// changelog

We ship every day.

Every release of the LaunchPaid boilerplate, straight from the source. New skills, sharper memory files, and the small optimizations that make Claude Code feel less like a slot machine and more like a teammate.

v0.5.3

May 23, 2026

No release notes for this version.

v0.5.2

May 19, 2026

No release notes for this version.

v0.5.1

May 19, 2026

No release notes for this version.

v0.5.0

May 19, 2026

No release notes for this version.

v0.4.2

May 9, 2026

Lint cleanup + Next 16 proxy migration

Pays down two pieces of debt explicitly called out in earlier releases:
the 32 pre-existing lint errors that v0.4.0 flagged as "worth a
dedicated cleanup pass" (now 35 errors + 4 warnings, all cleared), and
the middleware-to-proxy deprecation warning the build had been
emitting since the Next 16 upgrade.

✦ Lint cleanup (35 errors + 4 warnings → 0)

  Replaced `any` casts with narrow type assertions in the two places
  the strict-typing escape hatches actually live:

  • src/features/billing/webhooks/route.ts — `current_period_start` /
    `current_period_end` and `Invoice.subscription` are legacy fields
    no longer in Stripe's TS types but still present on the runtime
    payload. Now typed via SubscriptionPeriods / InvoiceWithSubscription
    intersections — runtime shape unchanged, the cast is just explicit
    about what's missing from upstream types.

  • src/features/auth/{actions.ts,components/ForgotPasswordForm.tsx} —
    Better Auth's `forgetPassword` is a plugin method not surfaced on
    the generated auth.api / authClient types. Narrow interfaces
    document the shape we call.

  Tightened src/lib/db/tenantGuard.ts to Record<string, unknown>
  internally (Prisma's args shape genuinely varies per operation), and
  cast back to Prisma's per-operation union at the extension boundary
  in tenant.ts. Callers and runtime behavior are unchanged; the
  organization-id equality checks remain the actual safety net.

  Dropped a stale @ts-nocheck from prisma/seed.ts. Catch blocks in
  tests/ use `unknown` + a narrowed shape. Scoped a no-require-imports
  override to scripts/**/*.js — those files are CommonJS by spec and
  not part of the Next.js bundle.

✦ Next 16 middleware → proxy rename

  Renamed src/middleware.ts → src/proxy.ts and the exported function
  from `middleware` to `proxy`. Updated harness consumers that
  referenced the old path: the entry-point exemption in
  scripts/check-conventions.js and the config-class heuristic in
  tools/graph/analyzer.ts. The Next 16 routes table now reports
  `ƒ Proxy (Middleware)` instead of `ƒ Middleware`, and the build no
  longer emits the middleware-to-proxy deprecation warning.

Verified: tsc clean, vitest 25/25, lint clean, conventions + harness
pass, production build succeeds (Next 16.2.3, all 14 routes), no
deprecation warnings.

v0.4.1

May 8, 2026

Recurring DX fixes from buyer feedback

Three categories of recurring pain points reported across multiple
fresh-project setups, all addressed:

✦ Auth bugs that kept biting on every project (fix/auth)

  • Stale-cookie redirect loop. Middleware was redirecting auth pages
    based on cookie presence. A stale cookie (expired session,
    browser still has the token) trapped the user — /login → cookie
    seen → /settings/profile → page validates session, gets null →
    redirect to /login → repeat. Middleware can't validate sessions
    in the edge runtime, so it can't tell stale from real.

    Fix: drop the auth-page redirect from middleware. Pages do the
    "already logged in" check themselves via getSession(), which
    validates against the DB.

  • Dev port mismatch → NetworkError. better-auth was hardcoded with
    baseURL/trustedOrigins of localhost:3000. Next dev picks the next
    free port (3001, 3002, …) when 3000 is busy, and better-auth
    rejects the request without CORS headers — browser surfaces it
    as "NetworkError when attempting to fetch resource."

    Fix: server leaves baseURL undefined (better-auth derives from
    each request). In dev, trustedOrigins includes ports 3000/3001/
    3002 on both localhost and 127.0.0.1, plus the env URL when set.
    Client uses window.location.origin in the browser. Both ends
    must match — fixing only the client still gets CORS-rejected.

  Both gotchas logged in memory/errors.md.
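
The stale-cookie loop and its fix, modelled as an added example (not LaunchPaid's own code). The function names other than `getSession`, the in-memory session store and the token values are constructed for illustration; only the two paths and the behaviour come from the notes above.

```javascript
// Constructed model of the stale-cookie loop; helper names are hypothetical.
const sessionsInDb = new Set(["tok-live"]); // tokens the database still accepts

// Page-level check: validates the cookie against the DB, like getSession() above.
function getSession(cookie) {
  return cookie && sessionsInDb.has(cookie) ? { token: cookie } : null;
}

// Before: middleware redirects auth pages on cookie *presence* only,
// because it cannot validate the session in the edge runtime.
function middlewareBefore(path, cookie) {
  return path === "/login" && cookie ? { redirect: "/settings/profile" } : null;
}

// After: middleware makes no auth-page decision at all.
function middlewareAfter() {
  return null;
}

// Pages: the protected page needs a valid session; after the fix,
// /login performs its own "already logged in" check.
function renderPage(path, cookie, loginChecksSession) {
  const session = getSession(cookie);
  if (path === "/settings/profile") {
    return session ? { render: path } : { redirect: "/login" };
  }
  if (path === "/login" && loginChecksSession && session) {
    return { redirect: "/settings/profile" };
  }
  return { render: path };
}

// Follow redirects the way a browser would, stopping when a path repeats.
function navigate(start, cookie, fixed) {
  const middleware = fixed ? middlewareAfter : middlewareBefore;
  const visited = [];
  let path = start;
  while (!visited.includes(path)) {
    visited.push(path);
    const step = middleware(path, cookie) || renderPage(path, cookie, fixed);
    if (step.render) return { outcome: "rendered", path: step.render, visited };
    path = step.redirect;
  }
  return { outcome: "redirect-loop", path, visited };
}
```

`navigate("/login", "tok-expired", false)` reproduces the loop, while the same request with `fixed` set to `true` renders the login page because the session decision now rests on DB validation rather than cookie presence.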

✦ Convention check noise (fix/harness)

  Two false positives in the dead-code check that fired on every
  fresh project:

  • src/lib/email/ — buyer-wired scaffolding (transport + templates
    look unimported until the buyer adds an email-sending feature).
  • src/features/<x>/webhooks/route.ts — re-exported by the actual
    route in src/app/api/webhooks/<x>/route.ts. The graph parser
    doesn't trace `export { POST } from ...`.

  Both now exempted alongside the existing exemptions (shadcn
  primitives, hooks, types). Genuine dead-code warnings still fire
  for unwired feature components.

✦ Documentation friction (docs/harness)

  • PRD overrides every default. The agent had been forcing
    dashboard/tenant defaults onto consumer apps and other product
    types. CLAUDE.md now has a "PRD overrides every default" section
    spelling out the defaults (route group, tenant scoping, marketing
    composition, admin chrome) and explicitly handing authority to
    the PRD when they conflict. new-feature.md step 8 echoes this —
    pick the route group from the PRD, not from the dashboard default.

  • Settings layers documented. Buyers kept asking where a given hook
    or permission belongs. New .claude/settings.md describes the
    three layers (user / project / project-local), the merge order,
    and the common silent-fail mistakes.

  • bin/dev cleanup. Removed the "stale → regenerating → updated"
    pair output for the graph and state snapshots — staleness is
    expected after edits and isn't actionable for the user.

Verified: tsc clean, vitest 25/25, conventions + harness pass,
production build succeeds.

v0.4.0

May 8, 2026

Marketing redesign + two-stage review + memory checkpoint

This is a meaningful release. Three workstreams land together:

✦ Marketing aesthetic overhaul (feat/design)
  The old "design-system" skill described a generic SaaS look — orange
  accent, card grids, scroll-reveal animations, serif display headings.
  v0.4.0 replaces it with a type-led, warm-cream system inspired by
  Basecamp and Pieter-Levels-style landing pages: huge sans-serif
  headlines, single gold accent, no card grids, plain stacked
  testimonials, FAQs as bold-question + paragraph-answer.

  • New 5-token palette (cream / ink / gold / muted / rule), fluid type
    scale, and `.mkt-*` utility classes — all scoped under a `.marketing`
    CSS class so dashboard/auth/onboarding stay visually intact.
  • All eight marketing components rewritten per the new section
    anatomy documented in .claude/skills/design-system.md.
  • Inter Tight loaded alongside the existing Geist + Instrument Serif.
  • New .claude/design-inspo/ folder — drop screenshots there as
    authoritative visual references for future UI work.

  Removed: .text-hero / .text-section-heading / .text-body-prose CSS
  utilities, scroll-reveal / animate-reveal / receipt-printing
  animations, ScrollRevealInit component, useScrollReveal hook.

✦ Two-stage code review (feat/skills)
  Reviewing big diffs as one pass conflates "does it meet the spec?"
  with "is the code good?". Now split:
  • skills/review-spec.md   — does the diff meet the spec? (stage 1)
  • skills/review-quality.md — quality / security / perf / coverage (stage 2)
  • skills/review.md kept for combined small-change passes.
  Matching reviewer-spec / reviewer-quality agents wired into router.md.

✦ Memory checkpoint at compaction time (feat/harness)
  Long sessions used to lose architectural context when the harness
  compacted. Now:
  • PreCompact hook runs scripts/session-summary.js for a deterministic
    snapshot, then nudges the agent to flush decisions / patterns /
    errors / progress to persistent memory before compaction.
  • New scripts/check-harness.js validates router/skill/agent shape;
    wired into `npm run verify`.

Migration notes:
  - Buyers who customized marketing components against .text-hero /
    .text-section-heading / .text-body-prose will need to migrate to the
    new .mkt-* utilities.
  - 32 pre-existing lint errors continue to ship (same as v0.3.3) — in
    scripts/, prisma/seed.ts, features/billing/webhooks, lib/db,
    tests/, tools/graph. None introduced in this release. Worth a
    dedicated cleanup pass.

Verified: tsc clean, vitest 25/25, conventions + harness shape pass,
production build succeeds (Next 16.2.3, all 14 routes).

v0.3.3

May 6, 2026

new-feature skill rewrite: scaffold + tenantDb alignment

The new-feature skill drifted from the canonical reference and template.
An agent following it literally would have written code that violated
rule #1 (tenant safety) and been rejected by `npm run verify` on the
first run. This release removes the contradiction between the skill,
the scaffold template, and the reference.

Changes to .claude/skills/new-feature.md:

- Scaffold step added. The skill now starts with
  `node scripts/scaffold-feature.js <name>`, matching CLAUDE.md.
  Subsequent steps are reframed as "edit the scaffolded file" rather
  than "create from scratch", removing redundancy with the template.

- Canonical tenantDb pattern restored. actions.ts and queries.ts code
  blocks rewritten to import `tenantDb` from `@/lib/db/tenant` and
  wrap DB work in `withAuthedTenant`, matching
  .claude/reference/actions.ts.example and queries.ts.example.
  Dropped the obsolete `getSession()` + manual `organizationId`
  plumbing. Queries no longer accept an `organizationId` parameter
  (auto-injected by tenantDb from the active scope).

- Verify step made explicit. Step 9 now runs `npm run verify` (the
  five-rules enforcer) and uses `npm run state:refresh` instead of
  `node scripts/generate-state.js`, aligning with CLAUDE.md.

- Anti-Patterns list updated. Bans hand-writing feature files,
  importing `@/lib/db/prisma` directly, plumbing `organizationId`,
  and the legacy `getSession + orgId` pattern in actions.

Net effect: an agent following this skill writes code that passes
`npm run verify` on the first try.

v0.3.2

May 5, 2026

payment primitives in @/lib, sharper conventions

No release notes for this version.

v0.3.1

May 5, 2026

auto session summaries via Stop hook

No release notes for this version.

v0.3.0

Apr 29, 2026

graph-oracle subagent

No release notes for this version.

v0.2.4

Apr 29, 2026

No release notes for this version.

v0.2.3

Apr 29, 2026

No release notes for this version.

v0.2.2

Apr 29, 2026

No release notes for this version.

v0.2.1

Apr 29, 2026

No release notes for this version.

v0.2.0

Apr 28, 2026

No release notes for this version.