feat(js,shared,ui): Support needs_client_trust sign-in status

[tmilewski]

Description

We're introducing a new status of needs_client_trust. This will supersede relying on needs_second_factor & client_trust_state/mapping over second-factors, enabling a more concrete state for the AIO and custom flows to be in.

This PR adds the SignInClientTrust component and, functionally, everything acts largely the same as SignInFactorTwo.

The changes are that it ensures that the notice is visible and that only phone_code, email_code, and email_link are available. Most everything outside of that file are navigational additions to ensure that when needs_client_trust is returned, we navigate to the correct location.

This addition is non-breaking and will be offered, to existing customers, as an opt-in update via the Dashboard.

I also moved out logic shared between three components into a hook: useSecondFactorSelection.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Client-Trust verification added to the sign-in flow — users may be routed to a new "Client Trust" step to verify their device.
  • New UI for client-trust second-factor handling with improved second-factor selection and alternative-methods flow.
  • Verification cards now optionally show a "new device" / client-trust notice during code or email-link verification.

• Tests

  • End-to-end test coverage added for the client-trust sign-in flow.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: d6e048a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@clerk/ui	Minor
@clerk/chrome-extension	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
clerk-js-sandbox	Ready	Preview	Comment	Dec 12, 2025 2:50pm

[coderabbitai]

Walkthrough

Adds a "client trust" sign-in step: new needs_client_trust status, core detection treating it like a second factor, new Client Trust UI route/component, shared second-factor selection hook, related UI updates, integration presets/tests, and Playwright test adjustments.

Changes

Cohort / File(s)	Summary
Type System packages/shared/src/types/signInCommon.ts	Added 'needs_client_trust' to SignInStatus.
Core Sign-In Logic packages/clerk-js/src/core/resources/SignIn.ts	Treats 'needs_client_trust' like 'needs_second_factor' for second-factor detection and verificationKey selection.
Client Trust UI & Routing packages/ui/src/components/SignIn/SignInClientTrust.tsx, packages/ui/src/components/SignIn/index.tsx, packages/ui/src/components/SignIn/SignInStart.tsx	New exported SignInClientTrust component wired via HOCs; registered client-trust route; navigation updated to branch to client-trust when status is needs_client_trust.
First-Factor Flow packages/ui/src/components/SignIn/SignInFactorOnePasswordCard.tsx	Navigate to ../client-trust on needs_client_trust status.
Second-Factor Selection Hook packages/ui/src/components/SignIn/useSecondFactorSelection.ts	New hook managing currentFactor, showAllStrategies, factorAlreadyPrepared, and handlers (handleFactorPrepare, selectFactor, toggleAllStrategies).
Second-Factor UI Refactors packages/ui/src/components/SignIn/SignInFactorTwo.tsx, packages/ui/src/components/UserVerification/UserVerificationFactorTwo.tsx	Replaced local factor state/logic with useSecondFactorSelection; updated rendering and prop wiring to use hook outputs.
Factor Card Props / Notices packages/ui/src/components/SignIn/SignInFactorTwoCodeForm.tsx, packages/ui/src/components/SignIn/SignInFactorTwoEmailLinkCard.tsx	Added optional showClientTrustNotice?: boolean and updated card notice logic to show client-trust notice when appropriate.
Integration presets & long-running apps integration/presets/envs.ts, integration/presets/longRunningApps.ts	Added withNeedsClientTrust env preset and added a long-running app config using it.
Integration Tests integration/tests/client-trust.test.ts	New Playwright integration test validating the client-trust flow, device notice, OTP behavior, sign-out/sign-in scenarios, and known-device reuse.
Testing Helpers packages/testing/src/playwright/unstable/page-objects/common.ts	Extended POST response wait conditions to include prepare_second_factor and attempt_second_factor endpoints.
Changeset .changeset/goofy-lines-greet.md	New changeset documenting the UI addition.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Pay special attention to:
  • useSecondFactorSelection initialization and factorAlreadyPrepared correctness across phone/email/TOTP factors.
  • Routing changes in SignInStart.tsx and index.tsx to avoid regressions in existing sign-in flows.
  • HOC composition and prop wiring in SignInClientTrust.tsx.
  • Integration preset correctness and that long-running app config references the new env.
  • Playwright test stability and updated wait conditions in testing helpers.

Poem

🐰 I hopped through routes both new and true,
A client-trust step stitched into view.
One hook hums choices, cards take the lead,
Tests and presets follow the lead—
A tiny trust blossom, signed and new. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding support for a new needs_client_trust sign-in status across the js, shared, and ui packages, which is the core feature of this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch tom/user-4151-enable-sdk-functionality

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7430

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7430

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7430

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7430

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7430

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7430

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7430

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7430

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7430

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7430

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7430

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7430

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7430

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7430

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7430

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7430

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7430

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7430

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7430

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7430

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7430

commit: d6e048a

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e7c5f92 and d6e048a.

📒 Files selected for processing (4)

• integration/presets/envs.ts (2 hunks)
• integration/presets/longRunningApps.ts (1 hunks)
• integration/tests/client-trust.test.ts (1 hunks)
• packages/testing/src/playwright/unstable/page-objects/common.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (12)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• integration/tests/client-trust.test.ts

**/*.ts?(x)

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use proper TypeScript error types

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• integration/tests/client-trust.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/typescript.mdc)

**/*.{ts,tsx}: Always define explicit return types for functions, especially public APIs
Use proper type annotations for variables and parameters where inference isn't clear
Avoid any type - prefer unknown when type is uncertain, then narrow with type guards
Implement type guards for unknown types using the pattern function isType(value: unknown): value is Type
Use interface for object shapes that might be extended
Use type for unions, primitives, and computed types
Prefer readonly properties for immutable data structures
Use private for internal implementation details in classes
Use protected for inheritance hierarchies
Use public explicitly for clarity in public APIs
Use mixins for shared behavior across unrelated classes in TypeScript
Use generic constraints with bounded type parameters like <T extends { id: string }>
Use utility types like Omit, Partial, and Pick for data transformation instead of manual type construction
Use discriminated unions instead of boolean flags for state management and API responses
Use mapped types for transforming object types
Use conditional types for type-level logic
Leverage template literal types for string manipulation at the type level
Use ES6 imports/exports consistently
Use default exports sparingly, prefer named exports
Document functions with JSDoc comments including @param, @returns, @throws, and @example tags
Create custom error classes that extend Error for specific error types
Use the Result pattern for error handling instead of throwing exceptions
Use optional chaining (?.) and nullish coalescing (??) operators for safe property access
Let TypeScript infer obvious types to reduce verbosity
Use const assertions with as const for literal types
Use satisfies operator for type checking without widening types
Declare readonly arrays and objects for immutable data structures
Use spread operator and array spread for immutable updates instead of mutations
Use lazy loading for large types...

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use React Testing Library for component testing

Files:

• integration/tests/client-trust.test.ts

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• integration/tests/client-trust.test.ts
• integration/presets/envs.ts
• packages/testing/src/playwright/unstable/page-objects/common.ts
• integration/presets/longRunningApps.ts

packages/**/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

TypeScript is required for all packages

Files:

• packages/testing/src/playwright/unstable/page-objects/common.ts

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/testing/src/playwright/unstable/page-objects/common.ts

🧬 Code graph analysis (2)

integration/tests/client-trust.test.ts (2)

integration/testUtils/index.ts (2)

• testAgainstRunningApps (88-88)
• createTestUtils (24-86)

integration/presets/index.ts (1)

• appConfigs (14-30)

integration/presets/longRunningApps.ts (2)

integration/presets/next.ts (1)

• next (52-59)

integration/presets/envs.ts (1)

• envs (213-243)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (25)

• GitHub Check: Integration Tests (machine, chrome, RQ)
• GitHub Check: Integration Tests (machine, chrome)
• GitHub Check: Integration Tests (astro, chrome)
• GitHub Check: Integration Tests (billing, chrome, RQ)
• GitHub Check: Integration Tests (quickstart, chrome, 16)
• GitHub Check: Integration Tests (nextjs, chrome, 16)
• GitHub Check: Integration Tests (custom, chrome)
• GitHub Check: Integration Tests (nextjs, chrome, 16, RQ)
• GitHub Check: Integration Tests (handshake:staging, chrome)
• GitHub Check: Integration Tests (quickstart, chrome, 15)
• GitHub Check: Integration Tests (nextjs, chrome, 15)
• GitHub Check: Integration Tests (generic, chrome)
• GitHub Check: Integration Tests (billing, chrome)
• GitHub Check: Integration Tests (express, chrome)
• GitHub Check: Integration Tests (localhost, chrome)
• GitHub Check: Integration Tests (sessions:staging, chrome)
• GitHub Check: Integration Tests (ap-flows, chrome)
• GitHub Check: Integration Tests (react-router, chrome)
• GitHub Check: Integration Tests (sessions, chrome)
• GitHub Check: Integration Tests (handshake, chrome)
• GitHub Check: Integration Tests (nuxt, chrome)
• GitHub Check: Integration Tests (tanstack-react-start, chrome)
• GitHub Check: Integration Tests (vue, chrome)
• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (5)

packages/testing/src/playwright/unstable/page-objects/common.ts (2)

53-62: Endpoint name is correct and verified.

The attempt_second_factor endpoint name is properly implemented and matches the actual API endpoint paths found in Session.ts and action names throughout the codebase. The addition maintains consistency with attempt_first_factor and attempt_verification.

---

32-41: Confirm the endpoint name for prepare_second_factor aligns with the actual API implementation.

The addition of prepare_second_factor follows the established pattern of existing endpoints (prepare_verification, prepare_first_factor). However, since the PR notes indicate "related API changes are not yet live," verify that this endpoint name matches the final API specification when deployed. The naming is logically consistent with Clerk's MFA flow, but explicit confirmation from API documentation would reduce risk of mismatches.

integration/tests/client-trust.test.ts (1)

25-62: Nice: good end-to-end coverage of “route + notice + not signed-in + OTP + known device”
The sequence of assertions is solid for validating the new needs_client_trust routing/UX.

integration/presets/envs.ts (1)

207-212: Verify whether this env also needs CLERK_ENCRYPTION_KEY
Some other env presets set CLERK_ENCRYPTION_KEY; if the client-trust flow or the Next app under test expects it, add it here too.

integration/presets/longRunningApps.ts (1)

35-35: LGTM — wiring long-running app to the new env preset looks correct