minutework 0.1.33 → 0.1.34

package/assets/claude-local/skills/app-pack-authoring/SKILL.md

@@ -21,6 +21,16 @@ An `app pack` is the shipped product unit.
   per-app `src/app/api/auth/*`, `src/app/api/gateway/*`, platform-session BFF
   layers, platform credential login screens, operator-console links, or
   runtime-command demos.
+- If a generated workspace reports `@minutework/web-auth` as missing, treat it
+  as dependency installation, package publishing, or package sync work. Do not
+  hand-roll auth/data routes or browser tokens as a workaround.
+- The template may render a local `/login` page that calls SDK hooks. The SDK
+  also exposes hosted UI helpers for same-origin `/_mw/login`,
+  `/_mw/signup`, and `/_mw/verify-email`; both choices remain SDK-only.
+- Client-side `/app` session checks are UX gating only. Real authorization is
+  enforced server-side by platform `/_mw` routes and runtime dispatch checks:
+  active customer membership, email verification, app publication, and
+  `webCustomerExposed` / `web_customer_exposed` manifest declarations.
 - Browser calls from `tenant-app` should use `mw.query(...)` and
   `mw.action(..., { idempotencyKey })`; actions require a non-empty
   idempotency key. The runtime surface must be declared on the manifest with

package/assets/claude-local/skills/generated-workspace-architecture/SKILL.md

@@ -26,6 +26,15 @@ the monorepo or a live tenant runtime.
   `src/mw/` substrate and `@minutework/web-auth`. Product UI may call that
   substrate, but it must not recreate platform-session BFF routes, platform
   credential login, or browser-exposed platform/runtime tokens.
+- If `@minutework/web-auth` is not installed or resolvable in a generated
+  workspace, fix dependency installation, package publishing, or package sync.
+  Do not replace the SDK with local auth/gateway routes.
+- A local `/login` page may call SDK hooks, while SDK hosted UI helpers point
+  to same-origin `/_mw/login`, `/_mw/signup`, and `/_mw/verify-email`; both
+  are valid only when they stay on the SDK/`/_mw` contract.
+- Client-side app guards are UX only. Platform `/_mw` routes and runtime
+  dispatch enforce active customer membership, email verification, app
+  publication, and manifest exposure server-side.
 - `tenant-app` runtime data access goes through `mw.query(...)` and
   `mw.action(..., { idempotencyKey })` against manifest-declared
   `webCustomerExposed` / `web_customer_exposed` customer surfaces.

package/assets/templates/next-tenant-app/README.md

@@ -22,6 +22,20 @@ This template uses the `tenant_web_auth_sdk` profile:
 Only `src/mw/` is MinuteWork substrate. Keep product UI and product logic in
 `src/app`, `src/features`, and developer-owned modules.
 
+The local `/login` route is product UI that calls SDK hooks. The SDK also
+provides hosted UI helpers for same-origin `/_mw/login`, `/_mw/signup`, and
+`/_mw/verify-email` URLs; both paths stay on the same SDK contract.
+
+Client-side `/app` session checks are only UX gating. Authorization is enforced
+by the platform `/_mw` routes and runtime dispatch: active customer membership,
+email verification, app publication, and manifest `web_customer_exposed`
+declarations are checked server-side.
+
+If a generated workspace reports `@minutework/web-auth` as missing, treat that
+as a dependency installation or package publishing/sync issue. Do not recreate
+platform BFF routes, browser bearer tokens, or platform credential login as a
+workaround.
+
 ## Default route shape
 
 - public routes at `/`, `/pricing`, `/docs`, and `/blog`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "minutework",
-  "version": "0.1.33",
+  "version": "0.1.34",
   "description": "MinuteWork CLI for workspace scaffolding, local preview workflows, and hosted preview deploys.",
   "type": "module",
   "bin": {