feat(hexclave): PR 2 — visible rebrand (Hexclave brand goes public)

.agents/skills/pr-visual-writeup/references/capture-patterns.md

@@ -108,7 +108,7 @@ Return contract:
 
 Why the two-consecutive-stable-reads check: a single `ready` flicker can land between a skeleton disappearing and the real content swapping in. Two consecutive 250ms ticks with identical body HTML length means the DOM has actually settled.
 
-Tune the skeleton selector list for your codebase. The Stack Auth dashboard uses Tailwind `.animate-pulse` extensively for loading rows — that's the highest-signal one. Inspect the diff or the running app once and add any project-specific loading markers (`Spinner` component class, etc.) to the selector list in the subagent prompt rather than guessing.
+Tune the skeleton selector list for your codebase. The Hexclave dashboard uses Tailwind `.animate-pulse` extensively for loading rows — that's the highest-signal one. Inspect the diff or the running app once and add any project-specific loading markers (`Spinner` component class, etc.) to the selector list in the subagent prompt rather than guessing.
 
 After `wait-for-ready` returns `ok`, still sleep ~300ms before screenshotting so any final animations (slide-in, fade, etc.) land on their resting frame.
 

.agents/skills/pr-visual-writeup/scripts/detect_dev_server.sh

@@ -4,8 +4,8 @@
 #
 # Output (one per line):  <port>\t<title>\t<url>
 # Example:
-#   8101    Stack Auth Dashboard    http://localhost:8101
-#   8102    Stack Auth API          http://localhost:8102
+#   8101    Hexclave Dashboard    http://localhost:8101
+#   8102    Hexclave API          http://localhost:8102
 #
 # Use the output to pick the right port for screenshotting. A common convention
 # is that the "dashboard" / "app" is the one you want; the API/docs/OAuth servers

.devcontainer/README.md

@@ -1,6 +1,6 @@
-# Stack Auth Development Container
+# Hexclave Development Container
 
-This development container provides a standardized development environment for working on Stack Auth.
+This development container provides a standardized development environment for working on Hexclave.
 
 ## Getting Started
 

.devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-  "name": "Stack Auth Development",
+  "name": "Hexclave Development",
   "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
   "features": {
     "ghcr.io/devcontainers/features/node:1": {

.github/SECURITY.md

@@ -2,14 +2,14 @@
 
 ## Supported Versions
 
-Only the latest versions of Stack Auth's server and client packages are supported. We do not provide security updates for older versions.
+Only the latest versions of Hexclave's server and client packages are supported. We do not provide security updates for older versions.
 
-If you would like to get security consulting regarding older versions of on-prem or self-hosted deployments of Stack Auth, please [contact us](mailto:team@stack-auth.com).
+If you would like to get security consulting regarding older versions of on-prem or self-hosted deployments of Hexclave, please [contact us](mailto:team@hexclave.com).
 
 ## Reporting a Vulnerability
 
-Stack Auth practices [responsible disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). This helps us protect our users, but requires your cooperation.
+Hexclave practices [responsible disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). This helps us protect our users, but requires your cooperation.
 
-Please disclose security vulnerabilities responsibly by emailing us at security@stack-auth.com. In this case, we will get back to you within 96 hours, and aim to get a fix released as soon as possible. We will disclose the issue publicly after at most 90 days.
+Please disclose security vulnerabilities responsibly by emailing us at security@hexclave.com. In this case, we will get back to you within 96 hours, and aim to get a fix released as soon as possible. We will disclose the issue publicly after at most 90 days.
 
 Hence, we ask you not to publicize issues until the 90 days deadline is over. Also, please do not create GitHub issues with security vulnerabilities; instead, email us directly at the address above.

.github/pull_request_template.md

@@ -1,5 +1,5 @@
 <!--
 
-Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/hexclave/stack-auth/blob/dev/CONTRIBUTING.md
+Make sure you've read the CONTRIBUTING.md guidelines: https://github.com/hexclave/hexclave/blob/dev/CONTRIBUTING.md
 
 -->

.github/workflows/npm-publish.yaml

@@ -88,3 +88,29 @@ jobs:
 
           git commit -m "chore: update package versions"
           git push origin dev
+
+      # Hexclave rebrand mirror publish (Tier 2). Each publishable `@stackframe/*`
+      # package is re-published as `@hexclave/*` with all cross-deps pinned to one
+      # shared `@hexclave` version. Built artifacts (`dist/`) are also rewritten by
+      # the script so cross-package require()/import specifiers + the build-time
+      # package-version sentinel point at `@hexclave/*` instead of `@stackframe/*`.
+      #
+      # Hardcoded to 1.0.0 — `pnpm publish` skips versions already on npm, so
+      # after the first successful run on main this becomes a no-op. PR 3 in
+      # the rebrand sequence renames the source packages natively to
+      # `@hexclave/*` and deletes this entire mirror flow; until then, 1.0.0
+      # is the one-shot cutover version.
+      #
+      # Runs AFTER `Update package versions on dev` because that step asserts a
+      # clean working tree (`git diff --exit-code HEAD`); the rewrite below
+      # mutates package.json files in-place and would trip that assertion.
+      - name: Checkout main for Hexclave mirror rewrite
+        run: git checkout main
+
+      - name: Rewrite package names to @hexclave/*
+        run: pnpm tsx scripts/rewrite-packages-to-hexclave.ts --version=1.0.0
+
+      - name: Publish @hexclave/* mirror packages
+        run: pnpm publish -r --no-git-checks --access public
+        env:
+          NPM_CONFIG_PROVENANCE: true

AGENTS.md

@@ -31,7 +31,7 @@ You should ALWAYS add new E2E tests when you change the API or SDK interface. Ge
 
 ## Architecture Overview
 
-Stack Auth is a monorepo using Turbo for build orchestration. The main components are:
+Hexclave is a monorepo using Turbo for build orchestration. The main components are:
 
 ### Apps (`/apps`)
 - **backend** (`/apps/backend`): Next.js API backend running on port `${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}02` (defaults to 8102)
@@ -82,7 +82,7 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - Whenever you make backwards-incompatible changes to the config schema, you must update the migration functions in `packages/stack-shared/src/config/schema.ts`!
 - NEVER try-catch-all, NEVER void a promise, and NEVER .catch(console.error) (or similar). In most cases you don't actually need to be asynchronous, especially when UI is involved (instead, use a loading indicator! eg. our <Button> component already takes an async callback for onClick and sets its loading state accordingly — if whatever component doesn't do that, update the component instead). If you really do need things to be asynchronous, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead as it deals with error logging.
 - WHENEVER you create hover transitions, avoid hover-enter transitions, and just use hover-exit transitions. For example, `transition-colors hover:transition-none`.
-- Any environment variables you create should be prefixed with `STACK_` (or NEXT_PUBLIC_STACK_ if they are public). This ensures that their changes are picked up by Turborepo (and helps readability).
+- Any environment variables you create should be prefixed with `HEXCLAVE_` (or `NEXT_PUBLIC_HEXCLAVE_` if they are public) for new customer-facing or framework-internal vars. This ensures that their changes are picked up by Turborepo (and helps readability). Self-host operator vars (e.g. `STACK_DATABASE_CONNECTION_STRING`) and build/dev/test vars (e.g. `NEXT_PUBLIC_STACK_API_URL` in dev fixtures) stay `STACK_`-prefixed for now — the dual-read shim accepts both. The Hexclave SDK reads both prefixes; new names take precedence when both are set.
 - NEVER just silently use fallback values or whatever when you don't know how to fix type errors. If there is a state that should never happen because of higher-level logic, and the type system doesn't represent that, either update the types or throw an error. Stuff like `?? 0` or `?? ""` is often code smell when `?? throwErr("this should never happen because XYZ")` would be better.
 - Code defensively. Prefer `?? throwErr(...)` over non-null assertions, with good error messages explicitly stating the assumption that must've been violated for the error to be thrown.
 - Try to avoid the `any` type. Whenever you need to use `any`, leave a comment explaining why you're using it (optimally it explains why the type system fails here, and how you can be certain that any errors in that code path would still be flagged at compile-, test-, or runtime).
@@ -92,7 +92,7 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - IMPORTANT: Any assumption you make should either be validated through type system (preferred), assertions, or tests. Optimally, two out of three.
 - If there is an external browser tool connected, use it to test changes you make to the frontend when possible.
 - Whenever you update an SDK implementation in `sdks/implementations`, make sure to update the specs accordingly in `sdks/specs` such that if you reimplemented the entire SDK from the specs again, you would get the same implementation. (For example, if the specs are not precise enough to describe a change you made, make the specs more precise.)
-- When building internal tools for Stack Auth developers (eg. internal interfaces like the WAL info log etc.): Make the interfaces look very concise, assume the user is a pro-user. This only applies to internal tools that are used primarily by Stack Auth developers.
+- When building internal tools for Hexclave developers (eg. internal interfaces like the WAL info log etc.): Make the interfaces look very concise, assume the user is a pro-user. This only applies to internal tools that are used primarily by Hexclave developers.
 - The dev server already builds the packages in the background whenever you update a file. If you run into issues with typechecking or linting in a dependency after updating something in a package, just wait a few seconds, and then try again, and they will likely be resolved.
 - When asked to review PR comments, you can use `gh pr status` to get the current pull request you're working on.
 - NEVER EVER AUTOMATICALLY COMMIT OR STAGE ANY CHANGES — DON'T MODIFY GIT WITHOUT USER CONSENT! if its already staged and you didnt do it then dont unstage it.

CHANGELOG.md

@@ -1,4 +1,4 @@
-# Stack Auth Changelog
+# Hexclave Changelog
 
 ---
 

CLAUDE.md

@@ -1,4 +1,4 @@
-# Stack Auth
+# Hexclave
 
 ## Commands
 - **Lint**: `pnpm lint`

CONTRIBUTING.md

@@ -1,6 +1,6 @@
-# Contributing to Stack Auth
+# Contributing to Hexclave
 
-Welcome to Stack Auth!
+Welcome to Hexclave!
 
 Due to the nature of authentication, this may not be the easiest project to contribute to, so if you are looking for projects to help gain programming experience, we may not be a great match. If you're looking for projects for beginners, check out [Awesome First PR Opportunities](https://github.com/MunGell/awesome-for-beginners).
 
@@ -19,18 +19,18 @@ Due to the nature of authentication, this may not be the easiest project to cont
 
 ## How to contribute
 
-If you think Stack Auth is a good fit for you, follow these steps:
+If you think Hexclave is a good fit for you, follow these steps:
 
-1. Join [our Discord](https://discord.stack-auth.com)
-2. [Use Stack Auth](https://docs.stack-auth.com/). The best way to understand the project is to use it. Build an application on top of Stack Auth, and post it on GitHub or write a blog post about how you built it. This also lets us assess your skills and understand where you could best help the project.
+1. Join [our Discord](https://discord.hexclave.com)
+2. [Use Hexclave](https://docs.hexclave.com/). The best way to understand the project is to use it. Build an application on top of Hexclave, and post it on GitHub or write a blog post about how you built it. This also lets us assess your skills and understand where you could best help the project.
 3. Give us feedback on Discord or GitHub; let us know where you got stuck, and which things you wish were easier. (We appreciate contributions most when they solve problems the authors encountered themselves in real usage.)
-4. Contribute to the [documentation](https://docs.stack-auth.com) and create examples & guides. This way, you can share your knowledge and expertise with everyone else who's just getting started.
+4. Contribute to the [documentation](https://docs.hexclave.com) and create examples & guides. This way, you can share your knowledge and expertise with everyone else who's just getting started.
 5. Only then, start [contributing to the codebase](README.md#-development--contribution). Coordinate with us on Discord beforehand to ensure we are not working on the same thing already, and to make sure a task is not more difficult than it seems.
 
 
 ## Security & bug bounties
 
-For any security-related concerns & bug bounties, please email us at [security@stack-auth.com](mailto:security@stack-auth.com).
+For any security-related concerns & bug bounties, please email us at [security@hexclave.com](mailto:security@hexclave.com).
 
 ## Vibecoding setup
 
@@ -47,7 +47,7 @@ For vibecoding, it can help to have multiple parallel copies of the codebase ope
   eval "$(/path/to/direnv hook <bash|zsh>)"
   eval "$(/path/to/direnv export <bash|zsh>)"
   ```
-3. Now, create a `.envrc` file in the root of Stack Auth's codebase with the following content:
+3. Now, create a `.envrc` file in the root of Hexclave's codebase with the following content:
   ```sh
   # .envrc
   # make sure to install direnv and add it to your shell rc file (e.g. ~/.bashrc or ~/.zshrc)

LICENSE

@@ -2,4 +2,4 @@ Stack is licensed per-package, and 100% open-source.
 
 Generally speaking, client code and examples are licensed under an open-source MIT license, while server components are licensed under an open-source AGPLv3 license. Please refer to each package's `LICENSE` files for more information.
 
-We also have enterprise licenses available, if you prefer; please contact [enterprise@stack-auth.com](mailto:enterprise@stack-auth.com).
+We also have enterprise licenses available, if you prefer; please contact [enterprise@hexclave.com](mailto:enterprise@hexclave.com).