Merge branch 'feat/impeccable-remediation' into codex-merge-cleanup

# Conflicts:
#	apps/web/app/components/guest/SignupPromptModal.tsx
#	apps/web/app/page.tsx
#	apps/web/app/providers.tsx
#	apps/web/app/try/page.tsx
#	apps/web/tests/components/guest/SignupPromptModal.test.tsx

Author: hollandkevint

AGENTS.md

@@ -0,0 +1,91 @@
+# AGENTS.md
+
+*Last Updated: 2026-03-26*
+
+## Project Context
+**ThinkHaven** - Decision accelerator for structured AI sessions
+- **Tech Stack**: Next.js 15.5, React 19, TypeScript, Supabase, Stripe, Anthropic Codex
+- **Architecture**: Monorepo with Next.js app in `apps/web/`
+- **Deployment**: Vercel project `thinkhaven` (https://thinkhaven.co)
+
+## Essential Commands
+
+All commands run from `apps/web/`:
+```bash
+npm run dev              # Dev server (localhost:3000, Turbopack)
+npm run build            # Production build
+npm run lint             # ESLint
+npm test                 # Unit tests (Vitest, watch mode)
+npm run test:run         # Unit tests (once)
+npm run test:e2e         # E2E tests (Playwright, 7 smoke tests)
+npm run test:prod        # Smoke tests against production (15 tests)
+```
+
+Migrations: `apps/web/supabase/migrations/` (001 → 017, sequential, never skip)
+
+## Route Architecture
+
+**Protected** (`/app/*` - requires auth):
+- `/app` - Dashboard
+- `/app/new` - New session
+- `/app/session/[id]` - Active session workspace
+- `/app/account` - Account settings
+
+**Public**: `/` (landing), `/try` (guest, 10 msg limit), `/demo`, `/assessment`
+
+**Legacy redirects**: `/dashboard` → `/app`, `/bmad` → `/app/new`, `/workspace/[id]` → `/app/session/[id]`, `/account` → `/app/account`
+
+## Environment Variables
+
+See `.env.example`. Required: `NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY`, `ANTHROPIC_API_KEY`, `STRIPE_SECRET_KEY`, `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY`, `STRIPE_WEBHOOK_SECRET`, `NEXT_PUBLIC_APP_URL`
+
+## Testing
+
+- Unit tests: `**/*.test.{ts,tsx}`, setup in `tests/setup.ts`
+- E2E: `tests/e2e/smoke/health.spec.ts` - 7 public route smoke tests, all passing in CI
+- Prod: `tests/e2e/smoke/beta-checklist.spec.ts` - 9 production verification tests (`npm run test:prod`)
+- Config: `vitest.config.ts`, `playwright.config.ts`, `playwright.prod.config.ts` (production)
+- 45/71 unit test files fail (pre-existing, not regressions). mary-persona: 67/67 pass.
+
+## Configuration
+
+- `next.config.ts` - Next.js config
+- `tailwind.config.cjs` - Tailwind (CommonJS format)
+- `eslint.config.mjs` - Linting rules
+
+## Common Pitfalls
+
+1. **Middleware active** (`middleware.ts`) - Validates JWTs via `supabase.auth.getUser()` and refreshes tokens. Runs in Edge Runtime; avoid Node-only APIs in middleware context.
+2. **Credit deduction** - ALWAYS use `deduct_credit_transaction()` for atomicity, never manual UPDATE
+3. **File-system routing** - Every route needs a `page.tsx` file
+4. **Migration order** - Sequential (001 → 017), never skip
+5. **Stripe webhooks** - Verify signatures with `stripe-service.ts.constructWebhookEvent()`
+6. **Tldraw v4** - Use `getSnapshot(store)` / `loadSnapshot(store, data)`, NOT instance methods
+7. **Agentic tool loop** - Max 5 rounds per message (`MAX_TOOL_ROUNDS` in `/api/chat/stream/route.ts`)
+8. **Tool results** - Use `ToolExecutor.formatResultsForClaude()` for Codex's expected `tool_result` format
+9. **Session ops** - Use `session-primitives.ts` functions, not direct Supabase calls
+10. **Supabase server client** - `createClient()` returns null when env vars missing; callers must null-check
+11. **Next.js env files** - Only reads `.env`, `.env.local`, `.env.production` (NOT `.env.test`)
+12. **SSG safety** - `lib/supabase/client.ts` exports a no-op Proxy for SSG; use for client components
+13. **Monorepo git paths** - Always use absolute paths or run git commands from repo root, not `apps/web/`
+14. **Codex Review CI** - `anthropics/Codex-action@v1` has known SDK crash (issue #911). `continue-on-error: true` is set. Job may show failed but workflow passes.
+15. **Never use `text-secondary` for text** - shadcn maps `--secondary` to parchment (a background color), producing invisible text on cream/parchment. Use `text-muted-foreground` (slate-blue) for secondary text, or `text-ink-light` for warm secondary text.
+16. **Hooks must re-throw or return errors** - If a hook catches an error and only sets state, callers can't detect failure. Always re-throw after setting error state, or return a success/failure indicator. Silent swallowing creates impossible UI states.
+17. **IDOR checks on every session-scoped handler** - When adding ownership verification to API routes, audit ALL handlers in the file, not just the ones that triggered the fix. Partial coverage is worse than none (false sense of security).
+18. **React ErrorBoundaries don't catch event handlers** - Errors in `onClick`, `onSubmit`, etc. are not caught by ErrorBoundary. Wrap event handler bodies in try/catch or use error state for recovery.
+19. **Design system source of truth** - The actual design system lives in `globals.css` (CSS variables, component classes) and `tailwind.config.cjs` (Tailwind tokens). Do NOT trust `docs/design/MASTER.md` if it reappears — it's auto-generated by ui-ux-pro-max with wrong colors/fonts.
+20. **Rate limiting** - Use `RateLimiter.createLimitResponse(resetTime)` from `lib/security/rate-limiter.ts` for 429 responses. Never hand-roll the response. Admin bypass check (`isAdminEmail`) must run BEFORE rate limit check so admins aren't blocked.
+21. **Lazy module-level init for env vars** - Never use IIFEs or top-level `const x = fn()` that reads env vars at import time. Vercel builds don't have runtime env vars, causing build crashes. Use lazy getter functions instead (see `getAppUrl()` in `stripe-service.ts`).
+22. **Branded error pages exist** - `app/error.tsx` (runtime errors) and `app/not-found.tsx` (404s) are in place. Use them as patterns for sub-route-group error handling. Both use the design system (cream/terracotta/ink).
+23. **In-memory rate limiter is per-instance** - `RateLimiter` uses a static Map, so state isn't shared across Vercel serverless instances. Acceptable for beta; needs Redis/database-backed solution at scale.
+24. **Client components cannot import server-only modules** - `'use client'` files cannot transitively import modules that use `next/headers` or other server-only APIs. `session-primitives.ts` imports `supabase/server.ts`, so client components must not import from it. Shared types/constants go in a separate client-safe file (e.g., `pathway-labels.ts`). This broke a Vercel build.
+25. **Heavy libraries must be dynamically imported** - Mermaid (~250KB gzip), Excalidraw (~500KB), and similar large packages must use `next/dynamic` with `ssr: false`. Never import at module scope in components rendered on every page. Gate behind user action or lazy-load on first use.
+26. **Sanitize dangerouslySetInnerHTML from third-party libs** - Any `dangerouslySetInnerHTML` with output from mermaid, markdown renderers, or similar must be sanitized with DOMPurify. Mermaid's `securityLevel: 'strict'` has had bypasses (CVE-2023-20052). Defense in depth.
+27. **Radix Dialog for all new modals** - Hand-rolled modals lack focus trap, Escape handling, and aria-modal. `@radix-ui/react-dialog` is installed. Use it for all new modals. Existing hand-rolled modals (SignupPromptModal, ExportDialog, BranchDialog) are tracked for migration.
+
+## Production Deployment
+
+- **Vercel**: Auto-deploys on push to main
+- **Manual**: `cd apps/web && vercel --prod`
+- **Env vars**: Set via Vercel dashboard (Settings -> Environment Variables)
+- **URL**: https://thinkhaven.co