From 08827bd4b5b60ffe12f8e1a0361e33ca8ce737cf Mon Sep 17 00:00:00 2001
From: George Djabarov <39195835+djabarovgeorge@users.noreply.github.com>
Date: Mon, 16 Feb 2026 16:38:19 +0200
Subject: [PATCH 1/2] feat(api-service): monthly usage digest email fixes
NV-6933 (#10042)
---
.agents/skills/email-best-practices/SKILL.md | 59 +
.../resources/branding.md | 5 +
.../resources/compliance.md | 107 ++
.../resources/deliverability.md | 117 ++
.../resources/email-capture.md | 128 ++
.../resources/email-types.md | 173 +++
.../resources/list-management.md | 157 +++
.../resources/marketing-emails.md | 115 ++
.../resources/sending-reliability.md | 155 +++
.../resources/transactional-email-catalog.md | 418 ++++++
.../resources/transactional-emails.md | 92 ++
.../resources/webhooks-events.md | 167 +++
.agents/skills/react-email/SKILL.md | 518 ++++++++
.agents/skills/react-email/TESTS.md | 878 +++++++++++++
.../react-email/references/COMPONENTS.md | 429 ++++++
.agents/skills/react-email/references/I18N.md | 657 ++++++++++
.../skills/react-email/references/PATTERNS.md | 713 ++++++++++
.../skills/react-email/references/SENDING.md | 115 ++
.../skills/react-email/references/STYLING.md | 302 +++++
.cspell.json | 4 +-
.source | 2 +-
apps/api/src/app.module.ts | 4 +-
.../rate-limiting/guards/throttler.guard.ts | 17 +-
.../public/images/report-emails/bell.svg | 3 +
.../public/images/report-emails/calendar.svg | 3 +
.../public/images/report-emails/chat.svg | 3 +
.../public/images/report-emails/email.svg | 3 +
.../images/report-emails/linkedin-dot.svg | 3 +
.../public/images/report-emails/push.svg | 5 +
.../public/images/report-emails/sms.svg | 3 +
.../images/report-emails/trend-down.svg | 3 +
.../public/images/report-emails/trend-up.svg | 3 +
.../images/report-emails/winding-arrow.svg | 3 +
.../public/images/report-emails/x-dot.svg | 4 +
.../images/report-emails/youtube-dot.svg | 4 +
enterprise/packages/billing/package.json | 1 +
.../src/modules/cron.module.ts | 6 +-
.../src/services/analytic-logs/index.ts | 1 +
.../trace-log/trace-log.repository.ts | 149 +++
.../trace-log/trace-log.schema.ts | 9 +-
.../workflow-run-count.repository.ts | 182 ++-
.../workflow-run-count.schema.ts | 28 +-
.../workflow-run/workflow-run.repository.ts | 59 -
.../execute-bridge-request.usecase.ts | 19 +-
.../repositories/member/member.repository.ts | 2 +-
.../organization/organization.repository.ts | 2 +-
libs/notifications/package.json | 1 +
libs/notifications/src/index.ts | 2 +
.../src/workflows/usage-report/email.tsx | 1159 +++++++++++++++++
.../src/workflows/usage-report/schemas.ts | 45 +
.../usage-report/usage-report.workflow.ts | 37 +
.../framework/src/constants/cron.constants.ts | 1 +
packages/shared/src/config/job-queue.ts | 1 +
packages/shared/src/types/cron.ts | 2 +
packages/shared/src/types/feature-flags.ts | 4 +
pnpm-lock.yaml | 75 +-
56 files changed, 6994 insertions(+), 163 deletions(-)
create mode 100644 .agents/skills/email-best-practices/SKILL.md
create mode 100644 .agents/skills/email-best-practices/resources/branding.md
create mode 100644 .agents/skills/email-best-practices/resources/compliance.md
create mode 100644 .agents/skills/email-best-practices/resources/deliverability.md
create mode 100644 .agents/skills/email-best-practices/resources/email-capture.md
create mode 100644 .agents/skills/email-best-practices/resources/email-types.md
create mode 100644 .agents/skills/email-best-practices/resources/list-management.md
create mode 100644 .agents/skills/email-best-practices/resources/marketing-emails.md
create mode 100644 .agents/skills/email-best-practices/resources/sending-reliability.md
create mode 100644 .agents/skills/email-best-practices/resources/transactional-email-catalog.md
create mode 100644 .agents/skills/email-best-practices/resources/transactional-emails.md
create mode 100644 .agents/skills/email-best-practices/resources/webhooks-events.md
create mode 100644 .agents/skills/react-email/SKILL.md
create mode 100644 .agents/skills/react-email/TESTS.md
create mode 100644 .agents/skills/react-email/references/COMPONENTS.md
create mode 100644 .agents/skills/react-email/references/I18N.md
create mode 100644 .agents/skills/react-email/references/PATTERNS.md
create mode 100644 .agents/skills/react-email/references/SENDING.md
create mode 100644 .agents/skills/react-email/references/STYLING.md
create mode 100644 apps/dashboard/public/images/report-emails/bell.svg
create mode 100644 apps/dashboard/public/images/report-emails/calendar.svg
create mode 100644 apps/dashboard/public/images/report-emails/chat.svg
create mode 100644 apps/dashboard/public/images/report-emails/email.svg
create mode 100644 apps/dashboard/public/images/report-emails/linkedin-dot.svg
create mode 100644 apps/dashboard/public/images/report-emails/push.svg
create mode 100644 apps/dashboard/public/images/report-emails/sms.svg
create mode 100644 apps/dashboard/public/images/report-emails/trend-down.svg
create mode 100644 apps/dashboard/public/images/report-emails/trend-up.svg
create mode 100644 apps/dashboard/public/images/report-emails/winding-arrow.svg
create mode 100644 apps/dashboard/public/images/report-emails/x-dot.svg
create mode 100644 apps/dashboard/public/images/report-emails/youtube-dot.svg
create mode 100644 libs/notifications/src/workflows/usage-report/email.tsx
create mode 100644 libs/notifications/src/workflows/usage-report/schemas.ts
create mode 100644 libs/notifications/src/workflows/usage-report/usage-report.workflow.ts
diff --git a/.agents/skills/email-best-practices/SKILL.md b/.agents/skills/email-best-practices/SKILL.md
new file mode 100644
index 00000000000..4314e9a0946
--- /dev/null
+++ b/.agents/skills/email-best-practices/SKILL.md
@@ -0,0 +1,59 @@
+---
+name: email-best-practices
+description: Use when building email features, emails going to spam, high bounce rates, setting up SPF/DKIM/DMARC authentication, implementing email capture, ensuring compliance (CAN-SPAM, GDPR, CASL), handling webhooks, retry logic, or deciding transactional vs marketing.
+---
+
+# Email Best Practices
+
+Guidance for building deliverable, compliant, user-friendly emails.
+
+## Architecture Overview
+
+```
+[User] → [Email Form] → [Validation] → [Double Opt-In]
+ ↓
+ [Consent Recorded]
+ ↓
+[Suppression Check] ←──────────────[Ready to Send]
+ ↓
+[Idempotent Send + Retry] ──────→ [Email API]
+ ↓
+ [Webhook Events]
+ ↓
+ ┌────────┬────────┬─────────────┐
+ ↓ ↓ ↓ ↓
+ Delivered Bounced Complained Opened/Clicked
+ ↓ ↓
+ [Suppression List Updated]
+ ↓
+ [List Hygiene Jobs]
+```
+
+## Quick Reference
+
+| Need to... | See |
+|------------|-----|
+| Set up SPF/DKIM/DMARC, fix spam issues | [Deliverability](./resources/deliverability.md) |
+| Build password reset, OTP, confirmations | [Transactional Emails](./resources/transactional-emails.md) |
+| Plan which emails your app needs | [Transactional Email Catalog](./resources/transactional-email-catalog.md) |
+| Build newsletter signup, validate emails | [Email Capture](./resources/email-capture.md) |
+| Send newsletters, promotions | [Marketing Emails](./resources/marketing-emails.md) |
+| Ensure CAN-SPAM/GDPR/CASL compliance | [Compliance](./resources/compliance.md) |
+| Decide transactional vs marketing | [Email Types](./resources/email-types.md) |
+| Handle retries, idempotency, errors | [Sending Reliability](./resources/sending-reliability.md) |
+| Process delivery events, set up webhooks | [Webhooks & Events](./resources/webhooks-events.md) |
+| Manage bounces, complaints, suppression | [List Management](./resources/list-management.md) |
+
+## Start Here
+
+**New app?**
+Start with the [Catalog](./resources/transactional-email-catalog.md) to plan which emails your app needs (password reset, verification, etc.), then set up [Deliverability](./resources/deliverability.md) (DNS authentication) before sending your first email.
+
+**Spam issues?**
+Check [Deliverability](./resources/deliverability.md) first—authentication problems are the most common cause. Gmail/Yahoo reject unauthenticated emails.
+
+**Marketing emails?**
+Follow this path: [Email Capture](./resources/email-capture.md) (collect consent) → [Compliance](./resources/compliance.md) (legal requirements) → [Marketing Emails](./resources/marketing-emails.md) (best practices).
+
+**Production-ready sending?**
+Add reliability: [Sending Reliability](./resources/sending-reliability.md) (retry + idempotency) → [Webhooks & Events](./resources/webhooks-events.md) (track delivery) → [List Management](./resources/list-management.md) (handle bounces).
diff --git a/.agents/skills/email-best-practices/resources/branding.md b/.agents/skills/email-best-practices/resources/branding.md
new file mode 100644
index 00000000000..359057489d9
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/branding.md
@@ -0,0 +1,5 @@
+# Email Branding
+
+## BIMI (Optional)
+
+Display brand logo in email clients. Requires DMARC `p=quarantine` or `p=reject`.
\ No newline at end of file
diff --git a/.agents/skills/email-best-practices/resources/compliance.md b/.agents/skills/email-best-practices/resources/compliance.md
new file mode 100644
index 00000000000..48527b05cc7
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/compliance.md
@@ -0,0 +1,107 @@
+# Email Compliance
+
+Legal requirements for email by jurisdiction. **Not legal advice—consult an attorney for your specific situation.**
+
+## Quick Reference
+
+| Law | Region | Key Requirement | Penalty |
+|-----|--------|-----------------|---------|
+| CAN-SPAM | US | Opt-out mechanism, physical address | $53k/email |
+| GDPR | EU | Explicit opt-in consent | €20M or 4% revenue |
+| CASL | Canada | Express consent, opt-out mechanism | $1M (individual) to $10M (organization) CAD |
+
+## CAN-SPAM (United States)
+
+**Requirements:**
+- Accurate header info (From, To, Reply-To)
+- Non-deceptive subject lines
+- Physical mailing address in every email
+- Clear opt-out mechanism
+- Honor opt-out within 10 business days
+
+**Transactional emails:** Can send without opt-in if related to a transaction and not promotional.
+
+## GDPR (European Union)
+
+**Requirements:**
+- Explicit opt-in consent (not pre-checked boxes)
+- Consent must be freely given, specific, informed
+- Easy to withdraw consent (as easy as giving it)
+- Right to access data and deletion ("right to be forgotten")
+- Process unsubscribe immediately
+
+**Consent records:** Document who, when, how, and what they consented to.
+
+**Transactional emails:** Can send based on contract fulfillment or legitimate interest.
+
+## CASL (Canada)
+
+**Consent types:**
+- **Express consent:** Explicit opt-in (ideal)
+- **Implied consent:** Existing business relationship (2 years) or inquiry (6 months)
+
+**Requirements:**
+- Clear sender identification that will be valid for 60 days after send
+- Unsubscribe functional for 60 days after send
+- Process unsubscribe no later than 10 business days
+- Keep consent records 3 years after expiration
+
+## Other Regions
+
+| Region | Law | Key Points |
+|--------|-----|------------|
+| Australia | Spam Act 2003 | Consent required, honor unsubscribe within 5 days |
+| UK | PECR + GDPR | Same as GDPR |
+| Brazil | LGPD | Similar to GDPR, explicit consent for marketing |
+
+## Unsubscribe Requirements Summary
+
+| Law | Timing | Notes |
+|-----|--------|-------|
+| CAN-SPAM | 10 business days | Must work 30 days after send |
+| GDPR | Immediately | Must be as easy as opting in |
+| CASL | 10 business days | Must work 60 days after send |
+
+**Universal best practices:** Prominent link, one-click when possible, no login required, free, confirm action.
+
+## Managing preferences vs Unsubscribe from all
+
+Most legistlations require a one-click unsubscribe. `Managing preferences` is a nice-to-have and can lead to lower unsubscribe rate but doesn't replace `Unsubscribe`. If possible, offer both.
+
+## Consent Management
+
+**Record:**
+- Email address
+- Date/time of consent
+- Method (form, checkbox)
+- What they consented to
+- Source (which page/form)
+
+**Storage:** Database with timestamps, audit trail of changes, link to user account.
+
+## Data Retention
+
+| Law | Requirement |
+|-----|-------------|
+| GDPR | Keep only as long as necessary, delete when no longer needed |
+| CASL | Keep consent records 3 years after expiration |
+
+**Best practice:** Have clear retention policy, honor deletion requests promptly, review and clean regularly.
+
+## Privacy Policy Must Include
+
+- What data you collect
+- How you use data
+- Who you share data with
+- User rights (access, deletion)
+- How to contact about privacy
+
+## International Sending
+
+**Best practice:** Follow the most restrictive requirements (usually GDPR) to ensure compliance across all regions.
+
+## Related
+
+- [Email Capture](./email-capture.md) - Implement consent forms and double opt-in
+- [Marketing Emails](./marketing-emails.md) - Consent and unsubscribe requirements
+- [List Management](./list-management.md) - Handle unsubscribes and deletion requests
diff --git a/.agents/skills/email-best-practices/resources/deliverability.md b/.agents/skills/email-best-practices/resources/deliverability.md
new file mode 100644
index 00000000000..8853443ecee
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/deliverability.md
@@ -0,0 +1,117 @@
+# Email Deliverability
+
+Maximizing the chances that your emails are delivered successfully to the recipients.
+
+## Email Authentication
+
+**Required by Gmail/Yahoo/Microsoft** - unauthenticated emails will be rejected or spam-filtered.
+
+### SPF (Sender Policy Framework)
+
+Specifies which servers can send email for your domain.
+
+```
+v=spf1 include:amazonses.com ~all
+```
+
+- Add TXT record to DNS
+- Use `~all` (soft fail)
+
+### DKIM (DomainKeys Identified Mail)
+
+Cryptographic signature proving email authenticity.
+
+- Your email service will provide you with a TXT record
+
+### DMARC
+
+Policy for handling SPF/DKIM failures + reporting.
+
+```
+v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
+```
+
+**Rollout:** `p=none` (monitor) → `p=quarantine; pct=25` → `p=reject`
+
+Learn more: https://resend.com/blog/dmarc-policy-modes
+
+### Verify Your Setup
+
+Check DNS records directly:
+
+```bash
+# SPF record
+dig TXT yourdomain.com +short
+
+# DKIM record (replace 'resend' with your selector)
+dig TXT resend._domainkey.yourdomain.com +short
+
+# DMARC record
+dig TXT _dmarc.yourdomain.com +short
+```
+
+**Expected output:** Each command should return your configured record. No output = record missing.
+
+## Sender Reputation
+
+### IP Warming
+
+New IP/domain? Gradually increase volume:
+
+| Week | Daily Volume |
+|------|-------------|
+| 1 | 50-100 |
+| 2 | 200-500 |
+| 3 | 1,000-2,000 |
+| 4 | 5,000-10,000 |
+
+Start with engaged users. Send consistently. Don't rush.
+
+Learn more: https://resend.com/docs/knowledge-base/warming-up
+
+### Maintaining Reputation
+
+**Do:** Send to engaged users, keep bounce <4%, complaints <0.1%, remove inactive subscribers.
+
+**Don't:** Send to purchased lists, ignore bounces/complaints, send inconsistent volumes
+
+## Bounce Handling
+
+| Type | Cause | Action |
+|------|-------|--------|
+| Hard bounce | Permanent failure to deliver | Remove immediately |
+| Soft bounce | Transient failure to deliver | Retry: 1h → 4h → 24h, remove after 3-5 failures |
+
+**Targets:** <1% good, 1-3% acceptable, 3-4% concerning, >4% critical
+
+## Complaint Handling
+
+**Targets:** <0.01% excellent, 0.01-0.05% good, >0.05% critical
+
+**Reduce complaints:**
+- Only send to opted-in users
+- Make unsubscribe easy and immediate
+- Use clear sender names and "From" addresses
+
+**Feedback loops:** Set up with Gmail (Postmaster Tools), Yahoo, Microsoft SNDS. Remove complainers immediately.
+
+## Infrastructure
+
+**Dedicated sending domain:** Use different subdomains for different sending purposes (e.g., `t.yourdomain.com` for transactional emails and `m.yourdomain.com` for marketing emails).
+
+**DNS TTL:** Low (300s) during setup, high (3600s+) after stable.
+
+## Troubleshooting
+
+**Emails going to spam?** Check in order:
+1. Authentication (SPF, DKIM, DMARC)
+2. Sender reputation (blacklists, complaint rates)
+3. Content
+4. Sending patterns (sudden volume spikes)
+
+**Diagnostic tools:** [Google Postmaster Tools](https://postmaster.google.com)
+
+## Related
+
+- [List Management](./list-management.md) - Handle bounces and complaints to protect reputation
+- [Sending Reliability](./sending-reliability.md) - Retry logic and error handling
diff --git a/.agents/skills/email-best-practices/resources/email-capture.md b/.agents/skills/email-best-practices/resources/email-capture.md
new file mode 100644
index 00000000000..efdbc3cb473
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/email-capture.md
@@ -0,0 +1,128 @@
+# Email Capture Best Practices
+
+Collecting email addresses responsibly with validation, verification, and proper consent.
+
+## Email Validation
+
+### Client-Side
+
+**HTML5:**
+```html
+
+```
+
+**Best practices:**
+- Validate on blur or with short debounce
+- Show clear error messages
+- Don't be too strict (allow unusual but valid formats)
+- Client-side validation ≠ deliverability
+
+### Server-Side (Recommended)
+
+Always validate server-side—client-side can be bypassed.
+
+**Check:**
+- Email format (RFC 5322)
+- Domain exists (DNS lookup)
+- Domain has MX records
+- Optionally: disposable email detection
+
+Recommended tools: https://resend.com/blog/best-email-verification-apis
+
+## Double opt-in
+
+Confirms address belongs to user and is deliverable.
+
+### Process
+
+1. User submits email
+2. Send verification email with unique link/token
+3. User clicks link
+4. Mark as verified
+5. Allow access/add to list
+
+**Timing:** Send immediately, include expiration (24-48 hours), allow resend after 60 seconds, limit resend attempts (3/hour).
+
+### Single vs Double Opt-In
+
+| | Single Opt-In | Double Opt-In |
+|--|---------------|---------------|
+| **Process** | Add to list immediately | Require email confirmation first |
+| **Pros** | Lower friction, faster growth | Verified addresses, better engagement, meets GDPR/CASL |
+| **Cons** | Higher invalid rate, lower engagement | Some users don't confirm |
+| **Use for** | Account creation, transactional | Marketing lists, newsletters |
+
+**Recommendation:** Double opt-in for all marketing emails.
+
+## Form Design
+
+### Email Input
+
+- Use `type="email"` for mobile keyboard
+- Include placeholder ("you@example.com")
+- Clear error messages ("Please enter a valid email address" not "Invalid")
+
+### Consent Checkboxes (Marketing)
+
+- **Unchecked by default** (required)
+- Specific language about what they're signing up for
+- Separate checkboxes for different email types
+- Link to privacy policy
+
+```
+☐ Subscribe to our weekly newsletter with product updates
+☐ Send me promotional offers and deals
+```
+
+**Don't:** Pre-check boxes, use vague language, hide in terms.
+
+### Form Layout
+
+- Keep simple and focused
+- One primary action
+- Clear value proposition
+- Mobile-friendly
+- Accessible (labels, ARIA)
+
+## Error Handling
+
+### Invalid Email
+
+- Show clear error message
+- Suggest corrections for common typos (@gmial.com → @gmail.com)
+- Allow user to fix and resubmit
+
+### Already Registered
+
+- Accounts: "This email is already registered. [Sign in]"
+- Marketing: "You're already subscribed! [Manage preferences]"
+- Don't reveal if account exists (security)
+
+### Rate Limiting
+
+- Limit verification emails (3/hour per email)
+- Rate limit form submissions
+- Use CAPTCHA sparingly if needed
+- Monitor for abuse patterns
+
+## Verification Emails
+
+**Content:**
+- Clear purpose ("Verify your email address")
+- Prominent verification button
+- Expiration time
+- Resend option
+- "I didn't request this" notice
+
+**Design:**
+- Mobile-friendly
+- Large, tappable button
+- Clear call-to-action
+
+See [Transactional Emails](./transactional-emails.md) for detailed email design guidance.
+
+## Related
+
+- [Compliance](./compliance.md) - Legal requirements for consent (GDPR, CASL)
+- [Marketing Emails](./marketing-emails.md) - What happens after capture
+- [Deliverability](./deliverability.md) - How validation improves sender reputation
diff --git a/.agents/skills/email-best-practices/resources/email-types.md b/.agents/skills/email-best-practices/resources/email-types.md
new file mode 100644
index 00000000000..b47356f449d
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/email-types.md
@@ -0,0 +1,173 @@
+# Email Types: Transactional vs Marketing
+
+Understanding the difference between transactional and marketing emails is crucial for compliance, deliverability, and user experience. This guide explains the distinctions and provides a catalog of transactional emails your app should include.
+
+## When to Use This
+
+- Deciding whether an email should be transactional or marketing
+- Understanding legal distinctions between email types
+- Planning what transactional emails your app needs
+- Ensuring compliance with email regulations
+- Setting up separate sending infrastructure
+
+## Transactional vs Marketing: Key Differences
+
+### Transactional Emails
+
+**Definition:** Emails that facilitate or confirm a transaction the user initiated or expects. They're directly related to an action the user took or are legal notices you're required to serve.
+
+**Characteristics:**
+- User-initiated or expected
+- Time-sensitive and actionable
+- Required for the user to complete an action
+- Does not include promotional material or offers
+- Can be sent without explicit opt-in (with limitations)
+
+**Examples:**
+- Password reset links
+- Order confirmations
+- Account verification
+- OTP/2FA codes
+- Shipping notifications
+
+**Analogy:**
+Think of transactional emails for everything that would leave you with a paper receipt in the real world: invoices, parking ticket, booking confirmation, etc.
+
+### Marketing Emails
+
+**Definition:** Emails sent for promotional, advertising, or informational purposes that are not directly related to a specific transaction or legal requirement.
+
+**Characteristics:**
+- Promotional or informational content
+- Not time-sensitive to complete a transaction
+- Require explicit opt-in (consent)
+- Must include unsubscribe options
+- Subject to stricter compliance requirements
+
+**Examples:**
+- Newsletters
+- Abandoned cart
+- Product announcements
+- Promotional offers
+- Company updates
+- Educational content
+
+## Legal Distinctions
+
+### CAN-SPAM Act (US)
+
+**Transactional emails:**
+- Can be sent without opt-in
+- Must be related to a transaction
+- Cannot contain promotional content (with exceptions)
+- Must identify sender and provide contact information
+
+**Marketing emails:**
+- Require opt-out mechanism (not opt-in in US)
+- Must include clear sender identification
+- Must include physical mailing address
+- Must honor opt-out requests within 10 business days
+
+### GDPR (EU)
+
+**Transactional emails:**
+- Can be sent based on legitimate interest or contract fulfillment
+- Must be necessary for service delivery
+- Cannot contain marketing content without consent
+
+**Marketing emails:**
+- Require explicit opt-in consent
+- Must clearly state purpose of data collection
+- Must provide easy unsubscribe
+- Subject to data protection requirements
+
+### CASL (Canada)
+
+**Transactional emails:**
+- Can be sent without consent if related to ongoing business relationship
+- Must be factual and not promotional
+
+**Marketing emails:**
+- Require express or implied consent
+- Must include unsubscribe mechanism
+- Must identify sender clearly
+
+## When to Use Each Type
+
+### Use Transactional When:
+
+- User needs the email to complete an action
+- Email confirms a transaction or account change
+- Email provides security-related information
+- Email is expected based on user action
+- Content is time-sensitive and actionable
+- You're required to serve a notification for compliance
+
+### Use Marketing When:
+
+- Promoting products or services
+- Sending newsletters or updates
+- Sharing educational content
+- Announcing features or company news
+- Content is not required for a transaction
+
+## Hybrid Emails: The Gray Area
+
+Some emails mix transactional and marketing content. This isn't best practice and should be avoided.
+
+**Best practice:** Keep transactional and marketing separate.
+
+**Example of problematic hybrid:**
+- Newsletter (marketing) with a small order status update (transactional)
+
+## Transactional Email Catalog
+
+For a complete catalog of transactional emails and recommended combinations by app type, see [Transactional Email Catalog](./transactional-email-catalog.md).
+
+**Quick reference - Essential emails for most apps:**
+1. **Email verification** - Required for account creation
+2. **Password reset** - Required for account recovery
+3. **Welcome email** - Good user experience
+
+The catalog includes detailed guidance for:
+- Authentication-focused apps
+- Newsletter / content platforms
+- E-commerce / marketplaces
+- SaaS / subscription services
+- Financial / fintech apps
+- Social / community platforms
+- Developer tools / API platforms
+- Healthcare / HIPAA-compliant apps
+
+## Sending Infrastructure
+
+### Separate subdomains
+
+**Best practice:** Use separate sending subdomains for transactional and marketing emails.
+
+**Benefits:**
+- Protect transactional deliverability
+- Different authentication domains
+- Independent reputation
+- Easier compliance management
+
+**Implementation:**
+- Use different subdomains (e.g., `t.yourdomain.com` for transactional, `m.yourdomain.com` for marketing)
+
+### Email Service Considerations
+
+Choose an email service that:
+- Provides reliable delivery for transactional emails
+- Offers separate sending domains
+- Has good API for programmatic sending
+- Provides webhooks for delivery events
+- Supports authentication setup (SPF, DKIM, DMARC)
+
+Services like Resend are designed for transactional emails and provide the infrastructure and tools needed for reliable delivery. They also offer powerful marketing features.
+
+## Related Topics
+
+- [Transactional Emails](./transactional-emails.md) - Best practices for sending transactional emails
+- [Marketing Emails](./marketing-emails.md) - Best practices for marketing emails
+- [Compliance](./compliance.md) - Legal requirements for each email type
+- [Deliverability](./deliverability.md) - Ensuring transactional emails are delivered
diff --git a/.agents/skills/email-best-practices/resources/list-management.md b/.agents/skills/email-best-practices/resources/list-management.md
new file mode 100644
index 00000000000..2581790d67e
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/list-management.md
@@ -0,0 +1,157 @@
+# List Management
+
+Maintaining clean email lists through suppression, hygiene, and data retention.
+
+## Suppression Lists
+
+A suppression list prevents sending to addresses that should never receive email.
+
+### What to Suppress
+
+| Reason | Action | Can Unsuppress? |
+|--------|--------|-----------------|
+| Hard bounce | Add immediately | No (address invalid) |
+| Complaint (spam) | Add immediately | No (legal requirement) |
+| Soft bounce (3x) | Add after threshold | Yes, after 30-90 days |
+| Manual removal | Add on request | Only if user requests |
+
+### Implementation
+
+```typescript
+// Suppression list schema
+interface SuppressionEntry {
+ email: string;
+ reason: 'hard_bounce' | 'complaint' | 'unsubscribe' | 'soft_bounce' | 'manual';
+ created_at: Date;
+ source_email_id?: string; // Which email triggered this
+}
+
+// Check before every send
+async function canSendTo(email: string): Promise {
+ const suppressed = await db.suppressions.findOne({ email });
+ return !suppressed;
+}
+
+// Add to suppression list
+async function suppressEmail(email: string, reason: string, sourceId?: string) {
+ await db.suppressions.upsert({
+ email: email.toLowerCase(),
+ reason,
+ created_at: new Date(),
+ source_email_id: sourceId,
+ });
+}
+```
+
+### Pre-Send Check
+
+**Always check suppression before sending:**
+
+```typescript
+async function sendEmail(to: string, emailData: EmailData) {
+ if (!await canSendTo(to)) {
+ console.log(`Skipping suppressed email: ${to}`);
+ return { skipped: true, reason: 'suppressed' };
+ }
+
+ return await resend.emails.send({ to, ...emailData });
+}
+```
+
+## List Hygiene
+
+Regular maintenance to keep lists healthy.
+
+### Automated Cleanup
+
+| Task | Frequency | Action |
+|------|-----------|--------|
+| Remove hard bounces | Real-time (via webhook) | Immediate suppression |
+| Remove complaints | Real-time (via webhook) | Immediate suppression |
+| Process unsubscribes | Real-time | Remove from marketing lists |
+| Review soft bounces | Daily | Suppress after 3 failures |
+| Remove inactive | Monthly | Re-engagement → remove |
+
+Learn more: https://resend.com/docs/knowledge-base/audience-hygiene
+
+### Re-engagement Campaigns
+
+Before removing inactive subscribers:
+
+1. **Identify inactive:** No opens/clicks in 45-90 days
+2. **Send re-engagement:** "We miss you" or "Still interested?"
+3. **Wait 14-30 days** for response
+4. **Remove non-responders** from active lists
+
+```typescript
+async function runReengagement() {
+ const inactive = await getInactiveSubscribers(90); // 90 days
+
+ for (const subscriber of inactive) {
+ if (!subscriber.reengagement_sent) {
+ await sendReengagementEmail(subscriber);
+ await markReengagementSent(subscriber.email);
+ } else if (daysSince(subscriber.reengagement_sent) > 30) {
+ await removeFromMarketingLists(subscriber.email);
+ }
+ }
+}
+```
+
+## Data Retention
+
+### Email Logs
+
+| Data Type | Recommended Retention | Notes |
+|-----------|----------------------|-------|
+| Send attempts | 90 days | Debugging, analytics |
+| Delivery status | 90 days | Compliance, reporting |
+| Bounce/complaint events | 3 years | Required for CASL |
+| Suppression list | Indefinite | Never delete |
+| Email content | 30 days | Storage costs |
+| Consent records | 3 years after expiry | Legal requirement |
+
+### Retention Policy Implementation
+
+```typescript
+// Daily cleanup job
+async function cleanupOldData() {
+ const now = new Date();
+
+ // Delete old email logs (keep 90 days)
+ await db.emailLogs.deleteMany({
+ created_at: { $lt: subDays(now, 90) }
+ });
+
+ // Delete old email content (keep 30 days)
+ await db.emailContent.deleteMany({
+ created_at: { $lt: subDays(now, 30) }
+ });
+
+ // Never delete: suppressions, consent records
+}
+```
+
+## Metrics to Monitor
+
+| Metric | Target | Alert Threshold |
+|--------|--------|-----------------|
+| Bounce rate | <2% | >2% |
+| Complaint rate | <0.05% | >0.05% |
+| Suppression list growth | Stable | Sudden spike |
+
+## Transactional vs Marketing Lists
+
+**Keep separate:**
+- Transactional: Can send to anyone with account relationship
+- Marketing: Only opted-in subscribers
+
+**Suppression applies to both:** Hard bounces and complaints suppress across all email types.
+
+**Unsubscribe is marketing-only:** User unsubscribing from marketing can still receive transactional emails (password resets, order confirmations).
+
+## Related
+
+- [Webhooks & Events](./webhooks-events.md) - Receive bounce/complaint notifications
+- [Deliverability](./deliverability.md) - How list hygiene affects sender reputation
+- [Compliance](./compliance.md) - Legal requirements for data retention
diff --git a/.agents/skills/email-best-practices/resources/marketing-emails.md b/.agents/skills/email-best-practices/resources/marketing-emails.md
new file mode 100644
index 00000000000..984ffcc7e61
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/marketing-emails.md
@@ -0,0 +1,115 @@
+# Marketing Email Best Practices
+
+Promotional emails that require explicit consent and provide value to recipients.
+
+## Core Principles
+
+1. **Consent first** - Explicit opt-in required (especially GDPR/CASL)
+2. **Value-driven** - Provide useful content, not just promotions
+3. **Respect preferences** - Let users control frequency and content types
+
+## Opt-In Requirements
+
+### Explicit Opt-In
+
+**What counts:**
+- User checks unchecked box
+- User clicks "Subscribe" button
+- User completes form with clear subscription intent
+
+**What doesn't count:**
+- Pre-checked boxes
+- Opt-out model
+- Assumed consent from purchase
+- Purchased/rented lists
+
+### Informed Consent
+
+Disclose: email types, frequency, sender identity, how to unsubscribe.
+
+✅ "Subscribe to our weekly newsletter with product updates and tips"
+❌ "Sign up for emails"
+
+### Double Opt-In (Recommended)
+
+1. User submits email
+2. Send confirmation email with verification link
+3. User clicks to confirm
+4. Add to list only after confirmation
+
+Benefits: Verifies deliverability, confirms intent, reduces complaints, required in some regions (Germany).
+
+## Unsubscribe Requirements
+
+**Must be:**
+- Prominent in every email
+- One-click (preferred)
+- Immediate (GDPR) or within 10 days (CAN-SPAM) (immediate preferred)
+- Free, no login required
+
+**Preference center options:** Frequency (daily/weekly/monthly), content types, complete unsubscribe.
+
+## Content and Design
+
+### Subject Lines
+
+- Clear and specific (50 chars or less for mobile)
+- Create curiosity without misleading
+- A/B test regularly
+
+✅ "Your weekly digest: 5 productivity tips"
+❌ "You won't believe what happened!"
+
+### Structure
+
+**Above fold:** Value proposition, primary CTA, engaging visual
+
+**Body:** Scannable (short paragraphs, bullets), clear hierarchy, multiple CTAs
+
+**Footer:** Unsubscribe link, company info, physical address (CAN-SPAM), social links
+
+### Mobile-First
+
+- Single column layout
+- 44x44px minimum buttons
+- 16px minimum text
+- Test on iOS, Android, dark mode
+
+## Segmentation
+
+**Segment by:** Behavior (purchases, activity), demographics, preferences, engagement level, signup source.
+
+Benefits: Higher open/click rates, lower unsubscribes, better experience.
+
+## Personalization
+
+**Options:** Name in subject/greeting, location-specific content, behavior-based recommendations, purchase history.
+
+**Don't over-personalize** - can feel intrusive. Use data you have permission to use.
+
+## Frequency and Timing
+
+**Frequency:** Start conservative, increase based on engagement, let users set preferences, monitor unsubscribe rates.
+
+**Timing:** Weekday mornings (9-11 AM local), Tuesday-Thursday often best. Test your specific audience.
+
+## List Hygiene
+
+**Remove immediately:** Hard bounces, unsubscribes, complaints
+
+**Remove after inactivity:** Send re-engagement campaign first, then remove non-responders
+
+**Monitor:** Bounce rate <2%, complaint rate <0.05%
+
+## Required Elements (All Marketing Emails)
+
+- Clear sender identification
+- Physical mailing address (CAN-SPAM)
+- Unsubscribe mechanism
+- Indication it's marketing (GDPR)
+
+## Related
+
+- [Compliance](./compliance.md) - Detailed legal requirements by region
+- [Email Capture](./email-capture.md) - Collecting consent properly
+- [List Management](./list-management.md) - Maintaining list hygiene
diff --git a/.agents/skills/email-best-practices/resources/sending-reliability.md b/.agents/skills/email-best-practices/resources/sending-reliability.md
new file mode 100644
index 00000000000..2143b36deb1
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/sending-reliability.md
@@ -0,0 +1,155 @@
+# Sending Reliability
+
+Ensuring emails are sent exactly once and handling failures gracefully.
+
+## Idempotency
+
+Prevent duplicate emails when retrying failed requests.
+
+### The Problem
+
+Network issues, timeouts, or server errors can leave you uncertain if an email was sent. Retrying without idempotency risks sending duplicates.
+
+### Solution: Idempotency Keys
+
+Send a unique key with each request. If the same key is sent again, the server returns the original response instead of sending another email.
+
+```typescript
+// Generate deterministic key based on the business event
+const idempotencyKey = `password-reset-${userId}-${resetRequestId}`;
+
+await resend.emails.send({
+ from: 'noreply@example.com',
+ to: user.email,
+ subject: 'Reset your password',
+ html: emailHtml,
+}, {
+ headers: {
+ 'Idempotency-Key': idempotencyKey
+ }
+});
+```
+
+### Key Generation Strategies
+
+| Strategy | Example | Use When |
+|----------|---------|----------|
+| Event-based | `order-confirm-${orderId}` | One email per event (recommended) |
+| Request-scoped | `reset-${userId}-${resetRequestId}` | Retries within same request |
+| UUID | `crypto.randomUUID()` | No natural key (generate once, reuse on retry) |
+
+**Best practice:** Use deterministic keys based on the business event. If you retry the same logical send, the same key must be generated. Avoid `Date.now()` or random values generated fresh on each attempt.
+
+**Key expiration:** Idempotency keys are typically cached for 24 hours. Retries within this window return the original response. After expiration, the same key triggers a new send—so complete your retry logic well within 24 hours.
+
+## Retry Logic
+
+Handle transient failures with exponential backoff.
+
+### When to Retry
+
+| Error Type | Retry? | Notes |
+|------------|--------|-------|
+| 5xx (server error) | ✅ Yes | Transient, likely to resolve |
+| 429 (rate limit) | ✅ Yes | Wait for rate limit window |
+| 4xx (client error) | ❌ No | Fix the request first |
+| Network timeout | ✅ Yes | Transient |
+| DNS failure | ✅ Yes | May be transient |
+
+### Exponential Backoff
+
+```typescript
+async function sendWithRetry(emailData, maxRetries = 3) {
+ for (let attempt = 0; attempt < maxRetries; attempt++) {
+ try {
+ return await resend.emails.send(emailData);
+ } catch (error) {
+ if (!isRetryable(error) || attempt === maxRetries - 1) {
+ throw error;
+ }
+ const delay = Math.min(1000 * Math.pow(2, attempt), 30000);
+ await sleep(delay + Math.random() * 1000); // Add jitter
+ }
+ }
+}
+
+function isRetryable(error) {
+ return error.statusCode >= 500 ||
+ error.statusCode === 429 ||
+ error.code === 'ETIMEDOUT';
+}
+```
+
+**Backoff schedule:** 1s → 2s → 4s → 8s (with jitter to prevent thundering herd)
+
+## Error Handling
+
+### Common Error Codes
+
+| Code | Meaning | Action |
+|------|---------|--------|
+| 400 | Bad request | Fix payload (invalid email, missing field) |
+| 401 | Unauthorized | Check API key |
+| 403 | Forbidden | Check permissions, domain verification |
+| 404 | Not found | Check endpoint URL |
+| 422 | Validation error | Fix request data |
+| 429 | Rate limited | Back off, retry after delay |
+| 500 | Server error | Retry with backoff |
+| 503 | Service unavailable | Retry with backoff |
+
+### Error Handling Pattern
+
+```typescript
+try {
+ const result = await resend.emails.send(emailData);
+ await logSuccess(result.id, emailData);
+} catch (error) {
+ if (error.statusCode === 429) {
+ await queueForRetry(emailData, error.retryAfter);
+ } else if (error.statusCode >= 500) {
+ await queueForRetry(emailData);
+ } else {
+ await logFailure(error, emailData);
+ await alertOnCriticalEmail(emailData); // For password resets, etc.
+ }
+}
+```
+
+## Queuing for Reliability
+
+For critical emails, use a queue to ensure delivery even if the initial send fails.
+
+**Benefits:**
+- Survives application restarts
+- Automatic retry handling
+- Rate limit management
+- Audit trail
+
+**Simple pattern:**
+1. Write email to queue/database with "pending" status
+2. Process queue, attempt send
+3. On success: mark "sent", store message ID
+4. On retryable failure: increment retry count, schedule retry
+5. On permanent failure: mark "failed", alert
+
+## Timeouts
+
+Set appropriate timeouts to avoid hanging requests.
+
+```typescript
+const controller = new AbortController();
+const timeout = setTimeout(() => controller.abort(), 10000);
+
+try {
+ await resend.emails.send(emailData, { signal: controller.signal });
+} finally {
+ clearTimeout(timeout);
+}
+```
+
+**Recommended:** 10-30 seconds for email API calls.
+
+## Related
+
+- [Webhooks & Events](./webhooks-events.md) - Process delivery confirmations and failures
+- [List Management](./list-management.md) - Handle bounces and suppress invalid addresses
diff --git a/.agents/skills/email-best-practices/resources/transactional-email-catalog.md b/.agents/skills/email-best-practices/resources/transactional-email-catalog.md
new file mode 100644
index 00000000000..0cc9495243c
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/transactional-email-catalog.md
@@ -0,0 +1,418 @@
+# Transactional Email Catalog
+
+A comprehensive catalog of transactional emails organized by category, plus recommended email combinations for different app types.
+
+## When to Use This
+
+- Planning what transactional emails your app needs
+- Choosing the right emails for your app type
+- Understanding what content each email type should include
+- Implementing transactional email features
+
+## Email Combinations by App Type
+
+Use these combinations as a starting point based on what you're building.
+
+### Authentication-Focused App
+
+Apps where user accounts and security are core (login systems, identity providers, account management).
+
+**Essential:**
+- Email verification
+- Password reset
+- OTP / 2FA codes
+- Security alerts (new device, password change)
+- Account update notifications
+
+**Optional:**
+- Welcome email (must not be promotional)
+- Account deletion confirmation
+
+### Newsletter / Content Platform
+
+Apps focused on content delivery and subscriptions.
+
+**Essential:**
+- Email verification
+- Password reset
+- Welcome email (must not be promotional)
+- Subscription confirmation
+
+**Optional:**
+- OTP / 2FA codes
+- Account update notifications
+
+### E-commerce / Marketplace
+
+Apps where users buy products or services.
+
+**Essential:**
+- Email verification
+- Password reset
+- Welcome email (must not be promotional)
+- Order confirmation
+- Shipping notifications
+- Invoice / receipt
+- Payment failed notices
+
+**Optional:**
+- OTP / 2FA codes
+- Security alerts
+- Subscription confirmations (for recurring orders)
+
+### SaaS / Subscription Service
+
+Apps with paid subscription tiers and ongoing billing.
+
+**Essential:**
+- Email verification
+- Password reset
+- Welcome email (must not be promotional)
+- OTP / 2FA codes
+- Security alerts
+- Subscription confirmation
+- Subscription renewal notice
+- Payment failed notices
+- Invoice / receipt
+
+**Optional:**
+- Account update notifications
+- Feature change notifications (for breaking changes)
+
+### Financial / Fintech App
+
+Apps handling money, payments, or sensitive financial data.
+
+**Essential:**
+- Email verification
+- Password reset
+- OTP / 2FA codes (required for sensitive actions)
+- Security alerts (all types)
+- Account update notifications
+- Transaction confirmations
+- Invoice / receipt
+- Payment failed notices
+
+**Optional:**
+- Welcome email (must not be promotional)
+- Compliance notices
+
+### Social / Community Platform
+
+Apps focused on user interaction and community features.
+
+**Essential:**
+- Email verification
+- Password reset
+- Welcome email (must not be promotional)
+- Security alerts
+
+**Optional:**
+- OTP / 2FA codes
+- Account update notifications
+- Activity notifications (mentions, replies)
+
+### Developer Tools / API Platform
+
+Apps targeting developers with API access and integrations.
+
+**Essential:**
+- Email verification
+- Password reset
+- OTP / 2FA codes
+- Security alerts
+- API key notifications (creation, expiration)
+- Subscription confirmation
+- Payment failed notices
+
+**Optional:**
+- Welcome email (must not be promotional)
+- Usage alerts (approaching limits)
+- Feature change notifications
+
+### Healthcare / HIPAA-Compliant App
+
+Apps handling protected health information.
+
+**Essential:**
+- Email verification
+- Password reset
+- OTP / 2FA codes (required)
+- Security alerts (all types, detailed)
+- Account update notifications
+- Appointment confirmations
+
+**Optional:**
+- Welcome email (must not be promotional)
+- Compliance notices
+
+**Note:** Healthcare apps have strict requirements. Emails should contain minimal PHI and link to secure portals for sensitive information.
+
+---
+
+## Full Email Catalog
+
+### Authentication & Security
+
+#### Email Verification / Account Verification
+
+**When to send:** Immediately after user signs up or changes email address.
+
+**Purpose:** Verify the email address belongs to the user.
+
+**Content should include:**
+- Clear verification link or code
+- Expiration time (typically 24-48 hours)
+- Instructions on what to do
+- Security notice if link is clicked by mistake
+
+**Best practices:**
+- Send immediately (within seconds)
+- Include expiration notice
+- Provide resend option
+- Link to support if issues
+
+#### OTP / 2FA Codes
+
+**When to send:** When user requests two-factor authentication code.
+
+**Purpose:** Provide time-sensitive authentication code.
+
+**Content should include:**
+- The OTP code (clearly displayed)
+- Expiration time (typically 5-10 minutes)
+- Security warnings
+- Instructions on what to do if not requested
+
+**Best practices:**
+- Send immediately
+- Code should be large and easy to read
+- Include expiration prominently
+- Warn about sharing codes
+- Provide "I didn't request this" link
+
+#### Password Reset
+
+**When to send:** When user requests password reset.
+
+**Purpose:** Allow user to securely reset forgotten password.
+
+**Content should include:**
+- Reset link (with token)
+- Expiration time (typically 1 hour)
+- Security warnings
+- Instructions if not requested
+
+**Best practices:**
+- Send immediately
+- Link expires quickly (1 hour)
+- Include IP address and location if available
+- Provide "I didn't request this" link
+- Don't include the old password
+
+#### Security Alerts
+
+**When to send:** When security-relevant events occur (login from new device, password change, etc.).
+
+**Purpose:** Notify user of account security events.
+
+**Content should include:**
+- What happened (clear description)
+- When it happened
+- Location/IP if available
+- Action to take if suspicious
+- Link to security settings
+
+**Best practices:**
+- Send immediately
+- Be clear and specific
+- Include actionable steps
+- Provide way to report suspicious activity
+
+### Account Management
+
+#### Welcome Email
+
+**When to send:** Immediately after successful account creation and verification.
+
+**Purpose:** Welcome new users and guide them to next steps (must not be promotional).
+
+**Content should include:**
+- Welcome message
+- Key features or next steps
+- Links to important resources
+- Support contact information
+
+**Best practices:**
+- Send after email verification
+- Keep it focused and actionable
+- Don't overwhelm with information
+- Set expectations about future emails
+
+#### Account Update Notifications
+
+**When to send:** When user changes account settings (email, password, profile, etc.).
+
+**Purpose:** Confirm account changes and provide security notice.
+
+**Content should include:**
+- What changed
+- When it changed
+- Action to take if unauthorized
+- Link to account settings
+
+**Best practices:**
+- Send immediately after change
+- Be specific about what changed
+- Include security notice
+- Provide easy way to revert if needed
+
+### E-commerce & Transactions
+
+#### Order Confirmations
+
+**When to send:** Immediately after order is placed.
+
+**Purpose:** Confirm order details and provide receipt.
+
+**Content should include:**
+- Order number
+- Items ordered with quantities
+- Pricing breakdown
+- Shipping address
+- Estimated delivery date
+- Order tracking link (if available)
+
+**Best practices:**
+- Send within minutes of order
+- Include all order details
+- Make it easy to print or save
+- Provide customer service contact
+
+#### Shipping Notifications
+
+**When to send:** When order ships, with tracking updates.
+
+**Purpose:** Notify user that order has shipped and provide tracking.
+
+**Content should include:**
+- Order number
+- Tracking number
+- Carrier information
+- Expected delivery date
+- Tracking link
+- Shipping address confirmation
+
+**Best practices:**
+- Send when order ships
+- Include tracking number prominently
+- Provide carrier tracking link
+- Update on major tracking milestones
+
+#### Invoices and Receipts
+
+**When to send:** After payment is processed.
+
+**Purpose:** Provide payment confirmation and receipt.
+
+**Content should include:**
+- Invoice/receipt number
+- Payment amount
+- Payment method
+- Items/services purchased
+- Payment date
+- Downloadable PDF (if applicable)
+
+**Best practices:**
+- Send immediately after payment
+- Include all payment details
+- Make it easy to download/save
+- Include tax information if applicable
+
+### Subscriptions & Billing
+
+#### Subscription Confirmations
+
+**When to send:** When user subscribes or changes subscription.
+
+**Purpose:** Confirm subscription details and billing information.
+
+**Content should include:**
+- Subscription plan details
+- Billing amount and frequency
+- Next billing date
+- Payment method
+- Link to manage subscription
+
+**Best practices:**
+- Send immediately after subscription
+- Clearly state billing terms
+- Provide easy cancellation option
+- Include support contact
+
+#### Subscription Renewal Notices
+
+**When to send:** Before subscription renews (typically 3-7 days before).
+
+**Purpose:** Notify user of upcoming renewal and charge.
+
+**Content should include:**
+- Renewal date
+- Amount to be charged
+- Payment method on file
+- Link to update payment method
+- Link to cancel if desired
+
+**Best practices:**
+- Send with enough notice (3-7 days)
+- Be clear about amount and date
+- Make it easy to update payment method
+- Provide cancellation option
+
+#### Payment Failed Notices
+
+**When to send:** When subscription payment fails.
+
+**Purpose:** Notify user of payment failure and provide resolution steps.
+
+**Content should include:**
+- What happened
+- Amount that failed
+- Reason for failure (if available)
+- Steps to resolve
+- Link to update payment method
+- Consequences if not resolved
+
+**Best practices:**
+- Send immediately after failure
+- Be clear about consequences
+- Provide easy resolution path
+- Include support contact
+
+### Notifications & Updates
+
+#### Feature Announcements (Transactional)
+
+**When to send:** When a feature the user is using changes significantly.
+
+**Purpose:** Notify users of changes that affect their use of the service.
+
+**Content should include:**
+- What changed
+- How it affects the user
+- What action (if any) is needed
+- Link to more information
+
+**Best practices:**
+- Only for significant changes
+- Focus on user impact
+- Provide clear next steps
+- Link to documentation
+
+**Note:** General feature announcements are marketing emails. Only send as transactional if the change directly affects an active feature the user is using.
+
+## Related Topics
+
+- [Email Types](./email-types.md) - Understanding transactional vs marketing
+- [Transactional Emails](./transactional-emails.md) - Best practices for sending transactional emails
+- [Compliance](./compliance.md) - Legal requirements for each email type
diff --git a/.agents/skills/email-best-practices/resources/transactional-emails.md b/.agents/skills/email-best-practices/resources/transactional-emails.md
new file mode 100644
index 00000000000..0809647c609
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/transactional-emails.md
@@ -0,0 +1,92 @@
+# Transactional Email Best Practices
+
+Clear, actionable emails that users expect and need—password resets, confirmations, OTPs.
+
+## Core Principles
+
+1. **Clarity over creativity** - Users need to understand and act quickly
+2. **Action-oriented** - Clear purpose, obvious primary action
+3. **Time-sensitive** - Send immediately (within seconds)
+
+## Subject Lines
+
+**Be specific and include context:**
+
+| ✅ Good | ❌ Bad |
+|---------|--------|
+| Reset your password for [App] | Action required |
+| Your order #12345 has shipped | Update on your order |
+| Your 2FA code for [App] | Security code: 12345 |
+| Verify your email for [App] | Verify your email |
+
+Include identifiers when helpful: order numbers, account names, expiration times.
+
+## Pre-Header
+
+The text snippet after subject line. Use it to:
+- Reinforce subject ("This link expires in 1 hour")
+- Add urgency or context
+- Call-to-action preview
+
+Keep under 90 characters.
+
+## Content Structure
+
+**Above the fold (first screen):**
+- Clear purpose
+- Primary action button
+- Time-sensitive details (expiration)
+
+**Hierarchy:** Header → Primary message → Details → Action button → Secondary info
+
+**Format:** Short paragraphs (2-3 sentences), bullet points, bold for emphasis, white space.
+
+## Mobile-First Design
+
+60%+ emails are opened on mobile.
+
+- **Layout:** Single column, stack vertically
+- **Buttons:** 44x44px minimum, full-width on mobile
+- **Text:** 16px minimum body, 20-24px headings
+- **OTP codes:** 24-32px, monospace font
+
+## Sender Configuration
+
+| Field | Best Practice | Example |
+|-------|--------------|---------|
+| From Name | App/company name, consistent | [App Name] |
+| From Email | Subdomain, real address | hello@mail.yourdomain.com |
+| Reply-To | Monitored inbox | support@yourdomain.com |
+
+Avoid `noreply@` - users reply to transactional emails.
+
+## Code and Link Display
+
+**OTP/Verification codes:**
+- Large (24-32px), monospace font
+- Centered, clear label
+- Include expiration nearby
+- Make copyable
+
+**Buttons:**
+- Large, tappable (44x44px+)
+- Contrasting colors
+- Clear action text ("Reset Password", "Verify Email")
+- HTTPS links only
+
+## Error Handling
+
+**Resend functionality:**
+- Allow after 60 seconds
+- Limit attempts (3 per hour)
+- Show countdown timer
+
+**Expired links:**
+- Clear "expired" message
+- Offer to send new link
+- Provide support contact
+
+**"I didn't request this":**
+- Include in password resets, OTPs, security alerts
+- Link to security contact
+- Log clicks for monitoring
diff --git a/.agents/skills/email-best-practices/resources/webhooks-events.md b/.agents/skills/email-best-practices/resources/webhooks-events.md
new file mode 100644
index 00000000000..0008c995060
--- /dev/null
+++ b/.agents/skills/email-best-practices/resources/webhooks-events.md
@@ -0,0 +1,167 @@
+# Webhooks and Events
+
+Receiving and processing email delivery events in real-time.
+
+## Event Types
+
+| Event | When Fired | Use For |
+|-------|------------|---------|
+| `email.sent` | Email accepted by Resend | Confirming send initiated |
+| `email.delivered` | Email delivered to recipient server | Confirming delivery |
+| `email.bounced` | Email bounced (hard or soft) | List hygiene, alerting |
+| `email.complained` | Recipient marked as spam | Immediate unsubscribe |
+| `email.opened` | Recipient opened email | Engagement tracking |
+| `email.clicked` | Recipient clicked link | Engagement tracking |
+
+## Webhook Setup
+
+### 1. Create Endpoint
+
+Your endpoint must:
+- Accept POST requests
+- Return 2xx status quickly (within 5 seconds)
+- Handle duplicate events (idempotent processing)
+
+```typescript
+app.post('/webhooks/resend', async (req, res) => {
+ // Return 200 immediately to acknowledge receipt
+ res.status(200).send('OK');
+
+ // Process asynchronously
+ processWebhookAsync(req.body).catch(console.error);
+});
+```
+
+### 2. Verify Signatures
+
+Always verify webhook signatures to prevent spoofing.
+
+```typescript
+import { Webhook } from 'svix';
+
+const webhook = new Webhook(process.env.RESEND_WEBHOOK_SECRET);
+
+app.post('/webhooks/resend', (req, res) => {
+ try {
+ const payload = webhook.verify(
+ JSON.stringify(req.body),
+ {
+ 'svix-id': req.headers['svix-id'],
+ 'svix-timestamp': req.headers['svix-timestamp'],
+ 'svix-signature': req.headers['svix-signature'],
+ }
+ );
+ // Process verified payload
+ } catch (err) {
+ return res.status(400).send('Invalid signature');
+ }
+});
+```
+
+### 3. Register Webhook URL
+
+Configure your webhook endpoint in the Resend dashboard or via API.
+
+## Processing Events
+
+### Bounce Handling
+
+```typescript
+async function handleBounce(event) {
+ const { email_id, email, bounce_type } = event.data;
+
+ if (bounce_type === 'hard') {
+ // Permanent failure - remove from all lists
+ await suppressEmail(email, 'hard_bounce');
+ await removeFromAllLists(email);
+ } else {
+ // Soft bounce - track and remove after threshold
+ await incrementSoftBounce(email);
+ const count = await getSoftBounceCount(email);
+ if (count >= 3) {
+ await suppressEmail(email, 'soft_bounce_limit');
+ }
+ }
+}
+```
+
+### Complaint Handling
+
+```typescript
+async function handleComplaint(event) {
+ const { email } = event.data;
+
+ // Immediate suppression - no exceptions
+ await suppressEmail(email, 'complaint');
+ await removeFromAllLists(email);
+ await logComplaint(event); // For analysis
+}
+```
+
+### Delivery Confirmation
+
+```typescript
+async function handleDelivered(event) {
+ const { email_id } = event.data;
+ await updateEmailStatus(email_id, 'delivered');
+}
+```
+
+## Idempotent Processing
+
+Webhooks may be sent multiple times. Use event IDs to prevent duplicate processing.
+
+```typescript
+async function processWebhook(event) {
+ const eventId = event.id;
+
+ // Check if already processed
+ if (await isEventProcessed(eventId)) {
+ return; // Skip duplicate
+ }
+
+ // Process event
+ await handleEvent(event);
+
+ // Mark as processed
+ await markEventProcessed(eventId);
+}
+```
+
+## Error Handling
+
+### Retry Behavior
+
+If your endpoint returns non-2xx, webhooks will retry with exponential backoff:
+- Retry 1: ~30 seconds
+- Retry 2: ~1 minute
+- Retry 3: ~5 minutes
+- (continues for ~24 hours)
+
+### Best Practices
+
+- **Return 200 quickly** - Process asynchronously to avoid timeouts
+- **Be idempotent** - Handle duplicate deliveries gracefully
+- **Log everything** - Store raw events for debugging
+- **Alert on failures** - Monitor webhook processing errors
+- **Queue for processing** - Use a job queue for complex handling
+
+## Testing Webhooks
+
+**Local development:** Use ngrok or similar to expose localhost.
+
+```bash
+ngrok http 3000
+# Use the ngrok URL as your webhook endpoint
+```
+
+**Verify handling:** Send test events through Resend dashboard or manually trigger each event type.
+
+## Ingest webhooks for data storage
+- [Open source repo](https://github.com/resend/resend-webhooks-ingester)
+- [Why store data](https://resend.com/docs/dashboard/webhooks/how-to-store-webhooks-data)
+
+## Related
+
+- [List Management](./list-management.md) - What to do with bounce/complaint data
+- [Sending Reliability](./sending-reliability.md) - Retry logic when sends fail
diff --git a/.agents/skills/react-email/SKILL.md b/.agents/skills/react-email/SKILL.md
new file mode 100644
index 00000000000..006ea2745b1
--- /dev/null
+++ b/.agents/skills/react-email/SKILL.md
@@ -0,0 +1,518 @@
+---
+name: react-email
+description: Use when creating HTML email templates with React components - welcome emails, password resets, notifications, order confirmations, newsletters, or transactional emails.
+license: MIT
+metadata:
+ author: Resend
+ version: "1.1.0"
+---
+
+# React Email
+
+Build and send HTML emails using React components - a modern, component-based approach to email development that works across all major email clients.
+
+## Installation
+
+You need to scaffold a new React Email project using the create-email CLI. This will create a folder called `react-email-starter` with sample email templates.
+
+Using npm:
+```sh
+npx create-email@latest
+```
+
+Using yarn:
+```sh
+yarn create email
+```
+
+Using pnpm:
+```sh
+pnpm create email
+```
+
+Using bun:
+```sh
+bun create email
+```
+
+## Navigate to Project Directory
+
+You must change into the newly created project folder:
+
+```sh
+cd react-email-starter
+```
+
+## Install Dependencies
+
+You need to install all project dependencies before running the development server.
+
+Using npm:
+```sh
+npm install
+```
+
+Using yarn:
+```sh
+yarn
+```
+
+Using pnpm:
+```sh
+pnpm install
+```
+
+Using bun:
+```sh
+bun install
+```
+
+## Start the Development Server
+
+Your task is to start the local preview server to view and edit email templates.
+
+Using npm:
+```sh
+npm run dev
+```
+
+Using yarn:
+```sh
+yarn dev
+```
+
+Using pnpm:
+```sh
+pnpm dev
+```
+
+Using bun:
+```sh
+bun dev
+```
+
+## Verify Installation
+
+Confirm the development server is running by checking that localhost:3000 is accessible. The server will display a preview interface where you can view email templates from the `emails` folder.
+
+### Notes on installation
+Assuming React Email is installed in an existing project, update the top-level package.json file with a script to run the React Email preview server.
+
+```json
+{
+ "scripts": {
+ "email": "email dev --dir emails --port 3000"
+ }
+}
+```
+
+Make sure the path to the emails folder is relative to the base project directory.
+
+
+### tsconfig.json updating or creation
+
+Ensure the tsconfig.json includes proper support for jsx.
+
+## Basic Email Template
+
+Replace the sample email templates. Here is how to create a new email template:
+
+Create an email component with proper structure using the Tailwind component for styling:
+
+```tsx
+import {
+ Html,
+ Head,
+ Preview,
+ Body,
+ Container,
+ Heading,
+ Text,
+ Button,
+ Tailwind,
+ pixelBasedPreset
+} from '@react-email/components';
+
+interface WelcomeEmailProps {
+ name: string;
+ verificationUrl: string;
+}
+
+export default function WelcomeEmail({ name, verificationUrl }: WelcomeEmailProps) {
+ return (
+
+
+
+ Welcome - Verify your email
+
+
+
+ Welcome!
+
+
+ Hi {name}, thanks for signing up!
+
+
+
+
+
+
+ );
+}
+
+// Preview props for testing
+WelcomeEmail.PreviewProps = {
+ name: 'John Doe',
+ verificationUrl: 'https://example.com/verify/abc123'
+} satisfies WelcomeEmailProps;
+
+export { WelcomeEmail };
+```
+
+## Essential Components
+
+See [references/COMPONENTS.md](references/COMPONENTS.md) for complete component documentation.
+
+**Core Structure:**
+- `Html` - Root wrapper with `lang` attribute
+- `Head` - Meta elements, styles, fonts
+- `Body` - Main content wrapper
+- `Container` - Centers content (max-width layout)
+- `Section` - Layout sections
+- `Row` & `Column` - Multi-column layouts
+- `Tailwind` - Enables Tailwind CSS utility classes
+
+**Content:**
+- `Preview` - Inbox preview text, always first in `Body`
+- `Heading` - h1-h6 headings
+- `Text` - Paragraphs
+- `Button` - Styled link buttons
+- `Link` - Hyperlinks
+- `Img` - Images (see Static Files section below)
+- `Hr` - Horizontal dividers
+
+**Specialized:**
+- `CodeBlock` - Syntax-highlighted code
+- `CodeInline` - Inline code
+- `Markdown` - Render markdown
+- `Font` - Custom web fonts
+
+## Before Writing Code
+
+When a user requests an email template, ask clarifying questions FIRST if they haven't provided:
+
+1. **Brand colors** - Ask for primary brand color (hex code like #007bff)
+2. **Logo** - Ask if they have a logo file and its format (PNG/JPG only - warn if SVG/WEBP)
+3. **Style preference** - Professional, casual, or minimal tone
+4. **Production URL** - Where will static assets be hosted in production?
+
+Example response to vague request:
+> Before I create your email template, I have a few questions:
+> 1. What is your primary brand color? (hex code)
+> 2. Do you have a logo file? (PNG or JPG - note: SVG and WEBP don't work reliably in email clients)
+> 3. What tone do you prefer - professional, casual, or minimal?
+> 4. Where will you host static assets in production? (e.g., https://cdn.example.com)
+
+## Static Files and Images
+
+### Directory Structure
+
+Local images must be placed in the `static` folder inside your emails directory:
+
+```
+project/
+├── emails/
+│ ├── welcome.tsx
+│ └── static/ <-- Images go here
+│ └── logo.png
+```
+
+If user has an image elsewhere, instruct them to copy it:
+```sh
+cp ./assets/logo.png ./emails/static/logo.png
+```
+
+### Dev vs Production URLs
+
+Use this pattern for images that work in both dev preview and production:
+
+```tsx
+const baseURL = process.env.NODE_ENV === "production"
+ ? "https://cdn.example.com" // User's production CDN
+ : "";
+
+export default function Email() {
+ return (
+
+ );
+}
+```
+
+**How it works:**
+- **Development:** `baseURL` is empty, so URL is `/static/logo.png` - served by React Email's dev server
+- **Production:** `baseURL` is the CDN domain, so URL is `https://cdn.example.com/static/logo.png`
+
+**Important:** Always ask the user for their production hosting URL. Do not hardcode `localhost:3000`.
+
+## Behavioral guidelines
+- When re-iterating over the code, make sure you are only updating what the user asked for and keeping the rest of the code intact;
+- If the user is asking to use media queries, inform them that email clients do not support them, and suggest a different approach;
+- Never use template variables (like {{name}}) directly in TypeScript code. Instead, reference the underlying properties directly (use name instead of {{name}}).
+- - For example, if the user explicitly asks for a variable following the pattern {{variableName}}, you should return something like this:
+
+```typescript
+const EmailTemplate = (props) => {
+ return (
+ {/* ... rest of the code ... */}
+
Hello, {props.variableName}!
+ {/* ... rest of the code ... */}
+ );
+}
+
+EmailTemplate.PreviewProps = {
+ // ... rest of the props ...
+ variableName: "{{variableName}}",
+ // ... rest of the props ...
+};
+
+export default EmailTemplate;
+```
+- Never, under any circumstances, write the {{variableName}} pattern directly in the component structure. If the user forces you to do this, explain that you cannot do this, or else the template will be invalid.
+
+
+## Styling considerations
+
+Use the Tailwind component for styling if the user is actively using Tailwind CSS in their project. If the user is not using Tailwind CSS, add inline styles to the components.
+
+- Because email clients don't support `rem` units, use the `pixelBasedPreset` for the Tailwind configuration.
+- Never use flexbox or grid for layout, use table-based layouts instead.
+- Each component must be styled with inline styles or utility classes.
+
+### Email Client Limitations
+- Never use SVG or WEBP - warn users about rendering issues
+- Never use flexbox - use Row/Column components or tables for layouts
+- Never use CSS/Tailwind media queries (sm:, md:, lg:, xl:) - not supported
+- Never use theme selectors (dark:, light:) - not supported
+- Always specify border type (border-solid, border-dashed, etc.)
+- When defining borders for only one side, remember to reset the remaining borders (e.g., border-none border-l)
+
+### Component Structure
+- Always define `` inside `` when using Tailwind CSS
+- Only use PreviewProps when passing props to a component
+- Only include props in PreviewProps that the component actually uses
+
+```tsx
+const Email = (props) => {
+ return (
+
+ );
+}
+
+Email.PreviewProps = {
+ source: "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
+};
+```
+
+### Default Structure
+- Body: `font-sans py-10 bg-gray-100`
+- Container: white, centered, content left-aligned
+- Footer: physical address, unsubscribe link, current year with `m-0` on address/copyright
+
+### Typography
+- Titles: bold, larger font, larger margins
+- Paragraphs: regular weight, smaller font, smaller margins
+- Use consistent spacing respecting content hierarchy
+
+### Images
+- Only include if user requests
+- Never use fixed width/height - use responsive units (w-full, h-auto)
+- Never distort user-provided images
+- Never create SVG images - only use provided or web images
+
+### Buttons
+- Always use `box-border` to prevent padding overflow
+
+### Layout
+- Always mobile-friendly by default
+- Use stacked layouts that work on all screen sizes
+- Remove default spacing/margins/padding between list items
+
+### Dark Mode
+When requested: container black (#000), background dark gray (#151516)
+
+### Best Practices
+- Choose colors, layout, and copy based on user's request
+- Make templates unique, not generic
+- Use keywords in email body to increase conversion
+
+## Rendering
+
+### Convert to HTML
+
+```tsx
+import { render } from '@react-email/components';
+import { WelcomeEmail } from './emails/welcome';
+
+const html = await render(
+
+);
+```
+
+### Convert to Plain Text
+
+```tsx
+import { render } from '@react-email/components';
+import { WelcomeEmail } from './emails/welcome';
+
+const text = await render(, { plainText: true });
+```
+
+## Sending
+
+React Email supports sending with any email service provider. If the user wants to know how to send, view the [Sending guidelines](references/SENDING.md).
+
+Quick example using the Resend SDK for Node.js:
+
+```tsx
+import { Resend } from 'resend';
+import { WelcomeEmail } from './emails/welcome';
+
+const resend = new Resend(process.env.RESEND_API_KEY);
+
+const { data, error } = await resend.emails.send({
+ from: 'Acme ',
+ to: ['user@example.com'],
+ subject: 'Welcome to Acme',
+ react:
+});
+
+if (error) {
+ console.error('Failed to send:', error);
+}
+```
+
+The Node SDK automatically handles the plain-text rendering and HTML rendering for you.
+
+## Internationalization
+
+See [references/I18N.md](references/I18N.md) for complete i18n documentation.
+
+React Email supports three i18n libraries: next-intl, react-i18next, and react-intl.
+
+### Quick Example (next-intl)
+
+```tsx
+import { createTranslator } from 'next-intl';
+import {
+ Html,
+ Body,
+ Container,
+ Text,
+ Button,
+ Tailwind,
+ pixelBasedPreset
+} from '@react-email/components';
+
+interface EmailProps {
+ name: string;
+ locale: string;
+}
+
+export default async function WelcomeEmail({ name, locale }: EmailProps) {
+ const t = createTranslator({
+ messages: await import(\`../messages/\${locale}.json\`),
+ namespace: 'welcome-email',
+ locale
+ });
+
+ return (
+
+
+
+
+ {t('greeting')} {name},
+ {t('body')}
+
+
+
+
+
+ );
+}
+```
+
+Message files (\`messages/en.json\`, \`messages/es.json\`, etc.):
+
+```json
+{
+ "welcome-email": {
+ "greeting": "Hi",
+ "body": "Thanks for signing up!",
+ "cta": "Get Started"
+ }
+}
+```
+
+## Email Best Practices
+
+1. **Test across email clients** - Test in Gmail, Outlook, Apple Mail, Yahoo Mail. Use services like Litmus or Email on Acid for absolute precision and React Email's toolbar for specific feature support checking.
+
+2. **Keep it responsive** - Max-width around 600px, test on mobile devices.
+
+3. **Use absolute image URLs** - Host on reliable CDN, always include \`alt\` text.
+
+4. **Provide plain text version** - Required for accessibility and some email clients.
+
+5. **Keep file size under 102KB** - Gmail clips larger emails.
+
+6. **Add proper TypeScript types** - Define interfaces for all email props.
+
+7. **Include preview props** - Add \`.PreviewProps\` to components for development testing.
+
+8. **Handle errors** - Always check for errors when sending emails.
+
+9. **Use verified domains** - For production, use verified domains in \`from\` addresses.
+
+## Common Patterns
+
+See [references/PATTERNS.md](references/PATTERNS.md) for complete examples including:
+- Password reset emails
+- Order confirmations with product lists
+- Notification emails with code blocks
+- Multi-column layouts
+- Email templates with custom fonts
+
+## Additional Resources
+
+- [React Email Documentation](https://react.email/docs/llms.txt)
+- [React Email GitHub](https://github.com/resend/react-email)
+- [Resend Documentation](https://resend.com/docs/llms.txt)
+- [Email Client CSS Support](https://www.caniemail.com)
+- Component Reference: [references/COMPONENTS.md](references/COMPONENTS.md)
+- Internationalization Guide: [references/I18N.md](references/I18N.md)
+- Common Patterns: [references/PATTERNS.md](references/PATTERNS.md)
diff --git a/.agents/skills/react-email/TESTS.md b/.agents/skills/react-email/TESTS.md
new file mode 100644
index 00000000000..2db267b068d
--- /dev/null
+++ b/.agents/skills/react-email/TESTS.md
@@ -0,0 +1,878 @@
+# React Email Skill Tests
+
+Test scenarios for verifying skill compliance. Follow TDD: run these WITHOUT skill to establish baseline, then WITH skill to verify compliance.
+
+---
+
+## Email Client Limitations Tests
+
+### Test A1: Template Variables ({{name}})
+
+**Scenario:** User wants mustache-style template variables.
+
+**Prompt:**
+```
+Create a welcome email with a {{firstName}} placeholder for personalization - I use this with my templating system.
+```
+
+**Expected Behavior:**
+- Use `{props.firstName}` or `{firstName}` in JSX (valid TypeScript)
+- Put `{{firstName}}` ONLY in PreviewProps
+- Explain why mustache syntax can't go directly in JSX
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `firstName = "{{firstName}}"` as default prop value directly.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent used `{firstName}` in JSX, `{{firstName}}` only in PreviewProps.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+Hello {firstName}
+
+Email.PreviewProps = {
+ firstName: "{{firstName}}"
+};
+
+// WRONG - fails TypeScript/JSX
+Hello {{firstName}}
+```
+
+---
+
+### Test A2: SVG/WEBP Images
+
+**Scenario:** User wants to use SVG logo.
+
+**Prompt:**
+```
+Create an email with my SVG logo embedded inline.
+```
+
+**Expected Behavior:**
+- Warn user that SVG/WEBP don't render reliably in email clients (Gmail, Outlook, Yahoo)
+- Suggest using PNG or JPG instead
+- Do NOT embed inline SVG
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent embedded multiple inline SVGs throughout the template.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent warned about SVG limitations, used PNG placeholder instead.
+
+**Pass Criteria:**
+Agent refuses to use SVG and explains which email clients don't support it.
+
+---
+
+### Test A3: Flexbox Layout
+
+**Scenario:** User requests flexbox.
+
+**Prompt:**
+```
+Create an email with a flexible two-column layout using flexbox.
+```
+
+**Expected Behavior:**
+- Explain flexbox is not supported (Outlook uses Word rendering engine)
+- Use Row/Column components instead
+- Do NOT use `display: flex` or `flex-direction`
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `display: "flex"` and `flexDirection: "column"` in styles.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent used Row/Column components with table-based layout.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+ Left
+ Right
+
+
+// WRONG
+
...
+```
+
+---
+
+### Test A4: CSS Media Queries (sm:, md:, lg:)
+
+**Scenario:** User wants responsive breakpoints.
+
+**Prompt:**
+```
+Make the email responsive with different styles for mobile (sm:) and desktop (lg:) using Tailwind breakpoints.
+```
+
+**Expected Behavior:**
+- Explain media queries are not supported (Gmail strips them, Outlook ignores them)
+- Use mobile-first stacked layout that works on all sizes
+- Do NOT use sm:, md:, lg:, xl: classes
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `sm:text-xl`, `lg:text-3xl`, `sm:w-full`, `lg:w-1/2` throughout.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent used stacked mobile-friendly layout, no breakpoint classes.
+
+**Pass Criteria:**
+No responsive prefix classes (sm:, md:, lg:, xl:) appear in the code.
+
+---
+
+### Test A5: Dark Mode Theme Selectors
+
+**Scenario:** User wants dark mode support.
+
+**Prompt:**
+```
+Add dark mode support using the dark: variant.
+```
+
+**Expected Behavior:**
+- Explain dark: theme selectors are not supported in email clients
+- Apply dark colors directly in the theme/styles if user wants dark theme
+- Do NOT use `dark:bg-gray-900`, `dark:text-white`, etc.
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `dark:bg-gray-900`, `dark:text-white` throughout.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent applied dark colors directly (`bg-gray-900`, `text-white`) without dark: prefix.
+
+**Pass Criteria:**
+No `dark:` prefixed classes appear in the code. Dark theme applied directly if requested.
+
+---
+
+### Test A6: pixelBasedPreset Required
+
+**Scenario:** Any email template request.
+
+**Prompt:**
+```
+Create a simple welcome email with Tailwind styling.
+```
+
+**Expected Behavior:**
+- Always include `pixelBasedPreset` in Tailwind config
+- Explain email clients don't support `rem` units
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent did not mention or use pixelBasedPreset.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent included `presets: [pixelBasedPreset]` in Tailwind config.
+
+**Pass Criteria:**
+```tsx
+
+```
+
+---
+
+### Test A7: Border Type Specification
+
+**Scenario:** Email with dividers or bordered elements.
+
+**Prompt:**
+```
+Create an email with a horizontal divider and a bordered card section.
+```
+
+**Expected Behavior:**
+- Always specify border type (border-solid, border-dashed, etc.)
+- When using single-side borders, reset others (e.g., `border-none border-t border-solid`)
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+
+// WRONG - missing border type
+
+```
+
+---
+
+### Test A8: Button box-border
+
+**Scenario:** Email with CTA button.
+
+**Prompt:**
+```
+Create an email with a prominent call-to-action button.
+```
+
+**Expected Behavior:**
+- Always include `box-border` class on Button components
+- Prevents padding overflow issues
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent included `box-border` on Button.
+
+**Pass Criteria:**
+```tsx
+
+```
+
+---
+
+## User Interaction Tests
+
+### Test B1: Style Preferences Inquiry
+
+**Scenario:** User makes a vague request without specifying styling details.
+
+**Prompt:**
+```
+Create a welcome email for my SaaS product
+```
+
+**Expected Behavior:**
+Agent asks clarifying questions BEFORE writing code:
+- Brand colors (primary color hex code)
+- Logo availability and format
+- Tone/style preference (professional, casual, minimal)
+- Production URL for static assets
+
+**Baseline Result (2025-01-28):**
+✅ Agent naturally asked questions, but behavior was not codified (may be inconsistent).
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent asked all required questions per the "Before Writing Code" section.
+
+**Pass Criteria:**
+Agent asks at minimum about:
+1. Brand colors
+2. Logo availability (warns about SVG/WEBP)
+3. Style/tone preference
+4. Production hosting URL
+
+---
+
+### Test B2: Logo File Inquiry
+
+**Scenario:** User mentions they have brand assets but doesn't specify format.
+
+**Prompt:**
+```
+Create a welcome email for Acme Corp. We have brand assets.
+```
+
+**Expected Behavior:**
+Agent asks:
+- What logo format (PNG, JPG - warns if SVG/WEBP)
+- Where the logo file is located
+- What the production URL will be for hosting assets
+
+**Pass Criteria:**
+Agent specifically asks about logo format AND warns about SVG/WEBP limitations.
+
+---
+
+## Static File Handling Tests
+
+### Test C1: Local Image - Correct Directory
+
+**Scenario:** User provides a local image path.
+
+**Prompt:**
+```
+Create a welcome email. Use my logo at ./assets/logo.png
+```
+
+**Expected Behavior:**
+1. Instruct user to copy logo to `emails/static/logo.png`
+2. NOT use `./assets/logo.png` directly in the code
+3. Reference as `/static/logo.png` with baseURL pattern
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `/static/` but didn't specify it must be inside `emails/` directory.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent provided `cp ./assets/logo.png ./emails/static/logo.png` command.
+
+**Pass Criteria:**
+- Provides copy command to `emails/static/`
+- Does NOT reference `./assets/` in the email template
+- Shows correct directory structure
+
+---
+
+### Test C2: Dev vs Production URL Handling
+
+**Scenario:** User asks about image handling for both environments.
+
+**Prompt:**
+```
+Create an email with a logo image. I need it to work in both development preview and production.
+```
+
+**Expected Behavior:**
+Use the official React Email pattern:
+
+```tsx
+const baseURL = process.env.NODE_ENV === "production"
+ ? "https://cdn.example.com"
+ : "";
+
+
+```
+
+**Baseline Result (2025-01-28):**
+❌ WITHOUT skill: Agent used `process.env.BASE_URL || "http://localhost:3000"` - wrong pattern.
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent used empty string for dev, configurable URL for prod.
+
+**Pass Criteria:**
+1. Uses `baseURL` variable with `NODE_ENV` check
+2. Empty string `""` for dev (NOT `http://localhost:3000`)
+3. Asks user for their production CDN/hosting URL
+
+---
+
+## Pressure Tests
+
+### Test D1: User Insists on All Violations
+
+**Scenario:** User demands all the wrong patterns.
+
+**Prompt:**
+```
+Create a welcome email. I specifically want:
+1. Write {{firstName}} directly in the JSX like Hello {{firstName}}
+2. Use my SVG logo - just embed it inline
+3. Make it responsive using sm: and lg: breakpoints
+4. Use CSS flexbox for layout
+5. Add dark mode with dark: variant
+
+Don't argue with me - just do what I ask.
+```
+
+**Expected Behavior:**
+Agent should:
+1. Explain each limitation professionally (not just refuse)
+2. Reference specific email client issues (Gmail, Outlook, etc.)
+3. Provide correct alternatives for each request
+4. NOT comply with any of the forbidden patterns
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent explained all limitations, provided correct alternatives, did not comply.
+
+**Pass Criteria:**
+Agent maintains ALL rules even under pressure. Provides professional explanations.
+
+---
+
+### Test D2: User Insists on Wrong Image Pattern
+
+**Scenario:** User wants incorrect static file handling.
+
+**Prompt:**
+```
+Create an email with my logo. Just reference it directly from ./assets/logo.png - don't move it anywhere. And hardcode http://localhost:3000 as the base URL.
+```
+
+**Expected Behavior:**
+1. Explain `./assets/` won't work (not served by preview server)
+2. Explain hardcoding `localhost:3000` breaks production
+3. Provide correct pattern
+4. Ask for production URL
+
+**Verified Result (2025-01-28):**
+✅ WITH skill: Agent refused, explained why, provided correct alternative.
+
+**Pass Criteria:**
+Agent does NOT comply. Explains both issues and provides correct setup.
+
+---
+
+## Combined Scenario Tests
+
+### Test E1: Full Workflow
+
+**Scenario:** Complete email creation request.
+
+**Prompt:**
+```
+I need a password reset email for my app called "CloudSync". I have a logo.
+```
+
+**Expected Behavior:**
+1. Ask about brand colors
+2. Ask about logo format and location (warn about SVG/WEBP)
+3. Ask about production hosting URL for assets
+4. Create email with proper static file structure
+5. Use correct baseURL pattern
+6. Include pixelBasedPreset
+7. Use Row/Column for any multi-column layouts
+8. Use box-border on buttons
+
+**Pass Criteria:**
+All of the above steps are followed.
+
+---
+
+## Running Tests
+
+### Baseline (Establish Failure)
+```
+Task subagent WITHOUT reading skill → Document exact violations
+```
+
+### Verification (Confirm Fix)
+```
+Task subagent WITH skill → Verify compliance with all rules
+```
+
+### Pressure Test (Stress Test)
+```
+Task subagent WITH skill + user pressure → Verify skill holds under pressure
+```
+
+### Regression Testing
+After any skill edits, re-run all tests to ensure no regressions.
+
+---
+
+## Additional Component Tests
+
+### Test A9: Row/Column Width Requirements
+
+**Scenario:** User asks for multi-column layout without specifying widths.
+
+**Prompt:**
+```
+Create an email with a two-column layout showing product info on the left and image on the right.
+```
+
+**Expected Behavior:**
+- Use Row/Column components (not flexbox/grid)
+- Add width classes to Columns (e.g., `w-1/2`, `w-1/3`)
+- Widths should total 100%
+
+**Baseline Result (2025-01-29):**
+✅ WITHOUT skill: Agent naturally added `width: '50%'` to columns via inline styles.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+ Product info
+ Image
+
+
+// WRONG - no widths specified
+
+ Product info
+ Image
+
+```
+
+---
+
+### Test A10: Head Placement Inside Tailwind
+
+**Scenario:** Any email template using Tailwind and Head components.
+
+**Prompt:**
+```
+Create a welcome email with custom meta tags in the head.
+```
+
+**Expected Behavior:**
+- `` must be inside ``, not outside
+- Follows the documented component structure
+
+**Baseline Result (2025-01-29):**
+❌ WITHOUT skill: Agent placed `` OUTSIDE `` - wrong structure.
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent placed `` inside `` correctly.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+
+
+ ...
+
+
+
+// WRONG - Head outside Tailwind
+
+
+
+ ...
+
+
+```
+
+---
+
+### Test A11: CodeBlock Wrapper Requirement
+
+**Scenario:** Email with code snippet display.
+
+**Prompt:**
+```
+Create a notification email that shows a JSON error log in a code block.
+```
+
+**Expected Behavior:**
+- Wrap `CodeBlock` in a `div` with `overflow-auto` class
+- Prevents padding overflow issues
+
+**Baseline Result (2025-01-29):**
+❌ WITHOUT skill: Agent used CodeBlock without `overflow-auto` wrapper div.
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent wrapped CodeBlock in `
`.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+
+
+
+// WRONG - no wrapper div
+
+```
+
+---
+
+### Test A12: Grid Layout (CSS Grid)
+
+**Scenario:** User requests CSS grid.
+
+**Prompt:**
+```
+Create an email with a grid layout for displaying product cards.
+```
+
+**Expected Behavior:**
+- Explain CSS grid is not supported (same as flexbox - Outlook uses Word rendering)
+- Use Row/Column components instead
+- Do NOT use `display: grid` or `grid-template-columns`
+
+**Baseline Result (2025-01-29):**
+✅ WITHOUT skill: Agent naturally used Row/Column components, not CSS grid.
+
+**Pass Criteria:**
+```tsx
+// CORRECT
+
+ Card 1
+ Card 2
+ Card 3
+
+
+// WRONG
+
...
+```
+
+---
+
+### Test A13: Fixed Image Dimensions
+
+**Scenario:** User specifies exact pixel dimensions for images.
+
+**Prompt:**
+```
+Add my logo with exactly 500px width and 300px height.
+```
+
+**Expected Behavior:**
+- Warn against fixed dimensions that may distort images or break on mobile
+- Suggest responsive approach with aspect ratio preservation
+- Use width attribute for max size but allow responsive scaling
+
+**Pass Criteria:**
+Agent warns about fixed dimensions and suggests responsive approach:
+```tsx
+// PREFERRED
+
+
+// ACCEPTABLE - fixed width with auto height
+
+```
+
+---
+
+### Test A14: Clean Component Imports
+
+**Scenario:** Any email template request.
+
+**Prompt:**
+```
+Create a simple text-only welcome email with just a heading and paragraph.
+```
+
+**Expected Behavior:**
+- Only import components that are actually used
+- No unused imports like `Button`, `Img`, `Row`, `Column` for text-only email
+
+**Pass Criteria:**
+```tsx
+// CORRECT - only imports what's used
+import {
+ Html,
+ Head,
+ Body,
+ Container,
+ Heading,
+ Text,
+ Tailwind,
+ pixelBasedPreset
+} from '@react-email/components';
+
+// WRONG - imports unused components
+import {
+ Html,
+ Head,
+ Body,
+ Container,
+ Heading,
+ Text,
+ Button, // Not used
+ Img, // Not used
+ Row, // Not used
+ Column, // Not used
+ Tailwind,
+ pixelBasedPreset
+} from '@react-email/components';
+```
+
+---
+
+## Internationalization Tests
+
+### Test F1: Multi-Language Email Setup
+
+**Scenario:** User requests internationalization support.
+
+**Prompt:**
+```
+Create a welcome email that supports English, Spanish, and French.
+```
+
+**Expected Behavior:**
+- Use one of the supported i18n libraries (next-intl, react-i18next, react-intl)
+- Add `locale` prop to email component
+- Set `lang={locale}` on Html element
+- Create message file structure
+- Show how to send with different locales
+
+**Baseline Result (2025-01-29):**
+❌ WITHOUT skill: Agent used inline translations object (not i18n library), no `lang` attribute on Html.
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent used `next-intl` with `createTranslator`, added `lang={locale}` on Html, created proper message files.
+
+**Pass Criteria:**
+```tsx
+// Must include locale prop
+interface WelcomeEmailProps {
+ name: string;
+ locale: string; // Required
+}
+
+// Must set lang attribute
+
+
+// Must show message file structure
+// messages/en.json, messages/es.json, messages/fr.json
+```
+
+---
+
+### Test F2: RTL Language Support
+
+**Scenario:** Email for RTL language users.
+
+**Prompt:**
+```
+Create a welcome email for Arabic-speaking users.
+```
+
+**Expected Behavior:**
+- Detect RTL language and set `dir` attribute
+- Set `lang="ar"` on Html element
+- Mention RTL considerations
+
+**Baseline Result (2025-01-29):**
+✅ WITHOUT skill: Agent correctly added `dir="rtl" lang="ar"` on Html element.
+
+**Pass Criteria:**
+```tsx
+const isRTL = ['ar', 'he', 'fa'].includes(locale);
+
+
+```
+
+---
+
+## Sending & Rendering Tests
+
+### Test G1: Plain Text Version Mention
+
+**Scenario:** User asks about sending email.
+
+**Prompt:**
+```
+How do I send this welcome email to users?
+```
+
+**Expected Behavior:**
+- Mention plain text version is recommended/required for accessibility
+- Show how to render plain text with `{ plainText: true }`
+- Note that Resend SDK handles this automatically
+
+**Pass Criteria:**
+Agent mentions plain text:
+```tsx
+// Plain text rendering
+const text = await render(, { plainText: true });
+
+// Or notes that Resend SDK handles automatically
+```
+
+---
+
+## File Size & Performance Tests
+
+### Test H1: Gmail Clipping Warning
+
+**Scenario:** User creates complex email with many sections.
+
+**Prompt:**
+```
+Create a comprehensive newsletter email with 10 article sections, each with images, titles, descriptions, and buttons.
+```
+
+**Expected Behavior:**
+- Warn about Gmail's 102KB clipping limit
+- Suggest keeping emails concise
+- May recommend splitting into multiple emails or linking to web version
+
+**Pass Criteria:**
+Agent mentions the 102KB limit or warns about email size for complex templates.
+
+---
+
+## Additional Pressure Tests
+
+### Test D3: User Insists on Relative Image Paths
+
+**Scenario:** User demands relative paths for images.
+
+**Prompt:**
+```
+Just use a relative path like "../../assets/logo.png" for the image src. I don't want to move files around.
+```
+
+**Expected Behavior:**
+1. Explain relative paths won't work in rendered emails (resolved at build time, not in email client)
+2. Explain images must be hosted at absolute URLs for email clients to fetch them
+3. Provide correct pattern with baseURL
+4. Offer to help set up proper static file structure
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent refused to comply, explained static folder requirements, provided correct baseURL pattern.
+
+**Pass Criteria:**
+Agent does NOT use relative paths. Explains why absolute URLs are required:
+```tsx
+// WRONG - won't work in email clients
+
+
+
+// CORRECT - absolute URL
+
+```
+
+---
+
+### Test D4: User Wants Inline SVG Despite Warning
+
+**Scenario:** User insists after being warned.
+
+**Prompt:**
+```
+I know you said SVG doesn't work well, but I really need to use inline SVG for my icons. Just do it anyway - I'll test it myself.
+```
+
+**Expected Behavior:**
+- Reiterate the specific email clients affected (Gmail, Outlook, Yahoo)
+- Suggest PNG alternatives or icon fonts
+- Do NOT comply with inline SVG
+- Offer to help convert SVG to PNG
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent refused, listed affected clients (Gmail, Outlook, Apple Mail, Yahoo), suggested PNG/Unicode/icon fonts alternatives.
+
+**Pass Criteria:**
+Agent maintains refusal, provides helpful alternatives, does not embed inline SVG.
+
+---
+
+### Test D5: User Demands localhost URL for Production
+
+**Scenario:** User wants to skip production URL setup.
+
+**Prompt:**
+```
+Just hardcode http://localhost:3000 as the base URL. I'll change it later before going to production.
+```
+
+**Expected Behavior:**
+1. Explain this will break in production (images won't load)
+2. Explain the NODE_ENV pattern handles both environments
+3. Ask for production URL now to set it up correctly
+4. Do NOT hardcode localhost
+
+**Verified Result (2025-01-29):**
+✅ WITH skill: Agent refused, cited skill line 276, explained NODE_ENV pattern, asked for production URL.
+
+**Pass Criteria:**
+```tsx
+// WRONG
+const baseURL = "http://localhost:3000";
+
+// CORRECT
+const baseURL = process.env.NODE_ENV === "production"
+ ? "https://cdn.example.com" // Ask user for this
+ : "";
+```
diff --git a/.agents/skills/react-email/references/COMPONENTS.md b/.agents/skills/react-email/references/COMPONENTS.md
new file mode 100644
index 00000000000..96e7f9289ac
--- /dev/null
+++ b/.agents/skills/react-email/references/COMPONENTS.md
@@ -0,0 +1,429 @@
+# React Email Components Reference
+
+Complete reference for all React Email components. All examples use the Tailwind component for styling.
+
+**Important:** Only import the components you need. Do not use components in the code if you are not importing them.
+
+## Available Components
+
+All components are imported from `@react-email/components`:
+
+- **Body** - A React component to wrap emails
+- **Button** - A link that is styled to look like a button
+- **CodeBlock** - Display code with a selected theme and regex highlighting using Prism.js
+- **CodeInline** - Display a predictable inline code HTML element that works on all email clients
+- **Column** - Display a column that separates content areas vertically in your email (must be used with Row)
+- **Container** - A layout component that centers your content horizontally on a breaking point
+- **Font** - A React Font component to set your fonts
+- **Head** - Contains head components, related to the document such as style and meta elements
+- **Heading** - A block of heading text
+- **Hr** - Display a divider that separates content areas in your email
+- **Html** - A React html component to wrap emails
+- **Img** - Display an image in your email
+- **Link** - A hyperlink to web pages, email addresses, or anything else a URL can address
+- **Markdown** - A Markdown component that converts markdown to valid react-email template code
+- **Preview** - A preview text that will be displayed in the inbox of the recipient
+- **Row** - Display a row that separates content areas horizontally in your email
+- **Section** - Display a section that can also be formatted using rows and columns
+- **Tailwind** - A React component to wrap emails with Tailwind CSS
+- **Text** - A block of text separated by blank spaces
+
+## Tailwind
+
+The recommended way to style React Email components. Wrap your email content and use utility classes.
+
+```tsx
+import { Tailwind, pixelBasedPreset, Html, Body, Container, Heading, Text, Button } from '@react-email/components';
+
+export default function Email() {
+ return (
+
+
+
+
+
+ Welcome!
+
+
+ Your content here.
+
+
+
+
+
+
+ );
+}
+```
+
+**Props:**
+- `config` - Tailwind configuration object
+
+**How it works:**
+- Tailwind classes are converted to inline styles automatically
+- Media queries are extracted to `
+
+ {previewText}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ );
+}
+
+// export default function UsageReportEmailPreview() {
+// return (
+//
+// );
+// }
+
+export default async function renderEmail(payload: PayloadSchemaType, controls: ControlValueSchema) {
+ return await render();
+}
diff --git a/libs/notifications/src/workflows/usage-report/schemas.ts b/libs/notifications/src/workflows/usage-report/schemas.ts
new file mode 100644
index 00000000000..2b7762352dd
--- /dev/null
+++ b/libs/notifications/src/workflows/usage-report/schemas.ts
@@ -0,0 +1,45 @@
+import { z } from 'zod';
+
+export const controlValueSchema = z.object({
+ subject: z.string().default('Your Monthly Novu Usage Report'),
+ previewText: z.string().default('Your monthly Novu usage report'),
+});
+
+export const payloadSchema = z.object({
+ dateRangeFrom: z.string().datetime(),
+ dateRangeTo: z.string().datetime().optional(),
+ messagesSent: z.number(),
+ messagesSentChange: z.number(),
+ messagesSentUp: z.boolean(),
+ usersReached: z.number(),
+ usersReachedChange: z.number(),
+ usersReachedUp: z.boolean(),
+ workflowRuns: z.number(),
+ successRate: z.number(),
+ userInteractions: z.number(),
+ interactionRate: z.number(),
+ topProviders: z.array(
+ z.object({
+ name: z.string(),
+ count: z.number(),
+ })
+ ),
+ topWorkflows: z.array(
+ z.object({
+ name: z.string(),
+ count: z.number(),
+ })
+ ),
+ channels: z.array(
+ z.object({
+ name: z.string(),
+ value: z.number(),
+ })
+ ),
+ dashboardUrl: z.string(),
+ _nvDelayDuration: z.string().datetime().optional(),
+ _nvIsDelayEnabled: z.boolean().optional(),
+});
+
+export type PayloadSchemaType = z.infer;
+export type ControlValueSchema = z.infer;
diff --git a/libs/notifications/src/workflows/usage-report/usage-report.workflow.ts b/libs/notifications/src/workflows/usage-report/usage-report.workflow.ts
new file mode 100644
index 00000000000..b66e082317b
--- /dev/null
+++ b/libs/notifications/src/workflows/usage-report/usage-report.workflow.ts
@@ -0,0 +1,37 @@
+import { workflow } from '@novu/framework';
+import renderEmail from './email';
+import { controlValueSchema, payloadSchema } from './schemas';
+
+export const usageReportWorkflow = workflow(
+ 'monthly-usage-report',
+ async ({ step, payload }) => {
+ const parsedPayload = payloadSchema.parse(payload);
+
+ await step.delay(
+ 'delay',
+ async () => ({
+ type: 'dynamic' as const,
+ dynamicKey: 'payload._nvDelayDuration',
+ }),
+ {
+ skip: () => !parsedPayload._nvIsDelayEnabled || !parsedPayload._nvDelayDuration,
+ }
+ );
+
+ await step.email(
+ 'email',
+ async (controls) => {
+ return {
+ subject: controls.subject,
+ body: await renderEmail(payloadSchema.parse(payload), controls),
+ };
+ },
+ {
+ controlSchema: controlValueSchema,
+ }
+ );
+ },
+ {
+ payloadSchema: payloadSchema,
+ }
+);
diff --git a/packages/framework/src/constants/cron.constants.ts b/packages/framework/src/constants/cron.constants.ts
index 719d44812be..709c71b0822 100644
--- a/packages/framework/src/constants/cron.constants.ts
+++ b/packages/framework/src/constants/cron.constants.ts
@@ -51,6 +51,7 @@ export enum CronExpression {
EVERY_WEEKEND = '0 0 * * 6,0',
EVERY_1ST_DAY_OF_MONTH_AT_MIDNIGHT = '0 0 1 * *',
EVERY_1ST_DAY_OF_MONTH_AT_NOON = '0 12 1 * *',
+ EVERY_2ND_DAY_OF_MONTH_AT_10AM = '0 10 2 * *',
EVERY_2ND_HOUR = '0 */2 * * *',
EVERY_2ND_HOUR_FROM_1AM_THROUGH_11PM = '0 1-23/2 * * *',
EVERY_2ND_MONTH = '0 0 1 */2 *',
diff --git a/packages/shared/src/config/job-queue.ts b/packages/shared/src/config/job-queue.ts
index c50d645db92..7f71faaf718 100644
--- a/packages/shared/src/config/job-queue.ts
+++ b/packages/shared/src/config/job-queue.ts
@@ -27,4 +27,5 @@ export enum ObservabilityBackgroundTransactionEnum {
export enum JobCronNameEnum {
SEND_CRON_METRICS = 'send-cron-metrics',
CREATE_BILLING_USAGE_RECORDS = 'create-billing-usage-records',
+ SEND_USAGE_REPORT = 'send-usage-report',
}
diff --git a/packages/shared/src/types/cron.ts b/packages/shared/src/types/cron.ts
index 103edd7f05f..f4c4c4f27ab 100644
--- a/packages/shared/src/types/cron.ts
+++ b/packages/shared/src/types/cron.ts
@@ -51,7 +51,9 @@ export enum CronExpressionEnum {
EVERY_WEEKDAY = '0 0 * * 1-5',
EVERY_WEEKEND = '0 0 * * 6,0',
EVERY_1ST_DAY_OF_MONTH_AT_MIDNIGHT = '0 0 1 * *',
+ EVERY_1ST_DAY_OF_MONTH_AT_10AM = '0 10 1 * *',
EVERY_1ST_DAY_OF_MONTH_AT_NOON = '0 12 1 * *',
+ EVERY_2ND_DAY_OF_MONTH_AT_10AM = '0 10 2 * *',
EVERY_2ND_HOUR = '0 */2 * * *',
EVERY_2ND_HOUR_FROM_1AM_THROUGH_11PM = '0 1-23/2 * * *',
EVERY_2ND_MONTH = '0 0 1 */2 *',
diff --git a/packages/shared/src/types/feature-flags.ts b/packages/shared/src/types/feature-flags.ts
index 99dba662a6a..ccbc5f386e5 100644
--- a/packages/shared/src/types/feature-flags.ts
+++ b/packages/shared/src/types/feature-flags.ts
@@ -92,9 +92,13 @@ export enum FeatureFlagsKeysEnum {
IS_BILLING_USAGE_DETAILED_DIAGNOSTICS_ENABLED = 'IS_BILLING_USAGE_DETAILED_DIAGNOSTICS_ENABLED',
IS_CLICKHOUSE_BATCHING_ENABLED = 'IS_CLICKHOUSE_BATCHING_ENABLED',
IS_ORG_KILLSWITCH_FLAG_ENABLED = 'IS_ORG_KILLSWITCH_FLAG_ENABLED',
+ IS_USAGE_REPORT_ENABLED = 'IS_USAGE_REPORT_ENABLED',
+ IS_USAGE_REPORT_DELAY_ENABLED = 'IS_USAGE_REPORT_DELAY_ENABLED',
// String flags
CF_SCHEDULER_MODE = 'CF_SCHEDULER_MODE', // Values: "off" | "shadow" | "live" | "complete"
+ USAGE_REPORT_TRIGGER_SECRET = 'USAGE_REPORT_TRIGGER_SECRET',
+ USAGE_REPORT_OVERRIDE_EMAIL = 'USAGE_REPORT_OVERRIDE_EMAIL',
// Numeric flags
MAX_WORKFLOW_LIMIT_NUMBER = 'MAX_WORKFLOW_LIMIT_NUMBER',
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c366d883a12..d1b8ed53f5b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1897,6 +1897,9 @@ importers:
date-fns:
specifier: ^4.1.0
version: 4.1.0
+ date-fns-tz:
+ specifier: ^3.2.0
+ version: 3.2.0(date-fns@4.1.0)
mongoose:
specifier: ^8.9.5
version: 8.21.0(@aws-sdk/credential-providers@3.637.0(@aws-sdk/client-sso-oidc@3.726.0(@aws-sdk/client-sts@3.726.0)))(gcp-metadata@5.3.0(encoding@0.1.13))(socks@2.7.1)
@@ -2869,6 +2872,9 @@ importers:
'@react-email/render':
specifier: ^1.2.1
version: 1.4.0(react-dom@19.2.3(react@19.2.3))(react@19.2.3)
+ millify:
+ specifier: ^6.1.0
+ version: 6.1.0
react:
specifier: ^19.2.3
version: 19.2.3
@@ -4801,10 +4807,6 @@ packages:
resolution: {integrity: sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==}
engines: {node: '>=6.9.0'}
- '@babel/helper-validator-identifier@7.24.7':
- resolution: {integrity: sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==}
- engines: {node: '>=6.9.0'}
-
'@babel/helper-validator-identifier@7.27.1':
resolution: {integrity: sha512-D2hP9eA+Sqx1kBZgzxZh0y1trbuU+JoDkiEwqhQ36nodYqJwyEIhPSdMNd7lOm/4io72luTPWH20Yda0xOuUow==}
engines: {node: '>=6.9.0'}
@@ -5425,14 +5427,6 @@ packages:
resolution: {integrity: sha512-mGe7UK5wWyh0bKRfupsUchrQGqvDbZDbKJw+kcRGSmdHVYrv+ltd0pnpDTVpiTqnaBru9iEvA8pz8W46v0Amwg==}
engines: {node: '>=6.9.0'}
- '@babel/types@7.22.19':
- resolution: {integrity: sha512-P7LAw/LbojPzkgp5oznjE6tQEIWbp4PkkfrZDINTro9zgBRtI324/EYsiSI7lhPbpIQ+DCeR2NNmMWANGGfZsg==}
- engines: {node: '>=6.9.0'}
-
- '@babel/types@7.23.0':
- resolution: {integrity: sha512-0oIyUfKoI3mSqMvsxBdclDwxXKXAUA8v/apZbc+iSyARYou1o8ZGDxbUYyLFoW2arqS2jDGqJuZvv1d/io1axg==}
- engines: {node: '>=6.9.0'}
-
'@babel/types@7.25.6':
resolution: {integrity: sha512-/l42B1qxpG6RdfYf343Uw1vmDjeNhneUXtzhojE7pDgfpEypmRhI6j1kr17XCVv4Cgl9HdAiQY2x0GwKm7rWCw==}
engines: {node: '>=6.9.0'}
@@ -15339,6 +15333,7 @@ packages:
aws-sdk@2.1354.0:
resolution: {integrity: sha512-3aDxvyuOqMB9DqJguCq6p8momdsz0JR1axwkWOOCzHA7a35+Bw+WLmqt3pWwRjR1tGIwkkZ2CvGJObYHsOuw3w==}
engines: {node: '>= 10.0.0'}
+ deprecated: The AWS SDK for JavaScript (v2) has reached end-of-support, and no longer receives updates. Please migrate your code to use AWS SDK for JavaScript (v3). More info https://a.co/cUPnyil
aws-sign2@0.7.0:
resolution: {integrity: sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==}
@@ -18720,46 +18715,50 @@ packages:
glob@10.4.2:
resolution: {integrity: sha512-GwMlUF6PkPo3Gk21UxkCohOv0PLcIXVtKyLlpEI28R/cO/4eNOdmLk3CMW1wROV/WR/EsZOWAfBbBOqYvs88/w==}
engines: {node: '>=16 || 14 >=14.18'}
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
hasBin: true
glob@10.4.5:
resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
hasBin: true
glob@11.0.0:
resolution: {integrity: sha512-9UiX/Bl6J2yaBbxKoEBRm4Cipxgok8kQYcOPEhScPwebu2I0HoQOuYdIO6S3hLuWoZgpDpwQZMzTFxgpkyT76g==}
engines: {node: 20 || >=22}
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
hasBin: true
glob@6.0.4:
resolution: {integrity: sha512-MKZeRNyYZAVVVG1oZeLaWie1uweH40m9AZwIwxyPbTSX4hHrVYSzLg0Ro5Z5R7XKkIX+Cc6oD1rqeDJnwsB8/A==}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@7.1.6:
resolution: {integrity: sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@7.2.0:
resolution: {integrity: sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@7.2.3:
resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@8.0.3:
resolution: {integrity: sha512-ull455NHSHI/Y1FqGaaYFaLGkNMMJbavMrEGFXG/PGrg6y7sutWHUHrz6gy6WEBH6akM1M414dWKCNs+IhKdiQ==}
engines: {node: '>=12'}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@8.1.0:
resolution: {integrity: sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==}
engines: {node: '>=12'}
- deprecated: Glob versions prior to v9 are no longer supported
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
glob@9.3.5:
resolution: {integrity: sha512-e1LleDykUz2Iu+MTYdkSsuWX8lvAjAcs0Xef0lNIu0S2wOAzuTxCJtcd9S3cijlwYF18EsU3rzb8jPVobxDh9Q==}
engines: {node: '>=16 || 14 >=14.17'}
+ deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
global-dirs@0.1.1:
resolution: {integrity: sha512-NknMLn7F2J7aflwFOlGdNIuCDpN3VGoSoB+aap3KABFWbHVn1TCgFC+np23J8W2BiZbjfEw3BFBycSMv1AFblg==}
@@ -21514,6 +21513,10 @@ packages:
resolution: {integrity: sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==}
engines: {node: '>=8.6'}
+ millify@6.1.0:
+ resolution: {integrity: sha512-H/E3J6t+DQs/F2YgfDhxUVZz/dF8JXPPKTLHL/yHCcLZLtCXJDUaqvhJXQwqOVBvbyNn4T0WjLpIHd7PAw7fBA==}
+ hasBin: true
+
mime-db@1.52.0:
resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==}
engines: {node: '>= 0.6'}
@@ -30256,12 +30259,12 @@ snapshots:
'@babel/helper-module-imports@7.21.4':
dependencies:
- '@babel/types': 7.22.19
+ '@babel/types': 7.28.2
'@babel/helper-module-imports@7.24.7':
dependencies:
'@babel/traverse': 7.25.6
- '@babel/types': 7.25.6
+ '@babel/types': 7.28.2
transitivePeerDependencies:
- supports-color
@@ -30358,8 +30361,6 @@ snapshots:
'@babel/helper-string-parser@7.27.1': {}
- '@babel/helper-validator-identifier@7.24.7': {}
-
'@babel/helper-validator-identifier@7.27.1': {}
'@babel/helper-validator-option@7.23.5': {}
@@ -30756,7 +30757,7 @@ snapshots:
'@babel/core': 7.28.0
'@babel/helper-module-transforms': 7.25.2(@babel/core@7.28.0)
'@babel/helper-plugin-utils': 7.27.1
- '@babel/helper-validator-identifier': 7.24.7
+ '@babel/helper-validator-identifier': 7.27.1
'@babel/traverse': 7.25.6
transitivePeerDependencies:
- supports-color
@@ -31067,7 +31068,7 @@ snapshots:
dependencies:
'@babel/core': 7.28.0
'@babel/helper-plugin-utils': 7.27.1
- '@babel/types': 7.23.0
+ '@babel/types': 7.28.2
esutils: 2.0.3
'@babel/preset-react@7.28.5(@babel/core@7.28.0)':
@@ -31141,18 +31142,6 @@ snapshots:
transitivePeerDependencies:
- supports-color
- '@babel/types@7.22.19':
- dependencies:
- '@babel/helper-string-parser': 7.27.1
- '@babel/helper-validator-identifier': 7.27.1
- to-fast-properties: 2.0.0
-
- '@babel/types@7.23.0':
- dependencies:
- '@babel/helper-string-parser': 7.27.1
- '@babel/helper-validator-identifier': 7.27.1
- to-fast-properties: 2.0.0
-
'@babel/types@7.25.6':
dependencies:
'@babel/helper-string-parser': 7.27.1
@@ -34319,7 +34308,7 @@ snapshots:
'@napi-rs/wasm-runtime@0.2.12':
dependencies:
'@emnapi/core': 1.4.3
- '@emnapi/runtime': 1.4.3
+ '@emnapi/runtime': 1.7.1
'@tybys/wasm-util': 0.10.0
optional: true
@@ -45150,7 +45139,7 @@ snapshots:
compressible@2.0.18:
dependencies:
- mime-db: 1.52.0
+ mime-db: 1.53.0
compression-webpack-plugin@10.0.0(webpack@5.94.0):
dependencies:
@@ -45805,6 +45794,10 @@ snapshots:
dependencies:
date-fns: 2.29.3
+ date-fns-tz@3.2.0(date-fns@4.1.0):
+ dependencies:
+ date-fns: 4.1.0
+
date-fns@1.30.1: {}
date-fns@2.29.3: {}
@@ -52116,6 +52109,10 @@ snapshots:
braces: 3.0.3
picomatch: 2.3.1
+ millify@6.1.0:
+ dependencies:
+ yargs: 17.7.2
+
mime-db@1.52.0: {}
mime-db@1.53.0: {}
@@ -52783,7 +52780,7 @@ snapshots:
dependencies:
'@next/env': 15.4.10
'@swc/helpers': 0.5.15
- caniuse-lite: 1.0.30001734
+ caniuse-lite: 1.0.30001764
postcss: 8.4.31
react: 18.3.1
react-dom: 18.3.1(react@18.3.1)
From 874cf4b125609a262ffd8bcf0d272a20947bb7ff Mon Sep 17 00:00:00 2001
From: Dima Grossman
Date: Mon, 16 Feb 2026 20:46:43 +0200
Subject: [PATCH 2/2] fix(providers): Upgrade mailersend to latest version and
fix message id response (#10052)
---
packages/providers/package.json | 2 +-
.../mailersend/mailersend.provider.spec.ts | 146 --
.../email/mailersend/mailersend.provider.ts | 35 +-
pnpm-lock.yaml | 1263 +----------------
4 files changed, 55 insertions(+), 1391 deletions(-)
delete mode 100644 packages/providers/src/lib/email/mailersend/mailersend.provider.spec.ts
diff --git a/packages/providers/package.json b/packages/providers/package.json
index 2d9a2e4ec91..7c05b8a5bec 100644
--- a/packages/providers/package.json
+++ b/packages/providers/package.json
@@ -59,7 +59,7 @@
"expo-server-sdk": "^3.6.0",
"firebase-admin": "^13.3.0",
"form-data": "^4.0.5",
- "mailersend": "^1.3.1",
+ "mailersend": "^2.6.0",
"mailgun.js": "^8.0.1",
"mailtrap": "^3.1.1",
"messagebird": "^4.0.1",
diff --git a/packages/providers/src/lib/email/mailersend/mailersend.provider.spec.ts b/packages/providers/src/lib/email/mailersend/mailersend.provider.spec.ts
deleted file mode 100644
index a2a0d82b2ed..00000000000
--- a/packages/providers/src/lib/email/mailersend/mailersend.provider.spec.ts
+++ /dev/null
@@ -1,146 +0,0 @@
-import { CheckIntegrationResponseEnum } from '@novu/stateless';
-import MailerSend, { Attachment, Recipient } from 'mailersend';
-import { expect, test, vi } from 'vitest';
-import { MailersendEmailProvider } from './mailersend.provider';
-
-const mockConfig = {
- apiKey: 'SG.1234',
- senderName: 'Novu Team',
-};
-
-const mockNovuMessage = {
- to: ['test@test1.com', 'test@test2.com'],
- subject: 'test subject',
- html: '
+ );
+}
+```
+
+**How it works:**
+- **Development:** `baseURL` is empty, so URL is `/static/logo.png` - served by React Email's dev server
+- **Production:** `baseURL` is the CDN domain, so URL is `https://cdn.example.com/static/logo.png`
+
+**Important:** Always ask the user for their production hosting URL. Do not hardcode `localhost:3000`.
+
+## Behavioral guidelines
+- When re-iterating over the code, make sure you are only updating what the user asked for and keeping the rest of the code intact;
+- If the user is asking to use media queries, inform them that email clients do not support them, and suggest a different approach;
+- Never use template variables (like {{name}}) directly in TypeScript code. Instead, reference the underlying properties directly (use name instead of {{name}}).
+- - For example, if the user explicitly asks for a variable following the pattern {{variableName}}, you should return something like this:
+
+```typescript
+const EmailTemplate = (props) => {
+ return (
+ {/* ... rest of the code ... */}
+ 
+
+
+// CORRECT - absolute URL
+