@wopr-network/platform-ui-core 1.0.0 → 1.1.0

package/package.json

@@ -1,12 +1,21 @@
 {
   "name": "@wopr-network/platform-ui-core",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Brand-agnostic AI agent platform UI — deploy as any brand via env vars",
   "repository": {
     "type": "git",
     "url": "https://github.com/wopr-network/platform-ui-core.git"
   },
   "license": "UNLICENSED",
+  "exports": {
+    ".": "./src/lib/index.ts",
+    "./app/*": "./src/app/*",
+    "./components/*": "./src/components/*",
+    "./hooks/*": "./src/hooks/*",
+    "./lib/*": "./src/lib/*",
+    "./globals.css": "./src/app/globals.css",
+    "./proxy": "./src/proxy.ts"
+  },
   "publishConfig": {
     "registry": "https://registry.npmjs.org",
     "access": "public"
@@ -20,8 +29,7 @@
     "tailwind.config.ts",
     "biome.json",
     "vitest.config.ts",
-    ".env.wopr",
-    ".env.paperclip"
+    ".env.wopr"
   ],
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",

package/src/__tests__/api-tenant-route.test.ts

@@ -0,0 +1,65 @@
+import { describe, expect, it, vi } from "vitest";
+
+// Mock brand-config before importing route
+vi.mock("@/lib/brand-config", () => ({
+  getBrandConfig: vi.fn(() => ({
+    tenantCookieName: "platform_tenant_id",
+  })),
+}));
+
+// We test the route handler directly
+import { DELETE, POST } from "@/app/api/tenant/route";
+
+function makeRequest(method: string, body?: Record<string, unknown>): Request {
+  return new Request("http://localhost:3000/api/tenant", {
+    method,
+    headers: { "Content-Type": "application/json" },
+    ...(body ? { body: JSON.stringify(body) } : {}),
+  });
+}
+
+describe("POST /api/tenant", () => {
+  it("sets HttpOnly cookie with the provided tenantId", async () => {
+    const req = makeRequest("POST", { tenantId: "org-123" });
+    const res = await POST(req);
+
+    expect(res.status).toBe(200);
+    const setCookie = res.headers.get("set-cookie");
+    expect(setCookie).not.toBeNull();
+    expect(setCookie).toContain("platform_tenant_id=org-123");
+    expect(setCookie).toContain("HttpOnly");
+    expect(setCookie).toContain("Secure");
+    expect(setCookie).toMatch(/SameSite=lax/i);
+    expect(setCookie).toContain("Max-Age=2592000");
+    expect(setCookie).toContain("Path=/");
+  });
+
+  it("rejects missing tenantId", async () => {
+    const req = makeRequest("POST", {});
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects empty tenantId", async () => {
+    const req = makeRequest("POST", { tenantId: "" });
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects tenantId with invalid characters", async () => {
+    const req = makeRequest("POST", { tenantId: "org;evil=true" });
+    const res = await POST(req);
+    expect(res.status).toBe(400);
+  });
+});
+
+describe("DELETE /api/tenant", () => {
+  it("clears the tenant cookie", async () => {
+    const res = await DELETE();
+
+    expect(res.status).toBe(200);
+    const setCookie = res.headers.get("set-cookie");
+    expect(setCookie).toContain("platform_tenant_id=");
+    expect(setCookie).toContain("Max-Age=0");
+  });
+});

package/src/__tests__/middleware.test.ts

@@ -118,6 +118,41 @@ describe("middleware", () => {
     });
   });
 
+  // ---------------------------------------------------------------------------
+  // Open redirect prevention — callbackUrl sanitization
+  // ---------------------------------------------------------------------------
+  describe("callbackUrl sanitization (open redirect prevention)", () => {
+    it("sanitizes percent-encoded protocol-relative pathname in callbackUrl", async () => {
+      // /%2F%2Fevil-redirect decodes to //evil-redirect — must be rejected.
+      // Path has no dot so it reaches the session check (not static-file bypass).
+      const req = buildRequest("/%2F%2Fevil-redirect");
+      const res = await middleware(req);
+      expect(isRedirect(res)).toBe(true);
+      const loc = redirectPath(res);
+      expect(loc).toContain("/login");
+      // callbackUrl must be "/" (sanitized), not the malicious path
+      expect(loc).toContain("callbackUrl=%2F");
+      expect(loc).not.toContain("evil-redirect");
+    });
+
+    it("preserves legitimate callbackUrl for normal paths", async () => {
+      const req = buildRequest("/settings/profile");
+      const res = await middleware(req);
+      expect(isRedirect(res)).toBe(true);
+      const loc = redirectPath(res);
+      expect(loc).toContain("callbackUrl=%2Fsettings%2Fprofile");
+    });
+
+    it("sanitizes mixed-case percent-encoded bypass attempts", async () => {
+      // /%2f%2Fevil-redirect also decodes to //evil-redirect — path has no dot.
+      const req = buildRequest("/%2f%2Fevil-redirect");
+      const res = await middleware(req);
+      expect(isRedirect(res)).toBe(true);
+      const loc = redirectPath(res);
+      expect(loc).not.toContain("evil-redirect");
+    });
+  });
+
   // ---------------------------------------------------------------------------
   // Authenticated pass-through
   // ---------------------------------------------------------------------------
@@ -678,6 +713,57 @@ describe("CSP style-src directive", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// Tenant cookie forwarding (WOP-2114)
+// ---------------------------------------------------------------------------
+describe("tenant cookie forwarding", () => {
+  it("forwards tenant cookie as x-tenant-id request header for authenticated users", async () => {
+    const req = buildRequest("/marketplace", {
+      cookies: {
+        "better-auth.session_token": "valid-token",
+        platform_tenant_id: "org-456",
+      },
+    });
+    const res = await middleware(req);
+    expect(isPassThrough(res)).toBe(true);
+    expect(res.headers.get("x-middleware-request-x-tenant-id")).toBe("org-456");
+  });
+
+  it("does not set x-tenant-id header when no tenant cookie present", async () => {
+    const req = buildRequest("/marketplace", {
+      cookies: { "better-auth.session_token": "valid-token" },
+    });
+    const res = await middleware(req);
+    expect(isPassThrough(res)).toBe(true);
+    expect(res.headers.get("x-middleware-request-x-tenant-id")).toBeNull();
+  });
+
+  it("strips client-supplied x-tenant-id header when no tenant cookie is set (spoofing prevention)", async () => {
+    const req = buildRequest("/marketplace", {
+      cookies: { "better-auth.session_token": "valid-token" },
+      headers: { "x-tenant-id": "attacker-tenant" },
+    });
+    const res = await middleware(req);
+    expect(isPassThrough(res)).toBe(true);
+    // The attacker's header must not be forwarded to server components
+    expect(res.headers.get("x-middleware-request-x-tenant-id")).toBeNull();
+  });
+
+  it("replaces client-supplied x-tenant-id with the trusted cookie value when cookie is set", async () => {
+    const req = buildRequest("/marketplace", {
+      cookies: {
+        "better-auth.session_token": "valid-token",
+        platform_tenant_id: "real-tenant",
+      },
+      headers: { "x-tenant-id": "attacker-tenant" },
+    });
+    const res = await middleware(req);
+    expect(isPassThrough(res)).toBe(true);
+    // Must be the cookie value, not the client-supplied value
+    expect(res.headers.get("x-middleware-request-x-tenant-id")).toBe("real-tenant");
+  });
+});
+
 // ---------------------------------------------------------------------------
 // config export
 // ---------------------------------------------------------------------------

package/src/__tests__/plugin-install-flow.test.tsx

@@ -43,24 +43,57 @@ vi.mock("framer-motion", () => {
 });
 
 // vi.hoisted runs before module imports so TEST_PLUGINS and mocks are available in vi.mock factories
-const { TEST_PLUGINS, mockInstallPlugin, mockListBots, mockListInstalledPlugins } = vi.hoisted(
-  () => {
-    const mockInstallPlugin = vi.fn();
-    const mockListBots = vi
-      .fn()
-      .mockResolvedValue([{ id: "bot-001", name: "My Bot", state: "running" }]);
-    const mockListInstalledPlugins = vi.fn().mockResolvedValue([]);
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { INSTALL_FLOW_TEST_PLUGINS } =
-      require("./fixtures/mock-manifests-data") as typeof import("./fixtures/mock-manifests");
-    return {
-      TEST_PLUGINS: INSTALL_FLOW_TEST_PLUGINS,
-      mockInstallPlugin,
-      mockListBots,
-      mockListInstalledPlugins,
-    };
-  },
-);
+const {
+  TEST_PLUGINS,
+  ALL_PLUGINS,
+  mockInstallPlugin,
+  mockListBots,
+  mockListInstalledPlugins,
+  injectPathlessZodError,
+} = vi.hoisted(() => {
+  const mockInstallPlugin = vi.fn();
+  const mockListBots = vi
+    .fn()
+    .mockResolvedValue([{ id: "bot-001", name: "My Bot", state: "running" }]);
+  const mockListInstalledPlugins = vi.fn().mockResolvedValue([]);
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const { INSTALL_FLOW_TEST_PLUGINS, MARKETPLACE_TEST_PLUGINS } =
+    require("./fixtures/mock-manifests-data") as typeof import("./fixtures/mock-manifests");
+  // Flag to conditionally inject a path-less Zod error in the mocked z.object
+  const injectPathlessZodError = { value: false };
+  return {
+    TEST_PLUGINS: INSTALL_FLOW_TEST_PLUGINS,
+    ALL_PLUGINS: MARKETPLACE_TEST_PLUGINS,
+    mockInstallPlugin,
+    mockListBots,
+    mockListInstalledPlugins,
+    injectPathlessZodError,
+  };
+});
+
+// Mock zod with a conditional wrapper: when injectPathlessZodError.value is true,
+// z.object() adds a superRefine that produces a path-less ZodIssue.
+// Only inject on schemas with fields (Object.keys(shape).length > 0) so empty
+// setup steps (no fields) pass through without triggering the fake error.
+vi.mock("zod", async () => {
+  const realZod = await vi.importActual<typeof import("zod")>("zod");
+  const originalObject = realZod.z.object.bind(realZod.z);
+  const wrappedObject = (
+    shape?: Record<string, unknown>,
+    params?: string | Record<string, unknown>,
+  ) => {
+    const schema = originalObject(shape, params as undefined);
+    if (!injectPathlessZodError.value || !shape || Object.keys(shape).length === 0) return schema;
+    return schema.superRefine((_val, ctx) => {
+      ctx.addIssue({
+        code: realZod.z.ZodIssueCode.custom,
+        message: "Cross-field validation failed",
+        path: [],
+      });
+    });
+  };
+  return { ...realZod, z: { ...realZod.z, object: wrappedObject } };
+});
 
 const mockPush = vi.fn();
 const mockParams: { plugin?: string } = {};
@@ -441,6 +474,46 @@ describe("Plugin Toggle (Enable/Disable)", () => {
     });
     expect(screen.getByText("Create a Bot")).toBeInTheDocument();
   });
+
+  it("validateFields surfaces path-less Zod errors visibly instead of swallowing them", async () => {
+    // Enable the path-less error injection on z.object (mocked at file level)
+    injectPathlessZodError.value = true;
+
+    const user = userEvent.setup();
+    const { InstallWizard } = await import("../components/marketplace/install-wizard");
+
+    // Use the Discord plugin which has a setup step with fields
+    const discordPlugin = ALL_PLUGINS.find(
+      (p: Record<string, unknown>) => p.id === "discord",
+    ) as unknown as PluginManifest;
+
+    render(<InstallWizard plugin={discordPlugin} onComplete={vi.fn()} onCancel={vi.fn()} />);
+
+    // Select bot and advance to setup
+    const botButton = await screen.findByText("My Bot");
+    await user.click(botButton);
+    await user.click(screen.getByText("Continue"));
+
+    // Skip the first setup step (no fields — "Create a Discord Bot")
+    await user.click(screen.getByText("Continue"));
+
+    // Now on "Enter Bot Token" step — fill in a valid token so the only
+    // error left is the path-less superRefine issue we injected.
+    const tokenInput = screen.getByPlaceholderText("Paste your Discord bot token");
+    await user.type(tokenInput, "valid-token-123");
+    await user.click(screen.getByText("Continue"));
+
+    // The path-less error should surface as a _form-level banner, not be silently dropped
+    await waitFor(() => {
+      expect(screen.getByText("Cross-field validation failed")).toBeInTheDocument();
+    });
+
+    // After typing in any field the _form banner should clear immediately
+    await user.type(tokenInput, "x");
+    expect(screen.queryByText("Cross-field validation failed")).not.toBeInTheDocument();
+
+    injectPathlessZodError.value = false;
+  });
 });
 
 describe("Install Wizard Navigation", () => {

package/src/__tests__/sanitize-redirect-url.test.ts

@@ -18,6 +18,33 @@ describe("sanitizeRedirectUrl", () => {
     expect(sanitizeRedirectUrl("//evil.com/path")).toBe("/");
   });
 
+  it("rejects percent-encoded protocol-relative URLs (bypass attempt)", () => {
+    expect(sanitizeRedirectUrl("/%2F%2Fevil.com")).toBe("/");
+    expect(sanitizeRedirectUrl("/%2f%2fevil.com")).toBe("/");
+    expect(sanitizeRedirectUrl("/%2F/evil.com")).toBe("/");
+    expect(sanitizeRedirectUrl("/%252F%252Fevil.com")).toBe("/");
+  });
+
+  it("rejects backslash-relative URLs", () => {
+    expect(sanitizeRedirectUrl("/\\evil.com")).toBe("/");
+    expect(sanitizeRedirectUrl("/%5Cevil.com")).toBe("/");
+  });
+
+  it("returns / when decode loop exceeds max iterations", () => {
+    // Build a string with deeply nested encoding that requires >5 rounds to decode
+    let tail = "//evil.com";
+    for (let i = 0; i < 10; i++) {
+      tail = encodeURIComponent(tail);
+    }
+    const deeplyEncoded = `/${tail}`;
+    expect(sanitizeRedirectUrl(deeplyEncoded)).toBe("/");
+  });
+
+  it("allows valid paths with percent-encoded characters (no false rejection)", () => {
+    // /100%25 decodes to /100% — a literal % sign, not a bypass — must not be rejected
+    expect(sanitizeRedirectUrl("/100%25")).toBe("/100%25");
+  });
+
   it("falls back to / for null and undefined", () => {
     expect(sanitizeRedirectUrl(null)).toBe("/");
     expect(sanitizeRedirectUrl(undefined)).toBe("/");

package/src/__tests__/tenant-context.test.tsx

@@ -16,36 +16,32 @@ vi.mock("@/lib/trpc", () => ({
   },
 }));
 
-import { getActiveTenantId, TenantProvider, useTenant } from "@/lib/tenant-context";
-
-function createWrapper() {
+import {
+  getActiveTenantId,
+  setServerTenantId,
+  TenantProvider,
+  useTenant,
+} from "@/lib/tenant-context";
+
+function createWrapper(initialTenantId?: string) {
   const queryClient = new QueryClient({
     defaultOptions: { queries: { retry: false } },
   });
   return ({ children }: { children: React.ReactNode }) => (
     <QueryClientProvider client={queryClient}>
-      <TenantProvider>{children}</TenantProvider>
+      <TenantProvider initialTenantId={initialTenantId}>{children}</TenantProvider>
     </QueryClientProvider>
   );
 }
 
-function clearTenantCookie() {
-  // biome-ignore lint/suspicious/noDocumentCookie: test helper — mirrors production writeTenantCookie pattern
-  document.cookie = "platform_tenant_id=; path=/; max-age=0";
-}
-
-function setTenantCookie(tenantId: string) {
-  // biome-ignore lint/suspicious/noDocumentCookie: test helper — mirrors production writeTenantCookie pattern
-  document.cookie = `platform_tenant_id=${encodeURIComponent(tenantId)}; path=/`;
-}
-
 describe("useTenant", () => {
   beforeEach(() => {
-    clearTenantCookie();
+    setServerTenantId("");
     mockQuery.mockResolvedValue([]);
+    vi.stubGlobal("fetch", vi.fn().mockResolvedValue(new Response(JSON.stringify({ ok: true }))));
   });
 
-  it("defaults to the user's personal account", async () => {
+  it("defaults to the user's personal account when no initial tenant", async () => {
     const { result } = renderHook(() => useTenant(), {
       wrapper: createWrapper(),
     });
@@ -55,32 +51,26 @@ describe("useTenant", () => {
     });
 
     expect(result.current.activeTenantId).toBe("user-1");
-    expect(result.current.tenants).toEqual([
-      { id: "user-1", name: "Test User", type: "personal", image: null },
-    ]);
   });
 
-  it("includes orgs when listMyOrganizations returns results", async () => {
+  it("uses initialTenantId from server when provided", async () => {
     mockQuery.mockResolvedValue([{ id: "org-1", name: "My Team", image: null }]);
 
     const { result } = renderHook(() => useTenant(), {
-      wrapper: createWrapper(),
+      wrapper: createWrapper("org-1"),
     });
 
     await vi.waitFor(() => {
       expect(result.current.isLoading).toBe(false);
     });
 
-    expect(result.current.tenants).toHaveLength(2);
-    expect(result.current.tenants[1]).toEqual({
-      id: "org-1",
-      name: "My Team",
-      type: "org",
-      image: null,
-    });
+    expect(result.current.activeTenantId).toBe("org-1");
   });
 
-  it("persists tenant switch to cookie", async () => {
+  it("calls /api/tenant on switchTenant instead of writing document.cookie", async () => {
+    const mockFetch = vi.fn().mockResolvedValue(new Response(JSON.stringify({ ok: true })));
+    vi.stubGlobal("fetch", mockFetch);
+
     mockQuery.mockResolvedValue([{ id: "org-1", name: "My Team", image: null }]);
 
     const { result } = renderHook(() => useTenant(), {
@@ -96,15 +86,20 @@ describe("useTenant", () => {
     });
 
     expect(result.current.activeTenantId).toBe("org-1");
-    expect(document.cookie).toContain("platform_tenant_id=org-1");
+    expect(mockFetch).toHaveBeenCalledWith(
+      "/api/tenant",
+      expect.objectContaining({
+        method: "POST",
+        body: JSON.stringify({ tenantId: "org-1" }),
+      }),
+    );
   });
 
   it("falls back to personal if stored tenant is not in list", async () => {
-    setTenantCookie("org-deleted");
     mockQuery.mockResolvedValue([]);
 
     const { result } = renderHook(() => useTenant(), {
-      wrapper: createWrapper(),
+      wrapper: createWrapper("org-deleted"),
     });
 
     await vi.waitFor(() => {
@@ -132,15 +127,15 @@ describe("useTenant", () => {
 
 describe("getActiveTenantId", () => {
   beforeEach(() => {
-    clearTenantCookie();
+    setServerTenantId("");
   });
 
-  it("returns stored tenant ID from cookie", () => {
-    setTenantCookie("org-1");
+  it("returns the server-injected tenant ID", () => {
+    setServerTenantId("org-1");
     expect(getActiveTenantId()).toBe("org-1");
   });
 
-  it("returns empty string when nothing stored", () => {
+  it("returns empty string when nothing set", () => {
     expect(getActiveTenantId()).toBe("");
   });
 });

package/src/app/(dashboard)/onboarding/page.tsx

@@ -23,6 +23,7 @@ import {
   saveOnboardingState,
 } from "@/lib/onboarding-store";
 
+const homePath = () => getBrandConfig().homePath;
 const MAX_STEP = 2;
 
 export default function OnboardingPage() {
@@ -34,7 +35,7 @@ export default function OnboardingPage() {
   // biome-ignore lint/correctness/useExhaustiveDependencies: router.push is stable; using [router] causes infinite re-renders
   useEffect(() => {
     if (isOnboardingComplete()) {
-      router.push("/marketplace");
+      router.push(homePath());
       return;
     }
     const saved = loadOnboardingState();
@@ -85,12 +86,12 @@ export default function OnboardingPage() {
       plugins: preset?.plugins ?? state.plugins,
     });
     markOnboardingComplete();
-    router.push("/marketplace");
+    router.push(homePath());
   }
 
   function handleSkip() {
     markOnboardingComplete();
-    router.push("/marketplace");
+    router.push(homePath());
   }
 
   const selectedPresetData = presets.find((p) => p.id === selectedPreset);

package/src/app/api/tenant/route.ts

@@ -0,0 +1,50 @@
+import { NextResponse } from "next/server";
+import { getBrandConfig } from "@/lib/brand-config";
+
+/** Tenant IDs are UUIDs or alphanumeric identifiers — reject anything suspicious. */
+const TENANT_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // 30 days
+
+function cookieName(): string {
+  return getBrandConfig().tenantCookieName;
+}
+
+export async function POST(request: Request): Promise<NextResponse> {
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  const tenantId =
+    typeof body === "object" && body !== null && "tenantId" in body
+      ? (body as Record<string, unknown>).tenantId
+      : undefined;
+
+  if (typeof tenantId !== "string" || !tenantId || !TENANT_ID_PATTERN.test(tenantId)) {
+    return NextResponse.json({ error: "Invalid tenantId" }, { status: 400 });
+  }
+
+  const response = NextResponse.json({ ok: true });
+  response.cookies.set(cookieName(), tenantId, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    path: "/",
+    maxAge: MAX_AGE_SECONDS,
+  });
+  return response;
+}
+
+export async function DELETE(): Promise<NextResponse> {
+  const response = NextResponse.json({ ok: true });
+  response.cookies.set(cookieName(), "", {
+    httpOnly: true,
+    secure: true,
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0,
+  });
+  return response;
+}

package/src/app/instances/[id]/instance-detail-client.tsx

@@ -67,11 +67,9 @@ import {
   renameInstance,
   restoreSnapshot,
   toggleInstancePlugin,
-  updateInstanceBudget,
   updateInstanceConfig,
   updateInstanceSecrets,
 } from "@/lib/api";
-import { getBrandConfig } from "@/lib/brand-config";
 import { toUserMessage } from "@/lib/errors";
 import { cn } from "@/lib/utils";
 
@@ -118,10 +116,6 @@ export function InstanceDetailClient({ instanceId }: { instanceId: string }) {
   const [renaming, setRenaming] = useState(false);
   const [renameValue, setRenameValue] = useState("");
   const [renameSaving, setRenameSaving] = useState(false);
-  const [budgetCents, setBudgetCents] = useState<number>(0);
-  const [budgetSaving, setBudgetSaving] = useState(false);
-  const [budgetError, setBudgetError] = useState<string | null>(null);
-
   useEffect(() => {
     if (!configText.trim()) return;
     try {
@@ -193,7 +187,6 @@ export function InstanceDetailClient({ instanceId }: { instanceId: string }) {
       const data = await getInstance(instanceId);
       setInstance(data);
       setConfigText(JSON.stringify(data.config, null, 2));
-      if (data.budgetCents !== undefined) setBudgetCents(data.budgetCents);
     } catch (err) {
       setError(toUserMessage(err, "Failed to load instance"));
     } finally {
@@ -306,19 +299,6 @@ export function InstanceDetailClient({ instanceId }: { instanceId: string }) {
     }
   }
 
-  async function handleSaveBudget() {
-    setBudgetSaving(true);
-    setBudgetError(null);
-    try {
-      await updateInstanceBudget(instanceId, budgetCents);
-      await load();
-    } catch (err) {
-      setBudgetError(toUserMessage(err, "Failed to update budget"));
-    } finally {
-      setBudgetSaving(false);
-    }
-  }
-
   async function handleCreateSnapshot() {
     setSnapshotsError(null);
     setCreating(true);
@@ -496,16 +476,6 @@ export function InstanceDetailClient({ instanceId }: { instanceId: string }) {
               </Badge>
             )}
             <span>{instance.provider}</span>
-            {instance.subdomain && (
-              <a
-                href={`https://${instance.subdomain}.${getBrandConfig().domain}`}
-                target="_blank"
-                rel="noopener noreferrer"
-                className="font-mono text-xs text-terminal hover:underline"
-              >
-                {instance.subdomain}.{getBrandConfig().domain}
-              </a>
-            )}
           </div>
         </div>
         <div className="flex gap-2">
@@ -599,48 +569,6 @@ export function InstanceDetailClient({ instanceId }: { instanceId: string }) {
             <MetricCard title="Active Sessions" value={String(instance.sessions.length)} />
             <MetricCard title="Created" value={new Date(instance.createdAt).toLocaleDateString()} />
           </div>
-
-          {/* Budget management — shown when backend provides budget data */}
-          {instance.budgetCents !== undefined && (
-            <Card className="mt-4">
-              <CardHeader className="pb-3">
-                <CardTitle className="text-sm font-medium">Spending Budget</CardTitle>
-              </CardHeader>
-              <CardContent className="space-y-4">
-                <div className="flex items-center justify-between">
-                  <span className="text-2xl font-bold font-mono">
-                    ${(budgetCents / 100).toFixed(2)}
-                  </span>
-                  <span className="text-xs text-muted-foreground">per month</span>
-                </div>
-                <input
-                  type="range"
-                  min={0}
-                  max={10000}
-                  step={100}
-                  value={budgetCents}
-                  onChange={(e) => setBudgetCents(Number(e.target.value))}
-                  className="w-full accent-terminal"
-                  aria-label="Budget slider"
-                />
-                <div className="flex items-center justify-between text-xs text-muted-foreground">
-                  <span>$0</span>
-                  <span>$100</span>
-                </div>
-                {budgetError && <p className="text-sm text-destructive">{budgetError}</p>}
-                <div className="flex justify-end">
-                  <Button
-                    size="sm"
-                    variant="terminal"
-                    onClick={handleSaveBudget}
-                    disabled={budgetSaving || budgetCents === instance.budgetCents}
-                  >
-                    {budgetSaving ? "Saving..." : "Update Budget"}
-                  </Button>
-                </div>
-              </CardContent>
-            </Card>
-          )}
         </TabsContent>
 
         {/* Health Tab */}

package/src/app/layout.tsx

@@ -57,7 +57,9 @@ export default async function RootLayout({
 }: Readonly<{
   children: React.ReactNode;
 }>) {
-  const nonce = (await headers()).get("x-nonce") ?? undefined;
+  const headersList = await headers();
+  const nonce = headersList.get("x-nonce") ?? undefined;
+  const initialTenantId = headersList.get("x-tenant-id") ?? "";
 
   return (
     <html lang="en" suppressHydrationWarning>
@@ -71,7 +73,7 @@ export default async function RootLayout({
             disableTransitionOnChange
             nonce={nonce}
           >
-            <TRPCProvider>
+            <TRPCProvider initialTenantId={initialTenantId}>
               {children}
               <Toaster theme="dark" richColors />
             </TRPCProvider>

package/src/components/auth/auth-redirect.tsx

@@ -3,6 +3,7 @@
 import { useRouter } from "next/navigation";
 import { useEffect } from "react";
 import { useSession } from "@/lib/auth-client";
+import { getBrandConfig } from "@/lib/brand-config";
 
 export function AuthRedirect() {
   const { data: session, isPending } = useSession();
@@ -10,7 +11,7 @@ export function AuthRedirect() {
 
   useEffect(() => {
     if (!isPending && session) {
-      router.replace("/marketplace");
+      router.replace(getBrandConfig().homePath);
     }
   }, [isPending, session, router]);
 

package/src/components/chat/chat-panel.tsx

@@ -25,7 +25,7 @@ const panelVariants = {
     opacity: 1,
     y: 0,
     scale: 1,
-    transition: { type: "spring", damping: 25, stiffness: 300 },
+    transition: { type: "spring" as const, damping: 25, stiffness: 300 },
   },
   exit: { opacity: 0, y: 20, scale: 0.95, transition: { duration: 0.15 } },
 };

package/src/components/marketplace/install-wizard.tsx

@@ -174,6 +174,7 @@ export function InstallWizard({ plugin, onComplete, onCancel }: InstallWizardPro
     setErrors((prev) => {
       const next = { ...prev };
       delete next[key];
+      delete next._form;
       return next;
     });
   }, []);
@@ -211,8 +212,16 @@ export function InstallWizard({ plugin, onComplete, onCancel }: InstallWizardPro
     }
     const stepErrors: Record<string, string> = {};
     for (const issue of result.error.issues) {
-      const key = issue.path[0] as string;
-      stepErrors[key] = issue.message;
+      if (issue.path.length > 0) {
+        const key = issue.path[0] as string;
+        stepErrors[key] = issue.message;
+      } else {
+        // Object-level errors (refinements, superRefine, union discriminants) have empty path.
+        // Collect under _form so they render in a general error area.
+        stepErrors._form = stepErrors._form
+          ? `${stepErrors._form}. ${issue.message}`
+          : issue.message;
+      }
     }
     setErrors(stepErrors);
     return false;
@@ -608,6 +617,7 @@ function SetupStepForm({
 
   return (
     <div className="space-y-4">
+      {errors._form && <p className="text-xs text-destructive">{errors._form}</p>}
       {step.instruction && <p className="text-sm text-muted-foreground">{step.instruction}</p>}
       {step.externalUrl && (
         <a

package/src/components/sidebar.tsx

@@ -17,25 +17,13 @@ import {
 import { Skeleton } from "@/components/ui/skeleton";
 import { getCreditBalance } from "@/lib/api";
 import { signOut, useSession } from "@/lib/auth-client";
-import { productName } from "@/lib/brand-config";
+import { getBrandConfig, productName } from "@/lib/brand-config";
 import { formatCreditStandard } from "@/lib/format-credit";
 import { cn } from "@/lib/utils";
 
-const navItems = [
-  { label: "Dashboard", href: "/dashboard" },
-  { label: "Chat", href: "/chat" },
-  { label: "Marketplace", href: "/marketplace" },
-  { label: "Channels", href: "/channels" },
-  { label: "Plugins", href: "/plugins" },
-  { label: "Instances", href: "/instances" },
-  { label: "Changesets", href: "/changesets" },
-  { label: "Network", href: "/dashboard/network" },
-  { label: "Fleet Health", href: "/fleet/health" },
-  { label: "Credits", href: "/billing/credits" },
-  { label: "Billing", href: "/billing/plans" },
-  { label: "Settings", href: "/settings/profile" },
-  { label: "Admin", href: "/admin/tenants" },
-];
+function getNavItems() {
+  return getBrandConfig().navItems;
+}
 
 function isNavActive(href: string, pathname: string): boolean {
   if (href === "/dashboard") return pathname === "/dashboard";
@@ -104,7 +92,7 @@ export function SidebarContent({ onNavigate }: { onNavigate?: () => void }) {
       </div>
       <AccountSwitcher />
       <nav className="flex-1 space-y-1 px-3 py-4">
-        {navItems
+        {getNavItems()
           .filter(
             (item) =>
               item.href !== "/admin/tenants" ||

package/src/lib/api.ts

@@ -61,8 +61,6 @@ export interface Instance {
   plugins: PluginInfo[];
   uptime: number | null;
   createdAt: string;
-  subdomain?: string;
-  nodeId?: string;
 }
 
 export interface PluginInfo {
@@ -95,8 +93,6 @@ export interface InstanceDetail extends Instance {
     memoryMb: number;
     cpuPercent: number;
   };
-  budgetCents?: number;
-  perAgentCents?: number;
 }
 
 // --- API client ---
@@ -323,7 +319,6 @@ export async function getInstance(id: string): Promise<InstanceDetail> {
     id,
   })) as BotStatusResponse;
   const uptimeMs = bot.uptime ? new Date(bot.uptime).getTime() : NaN;
-  const extra = bot as Record<string, unknown>;
   return {
     id: bot.id,
     name: bot.name,
@@ -333,8 +328,6 @@ export async function getInstance(id: string): Promise<InstanceDetail> {
     plugins: parsePluginsFromEnv(bot.env as Record<string, string> | undefined),
     uptime: Number.isNaN(uptimeMs) ? null : Math.floor((Date.now() - uptimeMs) / 1000),
     createdAt: (bot.createdAt as string | undefined) ?? new Date().toISOString(),
-    subdomain: (extra.subdomain as string | undefined) ?? undefined,
-    nodeId: (extra.nodeId as string | undefined) ?? undefined,
     config: bot.env ?? {},
     channelDetails: [],
     sessions: [],
@@ -342,8 +335,6 @@ export async function getInstance(id: string): Promise<InstanceDetail> {
       memoryMb: bot.stats?.memoryUsageMb ?? 0,
       cpuPercent: bot.stats?.cpuPercent ?? 0,
     },
-    budgetCents: typeof extra.budgetCents === "number" ? extra.budgetCents : undefined,
-    perAgentCents: typeof extra.perAgentCents === "number" ? extra.perAgentCents : undefined,
   };
 }
 
@@ -471,18 +462,6 @@ export async function updateInstanceConfig(id: string, env: Record<string, strin
   });
 }
 
-/** PUT /api/provision/budget — Update instance spending budget. */
-export async function updateInstanceBudget(
-  id: string,
-  budgetCents: number,
-  perAgentCents?: number,
-): Promise<void> {
-  await apiFetch("/provision/budget", {
-    method: "PUT",
-    body: JSON.stringify({ instanceId: id, budgetCents, perAgentCents }),
-  });
-}
-
 /** PATCH /fleet/bots/:id — Rename a bot instance. */
 export async function renameInstance(id: string, name: string): Promise<void> {
   await fleetFetch(`/bots/${id}`, {

package/src/lib/brand-config.ts

@@ -53,6 +53,19 @@ export interface BrandConfig {
 
   /** Base pricing display string (e.g. "$5/month") */
   price: string;
+
+  /**
+   * Post-auth redirect path (default "/marketplace").
+   *
+   * The Next.js middleware reads this from NEXT_PUBLIC_BRAND_HOME_PATH
+   * at build time. setBrandConfig({ homePath }) only affects client-side
+   * redirects. Brand shells must set the env var AND call setBrandConfig
+   * to keep both paths in sync.
+   */
+  homePath: string;
+
+  /** Sidebar navigation items. Each has a label and href. */
+  navItems: Array<{ label: string; href: string }>;
 }
 
 /**
@@ -87,6 +100,22 @@ function envDefaults(): BrandConfig {
     tenantCookieName: env("NEXT_PUBLIC_BRAND_TENANT_COOKIE") || `${storagePrefix}_tenant_id`,
     companyLegalName: env("NEXT_PUBLIC_BRAND_COMPANY_LEGAL") || "Platform Inc.",
     price: env("NEXT_PUBLIC_BRAND_PRICE"),
+    homePath: env("NEXT_PUBLIC_BRAND_HOME_PATH") || "/marketplace",
+    navItems: [
+      { label: "Dashboard", href: "/dashboard" },
+      { label: "Chat", href: "/chat" },
+      { label: "Marketplace", href: "/marketplace" },
+      { label: "Channels", href: "/channels" },
+      { label: "Plugins", href: "/plugins" },
+      { label: "Instances", href: "/instances" },
+      { label: "Changesets", href: "/changesets" },
+      { label: "Network", href: "/dashboard/network" },
+      { label: "Fleet Health", href: "/fleet/health" },
+      { label: "Credits", href: "/billing/credits" },
+      { label: "Billing", href: "/billing/plans" },
+      { label: "Settings", href: "/settings/profile" },
+      { label: "Admin", href: "/admin/tenants" },
+    ],
   };
 }
 

package/src/lib/tenant-context.tsx

@@ -3,28 +3,44 @@
 import { useQueryClient } from "@tanstack/react-query";
 import { createContext, useCallback, useContext, useEffect, useMemo, useState } from "react";
 import { useSession } from "@/lib/auth-client";
-import { getBrandConfig } from "@/lib/brand-config";
 import { trpcVanilla } from "@/lib/trpc";
 
-const COOKIE_NAME = getBrandConfig().tenantCookieName;
-
-function readTenantCookie(): string {
-  if (typeof document === "undefined") return "";
-  const match = document.cookie.split("; ").find((row) => row.startsWith(`${COOKIE_NAME}=`));
-  return match ? decodeURIComponent(match.split("=")[1]) : "";
-}
+/**
+ * Module-level tenant ID, set by TenantProvider from the server-injected value.
+ * Read by getActiveTenantId() for non-React callers (apiFetch, tRPC, SSE hooks).
+ */
+let _activeTenantId = "";
 
-function writeTenantCookie(tenantId: string): void {
-  // biome-ignore lint/suspicious/noDocumentCookie: intentional session cookie write (security: tenant ID moved out of localStorage)
-  document.cookie = `${COOKIE_NAME}=${encodeURIComponent(tenantId)}; path=/; SameSite=Lax; Secure`;
+/**
+ * Set the active tenant ID from server context (called by TenantProvider on mount
+ * and on tenant switch). Also used by tests.
+ *
+ * @internal Not for production code. Import in tests only.
+ */
+export function setServerTenantId(tenantId: string): void {
+  _activeTenantId = tenantId;
 }
 
 /**
- * Read the active tenant ID from a session cookie.
+ * Read the active tenant ID.
  * Used by non-React code (apiFetch, trpc client) to inject X-Tenant-Id headers.
  */
 export function getActiveTenantId(): string {
-  return readTenantCookie();
+  return _activeTenantId;
+}
+
+/** Persist tenant selection via HttpOnly cookie (server-side). */
+async function persistTenantSelection(tenantId: string): Promise<void> {
+  try {
+    await fetch("/api/tenant", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ tenantId }),
+    });
+  } catch {
+    // Best-effort — cookie will be stale on next hard navigation but
+    // in-memory state is already updated for the current session.
+  }
 }
 
 export interface TenantOption {
@@ -43,16 +59,20 @@ export interface TenantContextValue {
 
 const TenantContext = createContext<TenantContextValue | null>(null);
 
-export function TenantProvider({ children }: { children: React.ReactNode }) {
+interface TenantProviderProps {
+  children: React.ReactNode;
+  /** Server-injected tenant ID from the HttpOnly cookie (read in middleware → layout). */
+  initialTenantId?: string;
+}
+
+export function TenantProvider({ children, initialTenantId = "" }: TenantProviderProps) {
   const { data: session, isPending: sessionPending } = useSession();
   const queryClient = useQueryClient();
   const user = session?.user;
 
   const [orgs, setOrgs] = useState<Array<{ id: string; name: string; image?: string | null }>>([]);
   const [orgsLoaded, setOrgsLoaded] = useState(false);
-  const [activeTenantId, setActiveTenantId] = useState<string>(() => {
-    return readTenantCookie();
-  });
+  const [activeTenantId, setActiveTenantId] = useState<string>(initialTenantId);
 
   // Fetch orgs once user is available
   useEffect(() => {
@@ -101,10 +121,20 @@ export function TenantProvider({ children }: { children: React.ReactNode }) {
     return user.id;
   }, [user, activeTenantId, tenants]);
 
+  // Keep module-level var in sync with resolved value.
+  // Guard on truthy value so an initial render with user=null (resolvedTenantId="")
+  // does not overwrite a value already set by switchTenant or SSR hydration.
+  useEffect(() => {
+    if (resolvedTenantId) {
+      _activeTenantId = resolvedTenantId;
+    }
+  }, [resolvedTenantId]);
+
   const switchTenant = useCallback(
     (tenantId: string) => {
       setActiveTenantId(tenantId);
-      writeTenantCookie(tenantId);
+      _activeTenantId = tenantId;
+      persistTenantSelection(tenantId);
       queryClient.invalidateQueries();
     },
     [queryClient],

package/src/lib/trpc.tsx

@@ -59,7 +59,10 @@ function getQueryClient(): QueryClient {
   return browserQueryClient;
 }
 
-export function TRPCProvider({ children }: Readonly<{ children: React.ReactNode }>) {
+export function TRPCProvider({
+  children,
+  initialTenantId,
+}: Readonly<{ children: React.ReactNode; initialTenantId?: string }>) {
   const queryClient = getQueryClient();
   const [trpcClient] = useState(() =>
     trpc.createClient({
@@ -79,7 +82,7 @@ export function TRPCProvider({ children }: Readonly<{ children: React.ReactNode
   return (
     <trpc.Provider client={trpcClient} queryClient={queryClient}>
       <QueryClientProvider client={queryClient}>
-        <TenantProvider>{children}</TenantProvider>
+        <TenantProvider initialTenantId={initialTenantId}>{children}</TenantProvider>
       </QueryClientProvider>
     </trpc.Provider>
   );

package/src/lib/utils.test.ts

@@ -33,6 +33,15 @@ describe("sanitizeRedirectUrl", () => {
     expect(sanitizeRedirectUrl("//evil.com")).toBe("/");
   });
 
+  it("rejects percent-encoded protocol-relative URLs", () => {
+    expect(sanitizeRedirectUrl("/%2F%2Fevil.com")).toBe("/");
+    expect(sanitizeRedirectUrl("/%2f%2fevil.com")).toBe("/");
+  });
+
+  it("rejects double-encoded protocol-relative URLs", () => {
+    expect(sanitizeRedirectUrl("/%252F%252Fevil.com")).toBe("/");
+  });
+
   it("rejects absolute URLs", () => {
     expect(sanitizeRedirectUrl("https://evil.com")).toBe("/");
   });

package/src/lib/utils.ts

@@ -7,12 +7,43 @@ export function cn(...inputs: ClassValue[]) {
 
 /**
  * Validate a redirect URL is a safe relative path.
- * Accepts paths starting with "/" but rejects protocol-relative URLs like "//evil.com".
+ * Fully decodes percent-encoding (up to 5 iterations) then rejects
+ * protocol-relative URLs ("//evil.com") and backslash-relative URLs ("/\evil.com").
  * Falls back to "/" for any unsafe value.
  */
 export function sanitizeRedirectUrl(raw: string | null | undefined): string {
-  if (raw?.startsWith("/") && !raw.startsWith("//")) {
-    return raw;
+  if (!raw?.startsWith("/")) {
+    return "/";
   }
-  return "/";
+
+  // Decode percent-encoding to catch bypass attempts like /%2F%2Fevil.com or /%5Cevil.com.
+  // Loop because double-encoding is possible (/%252F → /%2F → //).
+  // Cap iterations to prevent abuse via deeply nested encoding.
+  // On URIError mid-loop, stop at the last stable decode — e.g. /100%25 → /100% is valid.
+  const MAX_DECODE_ITERATIONS = 5;
+  let decoded = raw;
+  let iterations = 0;
+  while (iterations < MAX_DECODE_ITERATIONS) {
+    let next: string;
+    try {
+      next = decodeURIComponent(decoded);
+    } catch {
+      // Malformed percent-encoding in remainder — stop at current stable value
+      break;
+    }
+    if (next === decoded) {
+      break;
+    }
+    decoded = next;
+    iterations++;
+  }
+  if (iterations >= MAX_DECODE_ITERATIONS) {
+    return "/";
+  }
+
+  if (decoded.startsWith("//") || decoded.startsWith("/\\")) {
+    return "/";
+  }
+
+  return raw;
 }

package/src/proxy.ts

@@ -1,5 +1,7 @@
 import { type NextRequest, NextResponse } from "next/server";
+import { getBrandConfig } from "@/lib/brand-config";
 import { logger } from "@/lib/logger";
+import { sanitizeRedirectUrl } from "@/lib/utils";
 
 const log = logger("middleware");
 
@@ -78,6 +80,15 @@ const CSRF_EXEMPT_AUTH_PATHS = [
 
 const PLATFORM_BASE_URL = process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:3001";
 
+const TENANT_COOKIE_NAME = getBrandConfig().tenantCookieName;
+
+/** Post-auth landing page — configurable per brand (default: /marketplace). */
+const HOME_PATH = (() => {
+  const p = (process.env.NEXT_PUBLIC_BRAND_HOME_PATH || "/marketplace").trim();
+  if (!p || /^https?:\/\//i.test(p)) return "/marketplace";
+  return p.startsWith("/") ? p : `/${p}`;
+})();
+
 /**
  * Validate that a state-changing request originates from this application.
  * Checks the Origin header (preferred) with Referer as fallback.
@@ -167,6 +178,18 @@ export default async function middleware(request: NextRequest) {
   function nextWithNonce(): NextResponse {
     const requestHeaders = new Headers(request.headers);
     requestHeaders.set("x-nonce", nonce);
+
+    // Strip any client-supplied x-tenant-id before conditionally setting from the
+    // trusted HttpOnly cookie. Without this delete, a client that sends their own
+    // x-tenant-id header could spoof a tenant when no cookie is present.
+    requestHeaders.delete("x-tenant-id");
+
+    // Forward HttpOnly tenant cookie as request header for server components
+    const tenantCookie = request.cookies.get(TENANT_COOKIE_NAME);
+    if (tenantCookie?.value) {
+      requestHeaders.set("x-tenant-id", tenantCookie.value);
+    }
+
     return NextResponse.next({ request: { headers: requestHeaders } });
   }
 
@@ -182,7 +205,7 @@ export default async function middleware(request: NextRequest) {
   }
 
   // Redirect authenticated users from "/" to the app subdomain if on the marketing domain.
-  // On the app subdomain, redirect to /marketplace. On the base domain, redirect to app subdomain.
+  // On the app subdomain, redirect to HOME_PATH. On the base domain, redirect to app subdomain.
   // NOTE: This check requires the Better Auth server to set the session cookie with
   // domain=".<base-domain>" so it is visible on both the app and marketing subdomains.
   // See: wopr-platform/src/auth/better-auth.ts advanced.cookies.session_token.attributes.domain
@@ -195,10 +218,12 @@ export default async function middleware(request: NextRequest) {
         process.env.NEXT_PUBLIC_BRAND_APP_DOMAIN || process.env.NEXT_PUBLIC_APP_DOMAIN;
       if (appDomain && !host.startsWith("app.")) {
         // On marketing domain — redirect to the app subdomain
-        return withCsp(NextResponse.redirect(new URL(`https://${appDomain}/marketplace`)));
+        const appUrl = new URL(`https://${appDomain}`);
+        appUrl.pathname = HOME_PATH;
+        return withCsp(NextResponse.redirect(appUrl));
       }
-      // On app subdomain (or no configured app domain) — redirect to /marketplace
-      return withCsp(NextResponse.redirect(new URL("/marketplace", request.url)));
+      // On app subdomain (or no configured app domain) — redirect to home
+      return withCsp(NextResponse.redirect(new URL(HOME_PATH, request.url)));
     }
   }
 
@@ -212,7 +237,7 @@ export default async function middleware(request: NextRequest) {
     if (sessionCookie?.value.trim()) {
       const role = await getSessionRole(request);
       if (role !== "platform_admin") {
-        return withCsp(NextResponse.redirect(new URL("/marketplace", request.url)));
+        return withCsp(NextResponse.redirect(new URL(HOME_PATH, request.url)));
       }
       // Admin confirmed — serve page with anti-cache headers so revocation
       // is detected on the very next navigation (browser must revalidate).
@@ -246,7 +271,7 @@ export default async function middleware(request: NextRequest) {
 
   if (!sessionToken || !sessionToken.value.trim()) {
     const loginUrl = new URL("/login", request.url);
-    loginUrl.searchParams.set("callbackUrl", pathname);
+    loginUrl.searchParams.set("callbackUrl", sanitizeRedirectUrl(pathname));
     return withCsp(NextResponse.redirect(loginUrl));
   }
 

package/.env.paperclip

@@ -1,18 +0,0 @@
-# Paperclip Brand Configuration
-# Copy to .env.local to deploy as Paperclip
-NEXT_PUBLIC_BRAND_PRODUCT_NAME="Paperclip"
-NEXT_PUBLIC_BRAND_NAME="Paperclip"
-NEXT_PUBLIC_BRAND_DOMAIN="runpaperclip.com"
-NEXT_PUBLIC_BRAND_APP_DOMAIN="app.runpaperclip.com"
-NEXT_PUBLIC_BRAND_TAGLINE="AI agents that run your business."
-NEXT_PUBLIC_BRAND_EMAIL_PRIVACY="privacy@runpaperclip.com"
-NEXT_PUBLIC_BRAND_EMAIL_LEGAL="legal@runpaperclip.com"
-NEXT_PUBLIC_BRAND_EMAIL_SUPPORT="support@runpaperclip.com"
-NEXT_PUBLIC_BRAND_DEFAULT_IMAGE="ghcr.io/wopr-network/wopr:latest"
-NEXT_PUBLIC_BRAND_STORAGE_PREFIX="paperclip"
-NEXT_PUBLIC_BRAND_EVENT_PREFIX="paperclip"
-NEXT_PUBLIC_BRAND_ENV_PREFIX="PAPERCLIP"
-NEXT_PUBLIC_BRAND_TOOL_PREFIX="paperclip"
-NEXT_PUBLIC_BRAND_TENANT_COOKIE="paperclip_tenant_id"
-NEXT_PUBLIC_BRAND_COMPANY_LEGAL="Paperclip AI Inc."
-NEXT_PUBLIC_BRAND_PRICE="$5/month"