implement_auth#2
Merged
Merged
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds a Clerk skills library (docs, evals, OpenAPI tooling, execution scripts) and integrates Clerk authentication into the Ghost AI app: installs Clerk deps, wraps root in ClerkProvider, adds sign-in/sign-up pages, middleware proxy route protection, protected editor routes, and UI wiring (UserButton + auth redirects). ChangesAgent Skills — Clerk Library
Application Integration — Ghost AI
Sequence Diagram(s)sequenceDiagram
participant User
participant BrowserApp as Ghost AI (Next.js)
participant Middleware as proxy.ts
participant ClerkAuth as Clerk Auth
participant Editor as /editor
User->>BrowserApp: GET /
BrowserApp->>Middleware: request /
Middleware->>ClerkAuth: auth() / check session
ClerkAuth-->>Middleware: userId or null
alt userId present
Middleware-->>BrowserApp: allow
BrowserApp->>BrowserApp: redirect -> /editor
BrowserApp-->>User: 302 /editor
else no user
Middleware-->>BrowserApp: allow
BrowserApp->>BrowserApp: redirect -> /sign-in
BrowserApp-->>User: 302 /sign-in
end
User->>BrowserApp: GET /editor
BrowserApp->>Middleware: request /editor
Middleware->>ClerkAuth: auth.protect()
ClerkAuth-->>Middleware: userId confirmed
Middleware-->>BrowserApp: allow
BrowserApp-->>User: editor page (with UserButton)
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Review rate limit: 9/10 reviews remaining, refill in 6 minutes. Comment |
|
Note Docstrings generation - SUCCESS |
coderabbitai Bot
added a commit
that referenced
this pull request
May 3, 2026
Docstrings generation was requested by @daikictrl. * #2 (comment) The following files were modified: * `.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/app/layout.tsx` * `.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/app/page.tsx` * `app/editor/layout.tsx` * `app/editor/page.tsx` * `app/layout.tsx` * `app/page.tsx` * `app/sign-in/[[...sign-in]]/page.tsx` * `app/sign-up/[[...sign-up]]/page.tsx` * `components/auth/auth-page-shell.tsx` * `components/editor/editor-navbar.tsx`
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 17
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.agents/skills/clerk-backend-api/scripts/api-specs-context.sh (1)
12-31:⚠️ Potential issue | 🟠 Major | ⚡ Quick winHarden remote fetches (
curl) with fail/timeout guards.Current calls use
-sonly. On HTTP errors or network stalls, this can hang or push invalid payloads downstream. Add--fail, timeouts/retries, and an empty-version guard.Proposed hardening
-versions=$(curl -s "$API_URL" | node -e " +versions=$(curl --fail --silent --show-error --location --retry 3 --max-time 20 "$API_URL" | node -e " @@ latest=$(echo "$versions" | tail -1) +if [[ -z "${latest}" ]]; then + echo "ERROR: no valid BAPI versions found from ${API_URL}" >&2 + exit 1 +fi @@ -curl -s "${RAW_BASE}/${latest}" | node "$(dirname "$0")/extract-tags.js" +curl --fail --silent --show-error --location --retry 3 --max-time 20 "${RAW_BASE}/${latest}" \ + | node "$(dirname "$0")/extract-tags.js"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.agents/skills/clerk-backend-api/scripts/api-specs-context.sh around lines 12 - 31, The remote curl calls in the script (the curl that populates the versions variable and the curl that fetches "${RAW_BASE}/${latest}") need to be hardened: update both curl invocations to use --fail, a max time (e.g. --max-time), and retry options (e.g. --retry and --retry-connrefused) so failures/timeouts return non-zero instead of hanging; after populating versions, add an empty-version guard that checks the versions variable before computing latest (and exit non-zero with a clear error when it's empty) so tail -1 is not fed invalid input; ensure the second curl is only executed when latest is set and also fails fast on error so extract-tags.js is not given bad input.
🧹 Nitpick comments (2)
.agents/skills/clerk-backend-api/evals/evals.json (2)
60-72: 💤 Low valueInconsistent schema: missing
filesproperty.Eval 5 is missing the
"files": []property that is present in evals 1-4. While likely non-breaking, this inconsistency could cause issues if the eval runner expects a consistent schema.📋 Proposed fix for consistency
{ "id": 5, "prompt": "i'm updating user metadata to add a 'plan' field but it keeps deleting the existing 'role' field. what am i doing wrong?", "expected_output": "Metadata updates overwrite not merge. Read existing metadata first, spread it, then write back.", "scaffold": "nextjs-basic-auth", + "files": [], "expectations": [🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.agents/skills/clerk-backend-api/evals/evals.json around lines 60 - 72, Eval object with "id": 5 is missing the "files" property causing schema inconsistency; add a "files": [] property to that eval object (the JSON object where "id": 5 and "prompt" are defined) so its keys match evals 1-4 and the eval runner receives a consistent schema.
73-85: 💤 Low valueSame inconsistency: eval 6 also missing
filesproperty.Same issue as eval 5 — add
"files": []for schema consistency.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.agents/skills/clerk-backend-api/evals/evals.json around lines 73 - 85, The JSON object with "id": 6 in the evals array is missing the required "files" property; add a "files": [] key/value pair to that object to match the schema used by other eval entries (look for the object containing "id": 6, "prompt": "my clerk backend api calls..."). Ensure you insert the empty array exactly as "files": [] inside that same object so the file-level schema remains consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.agents/skills/clerk-backend-api/SKILL.md:
- Line 155: Several fenced code blocks in SKILL.md are missing language
identifiers (triggering MD040); update each triple-backtick block to include the
appropriate language tag (e.g., ```json, ```yaml, ```bash, ```ts, ```md) so
markdownlint stops warning and rendered docs show proper highlighting. Locate
every backtick fence used for sample payloads, CLI examples, and code snippets
and add the correct language token based on the snippet content (JSON for JSON
payloads, bash for shell commands, TypeScript/JavaScript for code, etc.),
ensuring consistency across all occurrences noted in the review.
- Line 157: Update the description for the created_at filter in SKILL.md to
remove the "ISO 8601" mention and state that the Clerk Backend API GET /v1/users
accepts only Unix milliseconds (e.g., created_at=gt:1234567890000); specifically
edit the line containing "created_at (ISO 8601 range: gt:TIMESTAMP or
lt:TIMESTAMP in Unix ms)" so it references only Unix ms and the gt:/lt: syntax
for the created_at filter used by the GET /v1/users endpoint.
- Around line 65-72: The examples call clerkClient methods directly but the
Clerk Next.js server SDK requires awaiting the clerkClient promise first; update
both usages so you await clerkClient and assign to a local client variable
(e.g., await clerkClient -> client) before calling
client.organizations.createOrganization(...) and client.users.updateUser(...),
ensuring you reference the awaited client when invoking createOrganization and
updateUser instead of using clerkClient directly.
In @.agents/skills/clerk-custom-ui/core-3/custom-sign-up.md:
- Around line 170-174: The code treats the whole result of signUp.create() as an
error object, which is wrong; destructure the returned shape from
signUp.create() (e.g., const { error } = await signUp.create({ phoneNumber }))
and then check that error is null/absent before calling
signUp.verifications.sendPhoneCode(); update the call site where you currently
assign to error and the conditional to use the destructured error so OTP is only
sent on successful creation.
In @.agents/skills/clerk-nextjs-patterns/evals/evals.json:
- Around line 58-64: Update the eval expectations to require the
server-component flow by referencing auth() server-side only: replace any
allowance of useAuth() with a requirement to call getToken via the auth()
server-side context (e.g., "Uses getToken from auth() server-side to get a
custom JWT") and ensure the prompt/description mentions server component; remove
or change the expectation entry that currently allows useAuth() so only
auth().getToken server-side is accepted.
In @.agents/skills/clerk-nextjs-patterns/references/api-routes.md:
- Around line 40-44: The GET route handler currently types params as synchronous
({ params: { orgId: string } }) and accesses it directly; update the signature
to expect params as a Promise and await it (change the second parameter's type
to { params: Promise<{ orgId: string }> } and call await params before
destructuring) so that in GET you do const { orgId } = await params and then use
that orgId when comparing against auth()'s orgId; keep the auth() call and
unchanged checks for userId and orgId !== params.orgId logic but use the awaited
value.
In @.agents/skills/clerk-nextjs-patterns/references/caching-auth.md:
- Around line 48-53: The code creates an org-scoped cache entry using orgId
without verifying it, causing all unaffiliated users to share the
"org-undefined-data" cache key; update the logic around auth() and
unstable_cache (symbols: auth, unstable_cache, getOrgData, orgId) to guard orgId
before constructing the cache key and creating getOrgData: if orgId is falsy, do
not create the org-scoped unstable_cache entry (return an empty result or use a
safe per-user fallback) and only call unstable_cache with keys/tags that include
a valid orgId when orgId is defined.
In @.agents/skills/clerk-nextjs-patterns/references/server-actions.md:
- Around line 43-51: The deleteProject function currently checks permission but
doesn't scope the DB delete to the caller's organization; update deleteProject
to read orgId from auth() (alongside userId/has), verify orgId exists, and
include organizationId: orgId in the db.projects.delete where clause (in
addition to id: projectId) so the delete is constrained to the caller's tenant
even when the caller has org:project:delete permission.
- Around line 8-18: The example's createPost server action calls revalidatePath
but does not import it; update the top of the file to import revalidatePath
(e.g., add an import for revalidatePath from Next.js like "revalidatePath" from
'next/cache') so the createPost function can call revalidatePath('/posts')
without runtime errors; reference the createPost function and the revalidatePath
symbol when making the change.
In @.agents/skills/clerk-nextjs-patterns/SKILL.md:
- Line 87: The table row containing the matcher string "'/(api|trpc)(.*)'" is
breaking Markdown table parsing because the pipe characters are seen as column
separators; update that cell to escape the pipe(s) so the matcher reads
correctly (for example replace (api|trpc) with (api\|trpc) or wrap the entire
matcher in backticks) so the table column count is preserved and the matcher
displays as a single cell.
In
@.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/package.json:
- Around line 6-14: Replace the four scaffold dependencies currently set to
"latest" ("next", "react", "react-dom", "@clerk/nextjs") and the devDependencies
("typescript", "@types/react", "@types/react-dom") with explicit, constrained
semver ranges matching Clerk's tested compatibility (for example caret or fixed
versions used in your official starter templates); update the values in
package.json so each dependency uses the chosen semver string instead of
"latest" to ensure reproducible scaffolds and avoid breakages when creating
projects from this template.
In @.agents/skills/clerk-setup/evals/evals.json:
- Around line 7-12: The expected_output string conflicts with the Next.js 16
allowance for proxy.ts: update the "expected_output" value so it mentions that
either middleware.ts or proxy.ts will be created (or explicitly reference
Next.js 16+), ensuring consistency with the "Creates middleware.ts (or proxy.ts
for Next.js 16+) with clerkMiddleware export" expectation; locate and edit the
"expected_output" field in the JSON to include both filenames or a Next.js-16
conditional phrase so the eval no longer produces false negatives.
In @.agents/skills/clerk-setup/SKILL.md:
- Around line 232-242: The Markdown table is broken by unescaped pipe characters
in the regex patterns; update the two entries containing the matcher patterns
(the strings starting with "matcher: ['/((?!.*\\..*|_next).*)', '/']" and
"matcher: ['/((?!.*\\..*|_next|^/$).*)', '/api/(.*)']") so the pipes don't split
table columns—either escape each "|" as "\|" or replace them with the HTML
entity "|", or remove the patterns from the table and place them in a
fenced code block directly below the table; make sure the table cells still read
correctly and the regex examples remain intact.
In `@app/layout.tsx`:
- Around line 49-64: ClerkProvider is currently wrapping the <html> element
which violates Clerk Core 3; move the ClerkProvider inside the <body> so the
layout keeps <html lang="en" ...> as the top-level element and <body
className="min-h-full"> immediately under it, then render <ClerkProvider
appearance={clerkAppearance} signInUrl={...} signUpUrl={...}
afterSignOutUrl={...}
afterMultiSessionSingleSignOutUrl={...}>{children}</ClerkProvider> inside the
body, preserving all Clerk props (appearance, signInUrl, signUpUrl,
afterSignOutUrl, afterMultiSessionSingleSignOutUrl) and keeping the html
className and body className unchanged.
In `@app/page.tsx`:
- Line 7: The redirect call uses a hardcoded "/sign-in" which ignores the
configured sign-in URL; update the redirect logic in app/page.tsx (the
redirect(...) invocation) to read and use the environment-configured sign-in URL
(NEXT_PUBLIC_CLERK_SIGN_IN_URL) — e.g., resolve the value used in
proxy.ts/provider config and pass that value to redirect when userId is falsy so
the app honors custom sign-in paths.
In `@context/current-issues.md`:
- Around line 1-3: Edit the issue text paragraph that begins "After I sign-in to
the app..." to fix typos and clarify wording: change "sign-in" to "sign in",
"whitish/blurish" to "white/blurred foreground overlay", "behig the Manage
account window" to "behind the Manage account window", "editors background" to
"editor's background", "signing-out" to "signing out", "Nextjs" to "Next.js",
"buttom" to "bottom", "Redering..." to "Rendering...", and rephrase the sign-out
sentence to "When I try signing out, the Next.js compiler indicator at the
bottom-left stays on 'Rendering...' until I manually refresh the page to
complete sign out." Keep punctuation consistent and ensure both problems are two
clear, grammatically-correct sentences.
In `@context/feature-spec/03-auth.md`:
- Line 11: Replace the phrase "Large screens: Simple two panel layout" with the
hyphenated form "Large screens: Simple two-panel layout" in the spec text
(update the exact string to include the hyphen between "two" and "panel" to
improve clarity and consistency).
---
Outside diff comments:
In @.agents/skills/clerk-backend-api/scripts/api-specs-context.sh:
- Around line 12-31: The remote curl calls in the script (the curl that
populates the versions variable and the curl that fetches
"${RAW_BASE}/${latest}") need to be hardened: update both curl invocations to
use --fail, a max time (e.g. --max-time), and retry options (e.g. --retry and
--retry-connrefused) so failures/timeouts return non-zero instead of hanging;
after populating versions, add an empty-version guard that checks the versions
variable before computing latest (and exit non-zero with a clear error when it's
empty) so tail -1 is not fed invalid input; ensure the second curl is only
executed when latest is set and also fails fast on error so extract-tags.js is
not given bad input.
---
Nitpick comments:
In @.agents/skills/clerk-backend-api/evals/evals.json:
- Around line 60-72: Eval object with "id": 5 is missing the "files" property
causing schema inconsistency; add a "files": [] property to that eval object
(the JSON object where "id": 5 and "prompt" are defined) so its keys match evals
1-4 and the eval runner receives a consistent schema.
- Around line 73-85: The JSON object with "id": 6 in the evals array is missing
the required "files" property; add a "files": [] key/value pair to that object
to match the schema used by other eval entries (look for the object containing
"id": 6, "prompt": "my clerk backend api calls..."). Ensure you insert the empty
array exactly as "files": [] inside that same object so the file-level schema
remains consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: bb040fd7-e929-422f-a7bf-702331105573
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (43)
.agents/skills/clerk-backend-api/SKILL.md.agents/skills/clerk-backend-api/evals/evals.json.agents/skills/clerk-backend-api/scripts/api-specs-context.sh.agents/skills/clerk-backend-api/scripts/execute-request.sh.agents/skills/clerk-backend-api/scripts/extract-endpoint-detail.sh.agents/skills/clerk-backend-api/scripts/extract-tag-endpoints.sh.agents/skills/clerk-backend-api/scripts/extract-tags.js.agents/skills/clerk-custom-ui/SKILL.md.agents/skills/clerk-custom-ui/core-2/custom-sign-in.md.agents/skills/clerk-custom-ui/core-2/custom-sign-up.md.agents/skills/clerk-custom-ui/core-3/custom-sign-in.md.agents/skills/clerk-custom-ui/core-3/custom-sign-up.md.agents/skills/clerk-custom-ui/core-3/show-component.md.agents/skills/clerk-nextjs-patterns/SKILL.md.agents/skills/clerk-nextjs-patterns/evals/evals.json.agents/skills/clerk-nextjs-patterns/references/api-routes.md.agents/skills/clerk-nextjs-patterns/references/caching-auth.md.agents/skills/clerk-nextjs-patterns/references/middleware-strategies.md.agents/skills/clerk-nextjs-patterns/references/server-actions.md.agents/skills/clerk-nextjs-patterns/references/server-vs-client.md.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/app/layout.tsx.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/app/page.tsx.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/package.json.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/proxy.ts.agents/skills/clerk-nextjs-patterns/templates/nextjs-basic-auth/tsconfig.json.agents/skills/clerk-setup/SKILL.md.agents/skills/clerk-setup/evals/evals.json.agents/skills/clerk/SKILL.mdapp/editor/layout.tsxapp/editor/page.tsxapp/layout.tsxapp/page.tsxapp/sign-in/[[...sign-in]]/page.tsxapp/sign-up/[[...sign-up]]/page.tsxcomponents/auth/auth-page-shell.tsxcomponents/editor/editor-navbar.tsxcontext/architecture.mdcontext/current-issues.mdcontext/feature-spec/03-auth.mdcontext/progress-tracker.mdpackage.jsonproxy.tsskills-lock.json
Comment on lines
+65
to
+72
| import { clerkClient } from '@clerk/nextjs/server' | ||
| // OR if using @clerk/backend directly: | ||
| // import { createClerkClient } from '@clerk/backend' | ||
| // const clerkClient = createClerkClient({ secretKey: process.env.CLERK_SECRET_KEY }) | ||
|
|
||
| // Step 1: Create organization | ||
| const org = await clerkClient.organizations.createOrganization({ | ||
| name: 'Acme Corp', |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
In current Clerk Next.js server docs, what is the correct usage pattern for clerkClientwhen calling methods likeorganizations.createOrganizationandusers.updateUser?
💡 Result:
In current Clerk Next.js server documentation (App Router), the correct usage pattern for clerkClient is to await its initialization in async server contexts like Server Components, Route Handlers, or Server Actions. Import from @clerk/nextjs/server: import { clerkClient } from '@clerk/nextjs/server'; 1. Await the client: const client = await clerkClient; 2. Call methods on client: - For organizations.createOrganization(params): const org = await client.organizations.createOrganization({ name: 'Example Org', createdBy: 'user_2abc123def' // userId from auth.userId }); Requires name (string) and createdBy (user ID who becomes admin). Optional: slug, metadata, maxAllowedMemberships. - For users.updateUser(userId, params): const user = await client.users.updateUser('user_2abc123def', { firstName: 'John' }); Pass userId (string) first, then UpdateUserParams object. Always use await auth first to get userId for safety/authorization: const { userId } = await auth; if (!userId) throw new Error('Unauthorized'); This pattern is shown consistently in official docs for server-side Backend API access. Client-side organization creation uses hooks like useOrganizationList.createOrganization instead.
Citations:
- 1: https://beta.clerk.com/docs/nextjs/guides/organizations/getting-started
- 2: https://clerk.com/docs/nextjs/guides/organizations/getting-started
- 3: https://clerk.dev/docs/users/update-user-profiles
- 4: https://clerk.com/docs/reference/backend/user/update-user
- 5: https://clerk.com/docs/nextjs/guides/users/reading
- 6: https://clerk.com/docs/reference/backend/organization/create-organization
- 7: https://clerk.com/docs/nextjs/overview
🏁 Script executed:
# Get the file and check lines around 107-111
cat -n .agents/skills/clerk-backend-api/SKILL.md | sed -n '100,120p'Repository: daikictrl/Ghost_Workflow
Length of output: 1033
Fix clerkClient initialization pattern in examples—must be awaited before method access.
Current Clerk Next.js server SDK requires awaiting clerkClient before calling methods. Both examples (lines 65–72 and 107–111) call methods directly without this intermediate step, which will fail at runtime.
Correct pattern:
import { clerkClient } from '@clerk/nextjs/server'
const client = await clerkClient
const org = await client.organizations.createOrganization({ name: 'Acme Corp' })
await client.users.updateUser(userId, { publicMetadata: { plan: 'pro' } })🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-backend-api/SKILL.md around lines 65 - 72, The examples
call clerkClient methods directly but the Clerk Next.js server SDK requires
awaiting the clerkClient promise first; update both usages so you await
clerkClient and assign to a local client variable (e.g., await clerkClient ->
client) before calling client.organizations.createOrganization(...) and
client.users.updateUser(...), ensuring you reference the awaited client when
invoking createOrganization and updateUser instead of using clerkClient
directly.
| ### Users | ||
|
|
||
| **List users** | ||
| ``` |
There was a problem hiding this comment.
Add language identifiers to fenced code blocks (MD040).
These blocks are missing language tags, which will keep markdownlint warnings active and reduce readability in rendered docs.
Also applies to: 162-162, 168-168, 174-174, 184-184, 191-191, 197-197, 323-323
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 155-155: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-backend-api/SKILL.md at line 155, Several fenced code
blocks in SKILL.md are missing language identifiers (triggering MD040); update
each triple-backtick block to include the appropriate language tag (e.g.,
```json, ```yaml, ```bash, ```ts, ```md) so markdownlint stops warning and
rendered docs show proper highlighting. Locate every backtick fence used for
sample payloads, CLI examples, and code snippets and add the correct language
token based on the snippet content (JSON for JSON payloads, bash for shell
commands, TypeScript/JavaScript for code, etc.), ensuring consistency across all
occurrences noted in the review.
| **List users** | ||
| ``` | ||
| GET /v1/users | ||
| Query params: limit (max 500, default 10), offset, order_by (+/-created_at, +/-updated_at, +/-email_address, +/-web3wallet, +/-first_name, +/-last_name, +/-phone_number, +/-username, +/-last_active_at, +/-last_sign_in_at), email_address[], phone_number[], username[], web3wallet[], user_id[], query, created_at (ISO 8601 range: gt:TIMESTAMP or lt:TIMESTAMP in Unix ms) |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
For Clerk Backend API GET /v1/users, what is the exact accepted format for the created_atfilter values (e.g.,gt:/lt:): Unix milliseconds, ISO 8601 strings, or both?
💡 Result:
For Clerk Backend API GET /v1/users, the created_at filter value(s) must be Unix milliseconds, encoded in the form: - created_at=gt:TIMESTAMP or created_at=lt:TIMESTAMP where TIMESTAMP is the Unix time in milliseconds (a number). They are not ISO 8601 strings in this filter syntax (the docs state the range uses Unix ms, even though the label mentions “ISO 8601 range”).
Citations:
- 1: https://clerk.com/docs/reference/backend-api/tag/users/get/users
- 2: https://github.com/clerk/skills/blob/main/skills/core/clerk-backend-api/SKILL.md
Remove "ISO 8601" from the created_at filter description; the format accepts only Unix milliseconds.
Line 157 lists both "ISO 8601 range" and "Unix ms," but the Clerk Backend API GET /v1/users endpoint only accepts Unix milliseconds for the created_at filter (e.g., created_at=gt:1234567890000). Remove the ISO 8601 mention to prevent invalid filter construction.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-backend-api/SKILL.md at line 157, Update the
description for the created_at filter in SKILL.md to remove the "ISO 8601"
mention and state that the Clerk Backend API GET /v1/users accepts only Unix
milliseconds (e.g., created_at=gt:1234567890000); specifically edit the line
containing "created_at (ISO 8601 range: gt:TIMESTAMP or lt:TIMESTAMP in Unix
ms)" so it references only Unix ms and the gt:/lt: syntax for the created_at
filter used by the GET /v1/users endpoint.
Comment on lines
+170
to
+174
| const error = await signUp.create({ phoneNumber }) | ||
|
|
||
| // For email OTP: change sendPhoneCode() to sendEmailCode() | ||
| if (!error) await signUp.verifications.sendPhoneCode() | ||
| } |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
In Clerk Core 3 useSignUp(), what is the exact return shape of signUp.create(...)?
💡 Result:
In Clerk Core 3’s useSignUp hook, signUp.create(...) does not return a result payload at all. It returns a Promise that resolves to an object with exactly this shape: { error: ClerkError | null } So in code you typically do: const { error } = await signUp.create({ emailAddress, password }) and then check if (error) { ... }. This shape is supported by the SignUpFutureResource/SignUpFuture “create” method implementation (it is typed/implemented to return { error: ClerkError | null }) and matches the documented Core 3 pattern where step methods return { error } for error handling.
Citations:
- 1: https://github.com/clerk/javascript/blob/4fae43c0/packages/clerk-js/src/core/resources/SignUp.ts
- 2: https://clerk.com/docs/nextjs/reference/objects/sign-up-future
- 3: https://clerk.com/docs/nextjs/reference/hooks/use-sign-up
- 4: https://clerk.com/docs/react/reference/hooks/use-sign-up.md
signUp.create() result is handled incorrectly—the return object is not being destructured.
The signUp.create() method returns { error: ClerkError | null }. The current code assigns the entire object to error and then checks if (!error), which will always be truthy since objects are truthy in JavaScript. This breaks error handling and will send the OTP even when creation fails.
Suggested fix
- const error = await signUp.create({ phoneNumber })
+ const { error } = await signUp.create({ phoneNumber })
// For email OTP: change sendPhoneCode() to sendEmailCode()
if (!error) await signUp.verifications.sendPhoneCode()🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-custom-ui/core-3/custom-sign-up.md around lines 170 -
174, The code treats the whole result of signUp.create() as an error object,
which is wrong; destructure the returned shape from signUp.create() (e.g., const
{ error } = await signUp.create({ phoneNumber })) and then check that error is
null/absent before calling signUp.verifications.sendPhoneCode(); update the call
site where you currently assign to error and the conditional to use the
destructured error so OTP is only sent on successful creation.
Comment on lines
+58
to
+64
| "prompt": "i need to call an external API (Hasura GraphQL) from my Next.js server component. get a custom JWT using a template called 'hasura' and pass it in the Authorization header.", | ||
| "expected_output": "Uses getToken with template parameter from auth() server-side, passes as Bearer token to external API", | ||
| "scaffold": "nextjs-basic-auth", | ||
| "expectations": [ | ||
| "Uses getToken with a template parameter (e.g. 'hasura') to get a custom JWT", | ||
| "Uses either auth() server-side or useAuth() client-side to access getToken", | ||
| "Passes the token as Authorization Bearer header to the external API call", |
There was a problem hiding this comment.
Align eval #5 with the server-component requirement.
Line 58 requires a server-component flow, but Line 63 currently allows useAuth() client-side. This can incorrectly pass non-server solutions in evaluation. Restrict expectations to auth() server-side (getToken from auth() context).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-nextjs-patterns/evals/evals.json around lines 58 - 64,
Update the eval expectations to require the server-component flow by referencing
auth() server-side only: replace any allowance of useAuth() with a requirement
to call getToken via the auth() server-side context (e.g., "Uses getToken from
auth() server-side to get a custom JWT") and ensure the prompt/description
mentions server component; remove or change the expectation entry that currently
allows useAuth() so only auth().getToken server-side is accepted.
Comment on lines
+232
to
+242
| | Level | Issue | Solution | | ||
| |-------|-------|----------| | ||
| | CRITICAL | Missing `await` on `auth()` | In Next.js 15+, `auth()` is async: `const { userId } = await auth()` | | ||
| | CRITICAL | Exposing `CLERK_SECRET_KEY` | Never use secret key in client code; only `NEXT_PUBLIC_*` keys are safe | | ||
| | HIGH | Missing middleware matcher | Include API routes: `matcher: ['/((?!.*\\..*|_next).*)', '/']` | | ||
| | HIGH | ClerkProvider placement | Must be inside `<body>` in root layout (Core 2: could wrap `<html>`) | | ||
| | HIGH | Auth routes not public | Allow `/sign-in`, `/sign-up` in middleware config | | ||
| | HIGH | Landing page requires auth | To keep "/" public, exclude it: `matcher: ['/((?!.*\\..*|_next|^/$).*)', '/api/(.*)']` | | ||
| | MEDIUM | Wrong import path | Server code uses `@clerk/nextjs/server`, client uses `@clerk/nextjs` | | ||
| | MEDIUM | Wrong package name | Use `@clerk/react` not `@clerk/clerk-react` (Core 2 naming) | | ||
|
|
There was a problem hiding this comment.
Table rendering broken by unescaped pipe characters in regex patterns.
Lines 236 and 239 contain regex patterns with | characters inside backticks, but Markdown table parsers still interpret these as column separators, breaking the table layout.
🛠️ Proposed fix: escape or rephrase the patterns
-| HIGH | Missing middleware matcher | Include API routes: `matcher: ['/((?!.*\\..*|_next).*)', '/']` |
+| HIGH | Missing middleware matcher | Include API routes: `matcher: ['/((?!.*\\..*\|_next).*)', '/']` |
| HIGH | ClerkProvider placement | Must be inside `<body>` in root layout (Core 2: could wrap `<html>`) |
| HIGH | Auth routes not public | Allow `/sign-in`, `/sign-up` in middleware config |
-| HIGH | Landing page requires auth | To keep "/" public, exclude it: `matcher: ['/((?!.*\\..*|_next|^/$).*)', '/api/(.*)']` |
+| HIGH | Landing page requires auth | To keep "/" public, exclude it: `matcher: ['/((?!.*\\..*\|_next\|^/$).*)', '/api/(.*)']` |Alternatively, move these patterns to a code block below the table to avoid escaping issues entirely.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| | Level | Issue | Solution | | |
| |-------|-------|----------| | |
| | CRITICAL | Missing `await` on `auth()` | In Next.js 15+, `auth()` is async: `const { userId } = await auth()` | | |
| | CRITICAL | Exposing `CLERK_SECRET_KEY` | Never use secret key in client code; only `NEXT_PUBLIC_*` keys are safe | | |
| | HIGH | Missing middleware matcher | Include API routes: `matcher: ['/((?!.*\\..*|_next).*)', '/']` | | |
| | HIGH | ClerkProvider placement | Must be inside `<body>` in root layout (Core 2: could wrap `<html>`) | | |
| | HIGH | Auth routes not public | Allow `/sign-in`, `/sign-up` in middleware config | | |
| | HIGH | Landing page requires auth | To keep "/" public, exclude it: `matcher: ['/((?!.*\\..*|_next|^/$).*)', '/api/(.*)']` | | |
| | MEDIUM | Wrong import path | Server code uses `@clerk/nextjs/server`, client uses `@clerk/nextjs` | | |
| | MEDIUM | Wrong package name | Use `@clerk/react` not `@clerk/clerk-react` (Core 2 naming) | | |
| | Level | Issue | Solution | | |
| |-------|-------|----------| | |
| | CRITICAL | Missing `await` on `auth()` | In Next.js 15+, `auth()` is async: `const { userId } = await auth()` | | |
| | CRITICAL | Exposing `CLERK_SECRET_KEY` | Never use secret key in client code; only `NEXT_PUBLIC_*` keys are safe | | |
| | HIGH | Missing middleware matcher | Include API routes: `matcher: ['/((?!.*\\..*\|_next).*)', '/']` | | |
| | HIGH | ClerkProvider placement | Must be inside `<body>` in root layout (Core 2: could wrap `<html>`) | | |
| | HIGH | Auth routes not public | Allow `/sign-in`, `/sign-up` in middleware config | | |
| | HIGH | Landing page requires auth | To keep "/" public, exclude it: `matcher: ['/((?!.*\\..*\|_next\|^/$).*)', '/api/(.*)']` | | |
| | MEDIUM | Wrong import path | Server code uses `@clerk/nextjs/server`, client uses `@clerk/nextjs` | | |
| | MEDIUM | Wrong package name | Use `@clerk/react` not `@clerk/clerk-react` (Core 2 naming) | |
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 236-236: Table column count
Expected: 3; Actual: 4; Too many cells, extra data will be missing
(MD056, table-column-count)
[warning] 239-239: Table column count
Expected: 3; Actual: 5; Too many cells, extra data will be missing
(MD056, table-column-count)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.agents/skills/clerk-setup/SKILL.md around lines 232 - 242, The Markdown
table is broken by unescaped pipe characters in the regex patterns; update the
two entries containing the matcher patterns (the strings starting with "matcher:
['/((?!.*\\..*|_next).*)', '/']" and "matcher: ['/((?!.*\\..*|_next|^/$).*)',
'/api/(.*)']") so the pipes don't split table columns—either escape each "|" as
"\|" or replace them with the HTML entity "|", or remove the patterns from
the table and place them in a fenced code block directly below the table; make
sure the table cells still read correctly and the regex examples remain intact.
Comment on lines
+1
to
+3
| After I sign-in to the app, when I click the Manage account button, a whitish/blurish foreground color appears on the editor behing the Manage account window. I've uploaded the picture in the chat so that you can see even clearly what I'm talking about. Fix that. I want the editors background color to be maintained no matter the feature or window I open. | ||
|
|
||
| When I try signing-out, the Nextjs compiler at the buttom left corner of the page gets stuck on saying Redering..., until I manually refresh it the page myself before it completely gets me signed out. Fix that too No newline at end of file |
There was a problem hiding this comment.
Clean up typos in the issue description text.
Several spelling errors make the problem statements harder to parse quickly during triage.
Suggested wording cleanup
-After I sign-in to the app, when I click the Manage account button, a whitish/blurish foreground color appears on the editor behing the Manage account window. I've uploaded the picture in the chat so that you can see even clearly what I'm talking about. Fix that. I want the editors background color to be maintained no matter the feature or window I open.
+After I sign in to the app, when I click the Manage account button, a whitish/blurish foreground color appears on the editor behind the Manage account window. I've uploaded a picture in the chat so you can see exactly what I mean. Please fix that. I want the editor's background color to be maintained no matter what feature or window I open.
@@
-When I try signing-out, the Nextjs compiler at the buttom left corner of the page gets stuck on saying Redering..., until I manually refresh it the page myself before it completely gets me signed out. Fix that too
+When I try signing out, the Next.js indicator at the bottom-left corner of the page gets stuck showing "Rendering..." until I manually refresh the page. Only then does sign-out complete. Please fix that too.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
Suggested change
| After I sign-in to the app, when I click the Manage account button, a whitish/blurish foreground color appears on the editor behing the Manage account window. I've uploaded the picture in the chat so that you can see even clearly what I'm talking about. Fix that. I want the editors background color to be maintained no matter the feature or window I open. | |
| When I try signing-out, the Nextjs compiler at the buttom left corner of the page gets stuck on saying Redering..., until I manually refresh it the page myself before it completely gets me signed out. Fix that too | |
| After I sign in to the app, when I click the Manage account button, a whitish/blurish foreground color appears on the editor behind the Manage account window. I've uploaded a picture in the chat so you can see exactly what I mean. Please fix that. I want the editor's background color to be maintained no matter what feature or window I open. | |
| When I try signing out, the Next.js indicator at the bottom-left corner of the page gets stuck showing "Rendering..." until I manually refresh the page. Only then does sign-out complete. Please fix that too. |
🧰 Tools
🪛 LanguageTool
[grammar] ~1-~1: Ensure spelling is correct
Context: ...ck the Manage account button, a whitish/blurish foreground color appears on the editor ...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
[grammar] ~1-~1: Ensure spelling is correct
Context: ... foreground color appears on the editor behing the Manage account window. I've uploade...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
[grammar] ~3-~3: Ensure spelling is correct
Context: ...signing-out, the Nextjs compiler at the buttom left corner of the page gets stuck on s...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
[grammar] ~3-~3: Ensure spelling is correct
Context: ...corner of the page gets stuck on saying Redering..., until I manually refresh it the pag...
(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@context/current-issues.md` around lines 1 - 3, Edit the issue text paragraph
that begins "After I sign-in to the app..." to fix typos and clarify wording:
change "sign-in" to "sign in", "whitish/blurish" to "white/blurred foreground
overlay", "behig the Manage account window" to "behind the Manage account
window", "editors background" to "editor's background", "signing-out" to
"signing out", "Nextjs" to "Next.js", "buttom" to "bottom", "Redering..." to
"Rendering...", and rephrase the sign-out sentence to "When I try signing out,
the Next.js compiler indicator at the bottom-left stays on 'Rendering...' until
I manually refresh the page to complete sign out." Keep punctuation consistent
and ensure both problems are two clear, grammatically-correct sentences.
|
|
||
| ### Sign-in and sign-up pages: | ||
|
|
||
| - Large screens: Simple two panel layout |
There was a problem hiding this comment.
Fix wording: use “two-panel layout.”
Line 11 should be hyphenated for clarity and consistency in the spec text.
🧰 Tools
🪛 LanguageTool
[grammar] ~11-~11: Use a hyphen to join words.
Context: ...n-up pages: - Large screens: Simple two panel layout - left: compact logo, tagli...
(QB_NEW_EN_HYPHEN)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@context/feature-spec/03-auth.md` at line 11, Replace the phrase "Large
screens: Simple two panel layout" with the hyphenated form "Large screens:
Simple two-panel layout" in the spec text (update the exact string to include
the hyphen between "two" and "panel" to improve clarity and consistency).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit
New Features
Documentation