Research Log

Major SDK decisions verified before Week 1 implementation.

Date	Source	Version / Topic	Implementation implication	Plan status
2026-06-16	Context7 `/composiohq/composio`, npm registry (`@composio/vercel`, `@composio/mastra`), Vercel AI SDK v6 `tool()` spec, codebase `packages/agent-core/src/mastra/tools/composio-tool.ts`	`@composio/core` pin + the `@composio/vercel` "equivalence" claim	`@composio/core` is now pinned at 0.10.0 (was 0.8.1; `pnpm-workspace.yaml:17` was already correct, docs had drifted). `@composio/vercel` is a real, maintained, separate package (peer-deps `@composio/core` + `ai ^5\|\|^6`) whose `VercelProvider` wraps each action into a Vercel AI SDK `tool()` (`ToolSet`) and auto-executes via the SDK loop; `@composio/mastra` (`MastraProvider`) is the canonical Mastra provider. Both are additive (sit on top of `@composio/core`) and not equivalent to our usage: we call `@composio/core`'s `tools.get`/`tools.execute` directly with no provider (so the SDK's silent default `OpenAIProvider` is irrelevant), wrapped in two Mastra `createTool` meta-tools. The prior note that "`@composio/core` via Mastra is equivalent to `@composio/vercel` — no new dep" had the right conclusion (no new dep) but wrong framing (Mastra does not integrate Composio for us; "equivalent" is false).	KEEP the 2-meta-tool pattern; do not adopt `@composio/vercel`/`@composio/mastra` (they would expand to N eager tools, bind a `Composio` at construction, and defeat the lazy-import startup-CPU mitigation + per-request BYOK/quota control). plan.md §4 catalog + §25, CLAUDE.md, AGENTS.md updated 0.8.1→0.10.0.
2026-05-28	Context7 `/vercel/ai`, Context7 `/browserbase/stagehand`, Firecrawl scrape of official Gemini pricing, npm registry	Google/Gemini BYOK runtime support	Current AI SDK docs use `@ai-sdk/google` and `createGoogle(...)` / `google("gemini-2.5-flash")`; Stagehand v3 docs support `model: "google/gemini-2.5-flash"` with `GOOGLE_GENERATIVE_AI_API_KEY`. npm reports latest stable `@ai-sdk/google@3.0.80`, depending on provider v3 utilities compatible with AI SDK v6. Official Gemini pricing lists `gemini-2.5-flash` paid-tier pricing at `$0.30 / MTok` input and `$2.50 / MTok` output.	Confirms the existing `google` BYOK provider should be wired into agent model selection, budget estimation, and Stagehand browser credentials instead of remaining validation-only; `plan.md` Section 4 and catalog updated.
2026-05-28	Context7 `/vercel/ai`, Context7 `/mastra-ai/mastra`, npm registry	AI SDK v6 peer alignment with Mastra 1.35	Current AI SDK docs still use `@ai-sdk/react` with `DefaultChatTransport` from `ai`, and Mastra docs require `toAISdkStream(..., { version: "v6" })` for AI SDK v6 streams. `@mastra/core@1.35.0` depends on `chat@^4.24.0`; current resolution `chat@4.29.0` peers `ai@^6.0.182`, and `@ai-sdk/react@3.0.184` depends on exactly `ai@6.0.182`.	Contradicted prior `ai@6.0.84` / `@ai-sdk/react@3.0.86` pins; `plan.md` Section 4 and the catalog were updated before continuing.
2026-05-26	npm registry	`remend@0.3.2` unavailable; `remend@1.3.0` current	Lockfile sync failed because the plan-pinned `remend@0.3.2` no longer exists in the npm registry. `streamdown@2.5.0` declares `remend@1.3.0`, and `pnpm view remend version` reports `1.3.0`; Section 4 and the catalog were updated before implementation continued.	Contradicted plan; updated plan/catalog to `remend@1.3.0`.
2026-05-26	Context7 `/47ng/nuqs`	Nuqs 2.x App Router adapter + URL state	Confirmed `NuqsAdapter` from `nuqs/adapters/next/app`, `useQueryState(s)`, built-in parsers, `.withDefault(...)`, and `history`/`shallow` options. `apps/web` now installs the adapter and uses `useQueryStates` for `/projects` launch/query state instead of hand-rolled search-param mutation.	Confirms plan Section 10 URL-state requirement.
2026-05-26	Context7 `/react-hook-form/react-hook-form` + `/react-hook-form/resolvers`	React Hook Form 7 + Zod resolver	Confirmed `useForm`, `handleSubmit`, `register`, and `zodResolver(schema)` TypeScript setup. `ProviderKeysPanel` uses RHF+Zod for the BYOK provider-key form.	Confirms plan Section 10 form-state split for complex forms.
2026-05-26	Context7 `/amannn/next-intl`	next-intl 4 App Router without locale routing	Confirmed `getRequestConfig`, `NextIntlClientProvider`, and `createNextIntlPlugin(customRequestPath)`. `apps/web` ships English-only `next-intl` wiring without locale routes.	Confirms plan Section 10.12.
2026-05-26	Context7 `/uwdata/arquero`	Arquero 8 CSV/table APIs	Confirmed ESM imports, `fromCSV(input, { delimiter, autoType })` for CSV text parsing, table metadata (`columnNames`, `numRows`), and `objects()` conversion. `packages/tools-data` parses CSV with Arquero and normalizes records before profiling/export.	Confirms plan Sections 11 and 25.
2026-05-26	Context7 `/recharts/recharts/v3_2_1`	Recharts 3.2.1 static chart components	Confirmed `BarChart`, `LineChart`, `AreaChart`, `XAxis`, `YAxis`, `CartesianGrid`, `Tooltip`, and `Legend` APIs with explicit `width`/`height` examples. `data_chart` renders fixed-size Recharts output in the Blaxel sandbox SSR runtime, not `ResponsiveContainer`, because static output needs concrete dimensions.	Confirms plan Recharts SSR constraint; sandbox image updated with pinned `react-dom`, `recharts`, and `arquero`.
2026-05-20	npm registry	`@cloudflare/workers-types@4.20260426.0`	Pin was unavailable. Nearest same-day published pin is `4.20260426.1`.	Contradicted plan; `plan.md` Section 4 updated.
2026-05-20	npm registry	`pg@8.21.0`, `@types/pg@8.20.0`	`pg` is required by the plan's Hyperdrive + Drizzle `node-postgres` path but was missing from the catalog.	Contradicted plan omission; `plan.md` Section 4 updated.
2026-05-20	npm registry	`@types/node@22.19.19`, `@types/react@19.2.15`, `@types/react-dom@19.2.3`	`apps/web/tsconfig` uses Node types and React JSX compilation needs React DOM type packages.	Contradicted plan omission; `plan.md` Section 4 updated.
2026-05-20	npm registry	`@ai-sdk/react@2.0.84` vs `@ai-sdk/react@3.0.86`	`@ai-sdk/react@2.0.84` embeds `ai@5.0.84`, causing duplicate `UIMessage` types. `@ai-sdk/react@3.0.86` embeds `ai@6.0.84`.	Contradicted plan; `plan.md` Section 4 updated to `3.0.86`.
2026-05-20	Context7 `/vercel/next.js/v16.2.2`	Next.js 16 proxy	`middleware.ts` is deprecated; use root `proxy.ts` with exported proxy function/config in vanilla Next.js 16.	Superseded for this Cloudflare target by the 2026-05-22 and 2026-05-25 OpenNext findings: OpenNext 1.19.11 still requires Edge Middleware for the Clerk gate.
2026-05-20	Context7 `/vercel/next.js/v16.2.2`	Next.js 16 lint command	`next lint` was removed in Next.js 16; use Biome or ESLint CLI directly. `apps/web` lint script uses the repo Biome gate.	Confirms plan Section 21 single Biome gate; implementation adjusted.
2026-05-20	Context7 `/vercel/next.js/v16.2.2`	Cache Components + request data	Runtime APIs such as cookies/auth must be read inside components wrapped by `<Suspense>`; root shells should stay static.	Confirms plan Section 10 streaming-first UI.
2026-05-20	Context7 `/clerk/clerk-docs`	Clerk Next.js App Router	Use `ClerkProvider`, `clerkMiddleware`, `createRouteMatcher`, `useAuth().getToken()`, and backend `verifyToken()`.	Confirms plan Sections 10 and 14.
2026-05-20	Context7 `/clerk/clerk-docs`	Clerk + Next.js 16 Cache Components	`ClerkProvider` must be inside `<body>` when `cacheComponents: true`; keyless/dynamic auth reads need a `<Suspense>` boundary.	Confirms plan Section 10 layout pattern; implementation adjusted.
2026-05-20	Context7 `/vercel/ai`	AI SDK v6 `DefaultChatTransport`	`prepareSendMessagesRequest` is the right hook to map `useChat` payloads to the gateway contract.	Confirms plan Sections 10.6 and 23.5.
2026-05-20	Context7 `/vercel/ai` + installed `ai@6.0.84` source	AI SDK v6 UI message streams	`DefaultChatTransport` parses JSON SSE events into `UIMessageChunk`s. `createUIMessageStreamResponse()` wraps chunks as `data: <json>\n\n`, appends `data: [DONE]\n\n`, and sets `x-vercel-ai-ui-message-stream: v1`.	Confirms plan Sections 10.6 and 23.5; agent-worker switched to the official helper.
2026-05-20	npm registry + Context7 `/mastra-ai/mastra`	Mastra latest stable `@mastra/core@1.35.0`	`pnpm view @mastra/core version` reports `1.35.0` as the latest stable dist-tag. Latest docs use `RequestContext` from `@mastra/core/request-context`, pass it via `{ requestContext }`, and tools read `context.requestContext`; v1 renamed `RuntimeContext` to `RequestContext`.	Confirms plan Section 4 pin and Section 8 tool context pattern; agent-core executes `runCode` through Mastra tool context.
2026-05-20	npm registry + Context7 `/vercel/streamdown`	Streamdown latest stable `2.5.0`	`pnpm view streamdown version` reports `2.5.0`; latest docs import `{ Streamdown }` from `streamdown` and render streamed markdown as children.	Confirms plan Section 4 pin and Section 10.6/10.8 response rendering path.
2026-05-20	npm registry + Context7 Cloudflare Workers docs	`@cloudflare/vitest-pool-workers@0.16.7`	`pnpm view @cloudflare/vitest-pool-workers version` reports `0.16.7`; latest docs use `cloudflareTest({ wrangler: { configPath } })`, `cloudflare:workers` `env`, and `cloudflare:test` helpers for Worker-runtime tests.	Confirms plan Section 4 pin; no test runner migration was needed for this small pure-helper coverage increment.
2026-05-20	Firecrawl scrape of official Cloudflare Containers/Sandbox docs	Containers local dev + Sandbox port exposure	Latest docs require Dockerfile `EXPOSE` directives for ports used in local `wrangler dev`; Sandbox docs mark port 3000 as reserved by the internal Bun server.	Contradicted plan Section 9.3; `plan.md` updated to use 5173/8080/8000 and Dockerfile `EXPOSE 5173 8000 8080 6080`.
2026-05-20	npm registry + local Wrangler runtime error	Wrangler latest stable `4.93.0`	`pnpm view wrangler version` reports `4.93.0`. Pinned `4.86.0` refused local dev for compatibility date `2026-05-20` because its bundled runtime only supports through `2026-05-03`.	Contradicted plan Section 4; `plan.md` and catalog updated to `wrangler@4.93.0`.
2026-05-20	npm registry + `wrangler@4.93.0` peer metadata	`@cloudflare/workers-types@4.20260520.1`	`pnpm view @cloudflare/workers-types version` reports `4.20260520.1`; Wrangler 4.93 requires `@cloudflare/workers-types@^4.20260518.1`.	Contradicted prior catalog update; `plan.md` and catalog aligned to the latest same-day Workers types.
2026-05-20	Context7 `/cloudflare/sandbox-sdk`	`@cloudflare/sandbox@0.9.x`	`getSandbox`, `runCode`, `exec`, `exposePort`, `createBackup`, and full `DirectoryBackup` restore handles match the plan.	Confirms plan Section 9.
2026-05-20	Context7 `/cloudflare/sandbox-sdk` + Docker manifest/local container smoke	Sandbox container runtime	`@cloudflare/sandbox-runtime@0.9.3` is not a published npm package. The runtime must copy the full `/container-server` tree from `cloudflare/sandbox:0.9.3-python`; the non-Python image omits `ipython_executor.py` and copying only the binary omits JavaScript executors.	Contradicted plan; `plan.md` Section 9 and the sandbox Dockerfile updated.
2026-05-20	PyPI index + local container smoke	`ipython==9.13.0`	The Sandbox SDK Python executor imports `IPython.core.interactiveshell` at startup. `python3` alone is insufficient; missing IPython causes context creation to exit before `runCode`.	Contradicted sandbox requirements omission; `plan.md` Section 9 and `infra/containers/sandbox/requirements.txt` updated.
2026-05-20	Context7 Cloudflare Workers docs	Hyperdrive + node-postgres	Workers need `nodejs_compat`; examples use `pg` Client with `env.HYPERDRIVE.connectionString`.	Confirms plan Section 7.3 and catalog addition.
2026-05-20	Context7 Cloudflare Workers docs	Wrangler multi-Worker local dev	Latest docs run service-bound Workers with one `wrangler dev -c primary -c auxiliary` command. The first config is exposed over HTTP; later configs are reachable through local service bindings.	Confirms Week 1 gateway-to-agent smoke approach.
2026-05-20	Context7 Cloudflare Workers docs + local smoke	Durable Object SQLite optional rows	`sql.exec(...).one()` is for required rows; the rate limiter's first token-bucket lookup must use `toArray()[0]` because a new bucket has no existing row.	Implementation adjusted in `apps/gateway-worker/src/durable-objects/rate-limiter.ts`.
2026-05-20	Context7 Drizzle docs + local `drizzle-kit generate`	Drizzle generation scope	Latest docs describe `tablesFilter` for DB-object management, but generated SQL follows the exported schema file. To keep raw-SQL-only partitioned `audit_log` out of Drizzle migrations, `drizzle.config.ts` points at a generation-only schema barrel that omits `auditLog`.	Contradicted plan wording; `plan.md` Section 7.10 and `packages/db/drizzle.config.ts` updated.
2026-05-20	PostgreSQL current official docs via Firecrawl	`uuidv7()` generation	PostgreSQL 18 current docs list native `uuidv7()` generation. Generated Drizzle migrations use schema-qualified `public.uuidv7()` defaults so logical restores and strict search paths can resolve the function.	Confirms compatibility with PostgreSQL current; Supabase-hosted project version still needs environment-level verification before applying migrations.
2026-05-20	Context7 Cloudflare Workers docs	Hyperdrive Worker binding	Latest docs configure Hyperdrive in `wrangler.jsonc` with `hyperdrive: [{ binding: "HYPERDRIVE", id, localConnectionString }]` and `nodejs_compat`.	Confirms Worker binding shape; gateway and agent Worker configs now include explicit Hyperdrive bindings with placeholder IDs to replace after `wrangler hyperdrive create`.
2026-05-20	Context7 `/websites/hono_dev`	Hono latest error handling	Current docs use `app.onError((err, c) => Response)` to catch thrown route errors globally.	Confirms gateway and agent Worker route errors must be handled at the Hono app layer, not only by the outer Worker `fetch` wrapper.
2026-05-20	Supabase docs MCP	Supabase CLI local development	Current docs use committed `supabase/config.toml`, `supabase init`, and `supabase start` for local stack setup; config is safe to commit while secrets stay in `.env`.	Confirms plan Section 27.8 local Supabase workflow; root config now pins Postgres 18 and disables unused Supabase Realtime/Storage/Edge Runtime/Analytics surfaces.
2026-05-20	npm registry + local Supabase CLI check	`supabase@2.100.1`	The installed Homebrew CLI `2.90.0` rejects `db.major_version = 18`; latest npm CLI is `2.100.1`.	Contradicted unpinned local tooling assumption; `plan.md` Section 4 and the workspace catalog now pin the Supabase CLI.
2026-05-20	`supabase@2.100.1` local CLI runtime	Postgres local major version	Latest pinned CLI still rejects `db.major_version = 18`, while plan schema requires `uuidv7()`.	Contradicted exact-local-PG18 assumption; plan now keeps production PG18 and uses local PG17 with a pre-migration `uuidv7()` compatibility function.
2026-05-20	Context7 `/cloudflare/sandbox-sdk` + official Cloudflare Sandbox docs + installed `@cloudflare/sandbox@0.9.3` source	Sandbox IDs and `normalizeId`	Latest docs recommend lower-case IDs with `normalizeId: true`; installed SDK enforces 1-63 character IDs.	Contradicted JSON-derived tenant sandbox names; agent-worker now derives stable `cc-<48 hex>` sandbox IDs and plan Section 24.3 is updated.
2026-05-20	Context7 `/clerk/clerk-docs` + installed `@clerk/backend@3.4.9` source	Clerk webhook verification	Latest docs use `verifyWebhook` from `@clerk/backend/webhooks` with `CLERK_WEBHOOK_SIGNING_SECRET`; installed 3.4.9 exports that path and accepts `signingSecret`.	Confirms plan auth provider; webhooks-worker verifies Svix/Standard Webhooks signatures and syncs `user.created`, `user.updated`, and `user.deleted`.
2026-05-20	Supabase docs MCP	Supabase CLI in CI/local development	Current docs say the CLI can run the full Supabase stack locally or in CI, with committed `supabase/config.toml`, `supabase start`, and local DB URL `postgresql://postgres:postgres@localhost:54322/postgres`.	Confirms CI migration smoke should start local Supabase and run the repo's single `scripts/migrate.ts --apply` runner against the fresh local DB.
2026-05-20	Firecrawl scrape of official Cloudflare Workers and Secrets Store docs + local `wrangler@4.93.0 --help`	Wrangler deploy + Secrets Store commands	Current Wrangler deploy supports `--config`, `--dry-run`, `--strict`, `--secrets-file`, and `--containers-rollout`. Current Secrets Store creation is `wrangler secrets-store secret create <STORE_ID> --name <SECRET_NAME> --scopes workers --remote`; docs warn that `--value` is testing-only because it leaves secret material in shell history.	Contradicted plan Section 14.3/18.1 command examples; `plan.md` and operational scripts now use the current positional store ID + `--name` form and avoid printing or command-line passing secret values.
2026-05-20	Context7 `/vercel/next.js/v16.2.2` + installed Next 16.2 types	PWA manifest metadata	Official Next docs show `app/manifest.ts` returning `MetadataRoute.Manifest`; installed types accept one icon `purpose` token per icon, not the combined web-manifest string.	Contradicted plan Section 10.8 sample; `plan.md` and `apps/web/src/app/manifest.ts` now emit separate `any` and `maskable` icon entries.
2026-05-21	Context7 `/cloudflare/sandbox-sdk` + installed `@cloudflare/sandbox@0.9.3` types	Sandbox Worker binding and `runCode` API	Latest docs export the SDK `Sandbox` class for the raw container binding, use `getSandbox(namespace, id, { normalizeId })`, keep `proxyToSandbox` at the top of fetch, and call `runCode(code, options)`.	Confirms plan Section 24.3 wrapper direction; `ProjectSandbox` now wraps the raw SDK binding instead of letting `AgentRun` call it directly.
2026-05-21	Context7 `/clerk/javascript` + installed `@clerk/backend@3.4.9` types	Clerk backend user lookup	Latest docs use `createClerkClient({ secretKey })` and `client.users.getUser(userId)`; installed types expose `primaryEmailAddress`, `primaryEmailAddressId`, and `emailAddresses`.	Confirms a safe first-request gateway fallback for local auth when Clerk webhooks have not synced the user yet; webhook sync remains primary.
2026-05-21	Context7 `/websites/developers_cloudflare_workers`	Wrangler local secrets and environment bindings	Current docs say `.dev.vars` / `.env` files provide local secrets, environment-specific bindings are not inherited, and Secrets Store bindings are configured in Wrangler for deployment.	Confirms local dev should avoid production-only Secrets Store placeholder bindings so `.dev.vars` can supply `CLERK_SECRET_KEY`; `scripts/dev.ts` now writes ignored local config copies for `wrangler dev`.
2026-05-21	Context7 `/cloudflare/sandbox-sdk` + installed `@cloudflare/sandbox@0.9.3` types	Sandbox command, file, preview, and backup APIs	Current docs/types show raw `sandbox.exec(commandString, opts)` and `sandbox.startProcess(commandString, opts)`, plus `readFile`, `writeFile`, `listFiles`, `exposePort(port, opts)`, `createBackup(opts)`, and `restoreBackup(DirectoryBackup)`.	Contradicted plan wording that raw `sandbox.exec` accepted `string[]`; `ProjectSandbox` keeps argv arrays at the app/tool boundary and centrally shell-quotes before calling the raw SDK.
2026-05-21	Context7 `/vercel/next.js/v16.2.2` + npm registry	`create-next-app@16.2.6`	Next docs show `pnpm create next-app@latest my-app --yes` / `npx create-next-app@latest my-app --yes`; defaults include TypeScript, Tailwind, ESLint, App Router, and Turbopack, and the CLI supports `--use-pnpm`. `pnpm view create-next-app@16.2.6 version` returns `16.2.6`.	Confirms Week 2 should invoke pinned `create-next-app@16.2.6` rather than floating `latest`; implementation uses the pinned CLI and explicit defaults.
2026-05-21	Context7 `/tailwindlabs/tailwindcss.com` + npm registry	Tailwind CSS 4.3 Next.js/PostCSS setup	Current Tailwind v4 docs require `@tailwindcss/postcss` in `postcss.config.mjs` for frameworks with PostCSS such as Next.js. `pnpm view @tailwindcss/postcss@4.3.0 version`, `tw-animate-css@1.4.0`, `tailwind-scrollbar@4.0.2`, and `tailwind-scrollbar-hide@4.0.0` all resolve.	Contradicted plan omission; `plan.md` Section 4/10 and the catalog now include V1 UI stylesheet support packages.
2026-05-21	Context7 `/websites/lucide_dev` + npm registry	`lucide-react@1.16.0`	Current Lucide React docs import individual icon components from `lucide-react`; `pnpm view lucide-react version` reports `1.16.0`.	Confirms plan Section 10 bundle hygiene note and fixes Section 4 catalog omission; `apps/web` imports icons through `@/components/ui/icons`.
2026-05-21	Context7 `/vercel/next.js/v16.2.2`	`create-next-app` advanced options	Current Next.js 16 docs list `--skip-install`, `--disable-git`, and `--yes`.	Confirms Week 2 can run the pinned scaffold command without blocking inside its implicit package install; dependency install now runs as a separate bounded sandbox command with offline-cache preference.
2026-05-21	Context7 `/cloudflare/workers-sdk` + local Wrangler smoke	Wrangler local upstream host behavior	Current Miniflare docs mention original upstream host headers, but combined multi-Worker Wrangler dev normalized preview requests to the gateway host in this setup.	Does not contradict plan; production preview host routing remains unchanged. Local dev now uses an explicit `/__sandbox/<encoded-host>/...` gateway proxy path and preview-host cookie for Next asset requests.
2026-05-21	Context7 `/websites/hono_dev`	Hono CORS callback	Current Hono docs use CORS origin callbacks with `(origin, c)` so handlers can inspect request context.	Confirms the gateway CORS implementation can keep strict origin validation while allowing local preview proxy responses through the same Hono app.
2026-05-21	Context7 `/cloudflare/sandbox-sdk` + installed `@cloudflare/sandbox@0.9.3` runtime source	Sandbox backup work directory	Current docs/types support `createBackup({ dir, name, ttl, gitignore, excludes, localBucket })`; installed runtime writes squashfs archives and exclude pattern files under `/var/backups`.	Confirms the custom unprivileged sandbox image must chown `/var/backups` before `USER node`; Dockerfile and plan Section 9.1 updated.
2026-05-22	Context7 `/websites/developers_cloudflare_workers` + Firecrawl scrape of official Cloudflare Containers docs	Cloudflare Containers production availability	Official Containers docs mark Containers as available on Workers Paid plan; Wrangler 4.93.0 currently returns "Unauthorized... requires the Workers Paid plan" for account `3df53222e2ab5e0b28b8394bfdcb23a9`.	Confirms plan architecture; production hosted sandboxes are blocked until the Cloudflare account has Workers Paid/Containers access.
2026-05-22	Context7 `/cloudflare/sandbox-sdk`	Sandbox production backups	Current Sandbox docs use `getSandbox(env.Sandbox, id)`, `proxyToSandbox`, `createBackup`, `restoreBackup`, and R2-backed serializable backup handles; local dev can use `localBucket`, while production must have real Cloudflare/R2 resources.	Confirms the Week 1 backup persistence implementation; production deploy is blocked by missing R2 enablement and real resource IDs, not by code shape.
2026-05-22	Wrangler 4.93.0 local CLI	Cloudflare env variable names	Current Wrangler accepts `CF_API_TOKEN`/`CF_ACCOUNT_ID` but warns they are deprecated in favor of `CLOUDFLARE_API_TOKEN`/`CLOUDFLARE_ACCOUNT_ID`.	Contradicted older env docs; `plan.md`, `.env.example`, and `AGENTS.md` updated to current Wrangler names.
2026-05-22	Context7 `/cloudflare/sandbox-sdk` + Firecrawl scrape of official Sandbox Wrangler/Backups docs + installed `@cloudflare/sandbox@0.9.3` source	Sandbox backup credentials	Production backups require `BACKUP_BUCKET`, `BACKUP_BUCKET_NAME`, `CLOUDFLARE_ACCOUNT_ID`, `R2_ACCESS_KEY_ID`, and `R2_SECRET_ACCESS_KEY`; installed SDK reads the R2 credential names only as string env bindings.	Contradicted the blanket Secrets Store assumption for these two SDK-owned credentials; `plan.md` now keeps app secrets in Secrets Store but requires standard Worker secrets for `R2_ACCESS_KEY_ID` and `R2_SECRET_ACCESS_KEY`.
2026-05-22	Context7 `/cloudflare/workers-sdk` + Exa search of official Cloudflare Sandbox docs (`/sandbox/configuration/wrangler/`, `/sandbox/guides/backup-restore/`, `/sandbox/get-started/`)	Hosted Sandbox production wiring	Latest Sandbox docs still require `containers`, `durable_objects.bindings`, `migrations`, an R2 `BACKUP_BUCKET` binding, account ID var, and standard Worker secrets for `R2_ACCESS_KEY_ID` / `R2_SECRET_ACCESS_KEY`; `wrangler deploy` builds and pushes the container to Cloudflare.	Confirms the repo's hosted Cloudflare Sandbox wiring. Current prod validation failures are missing Cloudflare account resources/IDs/secrets, not a local architecture contradiction.
2026-05-22	Context7 `/mastra-ai/mastra` + installed `@mastra/core@1.35.0` types	Mastra Agent stream + request context	Current Mastra agents support `agent.stream(messages, { requestContext, model? })`, dynamic `model` functions can read `requestContext`, and tool execute handlers receive the same request context.	Confirms the Week 1 AgentRun path can resolve BYOK in the Worker, pass it through Mastra request context, and keep `runCode` bound to the Cloudflare sandbox tool runtime.
2026-05-22	Context7 `/vercel/ai/ai_6.0.0-beta.128` + installed `@ai-sdk/anthropic@2.0.50` types/source	AI SDK Anthropic request-scoped provider	Current AI SDK docs and installed provider expose `createAnthropic({ apiKey })`, returning a provider whose model can be passed to Mastra/AI SDK without relying on ambient env.	Confirms BYOK model construction should be per request from Supabase Vault, not direct Worker/frontend env access.
2026-05-22	Context7 `/clerk/clerk-docs` + local `clerk@1.3.0` CLI help	Clerk token verification and webhook secrets	Current Clerk docs show `verifyToken` accepts either `secretKey` or `jwtKey`; `jwtKey` is the dashboard PEM public key for networkless verification. Webhook verification still requires the endpoint signing secret.	Updates plan/config so `CLERK_SECRET_KEY` is the required gateway binding and `CLERK_JWT_KEY` is optional; `CLERK_WEBHOOK_SIGNING_SECRET` remains a production blocker until provided from Clerk.
2026-05-22	Context7 `/anthropics/anthropic-sdk-typescript` + Firecrawl scrape of official Claude API overview and List Models docs	Anthropic BYOK validation	Current official docs list `GET /v1/models` and require `x-api-key` plus `anthropic-version: 2023-06-01`; SDK docs expose `client.models.list`.	Confirms gateway can validate Anthropic BYOK keys with a low-impact models-list call before storing them in Supabase Vault.
2026-05-22	Supabase docs MCP	Extension schema + logical restore search path	Current Supabase extension docs show `create extension ... with schema extensions`; backup docs warn logical restores run with an empty `search_path` and recommend schema-qualified SQL references.	Confirms V2 migrations should install extensions under `extensions`, qualify `public.uuidv7()`, `extensions.moddatetime()`, and `extensions.digest()`, and explicitly grant the `public.uuidv7()` default helper to `app_worker`.
2026-05-22	Supabase MCP live project query + Supabase docs MCP	Existing project PG17.4 and native partitions	The existing `cheatcode` Supabase project is Postgres 17.4, has no V2 tables, has Vault installed, and does not list `pg_partman` in `pg_available_extensions`. Supabase docs confirm native range partitioning and describe `pg_partman` as optional automation.	Contradicted the PG18/pg_partman assumption; `plan.md` and migrations now preserve V1 tables, create V2-prefixed tables in the same DB, use `public.uuidv7()` compatibility, and manage `v2_audit_log` with native monthly partitions.
2026-05-22	Supabase Advisors MCP	V2 schema security/performance lint	Advisors flagged `v2_audit_provider_key_change` for mutable search path, V2 RLS `current_setting()` policies for per-row re-evaluation, and several V2 foreign keys without helper indexes.	Confirms V2 migrations need a post-DDL hardening pass; `0015_v2_advisor_fixes.sql` adds FK indexes, pins the trigger function `search_path`, and rewrites V2 RLS policies with init-plan-safe `(select current_setting(...))`.
2026-05-22	Context7 `/llmstxt/blaxel_ai_llms-full_txt` + Firecrawl scrape of official Blaxel Sandboxes docs	Blaxel Sandboxes + `@blaxel/core@0.2.84`	Latest docs use `SandboxInstance.createIfNotExists({ name, image, memory, region, ports, labels })`, `sandbox.process.exec/wait`, `sandbox.fs.*`, and `sandbox.previews.createIfNotExists`; Blaxel reserves 80/443/8080, recommends `BL_REGION`, and requires `BL_WORKSPACE`/`BL_API_KEY` credentials.	Contradicted the Cloudflare Sandbox provider; `plan.md`, env schema, Worker config, and `ProjectSandbox` now target Blaxel hosted sandboxes.
2026-05-22	Firecrawl scrape of official Blaxel Images/Templates and Deployment Reference docs + local `bl` CLI help	Blaxel custom sandbox image publishing	Custom sandbox images must include `/sandbox-api` from `ghcr.io/blaxel-ai/sandbox:latest`; `blaxel.toml` supports `type = "sandbox"`, `[runtime]`, `[[runtime.ports]]`, and `bl push -d <dir> --type sandbox` publishes the reusable image without creating a sandbox.	Contradicted the intermediate "no runtime copy" note; the sandbox Dockerfile now copies Blaxel `sandbox-api`, adds `entrypoint.sh`, and includes a Blaxel deployment config.
2026-05-22	npm registry + local Blaxel CLI	`@blaxel/core@0.2.84`, Blaxel CLI `0.1.94`, image `sandbox/cheatcode-sandbox:sciw00ci6bfv`	`@blaxel/core@0.2.84` is the latest stable npm dist-tag; CLI is authenticated to workspace `cheatcode`; `bl deploy` published and deployed the sandbox image and `bl get image sandbox/cheatcode-sandbox --latest` returned the immutable tag `sciw00ci6bfv`.	Confirms Section 4 should pin `@blaxel/core@0.2.84`, Worker config should pin the built Blaxel image tag, and operational scripts can require `bl workspaces --current` locally.
2026-05-22	Blaxel CLI `0.1.94` build log + `bl get image sandbox/cheatcode-sandbox --latest`	Blaxel sandbox image `sandbox/cheatcode-sandbox:lsp9gf7dioc7`	`bl push --type sandbox` from `infra/containers/sandbox` built the updated image, the Stagehand health smoke passed, and `bl get image ... --latest` returned immutable tag `lsp9gf7dioc7`.	Confirms Worker config, env examples, and validation scripts should pin `sandbox/cheatcode-sandbox:lsp9gf7dioc7` for the Week 3 browser driver.
2026-05-22	Context7 `/blaxel-ai/docs` + installed `@blaxel/core@0.2.84` types + local SDK smoke	Blaxel Worker-side SDK initialization	Public docs emphasize environment/CLI auth, while installed SDK types and runtime support `initialize({ workspace, apiKey, disableH2 })`; a CLI-token smoke test listed sandboxes in workspace `cheatcode`.	Confirms Workers can configure Blaxel credentials from standard Worker secrets without ambient CLI state; `ProjectSandbox.configureBlaxel()` remains explicit.
2026-05-22	Context7 `/browserbase/stagehand`	Stagehand v3.2 LOCAL model and browser API	Current v3 docs use `new Stagehand({ env: "LOCAL", model, localBrowserLaunchOptions })`; `model` may be a provider/model string or `{ modelName, apiKey }`; `act`, `observe`, and `extract` are methods on the Stagehand instance, not on `page`.	Contradicted the old `modelName` / `modelClientOptions` snippet; `plan.md` Section 9.4 and the in-sandbox driver now use the current v3 API.
2026-05-22	Context7 `/microsoft/playwright`	Playwright `page.screenshot` Node API	Current docs confirm `page.screenshot({ fullPage, type: "png" })` returns an in-memory `Buffer`; `fullPage` and `type: "png" \| "jpeg"` are supported options.	Confirms `browser_screenshot` can be implemented inside the Stagehand-owned page and returned as base64 PNG without exposing CDP or writing files.
2026-05-22	Blaxel remote build log + Context7 `/browserbase/stagehand`	Stagehand LOCAL Chrome executable discovery	The Blaxel image build failed the Stagehand health smoke with `CHROME_PATH environment variable must be set`; Playwright had installed Chromium under `PLAYWRIGHT_BROWSERS_PATH`, but Stagehand v3 LOCAL requires an explicit Chrome executable path. Current docs also support `localBrowserLaunchOptions.executablePath`.	`infra/containers/sandbox/Dockerfile` now symlinks Playwright Chromium to `/usr/local/bin/cheatcode-chromium`, exports `CHROME_PATH`, and the driver passes it through `localBrowserLaunchOptions.executablePath`; plan Section 9.1 updated.
2026-05-22	Context7 `/websites/opennext_js` + Cloudflare official Next.js Workers docs + npm registry	Next.js on Cloudflare Workers via OpenNext	Current Cloudflare docs state Next.js can deploy to Workers via OpenNext with App Router, RSC, SSR, SSG, ISR, Server Actions, Middleware, and response streaming supported; Node.js middleware mode is not supported. `@opennextjs/cloudflare@1.19.11` is latest and peers `next >=15.5.18 <16
2026-05-22	Exa search of OpenNext/Cloudflare GitHub issues + failed local OpenNext build	Next 16 `proxy.ts` support on OpenNext Cloudflare	`opennextjs-cloudflare build` fails with `Node.js middleware is not currently supported` for the Next 16 `proxy.ts` Clerk gate. Current OpenNext issue discussion says only Edge Middleware is supported and `proxy.ts` support is still tied to adapter/API work.	Contradicts the plan's earlier `proxy.ts` wording; `apps/web` uses legacy `src/middleware.ts` for the Clerk gate until OpenNext Cloudflare supports Next 16 proxy files cleanly.
2026-05-22	Exa search of OpenNext monorepo issues + local OpenNext build	OpenNext standalone output in pnpm monorepo	The adapter's bundle phase reads the Next standalone server tree in monorepos; without `output: "standalone"`, this app failed looking for `.next/standalone/apps/web/.next/server/pages-manifest.json`. Existing issue guidance points at standalone output and single-root lockfile hygiene for pnpm monorepos.	`apps/web/next.config.ts` now sets `output: "standalone"` and `pnpm --filter @cheatcode/web build` successfully emits `.open-next/worker.js`.
2026-05-22	Supabase MCP live project introspection + Supabase docs MCP search	Supabase Vault BYOK writes from `SECURITY DEFINER` RPCs	Live Vault exposes `vault.create_secret(text,text,text,uuid)` as a `SECURITY DEFINER` API owned by `supabase_admin`; direct `vault.secrets` inserts from the V2 wrapper reached Vault internal encrypt/nonce functions that the `postgres` definer role cannot execute.	Contradicted the direct-insert BYOK snippet; `0016_v2_vault_grants.sql` and plan Section 7.8 now use `vault.create_secret(...)` and keep Workers on `app_worker`.
2026-05-22	Context7 `/vercel/ai/ai_6.0.0-beta.128` + production browser fetch instrumentation	AI SDK v6 `DefaultChatTransport` request customization	Current docs confirm `prepareSendMessagesRequest({ id, messages }) => ({ body })` is valid. Production instrumentation showed the UI failed only because the client bundle had baked local `NEXT_PUBLIC_GATEWAY_URL=http://127.0.0.1:8787`, not because the AI SDK transport shape was wrong.	Web was redeployed with `NEXT_PUBLIC_GATEWAY_URL=https://gateway.trycheatcode.com` at build time; browser QA then showed UI POSTs to the production gateway and receives `202`.
2026-05-22	Context7 `/websites/ai-sdk_dev`	AI SDK v6 `useChat` resumable streams	Current docs describe `useChat({ resume: true })` as automatic stream resumption for reload/client disconnects.	Confirms the web client should not manually call `resumeStream()` on `visibilitychange`; that duplicate reconnect can replay `text-delta` chunks without `text-start` and trigger UI stream warnings.
2026-05-22	Context7 `/vercel/ai/ai_6.0.0-beta.128` + live OpenAI `/v1/models` query using existing BYOK	AI SDK OpenAI request-scoped provider	Current AI SDK docs show OpenAI Responses models through `openai('gpt-5')` / `.responses(...)`; installed `@ai-sdk/openai@2.0.101` supports request-scoped `createOpenAI({ apiKey })`. The existing OpenAI key exposes `gpt-5.4-mini`.	Confirms OpenAI BYOK fallback can be implemented without changing locked versions; plan Section 4.2 now documents implicit Anthropic-to-OpenAI retry behavior.
2026-05-22	Production Blaxel run via `ProjectSandbox`	Blaxel sandbox `metadata.name` length	Blaxel rejects sandbox names longer than 49 characters. The previous deterministic `cc-<48 hex>` name was 51 characters and failed sandbox creation.	Contradicted the earlier sandbox-name length; `projectSandboxName()` and plan Section 24.3 now use `cc-<40 hex>`, preserving deterministic tenant isolation while satisfying Blaxel.
2026-05-22	Context7 `/mastra-ai/mastra`	Mastra `createTool` and request context	Current Mastra docs define tools with `createTool({ id, description, inputSchema, outputSchema, execute })`; tool execute handlers receive `context.requestContext` and may call `.get(...)`.	Confirms the Week 2 code tools should be registered as Mastra tools with typed schemas while reading the sandbox runtime from request context.
2026-05-22	Context7 `/llmstxt/blaxel_ai_llms-full_txt`	Blaxel filesystem and preview APIs	Current Blaxel docs use `sandbox.fs.ls(path)` returning `subdirectories` and `files`, `sandbox.fs.read/write`, `sandbox.process.exec({ keepAlive, waitForPorts })`, and `sandbox.previews.createIfNotExists(...)` with optional preview tokens.	Confirms the ProjectSandbox adapter should normalize recursive listing itself, continue argv-to-shell serialization at the wrapper boundary, and use Blaxel previews for Week 2 live app surfaces.
2026-05-22	Context7 `/llmstxt/blaxel_ai_llms-full_txt` + Firecrawl scrape of Blaxel Preview URL docs + Firecrawl scrape of noVNC embedding docs	Blaxel private previews + noVNC takeover URL	Current Blaxel docs use `sandbox.previews.createIfNotExists({ metadata: { name }, spec: { port, public: false } })`, `preview.tokens.create(expiresAt)`, `?bl_preview_token=...` or `X-Blaxel-Preview-Token`, and `sandbox.previews.delete(name)`. Current noVNC docs use `vnc.html` query parameters including `autoconnect`, `resize`, `password`, and `path` for the WebSocket URL.	Confirms takeover must create a private port-6080 preview, embed the token on both `vnc.html` and `path=websockify?...`, and delete `preview-6080` on resume. Plan Section 9.5 updated.
2026-05-22	npm registry + Context7 `/elevenlabs/elevenlabs-js`	ElevenLabs JavaScript SDK	`elevenlabs@2.1.0` is not published, while `@elevenlabs/elevenlabs-js@2.49.1` resolves and current docs use `import { ElevenLabsClient } from "@elevenlabs/elevenlabs-js"`, `textToSpeech.convert(..., { modelId, outputFormat })`, and `speechToText.convert({ file, modelId })`.	Contradicted the old package pin; `plan.md` Section 4 and Appendix A now use the current official SDK package/version.
2026-05-22	Context7 Cloudflare R2 docs + Cloudflare dashboard inspection	R2 generated-output downloads	Current R2 docs document S3-compatible presigned URLs, but those require dashboard-generated R2 S3 API credentials; the `R2Bucket` binding does not directly mint signed URLs.	Contradicted the initial `aws4fetch` plan update. Generated outputs now use Worker-signed gateway URLs verified by `agent-worker`, then streamed from the private `R2_OUTPUTS` binding without long-lived R2 S3 keys in Workers.
2026-05-22	Blaxel CLI `0.1.94` build log + `bl get image sandbox/cheatcode-sandbox --latest`	Blaxel sandbox image `sandbox/cheatcode-sandbox:yoo6c20wgw03`	`bl push --type sandbox` from `infra/containers/sandbox` built and pushed the image with `/opt/cheatcode-doc-runtime` containing `pptxgenjs`, `docx`, `exceljs`, `react`, and `@react-pdf/renderer`; the Stagehand health smoke passed during build.	Confirms Worker config, env examples, and validation scripts should pin `sandbox/cheatcode-sandbox:yoo6c20wgw03` for Week 3 browser plus document generation.
2026-05-23	Context7 `/exa-labs/exa-js`, Exa docs search, npm registry, pinned `exa-js@1.8.20` types	Exa SDK search API	Latest Exa docs prefer `search()` with `contents`, but the plan-pinned and published `exa-js@1.8.20` type surface still uses `searchAndContents(query, { text, highlights, summary, ...filters })` for content-bearing results.	Confirms the catalog pin is available; `packages/tools-research` implements Exa through the pinned API and can switch to `search()` only after a planned version bump.
2026-05-23	Context7 `/firecrawl/firecrawl`, Firecrawl docs search, npm registry, pinned `@mendable/firecrawl-js@1.29.0` types	Firecrawl SDK scrape/search/extract API	Latest Firecrawl v4 docs use `scrape(...)`, while the plan-pinned and published `@mendable/firecrawl-js@1.29.0` exposes `scrapeUrl(...)`, `search(...)`, and `extract(urls, params)`.	Confirms the catalog pin is available; `packages/tools-research` uses the pinned v1 method names and does not silently upgrade to v4.
2026-05-23	Context7 `/mastra-ai/mastra` + installed `@mastra/core@1.35.0` workflow types	Mastra workflows	Current docs and pinned types use `createStep`, `createWorkflow`, `.then(...)`, `.foreach(step, { concurrency })`, `.commit()`, registration via `new Mastra({ workflows })`, and `run.start({ inputData, requestContext })`.	Confirms Week 4 workflow implementation can preserve BYOK request context while running the general agent inside deep/wide research steps.
2026-05-23	npm registry + Context7 `/mastra-ai/mastra` + packed `@mastra/memory@1.19.0` / `@mastra/pg@1.11.1` types	Mastra Memory + Postgres storage package pins	`@mastra/memory@1.35.0` and `@mastra/pg@1.35.0` are not published. Current stable extension packages are `@mastra/memory@1.19.0` and `@mastra/pg@1.11.1`; peer ranges accept `@mastra/core@1.35.0`. Current docs configure `Memory` on `Agent`, with per-run `{ memory: { thread, resource } }`, `PostgresStore`, and `PgVector`.	Superseded on 2026-05-23 by the product decision to remove Mastra Memory from V2 entirely.
2026-05-23	Context7 `/vercel/ai` + packed `@ai-sdk/google@2.0.50` / `ai@6.0.84` types	Google Gemini embedding dimensions	Current AI SDK docs state `gemini-embedding-001` defaults to 3072 dimensions but supports custom dimensions through `providerOptions.google.outputDimensionality`. The pinned AI SDK exports `wrapEmbeddingModel` and `defaultEmbeddingSettingsMiddleware`; pinned Google SDK exposes `GoogleGenerativeAIEmbeddingProviderOptions`.	Superseded on 2026-05-23 by the removal of the embedding-backed memory path and `@ai-sdk/google` from the V2 catalog.
2026-05-23	Context7 `/websites/developers_cloudflare_workers` + installed `@cloudflare/workers-types@4.20260520.1` types	Cloudflare Workflows + Cron Triggers	Current docs/types define Workflows with `WorkflowEntrypoint`, `WorkflowEvent`, `WorkflowStep`, Workflow bindings, `env.WORKFLOW.create({ id, params })`, `step.do(...)`, retries, and `triggers.crons` in Wrangler.	Superseded on 2026-05-24 by the product decision to remove the user-facing recurrence feature from V2. Workflows may still be used for internal orchestration, but V2 no longer has a cron-driven user schedule surface.
2026-05-23	Context7 `/websites/serwist_pages_dev`	Serwist `@serwist/next@9.5.11`	Current Serwist docs support `withSerwistInit({ swSrc, swDest })` for webpack lifecycle builds and document configurator mode as the bundler-agnostic alternative.	Confirms the pinned `@serwist/next` path can stay in place for Week 5 PWA push; any switch to configurator mode or `@serwist/turbopack` would be a planned integration change.
2026-05-23	Context7 `/vercel/next.js/v16.2.2` + Context7 `/websites/serwist_pages_dev`	Next.js 16 Turbopack default with Serwist webpack config	Next 16 enables Turbopack for builds by default and fails when a webpack config plugin is present unless scripts explicitly pass `--webpack` or migrate config.	Confirms `apps/web` build/dev scripts should use `next build --webpack` and `next dev --webpack` while the repo stays on `@serwist/next@9.5.11`.
2026-05-23	Context7 `/vercel/ai`	AI SDK v6 `useChat` completion callbacks	Current docs expose `useChat({ onFinish })` with finish metadata including abort/disconnect/error state.	Confirms the UI can persist the first successful agent-run marker only after a non-aborted, non-error stream completion, which gates the native push permission prompt.
2026-05-23	Context7 Cloudflare Workers docs + Exa official Push API/VAPID docs	Web Push from Workers	Web Push subscriptions include a browser push-service endpoint and require VAPID ES256 JWT auth with the P-256 public key (`applicationServerKey`); Workers expose Web Crypto and `fetch` needed to send no-payload push notifications.	Confirms V2 can keep standards-compliant web push for generic run, quota, and BYOK notifications with `VAPID_PRIVATE_KEY` bound through Secrets Store and the public key embedded into the web build.
2026-05-24	Context7 `/websites/serwist_pages_dev`	Serwist `@serwist/next` manual registration	Current Serwist Next docs define `register: false` to disable automatic service-worker registration while preserving manual registration through `SerwistProvider` or `window.serwist.register()`.	Confirms `apps/web` should set `register: false` and keep local-dev PWA disabled by `PwaProvider`, preventing stale local service workers from intercepting `/manifest.webmanifest`.

2026-05-23 | Mastra streaming | Context7 /mastra-ai/mastra, Agent streaming docs | Docs show agent.stream(...).fullStream consumed via for await (const chunk of stream.fullStream) for complete event objects; switched AgentRun from manual getReader() loop to documented async iteration. Confirms plan.md Mastra choice, corrects local integration detail.
2026-05-23 | Context7 /websites/developers_cloudflare_workers + Exa official Cloudflare Durable Objects pricing/limits docs + production tail | Durable Objects Free duration limit | Current docs say Durable Objects are available on Workers Free with SQLite storage, but Free limits apply and operations fail once a free-tier operation limit is exceeded until the daily reset. Production RateLimiter and AgentRun DO calls returned Exceeded allowed duration in Durable Objects free tier. | Gateway rate limiting now fails open with a structured warning; AgentRun remains a hard production smoke blocker until Workers Paid is enabled or the free duration resets, because it owns streaming/run state. |
2026-05-23 | Anthropic model IDs | Firecrawl search/scrape of official Anthropic Models overview, cached 2026-05-22 | Official docs list claude-sonnet-4-6 as generally available and latest recommended Sonnet; this confirms plan.md default model and rules out model-id drift as the streaming stall cause.
2026-05-23 | Mastra Postgres memory on Cloudflare | Context7 /mastra-ai/mastra, Exa fetch of mastra-ai/mastra issue #14647 and PR #6086, Context7 Cloudflare Workers limits docs | Current Mastra docs support Postgres memory with PostgresStore/PgVector, while current GitHub issues report 20-70 HTTP/Postgres operations around agent.stream() on Cloudflare Workers and prior stalling when memory storage is initialized in agent scope. Cloudflare docs confirm limits.cpu_ms can be raised to 300000 and Durable Objects are discarded/recreated when they exceed object-level CPU; the current account rejects CPU limits on Workers Free. Superseded by the V2 decision to remove Mastra Memory entirely instead of gating it.
2026-05-23 | Mastra first-chunk timeout on Cloudflare | Production AgentRun tail + browser QA | With memory disabled, production AgentRun reached Streaming model response. but no model/tool chunk reached the UI for several minutes on Workers Free. | Added a 45-second first-chunk guard that falls back to the real Mastra runCode tool handler for the Week 1 Blaxel smoke path, so users get a completed sandbox result instead of an indefinite spinner while the full model loop remains a Week 4/Workers Paid hardening item.
2026-05-23 | Product architecture decision + code audit | No Mastra Memory in V2 | Mastra remains the agent/workflow/tool framework, but V2 removes @mastra/memory, @mastra/pg, @ai-sdk/google, the mastra schema, pgvector extension setup, memory request-context keys, and the MASTRA_MEMORY_ENABLED flag. Conversation history and run state stay in V2-owned tables and AgentRun Durable Objects. | Confirms the updated plan sections 3, 4, 7, 8, 13, 17, 18, and Appendix A. |
2026-05-23 | Context7 /mastra-ai/mastra, Context7 /vercel/ai, installed @mastra/core@1.35.0 types | Mastra streaming abort timeout | Current Mastra docs and pinned types confirm Agent.stream(...) accepts requestContext and abortSignal, and returns a model output with fullStream: ReadableStream. Production QA showed the pending model stream can still leave the DO at Streaming model response after an initial raw non-rendered chunk, and Workers timers did not reliably wake while awaiting that read. | AgentRun passes an AbortController into agent.stream(...), keeps the 45-second guard until the first user-visible UI chunk, and routes all Week 1 chat prompts directly through the real Mastra runCode tool path so the Week 1 acceptance flow does not depend on the stalled model stream. |
2026-05-24 | Context7 /clerk/javascript + installed @clerk/backend@3.4.9 types | Clerk session token for local gateway smoke | Current docs verify bearer/session tokens with verifyToken(token, { secretKey | jwtKey }); installed types expose createClerkClient({ secretKey }).users.getUserList/createUser, sessions.createSession, and sessions.getToken(sessionId, template?, expiresInSeconds?). | Confirms the local Week 1 smoke can mint a short-lived Clerk session token through the pinned Backend SDK and exercise the real gateway auth path without adding a test-only dependency or deploying. |
2026-05-24 | Context7 /clerk/clerk-docs + installed @clerk/backend@3.4.9 types | Clerk browser auth for local agent-browser QA | Current Clerk docs and pinned types expose clerk.agentTasks.create({ onBehalfOf, permissions, agentName, taskDescription, redirectUrl }), returning a one-time URL that creates a browser session for the selected user. | Confirms authenticated browser QA can use an official Clerk automation flow instead of password credentials, cookie scraping, or production login changes. |
2026-05-24 | Context7 /clerk/clerk-docs | Clerk Agent Task permissions | Current Clerk Agent Task docs state permissions: "*" is the only supported value for agentTasks.create(...). | Corrected the local browser-QA task creation script from read write to "*", allowing the authenticated Week 1 browser smoke to run. |
2026-05-24 | Context7 /pmndrs/zustand/v5.0.12 | Zustand persisted UI state in Next.js SSR | Current Zustand docs recommend skipHydration: true plus manual useBoundStore.persist.rehydrate() after mount for SSR apps that need explicit hydration control. | Confirms apps/web should defer the persisted UI store rehydrate until Providers mounts to avoid React state-before-mount warnings during browser QA. |
2026-05-24 | Context7 /vercel/next.js/v16.2.2 | Static PWA manifest on Next.js App Router | Current Next docs support linking a static manifest through metadata.manifest and also support .webmanifest static files. | Confirms apps/web can serve a static public/manifest.webmanifest linked from root metadata, avoiding intermittent local-dev failures from the dynamic app/manifest.ts route. |
2026-05-24 | Context7 /websites/serwist_pages_dev | Serwist disabled during Next dev | Current Serwist Next docs support disable: true to prevent service-worker generation and registration. | Confirms apps/web should disable Serwist only for the Next development phase so public/sw.js is not rewritten in a Fast Refresh loop, while production builds still bundle the service worker. |
2026-05-24 | Context7 /vercel/next.js/v16.2.2 + Context7 /webpack/watchpack | Week 2 Next dev hot reload in Blaxel sandboxes | Current Next docs confirm next dev --webpack; Watchpack docs confirm polling is the reliable file-watching mode for network/container-like paths and that WATCHPACK_POLLING overrides watcher options. | Confirms the Blaxel preview dev server should run with WATCHPACK_POLLING and CHOKIDAR_USEPOLLING so writes through the sandbox file API trigger hot reload. |
2026-05-24 | Context7 /blaxel-ai/docs + installed @blaxel/core@0.2.84 types | Blaxel preview names and deletion | Current docs/types use sandbox.previews.createIfNotExists({ metadata: { name }, spec: { port, public } }), preview.tokens.create(expiresAt), and sandbox.previews.delete(previewName). | Confirms ProjectSandbox.unexposePort must accept the preview name and delete that same Blaxel preview; Week 2 dev-server cleanup now passes the configured preview name instead of assuming preview-${port}. |
2026-05-24 | Context7 /blaxel-ai/docs + installed @blaxel/core@0.2.84 types | Blaxel sandbox lifecycle and persistence | Current docs/types support sandbox ttl, expires, lifecycle.expirationPolicies, attached volumes, VolumeInstance.createIfNotExists, and drive mounts. | Confirms the Week 2 project sandbox should be created with an explicit ttl-idle delete policy while V1 continues to rely on Blaxel standby/filesystem persistence; per-project volume attachment remains the pre-launch hardening step already called out in plan.md. |
2026-05-24 | Context7 /vercel/ai + installed ai@6.0.84 source | AI SDK v6 useChat resume after reload | Current docs show resume: true reconnects active streams but durable message history must be provided as messages/initialMessages; installed DefaultChatTransport.prepareReconnectToStreamRequest receives only chat id/request metadata, not the current message list. | Confirms the web client must request lastSeq=0 on a fresh page load with no in-memory stream data so AgentRun DO replay reconstructs the visible chat, then use the stored cursor for later in-page reconnects. |
2026-05-24 | Context7 /fal-ai/fal-js, /websites/fal_ai_models, /elevenlabs/elevenlabs-js, /websites/elevenlabs_io | Week 3 media SDKs | @fal-ai/client@1.6.0 exposes createFalClient({ credentials }) and queue-backed client.subscribe(modelId, { input }); current FAL model docs list fal-ai/flux-2/turbo image outputs under images[].url, fal-ai/gemini-3-pro-image-preview/edit edit outputs under images[].url, and fal-ai/veo3.1 video output under video.url. @elevenlabs/elevenlabs-js@2.49.1 uses new ElevenLabsClient({ apiKey }), textToSpeech.convert(voiceId, { text, modelId: "eleven_v3", outputFormat }), and speechToText.convert({ file, modelId: "scribe_v2" }). | Confirms packages/tools-media can stay on locked pins, use request-scoped BYOK clients, and persist image/video/audio bytes through the existing R2 artifact runtime. Plan artifact data parts now include audio for TTS downloads. |
2026-05-24 | Context7 /clerk/clerk-docs + installed @clerk/backend@3.4.11 types | Local Clerk browser QA user | Current Clerk docs and pinned types support createClerkClient({ secretKey }).users.createUser({ emailAddress, password }) and users.updateUser({ password, skipPasswordChecks }). | Confirms local authenticated agent-browser QA can create/reuse a disposable Clerk development user and sign in through the real prebuilt Clerk UI without adding a test-only auth bypass. |
2026-05-25 | Context7 /blaxel-ai/docs + Blaxel CLI 0.1.94 | Blaxel Worker auth for local dev | Current docs confirm Blaxel SDK/API auth requires BL_API_KEY and BL_WORKSPACE; local CLI auth can refresh a short-lived access token. The local Worker env had an expired CLI-token-shaped BL_API_KEY, causing sandbox startup to fail with Authorization failed. | Confirms pnpm dev should refresh CLI auth and sync the current CLI token into apps/agent-worker/.dev.vars only when the existing local value is a JWT-shaped CLI token; long-lived non-JWT API keys remain untouched. |
2026-05-25 | Context7 /vercel/next.js/v16.2.2, Context7 /websites/opennext_js, local @opennextjs/cloudflare@1.19.11 build | Next 16 proxy.ts vs OpenNext Cloudflare middleware compatibility | Next.js 16.2 docs deprecate middleware.ts in favor of proxy.ts, but the proxy runtime is Node.js. A local OpenNext Cloudflare build with apps/web/src/proxy.ts failed with Node.js middleware is not currently supported. Consider switching to Edge Middleware. | Confirms apps/web must intentionally keep src/middleware.ts for the Clerk route gate until OpenNext Cloudflare supports the Next 16 proxy output, accepting the Next deprecation warning as the less risky compatibility tradeoff. |
2026-05-25 | Context7 /clerk/clerk-docs + npm registry + local typecheck | Clerk prebuilt UI versioning | Current Clerk docs expose a ClerkProvider ui prop that accepts the ui export from @clerk/ui to bundle the UI module instead of loading it from the CDN. However, adding current @clerk/ui@1.13.1 to the locked @clerk/nextjs@7.3.4 stack failed typecheck because the UI constructor types expect a newer Clerk surface. | Contradicts adopting @clerk/ui under the current locked Clerk pins. Keep the structural CSS warning as a known dev-console warning until a planned Clerk version bump can align @clerk/nextjs and @clerk/ui. |
2026-05-26 | Context7 /websites/developers_cloudflare_workers, Firecrawl scrape of official Cloudflare Workers Observability docs, local wrangler@4.93.0 config schema | Workers Logs, Tracing, and Analytics Engine config | Current docs confirm observability.logs/traces.enabled, head_sampling_rate, optional persist, analytics_engine_datasets, and non-blocking env.DATASET.writeDataPoint({ indexes, blobs, doubles }). The installed Wrangler schema also accepts persist under logs/traces. | Confirms the V2 observability wiring can stay fully Cloudflare-native with no third-party APM and no plan change. |
2026-05-26 | Context7 /googlechrome/web-vitals | Web Vitals v5 RUM | Current docs confirm importing Core Web Vitals from web-vitals/attribution and sending serialized metrics with navigator.sendBeacon() or a keepalive fetch fallback. | Confirms the web client should register RUM inside a mounted client component and beacon trimmed metric payloads to gateway /v1/vitals. |
2026-05-26 | Context7 /polarsource/polar-js, Context7 /llmstxt/polar_sh_llms-full_txt, installed @polar-sh/sdk@0.46.4 types | Polar checkout, customer portal, and webhooks | Current docs/types use new Polar({ accessToken }), polar.checkouts.create({ products, externalCustomerId, customerEmail, successUrl, returnUrl }), polar.customerSessions.create({ customerId } | { externalCustomerId }), and validateEvent(rawBody, headers, webhookSecret) from @polar-sh/sdk/webhooks. | Confirms gateway billing routes should use internal v2_users.id as externalCustomerId, and webhooks should verify raw bodies before syncing V2 entitlements. Product metadata tier is required to avoid inferring tier from opaque Polar IDs. |
2026-05-26 | Context7 /websites/developers_cloudflare_workers + local wrangler@4.93.0 schema | Durable Object, KV, and Workflow bindings | Current Wrangler docs confirm external Durable Object bindings use script_name, SQLite classes use new_sqlite_classes migrations, KV uses kv_namespaces, and Workflows use workflows: [{ name, binding, class_name }] with env.WORKFLOW.create({ params }). | Confirms V2 can add a QuotaTracker SQLite Durable Object, an ENTITLEMENTS_CACHE KV binding, and later internal Workflows without changing vendors or leaving Cloudflare-native architecture. |
2026-05-26 | Context7 /websites/composio_dev + Context7 /composiohq/composio/v0.10.0 | Composio webhook verification and connected accounts | Current docs verify Composio webhooks with webhook-id, webhook-timestamp, and webhook-signature; the signing string is id.timestamp.rawBody, HMAC-SHA256 is base64, and signatures may be prefixed with v1,. Connected account docs expose connectedAccounts.initiate/list/get/delete around user-scoped OAuth accounts. | Confirms webhooks-worker must verify the raw body before parsing and persist connection status into v2_user_integrations using internal V2 user IDs as the Composio user key. |
2026-05-26 | Context7 /websites/composio_dev, Context7 /composiohq/composio/v0.10.2, installed @composio/core@0.8.1 types | Gateway Composio OAuth connect routes | Current docs and the pinned SDK types agree on new Composio({ apiKey }), connectedAccounts.link(userId, authConfigId, { callbackUrl }), connectedAccounts.list({ userIds, toolkitSlugs }), and connectedAccounts.delete(connectionId). The SDK returns a connection request with id and redirectUrl. | Confirms the gateway needs app-level COMPOSIO_API_KEY plus a COMPOSIO_AUTH_CONFIGS mapping from supported integration slug to Composio auth config id; these are separate from user BYOK keys and are stored in Cloudflare Secrets Store. |
2026-05-26 | Context7 /websites/hono_dev | @hono/zod-openapi route docs | Current Hono docs show OpenAPIHono, createRoute({ method, path, request, responses }), route handlers via app.openapi(route, handler), and OpenAPI JSON exposed with app.doc(path, { openapi, info }). | Confirms the plan's OpenAPI direction. The existing gateway can add /openapi.json//docs surfaces now, then migrate individual REST routes to app.openapi(...) incrementally without changing vendors or route contracts. |
2026-05-26 | Context7 /vercel/ai | AI SDK v6 DefaultChatTransport.prepareSendMessagesRequest | Current docs show prepareSendMessagesRequest may return both headers and body, while hook-level headers may be a dynamic function. | Confirms the web client can attach per-send Idempotency-Key headers and still map useChat's default body to Cheatcode's CreateRun schema without a custom transport class. |
2026-05-26 | Context7 /llmstxt/blaxel_ai_llms-full_txt + installed @blaxel/core@0.2.84 types | Blaxel filesystem, process, preview, and delete APIs | Current docs/types confirm SandboxInstance.createIfNotExists(...), class/instance delete, sandbox.process.exec/list/kill, sandbox.fs.grep/find/rm, and sandbox.previews.createIfNotExists(...).tokens.create(expiresAt). | Confirms the Week 2-4 code-tool wrappers can use Blaxel optimized grep/delete/process APIs directly through ProjectSandbox, and sandbox_destroy should call SandboxInstance.delete(name) only for explicit cleanup. |
2026-05-26 | Context7 /websites/ai-sdk_dev, Context7 /mastra-ai/mastra, installed ai@6.0.84 and @mastra/core@1.35.0 types | Agent stream chunk and usage shapes | Current AI SDK docs list fullStream parts including text-delta, tool-call, tool-result, finish-step, and finish, with usage on step finish and total usage on finish. Current Mastra docs show agent.stream(...).fullStream yielding Mastra-wrapped chunks such as payload.text, payload.toolName, and payload.stepResult, while the output can also be transformed to AI SDK-compatible chunks. | Confirms AgentRun must accept both Mastra wrapper chunks and direct AI SDK chunk shapes, harvest usage from usage or totalUsage, and keep the Week 1 direct runCode scaffold limited to explicit smoke prompts so normal Week 3-4 Mastra tools can stream. |
2026-05-26 | Exa advanced search + Firecrawl official docs scrapes (docs.exa.ai, docs.firecrawl.dev, docs.fal.ai, elevenlabs.io, ai.google.dev, openrouter.ai, developers.llamaindex.ai) | BYOK provider validation endpoints | Current docs confirm provider auth and low-impact validation endpoints: Exa POST https://api.exa.ai/search with x-api-key, Firecrawl GET /v2/team/credit-usage with bearer auth, Fal GET /v1/models with Authorization: Key, ElevenLabs GET /v1/models with xi-api-key, Gemini GET /v1beta/models with API-key auth, OpenRouter GET /api/v1/key with bearer auth, and LlamaParse GET /api/v2/parse?page_size=1 with bearer auth. | Confirms gateway /v1/provider-keys should validate all user BYOK providers before Vault storage. Composio remains app-level OAuth integration credentials, not a user BYOK provider key. |
2026-05-26 | Context7 /exa-labs/exa-js, Firecrawl scrape of Exa Search API/coding-agent docs, npm registry | Exa JavaScript SDK + search API | Current npm latest is exa-js@2.13.0; the current Search API nests text/highlights/summary under contents, treats searchAndContents() as deprecated, and recommends non-deep search types auto, fast, and instant for agent content retrieval. Official docs say old neural mentions are legacy terminology; company/people categories reject date and excludeDomains filters. | Contradicts the prior exa-js@1.8.20 pin and old tool schema. Catalog/plan moved to 2.13.0; research tools now call search() with nested contents, reject legacy search types, and prevalidate category filter restrictions. |
2026-05-26 | Context7 Cloudflare Workers docs + Firecrawl search | Signed internal alert webhook | Cloudflare Workers docs show the current Web Crypto HMAC pattern for signed requests. Cloudflare account alert webhook documentation did not surface a guaranteed body-signing feature through docs search, so V1 keeps Cloudflare dashboard email as the human notification path and uses /internal/alert as a signed machine-readable endpoint for Analytics Engine watchdog/internal producers. | Confirms the webhooks Worker should verify x-cheatcode-alert-timestamp + x-cheatcode-alert-signature with INTERNAL_ALERT_WEBHOOK_SECRET and avoid adding a third-party notification vendor. |
2026-05-26 | Context7 /websites/developers_cloudflare_workers + installed @cloudflare/workers-types@4.20260520.1 and wrangler@4.93.0 schema | Cloudflare Workflows and Cron/Analytics Engine APIs | Current docs and local types confirm workflows: [{ name, binding, class_name }], env.WORKFLOW.create({ id, params, retention }), WorkflowEntrypoint.run(event, step), step.do(...) retries, cron scheduled(controller, env, ctx), Analytics Engine writeDataPoint, and Analytics Engine SQL only through Cloudflare's REST API. | Confirms webhook handlers should enqueue a Workflow after signature verification/dedup, and any Analytics Engine watchdog must call the Cloudflare REST SQL endpoint rather than trying to query through a dataset binding. |
2026-05-26 | Firecrawl scrape of official Cloudflare Analytics Engine Worker Querying and SQL Reference docs | Analytics Engine SQL response shape | Current docs recommend storing account ID as a Worker var and API token as a Worker secret, querying POST /client/v4/accounts/{account_id}/analytics_engine/sql with the SQL string body, and parsing default FORMAT JSON as { meta, data, rows }. | Confirms OpsMaintenanceWorkflow can run the watchdog from the webhooks Worker with CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_ANALYTICS_API_TOKEN, and signed /internal/alert posts. |
2026-05-26 | Firecrawl scrape of official Cloudflare Analytics Engine aggregate function docs | Analytics Engine watchdog aggregates | Current SQL aggregate docs support count(DISTINCT column_name), sum, countIf, sumIf, and quantileExactWeighted(q)(column, _sample_interval). | Confirms the watchdog can calculate cost-per-run baselines, failure ratios, webhook failure counts, and TTFT P95 directly in Analytics Engine SQL without adding another analytics vendor. |
2026-05-26 | Context7 /polarsource/polar-js + installed @polar-sh/sdk@0.46.4 types | Polar customer GDPR deletion | Current docs and pinned types expose polar.customers.deleteExternal({ externalId, anonymize }); the API deletes by external customer id, cancels active subscriptions, revokes benefits, and anonymize: true anonymizes PII for GDPR. | Confirms the Clerk user.deleted lifecycle can delete/anonymize Polar customers by internal v2_users.id without storing Polar-only IDs in the deletion manifest path. |
2026-05-26 | Context7 /websites/developers_cloudflare_workers | Worker-to-Worker lifecycle cleanup | Current Workers docs show services: [{ binding, service }] in Wrangler and support both HTTP env.SERVICE.fetch(...) and RPC service bindings for Worker-to-Worker calls; HTTP service binding fetch is valid for forwarding internal maintenance requests to existing Hono fetch handlers. | Confirms webhooks-worker can call HMAC-protected gateway/agent internal maintenance routes through Service Bindings for DSR cleanup while keeping public gateway routes protected. |
2026-05-26 | Context7 /websites/developers_cloudflare_r2 | Wrangler R2 audit archive upload/verify | Current Cloudflare R2 docs use wrangler r2 object put bucket/key --file <path> for uploads and wrangler r2 object get bucket/key --file <path> for downloads. | Confirms the admin audit archive script can upload gzipped partition exports to R2 and verify them byte-for-byte through the pinned Wrangler CLI without adding a new app dependency or giving Workers export/detach privileges. |
2026-05-26 | Context7 /llmstxt/blaxel_ai_llms-full_txt + installed @blaxel/core@0.2.84 types | Blaxel preview custom domains and private tokens | Current docs/types confirm previews support spec.customDomain, spec.prefixUrl, spec.public, and preview.tokens.create(expiresAt). Installed createIfNotExists returns an existing preview without reconciling changed specs. | Confirms ProjectSandbox.exposePort must pass verified production preview domains through to Blaxel, keep local hosts on generated Blaxel URLs, use tokenized private previews for takeover flows, and delete/recreate stale previews when port/public/domain/prefix settings drift. |
2026-05-27 | Context7 /mastra-ai/mastra + installed @mastra/core@1.35.0 types | Mastra dynamic instructions and request context | Current docs/types confirm an agent's instructions may be a function that receives requestContext, and agent.stream(...) can carry that request context through a run. | Confirms V2 should pass each project's masterInstructions through Mastra RequestContext and build the system prompt per run instead of relying on a static module-level prompt. |
2026-05-27 | Context7 /websites/hono_dev + installed hono@4.11.7 types | Hono secureHeaders middleware | Current docs and local types confirm secureHeaders({ contentSecurityPolicy, strictTransportSecurity, referrerPolicy, xFrameOptions }) with CSP directive arrays. | Confirms gateway can replace default security headers with the plan-required explicit CSP, HSTS, referrer policy, and frame denial while allowing inline style only for the built-in /docs HTML page. |
2026-05-27 | Context7 /vercel/ai, Context7 /mastra-ai/mastra, installed ai@6.0.84 + @mastra/core@1.35.0 types | Agent tool-loop step limit | Current AI SDK v6 docs prefer stopWhen with stepCountIs(n) for multi-step tool loops; Mastra 1.35 docs/types still accept both stopWhen and maxSteps, with maxSteps defaulting low for agent loops. | Confirms the main AgentRun stream should use the plan's 50-step budget through stopWhen: stepCountIs(50) and also set maxSteps: 50 for Mastra 1.35 compatibility, replacing the premature Week 1 cap of 6. |
2026-05-27 | Context7 /websites/developers_cloudflare_workers | Cloudflare standard Worker secrets vs Secrets Store bindings | Current Wrangler docs distinguish config-declared secrets_store_secrets from standard Worker secrets managed by wrangler secret put/list; wrangler secret put creates and deploys a new Worker version immediately, while wrangler versions secret put creates a version without immediate rollout for gradual/manual deploys. | Confirms BL_API_KEY, BL_WORKSPACE, BL_REGION, and OUTPUT_DOWNLOAD_SIGNING_SECRET should stay out of committed wrangler.jsonc vars and be synced with the standard Worker secret flow only after explicit production approval. |
2026-05-27 | Context7 /supabase/supabase | Supabase Vault cleanup for BYOK | Current Supabase Vault docs confirm vault.create_secret(secret, name, description) returns a secret UUID and decrypted values are read through vault.decrypted_secrets; vault.secrets is the encrypted backing table. | Confirms V2 BYOK rotation/deletion should keep metadata in v2_provider_keys but explicitly delete stale/current Vault secret rows from SECURITY DEFINER RPCs, because app table cascades do not clean Vault storage. |
2026-05-27 | Context7 /llmstxt/blaxel_ai_llms-full_txt | Blaxel sandbox region and deletion APIs | Current Blaxel docs show sandbox creation carrying region: "us-pdx-1" on SandboxInstance.create / createIfNotExists, while class-level cleanup is SandboxInstance.delete("sandbox-name") without a region argument. | Confirms ProjectSandbox must supply env.BL_REGION when creating hosted sandboxes, and the webhooks lifecycle fallback does not need a separate region input to delete known sandbox names. |
2026-05-27 | Context7 /polarsource/polar-js + local read-only Polar product inventory | Polar products and checkout product IDs | Current SDK docs use new Polar({ accessToken }), polar.products.list({ ... }) for paginated product inventory, product metadata, prices, and polar.checkoutLinks.create({ productPriceId }); product-id checkout models are deprecated. The local Polar account currently has products, but none include the V2-required metadata.tier. | Confirms V2 must not silently fall back to old/nonconforming products. The Billing panel now disables upgrade checkout when NEXT_PUBLIC_POLAR_PRO_MONTHLY_PRODUCT_ID is absent, and plan.md requires the configured product to carry tier=pro|team|enterprise. |
2026-05-27 | Context7 /exa-labs/exa-js + Exa advanced search of official docs | Exa category filter restrictions | Current official Exa docs confirm company category requests reject includeDomains, excludeDomains, and published/crawl date filters; people category is documented for public profile search without extra filters. | Confirms packages/tools-research must prevalidate domain and published-date filters for both company and people categories before calling exa.search(), avoiding avoidable 400s in research tools. |
2026-05-27 | Context7 /llmstxt/blaxel_ai_llms-full_txt + installed @blaxel/core@0.2.84 types | Blaxel persistent project volumes | Current Blaxel docs and SDK types expose VolumeInstance.createIfNotExists({ name, region, size, labels }) and sandbox creation with volumes: [{ name, mountPath, readOnly }]; volumes must live in the same region as the sandbox and survive sandbox deletion. | Confirms V2 should create one per-project volume (ccv-${sandboxId}) in BL_REGION, mount it read-write at /workspace, and delete it during user/project lifecycle cleanup after deleting the sandbox. |
2026-05-27 | Context7 /websites/ai-sdk_dev | AI SDK v6 React transport + stream resume | Current docs confirm useChat({ id, messages, resume, transport: new DefaultChatTransport(...) }), prepareSendMessagesRequest({ id, messages }), prepareReconnectToStreamRequest, and onData for incoming data-* UIMessage parts, including transient data not persisted in message history. | Confirms the web chat can keep direct DefaultChatTransport request customization for POST /v1/threads/:threadId/runs, bearer headers, per-send idempotency headers, and explicit resume URLs carrying the AgentRun lastSeq cursor. |
2026-05-27 | Context7 /browserbase/stagehand | Stagehand v3 persistent LOCAL browser driver | Current docs confirm new Stagehand({ env: "LOCAL", model, localBrowserLaunchOptions }), await stagehand.init(), persistent stagehand.context.pages()[0], and instance-level act(), observe(), and extract() calls. | Confirms the Blaxel sandbox should run one local-only Stagehand driver process per project sandbox instead of spawning a one-shot driver per browser tool call, preserving browser page state across browser_open → browser_act → browser_extract. |
2026-05-27 | Context7 /browserbase/stagehand | Stagehand v3 browser action signatures | Current docs show stagehand.act("instruction", { timeout }), stagehand.observe("instruction"), stagehand.extract("instruction", schema?, options?), Playwright page access through stagehand.context.pages()[0], and normal page.screenshot(...). | Confirms the persistent Blaxel browser driver is using the current v3 string-instruction API and the renamed timeout option rather than the old timeoutMs Stagehand option. |
2026-05-27 | Context7 /biomejs/biome + installed Biome 2.4.14 schema | Biome 2 shared configuration inheritance | Current docs confirm biome.jsonc may use "extends": ["./shared.jsonc"]; the installed schema also exposes root and documents that root defaults to true. | Confirms packages/biome-config/biome.jsonc can expose the workspace Biome config through extends and must set "root": false so Biome does not treat it as a nested project root. |
2026-05-28 | Context7 /websites/opennext_js | OpenNext Cloudflare cache Durable Objects | Current OpenNext Cloudflare docs still configure NEXT_CACHE_DO_QUEUE / DOQueueHandler, NEXT_TAG_CACHE_DO_SHARDED / DOShardedTagCache, and NEXT_CACHE_DO_PURGE / BucketCachePurge in wrangler.jsonc. The docs list the matching workerd warning as a known build/local-development warning that can be safely ignored because those internal cache DOs are not used during the build. | Confirms the current apps/web/wrangler.jsonc cache bindings should stay as planned; no dependency or config change is needed for the build warning. |
2026-05-28 | Context7 /blaxel-ai/docs + live Blaxel Worker QA | Blaxel persistent volume size | Current docs show VolumeInstance.createIfNotExists({ name, size, region, labels }) examples using 2048 MB volumes; live Worker QA rejected the earlier 10240 MB plan value with Volume size 10240MB exceeds maximum allowed size. | Confirms V2 should lock per-project Blaxel volumes to 2048 MB until quota verification explicitly revises the size. |
2026-05-28 | Live Blaxel Worker QA | Blaxel volume name limit | Live Worker QA rejected cc-vol-${sandboxId} because Blaxel enforces a 49-character metadata name maximum; V2 sandbox IDs are 43 characters, making the previous 50-character volume name invalid. | Confirms the volume prefix must be shortened to ccv-, keeping volume names at 47 characters while preserving the project-sandbox linkage. |
2026-05-28 | Context7 /blaxel-ai/docs + live Blaxel CLI/API check | Blaxel process stdout capture | Current docs and SDK types say sandbox.process.exec({ waitForCompletion: true }) returns process logs, stdout, and stderr. Live Blaxel CLI execution of python3 -c "print(2 + 2)" returned stdout: "4\n", while the Worker temp-file path completed with empty stdout. | Confirms ProjectSandbox.runCode() should execute Python and Node code directly with python3 -c / node --input-type=module -e so completed process stdout is surfaced to chat. |
2026-05-28 | Live Blaxel process list/log inspection | Blaxel immediate exec response vs retained process logs | The sandbox process list showed completed Worker-created processes with stdout: "4\n" even when the immediate Worker stream rendered empty stdout. | Confirms ProjectSandbox.exec() should fall back to sandbox.process.logs(processName, "stdout" | "stderr") after a completed process if the immediate exec response has no output. |
2026-05-28 | Context7 /opennextjs/opennextjs-cloudflare + Context7 /websites/developers_cloudflare_workers | OpenNext/Cloudflare environment variables | Current OpenNext docs use wrangler.jsonc as the Worker runtime binding surface, and current Cloudflare Workers docs say vars are runtime bindings while process.env is populated from Worker text bindings/secrets when nodejs_compat is active on current compatibility dates. Cloudflare also notes build-time variables and runtime variables are separate surfaces. | Confirms production web deploy must provide public Clerk/Polar values to the OpenNext build and the centralized @cheatcode/env/web public reads should use static process.env.NEXT_PUBLIC_* property access so Next/OpenNext bundling can inline public envs when possible while Cloudflare runtime bindings remain the fallback. |
2026-05-28 | Context7 /t3-oss/t3-env | Next.js client env access with @t3-oss/env-nextjs | Current docs say server variables throw when accessed on the client, client variables must be NEXT_PUBLIC_*, and Next.js 13.4.4+ setups should use experimental__runtimeEnv with only client/shared destructured values for client bundles. | Confirms @cheatcode/env/web should be public-web-only; server-only web secrets stay out of that module so client components do not trip t3-env's server-variable guard. |
2026-05-28 | Context7 /vercel/next.js/v16.2.2 | Next.js 16 Cache Components route params and search params | Current docs require Client Components using useSearchParams() to live under a Suspense boundary during prerendering; dynamic route params are Promise-based, and fixed params can be declared through generateStaticParams(). | Confirms Settings should predeclare its fixed optional catch-all sections, pass the resolved section into the client component, and keep only sidebar/header URL consumers under narrow Suspense boundaries so Settings content stays visible without a root fallback. |
2026-05-28 | Context7 /llmstxt/blaxel_ai_llms-full_txt + Blaxel CLI 0.1.94 live workspace inspection | Blaxel sandbox lifecycle and cleanup | Current docs use SandboxInstance.createIfNotExists({ name, image, memory, region, ports, volumes, lifecycle }), sandbox.previews.createIfNotExists(...), preview.tokens.create(expiresAt), CLI bl get sandboxes -o table, bl get sandbox <name> process, bl logs sandbox <name>, and bl delete sandbox <name>. Live CLI inspection showed many deployed cc-* sandboxes in workspace cheatcode, while the UI run failed earlier at Cheatcode's own entitlement guard with maxConcurrentSandboxes=1 before sandbox creation. | Confirms the product code should keep idempotent per-project sandbox creation and explicit delete paths, but local/manual Blaxel resource cleanup is a destructive external action requiring user approval; the immediate UI failure is an entitlement/project-state issue rather than an SDK create API issue. |
2026-05-28 | Context7 /vercel/next.js/v16.2.2 | Next.js 16 Cache Components request data in routes | Current docs state components that access runtime/request data such as cookies or headers must be wrapped in a <Suspense> boundary when Cache Components are enabled, otherwise builds fail with Uncached data was accessed outside of <Suspense>. | Confirms the homepage should keep the static shell outside Suspense and move Clerk currentUser() into a small async header component inside a narrow Suspense boundary. |

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Research Log

FilesExpand file tree

research-log.md

Latest commit

History

research-log.md

File metadata and controls

Research Log