Docs SPA migration, portal theming, onboarding, nav toolbars, and backend hardening

[leoisadev1]

Overview

Batches several independent workstreams on top of the original managed reverse-proxy change (this is the accumulated feature branch for production).

Docs site → TanStack Start SPA

• Migrate apps/fumadocs from the Next.js App Router to a TanStack Start SPA (Vite + Nitro for server-only routes: search, sitemap, llms, schemas).
• Remove the Next.js app/, PostCSS, and proxy.ts; add file-based routes under src/routes/.
• New docs content for Changelog, Feedback, and Roadmap.

Portal theming

• Four built-in presets (Amend, Cobalt, T3 Chat, Amber) plus a custom shadcn/tweakcn CSS paste mode with live preview and token-count feedback.
• Custom CSS is parsed through a strict APPLIED_TOKENS allowlist and applied via React inline style props only (no dangerouslySetInnerHTML); block comments and @media/@supports/@container wrappers are stripped before matching :root/.dark.
• customThemeCss capped at 50k chars server-side.

Dashboard onboarding + navigation

• New-user onboarding flow + per-project getting-started checklist (resets per project).
• Per-page sub-nav moved into top toolbars (dashboard, changelog, feedback, roadmap).
• Centralized Hugeicons wrapper (@/lib/icons); shared useDisclosureTransition motion hook.

Home redesign

• Rebuilt hero (static asset) and sections; removed the particle hero and memory/product sections; added a connect section.

Backend security hardening

• requiresApiToken is now fail-secure in production even when AMEND_API_TOKEN is absent; new requiresGetApiToken guards sensitive GET endpoints.
• HTTP actions call internal trusted* mutation variants (separating API-token auth from dashboard-session auth).
• verifyGitHubWebhookSignature rejects unsigned requests in production. New security-regressions.test.ts locks these in.

PostHog managed reverse proxy (original change)

• Browser SDK points at https://a.amend.sh to dodge ad-blocker drops; analyticsPath() strips query/hash from pageview URLs.

⚠️ Deployment note

verifyGitHubWebhookSignature is now fail-secure: a production workspace with GitHub connected but no GITHUB_WEBHOOK_SECRET will start rejecting inbound webhooks (401) after deploy. Provision GITHUB_WEBHOOK_SECRET in the production Convex environment before/with this deploy.

Validation

bun run check passes locally: lint, format, types, repo hygiene, source size, 109 tests. Reviewed across 6 local Greptile passes; all actionable findings fixed.

---

Created with PostHog Code

[greptile-apps]

Greptile Summary

This is a large accumulation PR covering five workstreams: a full TanStack Start SPA migration for the docs app (removing Next.js App Router), portal theming with four presets and a sandboxed custom CSS paste mode, dashboard onboarding, a home page redesign, and—most critically—backend security hardening plus the PostHog managed reverse proxy.

• Security hardening (the highest-risk area): requiresApiToken and a new requiresGetApiToken are now fail-secure in production when AMEND_API_TOKEN is absent; verifyGitHubWebhookSignature rejects unsigned requests outside local dev; HTTP actions now call internalMutation trusted* variants, correctly separating API-token auth from dashboard-session auth. All behavior is pinned by new regression tests.
• Portal theming: Custom CSS is parsed through a strict APPLIED_TOKENS allowlist and applied exclusively via React inline style props — no dangerouslySetInnerHTML. The 50k-char server-side cap prevents unbounded storage. The approach is safe.
• Docs migration: All Next.js App Router files are removed and replaced with TanStack Start file-based routes; server-only surfaces (search, sitemap, llms, schemas) are retained.

Confidence Score: 5/5

Safe to merge with the deployment prerequisite actioned first: provision GITHUB_WEBHOOK_SECRET before deploying to avoid webhooks being rejected.

The security hardening changes are correct, well-tested, and well-structured. The trusted/public mutation split cleanly separates the two auth paths. Portal theming is sandboxed via an allowlist and React inline styles only. The two observations raised are both style-level: a missing useMemo in the settings panel and a silent no-op for var() references in custom CSS.

No files require special attention beyond the deployment prerequisite (GITHUB_WEBHOOK_SECRET) called out in the PR description.

Important Files Changed

Filename	Overview
packages/backend/convex/httpRuntimeAuth.ts	Core security hardening: requiresApiToken now fail-secure in production, new requiresGetApiToken for sensitive GETs, requiresOwnerApiToken gates on SITE_URL to allow token-free local dev
packages/backend/convex/signatures.ts	verifyGitHubWebhookSignature now rejects unsigned requests in production via allowUnsigned option; correctly gates on isLocalAuthSiteUrl
packages/backend/convex/amend.ts	Adds internalMutation variants (trustedXxx) for all HTTP-action-callable mutations, separating API-token auth from dashboard-session auth
apps/web/src/lib/portal-themes.ts	New portal theming library: four presets, APPLIED_TOKENS allowlist, parseThemeCss parser strips comments and at-rule wrappers, portalThemeStyleVars applies tokens as React inline styles
apps/web/src/components/settings-workspace-portal-panel.tsx	Portal theme settings UI with preset swatches, custom CSS textarea, and live preview; parseThemeCss is called in the render body without useMemo
scripts/security-regressions.test.ts	New regression test suite locking in fail-secure auth behavior; covers GET token requirement, local dev bypass, production write auth, and analytics path stripping
packages/backend/convex/httpRestGet.ts	Adds requiresGetApiToken guard for sensitive GET resources (agent-runs, settings, projects, etc.) before dispatching to resource handlers
packages/backend/convex/amendSourceIngest.ts	Splits ingestSourceEventHandler into public (requires dashboard user) and trustedIngestSourceEventHandler (for HTTP actions with API token), correct separation of auth boundaries
packages/backend/convex/schemaWorkspaceCoreTables.ts	Adds customThemeCss, themeAppearance, and themePreset to portalSettings schema; all optional, backward-compatible
apps/web/src/components/settings-workspace-controller-state.ts	Adds theme form state (themePreset, themeAppearance, customThemeCss) with proper initialization from workspace and useEffect sync; dependencies correctly tracked
packages/backend/convex/amendWorkspaceSettingsMutationHandlers.ts	50k char cap on customThemeCss enforced server-side; themePreset stored as unvalidated string (relies on client/preset lookup for resolution)

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[HTTP Action\nrestGet / restPost] --> B{requiresGetApiToken\nor requiresApiToken?}
    B -- "No (public resource)" --> C[Execute handler directly]
    B -- "Yes (protected resource)" --> D[verifyApiToken]
    D -- "AMEND_API_TOKEN absent\n+ non-local SITE_URL" --> E["401\nMissing token config"]
    D -- "Token present\nbut wrong" --> F["401\nInvalid token"]
    D -- "Token OK" --> G{Which action?}
    G -- "source-events / changelog\n/ roadmap / deliveries..." --> H[ctx.runMutation\ninternal.amend.trustedXxx\ninternalMutation - no re-auth]
    G -- "public mutation path" --> I[api.amend.xxx\nmutation - requires dashboard user]

    J[GitHub Webhook] --> K[verifyGitHubSignature]
    K -- "No secret\n+ production SITE_URL" --> L["401\nMissing webhook secret"]
    K -- "No secret\n+ local SITE_URL" --> M[allowUnsigned = true\npass through]
    K -- "Secret present" --> N[HMAC verify]
    N -- "OK" --> H

Loading

_{Reviews (3): Last reviewed commit: "fix(fumadocs): declare tailwind-merge de..." | Re-trigger Greptile}

[greptile-apps]

$current_url now receives a bare pathname (e.g. /dashboard) instead of a full absolute URL. analyticsPath returns only url.pathname, stripping the origin. PostHog uses $current_url for URL-based insights, funnels, and session replay; a relative path breaks all URL-pattern filtering in the dashboard. The path custom property carries the stripped pathname already, so $current_url should still include the origin. Score: 4/5 confident this is a real regression.

Suggested change

	posthog.capture("$pageview", {
	$current_url: window.location.href,
	path,
	$current_url: analyticsPath(window.location.href),
	path: safePath,
	});
	posthog.capture("$pageview", {
	$current_url: `${window.location.origin}${safePath}`,
	path: safePath,
	});

[greptile-apps]

api_host still reads VITE_POSTHOG_HOST from env (allowing overrides), but ui_host is always hardcoded to https://us.posthog.com. If a developer or CI environment sets VITE_POSTHOG_HOST to an EU-region proxy, the toolbar and PostHog app links will still route to the US region, causing broken toolbar sessions or mismatched project lookups. Consider deriving ui_host from the region implied by VITE_POSTHOG_HOST or documenting that only US-region is supported. Score: 2/5 — unlikely to affect most users but a real inconsistency for EU-region overrides.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!