npm - minutework - Versions diffs - 0.1.32 → 0.1.33 - Mend

minutework 0.1.32 → 0.1.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

package/assets/claude-local/skills/README.md CHANGED Viewed

@@ -15,6 +15,8 @@ receive:
 - Builder should compose shared substrate before generating bespoke tenant code
 - `tenant-app` is the combined public plus private web starter
+- `tenant-app` auth/data uses `@minutework/web-auth` and thin `src/mw/`
+  substrate, not per-app auth/gateway BFF routes
 - `mw.core.site` is a runtime baseline capability
 - tenant public authoring is runtime/CMS-backed through `mw.core.site`
 - Vuilder-owned public sites use `vuilder-public-site` and public-dj CMS

package/assets/claude-local/skills/app-pack-authoring/SKILL.md CHANGED Viewed

@@ -16,6 +16,19 @@ An `app pack` is the shipped product unit.
   contract boundaries.
 - Start with declarative schema/manifests and add code surfaces only when needed.
 - Use `tenant-app` for the combined public-site plus private-app web surface.
+- `tenant-app` auth/data must stay on the frozen `@minutework/web-auth`
+  contract. Wire it through the thin `src/mw/` substrate only; do not add
+  per-app `src/app/api/auth/*`, `src/app/api/gateway/*`, platform-session BFF
+  layers, platform credential login screens, operator-console links, or
+  runtime-command demos.
+- Browser calls from `tenant-app` should use `mw.query(...)` and
+  `mw.action(..., { idempotencyKey })`; actions require a non-empty
+  idempotency key. The runtime surface must be declared on the manifest with
+  `webCustomerExposed` / `web_customer_exposed`, and V1 customer roles are
+  `customer` only.
+- The authenticated `tenant-app` principal is `tenant_customer`. Do not model
+  the generated customer app as an operator/platform-session app, and do not
+  persist bearer/session/runtime tokens in browser JavaScript.
 - Use `sidecar` for internal APIs, workers, integrations, or Python-heavy compute.
 - For member-facing collaboration and operator workflows, check shell fit first
   before proposing standalone `tenant-app` routes or dashboards.
@@ -77,7 +90,7 @@ An `app pack` is the shipped product unit.
   `SCHEMA_KEY_UPSERT_REGISTRY` may ship in the active manifest.
 - For `mw.core.site.form`, do not author `form_key` or `app_pack_ref` inside
   `data`; the install pipe injects both. Keep `surface_key == form_key` for
-  public intake BFFs.
+  public intake gateway handling.
 - For `mw.runtime.agent`, use `logical_key` as the runtime `Agent.slug`.
   Author stable agent fields in `data` such as `name`, `system_instruction`,
   `enabled_tools`, `trigger_intents`, `channels_enabled`, and

package/assets/claude-local/skills/contract-first-public-intake/SKILL.md CHANGED Viewed

@@ -35,6 +35,14 @@ guest-continuity threads, public submission routing, or claim-after-auth flows.
 - Post-auth continuation stays on the existing `handoff_key` and flows through
   `apply_post_auth_access_policy()`. Do not invent automatic membership upgrades
   or a parallel claim token model.
+- Tenant web auth `claimRef` is an opaque platform-signed handoff claim token,
+  not a raw `PublicHandoff.id` or `core:public_handoff:*` ref. A `tenant-app`
+  may pass that token through `@minutework/web-auth` signup, but platform must
+  store it pending verification and link only after the authenticating email is
+  verified, the signed handoff is bound to that verified identity, and
+  `apply_post_auth_access_policy()` succeeds.
+- Do not create customer identity claims during unverified signup. Anonymous or
+  unbound handoffs must not be auto-linked.
 ## Privacy And Prompt Semantics
@@ -65,9 +73,9 @@ guest-continuity threads, public submission routing, or claim-after-auth flows.
   source that can drive later `action:` or `flow:` execution.
 - Do not gate public intake render on a hardcoded client-side token
   allowlist. The handoff token is a platform-issued, server-validated
-  payload; the workspace UI should pass it through to the BFF and let the
-  platform decide validity. A client-side allowlist drifts from the real
-  token registry and silently breaks once real tokens are minted.
+  payload; the workspace UI should pass it through to the hosted gateway/auth
+  path and let the platform decide validity. A client-side allowlist drifts
+  from the real token registry and silently breaks once real tokens are minted.
 ## Vuilder Vertical Onboarding

package/assets/claude-local/skills/generated-workspace-architecture/SKILL.md CHANGED Viewed

@@ -22,13 +22,20 @@ the monorepo or a live tenant runtime.
 - `tenant-app`, optional `sidecar`, and the optional `mobile` starter are
   implementation surfaces inside the tenant product, not the whole architecture.
 - `tenant-app` is the combined public plus private web starter.
+- In `tenant-app`, keep MinuteWork web auth/data access inside the thin
+  `src/mw/` substrate and `@minutework/web-auth`. Product UI may call that
+  substrate, but it must not recreate platform-session BFF routes, platform
+  credential login, or browser-exposed platform/runtime tokens.
+- `tenant-app` runtime data access goes through `mw.query(...)` and
+  `mw.action(..., { idempotencyKey })` against manifest-declared
+  `webCustomerExposed` / `web_customer_exposed` customer surfaces.
 - A mobile / native client (Expo, React Native, native iOS/Android) is a
   standalone-client exception authored in the `mobile` starter, not in
   `tenant-app` or `sidecar`. It is a direct platform API client that consumes
   the platform native-token API (`/api/v1/native/...`) directly with a
-  platform-issued native session token, rather than the `tenant-app` BFF cookie
-  session. The mobile starter remains npm-owned standalone app code and should
-  not be added to the generated root `pnpm-workspace.yaml`.
+  platform-issued native session token, rather than the `tenant-app` web SDK /
+  hosted-cookie session. The mobile starter remains npm-owned standalone app
+  code and should not be added to the generated root `pnpm-workspace.yaml`.
 - If the `mobile` starter is enabled (`starters.mobile.enabled`), read
   `standalone-mobile-client/SKILL.md` before proposing the mobile surface.
 - `vuilder-public-site` is a Vuilder-owned public-site authoring workspace for

package/assets/claude-local/skills/published-web-and-mw-core-site/SKILL.md CHANGED Viewed

@@ -20,18 +20,21 @@ flows, or the default MinuteWork site model.
   runtime-canonical through `mw.core.site` and installed app-pack data.
 - `tenant-app` is the combined web starter for public routes plus the private
   `/app` workspace.
+- Do not add a server-only public content token adapter to `tenant-app`.
+  Public content should come from hosted published releases/snapshots or
+  gateway-approved public-content routes over the MinuteWork substrate, not
+  from a baked-in platform token in the generated app.
 - Author public content against runtime/CMS records, not a fixed in-repo site
   starter.
 - For contract-first intake pipeline decisions, also read
   `contract-first-public-intake/SKILL.md`.
 - Use `published-web` and hosted public-release flows for anonymous delivery by
   default.
-- `MW_PUBLIC_CONTENT_SOURCE` selects the public content adapter mode.
-- `MW_CONTENT_API_TOKEN`, `MW_PUBLIC_SITE_PROPERTY_KEY`, and
-  `MW_PUBLIC_SITE_ENV` are required only for `MW_PUBLIC_CONTENT_SOURCE=minutework_cms`.
-- `MW_STATIC_PUBLIC_CONTENT_PATH` is used for `MW_PUBLIC_CONTENT_SOURCE=static_json`.
-- `MW_PUBLIC_SITE_ENV=preview` is for preview or draft-safe reads.
-- `MW_PUBLIC_SITE_ENV=live` is for publication-safe reads only.
+- Legacy starter variables such as `MW_PUBLIC_CONTENT_SOURCE`,
+  `MW_CONTENT_API_TOKEN`, `MW_PUBLIC_SITE_PROPERTY_KEY`,
+  `MW_STATIC_PUBLIC_CONTENT_PATH`, and `MW_PUBLIC_SITE_ENV` describe old
+  adapter modes. Do not introduce them into new `tenant-app` work unless a
+  compatibility task explicitly targets that legacy adapter.
 - Anonymous live traffic should prefer published snapshots instead of direct
   runtime reads on every request.
 - `runtime_local_sidecar` is an explicit exception path for live serving, not

package/assets/claude-local/skills/standalone-mobile-client/SKILL.md CHANGED Viewed

@@ -80,9 +80,9 @@ The native token flow mirrors the existing CLI developer-token flow
    freshly returned pair. Re-run the browser-assisted authorize step only when
    the refresh token itself is invalid or revoked.
-The browser/BFF cookie path belongs to `tenant-app` and is **web-only**. The
-mobile app does not ride the `tenant-app` cookie jar, and it does not read or
-forward CSRF -- native uses the bearer token directly against the platform.
+The `tenant-app` web SDK / hosted-cookie path is **web-only**. The mobile app
+does not ride the `tenant-app` cookie jar, and it does not read or forward
+CSRF -- native uses the bearer token directly against the platform.
 ### Token binding (what is and isn't enforced)
@@ -100,7 +100,8 @@ boundary.
 - Do not mint a JWT inside the app or stand up a local user table / token issuer.
 - Do not expose access or refresh tokens to web pages or generic React state;
   keep them in `expo-secure-store`.
-- Do not route the mobile app through the `tenant-app` BFF cookie session.
+- Do not route the mobile app through the `tenant-app` web SDK / hosted-cookie
+  session.
 - Do not read or forward CSRF from native; bearer-token auth does not use it.
 - Do not put native code inside `tenant-app` or `sidecar`.

package/assets/templates/next-tenant-app/README.md CHANGED Viewed

@@ -3,157 +3,45 @@
 This directory is the canonical combined Next.js web starter for Builder.
 In the runtime Builder flow, this bundle materializes into
-`BuilderWorkspace.sandbox_root/app/`.
+`BuilderWorkspace.sandbox_root/app/`. In the external CLI scaffold flow, the
+same starter is copied into `tenant-app/`.
-In the external CLI scaffold flow, the same starter is copied into
-`tenant-app/`.
-On managed tenant VMs, `BuilderWorkspace.sandbox_root` normally lives under
-`/srv/minutework/workspaces/<workspace_id>/`, so the Builder-edited app copy is
-typically `/srv/minutework/workspaces/<workspace_id>/app/`.
-`apps/mw-next-client` is still the repo-side seed used to harden and evolve this scaffold. It is not the runtime template location.
+`apps/mw-next-client` may still seed visual conventions, but this template is
+no longer a platform-session BFF app.
 ## Auth profile
-This template stays fixed to the `platform_session_bff` profile:
-- browsers use this BFF only (cookie session, server-owned CSRF); native clients
-  (e.g. a mobile app) instead use a platform-issued native session token
-  directly against `/api/v1/native/...` -- see the `mobile` starter /
-  `standalone-mobile-client` skill
-- upstream platform `sessionid` and `csrftoken` stay server-owned
-- unsafe upstream requests bootstrap and forward CSRF through the BFF
-- there is no browser-to-runtime direct access
-- there is no local JWT system, local user table, or parallel auth stack
-## Runtime requirements
-- Node.js `20.9.0` or newer
-- `pnpm@9.0.0`
+This template uses the `tenant_web_auth_sdk` profile:
-## Direct web hosts
+- browser auth and manifest API calls go through `@minutework/web-auth`
+- the browser stores no bearer token, runtime key, or platform credential
+- SDK calls use same-origin `/_mw` routes with `credentials: "include"`
+- CSRF is handled by the SDK using the non-secret CSRF cookie
+- runtime query/action calls are authorized as `principal_kind=tenant_customer`
-When this starter lives inside an external CLI workspace with an optional
-`sidecar`, deploy direct web hosts against `tenant-app` only.
-- Root `pnpm install` stays Node-only and does not auto-install sidecar Python deps.
-- If you need the sidecar locally, run `pnpm run install:sidecar` from the workspace root or `cd sidecar && poetry install`.
-- For Vercel, set the project Root Directory to `tenant-app`.
-Those host-specific instructions apply to the CLI scaffold layout, not the
-runtime Builder sandbox layout under `app/`.
+Only `src/mw/` is MinuteWork substrate. Keep product UI and product logic in
+`src/app`, `src/features`, and developer-owned modules.
 ## Default route shape
-The template ships one combined app with two explicit route surfaces:
-- public routes at the root: `/`, `/pricing`, `/docs`, `/blog`, `/login`
-- authenticated routes under `/app`
-- optional runtime example under `/app/examples/runtime-commands`
-Public marketing, docs, and blog routes render through a swappable public-content adapter seam. The authenticated shell keeps tenant context controls, password flows, and the platform-session BFF boundary.
-## Public content adapter
-The public content seam lives under `src/lib/content`.
-The default built-in adapter is `MinuteWorkPublicSiteContentAdapter`. It calls the
-MinuteWork gateway with a server-only content token and reads the narrow
-`mw.core.site` public-site snapshot contract.
-`mw.core.site` is treated as a runtime baseline capability. This starter
-composes against that baseline rather than trying to install it locally.
-The gateway response carries an explicit boundary:
-- `environment=preview` must declare `source_boundary=runtime_preview`
-- `environment=live` may declare `source_boundary=published_live` for hosted releases or `source_boundary=runtime_live` for runtime-served sidecar releases
-That keeps preview free to use runtime-backed draft reads while keeping live
-publication-safe for hosted delivery while still allowing an explicit
-runtime-served public lane when the release is activated through
-`runtime_local_sidecar`.
-To replace the built-ins for a tenant-specific CMS or content API, implement the hook in `src/lib/content/custom-adapter.ts`.
-## Example gating
+- public routes at `/`, `/pricing`, `/docs`, and `/blog`
+- customer auth at `/login`
+- authenticated workspace at `/app`
+- SDK manifest demo at `/app/demo`
-`MW_ENABLE_RUNTIME_COMMAND_EXAMPLE=false` by default.
-When disabled:
-- `/app/examples/runtime-commands` returns `404`
-- the example gateway API routes return `404`
-- the example navigation entry is omitted
+The template intentionally does not include `src/lib/platform/*`,
+`src/app/api/auth/*`, `src/app/api/gateway/*`, an operator-console link, a
+runtime-command demo, or a server-only public-content token adapter.
 ## Environment
-Copy `.env.example` to `.env.local` when running the template directly. The
-example file uses `MW_PUBLIC_CONTENT_SOURCE=none` so the private `/app` surface
-can boot without MinuteWork CMS credentials; set `MW_PUBLIC_CONTENT_SOURCE` to
-`minutework_cms` and fill the CMS values below when enabling the public site.
-- `MW_PLATFORM_BASE_URL` is required
-- `MW_PUBLIC_CONTENT_SOURCE` defaults to `none` when omitted; supported values are `minutework_cms`, `custom`, `static_json`, and `none`
-- `MW_CONTENT_API_TOKEN` is required only for `minutework_cms` and must stay server-only
-- `MW_TEMPLATE_APP_NAME` defaults to `MinuteWork Combined Starter`
-- `MW_PUBLIC_BASE_URL` is required for public content sources and should match the deployed public origin; it may be omitted when `MW_PUBLIC_CONTENT_SOURCE=none`
-- `MW_PUBLIC_SITE_PROPERTY_KEY` is required only for `minutework_cms` and selects the `PublishedWebProperty` backing the site
-- `MW_PUBLIC_SITE_ENV` defaults to `preview`
-- `MW_STATIC_PUBLIC_CONTENT_PATH` defaults to `content/public-site.json` and is used when `MW_PUBLIC_CONTENT_SOURCE=static_json`
-- `MW_ENABLE_RUNTIME_COMMAND_EXAMPLE` defaults to `false`
-## SEO baseline
-The public route surface ships with:
-- canonical URLs derived from `MW_PUBLIC_BASE_URL`
-- `robots.ts` and `sitemap.ts`
-- Open Graph metadata for marketing and article/detail pages
-- server-rendered public pages by default, with no tenant/session reads during render
-- docs/blog static params generated from the same public-site snapshot used during render
-- graceful empty states for fresh properties with no authored or no published content
-Private routes under `/app` are marked `noindex`.
-## Generated artifact policy
-Checked-in generated artifacts are limited to:
-- `next-env.d.ts`
-- `src/design-system/tokens/manifest.ts`
-- `src/design-system/tokens/manifest.json`
-- `pnpm-lock.yaml`
-Generated build outputs such as `.next/`, `storybook-static/`, `test-results/`, and `tools/design-system/__screenshots__/` are not canonical template contents.
+- `NEXT_PUBLIC_MW_APP_ID` selects the manifest app id used by the SDK and
+  defaults to `tenant.app`
+- `MW_TEMPLATE_APP_NAME` controls the display name and defaults to `Tenant App`
+- `MW_PUBLIC_BASE_URL` is optional and only affects metadata routes
 ## Validation
-Use `pnpm validate` from this directory. It runs:
-1. `template:validate`
-2. `template:route-contract`
-3. `next typegen`
-4. `design-system:tokens`
-5. `design-system:check`
-6. `typecheck`
-7. `lint`
-8. `test`
-9. `build:validate`
-10. `build-storybook:validate`
-`template:validate` validates `template.json` against the bundled `template.schema.json`, so the template remains self-validating after Builder materializes it into a workspace sandbox.
-When the CLI scaffolds this starter into `tenant-app/`, the same validation
-contract still applies to that copied workspace surface. When Runtime Builder
-materializes it into `app/`, the same validation contract applies there too.
-The validation-only build steps inject fixture values for the required
-production env vars and run against a local public-site fixture server, so the
-template can prove its build contract in-repo without weakening the real
-`pnpm build` requirement.
-`template:route-contract` verifies that the combined public/private route tree, metadata routes, and content-adapter entrypoints remain present in the template.
-Inside the repo, the shared schema at `runtime/builder/templates/template.schema.json` is authoritative. The bundled `template.schema.json` inside this template must stay byte-equivalent, and `template:validate` fails if the two drift.
+Use `pnpm validate` from this directory. It runs template validation, route
+contract validation, typegen, design-system checks, typecheck, tests, and build
+validation.

package/assets/templates/next-tenant-app/package.json CHANGED Viewed

@@ -27,6 +27,7 @@
     "design-system:visual": "playwright test -c tools/design-system/playwright.config.mjs"
   },
   "dependencies": {
+    "@minutework/web-auth": "^0.1.0",
     "@radix-ui/react-slot": "^1.2.4",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",

package/assets/templates/next-tenant-app/src/app/app/demo/page.tsx ADDED Viewed

@@ -0,0 +1,15 @@
+import { ManifestDemo } from "@/features/demo/components/manifest-demo";
+export const metadata = {
+  title: "Demo",
+};
+export default function DemoPage() {
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-5xl flex-col gap-6 px-6 py-8">
+        <ManifestDemo />
+      </div>
+    </main>
+  );
+}

package/assets/templates/next-tenant-app/src/app/app/layout.tsx CHANGED Viewed

@@ -1,8 +1,6 @@
 import type { Metadata } from "next";
 import type { ReactNode } from "react";
-import { resolveAuthenticatedSession } from "@/lib/platform/auth.server";
 export const metadata: Metadata = {
   robots: {
     index: false,
@@ -10,11 +8,10 @@ export const metadata: Metadata = {
   },
 };
-export default async function AuthenticatedAppLayout({
+export default function AuthenticatedAppLayout({
   children,
 }: {
   children: ReactNode;
 }) {
-  await resolveAuthenticatedSession();
   return children;
 }

package/assets/templates/next-tenant-app/src/app/app/page.tsx CHANGED Viewed

@@ -1,24 +1,9 @@
 import { PrivateAppShell } from "@/features/shell/components/private-app-shell";
-import { resolveAuthenticatedSession } from "@/lib/platform/auth.server";
-import { platformAuthEndpoints } from "@/lib/platform/endpoints.server";
-import { env } from "@/lib/platform/env.server";
 export const metadata = {
   title: "Workspace",
-  description:
-    "Authenticated workspace surface for the combined MinuteWork starter.",
 };
-export default async function AppHomePage() {
-  const session = await resolveAuthenticatedSession();
-  return (
-    <PrivateAppShell
-      initialSession={session}
-      appName={env.MW_TEMPLATE_APP_NAME}
-      operatorConsoleHref={platformAuthEndpoints.operatorConsole}
-      runtimeCommandExampleEnabled={env.MW_ENABLE_RUNTIME_COMMAND_EXAMPLE}
-      view="dashboard"
-    />
-  );
+export default function AppHomePage() {
+  return <PrivateAppShell appName={process.env.MW_TEMPLATE_APP_NAME || "Tenant App"} />;
 }

package/assets/templates/next-tenant-app/src/app/blog/[slug]/page.tsx CHANGED Viewed

@@ -1,73 +1,15 @@
-import { notFound } from "next/navigation";
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
-import { ContentArticle } from "@/features/public-shell/components/content-article";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getEntry, getSiteConfig, listEntries } from "@/lib/content/adapter.server";
-import { appRoutes } from "@/lib/app-routes";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-type BlogArticlePageProps = {
-  params: Promise<{ slug: string }>;
+export const metadata = {
+  title: "Blog",
 };
-export const dynamicParams = false;
-export async function generateStaticParams() {
-  if (isPublicContentDisabled()) {
-    return [];
-  }
-  return (await listEntries("blog")).map((entry) => ({
-    slug: entry.slug[0],
-  }));
-}
-export async function generateMetadata({ params }: BlogArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("blog", [slug]);
-  if (!entry) {
-    return buildPublicMetadata({
-      title: siteConfig.collections.blog.title,
-      description: siteConfig.collections.blog.description,
-      path: appRoutes.blogIndex,
-      siteName: siteConfig.siteName,
-    });
-  }
-  return buildPublicMetadata({
-    title: entry.seo.title,
-    description: entry.seo.description,
-    path: appRoutes.blogPost(entry.slug),
-    siteName: siteConfig.siteName,
-    type: "article",
-    publishedTime: entry.publishedAt,
-  });
-}
-export default async function BlogArticlePage({ params }: BlogArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("blog", [slug]);
-  if (!entry) {
-    notFound();
-  }
+export default function BlogPostPage() {
   return (
-    <PublicSiteShell activeHref={appRoutes.blogIndex} siteConfig={siteConfig}>
-      <ContentArticle entry={entry} />
-    </PublicSiteShell>
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Update"
+      body="A customer-facing update."
+    />
   );
 }

package/assets/templates/next-tenant-app/src/app/blog/page.tsx CHANGED Viewed

@@ -1,51 +1,15 @@
-import { notFound } from "next/navigation";
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
-import { ContentCollection } from "@/features/public-shell/components/content-collection";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getSiteConfig, listEntries } from "@/lib/content/adapter.server";
-import { appRoutes } from "@/lib/app-routes";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-export async function generateMetadata() {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-  const siteConfig = await getSiteConfig();
-  const collection = siteConfig.collections.blog;
-  return buildPublicMetadata({
-    title: collection.title,
-    description: collection.description,
-    path: appRoutes.blogIndex,
-    siteName: siteConfig.siteName,
-  });
-}
-export default async function BlogIndexPage() {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-  const [siteConfig, entries] = await Promise.all([
-    getSiteConfig(),
-    listEntries("blog"),
-  ]);
-  const collection = siteConfig.collections.blog;
+export const metadata = {
+  title: "Blog",
+};
+export default function BlogIndexPage() {
   return (
-    <PublicSiteShell activeHref={appRoutes.blogIndex} siteConfig={siteConfig}>
-      <ContentCollection
-        description={collection.description}
-        entries={entries}
-        eyebrow={collection.eyebrow}
-        kind="blog"
-        title={collection.title}
-      />
-    </PublicSiteShell>
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Updates"
+      body="News, releases, and customer notes."
+    />
   );
 }

package/assets/templates/next-tenant-app/src/app/docs/[...slug]/page.tsx CHANGED Viewed

@@ -1,71 +1,15 @@
-import { notFound } from "next/navigation";
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
-import { ContentArticle } from "@/features/public-shell/components/content-article";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getEntry, getSiteConfig, listEntries } from "@/lib/content/adapter.server";
-import { appRoutes } from "@/lib/app-routes";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-type DocsArticlePageProps = {
-  params: Promise<{ slug: string[] }>;
+export const metadata = {
+  title: "Docs",
 };
-export const dynamicParams = false;
-export async function generateStaticParams() {
-  if (isPublicContentDisabled()) {
-    return [];
-  }
-  return (await listEntries("docs")).map((entry) => ({
-    slug: entry.slug,
-  }));
-}
-export async function generateMetadata({ params }: DocsArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("docs", slug);
-  if (!entry) {
-    return buildPublicMetadata({
-      title: siteConfig.collections.docs.title,
-      description: siteConfig.collections.docs.description,
-      path: appRoutes.docsIndex,
-      siteName: siteConfig.siteName,
-    });
-  }
-  return buildPublicMetadata({
-    title: entry.seo.title,
-    description: entry.seo.description,
-    path: appRoutes.docsPage(entry.slug),
-    siteName: siteConfig.siteName,
-  });
-}
-export default async function DocsArticlePage({ params }: DocsArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("docs", slug);
-  if (!entry) {
-    notFound();
-  }
+export default function DocsPage() {
   return (
-    <PublicSiteShell activeHref={appRoutes.docsIndex} siteConfig={siteConfig}>
-      <ContentArticle entry={entry} />
-    </PublicSiteShell>
+    <StaticPublicPage
+      eyebrow="Docs"
+      title="Documentation page"
+      body="Helpful context for customer workflows."
+    />
   );
 }