chore(repo): Typedoc: Handle <code> injection in function signatures

[alexisintech]

Description

In this PR, the Simplify type was introduced to wrap the type for VerifyTokenOptions, causing the docs for the verifyToken() to change

Before that PR:

Screen.Recording.2025-10-16.at.14.52.55.mov

After that PR:

Screen.Recording.2025-10-16.at.14.59.10.mov

The function signature incorrectly had <code> in the codeblock.

This PR updates our typedoc theme to disallow the injection of a <code> in function signatures, as function signatures are already output into codeblocks.

Changes regarding this PR:

Screen.Recording.2025-10-16.at.14.51.33.mov

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Documentation
  • Improved generated API docs: function signatures now show parameters and types without extraneous code-wrapping, while non-signature types retain consistent code formatting for clarity.
• Chores
  • Simplified some in-source documentation and updated examples to recommend using environment variables for secret configuration; added a placeholder changeset file.

[changeset-bot]

🦋 Changeset detected

Latest commit: c5989e1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Oct 30, 2025 7:12pm

[coderabbitai]

Walkthrough

Adds an internal _insideFunctionSignature flag and a new reflectionType(model) partial in .typedoc/custom-theme.mjs to control whether types are wrapped in <code> when rendering function signatures. Removes a JSDoc block from packages/backend/src/tokens/verify.ts and adds a changeset file.

Changes

Cohort / File(s)	Summary
TypeDoc Theme Rendering .typedoc/custom-theme.mjs	Added _insideFunctionSignature field on ClerkMarkdownThemeContext. Updated constructor, signatureTitle flow, and several partials (declarationType, unionType, arrayType, functionType) to toggle/observe the flag. Added new public partial reflectionType(model) that strips backticks and <code> tags and conditionally wraps output only when not inside a function signature.
Documentation Cleanup packages/backend/src/tokens/verify.ts	Removed an extended JSDoc documentation block for verifyToken (doc text recommending env var usage); no runtime, type-signature, or control-flow changes.
Changeset .changeset/silly-jars-shave.md	Added a new changeset placeholder file. No functional changes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Renderer as Theme Renderer
    participant Context as ClerkMarkdownThemeContext
    participant Partial as reflectionType / other partials
    participant Output as HTML

    Renderer->>Context: render signatureTitle(...)
    Note right of Context #E8F6FF: Context sets\n_insideFunctionSignature = true\nwhile rendering params/types
    Context->>Partial: render type model
    alt inside signature (_insideFunctionSignature = true)
        Partial->>Partial: strip backticks & remove <code>
        Partial-->>Context: return unwrapped type string
    else outside signature (_insideFunctionSignature = false)
        Partial->>Partial: strip backticks & ensure single `<code>` wrapper
        Partial-->>Context: return wrapped type string
    end
    Context-->>Renderer: composed signature HTML
    Renderer->>Output: emit final HTML

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay extra attention to .typedoc/custom-theme.mjs changes that toggle _insideFunctionSignature across nested partial calls.
• Verify reflectionType(model) correctly removes existing <code>/backticks and preserves HTML-escaping and edge cases.

Poem

🐰 I found the crumbs of backticks strewn,

I hopped through signatures by moon and noon,
I wrapped where needed, left others free,
A tidy theme — a small jubilee,
Little rabbit code, light as a tune.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "chore(repo): Typedoc: Handle injection in function signatures" directly and accurately describes the primary change in the changeset. The main modifications are in .typedoc/custom-theme.mjs, which implements a solution to prevent <code> tag injection within function signatures by introducing an internal flag and conditional code-wrapping logic across multiple partials. The title is clear, specific, and focused on the core issue being addressed—preventing improper code block nesting in Typedoc-generated documentation—without using vague terminology or unnecessary embellishment.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch aa/handle-simplify-types

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 160dc93 and 9e0261a.

📒 Files selected for processing (2)

• .typedoc/custom-theme.mjs (5 hunks)
• packages/backend/src/tokens/verify.ts (0 hunks)

💤 Files with no reviewable changes (1)

• packages/backend/src/tokens/verify.ts

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7010

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7010

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7010

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7010

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7010

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7010

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@7010

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@7010

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7010

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7010

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7010

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7010

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7010

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7010

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@7010

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7010

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@7010

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7010

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7010

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7010

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@7010

@clerk/types

npm i https://pkg.pr.new/@clerk/types@7010

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7010

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7010

commit: c5989e1

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.typedoc/custom-theme.mjs (3)

47-48: Consider adding JSDoc documentation for the internal flag.

The _insideFunctionSignature flag is central to preventing <code> injection, but lacks documentation explaining its purpose and usage pattern.

Consider adding a comment like:

+    /**
+     * Internal flag to track when rendering types inside a function signature context.
+     * When true, type partials should return unwrapped output to avoid nested code blocks.
+     * @private
+     */
     this._insideFunctionSignature = false;

---

148-158: The save/restore pattern correctly addresses the past review concern.

The implementation now saves and restores _insideFunctionSignature around both signatureParameters and someType calls, which correctly handles nested function signatures (e.g., callbacks or higher-order returns).

Optional improvements:

1. For robustness, consider try-finally to ensure flag restoration even if an error occurs:

  const prevInsideParams = this._insideFunctionSignature;
- this._insideFunctionSignature = true;
- md.push(this.partials.signatureParameters(model.parameters || []));
- this._insideFunctionSignature = prevInsideParams;
+ try {
+   this._insideFunctionSignature = true;
+   md.push(this.partials.signatureParameters(model.parameters || []));
+ } finally {
+   this._insideFunctionSignature = prevInsideParams;
+ }

2. Minor nitpick: prevInsideParams and prevInsideType both save the same flag in a non-overlapping sequence. A consistent name like prev might be clearer.

---

148-158: Coverage is complete for all overridden partials.

The custom theme overrides exactly 5 type partials that wrap types in <code> tags: declarationType, unionType, functionType, arrayType, and reflectionType. All 5 have the guard pattern, plus 2 additional occurrences in signatureTitle, for a total of 7 guards. Other type partials like intersectionType, tupleType, typeOperatorType, etc., are not overridden, so they use the default typedoc-plugin-markdown implementations and don't need guards in this theme.

The code duplication concern remains valid—the save/restore pattern appears 7 times across the file. The suggested helper extraction would improve maintainability and reduce duplication.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9e0261a and 385adaa.

📒 Files selected for processing (1)

• .typedoc/custom-theme.mjs (6 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build Packages
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (3)

.typedoc/custom-theme.mjs (3)

355-359: LGTM! Conditional wrapping prevents double code blocks.

The guard correctly returns unwrapped output when inside a function signature, preventing the <code> injection issue.

---

378-382: LGTM! Consistent guard pattern across all modified type partials.

The conditional wrapping is correctly applied to unionType, functionType, and arrayType, maintaining consistency with the fix.

Also applies to: 406-410, 509-515

---

516-536: LGTM! New reflectionType partial correctly handles wrapped types like Simplify.

This addition directly addresses the issue from PR #6993 where Simplify<VerifyTokenOptions> was causing <code> injection. The implementation correctly follows the established pattern.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 385adaa and bdd332e.

📒 Files selected for processing (1)

• .changeset/silly-jars-shave.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

.changeset/**

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Automated releases must use Changesets.

Files:

• .changeset/silly-jars-shave.md

🪛 LanguageTool

.changeset/silly-jars-shave.md

[grammar] ~1-~1: Hier könnte ein Fehler sein.
Context: --- ---

(QB_NEW_DE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Changeset file is incomplete and missing required content.

The changeset file contains only the frontmatter delimiters (---) but lacks the package bump entries and change summary. This will fail Changesets processing.

According to the Changesets format, the file should contain:

• Inside the frontmatter: one or more package entries with their bump types (e.g., "@clerk/backend": patch)
• After the frontmatter: a human-readable summary of the changes

Expected format:

---
"@clerk/backend": patch
---

Fix Typedoc rendering of <code> tags in function signatures

Please update the changeset file with the appropriate package name(s) and bump type based on which packages were modified in this PR.

🧰 Tools

🪛 LanguageTool

[grammar] ~1-~1: Hier könnte ein Fehler sein.
Context: --- ---

(QB_NEW_DE)

🤖 Prompt for AI Agents

In .changeset/silly-jars-shave.md around lines 1 to 2 the file only contains
frontmatter delimiters and is missing required package bump entries and a
human-readable summary; update the file by adding one or more package entries
with their bump types inside the frontmatter (e.g., "@clerk/backend": patch) and
then add a short summary of the change after the closing --- delimiter, choosing
the correct package names and bump levels that correspond to the packages
modified in this PR.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

packages/backend/src/tokens/verify.ts (1)

43-43: Excellent documentation enhancement!

The extended description effectively guides developers toward the best practice of using environment variables for configuration. The example is clear and actionable, directly demonstrating how to pass secretKey from an environment variable.

Optional readability improvement:

The line is quite long (~400+ characters). Consider breaking it into multiple sentences for improved readability:

-@param options - Options for verifying the token. It is recommended to set these options as [environment variables](/docs/guides/development/clerk-environment-variables#api-and-sdk-configuration) where possible, and then pass them to the function. For example, you can set the `secretKey` option using the `CLERK_SECRET_KEY` environment variable, and then pass it to the function like this: `verifyToken(token, { secretKey: process.env.CLERK_SECRET_KEY })`.
+@param options - Options for verifying the token. It is recommended to set these options as [environment variables](/docs/guides/development/clerk-environment-variables#api-and-sdk-configuration) where possible, and then pass them to the function. For example, you can set the `secretKey` option using the `CLERK_SECRET_KEY` environment variable and pass it like this: `verifyToken(token, { secretKey: process.env.CLERK_SECRET_KEY })`.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bdd332e and c5989e1.

📒 Files selected for processing (2)

• .typedoc/custom-theme.mjs (6 hunks)
• packages/backend/src/tokens/verify.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .typedoc/custom-theme.mjs

🧰 Additional context used

📓 Path-based instructions (6)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{js,jsx,ts,tsx}: All code must pass ESLint checks with the project's configuration
Follow established naming conventions (PascalCase for components, camelCase for variables)
Maintain comprehensive JSDoc comments for public APIs
Use dynamic imports for optional features
All public APIs must be documented with JSDoc
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Profile and optimize critical paths
Validate all inputs and sanitize outputs
Implement proper logging with different levels

Files:

• packages/backend/src/tokens/verify.ts

**/*.{js,jsx,ts,tsx,json,css,scss,md,yaml,yml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/backend/src/tokens/verify.ts

packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/backend/src/tokens/verify.ts

packages/**/*.{ts,tsx,d.ts}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Packages should export TypeScript types alongside runtime code

Files:

• packages/backend/src/tokens/verify.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Prefer readonly for properties that shouldn't change after construction
Prefer composition and interfaces over deep inheritance chains
Use mixins for shared behavior across unrelated classes
Implement dependency injection for loose coupling
Let TypeScript infer when types are obvious
Use const assertions for literal types: as const
Use satisfies operator for type checking without widening
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Use type-only imports: import type { ... } from ...
No any types without justification
Proper error handling with typed errors
Consistent use of readonly for immutable data
Proper generic constraints
No unused type parameters
Proper use of utility types instead of manual type construction
Type-only imports where possible
Proper tree-shaking friendly exports
No circular dependencies
Efficient type computations (avoid deep recursion)

Files:

• packages/backend/src/tokens/verify.ts

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Support multiple Clerk environment variables (CLERK_, NEXT_PUBLIC_CLERK_, etc.) for configuration.

Files:

• packages/backend/src/tokens/verify.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

packages/backend/src/tokens/verify.ts (2)

23-25: Verify @interface tag usage for type alias.

The @interface JSDoc tag is typically used with TypeScript interface declarations, but here it's applied to a type alias. While this may be intentional for Typedoc rendering purposes (especially given this PR addresses Typedoc issues), it's technically inconsistent with standard JSDoc conventions.

If this is intentional for Typedoc, consider it approved. Otherwise, you may want to remove the @interface tag or convert the type to an interface if extensibility is needed.

---

26-34: LGTM! Type definition is well-structured.

The VerifyTokenOptions type correctly uses Simplify to flatten the intersection for better IDE experience. The JSDoc for the jwtKey property appropriately recommends using environment variables, which aligns with security best practices.