crisp
rendering on retina + dark-mode tab strips. dev-launchpad's old icon
was a 4bpp 16x16 single-frame; it now matches the other two.
OG image is 1200x630 with a centered 360px gradient benzene mark on a
dark canvas with a subtle radial glow. No wordmark — Jersey 10 isn't
available at rasterize time and the mark alone reads cleanly on the
standard OG card preview area in Slack / Twitter / LinkedIn.
The dashboard layout's openGraph.images metadata points at
${apiUrl}/open-graph-image.png — the backend deploy needs to serve
this file from the same path so social previews actually resolve.
Tracked separately as ops work.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stacked on #1475 (
cl/hexclave-pr1, the invisible compatibility layer). Diff vs that base = the actual PR 2 code.This is PR 2 of the Stack Auth → Hexclave rebrand: the visible flip. Old wire identifiers (cookies, request/response headers, Bearer prefix, JWT issuers, MCP tool name) keep working indefinitely via PR 1's dual-accept. This PR flips every user-visible surface — package names taught in docs, SDK class names in code examples, dashboard setup snippets, page titles, error messages, email content, CLI binary, default base URLs, GitHub repo slug, contributor guidance — to the Hexclave brand.
See
RENAME-TO-HEXCLAVE.md→ "PR 2: Rebrand to Hexclave (visible)" for the full per-work-area spec.What's implemented (per the plan's PR 2 scope)
SDK base URLs flipped:
defaultBaseUrlanddefaultAnalyticsBaseUrlin common.ts →https://api.hexclave.com/https://r.hexclave.com. PR 1'sgetHardcodedFallbackUrlstable now keys on the Hexclave domain.Domain inventory sweep (16 subdomains from the plan): every
api/app/docs/discord/demo/mcp/skill/feedback/test/preview/r/api2/api.staging/idp-jwk-audience/built-with.stack-auth.comreference in production code, docs-mintlify, examples, READMEs, and contributor guidance flipped to*.hexclave.com. Carve-outs: PR 1's intentional JWT issuer dual-accept table in tokens.tsx, the legacy./docs/folder, theunified-docs-widgetallowlist (deliberately accepts both during DNS transition), andurl-targets.tshosted-component default (baked into existing customer deploys).@deprecatedJSDoc on everyStack*public export (packages/template/src/lib/stack-app/index.ts + packages/template/src/index.ts) —StackClientApp,StackServerApp,StackAdminApp+ every constructor/options/JSON type,StackHandler,StackProvider,StackTheme,useStackApp,defineStackConfig,StackConfig. Hexclave* aliases are now canonical.Runtime
console.warn(packages/template/src/internal/deprecation-warning.ts) — once-per-process when the SDK is loaded from a@stackframe/*artifact. Detection uses the existingSTACK_COMPILE_TIME_CLIENT_PACKAGE_VERSION_SENTINEL(rewritten at build time to e.g.js @stackframe/stack@2.8.92orjs @hexclave/next@1.0.0);@hexclave/*mirror artifacts short-circuit the warning.Tier 3 data migration: new idempotent SQL migration
20260523000000_rename_internal_project_to_hexclave— updates the internal ProjectdisplayName'Stack Dashboard' → 'Hexclave Dashboard' anddescriptiononly if both still hold the pre-rebrand defaults. Operator-renamed projects untouched, missing row no-ops, re-runs are no-ops.seed.tsdefault flipped.getSharedEmailConfig("Stack Auth")→("Hexclave").Tier 4 brand strings (mechanical sweep, ~340 files):
info.descriptiondocumentsX-Hexclave-*headers as canonical with compat note onX-Stack-*.HexclaveAssertionErrormessage text (errors.tsx:71) — "an error in Stack." → "an error in Hexclave."x-hexclave-*+ the newdocs.hexclave.comURL; legacyx-stack-*mentioned as compat aliases. 25 e2e test files updated in lockstep.sent-with-hexclave.com), test-email-recipient default.CHANGELOG.mdtitle → "Hexclave Changelog".AGENTS.mdenv var convention: new vars prefixHEXCLAVE_/NEXT_PUBLIC_HEXCLAVE_for Category A/B; legacySTACK_*explicitly noted as accepted via PR 1's dual-read.CLI / init wizard:
npx @hexclave/cli@latest init(was@stackframe/stack-cli). setup-page.tsx + link-existing-onboarding.STACK_*_INSTALL_PACKAGE_NAME_OVERRIDEdefaults flipped to@hexclave/*.stack/client.ts/stack/server.tsimport from@hexclave/nextand referenceHexclaveClientApp/HexclaveServerApp.StackAuthKeysdashboard component renamed toHexclaveKeys.docs-mintlify rewrite (legacy
./docs/intentionally untouched per scoping decision):@stackframe/{react,stack,js,tanstack-start,...}→@hexclave/{react,stack,js,...}in install snippets and code blocks;Stack*SDK class names →Hexclave*in all code examples; 'Stack Auth' brand phrase → 'Hexclave'.openapi/{server,admin,client,webhooks}.jsontitles → 'Hexclave REST API' / 'Hexclave Webhooks API'.Generators flipped before regeneration:
packages/stack-shared/src/helpers/init-prompt.ts,/ai/prompts.ts,apps/backend/src/lib/ai/prompts.ts,apps/backend/src/lib/ai/tools/create-email-{template,draft}.ts,apps/skills/src/app/route.ts(taught MCP tool →ask_hexclavewith compat note; CLI binary teach →hexclave),docs-mintlify/snippets/home-prompt-island.jsx,packages/template/README.md+ integrations/convex/component/README.md.generate-sdkspropagated changes topackages/{react,stack,js}.OpenAPI dual-documentation:
apps/backend/src/app/api/latest/route.tsnow listsX-Hexclave-*headers as primary documented schemas withX-Stack-*duplicates marked.optional()(both accepted at runtime by PR 1's normalize-at-proxy shim).@stackframe/emailsvirtual module: dual-aliased to@hexclave/emailsat the bundler boundary (email-rendering.tsx:89). Stored email templates continue to import from either name; new AI-generated templates and the system prompt teach@hexclave/emails.Tier 2 mirror-publish wiring (new this PR, lays the groundwork for
@hexclave/*first publish):scripts/rewrite-packages-to-hexclave.ts— rewrites 9 publishable@stackframe/*→@hexclave/*package.jsonfiles (readsHEXCLAVE_VERSIONenv or--version=flag), pins cross-deps to the shared@hexclaveversion, registershexclavebin alongsidestackfor@hexclave/cli..github/workflows/npm-publish.yamlappended with rewrite-then-republish step.pnpm publishskips already-on-npm versions so reruns are safe.Sender email domain:
noreply@stackframe.co→noreply@sent-with-hexclave.com(the dedicated transactional-sender domain split per the plan, to isolate bulk deliverability fromhexclave.comreputation);security@/team@stack-auth.cominbound mailboxes →@hexclave.com.Self-host docs: docker network / container names in the bash examples flipped from
stack-authtohexclave(hexclave-postgres,hexclave-clickhouse,hexclave.env). The docker image tagstackauth/server:lateststays per the plan's locked decision.GitHub repo slug:
hexclave/stack-auth→hexclave/hexclavein everypackage.jsonrepositoryfield, README link, CHANGELOG raw-asset URL.Carve-outs (deliberately untouched)
apps/backend/src/lib/tokens.tsxJWT issuer dual-accept table — PR 1 intentional infrastructure, kept indefinitely../docs/folder — per scoping decision (onlydocs-mintlify/rewritten).unified-docs-widgethostname allowlist — accepts both.hexclave.com(canonical) and.stack-auth.com(transition window) for DNS rollout.url-targets.tshosted-domain default.built-with-stack-auth.com— wire identifier baked into existing customer deploys; indefinite read-fallback.Verification
pnpm typecheckonpackages/{template,stack-shared,react,stack,js}+apps/dashboard: all green. The remaining backend / e-commerce-demo typecheck errors are pre-existing (Prisma codegen output +./generated/api-versions.jsonnot present in fresh worktrees withoutpnpm run codegen-prisma+ a live DB) and unrelated to this diff.pnpm linton the same 6 packages: all green.Stack Auth/stack-auth.com/@stackframe/stack-cli@latestreferences: zero outside the intentional carve-outs above.Deploy blockers (ops sequencing before this rebrand goes live)
This PR is code-complete, but the rebrand's visible surfaces (SDK default URLs, dashboard links, npm READMEs, REST error messages, runtime deprecation warning) all point at
*.hexclave.com/@hexclave/*resources that don't exist yet. None of these are fixable from a PR — they're ops/registrar/npm work that has to be sequenced before merging this to a release tag.Suggested ordering, hardest blockers first:
Tier 1 — required before customer-facing deploy (everything below this line will visibly break customers on day 1 if skipped)
api.hexclave.com+api1./api2.hexclave.com→ must point at the same backend that servesapi.stack-auth.com(or a backend that mirrors PR 1's dual-accept). The SDK's newdefaultBaseUrlishttps://api.hexclave.com; every customer that relied on the old default and upgrades to a post-PR2 SDK build sends API requests here. Until this resolves, every default-config customer's API call NXDOMAINs.app.hexclave.com→ the dashboard. Referenced in the SDK's default-error messages ("Please create a project on the Hexclave dashboard at https://app.hexclave.com"), the init-stack flow'swizard-congratsredirect, and the OAuth dashboard handoff.docs.hexclave.com+ Mintlify deploy → the SDK runtime deprecation warning (https://docs.hexclave.com/migration), every README, every "Learn more" link in the dashboard, and every REST API error body (/api/overview#authentication) points here. The MDX is in this PR; the docs build target needs DNS.mcp.hexclave.com→ the MCP server endpoint that every taught agent integration (claude mcp add ...,cursor,codex,vscode) registers. Until this resolves, everynpx @hexclave/cli@latest initMCP-registration step fails.@hexclavenpm scope + set repo variableHEXCLAVE_VERSION→ the mirror-publish step in.github/workflows/npm-publish.yamlis gated on this variable. Without it, the entire taught onboarding commandnpx @hexclave/cli@latest init404s from the npm registry, and every README that says "install@hexclave/next" leads to install failure. Pick the initial version intentionally (1.0.0or aligned to@stackframe/stack); don't accept a silent default.Tier 2 — required before announcing the rebrand publicly (lookalike or low-traffic surfaces, but visibly broken)
r.hexclave.com→ the analytics beacondefaultAnalyticsBaseUrl. Silent failure if missing (analytics drops), but should land alongside Tier 1.sent-with-hexclave.com+ full email auth (SPF / DKIM / DMARC) → the new default sender domain for shared-sender transactional emails. Without it the dashboard "send test email" path emits bounces, and shared-sender flows (getSharedEmailConfig("Hexclave")) deliver to spam at best.hexclave.com→team@hexclave.comandsecurity@hexclave.commailboxes. The security disclosure mailbox is referenced in.github/SECURITY.md;team@hexclave.comis the actual recipient of internal feedback emails sent at runtime byapps/backend/src/lib/internal-feedback-emails.tsx. Today, every runtime feedback email bounces.skill.hexclave.com→ the canonical AI-agent skill fetch URL (the agent bootstrap pivot). Without it, the entire "agent downloadsSKILL.mdfrom a known URL" flow taught inpackages/stack-shared/src/helpers/init-prompt.tsfails.github.com/hexclave/hexclaveas a public repo (even as a redirect tohexclave/stack-auth) OR rewrite everypackage.json"repository"field + dashboard footer "view on GitHub" link to point athexclave/stack-auth(which already exists). Currently every npm package page's "Repository" link is dead, and the dashboard's GitHub button + dev-tool repo link are dead.Tier 3 — broken but low-visibility / low-traffic
discord.hexclave.com→ Discord invite redirect, used in every README's chip and the dashboard footer.demo.hexclave.com→ "✨ Demo" badge in every npm package README. Broken-image badge on the package page.built-with-hexclave.com→ optional hosted-handler domain (the default reverted to.built-with-stack-auth.comin this PR's carve-outs, so this only matters for projects that manually flip).Other follow-ups (not deploy-blocking)
x-hexclave-*response headers (PR 1 follow-up;vitest -uin CI absorbs).docs-mintlify/openapi/are committed but regen runs in CI. Verify the workflow that does this still works against the post-PR2 source.codegen-prisma+codegen-route-infoto clear; pre-existing, unaffected by this PR.Test plan
vitest -uto absorb residual snapshot deltas, then committed back).@hexclave/cli init(once published) generateshexclave.config.tsand works against a fresh project.@stackframe/stackimport sees the once-per-processconsole.warnrecommending@hexclave/nexton SDK init.npx @hexclave/cli@latest initsnippet and thex-hexclave-publishable-client-keyAPI header in the curl example.pnpm run prisma migrateagainst a clean DB sets the internal project displayName to 'Hexclave Dashboard'.