[Feat] Hexclave AI integration: skill, MCP SKILL.md route, docs

[mantrakp04]

Summary

• Adds a hexclave SKILL.md pointer skill that fetches the live skill body on every invocation
• Adds an /SKILL.md route on the MCP app that renders the full skill (CLI usage + docs sidebar generated from docs.json)
• Expands docs-mintlify/guides/getting-started/ai-integration.mdx with three install paths (CLI, Skill, MCP) and per-agent config snippets
• Updates packages/stack-shared/src/helpers/init-prompt.ts to install both the MCP server and skill file, with per-project vs global scope detection

Test plan

• pnpm typecheck
• pnpm lint
• Hit the MCP app's /SKILL.md endpoint locally and verify it returns valid markdown with the full docs sidebar
• Render the updated ai-integration.mdx in Mintlify preview and confirm tabs/cards render

Summary by CodeRabbit

• Documentation

  • Rewrote the AI integration guide with complete, user-facing instructions for connecting Stack Auth to coding agents; removed the separate MCP setup page and updated site navigation.
  • Added the canonical Stack Auth skill content and guidance that clients should fetch the latest skill at runtime.

• New Features

  • MCP now serves the canonical Stack Auth skill dynamically and provides interactive skill responses.
  • Init prompts now include full MCP + skill install workflows and scope guidance.
  • Added a health-check endpoint.

• Chores

  • Added scaffold and configs for a new skills app (build, dev, lint, and type settings).

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-auth-mcp	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-backend	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-dashboard	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-demo	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-docs	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-preview-backend	Ready	Preview, Comment	May 15, 2026 9:36pm
stack-preview-dashboard	Ready	Preview, Comment	May 15, 2026 9:36pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds a new Next.js skills app that serves a canonical Stack Auth skill (Markdown/HTML), creates a canonical SKILL.md, updates the MCP handler to fetch and present that skill, and expands init prompts and documentation with agent-aware install and MCP configuration instructions.

Changes

Stack Auth Skill Server and Setup Integration

Layer / File(s)	Summary
Skills app configuration and infrastructure apps/skills/.eslintrc.cjs, apps/skills/next.config.mjs, apps/skills/package.json, apps/skills/src/app/health/route.ts, apps/skills/tsconfig.json	Establishes the new apps/skills/ Next.js application with ESLint and TypeScript configuration, Next.js config disabling powered-by header, npm scripts and dependencies, and a health check endpoint returning JSON status with CORS headers.
Main skill serving route with documentation and content negotiation apps/skills/src/app/route.ts	Implements the root route handler that builds a docs sidebar from docs.json, embeds it in a SKILL_MD markdown template with Stack Auth instructions, renders styled HTML with copy UI for browser requests, and uses sec-fetch-mode/sec-fetch-dest headers to return markdown or HTML with shared caching/CORS headers.
Canonical Stack Auth skill definition skills/stack-auth/SKILL.md	Introduces the canonical skill file with metadata and instructions requiring fetch-on-invocation of https://skill.stack-auth.com, following indirections and falling back to curl if needed.
MCP handler updates for skill resource apps/mcp/src/mcp-handler.ts	Updates the MCP handler to define a skillResourceUri, adds fetchSkill() to download skill content as markdown, wires MCP registration/prompting to the fetched skill resource, and adds an instructions field describing ask_stack_auth usage.
Setup prompts and user-facing integration guide packages/stack-shared/src/helpers/init-prompt.ts, docs-mintlify/guides/getting-started/ai-integration.mdx, docs-mintlify/docs.json, docs-mintlify/guides/other/mcp-setup.mdx	Expands the initialization prompt with agent-aware install-scope rules and detailed skill/MCP installation instructions with agent-specific paths and URLs. Replaces the AI integration documentation stub with a complete guide describing Skill, MCP, and Prompt integration methods, updates docs navigation and the GitHub link, and removes the old mcp-setup page.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• hexclave/stack-auth#1405: Updates to apps/mcp/src/mcp-handler.ts for registering and fetching the canonical skill resource align directly with this PR's MCP handler integration.

Suggested reviewers

• N2D4
• nams1570
• BilalG1

Poem

🐰 I fetch the SKILL from web and tree,
I tuck it in docs for agents to see,
MCP replies, the install command gleams,
Project or global—follow the schemes,
Hop, copy, paste, and ship new dreams.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main feature being added: AI integration with skill, MCP SKILL.md route, and documentation updates.
Description check	✅ Passed	The description provides a clear summary of changes across multiple areas, explains the purpose of each modification, and includes a concrete test plan with checkboxes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch hexclave-ai-integration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR wires up a new apps/skills Next.js service that serves the canonical Stack Auth SKILL.md at skill.stack-auth.com, updates the MCP handler to fetch the live skill on every invocation instead of embedding static text, and rewrites the AI integration docs with three install paths (CLI, skill, MCP). All three issues raised in the previous review round (humanizeSegment crash, short Cache-Control TTL, and missing res.ok guard in fetchSkill) are confirmed fixed in the current HEAD.

• apps/skills/src/app/route.ts: New Next.js route serving markdown to non-browser fetches and an HTML landing page to browser navigations, with the docs sidebar generated from docs.json at deploy time.
• apps/mcp/src/mcp-handler.ts: Replaces static MCP setup text with a live fetchSkill() call (now with res.ok guard) for both the skill resource and the new parameterless skill prompt; ask_stack_auth tool is unchanged.
• skills/stack-auth/SKILL.md / docs-mintlify/guides/getting-started/ai-integration.mdx: Thin pointer SKILL.md defers to the live URL; docs page replaces the TODO stub with complete install instructions.

Confidence Score: 5/5

Safe to merge — all previously flagged bugs are fixed and no new functional defects were found.

The changes are additive (new apps/skills service, updated MCP handler, expanded docs) with no modifications to auth or data-persistence paths. The three regressions identified in the prior review round are all addressed. Remaining observations are style-level: an unused Accept header and the HEAD-delegates-to-GET pattern that Next.js already handles correctly on the wire.

apps/skills/src/app/route.ts — buildDocsSection still throws at module init if the Documentation tab is renamed in docs.json, which would take the skills service down at deploy time.

Important Files Changed

Filename	Overview
apps/skills/src/app/route.ts	New route serving the canonical SKILL.md; humanizeSegment crash and Cache-Control TTL issues from previous review are fixed; buildDocsSection still throws at module init if "Documentation" tab is absent from docs.json
apps/mcp/src/mcp-handler.ts	fetchSkill now guards res.ok (previous P1 fixed); replaces static setup text with live skill fetch; ask_stack_auth tool preserved unchanged
packages/stack-shared/src/helpers/init-prompt.ts	Init prompt now instructs agents to install the skill and MCP server; heading still reads STACK AUTH SETUP INSTRUCTIONS (flagged in previous review, not yet updated)
apps/skills/package.json	New minimal Next.js app package; scripts include clean, typecheck, build, lint matching monorepo conventions
skills/stack-auth/SKILL.md	Thin pointer file that instructs agents to fetch live instructions from skill.stack-auth.com; frontmatter and instructions look correct
docs-mintlify/guides/getting-started/ai-integration.mdx	Expands the AI integration guide with three install paths and per-agent config snippets; replaces the TODO stub
apps/skills/src/app/health/route.ts	Simple health check endpoint with permissive CORS headers; appropriate for a public-facing status endpoint

Sequence Diagram

sequenceDiagram
    participant Agent as Coding Agent
    participant Skills as skill.stack-auth.com
    participant MCP as mcp.stack-auth.com
    participant Docs as docs.stack-auth.com

    Note over Agent,Skills: Skill install path
    Agent->>Skills: GET / (no Sec-Fetch headers)
    Skills-->>Agent: "full SKILL.md (Cache-Control: max-age=3600)"

    Note over Agent,MCP: MCP resource/prompt path
    Agent->>MCP: MCP skill resource or prompt request
    MCP->>Skills: fetch(skill.stack-auth.com)
    Skills-->>MCP: full SKILL.md markdown
    MCP-->>Agent: skill text content

    Note over Agent,Docs: Direct doc fetch (from within skill)
    Agent->>Docs: WebFetch URL from docs sidebar
    Docs-->>Agent: specific doc page content

    Note over Agent,Skills: Browser navigation path
    Agent->>Skills: GET / (Sec-Fetch-Mode: navigate)
    Skills-->>Agent: rendered HTML page with install UI

Loading

Prompt To Fix All With AI

Fix the following 3 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 3
apps/skills/src/app/route.ts:232
**Module-init throw on missing "Documentation" tab**

`buildDocsSection()` is still called eagerly at module-init time. If the `"Documentation"` tab is ever removed or renamed in `docs.json`, the explicit `throw` on line 227–228 fires before any request is handled, and the entire `apps/skills` service fails to start. Wrapping `const DOCS_SECTION = buildDocsSection()` in a try/catch and falling back to an empty string (or returning a 500 at request time) would make the failure mode recoverable without taking the whole deployment down.

### Issue 2 of 3
apps/skills/src/app/route.ts:628-630
**`HEAD` handler returns a full response body**

Delegating `HEAD` to `GET` means the `Response` object carries a body (HTML or markdown) even though HEAD responses must not include one per RFC 9110. Next.js strips it before the wire, so no bytes are actually sent, but the returned `Response` has non-zero `content-length`-style headers that could mislead any middleware inspecting the response object. A standalone `HEAD` handler that returns only the headers — or Next.js's built-in automatic HEAD-from-GET behaviour (available without an explicit export) — would be cleaner.

### Issue 3 of 3
apps/mcp/src/mcp-handler.ts:64-66
The `Accept: text/markdown` header has no effect: `apps/skills/src/app/route.ts`'s `wantsHtml()` only inspects `Sec-Fetch-Mode` and `Sec-Fetch-Dest` and completely ignores the `Accept` header. Server-side fetches never carry `Sec-Fetch-*` headers, so markdown is returned regardless — the header is correct in intent but misleading in that it suggests the server honours content negotiation via `Accept`. Consider either removing it or adding a comment noting that the server uses fetch-mode sniffing instead.

```suggestion
  // The skills server uses Sec-Fetch-Mode/Sec-Fetch-Dest for content negotiation,
  // not the Accept header. Server-side fetches never include Sec-Fetch-* headers,
  // so markdown is always returned from this call site.
  const res = await fetch(skillResourceUri, {
    headers: { Accept: "text/markdown" },
  });
```

_{Reviews (3): Last reviewed commit: "[Chore] Update TypeScript definitions fo..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/mcp/src/app/SKILL.md/route.ts`:
- Around line 45-48: Replace the unsafe type-cast and boolean falsy check when
resolving the Documentation tab: declare a properly typed variable for docsJson
(with navigation and tabs typed to { tab: string; pages: SidebarPage[] }[]), use
optional chaining when accessing navigation.tabs and call .find(...) to locate
the tab into a typed variable named tab, then check explicitly for
null/undefined using tab == null instead of !tab before passing tab.pages to
renderSidebar; ensure you reference the existing renderSidebar function and
SidebarPage type when updating the variable and checks.
- Around line 32-36: The code builds doc links by interpolating DOCS_BASE with
raw path segments (in the lines.push call and the heading construction that uses
`${DOCS_BASE}/${p}` and `${DOCS_BASE}/${p.root}`), which can produce invalid
URLs for reserved characters; update those constructions to build safe URLs by
encoding path segments (e.g., use encodeURIComponent or create a new URL and
append encoded pathname) when combining DOCS_BASE with p and p.root, and keep
the visible label using humanize(p) and p.group unchanged.

In `@packages/stack-shared/src/helpers/init-prompt.ts`:
- Around line 11-20: Update the project-vs-global detection rule in the init
prompt text block that begins "Install both the Hexclave MCP server..." so it
lists project-scoped MCP config filenames as examples (e.g., add ".claude.json",
".cursor/mcp.json", ".vscode/mcp.json", ".codex/config.toml",
".codex/config.toml" style entries) alongside the agent folders; ensure the
wording for the rule that currently only mentions agent folders and
".vscode/mcp.json" is expanded to include these project-scoped config filenames
so the agent correctly selects per-project scope when those files exist.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4d03b5d2-72ac-449b-9af5-0b0e9e610768

📥 Commits

Reviewing files that changed from the base of the PR and between a9623d9 and cf7581d.

📒 Files selected for processing (4)

• apps/mcp/src/app/SKILL.md/route.ts
• docs-mintlify/guides/getting-started/ai-integration.mdx
• packages/stack-shared/src/helpers/init-prompt.ts
• skills/hexclave/SKILL.md

[Copilot]

Pull request overview

This PR introduces “Hexclave AI integration” surfaces by adding a Hexclave skill pointer file, exposing a Markdown skill endpoint in the MCP app, updating the AI integration docs, and extending the CLI init prompt to install Hexclave MCP + skill for the active coding agent.

Changes:

• Added skills/hexclave/SKILL.md as a pointer skill that instructs agents to fetch the canonical skill content from https://skill.hexclave.com.
• Added an apps/mcp /SKILL.md route that renders a full SKILL.md (including a docs sidebar generated from docs-mintlify/docs.json).
• Updated the Mintlify AI integration guide and the shared createInitPrompt content to include Hexclave MCP + skill installation instructions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
skills/hexclave/SKILL.md	Adds a Hexclave skill pointer that directs agents to fetch canonical instructions remotely.
packages/stack-shared/src/helpers/init-prompt.ts	Updates init prompt text to instruct agents to install Hexclave MCP + skill files with project/global scoping rules.
docs-mintlify/guides/getting-started/ai-integration.mdx	Rewrites the AI integration doc to describe CLI/Skill/MCP installation paths and agent config snippets.
apps/mcp/src/app/SKILL.md/route.ts	Adds a /SKILL.md route that emits a generated SKILL.md containing a docs sidebar and CLI instructions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 7

♻️ Duplicate comments (1)

packages/stack-shared/src/helpers/init-prompt.ts (1)

11-11: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Project-scoped MCP config files are missing from the detection rule.

The install scope detection at Line 11 only checks for agent folders and .vscode/mcp.json. Projects using other project-scoped MCP config files (e.g., .claude.json, .cursor/mcp.json) without an agent folder would be incorrectly detected as "global" scope.

📋 Proposed fix to include project-scoped MCP config files

-Install both the Stack Auth skill and the Stack Auth MCP server for the current coding agent. Pick the install scope using this rule: if the project root already contains an agent folder (e.g. \`.claude/\`, \`.agents/\`, \`.cursor/\`, \`.codex/\`, \`.opencode/\`, \`.windsurf/\`, \`.roo/\`, \`.kilocode/\`, \`.augment/\`, \`.continue/\`, \`.crush/\`, \`.vscode/mcp.json\`), install **per project**; otherwise install **globally** for the detected agent.
+Install both the Stack Auth skill and the Stack Auth MCP server for the current coding agent. Pick the install scope using this rule: if the project root already contains an agent folder or project-scoped MCP config file (e.g. \`.claude/\`, \`.claude.json\`, \`.agents/\`, \`.cursor/\`, \`.cursor/mcp.json\`, \`.codex/\`, \`.codex/config.toml\`, \`.opencode/\`, \`.windsurf/\`, \`.roo/\`, \`.kilocode/\`, \`.augment/\`, \`.continue/\`, \`.crush/\`, \`.vscode/mcp.json\`), install **per project**; otherwise install **globally** for the detected agent.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-shared/src/helpers/init-prompt.ts` at line 11, The
install-scope detection logic in
packages/stack-shared/src/helpers/init-prompt.ts only checks for agent folders
and '.vscode/mcp.json', missing other project-scoped MCP config files; update
the detection code (the install scope check / detection function) to also look
for known project-scoped MCP config paths such as '.claude.json' and
'.cursor/mcp.json' (and any other project-specific MCP files you maintain) by
adding them to the list/array of projectScopedPaths or patterns and using the
same fs.existsSync/glob check used for the existing entries so projects with
those config files are detected as per-project installs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/mcp/src/mcp-handler.ts`:
- Around line 63-68: fetchSkill currently performs an unchecked fetch and can
throw on network errors or non-2xx responses; wrap the fetch in a try/catch,
check response.ok and handle non-200 statuses, log the error (e.g.,
console.error/processLogger) and return a safe fallback string (empty string or
a brief default skill marker) instead of rethrowing so callers of fetchSkill
(the resource and prompt handlers) won't crash the MCP server; update the
function fetchSkill to return the fallback on any error or non-ok response.

In `@apps/skills/package.json`:
- Around line 22-23: The `@types` packages for React are pinned to ^18.2.0 but the
project uses React 19.2.3; update the versions for "@types/react" and
"@types/react-dom" in apps/skills/package.json to match the installed React
version (e.g., ^19.2.3 or the exact 19.2.3) so type definitions align with
"react" and "react-dom", then reinstall dependencies (npm/yarn/pnpm install) and
rebuild to ensure TypeScript uses the updated types.
- Line 16: Update the Next.js dependency in package.json from "next": "16.1.7"
to "next": "16.2.6" to pick up the May 2026 security fixes; locate the "next"
entry in apps/skills package.json (the dependency key "next") and change its
version string to "16.2.6", then run your package manager install and test
startup/build to ensure compatibility.

In `@apps/skills/src/app/route.ts`:
- Around line 10-15: humanizeSegment can throw when a split produces empty
strings; update the logic in humanizeSegment to guard against empty segments
(from leading/trailing or consecutive hyphens) by either filtering out falsy
segments before mapping or handling w === "" inside the map. Specifically,
modify the chain around .split("-").map(...) so it ignores empty strings (e.g.,
.split("-").filter(Boolean).map(...)) or returns an empty string for empty w,
and keep the existing ACRONYMS check and capitalization behavior intact.
- Around line 447-449: The HEAD handler currently returns the full GET response
body; change export function HEAD(req: Request) so it invokes GET(req) to obtain
the same headers/status but returns an empty body: call GET(req) (or the
internal handler) to get the Response, then construct and return a new
Response(null, { status: response.status, headers: response.headers }) so
headers and status match GET while the body is empty; update references in
export function HEAD to use this pattern.
- Around line 399-416: The clipboard writeText call in the click handler
currently swallows all errors in catch (_e) — change it to catch the error as a
variable (e.g., catch (err)) and handle it explicitly: attempt the existing DOM
fallback (selectNode + execCommand) but detect if that fallback fails and then
surface the failure to the user and logs (e.g., set btn.textContent = "Copy
failed" or btn.setAttribute("data-state","error") and call console.error(err)),
and if appropriate rethrow or return a rejected Promise so the error is not
silently dropped; update references in the IIFE where btn,
navigator.clipboard.writeText, and the fallback DOM selection are used.

In `@skills/stack-auth/SKILL.md`:
- Around line 28-30: Add a language identifier to the fenced code block that
contains the URL "https://skill.stack-auth.com" so it renders with proper syntax
highlighting (e.g., change the fence to ```text or ```markdown). Locate the
markdown block in SKILL.md that currently shows the raw URL and update the
opening fence to include the chosen language identifier.

---

Duplicate comments:
In `@packages/stack-shared/src/helpers/init-prompt.ts`:
- Line 11: The install-scope detection logic in
packages/stack-shared/src/helpers/init-prompt.ts only checks for agent folders
and '.vscode/mcp.json', missing other project-scoped MCP config files; update
the detection code (the install scope check / detection function) to also look
for known project-scoped MCP config paths such as '.claude.json' and
'.cursor/mcp.json' (and any other project-specific MCP files you maintain) by
adding them to the list/array of projectScopedPaths or patterns and using the
same fs.existsSync/glob check used for the existing entries so projects with
those config files are detected as per-project installs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9ee24b49-ba09-44ee-b411-d56393fe8201

📥 Commits

Reviewing files that changed from the base of the PR and between cf7581d and fbae774.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (12)

• apps/mcp/src/mcp-handler.ts
• apps/skills/.eslintrc.cjs
• apps/skills/next.config.mjs
• apps/skills/package.json
• apps/skills/src/app/health/route.ts
• apps/skills/src/app/route.ts
• apps/skills/tsconfig.json
• docs-mintlify/docs.json
• docs-mintlify/guides/getting-started/ai-integration.mdx
• docs-mintlify/guides/other/mcp-setup.mdx
• packages/stack-shared/src/helpers/init-prompt.ts
• skills/stack-auth/SKILL.md

💤 Files with no reviewable changes (1)

• docs-mintlify/guides/other/mcp-setup.mdx

✅ Files skipped from review due to trivial changes (5)

• apps/skills/tsconfig.json
• apps/skills/.eslintrc.cjs
• apps/skills/next.config.mjs
• docs-mintlify/guides/getting-started/ai-integration.mdx
• docs-mintlify/docs.json