minutework 0.1.39 → 0.1.41

package/assets/templates/vuilder-shell/README.md

@@ -0,0 +1,49 @@
+# Vuilder Shell Template
+
+`vuilder-shell` is the branded customer tenant shell for Vuilder-owned verticals.
+It is generated next to `vuilder-app` in a Vuilder workspace.
+
+The shell opens after the customer has signed in through central SSO and the
+platform has completed the `customer_vertical_signup` intent. The platform owns
+identity, tenant runtime provisioning, and app-pack install authority. This
+template owns customer-visible navigation, workspace status, and vertical
+product UI.
+
+## Route Shape
+
+- public route at `/`
+- platform member auth handoff at `/login`, which redirects to central SSO with
+  a shell return URL
+- branded tenant setup/status route at `/w/[workspace_slug]/connect`
+- branded tenant workspace route at `/w/[workspace_slug]`
+- compatibility authenticated app route at `/app`
+
+## Auth Profile
+
+This template uses central platform SSO plus a tenant-bound shell session minted
+by the platform after membership is established. `/login` sets a short-lived
+host-only shell handoff state cookie before redirecting to SSO. SSO returns to
+`/api/auth/accept-shell-session` with a short-lived one-use code and the echoed
+state; the shell validates the state, exchanges the code server-side, sets a
+host-only `mw_vuilder_shell_session` cookie, and redirects to the clean
+workspace URL. Raw platform session and CSRF cookies stay on the SSO origin; the
+shell never builds Django session or CSRF headers. The shell does not render a
+password form and does not expose a local credential-login BFF; `/login` is only
+an SSO redirect handoff. Local `/api/auth/session` and `/api/auth/logout` are
+thin shell-token helpers; logout best-effort revokes the tenant-bound shell
+token before clearing cookies. Browser React never stores platform credentials,
+runtime keys, provisioning secrets, package refs, or install coordinates.
+
+For production handoff from `auth.*` to a branded shell on a sibling subdomain,
+configure `MW_AUTH_BASE_URL` and `MW_PUBLIC_BASE_URL`. Do not configure a shared
+parent-domain shell cookie; the shell session cookie is host-only on the branded
+shell origin.
+
+`vuilder-shell` is not a `tenant-app` and must not use `@minutework/web-auth`
+or same-origin `/_mw` customer routes.
+
+## Vuilder Boundary
+
+Vuilders may customize UI, route layout, visual design, tenant settings,
+runtime-backed data views, agents, workflows, and branding. They must not move
+provisioning decisions into React state or browser-submitted payloads.

package/assets/templates/vuilder-shell/components.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://ui.shadcn.com/schema.json",
+  "style": "new-york",
+  "rsc": true,
+  "tsx": true,
+  "tailwind": {
+    "config": "",
+    "css": "src/app/globals.css",
+    "baseColor": "neutral",
+    "cssVariables": true,
+    "prefix": ""
+  },
+  "aliases": {
+    "components": "@/design-system",
+    "utils": "@/lib/utils",
+    "ui": "@/design-system/primitives",
+    "lib": "@/lib",
+    "hooks": "@/hooks"
+  },
+  "iconLibrary": "lucide"
+}

package/assets/templates/vuilder-shell/eslint.config.mjs

@@ -0,0 +1,41 @@
+import nextCoreWebVitals from "eslint-config-next/core-web-vitals";
+import nextTypeScript from "eslint-config-next/typescript";
+
+import designSystemPlugin from "./tools/design-system/eslint-plugin-design-system.mjs";
+
+const eslintConfig = [
+  ...nextCoreWebVitals,
+  ...nextTypeScript,
+  {
+    ignores: [
+      ".next/**",
+      "node_modules/**",
+      "next-env.d.ts",
+      "storybook-static/**",
+      "src/design-system/tokens/manifest.ts",
+    ],
+  },
+  {
+    files: ["src/app/**/*.{ts,tsx}", "src/features/**/*.{ts,tsx}"],
+    plugins: {
+      "design-system": designSystemPlugin,
+    },
+    rules: {
+      "design-system/no-design-system-bypass-imports": "error",
+      "design-system/no-cva-outside-design-system": "error",
+      "design-system/no-raw-design-values": "error",
+      "design-system/no-bespoke-visual-stacks-in-features": "error",
+    },
+  },
+  {
+    files: ["src/design-system/**/*.{ts,tsx}"],
+    plugins: {
+      "design-system": designSystemPlugin,
+    },
+    rules: {
+      "design-system/no-raw-design-values": "error",
+    },
+  },
+];
+
+export default eslintConfig;

package/assets/templates/vuilder-shell/next-env.d.ts

@@ -0,0 +1,6 @@
+/// <reference types="next" />
+/// <reference types="next/image-types/global" />
+import "./.next/types/routes.d.ts";
+
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

package/assets/templates/vuilder-shell/next.config.mjs

@@ -0,0 +1,33 @@
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { existsSync } from "node:fs";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+function resolveTurbopackRoot(startDirectory) {
+  let directory = startDirectory;
+
+  while (true) {
+    if (existsSync(path.join(directory, "pnpm-workspace.yaml"))) {
+      return directory;
+    }
+
+    const parent = path.dirname(directory);
+    if (parent === directory) {
+      return startDirectory;
+    }
+    directory = parent;
+  }
+}
+
+const nextConfig = {
+  reactStrictMode: true,
+  typedRoutes: true,
+  // Prefer the nearest workspace root so scaffolded tenant-app packages inside a
+  // monorepo and the in-repo template both resolve dependencies correctly.
+  turbopack: {
+    root: resolveTurbopackRoot(__dirname),
+  },
+};
+
+export default nextConfig;

package/assets/templates/vuilder-shell/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "vuilder-shell",
+  "version": "0.1.0",
+  "private": true,
+  "packageManager": "pnpm@9.0.0",
+  "engines": {
+    "node": ">=20.9.0"
+  },
+  "scripts": {
+    "dev": "next dev --hostname 127.0.0.1 --port 3301",
+    "build": "next build",
+    "build:validate": "node tools/template/with-public-site-fixture.mjs next build",
+    "start": "next start -p 3301",
+    "lint": "eslint .",
+    "test": "vitest run",
+    "typegen": "next typegen",
+    "template:validate": "node tools/template/validate-template.mjs",
+    "template:route-contract": "node tools/template/validate-route-contract.mjs",
+    "typecheck": "tsc --noEmit",
+    "validate": "pnpm template:validate && pnpm template:route-contract && pnpm typegen && pnpm design-system:tokens && pnpm design-system:check && pnpm typecheck && pnpm lint && pnpm test && pnpm build:validate && pnpm build-storybook:validate",
+    "design-system:tokens": "node tools/design-system/build-token-manifest.mjs",
+    "design-system:check": "node tools/design-system/run-checks.mjs",
+    "design-system:check:staged": "node tools/design-system/run-checks.mjs --staged",
+    "storybook": "storybook dev -p 6006",
+    "build-storybook": "storybook build",
+    "build-storybook:validate": "node tools/template/with-public-site-fixture.mjs storybook build",
+    "design-system:visual": "playwright test -c tools/design-system/playwright.config.mjs"
+  },
+  "dependencies": {
+    "@radix-ui/react-slot": "^1.2.4",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^0.564.0",
+    "next": "^16.2.0",
+    "react": "^19.2.0",
+    "react-dom": "^19.2.0",
+    "server-only": "^0.0.1",
+    "tailwind-merge": "^3.3.1",
+    "tw-animate-css": "^1.3.3",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@playwright/test": "^1.58.2",
+    "@storybook/addon-a11y": "^10.2.19",
+    "@storybook/addon-docs": "^10.2.19",
+    "@storybook/nextjs-vite": "^10.2.19",
+    "@tailwindcss/postcss": "^4.2.0",
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "ajv": "^8.17.1",
+    "eslint": "^9.39.1",
+    "eslint-config-next": "^16.2.0",
+    "http-server": "^14.1.1",
+    "postcss": "^8.5.6",
+    "storybook": "^10.2.19",
+    "tailwindcss": "^4.2.0",
+    "typescript": "^5.6.0",
+    "vitest": "^3.2.4"
+  }
+}

package/assets/templates/vuilder-shell/postcss.config.mjs

@@ -0,0 +1,8 @@
+/** @type {import('postcss-load-config').Config} */
+const config = {
+  plugins: {
+    "@tailwindcss/postcss": {},
+  },
+};
+
+export default config;

package/assets/templates/vuilder-shell/public/.gitkeep

@@ -0,0 +1 @@
+

package/assets/templates/vuilder-shell/src/app/api/auth/accept-shell-session/route.test.ts

@@ -0,0 +1,105 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  applyVuilderShellSessionToResponse: vi.fn(),
+  clearVuilderShellHandoffStateFromResponse: vi.fn(),
+  exchangeVuilderShellSessionHandoffCode: vi.fn(),
+  readVuilderShellHandoffState: vi.fn(),
+}));
+
+vi.mock("@/lib/platform/client.server", () => ({
+  exchangeVuilderShellSessionHandoffCode:
+    mocks.exchangeVuilderShellSessionHandoffCode,
+}));
+
+vi.mock("@/lib/platform/session.server", () => ({
+  applyVuilderShellSessionToResponse: mocks.applyVuilderShellSessionToResponse,
+  clearVuilderShellHandoffStateFromResponse:
+    mocks.clearVuilderShellHandoffStateFromResponse,
+  readVuilderShellHandoffState: mocks.readVuilderShellHandoffState,
+}));
+
+import { GET } from "./route";
+
+describe("GET /api/auth/accept-shell-session", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("exchanges the handoff code, sets the shell token, and redirects locally", async () => {
+    mocks.readVuilderShellHandoffState.mockResolvedValue("state-1");
+    mocks.exchangeVuilderShellSessionHandoffCode.mockResolvedValue({
+      data: {
+        expires_at: "2026-06-09T12:00:00Z",
+        shell_session_token: "shell-token-1",
+      },
+    });
+
+    const response = await GET(
+      new Request(
+        "https://shell.example.com/api/auth/accept-shell-session?code=code-1&state=state-1&return_to=%2Fw%2Ffleet-alpha%2Fconnect",
+      ),
+    );
+
+    expect(response.status).toBe(307);
+    expect(response.headers.get("location")).toBe(
+      "https://shell.example.com/w/fleet-alpha/connect",
+    );
+    expect(response.headers.get("cache-control")).toBe("no-store");
+    expect(response.headers.get("referrer-policy")).toBe("no-referrer");
+    expect(mocks.exchangeVuilderShellSessionHandoffCode).toHaveBeenCalledWith(
+      "code-1",
+      "state-1",
+    );
+    expect(mocks.applyVuilderShellSessionToResponse).toHaveBeenCalledWith(
+      expect.any(Response),
+      "shell-token-1",
+      "2026-06-09T12:00:00Z",
+    );
+  });
+
+  it("rejects external return paths", async () => {
+    mocks.readVuilderShellHandoffState.mockResolvedValue("state-1");
+    mocks.exchangeVuilderShellSessionHandoffCode.mockResolvedValue({
+      data: {
+        expires_at: "2026-06-09T12:00:00Z",
+        shell_session_token: "shell-token-1",
+      },
+    });
+
+    const response = await GET(
+      new Request(
+        "https://shell.example.com/api/auth/accept-shell-session?code=code-1&state=state-1&return_to=https%3A%2F%2Fevil.example.com%2F",
+      ),
+    );
+
+    expect(response.headers.get("location")).toBe("https://shell.example.com/app");
+  });
+
+  it("fails closed when the shell state does not match", async () => {
+    mocks.readVuilderShellHandoffState.mockResolvedValue("state-1");
+
+    const response = await GET(
+      new Request(
+        "https://shell.example.com/api/auth/accept-shell-session?code=code-1&state=attacker-state&return_to=%2Fw%2Ffleet-alpha%2Fconnect",
+        {
+          headers: {
+            cookie: "mw_vuilder_shell_session=existing-shell-token",
+          },
+        },
+      ),
+    );
+
+    expect(response.headers.get("location")).toBe(
+      "https://shell.example.com/w/fleet-alpha/connect",
+    );
+    expect(mocks.exchangeVuilderShellSessionHandoffCode).not.toHaveBeenCalled();
+    expect(mocks.applyVuilderShellSessionToResponse).not.toHaveBeenCalled();
+    expect(mocks.clearVuilderShellHandoffStateFromResponse).toHaveBeenCalledWith(
+      expect.any(Response),
+    );
+    expect(response.headers.get("set-cookie") ?? "").not.toContain(
+      "mw_vuilder_shell_session",
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/app/api/auth/accept-shell-session/route.ts

@@ -0,0 +1,63 @@
+import { NextResponse } from "next/server";
+
+import { appRoutes } from "@/lib/app-routes";
+import { exchangeVuilderShellSessionHandoffCode } from "@/lib/platform/client.server";
+import {
+  applyVuilderShellSessionToResponse,
+  clearVuilderShellHandoffStateFromResponse,
+  readVuilderShellHandoffState,
+} from "@/lib/platform/session.server";
+
+function normalizeLocalReturnTo(value?: string | null) {
+  const candidate = String(value ?? "").trim();
+  if (!candidate || !candidate.startsWith("/") || candidate.startsWith("//")) {
+    return appRoutes.appHome;
+  }
+
+  try {
+    const parsed = new URL(candidate, "http://localhost");
+    if (parsed.origin !== "http://localhost" || !parsed.pathname.startsWith("/")) {
+      return appRoutes.appHome;
+    }
+    return `${parsed.pathname}${parsed.search}${parsed.hash}`;
+  } catch {
+    return appRoutes.appHome;
+  }
+}
+
+export async function GET(request: Request) {
+  const url = new URL(request.url);
+  const shellSessionHandoffCode = url.searchParams.get("code")?.trim() ?? "";
+  const shellHandoffState = url.searchParams.get("state")?.trim() ?? "";
+  const expectedShellHandoffState = await readVuilderShellHandoffState();
+  const returnTo = normalizeLocalReturnTo(url.searchParams.get("return_to"));
+  const response = NextResponse.redirect(new URL(returnTo, url.origin));
+  response.headers.set("Cache-Control", "no-store");
+  response.headers.set("Referrer-Policy", "no-referrer");
+  clearVuilderShellHandoffStateFromResponse(response);
+
+  if (
+    !shellSessionHandoffCode ||
+    !shellHandoffState ||
+    !expectedShellHandoffState ||
+    shellHandoffState !== expectedShellHandoffState
+  ) {
+    return response;
+  }
+
+  try {
+    const result = await exchangeVuilderShellSessionHandoffCode(
+      shellSessionHandoffCode,
+      expectedShellHandoffState,
+    );
+    applyVuilderShellSessionToResponse(
+      response,
+      result.data.shell_session_token,
+      result.data.expires_at,
+    );
+  } catch {
+    return response;
+  }
+
+  return response;
+}

package/assets/templates/vuilder-shell/src/app/api/auth/logout/route.test.ts

@@ -0,0 +1,63 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  clearPlatformSessionFromResponse: vi.fn(),
+  readPlatformAuthState: vi.fn(),
+  revokeVuilderShellSession: vi.fn(),
+}));
+
+vi.mock("@/lib/platform/client.server", () => ({
+  revokeVuilderShellSession: mocks.revokeVuilderShellSession,
+}));
+
+vi.mock("@/lib/platform/session.server", () => ({
+  clearPlatformSessionFromResponse: mocks.clearPlatformSessionFromResponse,
+  readPlatformAuthState: mocks.readPlatformAuthState,
+}));
+
+import { POST } from "./route";
+
+describe("POST /api/auth/logout", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("rejects cross-origin submissions before clearing shared cookies", async () => {
+    const response = await POST(
+      new Request("https://shell.example.com/api/auth/logout", {
+        method: "POST",
+        headers: { origin: "https://evil.example.com" },
+      }),
+    );
+
+    expect(response.status).toBe(403);
+    expect(mocks.readPlatformAuthState).not.toHaveBeenCalled();
+    expect(mocks.revokeVuilderShellSession).not.toHaveBeenCalled();
+    expect(mocks.clearPlatformSessionFromResponse).not.toHaveBeenCalled();
+  });
+
+  it("revokes and clears shell session cookies for same-origin submissions", async () => {
+    const authState = { shellSessionToken: "shell-token-1" };
+    mocks.readPlatformAuthState.mockResolvedValue(authState);
+    mocks.revokeVuilderShellSession.mockResolvedValue(undefined);
+
+    const response = await POST(
+      new Request("https://shell.example.com/api/auth/logout", {
+        method: "POST",
+        headers: { origin: "https://shell.example.com" },
+      }),
+    );
+
+    expect(response.status).toBe(204);
+    expect(response.headers.get("Cache-Control")).toBe("no-store");
+    expect(mocks.revokeVuilderShellSession).toHaveBeenCalledWith(authState);
+    expect(mocks.clearPlatformSessionFromResponse).toHaveBeenCalledWith(
+      expect.any(Response),
+    );
+    expect(
+      mocks.revokeVuilderShellSession.mock.invocationCallOrder[0],
+    ).toBeLessThan(
+      mocks.clearPlatformSessionFromResponse.mock.invocationCallOrder[0],
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/app/api/auth/logout/route.ts

@@ -0,0 +1,24 @@
+import { NextResponse } from "next/server";
+
+import { hasTrustedBrowserOrigin } from "@/lib/http/same-origin";
+import { revokeVuilderShellSession } from "@/lib/platform/client.server";
+import {
+  clearPlatformSessionFromResponse,
+  readPlatformAuthState,
+} from "@/lib/platform/session.server";
+
+export async function POST(request: Request) {
+  if (!hasTrustedBrowserOrigin(request)) {
+    return NextResponse.json(
+      { detail: "Same-origin browser submission required." },
+      { status: 403 },
+    );
+  }
+
+  const authState = await readPlatformAuthState();
+  await revokeVuilderShellSession(authState).catch(() => null);
+  const response = new NextResponse(null, { status: 204 });
+  response.headers.set("Cache-Control", "no-store");
+  clearPlatformSessionFromResponse(response);
+  return response;
+}

package/assets/templates/vuilder-shell/src/app/api/auth/session/route.test.ts

@@ -0,0 +1,70 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  loadCurrentSession: vi.fn(),
+  readPlatformAuthState: vi.fn(),
+  syncPlatformAuthStateToResponse: vi.fn(),
+  toPlatformErrorResponse: vi.fn(),
+}));
+
+vi.mock("@/lib/platform/client.server", () => ({
+  loadCurrentSession: mocks.loadCurrentSession,
+}));
+
+vi.mock("@/lib/platform/route-response", () => ({
+  toPlatformErrorResponse: mocks.toPlatformErrorResponse,
+}));
+
+vi.mock("@/lib/platform/session.server", () => ({
+  readPlatformAuthState: mocks.readPlatformAuthState,
+  syncPlatformAuthStateToResponse: mocks.syncPlatformAuthStateToResponse,
+}));
+
+import { GET } from "./route";
+
+describe("GET /api/auth/session", () => {
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("returns the current session with no-store cache headers", async () => {
+    const authState = { shellSessionToken: "shell-token-1" };
+    const nextAuthState = { shellSessionToken: "shell-token-2" };
+    mocks.readPlatformAuthState.mockResolvedValue(authState);
+    mocks.loadCurrentSession.mockResolvedValue({
+      authState: nextAuthState,
+      data: { authenticated: true },
+    });
+
+    const response = await GET();
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get("Cache-Control")).toBe("no-store");
+    await expect(response.json()).resolves.toEqual({ authenticated: true });
+    expect(mocks.syncPlatformAuthStateToResponse).toHaveBeenCalledWith(
+      expect.any(Response),
+      authState,
+      nextAuthState,
+    );
+  });
+
+  it("returns platform errors with no-store cache headers", async () => {
+    const authState = { shellSessionToken: "shell-token-1" };
+    const error = new Error("platform failed");
+    mocks.readPlatformAuthState.mockResolvedValue(authState);
+    mocks.loadCurrentSession.mockRejectedValue(error);
+    mocks.toPlatformErrorResponse.mockReturnValue(
+      Response.json({ detail: "Platform error" }, { status: 503 }),
+    );
+
+    const response = await GET();
+
+    expect(response.status).toBe(503);
+    expect(response.headers.get("Cache-Control")).toBe("no-store");
+    expect(mocks.toPlatformErrorResponse).toHaveBeenCalledWith(
+      error,
+      "Unable to load the current platform session.",
+      authState,
+    );
+  });
+});

package/assets/templates/vuilder-shell/src/app/api/auth/session/route.ts

@@ -0,0 +1,27 @@
+import { NextResponse } from "next/server";
+
+import { loadCurrentSession } from "@/lib/platform/client.server";
+import { toPlatformErrorResponse } from "@/lib/platform/route-response";
+import {
+  readPlatformAuthState,
+  syncPlatformAuthStateToResponse,
+} from "@/lib/platform/session.server";
+
+export async function GET() {
+  const authState = await readPlatformAuthState();
+  try {
+    const result = await loadCurrentSession(authState);
+    const response = NextResponse.json(result.data, { status: 200 });
+    response.headers.set("Cache-Control", "no-store");
+    syncPlatformAuthStateToResponse(response, authState, result.authState);
+    return response;
+  } catch (error) {
+    const response = toPlatformErrorResponse(
+      error,
+      "Unable to load the current platform session.",
+      authState,
+    );
+    response.headers.set("Cache-Control", "no-store");
+    return response;
+  }
+}

package/assets/templates/vuilder-shell/src/app/app/layout.tsx

@@ -0,0 +1,17 @@
+import type { Metadata } from "next";
+import type { ReactNode } from "react";
+
+export const metadata: Metadata = {
+  robots: {
+    index: false,
+    follow: false,
+  },
+};
+
+export default function AuthenticatedAppLayout({
+  children,
+}: {
+  children: ReactNode;
+}) {
+  return children;
+}

package/assets/templates/vuilder-shell/src/app/app/page.tsx

@@ -0,0 +1,30 @@
+import { notFound, redirect } from "next/navigation";
+
+import { appRoutes } from "@/lib/app-routes";
+import { loadCurrentWorkspaceShellSession } from "@/lib/platform/client.server";
+import { readPlatformAuthState } from "@/lib/platform/session.server";
+
+export const metadata = {
+  title: "Workspace",
+};
+
+export default async function AppHomePage() {
+  const authState = await readPlatformAuthState();
+  const shellSession = (await loadCurrentWorkspaceShellSession(authState)).data;
+  const { membership, session, workspaceCanOpen, workspaceCanView } =
+    shellSession;
+
+  if (!session.authenticated) {
+    redirect(appRoutes.login);
+  }
+
+  if (!membership || !workspaceCanView) {
+    notFound();
+  }
+
+  if (!workspaceCanOpen) {
+    redirect(appRoutes.workspaceConnect(membership.workspace_slug));
+  }
+
+  redirect(appRoutes.workspaceShell(membership.workspace_slug));
+}

package/assets/templates/vuilder-shell/src/app/blog/[slug]/page.tsx

@@ -0,0 +1,15 @@
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
+
+export const metadata = {
+  title: "Blog",
+};
+
+export default function BlogPostPage() {
+  return (
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Update"
+      body="A customer-facing update."
+    />
+  );
+}

package/assets/templates/vuilder-shell/src/app/blog/page.tsx

@@ -0,0 +1,15 @@
+import { StaticPublicPage } from "@/features/public-shell/components/static-public-page";
+
+export const metadata = {
+  title: "Blog",
+};
+
+export default function BlogIndexPage() {
+  return (
+    <StaticPublicPage
+      eyebrow="Blog"
+      title="Updates"
+      body="News, releases, and customer notes."
+    />
+  );
+}