@tmilewski
Member

@tmilewski tmilewski commented Nov 5, 2025

Description

Fixes a rebase issue where clientTrustState didn't get moved to SignIn.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • New Features

    • Email-based authentication codes are now supported as a second-factor verification method.
  • Changes

    • Client trust state is now surfaced on the sign-in object instead of the client profile.
    • Public type surfaces updated to expose the trust state on sign-in and include the new second-factor option.

@vercel

vercel bot commented Nov 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
clerk-js-sandbox Ready Ready Preview Comment Nov 5, 2025 8:51pm

@changeset-bot

changeset-bot bot commented Nov 5, 2025

🦋 Changeset detected

Latest commit: eab6a9c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages
Name Type
@clerk/clerk-js Patch
@clerk/shared Patch
@clerk/chrome-extension Patch
@clerk/clerk-expo Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/backend Patch
@clerk/elements Patch
@clerk/expo-passkeys Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/clerk-react Patch
@clerk/remix Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/themes Patch
@clerk/types Patch
@clerk/vue Patch
@clerk/localizations Patch


@coderabbitai
Contributor

coderabbitai bot commented Nov 5, 2025

Walkthrough

clientTrustState is removed from Client (runtime and types) and added to SignIn (runtime and types); Client JSON no longer includes client_trust_state while SignIn JSON/snapshots may include it. SignInSecondFactor now includes EmailCodeFactor. A patch changeset records the move.

Changes

Cohort / File(s) and summary:

  • Changeset (.changeset/evil-aliens-hope.md): Adds a patch changeset documenting the behavioral rename: moving clientTrustState from Client to SignIn.
  • Client resource & JSON/types removed (packages/clerk-js/src/core/resources/Client.ts, packages/shared/src/types/client.ts, packages/shared/src/types/json.ts): Removes clientTrustState from the Client class and ClientResource interface; removes client_trust_state from ClientJSON; deletes related imports, initialization, (de)serialization code.
  • SignIn resource & types added (packages/clerk-js/src/core/resources/SignIn.ts, packages/shared/src/types/signIn.ts, packages/shared/src/types/snapshots.ts): Adds clientTrustState?: ClientTrustState to the SignIn class and SignInResource; adds client_trust_state?: ClientTrustState to SignIn JSON and snapshot shapes and imports ClientTrustState; populates from JSON.
  • SignIn second-factor expansion (packages/shared/src/types/signInCommon.ts): Extends SignInSecondFactor and AttemptSecondFactorParams unions to include EmailCodeFactor / EmailCodeAttempt.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant API as Backend JSON
  participant Client as Client (resource)
  participant SignIn as SignIn (resource)

  rect rgb(235,245,255)
    Note over API,Client: Old flow (before change)
  end

  API->>Client: GET /client -> { ..., client_trust_state }
  Client-->>API: serializes client (includes client_trust_state)
  Note over Client: clientTrustState persisted on Client resource
sequenceDiagram
  autonumber
  participant API as Backend JSON
  participant Client as Client (resource)
  participant SignIn as SignIn (resource)

  rect rgb(245,255,235)
    Note over API,SignIn: New flow (after change)
  end

  API->>Client: GET /client -> { ... }
  Note over Client: no client_trust_state persisted
  API->>SignIn: GET /sign_in -> { ..., client_trust_state }
  SignIn-->>API: serializes sign_in (includes client_trust_state)
  Note over SignIn: clientTrustState persisted on SignIn resource

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Focus areas:
    • packages/clerk-js/src/core/resources/Client.ts — verify all clientTrustState references removed and serialization snapshot updated.
    • packages/clerk-js/src/core/resources/SignIn.ts — confirm import, property typing, and fromJSON assignment for client_trust_state.
    • packages/shared/src/types/* — ensure JSON shapes, resource types, and snapshots are consistent.
    • packages/shared/src/types/signInCommon.ts — check callers for the new EmailCodeFactor/EmailCodeAttempt variants.

Poem

🐰 I hopped from Client to SignIn with glee,
A trust-state moved, now fresh and free.
Email codes joined the second-factor tune,
The rabbit winks beneath the moon 🌙
Change shipped swift — a happy hop, hooray!

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and clearly summarizes the main change: moving clientTrustState from Client to SignIn, which aligns with the primary objective of this bug fix PR.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba05615 and eab6a9c.

📒 Files selected for processing (1)
  • packages/shared/src/types/signInCommon.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (6)
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

  • packages/shared/src/types/signInCommon.ts
**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

  • packages/shared/src/types/signInCommon.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

  • packages/shared/src/types/signInCommon.ts
packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

  • packages/shared/src/types/signInCommon.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

  • packages/shared/src/types/signInCommon.ts
**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

  • packages/shared/src/types/signInCommon.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan
🔇 Additional comments (3)
packages/shared/src/types/signInCommon.ts (3)

122-122: LGTM!

The addition of EmailCodeAttempt is consistent with EmailCodeFactor being added to SignInSecondFactor on line 88, maintaining proper alignment between factor types and their attempt parameters.


120-120: I need to check the actual implementation and definitions in the codebase to understand whether this is intentional design.

Review comment is incorrect and should be disregarded.

According to Clerk's official documentation, if the strategy is set to TOTP, it does not require preparation and you can directly attempt the second factor verification. Only the phone_code strategy requires calling the prepareSecondFactor method.

The asymmetry between PrepareSecondFactorParams (only PhoneCodeSecondFactorConfig) and AttemptSecondFactorParams (four factor types) is intentional by Clerk's design. Backup codes are a fallback when the user is unable to use their primary MFA method, and do not require a separate preparation step. EmailCode and TOTP similarly do not require preparation configuration, which is why no corresponding config types exist for them.

The type definition is correct and complete.

Likely an incorrect or invalid review comment.


88-88: EmailCodeFactor as second factor is intentional and properly implemented.

The changes add email code authentication as a supported second factor, paralleling existing patterns for phone code and backup code. The generic attemptSecondFactor implementation accepts {strategy, code} parameters, which EmailCodeAttempt provides. Types are properly exported and integrated into verification machines and UI components (clerk-js, elements packages). The addition to both SignInFirstFactor and SignInSecondFactor is correct—email authentication is designed to work as both primary and secondary authentication.


Comment @coderabbitai help to get the list of available commands and usage tips.
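
The two changes this review walks through, as an added TypeScript example that is not code from the Clerk repository or from any commenter: the trust state is read from the sign-in payload's `client_trust_state`, and callers handle the new `email_code` second factor exhaustively. Assumptions: the types are simplified stand-ins, the three trust-state values are the ones listed in the JSDoc suggestion later in this thread, and `signInFromJSON` and `secondFactorLabel` are hypothetical names.

```typescript
// Added example; simplified stand-ins for the types named in this PR, not Clerk's source.
// Assumption: trust-state values are those listed in the review's suggested JSDoc.
const TRUST_STATES = ['new', 'known', 'pending'] as const;
type ClientTrustState = (typeof TRUST_STATES)[number];

// Second-factor strategies after this PR: email_code joins the existing three.
type SecondFactor =
  | { strategy: 'phone_code'; phoneNumberId: string }
  | { strategy: 'totp' }
  | { strategy: 'backup_code' }
  | { strategy: 'email_code'; emailAddressId: string };

interface SignInJSON {
  id: string;
  client_trust_state?: string; // untrusted wire value; absent on older payloads
  supported_second_factors?: SecondFactor[];
}

interface SignInModel {
  id: string;
  clientTrustState: ClientTrustState | undefined;
  secondFactors: SecondFactor[];
}

function isTrustState(v: unknown): v is ClientTrustState {
  return typeof v === 'string' && (TRUST_STATES as readonly string[]).indexOf(v) !== -1;
}

// Hypothetical fromJSON: snake_case wire field becomes a camelCase property on SignIn.
function signInFromJSON(json: SignInJSON): SignInModel {
  const raw = json.client_trust_state;
  return {
    id: json.id,
    // Unrecognised values are dropped instead of being passed through to callers.
    clientTrustState: isTrustState(raw) ? raw : undefined,
    secondFactors: json.supported_second_factors ?? [],
  };
}

// Exhaustive switch: a new SecondFactor member without a case here fails to compile.
function secondFactorLabel(f: SecondFactor): string {
  switch (f.strategy) {
    case 'phone_code':
      return `SMS code to ${f.phoneNumberId}`;
    case 'totp':
      return 'Authenticator app code';
    case 'backup_code':
      return 'Backup code';
    case 'email_code':
      return `Email code to ${f.emailAddressId}`;
    default: {
      const unhandled: never = f;
      throw new Error(`Unhandled second factor: ${JSON.stringify(unhandled)}`);
    }
  }
}
```
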

@tmilewski tmilewski changed the title from "fix: Move clientTrustState to SignIn" to "fix(clerk-js,shared): Move clientTrustState to SignIn" Nov 5, 2025
@tmilewski tmilewski self-assigned this Nov 5, 2025
@tmilewski
Member Author

@coderabbitai full review

@coderabbitai
Contributor

coderabbitai bot commented Nov 5, 2025

✅ Actions performed

Full review triggered.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/shared/src/types/signIn.ts (1)

46-46: LGTM! Consider adding JSDoc for the new property.

The clientTrustState property is correctly added to both interfaces with appropriate types and optional modifiers for backward compatibility. The naming follows conventions (camelCase in resource, snake_case in JSON).

Consider adding JSDoc documentation to explain what this property represents and its possible values, as per coding guidelines for public APIs.

Example JSDoc for line 46:

+  /**
+   * The trust state of the client device for this sign-in attempt.
+   * Possible values: 'new', 'known', 'pending'.
+   */
   clientTrustState?: ClientTrustState;
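
Review bot: The second sentence of the suggested JSDoc, "Possible values: 'new', 'known', 'pending'.", copies the members of ClientTrustState by hand, and nothing in this hunk shows that those three literals match the type, which the code graph for this review places in packages/shared/src/types/json.ts at line 105. A hand-written list drifts as soon as the union changes, so check the literals against that definition or replace the sentence with a {@link ClientTrustState} reference. Because the property is declared optional (clientTrustState?), the comment should also say when it is absent, and the same wording belongs on the snake_case client_trust_state field at line 99.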

Also applies to: 99-99

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9ffa221 and ba05615.

📒 Files selected for processing (1)
  • packages/shared/src/types/signIn.ts (3 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/shared/src/types/signIn.ts (1)
packages/shared/src/types/json.ts (1)
  • ClientTrustState (105-105)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Build Packages
  • GitHub Check: Formatting | Dedupe | Changeset
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: semgrep-cloud-platform/scan

@pkg-pr-new

pkg-pr-new bot commented Nov 5, 2025

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7163

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7163

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7163

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7163

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7163

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7163

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7163

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7163

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7163

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7163

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7163

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7163

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7163

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7163

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7163

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7163

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7163

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7163

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7163

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7163

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7163

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7163

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7163

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7163

commit: eab6a9c

@tmilewski
Member Author

Pushing through. 429's are blocking the Next CI

@tmilewski tmilewski merged commit a474c59 into main Nov 5, 2025
93 of 100 checks passed
@tmilewski tmilewski deleted the tom/fix-client-trust-state branch November 5, 2025 21:19