chore(ai): add agent skills

[halvaradop]

Description

Summary by CodeRabbit

• Documentation

  • Added comprehensive guides for authentication setup, including createAuth server configuration and createAuthClient client-side integration
  • Added OAuth provider configuration documentation with built-in and custom provider support
  • Added security best practices guide covering secrets, cookies, trusted origins, and JWT session strategy
  • Added guide for JWT/JWS/JWE utility operations

• New Features

  • Added environment secret management script for authentication credentials

• Chores

  • Reformatted TypeScript configuration files

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
auth	Ready	Preview, Comment	Apr 6, 2026 2:37am

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR introduces comprehensive Aura Auth skill documentation files defining setup workflows for server (createAuth) and client (createAuthClient) authentication, OAuth provider configuration, security practices, and JWT utilities. It also refactors TypeScript configurations and adds a Bash script for managing authentication secrets in .env files.

Changes

Cohort / File(s)	Summary
TypeScript Configuration packages/core/tsconfig.json, packages/rate-limiter/tsconfig.json	Reformatted compilerOptions with restructured indentation and trailing commas. rate-limiter additionally removes baseUrl setting and adds @/* path mapping.
Auth Server Setup Skill skills/create-auth/SKILL.md, skills/create-auth/evals/evals.json	Defines end-to-end production server setup for @aura-stack/auth including preflight discovery, runtime/framework detection, secret generation consent flow, handler wiring patterns for multiple routing models, and environment variable template with verification checklist.
Auth Client Setup Skill skills/create-auth-client/SKILL.md, skills/create-auth-client/evals/evals.json	Specifies client-side createAuthClient configuration workflow with framework-specific base URL/path detection, compatibility gating for server-only targets, and minimal usage snippets for signIn, signOut, and session management.
OAuth Provider Configuration Skill skills/oauth-providers/SKILL.md, skills/oauth-providers/evals/evals.json	Documents provider setup including built-in and custom OAuth configuration, environment variable requirements, trustedOrigins recommendations, and identity schema validation behavior with troubleshooting for common misconfigurations.
Security Hardening Skill skills/security-practices/SKILL.md, skills/security-practices/evals/evals.json	Covers production security guidance: .env and git safety, secret handling with rotation planning, cookie hardening strategies, trustedProxyHeaders and trustedOrigins decision frameworks, and JWT session configuration with mode analysis.
JOSE Utilities Skill skills/use-jose-utilities/SKILL.md, skills/use-jose-utilities/evals/evals.json	Specifies server-side JWT/JWS/JWE operations using createAuth(...).jose, with examples for encodeJWT, signJWS, encryptJWE patterns, context restrictions (server-only), and failure-mode handling ordered by likelihood.
Secret Management Utility skills/create-auth/scripts/update-auth-env.sh	Bash script for idempotent .env secret generation, detecting existing AURA_AUTH_SALT and AURA_AUTH_SECRET, generating base64 values via openssl rand for missing/empty secrets, and atomically updating the file.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(security): mitigate potential security risks #89: Removal of automatic salt derivation with requirement for environment-provided secrets, directly aligned with this PR's secret management script and environment variable guidance.

Suggested labels

documentation, enhancement

Poem

🐰 Whiskers twitch with pride ✨
Auth skills bloom like clover—
Secrets sealed, clients guided,
Docs guide developers onward.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(ai): add agent skills' accurately describes the main change: multiple new agent skill files (SKILL.md, evals.json, and a supporting script) are being added to the repository.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/add-agent-skills

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

skills/create-auth-client/SKILL.md (1)

1-5: Consider shortening the frontmatter description.

The description field is 242 characters long and contains detailed usage instructions. Frontmatter descriptions are typically concise summaries. Consider moving detailed usage guidance into the body and keeping the description brief (e.g., "Create a client-side @aura-stack/auth instance for frameworks with browser support").

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@skills/create-auth-client/SKILL.md` around lines 1 - 5, The frontmatter
description in SKILL.md (the description field for name: create-auth-client) is
too long and should be shortened to a concise summary; replace the current
242‑character description with a brief line like "Create a client-side
`@aura-stack/auth` instance for frameworks with browser support" and move the
detailed usage guidance (supported frameworks, when to use, and exclusions) into
the document body below the frontmatter so the frontmatter remains a short
summary while preserving the existing instructions in the content section.

skills/create-auth/SKILL.md (1)

1-5: Consider shortening the frontmatter description.

The description field is 340 characters long. Frontmatter descriptions should be concise. Consider: "Set up a server-side @aura-stack/auth instance with OAuth providers and route handlers for any runtime or framework."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@skills/create-auth/SKILL.md` around lines 1 - 5, The frontmatter description
value is too long; replace the current long string assigned to the description
field in the SKILL.md frontmatter with a concise summary (e.g., "Set up a
server-side `@aura-stack/auth` instance with OAuth providers and route handlers
for any runtime or framework.") — update the description key in the frontmatter
(alongside name: create-basic-auth) to the shorter text, ensuring punctuation
and YAML quoting remain valid.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@skills/create-auth/SKILL.md`:
- Line 29: Update the documentation line that currently reads "Preferred OAuth
provider (default to `github` when unspecified)." to use proper casing: replace
the lowercase "github" in prose with "GitHub" while leaving the inline code
sample `oauth: ["github"]` unchanged; locate the sentence in SKILL.md that
mentions Preferred OAuth provider and update only the prose casing to "GitHub".

In `@skills/oauth-providers/evals/evals.json`:
- Line 2: The eval binding uses "skill_name": "setup-aura-oauth-providers" which
doesn't match the skill's declared name "oauth-providers" in SKILL.md; update
the identifier so they exactly match (either change "skill_name" in
skills/oauth-providers/evals/evals.json to "oauth-providers" or rename the
"name:" field in skills/oauth-providers/SKILL.md to
"setup-aura-oauth-providers") so the evals attach correctly to the intended
skill.

In `@skills/security-practices/SKILL.md`:
- Around line 212-215: The docs for expirationStrategy only list "absolute" and
"rolling" but must match the type contract for expirationStrategy which also
allows "fixed" and "sliding"; update the SKILL.md section describing
expirationStrategy to include clear definitions and recommended usage for
"fixed" and "sliding" alongside "absolute" and "rolling", ensuring wording
mirrors the semantics in the session type (expirationStrategy) so valid configs
are accepted and guidance is accurate.

In `@skills/use-jose-utilities/evals/evals.json`:
- Line 2: The eval manifest's skill_name "use-createauth-jose" doesn't match the
skill frontmatter identifier "use-jose-utilities"; update the eval entry to use
the canonical frontmatter name (replace "use-createauth-jose" with
"use-jose-utilities") or alternatively update the skill frontmatter to
"use-createauth-jose" if that is the intended canonical name, or verify and
document that the runner supports aliases and add an explicit alias mapping;
ensure consistency between the eval's skill_name and the skill frontmatter to
avoid binding mismatches.

---

Nitpick comments:
In `@skills/create-auth-client/SKILL.md`:
- Around line 1-5: The frontmatter description in SKILL.md (the description
field for name: create-auth-client) is too long and should be shortened to a
concise summary; replace the current 242‑character description with a brief line
like "Create a client-side `@aura-stack/auth` instance for frameworks with browser
support" and move the detailed usage guidance (supported frameworks, when to
use, and exclusions) into the document body below the frontmatter so the
frontmatter remains a short summary while preserving the existing instructions
in the content section.

In `@skills/create-auth/SKILL.md`:
- Around line 1-5: The frontmatter description value is too long; replace the
current long string assigned to the description field in the SKILL.md
frontmatter with a concise summary (e.g., "Set up a server-side `@aura-stack/auth`
instance with OAuth providers and route handlers for any runtime or framework.")
— update the description key in the frontmatter (alongside name:
create-basic-auth) to the shorter text, ensuring punctuation and YAML quoting
remain valid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6649320f-e5ac-4275-bda5-fc34b13edb02

📥 Commits

Reviewing files that changed from the base of the PR and between 2d55c95 and 19698ae.

📒 Files selected for processing (13)

• packages/core/tsconfig.json
• packages/rate-limiter/tsconfig.json
• skills-lock.json
• skills/create-auth-client/SKILL.md
• skills/create-auth-client/evals/evals.json
• skills/create-auth/SKILL.md
• skills/create-auth/evals/evals.json
• skills/oauth-providers/SKILL.md
• skills/oauth-providers/evals/evals.json
• skills/security-practices/SKILL.md
• skills/security-practices/evals/evals.json
• skills/use-jose-utilities/SKILL.md
• skills/use-jose-utilities/evals/evals.json