Overview - Router

router

7 days30 days

Latest CI Pipeline Executions

Fuzzy

Succeeded
taren/flamboyant-northcutt-34501b
e22b1490 docs(skills): drop wrong-import-path mistakes — TS already catches them Manuel pointed out that TypeScript catches both common wrong paths: '@tanstack/react-router' has no exported member createServerFn / createMiddleware, and '@tanstack/start' is "Cannot find module". Skill space is precious; the items don't earn their slot if tsc handles them. Removed: - Common Mistake "Wrong import path" from server-functions and middleware skills (renumbered the remaining mistakes) - The matching top-of-file CRITICAL line in both skills - The "Import path" callouts in the middleware and server-functions docs
by Tanner Lin...
Succeeded
7314
1a3e34b6 docs(skills): fix two real bugs in auth-server-primitives examples 1. Cookie parser truncated values containing '='. Signed cookies, JWTs, and base64-padded values all use '='. Use indexOf to split on the FIRST '=' only. 2. Login example short-circuited verifyPasswordHash on user-not-found, contradicting the prose's "same time, same error" claim — the no-user branch returned instantly while wrong-password spent ~100ms hashing, leaking account existence over the wire. Always verify against a hash; use a precomputed DUMMY_PASSWORD_HASH when the user is missing, then combine with the user-exists bit for the final ok. Same fixes in the SKILL.md and the docs companion.
by Tanner Lin...
Succeeded
7314
1a3e34b6 docs(skills): fix two real bugs in auth-server-primitives examples 1. Cookie parser truncated values containing '='. Signed cookies, JWTs, and base64-padded values all use '='. Use indexOf to split on the FIRST '=' only. 2. Login example short-circuited verifyPasswordHash on user-not-found, contradicting the prose's "same time, same error" claim — the no-user branch returned instantly while wrong-password spent ~100ms hashing, leaking account existence over the wire. Always verify against a hash; use a precomputed DUMMY_PASSWORD_HASH when the user is missing, then combine with the user-exists bit for the final ok. Same fixes in the SKILL.md and the docs companion.
by Tanner Lin...
Succeeded
7314
1a3e34b6 docs(skills): fix two real bugs in auth-server-primitives examples 1. Cookie parser truncated values containing '='. Signed cookies, JWTs, and base64-padded values all use '='. Use indexOf to split on the FIRST '=' only. 2. Login example short-circuited verifyPasswordHash on user-not-found, contradicting the prose's "same time, same error" claim — the no-user branch returned instantly while wrong-password spent ~100ms hashing, leaking account existence over the wire. Always verify against a hash; use a precomputed DUMMY_PASSWORD_HASH when the user is missing, then combine with the user-exists bit for the final ok. Same fixes in the SKILL.md and the docs companion.
by Tanner Lin...
Succeeded
7314
d8fcc933 docs(skills): make useDelayedNavigate callback truly return void The callback returned the result of setTimeout (a timer handle), not void as the public overload's return type implied. Wrap in a block so the example matches the declared return type. Skipped the related nitpick to add a separate redirect example — the existing prose already describes the same overload pattern, and a duplicate example would push the file close to the 500-line cap that prettier autofix has been bumping us against.
by Tanner Lin...
Succeeded
taren/flamboyant-northcutt-34501b
85fb9770 docs(skills): fix two real bugs in auth-server-primitives examples 1. Cookie parser truncated values containing '='. Signed cookies, JWTs, and base64-padded values all use '='. Use indexOf to split on the FIRST '=' only. 2. Login example short-circuited verifyPasswordHash on user-not-found, contradicting the prose's "same time, same error" claim — the no-user branch returned instantly while wrong-password spent ~100ms hashing, leaking account existence over the wire. Always verify against a hash; use a precomputed DUMMY_PASSWORD_HASH when the user is missing, then combine with the user-exists bit for the final ok. Same fixes in the SKILL.md and the docs companion.
by Tanner Lin...
Succeeded
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...
Succeeded
taren/flamboyant-northcutt-34501b
f33dc7ef docs(skills): CSRF origin check should compare full origin, not host alone Comparing only new URL(origin).host against APP_HOST silently accepts a mismatched scheme — http://example.com would pass a check meant for https://example.com. Compare the full origin (scheme + host + port) against APP_ORIGIN instead. Same fix in skill and docs.
by Tanner Lin...
Succeeded
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...
Succeeded
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...
Succeeded
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...
Succeeded
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...
Canceled
7314
7111d185 docs(skills): address 8 agent failure modes from lovable feedback Adds new start-core/auth-server-primitives skill (sessions, cookies, OAuth+PKCE, password-reset enumeration defense, CSRF, rate limiting, session rotation) and updates 8 existing skills + matching docs to fix patterns where agents produce insecure or wrong-framework output. Skill changes: - new: start-core/auth-server-primitives (server half of auth) - router-core/auth-and-guards: route guard != RPC guard - start-core/server-functions: wrong import path, RPC auth required, Cache-Control public is a cross-tenant leak, wrong-framework patterns - start-core/middleware: wrong import path, sendContext shape vs access (3-layer wrong/still-wrong/correct), authMiddleware framing - start-core/execution-model: file markers (server-only/client-only), module-level process.env is undefined under Worker SSR - start-core/deployment: cloudflare env-at-request-time - router-core/ssr: wrong file structures (next.js, react-router-dom) - router-core/type-safety: wrong-framework imports + structures Docs updated to mirror each skill change so source-of-truth and the intent-indexed skill stay in sync. New authentication-server-primitives guide is the long-form companion to the new skill. intent validate: 30 skill files pass (was 29).
by Tanner Lin...