feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public)

[BilalG1]

Summary

Stacked on #1475 (cl/hexclave-pr1, the invisible compatibility layer). Diff vs that base = the actual PR 2 code.

This is PR 2 of the Stack Auth → Hexclave rebrand: the visible flip. Old wire identifiers (cookies, request/response headers, Bearer prefix, JWT issuers, MCP tool name) keep working indefinitely via PR 1's dual-accept. This PR flips every user-visible surface — package names taught in docs, SDK class names in code examples, dashboard setup snippets, page titles, error messages, email content, CLI binary, default base URLs, GitHub repo slug, contributor guidance — to the Hexclave brand.

See RENAME-TO-HEXCLAVE.md → "PR 2: Rebrand to Hexclave (visible)" for the full per-work-area spec.

What's implemented (per the plan's PR 2 scope)

• SDK base URLs flipped: defaultBaseUrl and defaultAnalyticsBaseUrl in common.ts → https://api.hexclave.com / https://r.hexclave.com. PR 1's getHardcodedFallbackUrls table now keys on the Hexclave domain.

• Domain inventory sweep (16 subdomains from the plan): every api/app/docs/discord/demo/mcp/skill/feedback/test/preview/r/api2/api.staging/idp-jwk-audience/built-with.stack-auth.com reference in production code, docs-mintlify, examples, READMEs, and contributor guidance flipped to *.hexclave.com. Carve-outs: PR 1's intentional JWT issuer dual-accept table in tokens.tsx, the legacy ./docs/ folder, the unified-docs-widget allowlist (deliberately accepts both during DNS transition), and url-targets.ts hosted-component default (baked into existing customer deploys).

• @deprecated JSDoc on every Stack* public export (packages/template/src/lib/stack-app/index.ts + packages/template/src/index.ts) — StackClientApp, StackServerApp, StackAdminApp + every constructor/options/JSON type, StackHandler, StackProvider, StackTheme, useStackApp, defineStackConfig, StackConfig. Hexclave* aliases are now canonical.

• Runtime console.warn (packages/template/src/internal/deprecation-warning.ts) — once-per-process when the SDK is loaded from a @stackframe/* artifact. Detection uses the existing STACK_COMPILE_TIME_CLIENT_PACKAGE_VERSION_SENTINEL (rewritten at build time to e.g. js @stackframe/stack@2.8.92 or js @hexclave/next@1.0.0); @hexclave/* mirror artifacts short-circuit the warning.

• Tier 3 data migration: new idempotent SQL migration 20260523000000_rename_internal_project_to_hexclave — updates the internal Project displayName 'Stack Dashboard' → 'Hexclave Dashboard' and description only if both still hold the pre-rebrand defaults. Operator-renamed projects untouched, missing row no-ops, re-runs are no-ops. seed.ts default flipped. getSharedEmailConfig("Stack Auth") → ("Hexclave").

• Tier 4 brand strings (mechanical sweep, ~340 files):

  • Page + OpenAPI titles (Hexclave API / Dashboard / REST API / Webhooks API / Documentation). OpenAPI info.description documents X-Hexclave-* headers as canonical with compat note on X-Stack-*.
  • HexclaveAssertionError message text (errors.tsx:71) — "an error in Stack." → "an error in Hexclave."
  • Known-error message templates (known-errors.tsx) flipped to lead with x-hexclave-* + the new docs.hexclave.com URL; legacy x-stack-* mentioned as compat aliases. 25 e2e test files updated in lockstep.
  • Email content: failed-emails-digest body, sendTestEmail recipient (now sent-with-hexclave.com), test-email-recipient default.
  • CHANGELOG.md title → "Hexclave Changelog".
  • AGENTS.md env var convention: new vars prefix HEXCLAVE_ / NEXT_PUBLIC_HEXCLAVE_ for Category A/B; legacy STACK_* explicitly noted as accepted via PR 1's dual-read.

• CLI / init wizard:

  • Every dashboard setup snippet, init-stack template, and docs-mintlify page teaches npx @hexclave/cli@latest init (was @stackframe/stack-cli). setup-page.tsx + link-existing-onboarding.
  • init-stack STACK_*_INSTALL_PACKAGE_NAME_OVERRIDE defaults flipped to @hexclave/*.
  • Generated stack/client.ts / stack/server.ts import from @hexclave/next and reference HexclaveClientApp / HexclaveServerApp.
  • Internal StackAuthKeys dashboard component renamed to HexclaveKeys.

• docs-mintlify rewrite (legacy ./docs/ intentionally untouched per scoping decision):

  • 78 MDX files swept. @stackframe/{react,stack,js,tanstack-start,...} → @hexclave/{react,stack,js,...} in install snippets and code blocks; Stack* SDK class names → Hexclave* in all code examples; 'Stack Auth' brand phrase → 'Hexclave'.
  • openapi/{server,admin,client,webhooks}.json titles → 'Hexclave REST API' / 'Hexclave Webhooks API'.

• Generators flipped before regeneration:

  • packages/stack-shared/src/helpers/init-prompt.ts, /ai/prompts.ts, apps/backend/src/lib/ai/prompts.ts, apps/backend/src/lib/ai/tools/create-email-{template,draft}.ts, apps/skills/src/app/route.ts (taught MCP tool → ask_hexclave with compat note; CLI binary teach → hexclave), docs-mintlify/snippets/home-prompt-island.jsx, packages/template/README.md + integrations/convex/component/README.md.
  • generate-sdks propagated changes to packages/{react,stack,js}.

• OpenAPI dual-documentation: apps/backend/src/app/api/latest/route.ts now lists X-Hexclave-* headers as primary documented schemas with X-Stack-* duplicates marked .optional() (both accepted at runtime by PR 1's normalize-at-proxy shim).

• @stackframe/emails virtual module: dual-aliased to @hexclave/emails at the bundler boundary (email-rendering.tsx:89). Stored email templates continue to import from either name; new AI-generated templates and the system prompt teach @hexclave/emails.

• Tier 2 mirror-publish wiring (new this PR, lays the groundwork for @hexclave/* first publish):

  • scripts/rewrite-packages-to-hexclave.ts — rewrites 9 publishable @stackframe/* → @hexclave/* package.json files (reads HEXCLAVE_VERSION env or --version= flag), pins cross-deps to the shared @hexclave version, registers hexclave bin alongside stack for @hexclave/cli.
  • .github/workflows/npm-publish.yaml appended with rewrite-then-republish step. pnpm publish skips already-on-npm versions so reruns are safe.

• Sender email domain: noreply@stackframe.co → noreply@sent-with-hexclave.com (the dedicated transactional-sender domain split per the plan, to isolate bulk deliverability from hexclave.com reputation); security@ / team@stack-auth.com inbound mailboxes → @hexclave.com.

• Self-host docs: docker network / container names in the bash examples flipped from stack-auth to hexclave (hexclave-postgres, hexclave-clickhouse, hexclave.env). The docker image tag stackauth/server:latest stays per the plan's locked decision.

• GitHub repo slug: hexclave/stack-auth → hexclave/hexclave in every package.json repository field, README link, CHANGELOG raw-asset URL.

Carve-outs (deliberately untouched)

• apps/backend/src/lib/tokens.tsx JWT issuer dual-accept table — PR 1 intentional infrastructure, kept indefinitely.
• Legacy ./docs/ folder — per scoping decision (only docs-mintlify/ rewritten).
• unified-docs-widget hostname allowlist — accepts both .hexclave.com (canonical) and .stack-auth.com (transition window) for DNS rollout.
• url-targets.ts hosted-domain default .built-with-stack-auth.com — wire identifier baked into existing customer deploys; indefinite read-fallback.
• Binary visual assets (logos, favicons, OG images, README screenshots) — out of scope for this PR. Need design work; tracked separately.

Verification

• pnpm typecheck on packages/{template,stack-shared,react,stack,js} + apps/dashboard: all green. The remaining backend / e-commerce-demo typecheck errors are pre-existing (Prisma codegen output + ./generated/api-versions.json not present in fresh worktrees without pnpm run codegen-prisma + a live DB) and unrelated to this diff.
• pnpm lint on the same 6 packages: all green.
• Final grep for residual Stack Auth / stack-auth.com / @stackframe/stack-cli@latest references: zero outside the intentional carve-outs above.
• 25 e2e test files updated in lockstep with the known-error message changes (asserted strings flipped to match the new x-hexclave-* + compat-note messages).

Deploy blockers (ops sequencing before this rebrand goes live)

This PR is code-complete, but the rebrand's visible surfaces (SDK default URLs, dashboard links, npm READMEs, REST error messages, runtime deprecation warning) all point at *.hexclave.com / @hexclave/* resources that don't exist yet. None of these are fixable from a PR — they're ops/registrar/npm work that has to be sequenced before merging this to a release tag.

Suggested ordering, hardest blockers first:

Tier 1 — required before customer-facing deploy (everything below this line will visibly break customers on day 1 if skipped)

1. DNS + TLS for api.hexclave.com + api1./api2.hexclave.com → must point at the same backend that serves api.stack-auth.com (or a backend that mirrors PR 1's dual-accept). The SDK's new defaultBaseUrl is https://api.hexclave.com; every customer that relied on the old default and upgrades to a post-PR2 SDK build sends API requests here. Until this resolves, every default-config customer's API call NXDOMAINs.
2. DNS for app.hexclave.com → the dashboard. Referenced in the SDK's default-error messages ("Please create a project on the Hexclave dashboard at https://app.hexclave.com"), the init-stack flow's wizard-congrats redirect, and the OAuth dashboard handoff.
3. DNS for docs.hexclave.com + Mintlify deploy → the SDK runtime deprecation warning (https://docs.hexclave.com/migration), every README, every "Learn more" link in the dashboard, and every REST API error body (/api/overview#authentication) points here. The MDX is in this PR; the docs build target needs DNS.
4. DNS for mcp.hexclave.com → the MCP server endpoint that every taught agent integration (claude mcp add ..., cursor, codex, vscode) registers. Until this resolves, every npx @hexclave/cli@latest init MCP-registration step fails.
5. Reserve the @hexclave npm scope + set repo variable HEXCLAVE_VERSION → the mirror-publish step in .github/workflows/npm-publish.yaml is gated on this variable. Without it, the entire taught onboarding command npx @hexclave/cli@latest init 404s from the npm registry, and every README that says "install @hexclave/next" leads to install failure. Pick the initial version intentionally (1.0.0 or aligned to @stackframe/stack); don't accept a silent default.

Tier 2 — required before announcing the rebrand publicly (lookalike or low-traffic surfaces, but visibly broken)

6. DNS for r.hexclave.com → the analytics beacon defaultAnalyticsBaseUrl. Silent failure if missing (analytics drops), but should land alongside Tier 1.
7. Register sent-with-hexclave.com + full email auth (SPF / DKIM / DMARC) → the new default sender domain for shared-sender transactional emails. Without it the dashboard "send test email" path emits bounces, and shared-sender flows (getSharedEmailConfig("Hexclave")) deliver to spam at best.
8. MX + SPF / DMARC for hexclave.com → team@hexclave.com and security@hexclave.com mailboxes. The security disclosure mailbox is referenced in .github/SECURITY.md; team@hexclave.com is the actual recipient of internal feedback emails sent at runtime by apps/backend/src/lib/internal-feedback-emails.tsx. Today, every runtime feedback email bounces.
9. DNS for skill.hexclave.com → the canonical AI-agent skill fetch URL (the agent bootstrap pivot). Without it, the entire "agent downloads SKILL.md from a known URL" flow taught in packages/stack-shared/src/helpers/init-prompt.ts fails.
10. Create github.com/hexclave/hexclave as a public repo (even as a redirect to hexclave/stack-auth) OR rewrite every package.json "repository" field + dashboard footer "view on GitHub" link to point at hexclave/stack-auth (which already exists). Currently every npm package page's "Repository" link is dead, and the dashboard's GitHub button + dev-tool repo link are dead.

Tier 3 — broken but low-visibility / low-traffic

11. DNS for discord.hexclave.com → Discord invite redirect, used in every README's chip and the dashboard footer.
12. DNS for demo.hexclave.com → "✨ Demo" badge in every npm package README. Broken-image badge on the package page.
13. DNS + TLS for built-with-hexclave.com → optional hosted-handler domain (the default reverted to .built-with-stack-auth.com in this PR's carve-outs, so this only matters for projects that manually flip).

Other follow-ups (not deploy-blocking)

• E2E snapshot regen across the full suite for the dual-emitted x-hexclave-* response headers (PR 1 follow-up; vitest -u in CI absorbs).
• Binary visual assets — logos, favicons, OG images, README screenshots; need design pass.
• Backend OpenAPI fumadocs regen in CI flow — the JSON files in docs-mintlify/openapi/ are committed but regen runs in CI. Verify the workflow that does this still works against the post-PR2 source.
• Backend typecheck infra debt — needs codegen-prisma + codegen-route-info to clear; pre-existing, unaffected by this PR.

Test plan

• CI runs full e2e suite (with vitest -u to absorb residual snapshot deltas, then committed back).
• Spot-check: new @hexclave/cli init (once published) generates hexclave.config.ts and works against a fresh project.
• Spot-check: existing customer with @stackframe/stack import sees the once-per-process console.warn recommending @hexclave/next on SDK init.
• Manual: dashboard setup page renders the npx @hexclave/cli@latest init snippet and the x-hexclave-publishable-client-key API header in the curl example.
• Manual: a fresh pnpm run prisma migrate against a clean DB sets the internal project displayName to 'Hexclave Dashboard'.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-auth-mcp	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-auth-skills	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-backend	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-dashboard	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-demo	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-docs	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-preview-backend	Ready	Preview, Comment	May 23, 2026 10:51pm
stack-preview-dashboard	Ready	Preview, Comment	May 23, 2026 10:51pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 62360919-6cd7-44c3-ab1b-71e91cb5f847

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cl/romantic-mendel-5a2c25

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[vercel]

Additional Suggestion:

X-Hexclave-* request headers are not converted to X-Stack-* headers because proxy middleware was not configured

[cubic-dev-ai]

2 issues found across 371 files

<sub>Partial review: This PR has more than 50 files, so cubic reviewed the highest-priority files first. During the trial, paid plans get a higher file limit.
You can try an ultrareview to bypass the file limit, comment @cubic-dev-ai ultrareview. Learn more.

Fix all with cubic | Re-trigger cubic</sub>

[greptile-apps]

Greptile Summary

This PR performs the visible half of the Stack Auth → Hexclave rebrand across ~371 files: flipping SDK default base URLs, package names, page titles, error messages, email content, CLI snippets, docs, and OpenAPI specs to the Hexclave brand while keeping all pre-rebrand wire identifiers working via PR 1's compatibility layer.

• SDK & URLs: defaultBaseUrl/defaultAnalyticsBaseUrl in common.ts now point to api.hexclave.com/r.hexclave.com; getHardcodedFallbackUrls gains matching Hexclave entries; @deprecated JSDoc added to every Stack* public export with Hexclave* as canonical.
• Deprecation warning: New deprecation-warning.ts emits a once-per-process console.warn when the SDK loads from a @stackframe/* artifact, using the build-time version sentinel for detection and Symbol.for dedup to avoid console spam.
• Mirror publish pipeline: New scripts/rewrite-packages-to-hexclave.ts rewrites 9 package.json files and their dist/ artifacts in-place; the vars.HEXCLAVE_VERSION || '1.0.0' fallback in the workflow will silently default to version 1.0.0 if the repository variable is not configured before a push lands on main.

Confidence Score: 3/5

The brand-string sweep and compatibility wiring are well-executed, but the CI publish pipeline has a fallback that could permanently publish 9 npm packages with the wrong version on any main push before the repository variable is configured.

The bulk of the change is mechanical text replacement with no logic impact. The migration is idempotent, the deprecation warning is safely isolated, and the email dual-alias is correct. The one concrete risk is in the new CI step: vars.HEXCLAVE_VERSION || '1.0.0' will use 1.0.0 silently when the variable is absent, and the downstream pnpm publish fires on every main push — npm publishes are permanent and cannot be fully retracted.

.github/workflows/npm-publish.yaml — the HEXCLAVE_VERSION fallback needs to be removed or replaced with an explicit failure step to prevent an accidental publish with the wrong version.

Important Files Changed

Filename	Overview
.github/workflows/npm-publish.yaml	Appends Hexclave mirror-publish steps; the `vars.HEXCLAVE_VERSION
scripts/rewrite-packages-to-hexclave.ts	New script that rewrites 9 @stackframe/* package.json files and their dist artifacts to @hexclave/*; logic is sound but the .map sourcemap extension is included in the rewrite sweep unnecessarily.
apps/backend/prisma/migrations/20260523000000_rename_internal_project_to_hexclave/migration.sql	Idempotent UPDATE that renames the internal project display name to 'Hexclave Dashboard' only when both fields still hold the pre-rebrand defaults; clean and safe.
packages/template/src/internal/deprecation-warning.ts	New file: once-per-process console.warn triggered when SDK is loaded from a @stackframe/* artifact; uses Symbol.for dedup and a try/catch for sandbox-safe execution.
packages/template/src/lib/stack-app/apps/implementations/common.ts	Flips defaultBaseUrl/defaultAnalyticsBaseUrl to hexclave.com endpoints and updates user-facing error messages; backward compat env var names (STACK_*) intentionally retained.
packages/stack-shared/src/utils/urls.tsx	Prepends hexclave.com fallback URL entries ahead of the existing stack-auth.com entries in getHardcodedFallbackUrls; backward compat block for legacy stack-auth.com base URLs is preserved.
apps/backend/src/lib/email-rendering.tsx	Dual-aliases @hexclave/emails alongside @stackframe/emails in the bundler's externalPackages map so stored templates using either import name continue to render.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to main] --> B[Build @stackframe/* packages]
    B --> C[pnpm publish -r\n@stackframe/* to npm]
    C --> D[rewrite-packages-to-hexclave.ts\n--version=HEXCLAVE_VERSION or 1.0.0]
    D --> E{vars.HEXCLAVE_VERSION set?}
    E -->|Yes| F[Rename 9 package.json files\nto @hexclave/*\nRewrite dist/ artifacts]
    E -->|No| G[Falls back to 1.0.0\nsilent accidental publish]
    F --> H[pnpm publish -r\n@hexclave/* to npm]
    G --> H

    subgraph SDK Load
        I[User imports @stackframe/stack] --> J[deprecation-warning.ts fires]
        J --> K{clientVersion starts with js @stackframe/?}
        K -->|Yes| L[console.warn once per process]
        K -->|No| M[No-op - already @hexclave/*]
    end

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
.github/workflows/npm-publish.yaml:56
**Silent publish with wrong version if `HEXCLAVE_VERSION` is unset**

When `vars.HEXCLAVE_VERSION` is not configured in the repository, this expression evaluates to the literal string `'1.0.0'` (GitHub Actions `||` treats an unset `vars.*` as `''`). The `--version=1.0.0` argument passes the regex guard in `getHexclaveVersion()`, so the script happily rewrites all 9 packages and then the next step publishes them as `@hexclave/*@1.0.0` to the public npm registry — a release that cannot be undone. This workflow triggers on every push to `main`, so if the repository variable isn't set before the branch lands, the accidental publish fires automatically.

### Issue 2 of 2
scripts/rewrite-packages-to-hexclave.ts:161
**Sourcemap files should be excluded from text replacement**

The pattern includes `.map` files (source maps). Sourcemaps are JSON blobs that embed original source file paths and, when `sourcesContent` is set, the full source text. A blanket `@stackframe/` → `@hexclave/` replacement inside source maps will corrupt the embedded file paths and source snippets, making the maps unusable for debugging production errors. The package-name references that actually need rewriting are in the `.js`/`.cjs` compiled output, not the maps.

```suggestion
      if (!/\.(?:m?js|cjs|d\.m?ts|d\.cts|json|html|txt|md)$/.test(entry.name)) continue;
```

_{Reviews (1): Last reviewed commit: "chore(hexclave): regen openapi fumadocs ..." | Re-trigger Greptile}