@lssm/example.learning-journey-quest-challenges 0.0.0-canary-20251217073102 → 0.0.0-canary-20251217083314

package/dist/libs/contracts/dist/docs/tech/studio/learning-journeys.docblock.js

@@ -0,0 +1,79 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/learning-journeys.docblock.js
+const tech_studio_learning_journeys_DocBlocks = [{
+	id: "docs.tech.studio.learning-journeys",
+	title: "Studio learning journeys (onboarding + coach)",
+	summary: "DB-backed learning journeys tracked per organization: seeded tracks/steps, event-driven progress, XP/streaks, and a Studio coach surface.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/learning-journeys",
+	tags: [
+		"studio",
+		"learning",
+		"onboarding",
+		"journey",
+		"graphql",
+		"database"
+	],
+	body: `# Studio learning journeys
+
+Studio supports **DB-backed learning journeys** (onboarding tracks + ambient coach tips) that are advanced by **recorded learning events**.
+
+> See also: \`/docs/tech/studio/learning-events\` for event naming + payload guardrails.
+
+## Scope (multi-tenancy)
+
+- Progress is tracked **per organization** (tenant/workspace), via a \`Learner\` record keyed by \`(userId, organizationId)\`.
+- Learning events are stored as \`StudioLearningEvent\` under the Studio DB schema, scoped to an organization (optionally a project).
+
+## Persistence model (Prisma)
+
+Learning journey progress lives in the \`lssm_learning\` schema:
+
+- \`Learner\` — one per \`(userId, organizationId)\`
+- \`OnboardingTrack\` — seeded track definitions (trackKey, name, metadata)
+- \`OnboardingStep\` — seeded step definitions (stepKey, completionCondition, xpReward, metadata)
+- \`OnboardingProgress\` — learner × track progress (progress %, xpEarned, completedAt, dismissedAt)
+- \`OnboardingStepCompletion\` — append-only completion records (stepKey, status, xpEarned, completedAt)
+
+## Track definition source (spec-first)
+
+- Canonical track specs live in \`@lssm/example.learning-journey-registry\`.
+- The Studio API seeds/updates the DB definitions via an idempotent “ensure tracks” routine.
+- The DB is kept aligned with track specs (stale steps are removed) to prevent drift and unblock completion.
+
+## Progress advancement (event-driven)
+
+1) UI records an event via GraphQL \`recordLearningEvent\`
+2) Backend creates \`StudioLearningEvent\`
+3) Backend advances onboarding by matching the new event against step completion conditions
+4) Backend persists step completions and recomputes:
+   - \`progress\` percentage
+   - \`xpEarned\` (including streak/completion bonuses when configured)
+   - track completion state (\`completedAt\`)
+
+## GraphQL API (Studio)
+
+- \`myOnboardingTracks(productId?, includeProgress?)\`
+  - returns all tracks + optional progress for the current learner
+- \`myOnboardingProgress(trackKey)\`
+  - returns progress + step completion list for a single track
+- \`dismissOnboardingTrack(trackKey)\`
+  - marks a track dismissed for the learner (prevents auto-coach)
+
+## UI routes/surfaces (web)
+
+- \`/studio/learning\` — learning hub (track list + progress widget)
+- \`/studio/learning/{trackKey}\` — track detail (steps + map)
+- Studio shell mounts a **coach sheet** that can auto-open for incomplete, non-dismissed onboarding.
+
+## Security + data hygiene
+
+- Do not put secrets/PII in \`payload\` fields of learning events.
+- Prefer shallow payload filters (small, stable keys).
+`
+}];
+registerDocBlocks(tech_studio_learning_journeys_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/platform-admin-panel.docblock.js

@@ -0,0 +1,84 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/platform-admin-panel.docblock.js
+const tech_studio_platform_admin_panel_DocBlocks = [{
+	id: "docs.tech.studio.platform-admin-panel",
+	title: "Studio Platform Admin Panel",
+	summary: "How PLATFORM_ADMIN organizations manage tenant orgs and integration connections without session switching.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/platform-admin-panel",
+	tags: [
+		"studio",
+		"admin",
+		"multi-tenancy",
+		"integrations",
+		"better-auth"
+	],
+	body: `# Studio Platform Admin Panel
+
+ContractSpec Studio exposes a dedicated **Platform Admin Panel** for users whose **active organization** has:
+
+- \`Organization.type = PLATFORM_ADMIN\`
+
+The UI route is:
+
+- \`/studio/admin\`
+
+## Authorization model (no org switching)
+
+Platform admins **remain in their own organization**. Cross-tenant actions are always explicit and scoped:
+
+- Admin operations require an explicit \`targetOrganizationId\`.
+- No session / activeOrganizationId switching is performed as part of admin operations.
+
+## Integrations management
+
+The admin panel manages the full ContractSpec Integrations system:
+
+- Lists all shipped \`IntegrationSpec\` entries (registry built via \`createDefaultIntegrationSpecRegistry()\`).
+- CRUD \`IntegrationConnection\` records for a selected tenant org.
+
+### Secrets (reference-only + write-only)
+
+The admin UI supports two modes:
+
+- **Reference-only (BYOK)**: store only \`secretProvider\` + \`secretRef\`.
+- **Write-only provisioning/rotation**: paste a raw secret payload; server writes to the selected backend and stores the resulting reference. The secret value is **never returned or displayed**.
+
+Supported backends:
+
+- Env overrides (\`env://...\`)
+- Google Cloud Secret Manager (\`gcp://...\`)
+- AWS Secrets Manager (\`aws://secretsmanager/...\`)
+- Scaleway Secret Manager (\`scw://secret-manager/...\`)
+
+## Better Auth Admin plugin
+
+The panel uses the Better Auth **Admin plugin** for user operations (list users, impersonation):
+
+- Client calls use \`authClient.admin.*\`.
+- Server-side, ContractSpec enforces that users in a PLATFORM_ADMIN active org have \`User.role\` containing \`admin\` so Better Auth Admin endpoints authorize.
+
+## GraphQL surface
+
+The platform-admin GraphQL operations are guarded by the active org type and include:
+
+- \`platformAdminOrganizations(search, limit, offset)\`
+- \`platformAdminIntegrationSpecs\`
+- \`platformAdminIntegrationConnections(input: { targetOrganizationId, category?, status? })\`
+- \`platformAdminIntegrationConnectionCreate(input)\`
+- \`platformAdminIntegrationConnectionUpdate(input)\`
+- \`platformAdminIntegrationConnectionDelete(targetOrganizationId, connectionId)\`
+
+## Key implementation files
+
+- Auth + role enforcement: \`packages/bundles/contractspec-studio/src/application/services/auth.ts\`
+- Admin GraphQL module: \`packages/bundles/contractspec-studio/src/infrastructure/graphql/modules/platform-admin.ts\`
+- Integrations admin service: \`packages/bundles/contractspec-studio/src/modules/platform-integrations/index.ts\`
+- Web route: \`packages/apps/web-landing/src/app/(app-customer)/studio/admin/*\`
+`
+}];
+registerDocBlocks(tech_studio_platform_admin_panel_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/project-access-teams.docblock.js

@@ -0,0 +1,45 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/project-access-teams.docblock.js
+const tech_studio_project_access_teams_DocBlocks = [{
+	id: "docs.tech.studio.project-access-teams",
+	title: "Studio Project Access via Teams",
+	summary: "Projects live under organizations; team sharing refines access with an admin/owner override.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/project-access-teams",
+	tags: [
+		"studio",
+		"projects",
+		"teams",
+		"rbac",
+		"access-control"
+	],
+	body: `# Studio Project Access via Teams
+
+Studio access control is **organization-first** with optional **team-based sharing**.
+
+## Data model
+
+- \`Team\` and \`TeamMember\` define team membership inside an organization.
+- \`StudioProject\` is owned by an organization.
+- \`StudioProjectTeam\` links projects to 0..N teams.
+
+## Access rules
+
+- **Admins/owners**: always have access to all projects in the organization.
+- **Org-wide projects**: if a project has **no team links**, all organization members can access it.
+- **Team-scoped projects**: if a project has **one or more team links**, a user must be a member of at least one linked team.
+
+## GraphQL surfaces
+
+- Read:\n  - \`myStudioProjects\` (returns only projects you can access)\n  - \`studioProjectBySlug(slug)\` (enforces the same access rules)\n  - \`myTeams\`\n  - \`projectTeams(projectId)\`\n\n- Write:\n  - \`createStudioProject(input.teamIds?)\` (teamIds optional)\n  - \`setProjectTeams(projectId, teamIds)\` (admin-only)\n
+## Related\n+\n+- Team administration + invitations: see \`/docs/tech/studio/team-invitations\`.\n+
+## Notes
+
+Payloads and events must avoid secrets/PII. For Sandbox, the model remains local-first and unlogged.
+`
+}];
+registerDocBlocks(tech_studio_project_access_teams_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/project-routing.docblock.js

@@ -0,0 +1,67 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/project-routing.docblock.js
+const tech_studio_project_routing_DocBlocks = [{
+	id: "docs.tech.studio.project-routing",
+	title: "Studio Project Routing",
+	summary: "Studio uses slugged, project-first routes: /studio/{projectSlug}/* with canonical slug redirects and soft-deleted projects hidden.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/project-routing",
+	tags: [
+		"studio",
+		"routing",
+		"projects",
+		"slug",
+		"redirects"
+	],
+	body: `# Studio Project Routing
+
+ContractSpec Studio uses a **project-first URL scheme**:
+
+- \`/studio/projects\` — create, select, and delete projects.
+- \`/studio/{projectSlug}/*\` — project modules (canvas/specs/deploy/integrations/evolution/learning).
+- \`/studio/learning\` — learning hub that does not require selecting a project.
+
+## Studio layout shell
+
+Studio routes are wrapped in a dedicated **Studio app shell** (header + footer) that provides in-app navigation (Projects/Learning/Teams), organization switching, and account actions.
+
+Project module routes (\`/studio/{projectSlug}/*\`) render their own module shell (\`WorkspaceProjectShellLayout\`). When combined with the global Studio header, the project shell uses a **sticky header offset** to avoid overlapping sticky headers.
+
+## Slug behavior (rename-safe)
+
+- Each project has a \`slug\` stored in the database (\`StudioProject.slug\`).
+- When a project name changes, Studio **updates the slug** and stores the previous slug as an alias (\`StudioProjectSlugAlias\`).
+- Requests to an alias slug are **redirected to the canonical slug**.
+
+GraphQL entrypoint:
+
+- \`studioProjectBySlug(slug: String!)\` returns:
+  - \`project\`
+  - \`canonicalSlug\`
+  - \`wasRedirect\`
+
+## Deletion behavior (soft delete)
+
+Projects are **soft-deleted**:
+
+- \`deleteStudioProject(id: String!)\` sets \`StudioProject.deletedAt\`.
+- All listings and access checks filter \`deletedAt = null\`.
+- Soft-deleted projects are treated as “not found” in Studio routes and GraphQL access checks.
+
+## Available modules for a selected project
+
+The following project modules are expected under \`/studio/{projectSlug}\`:
+
+- \`/canvas\` — Visual builder canvas (stored via overlays and canvas versions).
+- \`/specs\` — Spec editor (stored as \`StudioSpec\`).
+- \`/deploy\` — Deployments history + triggers (stored as \`StudioDeployment\`).
+- \`/integrations\` — Integrations scoped to project (stored as \`StudioIntegration\`).
+- \`/evolution\` — Evolution sessions (stored as \`EvolutionSession\`).
+- \`/learning\` — Project learning activity.
+`
+}];
+registerDocBlocks(tech_studio_project_routing_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/sandbox-unlogged.docblock.js

@@ -0,0 +1,40 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/sandbox-unlogged.docblock.js
+const tech_studio_sandbox_unlogged_DocBlocks = [{
+	id: "docs.tech.studio.sandbox.unlogged",
+	title: "Sandbox (unlogged) vs Studio (authenticated)",
+	summary: "The sandbox is a lightweight, unlogged surface that mirrors Studio navigation without auth or analytics.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/sandbox-unlogged",
+	tags: [
+		"studio",
+		"sandbox",
+		"privacy",
+		"analytics"
+	],
+	body: `## Sandbox guarantees
+
+- Route: \`/sandbox\`
+- **No auth requirement**
+- **No PostHog init**
+- **No Vercel Analytics**
+- Local-only state (in-browser runtime + localStorage where needed)
+
+## What Sandbox is for
+
+- Try templates and feature modules safely
+- Preview specs/builder/evolution/learning
+- Produce copyable CLI commands (no side effects)
+
+## What Sandbox is *not* for
+
+- Persisted projects/workspaces
+- Real deployments
+- Organization-scoped integrations (unless explicitly enabled later)
+`
+}];
+registerDocBlocks(tech_studio_sandbox_unlogged_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/team-invitations.docblock.js

@@ -0,0 +1,69 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/team-invitations.docblock.js
+const tech_studio_team_invitations_DocBlocks = [{
+	id: "docs.tech.studio.team-invitations",
+	title: "Studio Teams & Invitations",
+	summary: "Admin-only team management and email invitation flow to join an organization and optionally a team.",
+	kind: "reference",
+	visibility: "public",
+	route: "/docs/tech/studio/team-invitations",
+	tags: [
+		"studio",
+		"teams",
+		"invitations",
+		"access-control",
+		"onboarding"
+	],
+	body: `# Studio Teams & Invitations
+
+Studio uses **organization membership** as the base access model. Teams are optional and used to refine access to projects.
+
+## Who can manage teams?
+
+- **Admins/owners only**: create, rename, delete teams; manage project team access; issue invitations.
+
+## Invitation data model
+
+- \`Invitation\` rows are stored under an organization and target an **email** address.\n
+- An invitation can optionally target a \`teamId\`, which will grant the user membership in that team upon acceptance.
+
+Key fields:
+- \`email\`: invited address (must match the accepting user's account email)\n
+- \`status\`: \`pending | accepted | declined | expired\`\n
+- \`teamId?\`: optional team to join\n
+- \`inviterId\`: user who issued the invitation
+
+## GraphQL surfaces
+
+- Team CRUD (admin-only):\n
+  - \`createTeam(name)\`\n
+  - \`renameTeam(teamId, name)\`\n
+  - \`deleteTeam(teamId)\`\n
+
+- Invitations (admin-only):\n
+  - \`organizationInvitations\`\n
+  - \`inviteToOrganization(email, role?, teamId?)\` → returns \`inviteUrl\` and whether an email was sent
+
+## Accepting an invitation
+
+The invite link is served as:\n
+- \`/invite/{invitationId}\`
+
+Acceptance rules:
+- The user must be authenticated.\n
+- The authenticated user’s email must match \`Invitation.email\`.\n
+- If not already a member, create \`Member(userId, organizationId, role)\`.\n
+- If \`teamId\` is present, ensure \`TeamMember(teamId, userId)\`.\n
+- Mark invitation \`status='accepted'\` and set \`acceptedAt\`.\n
+- Set \`activeOrganizationId\` for the session so \`/studio/*\` routes work immediately.
+
+## Email delivery
+
+- If \`RESEND_API_KEY\` is set, the system attempts to send an email.\n
+- Otherwise, the UI uses the returned \`inviteUrl\` for manual copy/share.
+`
+}];
+registerDocBlocks(tech_studio_team_invitations_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/workspace-ops.docblock.js

@@ -0,0 +1,47 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/workspace-ops.docblock.js
+const tech_studio_workspace_ops_DocBlocks = [{
+	id: "docs.tech.studio.workspace_ops",
+	title: "Workspace ops (repo-linked): list / validate / deps / diff",
+	summary: "Read-only repo operations used by Studio to inspect and validate a linked ContractSpec workspace.",
+	kind: "reference",
+	visibility: "mixed",
+	route: "/docs/tech/studio/workspace-ops",
+	tags: [
+		"studio",
+		"repo",
+		"workspace",
+		"validate",
+		"diff"
+	],
+	body: `## API surface (api-contractspec)
+
+Base: \`/api/workspace-ops\`
+
+These endpoints are **read-only** in v1 and never push to git:
+
+- \`GET /api/workspace-ops/:integrationId/config?organizationId=\`
+- \`GET /api/workspace-ops/:integrationId/specs?organizationId=\`
+- \`POST /api/workspace-ops/:integrationId/validate\` (body: organizationId, files?, pattern?)
+- \`POST /api/workspace-ops/:integrationId/deps\` (body: organizationId, pattern?)
+- \`POST /api/workspace-ops/:integrationId/diff\` (body: organizationId, specPath, baseline?, breakingOnly?)
+
+## Repo resolution
+
+- The repo root is resolved from the Studio Integration (\`IntegrationProvider.GITHUB\`) config:
+  - \`config.repoCachePath\` (preferred) or \`config.localPath\`
+- Resolution is constrained to \`CONTRACTSPEC_REPO_CACHE_DIR\` (default: \`/tmp/contractspec-repos\`)
+
+## Intended UX
+
+- Studio Assistant can run these checks and present results as suggestions.
+- Users can copy equivalent CLI commands for local runs:
+  - \`contractspec validate\`
+  - \`contractspec deps\`
+  - \`contractspec diff --baseline <ref>\`
+`
+}];
+registerDocBlocks(tech_studio_workspace_ops_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/studio/workspaces.docblock.js

@@ -0,0 +1,62 @@
+import { registerDocBlocks } from "../../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/studio/workspaces.docblock.js
+const tech_studio_workspaces_DocBlocks = [{
+	id: "docs.tech.studio.workspaces",
+	title: "Studio projects, teams, environments",
+	summary: "Organization-first Studio: projects live under an organization; teams refine access; projects deploy to multiple environments.",
+	kind: "reference",
+	visibility: "mixed",
+	route: "/docs/tech/studio/workspaces",
+	tags: [
+		"studio",
+		"projects",
+		"teams",
+		"rbac",
+		"environments"
+	],
+	body: `## Concepts
+
+- **Organization**: the primary grouping boundary for Studio projects.
+- **Project**: one application (specs, overlays, deployments, integrations, evolution, learning).
+- **Team**: refines who can see/edit a project within an organization.
+- **Environment**: deployment target (Development / Staging / Production).
+
+## Project access (teams + admin override)
+
+Studio uses multi-team sharing to refine access:
+
+- **Admins/owners** can access all projects.
+- If a project is shared with **no teams**, it is **org-wide** (all org members).
+- If a project is shared with **one or more teams**, it is visible to:
+  - admins/owners, and
+  - members of any linked team.
+
+## Current persistence (DB + GraphQL)
+
+- DB (Prisma): \`StudioProject\`, \`Team\`, \`TeamMember\`, \`StudioProjectTeam\`
+- GraphQL:
+  - \`myStudioProjects\`
+  - \`createStudioProject(input.teamIds?)\`
+  - \`myTeams\`
+  - \`projectTeams(projectId)\`
+  - \`setProjectTeams(projectId, teamIds)\`
+
+## UI shell behavior
+
+Studio and Sandbox both use a shared shell:
+
+- Project selector → Module navigation → Environment selector
+- Always-on Assistant button (floating)
+- Learning journey progress (Studio persists learning events; Sandbox stays local-only)
+
+## Routing
+
+- \`/studio/projects\`: create/select/delete projects (organization-first).
+- \`/studio/{projectSlug}/*\`: project modules (canvas/specs/deploy/integrations/evolution/learning).
+- \`/studio/learning\`: learning hub without selecting a project.
+`
+}];
+registerDocBlocks(tech_studio_workspaces_DocBlocks);
+
+//#endregion

package/dist/libs/contracts/dist/docs/tech/telemetry-ingest.docblock.js

@@ -0,0 +1,155 @@
+import { registerDocBlocks } from "../registry.js";
+
+//#region ../../libs/contracts/dist/docs/tech/telemetry-ingest.docblock.js
+const tech_telemetry_ingest_DocBlocks = [{
+	id: "docs.tech.telemetry.ingest",
+	title: "Telemetry Ingest Endpoint",
+	summary: "Server-side telemetry ingestion for ContractSpec clients (VS Code extension, CLI, etc.).",
+	kind: "reference",
+	visibility: "internal",
+	route: "/docs/tech/telemetry/ingest",
+	tags: [
+		"telemetry",
+		"api",
+		"posthog",
+		"analytics"
+	],
+	body: `# Telemetry Ingest Endpoint
+
+The ContractSpec API provides a telemetry ingest endpoint for clients to send product analytics events.
+
+## Endpoint
+
+\`\`\`
+POST /api/telemetry/ingest
+\`\`\`
+
+## Request
+
+\`\`\`json
+{
+  "event": "contractspec.vscode.command_run",
+  "distinct_id": "client-uuid",
+  "properties": {
+    "command": "validate"
+  },
+  "timestamp": "2024-01-15T10:30:00.000Z"
+}
+\`\`\`
+
+### Headers
+
+| Header | Description |
+|--------|-------------|
+| \`x-contractspec-client-id\` | Optional client identifier (used as fallback for distinct_id) |
+| \`Content-Type\` | Must be \`application/json\` |
+
+### Body
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| \`event\` | string | Yes | Event name (e.g., \`contractspec.vscode.activated\`) |
+| \`distinct_id\` | string | Yes | Anonymous client identifier |
+| \`properties\` | object | No | Event properties |
+| \`timestamp\` | string | No | ISO 8601 timestamp |
+
+## Response
+
+\`\`\`json
+{
+  "success": true
+}
+\`\`\`
+
+## Configuration
+
+The endpoint requires \`POSTHOG_PROJECT_KEY\` environment variable to be set. If not configured, events are accepted but not forwarded.
+
+| Environment Variable | Description | Default |
+|---------------------|-------------|---------|
+| \`POSTHOG_HOST\` | PostHog host URL | \`https://eu.posthog.com\` |
+| \`POSTHOG_PROJECT_KEY\` | PostHog project API key | (required) |
+
+## Privacy
+
+- No PII is collected or stored
+- \`distinct_id\` is an anonymous client-generated UUID
+- File paths and source code are never included in events
+- Respects VS Code telemetry settings on the client side
+
+## Events
+
+### Extension Events
+
+| Event | Description | Properties |
+|-------|-------------|------------|
+| \`contractspec.vscode.activated\` | Extension activated | \`version\` |
+| \`contractspec.vscode.command_run\` | Command executed | \`command\` |
+| \`contractspec.vscode.mcp_call\` | MCP call made | \`endpoint\`, \`tool\` |
+
+### API Events
+
+| Event | Description | Properties |
+|-------|-------------|------------|
+| \`contractspec.api.mcp_request\` | MCP request processed | \`endpoint\`, \`method\`, \`success\`, \`duration_ms\` |
+`
+}, {
+	id: "docs.tech.telemetry.hybrid",
+	title: "Hybrid Telemetry Model",
+	summary: "How ContractSpec clients choose between direct PostHog and API-routed telemetry.",
+	kind: "usage",
+	visibility: "internal",
+	route: "/docs/tech/telemetry/hybrid",
+	tags: [
+		"telemetry",
+		"architecture",
+		"posthog"
+	],
+	body: `# Hybrid Telemetry Model
+
+ContractSpec uses a hybrid telemetry model where clients can send events either directly to PostHog or via the API server.
+
+## Decision Flow
+
+\`\`\`
+Is contractspec.api.baseUrl configured?
+├── Yes → Send via /api/telemetry/ingest
+└── No → Is posthogProjectKey configured?
+    ├── Yes → Send directly to PostHog
+    └── No → Telemetry disabled
+\`\`\`
+
+## Benefits
+
+### Direct PostHog
+- No server dependency
+- Works offline (with batching)
+- Lower latency
+
+### Via API
+- Centralized key management (no client-side keys)
+- Server-side enrichment and validation
+- Rate limiting and abuse prevention
+- Easier migration to other providers
+
+## Recommendation
+
+- **Development**: Use direct PostHog with a dev project key
+- **Production**: Route via API for better governance
+
+## Future: OpenTelemetry
+
+The current PostHog implementation is behind a simple interface that can be swapped for OpenTelemetry:
+
+\`\`\`typescript
+interface TelemetryClient {
+  send(event: TelemetryEvent): Promise<void>;
+}
+\`\`\`
+
+This allows future migration without changing client code.
+`
+}];
+registerDocBlocks(tech_telemetry_ingest_DocBlocks);
+
+//#endregion