fix/kim john ung prompt#1446

Merged: mantrakp04 merged 2 commits into dev from fix/kim-john-ung-prompt on May 20, 2026

@mantrakp04 mantrakp04 commented May 20, 2026

Summary by CodeRabbit

  • Documentation
    • Simplified setup and environment-variable guidance across docs, onboarding prompts, and setup snippets, replacing long explanatory blocks with concise inline notes.
    • Condensed frontend/backend examples into shorter combined examples and streamlined cloud-project instructions.
    • Shortened custom auth page prompts by removing verbose redirect/URL override explanations and relying on shared reminder text.

Copilot AI review requested due to automatic review settings May 20, 2026 01:54
vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| stack-auth-hosted-components | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-auth-mcp | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-auth-skills | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-backend | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-dashboard | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-demo | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-docs | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-preview-backend | Ready | Preview, Comment | May 20, 2026 2:14am |
| stack-preview-dashboard | Ready | Preview, Comment | May 20, 2026 2:14am |

coderabbitai Bot commented May 20, 2026

Walkthrough

This PR shortens and regenerates AI-generated onboarding/setup prompt text and docs: cloud-project .env.local guidance is condensed into brief inline comments. Changes touch the SDK prompt generator, regenerated home snippet, multi-framework setup docs (Next.js/React/JS/TS/TanStack/Node/Bun), and custom auth page prompts.

Changes

Cloud Project Setup Prompt Simplification

| Layer / File(s) | Summary |
| --- | --- |
| Source prompt generator update (packages/stack-shared/src/ai/prompts.ts) | The getSdkSetupPrompt() content is shortened: frontend and backend .env.local snippets now use brief inline comments about STACK_PROJECT_ID prefixing and STACK_SECRET_SERVER_KEY instead of longer explanatory blocks. |
| Home snippet regeneration (docs-mintlify/snippets/home-prompt-island.jsx) | Regenerated generatedSetupPromptText to match the condensed cloud-project environment-variable guidance, removing longer paragraphs about which SDK vars are read and prefix conventions. |
| Framework setup documentation update (docs-mintlify/guides/getting-started/setup.mdx) | Updated setup tabs (Next.js, React, Other JS/TS, TanStack Start, Node.js, Bun) to use simplified frontend and backend .env.local examples with shorter inline comments for STACK_PROJECT_ID and STACK_SECRET_SERVER_KEY. |
| Auth page prompt simplification (packages/stack-shared/src/interface/page-component-versions.ts) | Removed verbose instruction blocks about URL-target overrides and OAuth callback redirect visibility; simplified the OAuth provider configuration note and rely on shared stackAuthReminders. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • hexclave/stack-auth#1438: Modified related generated setup/auth prompt content, including the “Option 2” cloud-project .env.local guidance now adjusted here.

Suggested reviewers

  • nams1570
  • N2D4

Poem

🐰 I trimmed the prompts, made them neat,
Short comments now take the seat.
Env keys whisper, concise and bright,
Guides glow cleaner in the light.
Hop, review, and ship tonight!

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'fix/kim john ung prompt' is vague and lacks meaningful context about the actual changes made to prompts and documentation. | Use a more descriptive title that clearly summarizes the main change, such as 'Simplify cloud project .env guidance in setup prompts' or 'Clarify environment variable instructions in AI setup prompts'. |
| Description check | ❓ Inconclusive | The description is a bullet-point list mixing unrelated changes without clear context, explanations, or adherence to the template structure. | Expand the description with clear sections explaining the purpose of each change, the problems being solved, and how the fixes address them, following the CONTRIBUTING.md guidelines. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Copilot AI left a comment

Pull request overview

This PR adjusts Stack Auth’s generated setup prompts/docs and the SDK-managed custom page prompts, primarily around environment variable instructions and auth URL target guidance.

Changes:

  • Simplifies cloud-project environment variable snippets in getSdkSetupPrompt.
  • Removes detailed URL-target override guidance from custom page prompt generation (including OAuth redirect notes).
  • Regenerates Mintlify docs/snippets to match updated prompts.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| packages/stack-shared/src/interface/page-component-versions.ts | Updates the generated custom page prompts; removes previously included URL-target override/OAuth redirect guidance. |
| packages/stack-shared/src/ai/prompts.ts | Changes the cloud-project env-var instructions used by the unified setup prompt generator. |
| docs-mintlify/snippets/home-prompt-island.jsx | Regenerated snippet output reflecting the updated setup prompt text. |
| docs-mintlify/guides/getting-started/setup.mdx | Regenerated setup guide content reflecting the updated setup prompt text. |

greptile-apps Bot commented May 20, 2026

Greptile Summary

This PR updates AI-facing setup prompts for Stack Auth: it condenses the env-var guidance in the cloud-project setup accordion and removes the URL-target override warning table from the custom page prompt template.

  • prompts.ts / generated docs: Replaced multi-line .env comments (including an explicit "STACK_SECRET_SERVER_KEY must NEVER be prefixed" guard) with inline one-liners, and dropped the "only these two vars" completeness note.
  • page-component-versions.ts: Removed the "Important — overriding one URL target does NOT override the others" section, including the oauthCallback / REDIRECT_URL_NOT_WHITELISTED guidance and the full URL-target table; shortened the OAuth button instruction to drop the hosted-domain caveat.

Confidence Score: 3/5

Two meaningful pieces of guidance were deliberately removed from AI-facing prompts: a security warning that the server key must never be client-prefixed, and the complete URL-target override table that prevents broken OAuth flows.

The env-var block now sits STACK_SECRET_SERVER_KEY directly below a comment telling agents to add a client-exposure prefix to STACK_PROJECT_ID, with no counter-instruction for the secret key — creating a realistic path to frontend key leakage. Separately, removing the oauthCallback override guidance means AI-generated custom sign-in pages will silently leave OAuth redirecting through the hosted domain, hitting REDIRECT_URL_NOT_WHITELISTED without any prompt-level hint about why.

packages/stack-shared/src/ai/prompts.ts and packages/stack-shared/src/interface/page-component-versions.ts both need a second look before merging.

Security Review

  • packages/stack-shared/src/ai/prompts.ts (backend .env block): The explicit comment warning that the server key must never be client-prefixed was removed. The adjacent project-ID comment encourages adding a client-exposure prefix, but there is now no symmetric guard for the server key. An AI agent following these instructions could bundle the server key into the frontend.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/stack-shared/src/ai/prompts.ts | Condensed .env guidance in the cloud-project setup accordion; removed explicit warning that STACK_SECRET_SERVER_KEY must never be prefixed or exposed to the client. |
| packages/stack-shared/src/interface/page-component-versions.ts | Removed the URL-target override table and REDIRECT_URL_NOT_WHITELISTED / hosted-domain warning; simplified OAuth button line to drop oauthCallback guidance. |
| docs-mintlify/guides/getting-started/setup.mdx | Auto-generated file updated to reflect changes in prompts.ts; no manually authored logic changed. |
| docs-mintlify/snippets/home-prompt-island.jsx | Auto-generated file updated to reflect changes in prompts.ts; the React component structure (textarea island) is unchanged. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[prompts.ts\nsource of truth] -->|generate| B[setup.mdx\nauto-generated]
    A -->|generate| C[home-prompt-island.jsx\nauto-generated]
    D[page-component-versions.ts\ncustom page prompts] -->|consumed by| E[backend /internal/component-versions]
    D -->|consumed by| F[template SDK url-targets.ts]
    A -->|env var guidance\nnow missing SECRET KEY warning| G((AI Agent))
    D -->|oauthCallback guidance\nnow removed| G
```

Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
packages/stack-shared/src/ai/prompts.ts:569-578
**Missing explicit "do not prefix secret key" guard**

The condensed backend `.env` block now places `STACK_SECRET_SERVER_KEY` on the line immediately below a comment that tells readers to "prefix with your framework's convention for client-exposed variables". An AI agent (the primary reader of this prompt) following the instruction could apply the same `NEXT_PUBLIC_` / `VITE_` prefix to the secret key, bundling it into the client. The old version contained an explicit `# STACK_SECRET_SERVER_KEY must NEVER be prefixed or exposed to the client.` comment that made the asymmetry unambiguous; removing it creates an ambiguity that could result in secret-key leakage.

### Issue 2 of 2
packages/stack-shared/src/interface/page-component-versions.ts:104-108
**Removal of `oauthCallback` guidance leaves AI-generated implementations broken by default**

The deleted section explicitly warned that overriding `signIn`/`signUp` does NOT also override `oauthCallback`, and that leaving it as "hosted" causes the browser to visibly redirect through `<projectId>.built-with-stack-auth.com` during every OAuth flow — which also requires that subdomain to be in the Trusted Domains list or the API returns `REDIRECT_URL_NOT_WHITELISTED`. Without this warning, AI agents will create custom sign-in pages while unknowingly leaving `oauthCallback` on the hosted domain, resulting in broken or confusing OAuth flows that require extra Trusted Domain configuration the prompt never mentions.

Reviews (1): Last reviewed commit: "update docs" | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/stack-shared/src/ai/prompts.ts`:
- Around line 552-553: Update the prompt text around the environment variable
examples to make explicit that client-side frameworks (e.g., Next.js, Vite)
require the public variable to be prefixed (for example
NEXT_PUBLIC_STACK_PROJECT_ID or VITE_STACK_PROJECT_ID) rather than saying "if
available, prefix"—state the prefix is required for client runtimes; also
explicitly state that STACK_SECRET_SERVER_KEY must remain unprefixed and
server-only. Locate the lines referencing STACK_PROJECT_ID and
STACK_SECRET_SERVER_KEY in the prompts (search for those exact variable names)
and revise the wording to clearly call out "required prefix for
client/runtime-exposed variables" and "unprefixed, server-only secret"
respectively.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b8bc1263-f9cf-406e-b84b-07aa4a1aa0f8

📥 Commits

Reviewing files that changed from the base of the PR and between 07af469 and f45a1b3.

📒 Files selected for processing (4)
  • docs-mintlify/guides/getting-started/setup.mdx
  • docs-mintlify/snippets/home-prompt-island.jsx
  • packages/stack-shared/src/ai/prompts.ts
  • packages/stack-shared/src/interface/page-component-versions.ts

…ble guidance and improved SDK setup instructions. Updated prompts to reflect necessary variables for both client and server configurations, ensuring accurate setup for various frameworks including TanStack Start.
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs-mintlify/guides/getting-started/setup.mdx`:
- Around line 646-647: The frontend environment snippets use an unprefixed
STACK_PROJECT_ID which will not be exposed to browser builds in common
frameworks; update all frontend env-var snippets that set STACK_PROJECT_ID to
(1) add a short inline note above the snippet that the var must be prefixed for
browser exposure (Next.js -> NEXT_PUBLIC_, Vite/TanStack Start -> VITE_) and (2)
show example prefixed variants (e.g.
NEXT_PUBLIC_STACK_PROJECT_ID=<your-project-id> and
VITE_STACK_PROJECT_ID=<your-project-id>) so client initialization works in those
frameworks; ensure every occurrence of STACK_PROJECT_ID in the Frontend setup
sections (the snippets and their adjacent explanatory text) is modified
accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ce3af483-2fa4-428f-a3a6-17a211760535

📥 Commits

Reviewing files that changed from the base of the PR and between f45a1b3 and 90286e6.

📒 Files selected for processing (3)
  • docs-mintlify/guides/getting-started/setup.mdx
  • docs-mintlify/snippets/home-prompt-island.jsx
  • packages/stack-shared/src/ai/prompts.ts
✅ Files skipped from review due to trivial changes (1)
  • packages/stack-shared/src/ai/prompts.ts

Comment on lines 646 to 647
STACK_PROJECT_ID=<your-project-id>
```
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

`For client-side env vars, what naming is required to expose values in:

  1. Next.js
  2. Vite (including TanStack Start)
    And would plain STACK_PROJECT_ID be available in browser bundles without those prefixes?`

💡 Result:

To expose environment variables to the browser, both Next.js and Vite (including TanStack Start) require specific prefixes. Variables without these prefixes are treated as server-only and are not included in client-side bundles [1][2][3][4].

1) Next.js: To expose a variable to the browser, you must prefix it with NEXT_PUBLIC_ [1][2]. For example, NEXT_PUBLIC_PROJECT_ID will be available in client-side code via process.env.NEXT_PUBLIC_PROJECT_ID [5][6]. Variables without this prefix are inaccessible in the browser [1][2].

2) Vite (including TanStack Start): Vite requires variables to be prefixed with VITE_ to be exposed to the client [3][7]. These are accessed via import.meta.env.VITE_PROJECT_ID [3][4]. TanStack Start, which uses Vite, follows this same convention [4][8].

Regarding your question about STACK_PROJECT_ID: No, a plain STACK_PROJECT_ID would not be available in browser bundles in either framework [1][3]. Because it lacks the required prefix (NEXT_PUBLIC_ for Next.js or VITE_ for Vite), the build tools will intentionally exclude it from the client-side bundle to prevent accidental exposure of sensitive server-side information [1][9][7]. If you need such a value in the browser, you must either add the appropriate prefix or pass the value from the server to the client at runtime (e.g., via a server function or API response) [2][8].

Citations:


🏁 Script executed:

# Check file existence and size
wc -l docs-mintlify/guides/getting-started/setup.mdx

Repository: hexclave/stack-auth

Length of output: 115


🏁 Script executed:

# Read the first few locations mentioned to see the current documentation state
sed -n '645,648p' docs-mintlify/guides/getting-started/setup.mdx
sed -n '665,669p' docs-mintlify/guides/getting-started/setup.mdx
sed -n '826,829p' docs-mintlify/guides/getting-started/setup.mdx

Repository: hexclave/stack-auth

Length of output: 501


🏁 Script executed:

# Check broader context around line 646 to see if there's any framework-specific guidance
sed -n '630,660p' docs-mintlify/guides/getting-started/setup.mdx

Repository: hexclave/stack-auth

Length of output: 1533


🏁 Script executed:

# Check another location to confirm pattern (line 1040-1041)
sed -n '1035,1050p' docs-mintlify/guides/getting-started/setup.mdx

Repository: hexclave/stack-auth

Length of output: 864


Add framework-specific frontend env-var prefix guidance for STACK_PROJECT_ID.

The Frontend setup sections show unprefixed STACK_PROJECT_ID=<your-project-id> without warning that these variables won't be exposed to the browser in common frameworks. Next.js requires the NEXT_PUBLIC_ prefix, and Vite (including TanStack Start) requires the VITE_ prefix. Following these docs as-is results in non-functional client initialization.

Update all Frontend environment variable snippets to include guidance about required framework prefixes:

Suggested docs fix pattern
+# Use your framework's public env prefix when required (for example:
+# NEXT_PUBLIC_STACK_PROJECT_ID in Next.js, VITE_STACK_PROJECT_ID in Vite/TanStack Start).
 STACK_PROJECT_ID=<your-project-id>
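
Review bot: The two added comment lines say to use the public prefix "when required", which leaves the reader (often an AI agent) to decide whether it applies; since this same review establishes that Next.js and Vite do not expose an unprefixed variable to the browser, state that the prefix is required for client code in those frameworks. The pattern also covers only STACK_PROJECT_ID, so in any snippet where STACK_SECRET_SERVER_KEY sits next to it, add a line saying the secret key stays unprefixed and server-only, otherwise the new comment can be read as applying to both variables.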

Applies to: 646-647, 666-668, 827-828, 847-849, 1040-1041, 1060-1062, 1217-1218, 1237-1239, 1459-1460, 1479-1481, 1642-1643, 1662-1664

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
STACK_PROJECT_ID=<your-project-id>
```
# Use your framework's public env prefix when required (for example:
# NEXT_PUBLIC_STACK_PROJECT_ID in Next.js, VITE_STACK_PROJECT_ID in Vite/TanStack Start).
STACK_PROJECT_ID=<your-project-id>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs-mintlify/guides/getting-started/setup.mdx` around lines 646 - 647, The
frontend environment snippets use an unprefixed STACK_PROJECT_ID which will not
be exposed to browser builds in common frameworks; update all frontend env-var
snippets that set STACK_PROJECT_ID to (1) add a short inline note above the
snippet that the var must be prefixed for browser exposure (Next.js ->
NEXT_PUBLIC_, Vite/TanStack Start -> VITE_) and (2) show example prefixed
variants (e.g. NEXT_PUBLIC_STACK_PROJECT_ID=<your-project-id> and
VITE_STACK_PROJECT_ID=<your-project-id>) so client initialization works in those
frameworks; ensure every occurrence of STACK_PROJECT_ID in the Frontend setup
sections (the snippets and their adjacent explanatory text) is modified
accordingly.
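
The two env-var mistakes raised in the Greptile and CodeRabbit reviews above (a client-exposure prefix on STACK_SECRET_SERVER_KEY, and an unprefixed STACK_PROJECT_ID in a browser build) can be caught mechanically before a build. The following is an added example, not code from this PR or from Stack Auth; the function names, the `framework` argument, the SECRET name heuristic and the sample input are assumptions.

```javascript
// Added example: lint .env text for the two mistakes the reviews describe.
// The prefixes are the ones named on this page; all other names are assumptions.
const FRAMEWORK_PREFIX = { next: "NEXT_PUBLIC_", vite: "VITE_" };
const CLIENT_PREFIXES = Object.values(FRAMEWORK_PREFIX);
const SERVER_ONLY = new Set(["STACK_SECRET_SERVER_KEY"]);
const CLIENT_NEEDED = new Set(["STACK_PROJECT_ID"]);
// Assumed heuristic: any variable with a SECRET name segment is server-only.
const SECRET_LIKE = /(^|_)SECRET(_|$)/;

// Return [{ name, line }] for every assignment; blanks and # comments never match.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(raw);
    if (m) entries.push({ name: m[1], line: i + 1 });
  });
  return entries;
}

// Split a variable name into its client-exposure prefix (if any) and base name.
function splitPrefix(name) {
  const prefix = CLIENT_PREFIXES.find((p) => name.startsWith(p)) || null;
  return { prefix, base: prefix ? name.slice(prefix.length) : name };
}

// framework: "next", "vite" (Vite/TanStack Start), or null for a server-only app.
function lintEnv(text, framework = null) {
  const entries = parseEnv(text);
  const names = new Set(entries.map((e) => e.name));
  const wanted = framework ? FRAMEWORK_PREFIX[framework] : null;
  const findings = [];
  for (const { name, line } of entries) {
    const { prefix, base } = splitPrefix(name);
    if (prefix && (SERVER_ONLY.has(base) || SECRET_LIKE.test(base))) {
      // A client prefix makes the bundler inline the value into browser code.
      findings.push({ line, name, rule: "secret-client-exposed",
        fix: `rename to ${base} and read it only in server code` });
    } else if (!prefix && wanted && CLIENT_NEEDED.has(name) && !names.has(wanted + name)) {
      // Unprefixed and no prefixed twin: the browser build will not see it.
      findings.push({ line, name, rule: "public-var-not-exposed",
        fix: `browser code needs ${wanted}${name}` });
    }
  }
  return findings;
}

// Constructed sample, not taken from the repository.
const SAMPLE_ENV = [
  "# frontend .env.local written by an agent that over-applied the prefix hint",
  "STACK_PROJECT_ID=<your-project-id>",
  "NEXT_PUBLIC_STACK_SECRET_SERVER_KEY=<your-secret-server-key>",
].join("\n");

for (const f of lintEnv(SAMPLE_ENV, "next")) {
  console.log(`line ${f.line}: ${f.name}: ${f.rule} (${f.fix})`);
}
```

Run as a CI step over every committed or generated `.env*` template, a non-empty result for `secret-client-exposed` should fail the build.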

@mantrakp04 mantrakp04 merged commit 954ebff into dev May 20, 2026
28 of 35 checks passed
@mantrakp04 mantrakp04 deleted the fix/kim-john-ung-prompt branch May 20, 2026 02:09