@chriscanin chriscanin commented Oct 29, 2025

Added the client_trust_state field to the SignIn resources to support the backend's Setup vs Unlock fraud protection feature.

Description

This PR adds type definitions and serialization support for a new field coming from FAPI:

client_trust_state: A string enum ('new' | 'known' | 'pending') that indicates whether the backend trusts this client based on a few internal factors.

Testing

  1. Build the types package: pnpm --filter @clerk/types build
  2. Build dependent packages: pnpm --filter @clerk/clerk-js build
  3. Run tests: pnpm test
  4. To test with backend: Ensure clerk_go branch tom/setup-v-unlock-initial is deployed or built locally, then verify:
    • New users on new clients don't see password option
    • Returning users on known clients see password option

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features
    • Added a client trust state field to Client and SignIn resources, exposing three possible values: new, known, or pending.
    • Field is included in resource snapshots and responses where applicable to surface the client's trust status.

changeset-bot bot commented Oct 29, 2025

🦋 Changeset detected

Latest commit: 482b6a9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages
Name Type
@clerk/shared Minor
@clerk/clerk-js Minor
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/backend Patch
@clerk/chrome-extension Patch
@clerk/elements Patch
@clerk/expo-passkeys Patch
@clerk/clerk-expo Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/clerk-react Patch
@clerk/remix Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/themes Patch
@clerk/types Patch
@clerk/vue Patch
@clerk/localizations Patch

vercel bot commented Oct 29, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
clerk-js-sandbox Ready Ready Preview Comment Nov 4, 2025 9:14pm

coderabbitai bot commented Oct 29, 2025

Walkthrough

Adds a new client_trust_state property to Client and SignIn resources; includes type additions, initialization, JSON (de)serialization, conditional snapshot serialization, and cleanup logic, plus a changelog entry for minor version bumps.

Changes

Cohort / File(s) Summary
Changelog Entry
.changeset/client-trust-state.md
Documents minor version bumps and notes addition of client_trust_state to Client and SignIn resources.
Client Resource Implementation
packages/clerk-js/src/core/resources/Client.ts
Adds public clientTrustState field (type ClientTrustState from @clerk/shared/types); initializes to undefined, populated from data.client_trust_state in fromJSON, reset to undefined in destroy, and conditionally serialized in toSnapshot.
Types (referenced)
@clerk/types (SignIn & Client)
client_trust_state property added to Client and SignIn type declarations (as referenced by implementation).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Check ClientTrustState import path and exported type shape.
  • Verify fromJSON and toSnapshot handling matches existing property patterns.
  • Confirm destroy cleanup aligns with resource lifecycle.
  • Ensure corresponding SignIn type addition and any serialization mirrors Client behavior.

Poem

🐇 A little trust state hops aboard,
Whispering safety in every chord.
Client and SignIn now wink and say,
"We watch the gates while you play." ✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding the clientTrustState property to support the fraud protection feature mentioned in the PR objectives.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1b81587 and 482b6a9.

📒 Files selected for processing (2)
  • .changeset/client-trust-state.md (1 hunks)
  • packages/clerk-js/src/core/resources/Client.ts (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/clerk-js/src/core/resources/Client.ts
🧰 Additional context used
📓 Path-based instructions (1)
.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/client-trust-state.md
🔇 Additional comments (1)
.changeset/client-trust-state.md (1)

1-6: Changeset format looks correct.

The file follows standard Changesets format with valid YAML frontmatter, appropriate minor version bumps for both packages (suitable for a new feature), and a clear description of the changes.



@tmilewski tmilewski left a comment


🚀 Just a small change for clientTrustState/client_trust_state.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (10)
packages/clerk-js/src/test/core-fixtures.ts (1)

211-211: Good defaulting to an empty array

Defaulting untrusted_first_factors to [] avoids undefined in snapshots/tests. Consider doing the same for supported_first_factors for consistency in fixtures to reduce snapshot churn.

Example change outside this hunk:

-    supported_first_factors: signInParams.supported_first_factors,
+    supported_first_factors: signInParams.supported_first_factors || [],
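Review bot: On the added line, `|| []` substitutes the empty array for any falsy value, while the other suggestions in this review coalesce with `??`. For a field that is either an array or absent, `signInParams.supported_first_factors ?? []` states the intent more precisely and keeps the fixture consistent with them.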
packages/types/src/client.ts (1)

23-23: Optional clientTrustState aligns with omission semantics

Making clientTrustState optional matches “omit when unknown”. Please add a short JSDoc since this is a public API.

Suggested doc:

   lastAuthenticationStrategy: LastAuthenticationStrategy | null;
-  clientTrustState?: ClientTrustState;
+  /**
+   * Trust classification for this client; omitted when unknown.
+   * Values: 'new' | 'known' | 'pending'.
+   */
+  clientTrustState?: ClientTrustState;
.changeset/client-trust-state.md (1)

1-7: Changeset looks right for a minor bump

Message is clear. Consider noting omission semantics explicitly: “client_trust_state omitted when unknown; untrusted_first_factors present but often empty.”

packages/clerk-js/src/core/resources/SignIn.ts (3)

106-107: Public field: add JSDoc and clarify null vs [] semantics

Add a brief JSDoc describing when untrustedFirstFactors is null vs [] for consumers.

Example:

-  untrustedFirstFactors: SignInFirstFactor[] | null = [];
+  /**
+   * First factors the backend marked untrusted for this client.
+   * null: not provided; []: provided but empty.
+   */
+  untrustedFirstFactors: SignInFirstFactor[] | null = [];
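Review bot: The added JSDoc defines null as "not provided" and [] as "provided but empty", yet the field on the last line still defaults to []. A freshly constructed SignIn would therefore report "provided but empty" before any backend data arrives; default the field to null, or reword the comment, so the initial value matches the documented meaning.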

531-532: Avoid undefined in fromJSON

If the backend omits the field, deepSnakeToCamel(undefined) yields undefined and overrides your default. Coalesce to null to maintain a stable tri-state (array | null) and avoid undefined at runtime.

-      this.untrustedFirstFactors = deepSnakeToCamel(data.untrusted_first_factors) as SignInFirstFactor[] | null;
+      this.untrustedFirstFactors =
+        (deepSnakeToCamel(data.untrusted_first_factors) as SignInFirstFactor[] | null) ?? null;

550-551: Snapshot should not emit undefined

Coalesce to null so snapshots never contain undefined.

-      untrusted_first_factors: deepCamelToSnake(this.untrustedFirstFactors),
+      untrusted_first_factors: deepCamelToSnake(this.untrustedFirstFactors ?? null),
packages/types/src/signIn.ts (1)

44-45: Add JSDoc for new public API

Please document untrustedFirstFactors usage for SDK consumers (e.g., “factors disallowed for this client by trust signals”).

-  untrustedFirstFactors: SignInFirstFactor[] | null;
+  /**
+   * First factors that are not allowed for this client due to trust evaluation.
+   */
+  untrustedFirstFactors: SignInFirstFactor[] | null;
packages/types/src/json.ts (1)

105-106: Type addition looks good; add a brief doc

Add a one-line comment to clarify intended states and usage.

-export type ClientTrustState = 'new' | 'known' | 'pending';
+// Trust classification for a client, used by setup vs unlock flows.
+export type ClientTrustState = 'new' | 'known' | 'pending';
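Review bot: The added comment uses `//` on an exported type, so it will not appear in generated docs or editor hover text. The path-based instructions quoted in this review require JSDoc for public APIs; make it a `/** ... */` block.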
packages/expo/src/cache/dummy-data/client-resource.ts (1)

95-96: Dummy data parity

Adding untrusted_first_factors: [] is good. Consider also including client_trust_state: null at the top-level to mirror the new type (optional, but helps parity in snapshots/demos).

Example:

   last_authentication_strategy: null,
+  client_trust_state: null,
   created_at: new Date().getTime(),
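Review bot: The added `client_trust_state: null` does not fit the types shown elsewhere in this review, where ClientTrustState is 'new' | 'known' | 'pending' and the field is optional rather than nullable. Leave the key out of the dummy data, or set one of the three values, unless the JSON type is widened to accept null.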
packages/clerk-js/src/core/resources/Client.ts (1)

30-30: Consider adding JSDoc and simplifying the type declaration.

The property declaration has minor refinement opportunities:

  1. Missing JSDoc: The similar property lastAuthenticationStrategy (line 28) includes JSDoc documentation. For consistency and API clarity, consider documenting this public property.

  2. Type redundancy: The optional marker ? already makes this ClientTrustState | undefined, so the explicit | undefined and initialization to undefined are redundant.

Consider this refinement:

+  /** Client trust state for fraud protection; undefined when not yet determined by the backend. */
-  clientTrustState?: ClientTrustState | undefined = undefined;
+  clientTrustState?: ClientTrustState;

As per coding guidelines


📥 Commits

Reviewing files that changed from the base of the PR and between ebc0f74 and 72ddfdc.

📒 Files selected for processing (9)
  • .changeset/client-trust-state.md (1 hunks)
  • packages/clerk-js/src/core/resources/Client.ts (5 hunks)
  • packages/clerk-js/src/core/resources/SignIn.ts (3 hunks)
  • packages/clerk-js/src/test/core-fixtures.ts (1 hunks)
  • packages/expo/src/cache/dummy-data/client-resource.ts (1 hunks)
  • packages/types/src/client.ts (2 hunks)
  • packages/types/src/json.ts (2 hunks)
  • packages/types/src/signIn.ts (2 hunks)
  • packages/types/src/snapshots.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (7)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/expo/src/cache/dummy-data/client-resource.ts
  • packages/types/src/json.ts
  • packages/types/src/signIn.ts
  • packages/clerk-js/src/core/resources/SignIn.ts
  • packages/clerk-js/src/test/core-fixtures.ts
  • packages/types/src/snapshots.ts
  • packages/clerk-js/src/core/resources/Client.ts
  • packages/types/src/client.ts
.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

  • .changeset/client-trust-state.md
🧬 Code graph analysis (5)
packages/types/src/signIn.ts (2)
packages/types/src/signInCommon.ts (1)
  • SignInFirstFactor (74-85)
packages/types/src/json.ts (1)
  • SignInFirstFactorJSON (553-553)
packages/clerk-js/src/core/resources/SignIn.ts (2)
packages/types/src/signInCommon.ts (1)
  • SignInFirstFactor (74-85)
packages/shared/src/underscore.ts (2)
  • deepSnakeToCamel (111-111)
  • deepCamelToSnake (102-102)
packages/types/src/snapshots.ts (2)
packages/types/src/utils.ts (1)
  • Nullable (40-42)
packages/types/src/signIn.ts (1)
  • SignInJSON (94-110)
packages/clerk-js/src/core/resources/Client.ts (1)
packages/types/src/json.ts (1)
  • ClientTrustState (105-105)
packages/types/src/client.ts (1)
packages/types/src/json.ts (1)
  • ClientTrustState (105-105)
🔇 Additional comments (7)
packages/types/src/signIn.ts (1)

105-106: Confirm server contract: optional vs required

untrusted_first_factors is modeled as required here, but the backend may omit it. If omission is possible, mark it optional (?:) to match wire shape, or ensure backend always sends []. Please verify with the backend PR.

If it can be omitted, change:

-  untrusted_first_factors: SignInFirstFactorJSON[];
+  untrusted_first_factors?: SignInFirstFactorJSON[];
packages/types/src/json.ts (1)

116-117: Optional client_trust_state is appropriate

Optionality reflects omission when unknown—LGTM.

packages/types/src/snapshots.ts (1)

38-41: Snapshot type updated correctly

Including untrusted_first_factors in the nullable set keeps snapshot shapes stable—LGTM.

packages/clerk-js/src/core/resources/Client.ts (4)

6-6: LGTM!

The import is correctly added alongside related types from @clerk/types.


91-91: LGTM!

The reset is consistent with the property's default value and follows the pattern of other properties in the destroy method.


141-141: LGTM!

The assignment correctly deserializes the field from JSON, with TypeScript ensuring type safety.


160-160: No changes needed—the conditional serialization is correct.

The conditional spread for clientTrustState is intentional and follows established patterns. The key difference from lastAuthenticationStrategy is that clientTrustState is declared as an optional property (clientTrustState?: ClientTrustState | undefined), whereas lastAuthenticationStrategy is a required property that defaults to null. The conditional spread correctly omits the field when clientTrustState is undefined, matching how optional fields should be serialized. The deserialization at line 141 mirrors this by directly assigning data.client_trust_state, preserving the field's optional semantics.
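
The omit-when-unknown handling discussed in this review, as an added example that is not code from the PR or the Clerk repository: it pairs the conditional spread in toSnapshot with a runtime check in fromJSON, because a TypeScript annotation does not validate what arrives on the wire. ClientLike, ClientJSONLike, ClientSnapshotLike, isClientTrustState, snapshotAll and the sample payloads are hypothetical names and constructed data.

```typescript
// Added illustration, not code from the PR or the Clerk repository.
// From the page: ClientTrustState, client_trust_state, clientTrustState,
// fromJSON, toSnapshot, destroy. Hypothetical: every other name below.

type ClientTrustState = 'new' | 'known' | 'pending';

// Wire shape (hypothetical): JSON from the network is unchecked at runtime,
// so the field is typed as unknown until it has been validated.
interface ClientJSONLike {
  id: string;
  client_trust_state?: unknown;
}

interface ClientSnapshotLike {
  id: string;
  client_trust_state?: ClientTrustState;
}

// Runtime guard: a TypeScript annotation is erased at compile time and
// does nothing to stop an unexpected string reaching the sign-in logic.
function isClientTrustState(value: unknown): value is ClientTrustState {
  return value === 'new' || value === 'known' || value === 'pending';
}

class ClientLike {
  id = '';
  clientTrustState: ClientTrustState | undefined = undefined;

  fromJSON(data: ClientJSONLike): this {
    this.id = data.id;
    const raw = data.client_trust_state;
    // null, a missing key, or an unrecognised value all become undefined.
    this.clientTrustState = isClientTrustState(raw) ? raw : undefined;
    return this;
  }

  toSnapshot(): ClientSnapshotLike {
    return {
      id: this.id,
      // Conditional spread: when the state is unknown the key is absent,
      // rather than present with null or undefined.
      ...(this.clientTrustState ? { client_trust_state: this.clientTrustState } : {}),
    };
  }

  destroy(): void {
    this.id = '';
    this.clientTrustState = undefined;
  }
}

// Constructed sample payloads (not captured from FAPI).
const SAMPLE_PAYLOADS: ClientJSONLike[] = [
  { id: 'client_known', client_trust_state: 'known' },
  { id: 'client_omitted' },
  { id: 'client_null', client_trust_state: null },
  { id: 'client_bogus', client_trust_state: 'trusted' },
];

// Returns each payload's snapshot serialized the way it would be stored.
function snapshotAll(payloads: ClientJSONLike[]): string[] {
  return payloads.map(p => JSON.stringify(new ClientLike().fromJSON(p).toSnapshot()));
}

console.log(snapshotAll(SAMPLE_PAYLOADS));
```

Only the first payload keeps the key in its snapshot; the omitted, null and unrecognised values all serialize without it.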


pkg-pr-new bot commented Nov 4, 2025


@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7096

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7096

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7096

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7096

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7096

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7096

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7096

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7096

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7096

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7096

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7096

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7096

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7096

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7096

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7096

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7096

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7096

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7096

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7096

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7096

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7096

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7096

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7096

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7096

commit: 482b6a9


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 4ee26f2 and 1b81587.

📒 Files selected for processing (2)
  • .changeset/client-trust-state.md (1 hunks)
  • packages/clerk-js/src/core/resources/Client.ts (5 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/clerk-js/src/core/resources/Client.ts (1)
packages/shared/src/types/json.ts (1)
  • ClientTrustState (105-105)
🔇 Additional comments (5)
packages/clerk-js/src/core/resources/Client.ts (4)

6-6: LGTM! Import is correct.

The import of ClientTrustState from the shared types package is appropriate.


91-91: LGTM! Reset logic is correct.

Resetting clientTrustState to undefined in the destroy method is consistent with the cleanup pattern used for other fields.


141-141: LGTM! JSON deserialization is correct.

Direct assignment from data.client_trust_state properly handles both defined values and undefined.


160-160: Verify intentionality of the conditional serialization pattern for client_trust_state.

The client_trust_state field is marked as optional (?) in the ClientJSON type, which permits its omission. However, the current implementation uses a conditional spread pattern that differs from how other optional fields are serialized in the snapshot method—specifically, last_authentication_strategy uses ?? null to always include the field.

Both patterns are valid: the conditional spread omits the field when absent (potentially beneficial for backward compatibility), while ?? null ensures consistent field presence. Confirm with your team whether this pattern difference is intentional for API compatibility or should be standardized with other optional fields.

.changeset/client-trust-state.md (1)

1-7: LGTM! Changeset is properly configured.

The changeset correctly specifies minor version bumps for the affected packages (@clerk/types, @clerk/clerk-js, @clerk/expo), which is appropriate for a new feature addition. The description accurately summarizes the change.

Note: The description mentions "Client and SignIn resources," but only Client changes are visible in the provided files. Assuming SignIn changes are in other files not included in this review.

@tmilewski tmilewski removed the blocked label Nov 4, 2025
@tmilewski tmilewski enabled auto-merge (squash) November 4, 2025 21:15
@tmilewski tmilewski changed the title feat(clerk-js, types): Add clientTrustState and untrustedFirstFactors… feat(clerk-js, shared): Add clientTrustState Nov 4, 2025
@tmilewski tmilewski merged commit ea65d39 into main Nov 4, 2025
72 of 73 checks passed
@tmilewski tmilewski deleted the chris/supported_factors branch November 4, 2025 21:26
wobsoriano pushed a commit that referenced this pull request Nov 5, 2025