Captures the v6 rebrand plan: dual-support strategy for wire identifiers
(HTTP headers, cookies, JWT issuers, Bearer prefix, OAuth state),
SDK alias re-exports, npm dual-publish via rewrite-then-republish,
Swift split into separate StackAuth/Hexclave packages, env var taxonomy,
verification matrix, and 2-PR rollout.

…n rebrand plan

Addresses review gaps in the Hexclave rename plan:
- Storage keys: add the missed localStorage keys `_STACK_AUTH.lastUsed`,
  `stack:session-replay:v1:*`, `__stack-dev-tool-state`, and
  `stack-devtool-trigger-position`, with per-key compat risk notes.
- Query parameters: new Tier 0 category — `stack_response_mode`, the four
  `stack_cross_domain_*` handoff params, and `stack-init-id` are
  wire-compat-sensitive and were previously uncovered.
- Custom DOM events: `stack-platform-change` / `stack-framework-change`.
- Dev tool: dev-tool-core.ts is its own brand surface (storage keys,
  header-emit site, DOM identifiers, brand strings).

- Tier 1: internal-only symbols (SDK interfaces, StackAssertionError)
  renamed outright with no alias; user-facing symbols keep aliases
- Tier 2: @hexclave/* starts at 1.0.0, lockstep versioning; add
  npm deprecate + runtime warn for old packages; drop @hexclave/init
- Env vars: all categories dual-read (incl. operator/internal);
  NEXT_PUBLIC_STACK_PORT_PREFIX renamed outright
- Emails: noreply moves to sent-with-hexclave.com sending domain
- CHIPS test cookies out of scope (unused feature)
- Rollout split into 3 PRs: invisible compat layer, visible rebrand,
  far-future fallback removal

- Add "PR 1 implementation guide" section resolving every open item
  with concrete file:line references and chosen approach per work-area
- Correction: Bearer stackauth_ prefix is SDK-internal, never parsed by
  the backend (was wrongly listed as a backend wire identifier)
- Request headers: normalize at the existing empty proxy.tsx:114 hook
  (no readDualHeader helper, no per-route schema edits)
- Env vars: hybrid dual-read (central getEnvVariable transform + two
  client files + per-site tail)
- Symbol.for: four symbols, not three; only one needs dual-attach
- Query params: add the two nested cross-domain params

Grep confirms x-stack-auth has zero references in apps/backend and
packages/stack-shared. It is produced by the deprecated getAuthHeaders()/
useAuthHeaders() SDK methods and consumed by the SDK tokenStore parser
(client-app-impl.ts) — the Stack backend never parses it. Reframed from
"backend read-only wire identifier" to "SDK-internal legacy identifier",
corrected the false "no current writer" claim, and resolved the open
verification item.