Merge branch 'dev' into dashboard/changelog

Author: madster456

.claude/CLAUDE-KNOWLEDGE.md

@@ -178,9 +178,9 @@ const [result1, result2] = await Promise.all([
 ```
 
 ### Q: What's the correct way to update project configuration in E2E tests?
-A: Use the `/api/v1/internal/config/override` endpoint with PATCH method and admin access token:
+A: Use the `/api/v1/internal/config/override/environment` endpoint with PATCH method and admin access token:
 ```typescript
-await niceBackendFetch("/api/v1/internal/config/override", {
+await niceBackendFetch("/api/v1/internal/config/override/environment", {
   method: "PATCH",
   accessType: "admin",
   headers: {

.cursor/hooks/stop-check.sh

@@ -14,7 +14,7 @@ fi
 
 # Run typecheck and lint
 pnpm run typecheck 1>&2 || exit 2
-pnpm run lint 1>&2 || exit 2
+pnpm run lint --fix 1>&2 || exit 2
 
 exit 0
 

.github/workflows/db-migration-backwards-compatibility.yaml

@@ -1,22 +1,22 @@
-name: DB migrations are backwards-compatible with main branch
+name: DB migrations are backwards-compatible
 
 on:
   push:
-    branches:
+    branches-ignore:
       - main
-      - dev
   pull_request:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/dev' }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/dev' }}
 
 jobs:
   check-migrations-changed:
     name: Check if migrations changed
     runs-on: ubuntu-latest
     outputs:
       migrations_changed: ${{ steps.check-diff.outputs.migrations_changed }}
+      base_branch: ${{ steps.check-diff.outputs.base_branch }}
     steps:
       - name: Checkout current branch
         uses: actions/checkout@v6
@@ -26,9 +26,17 @@ jobs:
       - name: Check for migration changes
         id: check-diff
         run: |
-          # Get the merge base with main
-          git fetch origin main
-          MERGE_BASE=$(git merge-base HEAD origin/main)
+          # Determine base branch: dev compares to main, all others compare to dev
+          if [ "${{ github.ref }}" = "refs/heads/dev" ]; then
+            BASE_BRANCH="main"
+          else
+            BASE_BRANCH="dev"
+          fi
+          echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT
+          
+          # Get the merge base with the base branch
+          git fetch origin $BASE_BRANCH
+          MERGE_BASE=$(git merge-base HEAD origin/$BASE_BRANCH)
           
           # Check if there are any changes in the migrations folder
           if git diff --quiet "$MERGE_BASE" HEAD -- apps/backend/prisma/migrations/; then
@@ -40,7 +48,7 @@ jobs:
           fi
 
   backwards-compatibility:
-    name: Test migrations with main branch code
+    name: Test migrations with ${{ needs.check-migrations-changed.outputs.base_branch }} branch code
     needs: check-migrations-changed
     if: needs.check-migrations-changed.outputs.migrations_changed == 'true'
     runs-on: ubicloud-standard-8
@@ -62,25 +70,19 @@ jobs:
           mkdir -p saved-migrations
           cp -r current-branch/apps/backend/prisma/migrations/* saved-migrations/
 
-      # Now checkout main branch
-      - name: Checkout main branch
+      # Now checkout base branch (main for dev, dev for all others)
+      - name: Checkout base branch
         uses: actions/checkout@v6
         with:
-          ref: main
-          path: main-branch
+          ref: ${{ needs.check-migrations-changed.outputs.base_branch }}
+          path: base-branch
 
-      # Replace main's migrations with current branch's migrations
-      - name: Replace migrations with current branch migrations
-        run: |
-          rm -rf main-branch/apps/backend/prisma/migrations/*
-          cp -r saved-migrations/* main-branch/apps/backend/prisma/migrations/
-
-      # Move main-branch to the root for the rest of the workflow
+      # Move base-branch to the root for the rest of the workflow (keep base's migrations for now)
       - name: Setup working directory
         run: |
           shopt -s dotglob
-          mv main-branch/* .
-          rm -rf main-branch current-branch saved-migrations
+          mv base-branch/* .
+          rm -rf base-branch current-branch
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -194,9 +196,27 @@ jobs:
       - name: Wait 10 seconds
         run: sleep 10
 
-      - name: Run tests
+      # First test run: base branch with base's migrations
+      - name: Run tests (base branch with original migrations)
         run: pnpm test
 
+      # Now copy over current branch's migrations and run migrate
+      - name: Replace migrations with current branch migrations
+        run: |
+          rm -rf apps/backend/prisma/migrations/*
+          cp -r saved-migrations/* apps/backend/prisma/migrations/
+          rm -rf saved-migrations
+
+      - name: Run database migrations
+        run: pnpm run db:migrate
+
+      # Second test run: base branch code with new migrations applied
+      - name: Run tests (base branch with new migrations)
+        run: pnpm test
+
+      - name: Verify data integrity
+        run: pnpm run verify-data-integrity
+
       - name: Print Docker Compose logs
         if: always()
         run: docker compose -f docker/dependencies/docker.compose.yaml logs

.github/workflows/e2e-api-tests.yaml

@@ -145,15 +145,15 @@ jobs:
         run: sleep 10
 
       - name: Run tests
-        run: pnpm test
+        run: pnpm test ${{ matrix.freestyle-mode == 'prod' && '--min-workers=1 --max-workers=1' || '' }}
 
       - name: Run tests again, to make sure they are stable (attempt 1)
         if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'
-        run: pnpm test
+        run: pnpm test ${{ matrix.freestyle-mode == 'prod' && '--min-workers=1 --max-workers=1' || '' }}
 
       - name: Run tests again, to make sure they are stable (attempt 2)
         if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev'
-        run: pnpm test
+        run: pnpm test ${{ matrix.freestyle-mode == 'prod' && '--min-workers=1 --max-workers=1' || '' }}
 
       - name: Verify data integrity
         run: pnpm run verify-data-integrity

.vscode/settings.json

@@ -7,6 +7,7 @@
   "typescript.tsdk": "node_modules/typescript/lib",
   "editor.tabSize": 2,
   "cSpell.words": [
+    "pushable",
     "autoupdate",
     "backlinks",
     "Cancelation",

AGENTS.md

@@ -83,9 +83,16 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - NEVER try-catch-all, NEVER void a promise, and NEVER .catch(console.error) (or similar). In most cases you don't actually need to be asynchronous, especially when UI is involved (instead, use a loading indicator! eg. our <Button> component already takes an async callback for onClick and sets its loading state accordingly — if whatever component doesn't do that, update the component instead). If you really do need things to be asynchronous, use `runAsynchronously` or `runAsynchronouslyWithAlert` instead as it deals with error logging.
 - WHENEVER you create hover transitions, avoid hover-enter transitions, and just use hover-exit transitions. For example, `transition-colors hover:transition-none`.
 - Any environment variables you create should be prefixed with `STACK_` (or NEXT_PUBLIC_STACK_ if they are public). This ensures that their changes are picked up by Turborepo (and helps readability).
+- NEVER just silently use fallback values or whatever when you don't know how to fix type errors. If there is a state that should never happen because of higher-level logic, and the type system doesn't represent that, either update the types or throw an error. Stuff like `?? 0` or `?? ""` is often code smell when `?? throwErr("this should never happen because XYZ")` would be better.
 - Code defensively. Prefer `?? throwErr(...)` over non-null assertions, with good error messages explicitly stating the assumption that must've been violated for the error to be thrown.
 - Try to avoid the `any` type. Whenever you need to use `any`, leave a comment explaining why you're using it (optimally it explains why the type system fails here, and how you can be certain that any errors in that code path would still be flagged at compile-, test-, or runtime).
 - Don't use Date.now() for measuring elapsed (real) time, instead use `performance.now()`
+- Use urlString`` or encodeURIComponent() instead of normal string interpolation for URLs, for consistency even if it's not strictly necessary.
+- When making config updates, use path notation (`{ "path.to.field": my-value }`) to avoid overwriting sibling properties
+- IMPORTANT: Any assumption you make should either be validated through type system (preferred), assertions, or tests. Optimally, two out of three.
+- If there is an external browser tool connected, use it to test changes you make to the frontend when possible.
+- Whenever you update an SDK implementation in `sdks/implementations`, make sure to update the specs accordingly in `sdks/specs` such that if you reimplemented the entire SDK from the specs again, you would get the same implementation. (For example, if the specs are not precise enough to describe a change you made, make the specs more precise.)
+- When building internal tools for Stack Auth developers (eg. internal interfaces like the WAL info log etc.): Make the interfaces look very concise, assume the user is a pro-user. This only applies to internal tools that are used primarily by Stack Auth developers.
 
 ### Code-related
 - Use ES6 maps instead of records wherever you can.

CHANGELOG.md

@@ -2,6 +2,25 @@
 
 ---
 
+## 2026.01.23
+
+### Payments
+Introduced a redesigned payments onboarding flow
+
+## 2026.01.21
+
+### Payments
+- Payments page updated with new UI changes
+- Added a new Payments Settings page with an option to temporarily disable all payments
+- Subscription renewal emails are now sent automatically to users
+- Past payment invoices are now visible on the Account Settings page
+
+### Documentation
+- Updated JWT documentation to include `isRestricted` and `restrictedReason`
+
+## 2026.01.19
+- Updated package dependencies to their newest versions.
+
 ## 2025.12.19
 - Introduces new changelog and deprecates all older changelogs. 
 - Moved away from semantic versioning in favor of CalVer.

CONTRIBUTING.md

@@ -43,8 +43,9 @@ For vibecoding, it can help to have multiple parallel copies of the codebase ope
   ```sh
   # ~/.bash_profile, ~/.bashrc, ~/.zprofile, ~/.zshrc, ~/.zshenv, etc.
   # note that different coding agents use a different shell in a different mode (login, non-login, interactive, non-interactive, etc.); from my experimentation, as of 2025-10-17 on a Mac, Cursor uses non-interactive zsh (requiring ~/.zshenv), whereas Codex uses a non-interactive login bash (requiring ~/.bash_profile). It's easiest to just add these lines of code to all of your shell configs.
-  eval "$(direnv hook <bash|zsh>)"
-  eval "$(direnv export <bash|zsh>)"
+  # also, make sure to use the correct path to the direnv binary; for example, on a Mac with Homebrew installed, it is /opt/homebrew/bin/direnv
+  eval "$(/path/to/direnv hook <bash|zsh>)"
+  eval "$(/path/to/direnv export <bash|zsh>)"
   ```
 3. Now, create a `.envrc` file in the root of Stack Auth's codebase with the following content:
   ```sh

README.md

@@ -34,8 +34,6 @@ We support Next.js, React, and JavaScript frontends, along with any backend that
   - [Requirements](#requirements)
   - [Setup](#setup)
   - [Useful commands](#useful-commands)
-  - [Chat with the codebase](#chat-with-the-codebase)
-  - [Architecture overview](#architecture-overview)
 - [❤ Contributors](#-contributors)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@@ -142,7 +140,7 @@ pnpm restart-deps
 pnpm dev
 
 # In a different terminal, run tests in watch mode
-pnpm test
+pnpm test # useful: --no-watch (disables watch mode) and --bail 1 (stops after the first failure) 
 ```
 
 You can now open the dev launchpad at [http://localhost:8100](http://localhost:8100). From there, you can navigate to the dashboard at [http://localhost:8101](http://localhost:8101), API on port 8102, demo on port 8103, docs on port 8104, Inbucket (e-mails) on port 8105, and Prisma Studio on port 8106. See the dev launchpad for a list of all running services.
@@ -196,51 +194,6 @@ pnpm verify-data-integrity: Verify the integrity of the data in the database by
 
 Note: When working with AI, you should keep a terminal tab with the dev server open so the AI can run queries against it.
 
-### Chat with the codebase
-
-Storia trained an [AI on our codebase](https://sage.storia.ai/stack-auth) that can answer questions about using and contributing to Stack Auth.
-
-### Architecture overview
-
-```mermaid
-  graph TB
-      Website[Your Website]
-      User((User))
-      Admin((Admin))
-      subgraph "Stack Auth System"
-          Dashboard[Stack Auth Dashboard<br/>/apps/dashboard]
-          Backend[Stack Auth API Backend<br/>/apps/backend]
-          Database[(PostgreSQL Database)]
-          EmailService[Email Service<br/>Inbucket]
-          WebhookService[Webhook Service<br/>Svix]
-          StackSDK[Client SDK<br/>/packages/stack]
-          subgraph Shared
-              StackUI[Stack Auth UI<br/>/packages/stack-ui]
-              StackShared[Stack Auth Shared<br/>/packages/stack-shared]
-              StackEmails[Stack Auth Emails<br/>/packages/stack-emails]
-          end
-      end
-      Admin --> Dashboard
-      User --> Website
-      Website --> StackSDK
-      Backend --> Database
-      Backend --> EmailService
-      Backend --> WebhookService
-      Dashboard --> Shared
-      Dashboard --> StackSDK
-      StackSDK --HTTP Requests--> Backend
-      StackSDK --> Shared
-      Backend --> Shared
-      classDef container fill:#1168bd,stroke:#0b4884,color:#ffffff
-      classDef database fill:#2b78e4,stroke:#1a4d91,color:#ffffff
-      classDef external fill:#999999,stroke:#666666,color:#ffffff
-      classDef deprecated stroke-dasharray: 5 5
-      class Dashboard,Backend,EmailService,WebhookService,Website container
-      class Database database
-```
-
-Thanks to [CodeViz](https://www.codeviz.ai) for generating the diagram!
-
 ## ❤ Contributors
 
 <a href="https://github.com/stack-auth/stack-auth/graphs/contributors">

apps/backend/.env

@@ -87,6 +87,9 @@ STACK_SETUP_ADMIN_GITHUB_ID=# enter the account ID of the admin user here, and a
 OTEL_EXPORTER_OTLP_ENDPOINT=# enter the OpenTelemetry endpoint here. Optional, default is `http://localhost:8131`
 STACK_INTEGRATION_CLIENTS_CONFIG=# a list of oidc-provider clients for integrations. If not provided, disables integrations
 STACK_FREESTYLE_API_KEY=# enter your freestyle.sh api key
+STACK_VERCEL_SANDBOX_PROJECT_ID=# enter the project id for the vercel project that the vercel engine will use
+STACK_VERCEL_SANDBOX_TEAM_ID=# enter the team id for the vercel project that the vercel engine will use
+STACK_VERCEL_SANDBOX_TOKEN=# enter the token for the vercel project that the vercel engine will use
 STACK_OPENAI_API_KEY=# enter your openai api key
 STACK_FEATUREBASE_API_KEY=# enter your featurebase api key
 STACK_STRIPE_SECRET_KEY=# enter your stripe api key