minutework 0.1.32 → 0.1.34

package/assets/claude-local/skills/README.md

@@ -15,6 +15,8 @@ receive:
 
 - Builder should compose shared substrate before generating bespoke tenant code
 - `tenant-app` is the combined public plus private web starter
+- `tenant-app` auth/data uses `@minutework/web-auth` and thin `src/mw/`
+  substrate, not per-app auth/gateway BFF routes
 - `mw.core.site` is a runtime baseline capability
 - tenant public authoring is runtime/CMS-backed through `mw.core.site`
 - Vuilder-owned public sites use `vuilder-public-site` and public-dj CMS

package/assets/claude-local/skills/app-pack-authoring/SKILL.md

@@ -16,6 +16,29 @@ An `app pack` is the shipped product unit.
   contract boundaries.
 - Start with declarative schema/manifests and add code surfaces only when needed.
 - Use `tenant-app` for the combined public-site plus private-app web surface.
+- `tenant-app` auth/data must stay on the frozen `@minutework/web-auth`
+  contract. Wire it through the thin `src/mw/` substrate only; do not add
+  per-app `src/app/api/auth/*`, `src/app/api/gateway/*`, platform-session BFF
+  layers, platform credential login screens, operator-console links, or
+  runtime-command demos.
+- If a generated workspace reports `@minutework/web-auth` as missing, treat it
+  as dependency installation, package publishing, or package sync work. Do not
+  hand-roll auth/data routes or browser tokens as a workaround.
+- The template may render a local `/login` page that calls SDK hooks. The SDK
+  also exposes hosted UI helpers for same-origin `/_mw/login`,
+  `/_mw/signup`, and `/_mw/verify-email`; both choices remain SDK-only.
+- Client-side `/app` session checks are UX gating only. Real authorization is
+  enforced server-side by platform `/_mw` routes and runtime dispatch checks:
+  active customer membership, email verification, app publication, and
+  `webCustomerExposed` / `web_customer_exposed` manifest declarations.
+- Browser calls from `tenant-app` should use `mw.query(...)` and
+  `mw.action(..., { idempotencyKey })`; actions require a non-empty
+  idempotency key. The runtime surface must be declared on the manifest with
+  `webCustomerExposed` / `web_customer_exposed`, and V1 customer roles are
+  `customer` only.
+- The authenticated `tenant-app` principal is `tenant_customer`. Do not model
+  the generated customer app as an operator/platform-session app, and do not
+  persist bearer/session/runtime tokens in browser JavaScript.
 - Use `sidecar` for internal APIs, workers, integrations, or Python-heavy compute.
 - For member-facing collaboration and operator workflows, check shell fit first
   before proposing standalone `tenant-app` routes or dashboards.
@@ -77,7 +100,7 @@ An `app pack` is the shipped product unit.
   `SCHEMA_KEY_UPSERT_REGISTRY` may ship in the active manifest.
 - For `mw.core.site.form`, do not author `form_key` or `app_pack_ref` inside
   `data`; the install pipe injects both. Keep `surface_key == form_key` for
-  public intake BFFs.
+  public intake gateway handling.
 - For `mw.runtime.agent`, use `logical_key` as the runtime `Agent.slug`.
   Author stable agent fields in `data` such as `name`, `system_instruction`,
   `enabled_tools`, `trigger_intents`, `channels_enabled`, and

package/assets/claude-local/skills/contract-first-public-intake/SKILL.md

@@ -35,6 +35,14 @@ guest-continuity threads, public submission routing, or claim-after-auth flows.
 - Post-auth continuation stays on the existing `handoff_key` and flows through
   `apply_post_auth_access_policy()`. Do not invent automatic membership upgrades
   or a parallel claim token model.
+- Tenant web auth `claimRef` is an opaque platform-signed handoff claim token,
+  not a raw `PublicHandoff.id` or `core:public_handoff:*` ref. A `tenant-app`
+  may pass that token through `@minutework/web-auth` signup, but platform must
+  store it pending verification and link only after the authenticating email is
+  verified, the signed handoff is bound to that verified identity, and
+  `apply_post_auth_access_policy()` succeeds.
+- Do not create customer identity claims during unverified signup. Anonymous or
+  unbound handoffs must not be auto-linked.
 
 ## Privacy And Prompt Semantics
 
@@ -65,9 +73,9 @@ guest-continuity threads, public submission routing, or claim-after-auth flows.
   source that can drive later `action:` or `flow:` execution.
 - Do not gate public intake render on a hardcoded client-side token
   allowlist. The handoff token is a platform-issued, server-validated
-  payload; the workspace UI should pass it through to the BFF and let the
-  platform decide validity. A client-side allowlist drifts from the real
-  token registry and silently breaks once real tokens are minted.
+  payload; the workspace UI should pass it through to the hosted gateway/auth
+  path and let the platform decide validity. A client-side allowlist drifts
+  from the real token registry and silently breaks once real tokens are minted.
 
 ## Vuilder Vertical Onboarding
 

package/assets/claude-local/skills/generated-workspace-architecture/SKILL.md

@@ -22,13 +22,29 @@ the monorepo or a live tenant runtime.
 - `tenant-app`, optional `sidecar`, and the optional `mobile` starter are
   implementation surfaces inside the tenant product, not the whole architecture.
 - `tenant-app` is the combined public plus private web starter.
+- In `tenant-app`, keep MinuteWork web auth/data access inside the thin
+  `src/mw/` substrate and `@minutework/web-auth`. Product UI may call that
+  substrate, but it must not recreate platform-session BFF routes, platform
+  credential login, or browser-exposed platform/runtime tokens.
+- If `@minutework/web-auth` is not installed or resolvable in a generated
+  workspace, fix dependency installation, package publishing, or package sync.
+  Do not replace the SDK with local auth/gateway routes.
+- A local `/login` page may call SDK hooks, while SDK hosted UI helpers point
+  to same-origin `/_mw/login`, `/_mw/signup`, and `/_mw/verify-email`; both
+  are valid only when they stay on the SDK/`/_mw` contract.
+- Client-side app guards are UX only. Platform `/_mw` routes and runtime
+  dispatch enforce active customer membership, email verification, app
+  publication, and manifest exposure server-side.
+- `tenant-app` runtime data access goes through `mw.query(...)` and
+  `mw.action(..., { idempotencyKey })` against manifest-declared
+  `webCustomerExposed` / `web_customer_exposed` customer surfaces.
 - A mobile / native client (Expo, React Native, native iOS/Android) is a
   standalone-client exception authored in the `mobile` starter, not in
   `tenant-app` or `sidecar`. It is a direct platform API client that consumes
   the platform native-token API (`/api/v1/native/...`) directly with a
-  platform-issued native session token, rather than the `tenant-app` BFF cookie
-  session. The mobile starter remains npm-owned standalone app code and should
-  not be added to the generated root `pnpm-workspace.yaml`.
+  platform-issued native session token, rather than the `tenant-app` web SDK /
+  hosted-cookie session. The mobile starter remains npm-owned standalone app
+  code and should not be added to the generated root `pnpm-workspace.yaml`.
 - If the `mobile` starter is enabled (`starters.mobile.enabled`), read
   `standalone-mobile-client/SKILL.md` before proposing the mobile surface.
 - `vuilder-public-site` is a Vuilder-owned public-site authoring workspace for

package/assets/claude-local/skills/published-web-and-mw-core-site/SKILL.md

@@ -20,18 +20,21 @@ flows, or the default MinuteWork site model.
   runtime-canonical through `mw.core.site` and installed app-pack data.
 - `tenant-app` is the combined web starter for public routes plus the private
   `/app` workspace.
+- Do not add a server-only public content token adapter to `tenant-app`.
+  Public content should come from hosted published releases/snapshots or
+  gateway-approved public-content routes over the MinuteWork substrate, not
+  from a baked-in platform token in the generated app.
 - Author public content against runtime/CMS records, not a fixed in-repo site
   starter.
 - For contract-first intake pipeline decisions, also read
   `contract-first-public-intake/SKILL.md`.
 - Use `published-web` and hosted public-release flows for anonymous delivery by
   default.
-- `MW_PUBLIC_CONTENT_SOURCE` selects the public content adapter mode.
-- `MW_CONTENT_API_TOKEN`, `MW_PUBLIC_SITE_PROPERTY_KEY`, and
-  `MW_PUBLIC_SITE_ENV` are required only for `MW_PUBLIC_CONTENT_SOURCE=minutework_cms`.
-- `MW_STATIC_PUBLIC_CONTENT_PATH` is used for `MW_PUBLIC_CONTENT_SOURCE=static_json`.
-- `MW_PUBLIC_SITE_ENV=preview` is for preview or draft-safe reads.
-- `MW_PUBLIC_SITE_ENV=live` is for publication-safe reads only.
+- Legacy starter variables such as `MW_PUBLIC_CONTENT_SOURCE`,
+  `MW_CONTENT_API_TOKEN`, `MW_PUBLIC_SITE_PROPERTY_KEY`,
+  `MW_STATIC_PUBLIC_CONTENT_PATH`, and `MW_PUBLIC_SITE_ENV` describe old
+  adapter modes. Do not introduce them into new `tenant-app` work unless a
+  compatibility task explicitly targets that legacy adapter.
 - Anonymous live traffic should prefer published snapshots instead of direct
   runtime reads on every request.
 - `runtime_local_sidecar` is an explicit exception path for live serving, not

package/assets/claude-local/skills/standalone-mobile-client/SKILL.md

@@ -80,9 +80,9 @@ The native token flow mirrors the existing CLI developer-token flow
    freshly returned pair. Re-run the browser-assisted authorize step only when
    the refresh token itself is invalid or revoked.
 
-The browser/BFF cookie path belongs to `tenant-app` and is **web-only**. The
-mobile app does not ride the `tenant-app` cookie jar, and it does not read or
-forward CSRF -- native uses the bearer token directly against the platform.
+The `tenant-app` web SDK / hosted-cookie path is **web-only**. The mobile app
+does not ride the `tenant-app` cookie jar, and it does not read or forward
+CSRF -- native uses the bearer token directly against the platform.
 
 ### Token binding (what is and isn't enforced)
 
@@ -100,7 +100,8 @@ boundary.
 - Do not mint a JWT inside the app or stand up a local user table / token issuer.
 - Do not expose access or refresh tokens to web pages or generic React state;
   keep them in `expo-secure-store`.
-- Do not route the mobile app through the `tenant-app` BFF cookie session.
+- Do not route the mobile app through the `tenant-app` web SDK / hosted-cookie
+  session.
 - Do not read or forward CSRF from native; bearer-token auth does not use it.
 - Do not put native code inside `tenant-app` or `sidecar`.
 

package/assets/templates/next-tenant-app/README.md

@@ -3,157 +3,59 @@
 This directory is the canonical combined Next.js web starter for Builder.
 
 In the runtime Builder flow, this bundle materializes into
-`BuilderWorkspace.sandbox_root/app/`.
+`BuilderWorkspace.sandbox_root/app/`. In the external CLI scaffold flow, the
+same starter is copied into `tenant-app/`.
 
-In the external CLI scaffold flow, the same starter is copied into
-`tenant-app/`.
-
-On managed tenant VMs, `BuilderWorkspace.sandbox_root` normally lives under
-`/srv/minutework/workspaces/<workspace_id>/`, so the Builder-edited app copy is
-typically `/srv/minutework/workspaces/<workspace_id>/app/`.
-
-`apps/mw-next-client` is still the repo-side seed used to harden and evolve this scaffold. It is not the runtime template location.
+`apps/mw-next-client` may still seed visual conventions, but this template is
+no longer a platform-session BFF app.
 
 ## Auth profile
 
-This template stays fixed to the `platform_session_bff` profile:
-
-- browsers use this BFF only (cookie session, server-owned CSRF); native clients
-  (e.g. a mobile app) instead use a platform-issued native session token
-  directly against `/api/v1/native/...` -- see the `mobile` starter /
-  `standalone-mobile-client` skill
-- upstream platform `sessionid` and `csrftoken` stay server-owned
-- unsafe upstream requests bootstrap and forward CSRF through the BFF
-- there is no browser-to-runtime direct access
-- there is no local JWT system, local user table, or parallel auth stack
-
-## Runtime requirements
+This template uses the `tenant_web_auth_sdk` profile:
 
-- Node.js `20.9.0` or newer
-- `pnpm@9.0.0`
+- browser auth and manifest API calls go through `@minutework/web-auth`
+- the browser stores no bearer token, runtime key, or platform credential
+- SDK calls use same-origin `/_mw` routes with `credentials: "include"`
+- CSRF is handled by the SDK using the non-secret CSRF cookie
+- runtime query/action calls are authorized as `principal_kind=tenant_customer`
 
-## Direct web hosts
+Only `src/mw/` is MinuteWork substrate. Keep product UI and product logic in
+`src/app`, `src/features`, and developer-owned modules.
 
-When this starter lives inside an external CLI workspace with an optional
-`sidecar`, deploy direct web hosts against `tenant-app` only.
+The local `/login` route is product UI that calls SDK hooks. The SDK also
+provides hosted UI helpers for same-origin `/_mw/login`, `/_mw/signup`, and
+`/_mw/verify-email` URLs; both paths stay on the same SDK contract.
 
-- Root `pnpm install` stays Node-only and does not auto-install sidecar Python deps.
-- If you need the sidecar locally, run `pnpm run install:sidecar` from the workspace root or `cd sidecar && poetry install`.
-- For Vercel, set the project Root Directory to `tenant-app`.
+Client-side `/app` session checks are only UX gating. Authorization is enforced
+by the platform `/_mw` routes and runtime dispatch: active customer membership,
+email verification, app publication, and manifest `web_customer_exposed`
+declarations are checked server-side.
 
-Those host-specific instructions apply to the CLI scaffold layout, not the
-runtime Builder sandbox layout under `app/`.
+If a generated workspace reports `@minutework/web-auth` as missing, treat that
+as a dependency installation or package publishing/sync issue. Do not recreate
+platform BFF routes, browser bearer tokens, or platform credential login as a
+workaround.
 
 ## Default route shape
 
-The template ships one combined app with two explicit route surfaces:
-
-- public routes at the root: `/`, `/pricing`, `/docs`, `/blog`, `/login`
-- authenticated routes under `/app`
-- optional runtime example under `/app/examples/runtime-commands`
-
-Public marketing, docs, and blog routes render through a swappable public-content adapter seam. The authenticated shell keeps tenant context controls, password flows, and the platform-session BFF boundary.
-
-## Public content adapter
-
-The public content seam lives under `src/lib/content`.
-
-The default built-in adapter is `MinuteWorkPublicSiteContentAdapter`. It calls the
-MinuteWork gateway with a server-only content token and reads the narrow
-`mw.core.site` public-site snapshot contract.
-
-`mw.core.site` is treated as a runtime baseline capability. This starter
-composes against that baseline rather than trying to install it locally.
-
-The gateway response carries an explicit boundary:
-
-- `environment=preview` must declare `source_boundary=runtime_preview`
-- `environment=live` may declare `source_boundary=published_live` for hosted releases or `source_boundary=runtime_live` for runtime-served sidecar releases
-
-That keeps preview free to use runtime-backed draft reads while keeping live
-publication-safe for hosted delivery while still allowing an explicit
-runtime-served public lane when the release is activated through
-`runtime_local_sidecar`.
-
-To replace the built-ins for a tenant-specific CMS or content API, implement the hook in `src/lib/content/custom-adapter.ts`.
-
-## Example gating
-
-`MW_ENABLE_RUNTIME_COMMAND_EXAMPLE=false` by default.
+- public routes at `/`, `/pricing`, `/docs`, and `/blog`
+- customer auth at `/login`
+- authenticated workspace at `/app`
+- SDK manifest demo at `/app/demo`
 
-When disabled:
-
-- `/app/examples/runtime-commands` returns `404`
-- the example gateway API routes return `404`
-- the example navigation entry is omitted
+The template intentionally does not include `src/lib/platform/*`,
+`src/app/api/auth/*`, `src/app/api/gateway/*`, an operator-console link, a
+runtime-command demo, or a server-only public-content token adapter.
 
 ## Environment
 
-Copy `.env.example` to `.env.local` when running the template directly. The
-example file uses `MW_PUBLIC_CONTENT_SOURCE=none` so the private `/app` surface
-can boot without MinuteWork CMS credentials; set `MW_PUBLIC_CONTENT_SOURCE` to
-`minutework_cms` and fill the CMS values below when enabling the public site.
-
-- `MW_PLATFORM_BASE_URL` is required
-- `MW_PUBLIC_CONTENT_SOURCE` defaults to `none` when omitted; supported values are `minutework_cms`, `custom`, `static_json`, and `none`
-- `MW_CONTENT_API_TOKEN` is required only for `minutework_cms` and must stay server-only
-- `MW_TEMPLATE_APP_NAME` defaults to `MinuteWork Combined Starter`
-- `MW_PUBLIC_BASE_URL` is required for public content sources and should match the deployed public origin; it may be omitted when `MW_PUBLIC_CONTENT_SOURCE=none`
-- `MW_PUBLIC_SITE_PROPERTY_KEY` is required only for `minutework_cms` and selects the `PublishedWebProperty` backing the site
-- `MW_PUBLIC_SITE_ENV` defaults to `preview`
-- `MW_STATIC_PUBLIC_CONTENT_PATH` defaults to `content/public-site.json` and is used when `MW_PUBLIC_CONTENT_SOURCE=static_json`
-- `MW_ENABLE_RUNTIME_COMMAND_EXAMPLE` defaults to `false`
-
-## SEO baseline
-
-The public route surface ships with:
-
-- canonical URLs derived from `MW_PUBLIC_BASE_URL`
-- `robots.ts` and `sitemap.ts`
-- Open Graph metadata for marketing and article/detail pages
-- server-rendered public pages by default, with no tenant/session reads during render
-- docs/blog static params generated from the same public-site snapshot used during render
-- graceful empty states for fresh properties with no authored or no published content
-
-Private routes under `/app` are marked `noindex`.
-
-## Generated artifact policy
-
-Checked-in generated artifacts are limited to:
-
-- `next-env.d.ts`
-- `src/design-system/tokens/manifest.ts`
-- `src/design-system/tokens/manifest.json`
-- `pnpm-lock.yaml`
-
-Generated build outputs such as `.next/`, `storybook-static/`, `test-results/`, and `tools/design-system/__screenshots__/` are not canonical template contents.
+- `NEXT_PUBLIC_MW_APP_ID` selects the manifest app id used by the SDK and
+  defaults to `tenant.app`
+- `MW_TEMPLATE_APP_NAME` controls the display name and defaults to `Tenant App`
+- `MW_PUBLIC_BASE_URL` is optional and only affects metadata routes
 
 ## Validation
 
-Use `pnpm validate` from this directory. It runs:
-
-1. `template:validate`
-2. `template:route-contract`
-3. `next typegen`
-4. `design-system:tokens`
-5. `design-system:check`
-6. `typecheck`
-7. `lint`
-8. `test`
-9. `build:validate`
-10. `build-storybook:validate`
-
-`template:validate` validates `template.json` against the bundled `template.schema.json`, so the template remains self-validating after Builder materializes it into a workspace sandbox.
-
-When the CLI scaffolds this starter into `tenant-app/`, the same validation
-contract still applies to that copied workspace surface. When Runtime Builder
-materializes it into `app/`, the same validation contract applies there too.
-
-The validation-only build steps inject fixture values for the required
-production env vars and run against a local public-site fixture server, so the
-template can prove its build contract in-repo without weakening the real
-`pnpm build` requirement.
-
-`template:route-contract` verifies that the combined public/private route tree, metadata routes, and content-adapter entrypoints remain present in the template.
-
-Inside the repo, the shared schema at `runtime/builder/templates/template.schema.json` is authoritative. The bundled `template.schema.json` inside this template must stay byte-equivalent, and `template:validate` fails if the two drift.
+Use `pnpm validate` from this directory. It runs template validation, route
+contract validation, typegen, design-system checks, typecheck, tests, and build
+validation.

package/assets/templates/next-tenant-app/package.json

@@ -27,6 +27,7 @@
     "design-system:visual": "playwright test -c tools/design-system/playwright.config.mjs"
   },
   "dependencies": {
+    "@minutework/web-auth": "^0.1.0",
     "@radix-ui/react-slot": "^1.2.4",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",

package/assets/templates/next-tenant-app/src/app/app/demo/page.tsx

@@ -0,0 +1,15 @@
+import { ManifestDemo } from "@/features/demo/components/manifest-demo";
+
+export const metadata = {
+  title: "Demo",
+};
+
+export default function DemoPage() {
+  return (
+    <main className="min-h-screen bg-background text-foreground">
+      <div className="mx-auto flex min-h-screen max-w-5xl flex-col gap-6 px-6 py-8">
+        <ManifestDemo />
+      </div>
+    </main>
+  );
+}

package/assets/templates/next-tenant-app/src/app/app/layout.tsx

@@ -1,8 +1,6 @@
 import type { Metadata } from "next";
 import type { ReactNode } from "react";
 
-import { resolveAuthenticatedSession } from "@/lib/platform/auth.server";
-
 export const metadata: Metadata = {
   robots: {
     index: false,
@@ -10,11 +8,10 @@ export const metadata: Metadata = {
   },
 };
 
-export default async function AuthenticatedAppLayout({
+export default function AuthenticatedAppLayout({
   children,
 }: {
   children: ReactNode;
 }) {
-  await resolveAuthenticatedSession();
   return children;
 }

package/assets/templates/next-tenant-app/src/app/app/page.tsx

@@ -1,24 +1,9 @@
 import { PrivateAppShell } from "@/features/shell/components/private-app-shell";
-import { resolveAuthenticatedSession } from "@/lib/platform/auth.server";
-import { platformAuthEndpoints } from "@/lib/platform/endpoints.server";
-import { env } from "@/lib/platform/env.server";
 
 export const metadata = {
   title: "Workspace",
-  description:
-    "Authenticated workspace surface for the combined MinuteWork starter.",
 };
 
-export default async function AppHomePage() {
-  const session = await resolveAuthenticatedSession();
-
-  return (
-    <PrivateAppShell
-      initialSession={session}
-      appName={env.MW_TEMPLATE_APP_NAME}
-      operatorConsoleHref={platformAuthEndpoints.operatorConsole}
-      runtimeCommandExampleEnabled={env.MW_ENABLE_RUNTIME_COMMAND_EXAMPLE}
-      view="dashboard"
-    />
-  );
+export default function AppHomePage() {
+  return <PrivateAppShell appName={process.env.MW_TEMPLATE_APP_NAME || "Tenant App"} />;
 }

package/assets/templates/next-tenant-app/src/app/blog/[slug]/page.tsx

@@ -1,73 +1,15 @@
-import { notFound } from "next/navigation";
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
 
-import { ContentArticle } from "@/features/public-shell/components/content-article";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getEntry, getSiteConfig, listEntries } from "@/lib/content/adapter.server";
-import { appRoutes } from "@/lib/app-routes";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-
-type BlogArticlePageProps = {
-  params: Promise<{ slug: string }>;
+export const metadata = {
+  title: "Blog",
 };
 
-export const dynamicParams = false;
-
-export async function generateStaticParams() {
-  if (isPublicContentDisabled()) {
-    return [];
-  }
-
-  return (await listEntries("blog")).map((entry) => ({
-    slug: entry.slug[0],
-  }));
-}
-
-export async function generateMetadata({ params }: BlogArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("blog", [slug]);
-
-  if (!entry) {
-    return buildPublicMetadata({
-      title: siteConfig.collections.blog.title,
-      description: siteConfig.collections.blog.description,
-      path: appRoutes.blogIndex,
-      siteName: siteConfig.siteName,
-    });
-  }
-
-  return buildPublicMetadata({
-    title: entry.seo.title,
-    description: entry.seo.description,
-    path: appRoutes.blogPost(entry.slug),
-    siteName: siteConfig.siteName,
-    type: "article",
-    publishedTime: entry.publishedAt,
-  });
-}
-
-export default async function BlogArticlePage({ params }: BlogArticlePageProps) {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-
-  const [{ slug }, siteConfig] = await Promise.all([params, getSiteConfig()]);
-  const entry = await getEntry("blog", [slug]);
-
-  if (!entry) {
-    notFound();
-  }
-
+export default function BlogPostPage() {
   return (
-    <PublicSiteShell activeHref={appRoutes.blogIndex} siteConfig={siteConfig}>
-      <ContentArticle entry={entry} />
-    </PublicSiteShell>
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Update"
+      body="A customer-facing update."
+    />
   );
 }

package/assets/templates/next-tenant-app/src/app/blog/page.tsx

@@ -1,51 +1,15 @@
-import { notFound } from "next/navigation";
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
 
-import { ContentCollection } from "@/features/public-shell/components/content-collection";
-import { PublicSiteShell } from "@/features/public-shell/components/public-site-shell";
-import { getSiteConfig, listEntries } from "@/lib/content/adapter.server";
-import { appRoutes } from "@/lib/app-routes";
-import {
-  buildDisabledPublicMetadata,
-  buildPublicMetadata,
-  isPublicContentDisabled,
-} from "@/lib/public-site";
-
-export async function generateMetadata() {
-  if (isPublicContentDisabled()) {
-    return buildDisabledPublicMetadata();
-  }
-
-  const siteConfig = await getSiteConfig();
-  const collection = siteConfig.collections.blog;
-
-  return buildPublicMetadata({
-    title: collection.title,
-    description: collection.description,
-    path: appRoutes.blogIndex,
-    siteName: siteConfig.siteName,
-  });
-}
-
-export default async function BlogIndexPage() {
-  if (isPublicContentDisabled()) {
-    notFound();
-  }
-
-  const [siteConfig, entries] = await Promise.all([
-    getSiteConfig(),
-    listEntries("blog"),
-  ]);
-  const collection = siteConfig.collections.blog;
+export const metadata = {
+  title: "Blog",
+};
 
+export default function BlogIndexPage() {
   return (
-    <PublicSiteShell activeHref={appRoutes.blogIndex} siteConfig={siteConfig}>
-      <ContentCollection
-        description={collection.description}
-        entries={entries}
-        eyebrow={collection.eyebrow}
-        kind="blog"
-        title={collection.title}
-      />
-    </PublicSiteShell>
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Updates"
+      body="News, releases, and customer notes."
+    />
   );
 }