feat(hexclave): PR 3 — native @hexclave/* source rename + delete dual-publish wiring

[BilalG1]

Summary

Stacked on #1481 (cl/romantic-mendel-5a2c25, PR 2's visible rebrand). Diff vs that base = ~1000 files of mechanical source rename + deletion of the dual-publish indirection.

This is PR 3 of the Stack Auth → Hexclave rebrand: native source rename. PR 2 added the rewrite-at-publish-time mechanism that re-published every @stackframe/* artifact as a @hexclave/* mirror on each push to main. PR 3 makes Hexclave the canonical source identity — every publishable package is renamed in source, scripts/rewrite-packages-to-hexclave.ts is deleted, the workflow's mirror-publish block is gone, and the deprecation-warning runtime is removed (no @stackframe/* artifact is ever built from source again).

Cutover ordering

PR 3 is intentionally landed after the first publish triggered by PR 2's mirror flow:

1. PR 2 merges → first push to main publishes @stackframe/*@<bumped> (carrying the deprecation warning) AND @hexclave/*@1.0.0 (the one-shot mirror, version hardcoded in PR 2's workflow).
2. PR 3 merges → the existing Update package versions on dev pre-merge bump moves source from 1.0.0 → 1.0.1, so the first push to main after this lands publishes @hexclave/*@1.0.1 natively (no collision with PR 2's @hexclave/*@1.0.0).
3. From then on, @stackframe/* is frozen at its final warning version on npm; only @hexclave/* is published.

What's implemented (per the plan's PR 3 scope)

Package renames

The 9 publishable packages, native source rename:

Old name	New name
@stackframe/react	@hexclave/react
@stackframe/stack	@hexclave/next
@stackframe/js	@hexclave/js
@stackframe/stack-shared	@hexclave/shared
@stackframe/stack-ui	@hexclave/ui
@stackframe/stack-sc	@hexclave/sc
@stackframe/stack-cli	@hexclave/cli
@stackframe/tanstack-start	@hexclave/tanstack-start
@stackframe/dashboard-ui-components	@hexclave/dashboard-ui-components

Internal monorepo packages (backend, dashboard, mcp, skills, e2e-tests, swift-sdk, all examples, the monorepo root, etc.) also renamed to @hexclave/* for brand consistency. All private, never published — cost is purely mechanical, payoff is no stray @stackframe/* names left in apps/, examples/, sdks/.

Deleted

• scripts/rewrite-packages-to-hexclave.ts (~200 lines) — no longer needed; source packages publish natively.
• packages/template/src/internal/deprecation-warning.ts + its import sites in packages/template/src/index.ts and generated SDKs (~60 lines) — no @stackframe/* artifact is ever built from source again, so the runtime warning has nothing to detect.
• The mirror-publish block in .github/workflows/npm-publish.yaml (~30 lines): Checkout main for Hexclave mirror rewrite, Rewrite package names to @hexclave/*, Publish @hexclave/* mirror packages. The remaining Publish packages step publishes @hexclave/* natively.
• The auto-bump's changeset target flipped from "@stackframe/stack": patch to "@hexclave/next": patch.

Versions reset to 1.0.0

Every renamed publishable package + the kept-name @stackframe/template + @stackframe/init-stack reset to 1.0.0. The existing Update package versions on dev pre-merge bump moves them to 1.0.1 on first run — that's the first natively-published Hexclave version, sequenced after PR 2's mirror-published 1.0.0.

Carve-outs (deliberately kept under their legacy names)

• @stackframe/emails — virtual module imported by customer-stored email templates. The renderer at apps/backend/src/lib/email-rendering.tsx:89 dual-aliases both @stackframe/emails and @hexclave/emails to the same backing module — old stored templates keep rendering indefinitely. ~47 references in e2e test fixtures (embedded TSX-as-string) preserved as-is.
• @stackframe/template — internal codegen source in packages/template/. Never published. Per docs-mintlify/migration.mdx, "internal packages keep names."
• @stackframe/init-stack — deprecated; now private: true in packages/init-stack/package.json so the workspace stops publishing it. The last @stackframe/init-stack@<last> on npm continues to serve any stale npx @stackframe/init-stack@latest calls.

Backward-compat detection (so projects pinned to the last legacy release keep working)

• packages/stack-shared/src/config-rendering.ts — CONFIG_IMPORT_PACKAGES table lists @hexclave/* first (canonical, wins on tie) then @stackframe/* legacy. Function renamed detectStackframeImportPackage → detectConfigImportPackage. Vitest cases cover priority ordering, hexclave-preferred, legacy-only fallback.
• apps/dashboard/src/lib/github-config-push.ts — detectImportPackage regex matches both scopes, hexclave preferred. Test coverage for both branches in github-config-push.test.ts.
• packages/init-stack/src/index.ts — bidirectional includes("@stackframe/") && includes("@hexclave/") checks preserved; correctly detect when neither scope is present so the wizard can scaffold fresh files.

Hexclave CLI bin alias

packages/stack-cli/package.json declares both hexclave and stack bins natively in source. PR 2's rewrite script added this at publish time; PR 3 bakes it in.

Legacy docs/ folder excluded from workspace

docs/ is the legacy fumadocs site, no longer maintained — replaced by docs-mintlify/. Dropped from pnpm-workspace.yaml so it no longer gates install / typecheck / lint. Folder kept on disk for migration reference. Root scripts that filtered @hexclave/docs (build:docs, dev, dev:tui, dev:docs, fern) rerouted to @hexclave/docs-mintlify or dropped.

Multi-agent diff review

Four parallel reviewers (package/deps integrity, source-level rename correctness, workflow/CI/scripts, e2e tests + fixtures) audited the diff. Six actionable findings, all addressed:

1. Backend .well-known/ routes still on @stackframe/stack-shared/dist/* — original sweep's dir walker had a bug that skipped dot-prefixed dirs (intended to exclude .git/.turbo); also caught Next.js's .well-known/. Fixed.
2. docs/src/ had 25 unresolved imports breaking @hexclave/docs typecheck — fixed by removing legacy docs/ from workspace per direction.
3. github-config-push.test.ts legacy-fallback test was silently de-tested by the sweep — fixed by renaming the modified test and adding a new parallel case exercising the legacy regex branch.
4. examples/react-example/package.json version still 2.8.103 (sweep missed unscoped name) — bumped to 1.0.0.
5. Root build:demo filter targeted nonexistent demo-app (pre-existing bug) — fixed to @hexclave/example-demo-app....
6. Stale --filter=@hexclave/docs references in root scripts after Backend design doc #2 — rerouted to @hexclave/docs-mintlify.

Verification

• pnpm install --frozen-lockfile — clean.
• pnpm typecheck — 28/28 tasks green across the whole workspace.
• pnpm lint — 28/28 tasks green.
• All four parallel reviewer findings addressed in commit 839d6fe86.

Diff stats

~1000 files, mostly mechanical. The non-mechanical surface fits in:

• Workflow + rewrite-script deletions.
• Two backward-compat detection sites (config-rendering, github-config-push).
• Test coverage for the legacy fallback branch.
• Legacy docs/ workspace removal.

Test plan

• CI runs full lint + build + typecheck matrix green.
• After PR 2 has published @hexclave/*@1.0.0 on first push to main, verify the pre-merge bump moves PR 3's source from 1.0.0 → 1.0.1.
• On PR 3 merge to main: verify CI publishes @hexclave/*@1.0.1 natively (no rewrite step). Spot-check: npm view @hexclave/next@1.0.1.
• Verify no @stackframe/*@<new> ever publishes again — the workflow's first Publish packages step is now the only one, and it publishes the renamed source.
• Spot-check: npx @hexclave/cli@1.0.1 init works on the natively-published artifact (no longer depends on the rewrite script's dist-rewrite of cross-package require() specifiers).
• Spot-check: a project on the last @stackframe/stack@<final> release with config importing import type { StackConfig } from "@stackframe/stack" — the dashboard's GitHub config-push flow preserves that legacy import on re-render (covered by the new test case).

---

Summary by cubic

Make Hexclave the canonical package scope. All packages now publish natively under @hexclave/*; the dual‑publish mirror is removed, and small follow‑ups fix SSR/docs, CI filters, and an e2e version sentinel.

• Refactors

  • Renamed all publishable packages to @hexclave/* (9 packages) and updated internal workspaces/imports.
  • Removed scripts/rewrite-packages-to-hexclave.ts and the mirror‑publish workflow; auto‑bump now targets @hexclave/next.
  • Dropped the deprecation‑warning runtime; reset versions to 1.0.0 (first native publish will be 1.0.1).
  • Kept carve‑outs: @stackframe/emails, @stackframe/template, @stackframe/init-stack (now private).
  • Added hexclave CLI bin; excluded legacy docs/; CI and qemu-emulator-build workflow filters switched to @hexclave/*.

• Bug Fixes

  • TanStack Start demo: fixed Vite SSR noExternal regex to /^@hexclave\// to inline workspace deps and avoid ESM errors.
  • Docs: corrected README logo alt text, setup link path, and contrib.rocks repo; fixed docs footer GitHub link to hexclave/hexclave.
  • E2E: updated clientApp.version test regex to match the @hexclave/js sentinel.

^{Written for commit e50c929. Summary will update on new commits. Review in cubic}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 24, 2026 12:48am
stack-auth-mcp	Ready	Preview, Comment	May 24, 2026 12:48am
stack-auth-skills	Ready	Preview, Comment	May 24, 2026 12:48am
stack-backend	Ready	Preview, Comment	May 24, 2026 12:48am
stack-dashboard	Ready	Preview, Comment	May 24, 2026 12:48am
stack-demo	Ready	Preview, Comment	May 24, 2026 12:48am
stack-docs	Error		May 24, 2026 12:48am
stack-preview-backend	Ready	Preview, Comment	May 24, 2026 12:48am
stack-preview-dashboard	Ready	Preview, Comment	May 24, 2026 12:48am

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d2251980-9cec-443d-bc3b-ba08e8649d4d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cl/hexclave-pr3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1005 files

<sub>Partial review: This PR has more than 50 files, so cubic reviewed the highest-priority files first. During the trial, paid plans get a higher file limit.
You can try an ultrareview to bypass the file limit, comment @cubic-dev-ai ultrareview. Learn more.

Re-trigger cubic</sub>

[vercel]

Additional Suggestions:

1. SSR noExternal configuration still references old @stackframe/* package names instead of @hexclave/* after rebrand

2. Default email template strings import from @stackframe/emails instead of @hexclave/emails after the rebrand

[vercel]

Additional Suggestions:

1. Multiple stale imports from @stackframe/stack-shared instead of @hexclave/shared in docs app

2. Documentation code examples still reference outdated @StackFrame package names instead of @hexclave, misleading users about correct packages to install

[vercel]

Additional Suggestion:

Next.js statically analyzes instrumentation.ts for Edge Runtime and includes manager.ts in the bundle, causing build failure when manager.ts imports Node.js modules (crypto, fs)