Skip to content

feat(tanstack-react-start): Add keyless mode support #7518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
brkalow wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(tanstack-react-start): Add keyless mode support #7518

brkalow wants to merge 4 commits into from

Conversation

@brkalow
Copy link
Member

@brkalow brkalow commented Dec 19, 2025
edited by coderabbitai bot
Loading

Adds keyless mode support to @clerk/tanstack-react-start, enabling developers to get started without API keys in development.

Changes

  • Added file-based keyless storage (fileStorage.ts)
  • Integrated keyless service with clerkMiddleware
  • Updated ClerkProvider to pass keyless URLs to the client
  • Added canUseKeyless feature flag (respects VITE_CLERK_KEYLESS_DISABLED)
  • Updated loadOptions to handle missing keys in keyless mode

Implementation

Uses the shared createKeylessService from @clerk/shared/keyless with a lazy singleton pattern and proper error handling for API calls.

Summary by CodeRabbit

Release Notes

  • New Features

    • Introduced a new keyless service architecture with simplified credential management stored in the .clerk directory.
    • Added development-focused logging for keyless mode setup.

  • Refactor

    • Consolidated keyless implementation details across modules for improved maintainability.
    • Simplified credential storage and retrieval mechanisms.

  • Documentation

    • Removed obsolete code examples from documentation.

✏️ Tip: You can customize this high-level summary in your review settings.
@changeset-bot
Copy link

changeset-bot bot commented Dec 19, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 8739d13

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR
@vercel
Copy link

vercel bot commented Dec 19, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Review Updated (UTC)
clerk-js-sandbox Skipped Skipped Dec 20, 2025 3:39am
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 19, 2025

📝 Walkthrough

Walkthrough

This pull request refactors the keyless authentication system across multiple packages. Changes include removing keyless environment drift detection and telemetry from the NextJS package, consolidating keyless implementation into a shared service module with a singleton factory pattern, and replacing direct function exports with a keyless() function. File storage for configuration is restructured under a .clerk/.tmp directory. Development cache and logging utilities are moved to @clerk/shared/keyless. Metadata header collection and custom header utilities are eliminated. TanStack React Start middleware is updated to support keyless mode with file-based storage. Several documentation examples are removed.

Pre-merge checks

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 35.71% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(tanstack-react-start): Add keyless mode support' accurately reflects the main change in the PR, which focuses on adding keyless mode functionality to the TanStack React Start package.

Comment @coderabbitai help to get the list of available commands and usage tips.
coderabbitai[bot]
coderabbitai bot reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (4)
packages/tanstack-react-start/src/server/keyless/index.ts (2)

14-31: Silent error swallowing may hide important failures.

Both createAccountlessApplication and completeOnboarding catch all errors and return null without logging. This makes debugging difficult when keyless mode silently fails to initialize or complete onboarding.

Consider logging errors at an appropriate level before returning null:

Suggested improvement 
 async createAccountlessApplication(requestHeaders?: Headers) { try { return await clerkClient().__experimental_accountlessApplications.createAccountlessApplication({ requestHeaders, }); - } catch { + } catch (error) { + console.warn('[Clerk] Failed to create accountless application:', error); return null; } }, async completeOnboarding(requestHeaders?: Headers) { try { return await clerkClient().__experimental_accountlessApplications.completeAccountlessApplicationOnboarding({ requestHeaders, }); - } catch { + } catch (error) { + console.warn('[Clerk] Failed to complete onboarding:', error); return null; } },

9-37: Consider adding explicit return type annotation.

Per coding guidelines, public APIs should have explicit return types. The function relies on type inference from createKeylessService.

-export function keyless() { +export function keyless(): ReturnType<typeof createKeylessService> {
packages/tanstack-react-start/src/server/keyless/fileStorage.ts (2)

101-113: Silent failure on lock contention could cause unexpected behavior.

When write() fails to acquire the lock, it silently returns without writing. The caller has no way to know the operation was skipped. This could lead to stale configuration being used.

Consider returning a boolean to indicate success, or throwing an error:

Suggested approach 
- write(data: string): void { + write(data: string): boolean { if (!lock()) { - return; + return false; } try { ensureDirectoryExists(); updateGitignore(); writeReadme(); fs.writeFileSync(getConfigPath(), data, { encoding: 'utf8', mode: 0o600 }); + return true; } finally { unlock(); } },

64-76: Verify .gitignore handling for edge cases.

The updateGitignore function appends to .gitignore without checking if the file ends with a newline. If the existing .gitignore doesn't end with a newline, the entry will be appended to the last line.

Suggested fix 
 const content = fs.readFileSync(gitignorePath, 'utf-8'); if (!content.includes(entry)) { - fs.appendFileSync(gitignorePath, `\n# clerk configuration (can include secrets)\n${entry}\n`); + const prefix = content.length > 0 && !content.endsWith('\n') ? '\n' : ''; + fs.appendFileSync(gitignorePath, `${prefix}\n# clerk configuration (can include secrets)\n${entry}\n`); }
📜 Review details

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e76d248 and 483a9fc.

📒 Files selected for processing (26)
  • packages/nextjs/src/app-router/client/ClerkProvider.tsx (0 hunks)
  • packages/nextjs/src/app-router/keyless-actions.ts (2 hunks)
  • packages/nextjs/src/app-router/server/ClerkProvider.tsx (0 hunks)
  • packages/nextjs/src/app-router/server/keyless-provider.tsx (4 hunks)
  • packages/nextjs/src/server/keyless-custom-headers.ts (0 hunks)
  • packages/nextjs/src/server/keyless-log-cache.ts (1 hunks)
  • packages/nextjs/src/server/keyless-node.ts (1 hunks)
  • packages/nextjs/src/server/keyless-telemetry.ts (0 hunks)
  • packages/nextjs/src/utils/feature-flags.ts (1 hunks)
  • packages/shared/docs/use-clerk.md (0 hunks)
  • packages/shared/docs/use-session-list.md (0 hunks)
  • packages/shared/docs/use-session.md (0 hunks)
  • packages/shared/docs/use-user.md (0 hunks)
  • packages/shared/package.json (1 hunks)
  • packages/shared/src/keyless/devCache.ts (1 hunks)
  • packages/shared/src/keyless/index.ts (1 hunks)
  • packages/shared/src/keyless/service.ts (1 hunks)
  • packages/shared/src/keyless/types.ts (1 hunks)
  • packages/shared/tsdown.config.mts (1 hunks)
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx (2 hunks)
  • packages/tanstack-react-start/src/client/utils.ts (3 hunks)
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts (2 hunks)
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts (1 hunks)
  • packages/tanstack-react-start/src/server/keyless/index.ts (1 hunks)
  • packages/tanstack-react-start/src/server/loadOptions.ts (3 hunks)
  • packages/tanstack-react-start/src/utils/feature-flags.ts (1 hunks)
💤 Files with no reviewable changes (8)
  • packages/nextjs/src/app-router/client/ClerkProvider.tsx
  • packages/nextjs/src/server/keyless-custom-headers.ts
  • packages/shared/docs/use-user.md
  • packages/shared/docs/use-session-list.md
  • packages/shared/docs/use-clerk.md
  • packages/nextjs/src/server/keyless-telemetry.ts
  • packages/shared/docs/use-session.md
  • packages/nextjs/src/app-router/server/ClerkProvider.tsx
🧰 Additional context used
📓 Path-based instructions (16)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/shared/src/keyless/types.ts
  • packages/shared/package.json
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

  • packages/shared/src/keyless/types.ts
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

  • packages/shared/src/keyless/types.ts
  • packages/shared/package.json
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*

⚙️ CodeRabbit configuration file

If there are no tests added or modified as part of the PR, please suggest that tests be added to cover the changes.

**/*: Only comment on issues that would block merging, ignore minor or stylistic concerns.
Restrict feedback to errors, security risks, or functionality-breaking problems.
Do not post comments on code style, formatting, or non-critical improvements.
Keep reviews short: flag only issues that make the PR unsafe to merge.
Group similar issues into a single comment instead of posting multiple notes.
Skip repetition: if a pattern repeats, mention it once at a summary level only.
Do not add general suggestions, focus strictly on merge-blocking concerns.
If there are no critical problems, respond with minimal approval (e.g., 'Looks good'). Do not add additional review.
Avoid line-by-line commentary unless it highlights a critical bug or security hole.
Highlight only issues that could cause runtime errors, data loss, or severe maintainability issues.
Ignore minor optimization opportunities, focus solely on correctness and safety.
Provide a top-level summary of critical blockers rather than detailed per-line notes.
Comment only when the issue must be resolved before merge, otherwise remain silent.
When in doubt, err on the side of fewer comments, brevity and blocking issues only.
Avoid posting any refactoring issues.

Files:

  • packages/shared/src/keyless/types.ts
  • packages/shared/package.json
  • packages/tanstack-react-start/src/utils/feature-flags.ts
  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
  • packages/shared/tsdown.config.mts
  • packages/nextjs/src/app-router/keyless-actions.ts
  • packages/tanstack-react-start/src/server/clerkMiddleware.ts
  • packages/nextjs/src/server/keyless-log-cache.ts
  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/shared/src/keyless/devCache.ts
  • packages/nextjs/src/server/keyless-node.ts
  • packages/shared/src/keyless/service.ts
  • packages/tanstack-react-start/src/server/loadOptions.ts
  • packages/nextjs/src/utils/feature-flags.ts
  • packages/tanstack-react-start/src/client/utils.ts
  • packages/tanstack-react-start/src/server/keyless/fileStorage.ts
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
packages/*/package.json

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/*/package.json: Packages should export TypeScript types alongside runtime code
Follow semantic versioning for all packages

All packages must be published under @clerk namespace

packages/*/package.json: Framework packages should depend on @clerk/clerk-js for core functionality
@clerk/shared should be a common dependency for most packages in the monorepo

Files:

  • packages/shared/package.json
**/package.json

📄 CodeRabbit inference engine (.cursor/rules/global.mdc)

Use pnpm as the package manager for this monorepo

Files:

  • packages/shared/package.json
**/index.ts

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

Avoid barrel files (index.ts re-exports) as they can cause circular dependencies

Files:

  • packages/shared/src/keyless/index.ts
  • packages/tanstack-react-start/src/server/keyless/index.ts
**/*.tsx

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.tsx: Use error boundaries in React components
Minimize re-renders in React components

**/*.tsx: Use proper type definitions for props and state in React components
Leverage TypeScript's type inference where possible in React components
Use proper event types for handlers in React components
Implement proper generic types for reusable React components
Use proper type guards for conditional rendering in React components

Files:

  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{md,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Update documentation for API changes

Files:

  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
**/*.{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/react.mdc)

**/*.{jsx,tsx}: Always use functional components with hooks instead of class components
Follow PascalCase naming for components (e.g., UserProfile, NavigationMenu)
Keep components focused on a single responsibility - split large components
Limit component size to 150-200 lines; extract logic into custom hooks
Use composition over inheritance - prefer smaller, composable components
Export components as named exports for better tree-shaking
One component per file with matching filename and component name
Separate UI components from business logic components
Use useState for simple state management in React components
Use useReducer for complex state logic in React components
Implement proper state initialization in React components
Use proper state updates with callbacks in React components
Implement proper state cleanup in React components
Use Context API for theme/authentication state management
Implement proper state persistence in React applications
Use React.memo for expensive components
Implement proper useCallback for handlers in React components
Use proper useMemo for expensive computations in React components
Implement proper virtualization for lists in React components
Use proper code splitting with React.lazy in React applications
Implement proper cleanup in useEffect hooks
Use proper refs for DOM access in React components
Implement proper event listener cleanup in React components
Use proper abort controllers for fetch in React components
Implement proper subscription cleanup in React components
Use proper HTML elements for semantic HTML in React components
Implement proper ARIA attributes for accessibility in React components
Use proper heading hierarchy in React components
Implement proper form labels in React components
Use proper button types in React components
Implement proper focus management for keyboard navigation in React components
Use proper keyboard shortcuts in React components
Implement proper tab order in React components
Use proper ...

Files:

  • packages/tanstack-react-start/src/client/ClerkProvider.tsx
  • packages/nextjs/src/app-router/server/keyless-provider.tsx
🧬 Code graph analysis (5)
packages/tanstack-react-start/src/utils/feature-flags.ts (3)
packages/nextjs/src/server/constants.ts (1)
  • KEYLESS_DISABLED (27-27)
packages/shared/src/underscore.ts (1)
  • isTruthy (118-152)
packages/shared/src/getEnvVariable.ts (1)
  • getEnvVariable (18-50)
packages/tanstack-react-start/src/client/ClerkProvider.tsx (1)
packages/tanstack-react-start/src/client/utils.ts (2)
  • pickFromClerkInitState (6-56)
  • mergeWithPublicEnvs (58-72)
packages/shared/src/keyless/devCache.ts (3)
packages/shared/src/keyless/index.ts (7)
  • ClerkDevCache (7-7)
  • createClerkDevCache (3-3)
  • createKeylessModeMessage (5-5)
  • AccountlessApplication (12-12)
  • PublicKeylessApplication (12-12)
  • createConfirmationMessage (4-4)
  • clerkDevelopmentCache (2-2)
packages/nextjs/src/server/keyless-log-cache.ts (4)
  • createClerkDevCache (7-7)
  • createKeylessModeMessage (9-9)
  • createConfirmationMessage (8-8)
  • clerkDevelopmentCache (6-6)
packages/shared/src/keyless/types.ts (2)
  • AccountlessApplication (5-10)
  • PublicKeylessApplication (15-15)
packages/tanstack-react-start/src/server/loadOptions.ts (3)
packages/tanstack-react-start/src/utils/feature-flags.ts (1)
  • canUseKeyless (11-11)
packages/clerk-js/src/core/clerk.ts (1)
  • isSatellite (324-329)
packages/shared/src/keys.ts (1)
  • isDevelopmentFromSecretKey (230-232)
packages/nextjs/src/utils/feature-flags.ts (1)
packages/nextjs/src/server/constants.ts (1)
  • KEYLESS_DISABLED (27-27)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
  • GitHub Check: Integration Tests (nuxt, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 16)
  • GitHub Check: Integration Tests (billing, chrome, RQ)
  • GitHub Check: Integration Tests (handshake, chrome)
  • GitHub Check: Integration Tests (react-router, chrome)
  • GitHub Check: Integration Tests (quickstart, chrome, 15)
  • GitHub Check: Integration Tests (tanstack-react-start, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 15)
  • GitHub Check: Integration Tests (generic, chrome)
  • GitHub Check: Integration Tests (handshake:staging, chrome)
  • GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
  • GitHub Check: Integration Tests (astro, chrome)
  • GitHub Check: Integration Tests (machine, chrome, RQ)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (18)
packages/shared/tsdown.config.mts (1)

52-52: LGTM!

Build configuration correctly adds the keyless module entry point.

packages/shared/src/keyless/devCache.ts (1)

1-109: LGTM!

The development cache implementation with throttled logging and async caching is well-structured. The singleton pattern via globalThis is appropriate for cross-module state in development.

packages/tanstack-react-start/src/utils/feature-flags.ts (1)

1-11: LGTM!

Feature flag correctly restricts keyless mode to development environments with an opt-out mechanism.

packages/tanstack-react-start/src/client/ClerkProvider.tsx (1)

36-73: LGTM!

Keyless mode props are correctly conditionally passed to the provider only when available.

packages/shared/src/keyless/types.ts (1)

1-15: LGTM!

Type definitions correctly separate full application data from public-facing data that excludes the secret key.

packages/nextjs/src/app-router/keyless-actions.ts (1)

51-93: LGTM!

The migration to the new keyless() service API with dynamic imports is implemented correctly. Error handling appropriately catches failures.

packages/nextjs/src/utils/feature-flags.ts (1)

1-8: LGTM!

The refactoring to use the shared canUseKeyless utility centralizes the keyless logic appropriately. The public API remains unchanged.

packages/tanstack-react-start/src/server/loadOptions.ts (1)

33-47: LGTM!

The keyless mode guard correctly allows missing secretKey when canUseKeyless is true. The added secretKey check on line 44 properly prevents calling isDevelopmentFromSecretKey with undefined.

packages/shared/package.json (1)

53-62: LGTM!

The new ./keyless export follows the established pattern used by other exports in this package.

packages/tanstack-react-start/src/server/clerkMiddleware.ts (2)

16-46: LGTM!

The keyless mode integration is well-structured. The flow correctly:

  • Only activates when canUseKeyless is true and keys are missing
  • Gracefully handles null response from getOrCreateKeys()
  • Preserves user-provided keys via the || operator

71-78: Consider using proper type augmentation for internal state.

The double type cast (clerkInitialState as Record<string, unknown>).__internal_clerk_state is functional but loses type safety. Not blocking, but worth noting for future type improvements.

packages/tanstack-react-start/src/client/utils.ts (1)

6-55: LGTM!

The keyless URL fields are correctly added as optional properties and properly extracted from the clerk init state.

packages/shared/src/keyless/index.ts (1)

1-12: LGTM!

This barrel file serves as the public API entry point for the @clerk/shared/keyless module, consolidating exports from distinct leaf modules. The separation of runtime exports and type-only exports is clean.

packages/nextjs/src/server/keyless-log-cache.ts (1)

1-10: LGTM!

Clean re-export maintaining backward compatibility with existing imports while consolidating implementation in the shared module.

packages/nextjs/src/app-router/server/keyless-provider.tsx (3)

20-22: LGTM!

Correctly migrated to the new keyless service API with appropriate optional chaining for null safety.

45-47: LGTM!

Migration to getOrCreateKeys() aligns with the new keyless service interface.

84-100: LGTM!

The updated key retrieval and simplified onboarding call (without requestHeaders) align with the broader metadata header removal in this refactor.

packages/tanstack-react-start/src/server/keyless/fileStorage.ts (1)

1-128: Tests should be added for the file storage implementation.

This file contains critical functionality (locking, file I/O, gitignore manipulation) that would benefit from unit tests covering:

  • Lock acquisition/release
  • Concurrent access scenarios
  • Edge cases (missing directories, permission errors)
  • Gitignore update logic
packages/tanstack-react-start/src/server/keyless/fileStorage.ts
Comment on lines +27 to +44
const isLocked = (): boolean => inMemoryLock || fs.existsSync(getLockPath());

const lock = (): boolean => {
if (isLocked()) {
return false;
}
inMemoryLock = true;
try {
fs.writeFileSync(getLockPath(), 'This file can be deleted if your app is stuck.', {
encoding: 'utf8',
mode: 0o644,
});
return true;
} catch {
inMemoryLock = false;
return false;
}
};
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Race condition in lock acquisition (TOCTOU vulnerability).

The locking mechanism has a time-of-check to time-of-use race condition. Between isLocked() returning false and writeFileSync completing, another process could acquire the lock. The in-memory flag only protects within the same Node.js process.

Use the wx flag (exclusive creation) to atomically create the lock file, which fails if the file already exists:

Suggested fix 
 const lock = (): boolean => { - if (isLocked()) { + if (inMemoryLock) { return false; } inMemoryLock = true; try { - fs.writeFileSync(getLockPath(), 'This file can be deleted if your app is stuck.', { + fs.writeFileSync(getLockPath(), `locked at ${Date.now()}`, { + flag: 'wx', // Exclusive creation - fails if file exists encoding: 'utf8', - mode: 0o644, + mode: 0o644 }); return true; } catch { inMemoryLock = false; return false; } };
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const isLocked = (): boolean => inMemoryLock || fs.existsSync(getLockPath());
const lock = (): boolean => {
if (isLocked()) {
return false;
}
inMemoryLock = true;
try {
fs.writeFileSync(getLockPath(), 'This file can be deleted if your app is stuck.', {
encoding: 'utf8',
mode: 0o644,
});
return true;
} catch {
inMemoryLock = false;
return false;
}
};
const isLocked = (): boolean => inMemoryLock || fs.existsSync(getLockPath());
const lock = (): boolean => {
if (inMemoryLock) {
return false;
}
inMemoryLock = true;
try {
fs.writeFileSync(getLockPath(), `locked at ${Date.now()}`, {
flag: 'wx', // Exclusive creation - fails if file exists
encoding: 'utf8',
mode: 0o644
});
return true;
} catch {
inMemoryLock = false;
return false;
}
};
Copy link
Member Author

@brkalow brkalow Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be isolated to the same process, as it's a dev server running on a local machine
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@brkalow, you're right—in a single-process dev server environment, the in-memory lock is sufficient to prevent re-entrance, and the risk of multiple processes competing for the lock is minimal. This isn't a blocking concern for the intended use case.
@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 20, 2025

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7518

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7518

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7518

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7518

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7518

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7518

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7518

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7518

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7518

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7518

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7518

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7518

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7518

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7518

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7518

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7518

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7518

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7518

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7518

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7518

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7518

commit: 8739d13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core-3 nextjs tanstack

2 participants

@brkalow