feat(upgrade): Sign-in Client Trust status handling

[tmilewski]

Description

• Adds handling for new Sign-in Client Trust status: needs_client_trust
• Adds ability to exclude the matcher frontmatter to indicate that the change should always be displayed.

TODO

• Update link when documentation is ready.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Introduced new Sign-in Client Trust Status for enhanced client trust verification in authentication flows.

• Documentation

  • Added documentation and code examples for the new Sign-in Client Trust Status, including prerequisites and implementation guidance.

• Tests

  • Enhanced test coverage for the upgrade scanner to ensure accurate detection and comprehensive handling of configuration changes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 3a4a7e4

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@clerk/upgrade	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Dec 12, 2025 10:24pm

[coderabbitai]

Walkthrough

This PR introduces support for tracking Sign-in client trust status changes in the upgrade CLI. It adds a new changeset file, updates the runner logic to handle changes without matchers as first-class outputs, extends integration tests to verify the new behavior, and documents the new needs_client_trust sign-in status.

Changes

Cohort / File(s)	Summary
Versioning & Documentation .changeset/small-dots-scream.md, packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md	Adds changeset entry for @clerk/upgrade patch version and new documentation describing the needs_client_trust sign-in status with prerequisite details and usage examples.
Test Updates packages/upgrade/src/__tests__/integration/runner.test.js	Refines existing matcher-focused test by filtering config.changes; adds two new tests verifying that changes without matchers are always included in results, and that both matcher and non-matcher changes coexist.
Core Runner Logic packages/upgrade/src/runner.js	Refactors runScans() to differentiate between changes with and without matchers. Changes without matchers are now always included in results with zero instances. Scanning is only performed if changes with matchers exist. Updates loadMatchers() to include all changes whose packages match the current SDK.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Areas requiring extra attention:

• Logic in runScans() that splits changes into two groups and determines when scanning is skipped
• Duplicate instance detection and accumulation logic during the scanning phase
• Modified behavior of loadMatchers() to include changes without explicit matchers
• Test assertions verifying edge cases of changes with and without matchers coexisting

Poem

A rabbit hops through Sign-in's door, 🐰
With trust that needs reviewing more,
Changes dance both matched and free,
Each finds its place in the spree,
No matcher? Included in lore! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(upgrade): Sign-in Client Trust status handling' clearly and specifically describes the main feature being added: handling for the new Sign-in Client Trust status. It aligns with the primary changes across all files (new changeset, documentation, logic modifications to support changes without matchers).

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch tom/user-4211-needs-client-status-upgrade

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tmilewski]

@brkalow Added the "force display" option we were discussing earlier.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (2)

8-8: TODO reminder: Documentation link placeholder.

The documentation link is pending. Per the PR description, this will be updated when documentation is ready.

Would you like me to open an issue to track this TODO, or is this already being handled as part of the PR workflow?

---

15-15: Minor: Improve phrasing for clarity.

The phrasing "If ... aren't enabled" in the prerequisite list could be clearer. Consider rewording to "If Email or SMS sign-in verification is not enabled."

Apply this diff:

-- If [Email](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) or [SMS](https://dashboard.clerk.com/~/user-authentication/user-and-authentication?user_auth_tab=phone) sign-in verification aren't enabled.
+- If [Email](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) or [SMS](https://dashboard.clerk.com/~/user-authentication/user-and-authentication?user_auth_tab=phone) sign-in verification is not enabled.

packages/upgrade/src/runner.js (1)

137-146: Consider renaming loadMatchers to reflect its broader purpose.

The function loadMatchers now returns all changes (both with and without matchers) that match the SDK, not just those with matchers. Consider renaming to loadChanges or loadApplicableChanges for better clarity.

Apply this diff:

-function loadMatchers(config, sdk) {
+function loadChanges(config, sdk) {
   if (!config.changes) {
     return [];
   }

   return config.changes.filter(change => {
     const packages = change.packages || ['*'];
     return packages.includes('*') || packages.includes(sdk);
   });
 }

And update the call site:

 export async function runScans(config, sdk, options) {
-  const changes = loadMatchers(config, sdk);
+  const changes = loadChanges(config, sdk);

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8c8873d and 3a4a7e4.

📒 Files selected for processing (4)

• .changeset/small-dots-scream.md (1 hunks)
• packages/upgrade/src/__tests__/integration/runner.test.js (2 hunks)
• packages/upgrade/src/runner.js (2 hunks)
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

**/*.{md,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Update documentation for API changes

Files:

• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

🧬 Code graph analysis (1)

packages/upgrade/src/runner.js (1)

packages/upgrade/src/config.js (3)

• config (29-29)
• config (53-53)
• matcher (164-168)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (7)

.changeset/small-dots-scream.md (1)

1-5: LGTM!

The changeset is correctly formatted with an appropriate patch version bump for adding the new Sign-in Client Trust Status entry.

packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (1)

19-27: LGTM!

The code example effectively demonstrates how to handle the new needs_client_trust status alongside the existing complete status. The diff format makes the required changes clear.

packages/upgrade/src/runner.js (2)

62-82: LGTM! Clear separation of concerns.

The refactoring correctly splits changes into those with and without matchers, ensuring changes without matchers are always included in results with empty instances. The early return optimization when there are no changes with matchers is a good performance improvement.

---

99-126: LGTM! Scanning logic correctly handles matcher-based changes.

The scanning loop now correctly iterates only over changesWithMatchers, accumulating matches into the results object that was pre-populated with changes without matchers. The duplicate detection logic ensures clean results.

packages/upgrade/src/__tests__/integration/runner.test.js (3)

59-60: LGTM! Important fix for the ignore patterns test.

Filtering to only changes with matchers ensures this test validates the ignore functionality correctly without being affected by changes without matchers that would always appear in results.

---

72-97: LGTM! Comprehensive test for changes without matchers.

The test correctly validates that changes without matchers are always included in results with an empty instances array, which is the core new behavior introduced in this PR.

---

99-135: Good test coverage for mixed scenarios.

The test validates that both changes with and without matchers appear in results. The assertions correctly verify the presence of the change without a matcher and its empty instances array.

One minor observation: Line 131 uses toBeGreaterThanOrEqual(1) which is somewhat weak. However, given the dynamic nature of the matcher-based change (it may or may not find matches in the fixture), this assertion level is acceptable.