Hot Fix for undefined error

.changeset/add-plugin-content-schema-extension.md

@@ -0,0 +1,7 @@
+---
+"@stackwright/types": minor
+---
+
+Add `contentItemSchemas` and `knownContentTypeKeys` to `PrebuildPlugin` interface.
+Add `buildExtendedPageContentSchema()` function for merging OSS and plugin content schemas.
+Add `ValidatePageContentOptions` to `validatePageContent()` for plugin-aware validation.

.changeset/add-pro-content-normalization.md

@@ -0,0 +1,6 @@
+---
+"@stackwright/build-scripts": minor
+---
+
+Add content format normalization (mapping-key YAML format → type-field format) to prebuild pipeline.
+Plugin `contentItemSchemas` and `knownContentTypeKeys` are now applied during page validation.

.changeset/dependabot-batch-updates.md

@@ -0,0 +1,15 @@
+---
+"@stackwright/core": patch
+"@stackwright/icons": patch
+"@stackwright/maplibre": patch
+"@stackwright/nextjs": patch
+"@stackwright/ui-shadcn": patch
+---
+
+chore: consolidate dependabot dependency updates
+
+- `lucide-react`: `^0.525.0` → `^1.8.0` (icons, ui-shadcn) — includes icon rename fixes for v1 API (`CheckCircle` → `CircleCheck`, `Code2`/`Layout` backward-compat aliases)
+- `@swc/core`: `^1.15.18` → `^1.15.26` (core, nextjs)
+- `jsdom`: `^28.1.0` → `^29.0.2` (maplibre)
+- `react-dom`: `19.2.4` → `19.2.5` (pnpm.overrides)
+- `prettier`: `^3.8.1` → `^3.8.3` (devDependencies)

.changeset/feat-188-page-add-content-flag.md

@@ -0,0 +1,7 @@
+---
+"@stackwright/cli": patch
+---
+
+feat(cli): add --content flag to `page add` for inline YAML (#188)
+
+Agents can now create a page with full content in a single command instead of a two-step add + write sequence. Content is validated before writing; invalid YAML is rejected with field-level errors.

.changeset/feat-243-security-headers.md

@@ -0,0 +1,5 @@
+---
+"@stackwright/nextjs": minor
+---
+
+Add security headers (CSP, HSTS, COOP/CORP/COEP) to Next.js integration with customizable configuration

.changeset/fix-352-install-flag-actually-installs.md

@@ -0,0 +1,5 @@
+---
+"@stackwright/cli": patch
+---
+
+fix(cli): --install flag now runs pnpm install before postInstall hooks

.changeset/fix-plugin-config-schema-242.md

@@ -0,0 +1,6 @@
+---
+"@stackwright/types": patch
+"@stackwright/build-scripts": patch
+---
+
+Add configSchema field to PrebuildPlugin for plugin config validation

.changeset/fix-plugin-this-binding.md

@@ -0,0 +1,14 @@
+---
+"@stackwright/build-scripts": patch
+---
+
+fix(executePluginHook): preserve `this` binding when calling plugin lifecycle hooks
+
+`executePluginHook` was extracting hook methods as unbound references
+(`const hookFn = plugin[hook]`) and calling them as plain functions
+(`hookFn(context)`). In strict-mode ES classes, this strips `this`,
+causing any plugin that calls a private/instance method from `beforeBuild`
+or `afterBuild` to throw `Cannot read properties of undefined`.
+
+Fix: use `hookFn.call(plugin, context)` so the plugin instance is always
+the receiver.

.changeset/fix-preinstall-double-run.md

@@ -0,0 +1,18 @@
+---
+"@stackwright/cli": patch
+---
+
+fix(cli): remove duplicate preInstall hook call from processTemplate
+
+`processTemplate()` was calling `runScaffoldHooks('preInstall', ...)` internally,
+then `scaffold.ts` called it again after `processTemplate` returned — running every
+preInstall handler twice. Worse, the second call passed the original empty `{}` object
+(not the built package.json), so hooks registered via `scaffold.ts` could never affect
+the written file.
+
+Fix: lifecycle orchestration now lives entirely in `scaffold.ts`. `buildPackageJson` is
+exported so `scaffold.ts` can build the default package.json before running preInstall
+hooks, then passes the already-hooks-modified object into `processTemplate` for writing.
+`processTemplate` no longer calls hooks.
+
+Fixes #351.

.changeset/grumpy-paws-create.md

@@ -0,0 +1,5 @@
+---
+"@stackwright/core": patch
+---
+
+fix(core): prevent duplicate TopAppBar rendering that caused a double dark-mode toggle icon

.changeset/pre.json

@@ -18,21 +18,31 @@
     "@stackwright/scaffold-core": "0.1.0-alpha.1",
     "@stackwright/themes": "0.5.1-alpha.0",
     "@stackwright/types": "1.1.0-alpha.6",
-    "@stackwright/ui-shadcn": "0.1.0"
+    "@stackwright/ui-shadcn": "0.1.0",
+    "@stackwright/hooks-registry": "0.1.0-alpha.0"
   },
   "changesets": [
     "add-code2-layout-icons",
+    "add-image-dimension-validation",
     "bright-otters-glow",
     "built-in-search-feature",
     "compose-site-atomic",
     "declarative-entry-pages",
+    "dependabot-batch-updates",
     "docs-architecture-principles",
+    "feat-243-security-headers",
+    "feat-env-var-secrets-245",
+    "fix-352-install-flag-actually-installs",
     "fix-cli-scaffold-smoke-test",
     "fix-dark-mode-bugs",
     "fix-dark-mode",
     "fix-icons-architecture-codeblock",
+    "fix-issue-339-icon-theme-tokens",
     "fix-maplibre-lockfile",
+    "fix-plugin-config-schema-242",
+    "fix-preinstall-double-run",
     "fix-unpin-otter-models",
+    "grumpy-paws-create",
     "integrations-config",
     "launch-stackwright-package",
     "map-adapter-phases-1-2",

.github/workflows/accessibility.yml

@@ -55,7 +55,7 @@ jobs:
 
       - name: Parse test results and comment on PR
         if: github.event_name == 'pull_request' && always()
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         continue-on-error: true
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/coverage.yml

@@ -47,7 +47,7 @@ jobs:
 
       - name: Comment PR with coverage
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         continue-on-error: true
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/deploy-docs.yml

@@ -43,7 +43,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install pnpm
-        run: npm install -g pnpm@10.30.3
+        run: npm install -g pnpm@10.33.0
 
       - name: Setup Node.js
         uses: actions/setup-node@v5

.github/workflows/performance.yml

@@ -2,7 +2,7 @@ name: Performance Benchmarks
 
 on:
   pull_request:
-    branches: [main, develop]
+    branches: [main, dev]
   workflow_dispatch:
     inputs:
       run-all:
@@ -27,6 +27,9 @@ jobs:
           build: true
           relink-bins: true
 
+      - name: Install Playwright browsers
+        run: pnpm --filter @stackwright/e2e exec playwright install --with-deps chromium
+
       - name: ⚡ Run build time benchmarks
         id: build-time
         env:
@@ -91,7 +94,7 @@ jobs:
 
       - name: 💬 Comment PR with results
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         continue-on-error: true
         with:
           script: |

.github/workflows/prerelease.yml

@@ -27,7 +27,7 @@ jobs:
         with:
           token: ${{ steps.app-token.outputs.token }}
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v6
         with:
           version: "10.30.3"
 

.github/workflows/release.yml

@@ -35,7 +35,7 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           fetch-depth: 0
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v6
         with:
           version: "10.30.3"
 

.github/workflows/security.yml

@@ -29,9 +29,9 @@ jobs:
           fetch-depth: 0  # Full history for gitleaks
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.21'
+          go-version: '1.24'
 
       - name: Install Gitleaks
         run: go install github.com/gitleaks/gitleaks/v9@latest
@@ -47,9 +47,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8
+        uses: pnpm/action-setup@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -71,9 +69,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8
+        uses: pnpm/action-setup@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -95,7 +91,7 @@ jobs:
 
       - name: Upload Semgrep SARIF
         if: always() && -f semgrep.sarif
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: semgrep.sarif
           category: semgrep

.github/workflows/visual-regression.yml

@@ -63,7 +63,7 @@ jobs:
 
       - name: Comment PR with results
         if: always() && github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

CLAUDE.md

@@ -325,6 +325,17 @@ Core components (`packages/core/src/components/`) use **inline `style={{}}` prop
 - For flex layouts that must stack on mobile, use `flexWrap: 'wrap'` with a `minWidth` on children to control the wrap breakpoint. Use `minWidth: 'min(Xpx, 100%)'` to prevent overflow on very narrow viewports.
 - For text that may overflow on narrow viewports (emails, URLs, long strings), add `wordBreak: 'break-word'` or `wordBreak: 'break-all'` as appropriate.
 
+### Security Headers
+
+Stackwright projects should implement security headers for defense in depth. See [docs/CSP-BEST-PRACTICES.md](./docs/CSP-BEST-PRACTICES.md) for:
+- Complete `next.config.js` CSP configuration
+- Next.js App Router (middleware.ts) patterns
+- Google Fonts-specific directives
+- Permissions-Policy recommendations
+- Common gotchas and testing strategies
+
+Quick reference snippet: [docs/snippets/CSP-QUICK-REF.js](./docs/snippets/CSP-QUICK-REF.js)
+
 ### Image Co-location Pipeline
 
 Images can be co-located with their page YAML files in `pages/`. Using a relative path starting with `./` in YAML (e.g., `src: ./hero-image.png`) triggers automatic processing during the prebuild step:

CONTRIBUTING.md

@@ -146,7 +146,7 @@ Good commit points:
 - After adding a new module or file that compiles/passes lint
 - After wiring up a new feature end-to-end (even before tests)
 - After adding or updating tests for the feature
-- After updating docs, ROADMAP.md, or changesets
+- After updating docs or changesets
 - Before and after a refactor that touches many files
 
 Commit messages should be concise and use conventional commit prefixes (`feat:`, `fix:`, `refactor:`, `test:`, `docs:`, `chore:`). Include the issue number when relevant (e.g., `feat(build-scripts): add --watch mode (#122)`).
@@ -266,7 +266,7 @@ The AGENTS.md tables are auto-generated from the live Zod schemas. Do NOT edit t
 
 ## Priority Labels & Product Board
 
-Work is tracked via GitHub Issues with priority labels. `ROADMAP.md` is a narrative document describing architectural direction — not a task tracker.
+Work is tracked via GitHub Issues with priority labels. GitHub Issues are the single source of truth for planned work — run `pnpm stackwright -- board` to see the prioritized board.
 
 | Label | Meaning |
 |-------|--------|
@@ -286,7 +286,7 @@ pnpm stackwright -- board --json
 
 Agents can call `stackwright_get_board` via MCP for the same data.
 
-The architect sets priority tiers. Contributors and agents should pick work from `priority:now` first, then `priority:next`. When a PR closes an issue, GitHub handles it automatically — no manual ROADMAP.md updates needed.
+The architect sets priority tiers. Contributors and agents should pick work from `priority:now` first, then `priority:next`. When a PR closes an issue, GitHub handles it automatically.
 
 ## Package Structure
 

PHILOSOPHY.md

@@ -4,7 +4,7 @@ This document captures the product intent and architectural principles behind St
 
 Stackwright's one-sentence thesis: **Visual rendering + constrained DSL + AI iteration = non-technical people building enterprise apps that are safe by construction.**
 
-[CONTRIBUTING.md](./CONTRIBUTING.md) tells you how to work in this repo. [ROADMAP.md](./ROADMAP.md) tells you what to build next. This document tells you what Stackwright is and why it is built the way it is.
+[CONTRIBUTING.md](./CONTRIBUTING.md) tells you how to work in this repo. For the live list of what's being worked on, run `pnpm stackwright -- board` or see the [GitHub Issues](https://github.com/Per-Aspera-LLC/stackwright/issues). This document tells you what Stackwright is and why it is built the way it is.
 
 ---
 
@@ -269,4 +269,3 @@ For contributors and agents making implementation decisions:
 5. **Agent-facing docs are part of the build.** The content type reference tables in AGENTS.md must be kept in sync with the TypeScript types. This is as important as keeping the JSON schemas in sync. Stale agent docs produce exactly the same class of bugs as stale type definitions.
 
 6. **Constrain first, extend later — in the free tier.** When in doubt about whether to add a new content type or field to `@stackwright/core`, wait. The cost of adding something is low; the cost of maintaining it, keeping it in the schema reference, making it agent-writable, and eventually removing it is high. The right answer to "I need something the core schema doesn't support" is either a developer-written React component or a pro component package — not a core schema extension. This principle does not apply to pro packages, which exist specifically to serve specialized use cases.
-t support" is either a developer-written React component or a pro component package — not a core schema extension. This principle does not apply to pro packages, which exist specifically to serve specialized use cases.