tanstack-start-security
@rules/auth-and-session.md @rules/server-boundaries.md @rules/http-and-headers.md @rules/validation.md @references/official-security-notes.md
TanStack Start Security
<output_language>
Default all user-facing deliverables, saved artifacts, reports, plans, generated docs, summaries, handoff notes, commit/message drafts, and validation notes to Korean, even when this canonical skill file is written in English.
Preserve source code identifiers, CLI commands, file paths, schema keys, JSON/YAML field names, API names, package names, proper nouns, and quoted source excerpts in their required or original language.
Use a different language only when the user explicitly requests it, an existing target artifact must stay in another language for consistency, or a machine-readable contract requires exact English tokens. If a localized template or reference exists (for example *.ko.md or *.ko.json), prefer it for user-facing artifacts.
</output_language>
Purpose
Harden TanStack Start applications without turning every change into a full security rewrite.
Use this skill when the job is specifically about security posture in a TanStack Start app:
- auth and session protection
- cookies, CSRF, trusted origins, and browser request safety
- request middleware in
src/start.ts - server function and server route hardening
- secret and env boundary protection
- SSR, hydration, and client/server execution leaks
- security headers, CSP, webhook verification, and rate limiting
Do not use this skill for generic React work or non-security copy edits.
If the task is mainly TanStack Start architecture compliance rather than security hardening, use skills/tanstack-start-architecture/ instead of stretching this skill.
If the request is a generic non-TanStack security review, route away to the normal security-review path instead of forcing TanStack Start rules.
Trigger Examples
Positive
Review TanStack Start login and session handling security.Prevent secrets from leaking through a TanStack Start server function.Review auth, cookies, CSRF, and webhook security in this TanStack Start app.
Negative
Make a small style-only change to a plain React page.Security review an Express API server that is not a TanStack Start app.
Boundary
Change only the copy on a TanStack Start page.If there is no change to security boundaries, auth, env handling, server routes, or headers, this skill may be too heavy.
Step 1: Project Validation
Apply this skill only when the repository is actually using TanStack Start signals such as:
app.config.ts@tanstack/react-startinpackage.json@tanstack/react-routerinpackage.jsonsrc/routes/__root.tsx
If those signals are absent, stop and fall back to the normal implementation or security-review path.
Step 2: Read The Right Rules
Read these files before editing security-sensitive code:
rules/auth-and-session.mdfor authentication, authorization, cookies, and request-origin rulesrules/server-boundaries.mdforcreateServerFn,createServerOnlyFn, env/secrets, and import boundariesrules/http-and-headers.mdfor server routes, CSP, headers, CORS, rate limiting, and webhook handlingrules/validation.mdfor review gates and verification steps
Read references/official-security-notes.md when auth stack details, TanStack execution rules, or Better Auth specifics matter.
Start Here By Prompt Type
- auth, session, cookie, CSRF,
beforeLoad, and authorization issues: start withrules/auth-and-session.md - secret leaks, env exposure,
loader, SSR context, hydration leaks, and import-boundary issues: start withrules/server-boundaries.md src/start.tsmiddleware, CSP, CORS, headers, webhooks, rate limiting, and server routes: start withrules/http-and-headers.md- if the prompt is a copy-only edit or a non-TanStack security request, stop at the core boundary decision and route away instead of reading deeper files
Step 3: Security Mapping
Before changing code, map which security surface you are touching:
- Auth/session
- Secrets/env
- Request middleware in
src/start.ts - Server functions
- Server routes / HTTP endpoints
- Browser-delivered headers and CSP
- SSR / hydration / import boundary leaks
If more than one surface is affected, validate all linked rule files before editing.
Step 4: Preferred Fix Order
Use the lightest fix that closes the actual risk:
- Stop secret or boundary leaks first
- Add session/authz enforcement next
- Tighten cookies, origins, and mutation safety
- Add explicit headers, CSP, webhook checks, and rate limits
- Only then consider larger auth-stack or route-structure migrations
Step 5: Auto-Remediation Policy
Auto-fix directly when the change is local, reversible, and clearly safer:
- move privileged logic behind
createServerFnorcreateServerOnlyFn - add route/session guard checks
- replace client-exposed secret access with server-only access
- add missing input validation or origin/signature checks
- tighten cookie or header defaults when the current stack is clear
Do not auto-apply broad, risky migrations without explicit justification:
- replacing the auth library
- sweeping session model changes
- site-wide CSP rewrites without checking asset/script requirements
- broad CORS or cookie-domain changes across environments
Core Security Gates
Block the change until fixed if any of these are true:
- client-reachable code can import or derive a secret
- protected data mutation trusts client-provided identity or role claims
- a TanStack Start
loaderor shared utility performs privileged work without an explicit server boundary - a route relies on
beforeLoadonly, without equivalent server-side protection for protected actions - loader output, SSR context, or hydrated state serializes secrets or internal-only auth data
- a server route is accepting browser state-changing input without auth/origin/CSRF strategy
- webhook handlers trust payloads before signature verification
- auth/session cookies are configured loosely without deliberate environment rules
Verification
Before claiming completion:
- verify the relevant rule-file checklist
- run the project checks that prove the change did not break the app
- summarize what was hardened and what remains stack-dependent
For detailed review and command guidance, use rules/validation.md.
More from alpoxdev/hypercore
bug-fix
[Hyper] Analyze bugs, present repair options, then implement and verify the user-selected fix path. Routes simple bugs directly; tracks complex multi-phase investigations via .hypercore/bug-fix/ JSON flow.
47tanstack-start-architecture
[Hyper] Enforce TanStack Start architecture in existing Start projects, especially route structure, server functions, loader/client-server boundaries, importProtection, hooks, SSR/hydration, and hypercore conventions. Use before structural code changes, route work, server function work, or architecture audits in TanStack Start codebases.
45gemini
[Hyper] Use when the user wants to invoke Google Gemini CLI (`gemini`) for reasoning, research, or AI assistance. Trigger phrases: \"use gemini\", \"ask gemini\", \"run gemini\", \"call gemini\", \"gemini cli\", \"Google AI\", \"Gemini reasoning\", or when users request Google's Gemini models, research with web search, plan-mode review, or want to resume a previous Gemini session. Do not use for generic writing, runbook cleanup, or local edits that do not require the Gemini CLI.
45crawler
[Hyper] Investigate websites with Playwriter plus CDP to choose a crawl strategy, capture API/auth evidence, document findings under `.hypercore/crawler/[site]/`, and generate crawler code only after discovery is grounded.
45research
[Hyper] Produce a multi-source, source-backed markdown research report for fact-finding, comparisons, market/trend analysis, or evidence-backed recommendations across live web, official docs, GitHub, and local repo sources. Use when synthesis and citations are needed, not for one-source lookups.
45genius-thinking
[Hyper] Generate and prioritize differentiated ideas for stuck product, strategy, or innovation problems when ordinary brainstorming is too shallow. Saves structured multi-file analysis under .hypercore/genius-thinking/[topic-slug]/ with phase tracking.
44