fix(repo): harden keyless accountless requests

[mwickett]

Summary

• add shared CI/automation environment detection
• prevent keyless mode from activating in automated environments across Next.js, Astro, Nuxt, React Router, and TanStack Start
• include a framework-derived source query parameter on SDK accountless application create/complete requests
• add regression coverage plus a changeset

Tests

• pnpm --dir packages/nextjs exec vitest run src/utils/tests/feature-flags.test.ts --typecheck.enabled=false
• pnpm --dir packages/shared exec vitest run src/tests/runtimeEnvironment.spec.ts --typecheck.enabled=false
• pnpm --dir packages/shared exec vitest run src/keyless/tests/service.spec.ts --typecheck.enabled=false
• pnpm --dir packages/backend exec vitest run src/api/tests/AccountlessApplicationsApi.test.ts --environment node
• pnpm --filter @clerk/shared build
• pnpm --filter @clerk/backend build
• pnpm exec eslint packages/shared/src/utils/runtimeEnvironment.ts packages/shared/src/tests/runtimeEnvironment.spec.ts packages/shared/src/keyless/service.ts packages/shared/src/keyless/tests/service.spec.ts packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts packages/backend/src/api/tests/AccountlessApplicationsApi.test.ts packages/nextjs/src/utils/feature-flags.ts packages/nextjs/src/utils/tests/feature-flags.test.ts packages/nextjs/src/server/keyless-node.ts packages/astro/src/utils/feature-flags.ts packages/astro/src/server/keyless/index.ts packages/nuxt/src/runtime/utils/feature-flags.ts packages/nuxt/src/runtime/server/keyless/index.ts packages/react-router/src/utils/feature-flags.ts packages/react-router/src/server/keyless/index.ts packages/tanstack-react-start/src/utils/feature-flags.ts packages/tanstack-react-start/src/server/keyless/index.ts
• pnpm exec prettier --check packages/shared/src/utils/runtimeEnvironment.ts packages/shared/src/tests/runtimeEnvironment.spec.ts packages/shared/src/keyless/service.ts packages/shared/src/keyless/tests/service.spec.ts packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts packages/backend/src/api/tests/AccountlessApplicationsApi.test.ts packages/nextjs/src/utils/feature-flags.ts packages/nextjs/src/utils/tests/feature-flags.test.ts packages/nextjs/src/server/keyless-node.ts packages/astro/src/utils/feature-flags.ts packages/astro/src/server/keyless/index.ts packages/nuxt/src/runtime/utils/feature-flags.ts packages/nuxt/src/runtime/server/keyless/index.ts packages/react-router/src/utils/feature-flags.ts packages/react-router/src/server/keyless/index.ts packages/tanstack-react-start/src/utils/feature-flags.ts packages/tanstack-react-start/src/server/keyless/index.ts .changeset/keyless-ci-guard.md
• git diff --check

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	May 28, 2026 3:37pm

[changeset-bot]

🦋 Changeset detected

Latest commit: c11afee

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages

Name	Type
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/shared	Patch
@clerk/tanstack-react-start	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/hono	Patch
@clerk/testing	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-js	Patch
@clerk/expo-passkeys	Patch
@clerk/expo	Patch
@clerk/localizations	Patch
@clerk/msw	Patch
@clerk/react	Patch
@clerk/ui	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

API Changes Report

Generated by snapi on 2026-05-28T15:40:57.756Z

Summary

Metric	Count
Packages analyzed	6
Packages with changes	1
🔴 Breaking changes	0
🟡 Non-breaking changes	2
🟢 Additions	2

🤖 This report was reviewed by claude-sonnet-4-6.

---

@clerk/shared

Current version: 4.14.0
Recommended bump: MINOR → 4.15.0

Subpath ./keyless

🟡 Non-breaking Changes (2)

Modified: KeylessAPI.completeOnboarding

- completeOnboarding(requestHeaders?: Headers): Promise<AccountlessApplication | null>;
+ completeOnboarding(requestHeaders?: Headers, source?: string): Promise<AccountlessApplication | null>;

Static analyzer: Modified method KeylessAPI.completeOnboarding: Optional parameter source was added

🤖 AI review (confirmed) (98%): An optional parameter source?: string was appended to completeOnboarding. Existing callers passing zero or one argument continue to compile and run correctly; this is purely additive at the call site.

Modified: KeylessAPI.createAccountlessApplication

- createAccountlessApplication(requestHeaders?: Headers): Promise<AccountlessApplication | null>;
+ createAccountlessApplication(requestHeaders?: Headers, source?: string): Promise<AccountlessApplication | null>;

Static analyzer: Modified method KeylessAPI.createAccountlessApplication: Optional parameter source was added

🤖 AI review (confirmed) (98%): An optional parameter source?: string was appended to createAccountlessApplication. Existing callers are unaffected since the parameter is optional and placed at the end of the signature.

Subpath ./utils

🟢 Additions (2)

Added: automatedEnvironmentVariables

+ automatedEnvironmentVariables: readonly ["CI", "CONTINUOUS_INTEGRATION", "GITHUB_ACTIONS", "GITLAB_CI", "CIRCLECI", "TRAVIS", "BUILDKITE", "BITBUCKET_BUILD_NUMBER", "APPVEYOR", "CODEBUILD_BUILD_ID", "TF_BUILD", "TEAMCITY_VERSION", "JENKINS_URL", "HUDSON_URL", "BAMBOO_BUILDKEY", "CF_PAGES"]

Added variable automatedEnvironmentVariables

Added: isAutomatedEnvironment

+ isAutomatedEnvironment: () => boolean

Added function isAutomatedEnvironment

---

Report generated by snapi

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• ✅ Review completed - (🔄 Check again to review again)

📝 Walkthrough

Walkthrough

This PR adds a shared isAutomatedEnvironment() utility that detects CI/automation env vars and updates canUseKeyless across Astro, Next.js, Nuxt, React Router, and TanStack packages to require !isAutomatedEnvironment(). It also introduces a normalized per-service source value for accountless-application flows, extends backend AccountlessApplications endpoints to accept a source query param, threads source through shared keyless service and SDK server adapters, and adds tests plus a changeset.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• clerk/javascript#7812: Updates to Astro’s canUseKeyless feature-flag logic (related gating changes).

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 15.38% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(repo): harden keyless accountless requests' is specific, concise, and accurately summarizes the main security hardening changes across multiple packages to prevent keyless mode in automated environments.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description clearly outlines the changes: adding CI/automation detection, preventing keyless in automated environments, adding source parameters, and test coverage.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/tanstack-react-start/src/utils/feature-flags.ts (1)

11-19: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the JSDoc to include the automated-environment guard.

The comment says keyless is available in development when not explicitly disabled, but Line 19 also blocks it in automated environments. Please align docs with current behavior.

As per coding guidelines, "All public APIs must be documented with JSDoc" and docs should remain accurate.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/tanstack-react-start/src/utils/feature-flags.ts` around lines 11 -
19, The JSDoc above canUseKeyless is out of date: it states keyless mode is
available in development when not explicitly disabled but omits that automated
environments also block it; update the comment to reflect the full guard used by
canUseKeyless (isDevelopmentEnvironment() && !isAutomatedEnvironment() &&
!KEYLESS_DISABLED), explicitly mention automated environments prevent keyless
mode, and keep the note about disabling via VITE_CLERK_KEYLESS_DISABLED or
CLERK_KEYLESS_DISABLED; reference canUseKeyless, isDevelopmentEnvironment,
isAutomatedEnvironment, and KEYLESS_DISABLED when editing the doc so the
behavior and disable instructions are aligned.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/shared/src/utils/runtimeEnvironment.ts`:
- Around line 32-39: Replace the local getEnvVariable implementation with the
shared cross-runtime helper by importing the shared getEnvVariable and removing
the local const; update isAutomatedEnvironment to call the imported
getEnvVariable (instead of the local one) so detection checks
import.meta.env/globalThis fallbacks; ensure the import name matches the
exported symbol (getEnvVariable) and delete the local getEnvVariable function
declaration to avoid shadowing.

---

Outside diff comments:
In `@packages/tanstack-react-start/src/utils/feature-flags.ts`:
- Around line 11-19: The JSDoc above canUseKeyless is out of date: it states
keyless mode is available in development when not explicitly disabled but omits
that automated environments also block it; update the comment to reflect the
full guard used by canUseKeyless (isDevelopmentEnvironment() &&
!isAutomatedEnvironment() && !KEYLESS_DISABLED), explicitly mention automated
environments prevent keyless mode, and keep the note about disabling via
VITE_CLERK_KEYLESS_DISABLED or CLERK_KEYLESS_DISABLED; reference canUseKeyless,
isDevelopmentEnvironment, isAutomatedEnvironment, and KEYLESS_DISABLED when
editing the doc so the behavior and disable instructions are aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bce89080-379d-4448-ad50-e862116d17f6

📥 Commits

Reviewing files that changed from the base of the PR and between 8cc3129 and 031ea5b.

📒 Files selected for processing (9)

• .changeset/keyless-ci-guard.md
• packages/astro/src/utils/feature-flags.ts
• packages/nextjs/src/utils/__tests__/feature-flags.test.ts
• packages/nextjs/src/utils/feature-flags.ts
• packages/nuxt/src/runtime/utils/feature-flags.ts
• packages/react-router/src/utils/feature-flags.ts
• packages/shared/src/__tests__/runtimeEnvironment.spec.ts
• packages/shared/src/utils/runtimeEnvironment.ts
• packages/tanstack-react-start/src/utils/feature-flags.ts

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8676

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8676

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8676

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8676

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8676

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8676

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8676

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8676

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8676

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8676

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8676

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8676

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8676

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8676

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8676

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8676

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8676

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8676

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8676

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8676

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8676

commit: c11afee

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

packages/shared/src/keyless/__tests__/service.spec.ts (1)

28-47: ⚡ Quick win

Expand tests to cover source normalization and fallback.

Current assertions only cover already-normalized 'nextjs'. Add cases for undefined framework (fallback to 'javascript') and normalization inputs (e.g., 'Next.js', spaced/symbol-heavy names, long names) to lock in createSource behavior.

As per coding guidelines: **/*.{test,spec}.{ts,tsx} should verify edge cases for new functionality.

Also applies to: 49-66

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/shared/src/keyless/__tests__/service.spec.ts` around lines 28 - 47,
Add tests to verify source normalization and fallback: extend the existing test
using createKeylessService and its getOrCreateKeys call to assert that when
framework is undefined the createAccountlessApplication receives source
'javascript', and add additional cases where framework inputs like 'Next.js',
'Next JS', and symbol/long-heavy names are normalized to the expected canonical
source (e.g., 'nextjs' or trimmed/slugified result produced by your createSource
logic); update both the block around the current test (the one using
createAccountlessApplication mock) and the similar block around lines 49-66 to
include these inputs and assertions against
createAccountlessApplication.mock.calls to confirm headers is a Headers instance
and source equals the normalized fallback.

packages/backend/src/api/__tests__/AccountlessApplicationsApi.test.ts (1)

16-37: ⚡ Quick win

Add a no-source edge-case test for both API calls.

These tests validate source=nextjs, but not the optional path. Please add coverage where source is omitted and assert the query param is absent (prevents regressions like source=undefined).

As per coding guidelines: **/*.{test,spec}.{ts,tsx} tests should verify proper error handling and edge cases.

Also applies to: 39-60

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/backend/src/api/__tests__/AccountlessApplicationsApi.test.ts` around
lines 16 - 37, Add tests that cover the "no source" edge case for the
accountless application API calls: duplicate the existing test in
AccountlessApplicationsApi.test.ts but call createBackendApiClient and
__experimental_accountlessApplications.createAccountlessApplication (and the
other accountless API call referenced around lines 39-60) without passing a
source, then in the server mock handler assert that new
URL(request.url).searchParams.get('source') is null (or falsy) to ensure no
"source=undefined" is sent, while keeping the same header assertions
(Clerk-API-Version and User-Agent) and response expectations (e.g.,
publishableKey).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts`:
- Line 13: The public methods createAccountlessApplication and the other public
method at line 25 need explicit TypeScript return type annotations; update their
signatures to declare the precise Promise-returning types that match their
implementations (e.g., Promise<...> or Promise<void> as appropriate) so the
exported class API has explicit return types; locate the methods by name
(createAccountlessApplication and the public method on line 25) and add the
correct return type annotations to their signatures.

---

Nitpick comments:
In `@packages/backend/src/api/__tests__/AccountlessApplicationsApi.test.ts`:
- Around line 16-37: Add tests that cover the "no source" edge case for the
accountless application API calls: duplicate the existing test in
AccountlessApplicationsApi.test.ts but call createBackendApiClient and
__experimental_accountlessApplications.createAccountlessApplication (and the
other accountless API call referenced around lines 39-60) without passing a
source, then in the server mock handler assert that new
URL(request.url).searchParams.get('source') is null (or falsy) to ensure no
"source=undefined" is sent, while keeping the same header assertions
(Clerk-API-Version and User-Agent) and response expectations (e.g.,
publishableKey).

In `@packages/shared/src/keyless/__tests__/service.spec.ts`:
- Around line 28-47: Add tests to verify source normalization and fallback:
extend the existing test using createKeylessService and its getOrCreateKeys call
to assert that when framework is undefined the createAccountlessApplication
receives source 'javascript', and add additional cases where framework inputs
like 'Next.js', 'Next JS', and symbol/long-heavy names are normalized to the
expected canonical source (e.g., 'nextjs' or trimmed/slugified result produced
by your createSource logic); update both the block around the current test (the
one using createAccountlessApplication mock) and the similar block around lines
49-66 to include these inputs and assertions against
createAccountlessApplication.mock.calls to confirm headers is a Headers instance
and source equals the normalized fallback.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d0eb8c46-14db-40d0-a29e-df25345bf7a5

📥 Commits

Reviewing files that changed from the base of the PR and between 031ea5b and 11632fe.

📒 Files selected for processing (10)

• .changeset/keyless-ci-guard.md
• packages/astro/src/server/keyless/index.ts
• packages/backend/src/api/__tests__/AccountlessApplicationsApi.test.ts
• packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts
• packages/nextjs/src/server/keyless-node.ts
• packages/nuxt/src/runtime/server/keyless/index.ts
• packages/react-router/src/server/keyless/index.ts
• packages/shared/src/keyless/__tests__/service.spec.ts
• packages/shared/src/keyless/service.ts
• packages/tanstack-react-start/src/server/keyless/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• .changeset/keyless-ci-guard.md

[coderabbitai]

🧹 Nitpick comments (1)

packages/shared/src/__tests__/runtimeEnvironment.spec.ts (1)

24-29: ⚡ Quick win

Add a falsey global-fallback test case too.

Nice coverage for globalThis truthy fallback. Please also add a companion case (e.g., vi.stubGlobal('CI', 'false') or '0') to lock in falsey normalization on the same path.

As per coding guidelines, test files should verify proper error handling and edge cases.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/shared/src/__tests__/runtimeEnvironment.spec.ts` around lines 24 -
29, Add a companion test that verifies falsey global fallback: when you clear
the env var via vi.stubEnv('CI', undefined) and set the global via
vi.stubGlobal('CI', 'false') (or '0'), assert isAutomatedEnvironment() returns
false; this mirrors the existing truthy global test and locks in normalization
on the globalThis path—update runtimeEnvironment.spec.ts to include the new
it(...) using vi.stubEnv, vi.stubGlobal, and calling isAutomatedEnvironment().

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/shared/src/__tests__/runtimeEnvironment.spec.ts`:
- Around line 24-29: Add a companion test that verifies falsey global fallback:
when you clear the env var via vi.stubEnv('CI', undefined) and set the global
via vi.stubGlobal('CI', 'false') (or '0'), assert isAutomatedEnvironment()
returns false; this mirrors the existing truthy global test and locks in
normalization on the globalThis path—update runtimeEnvironment.spec.ts to
include the new it(...) using vi.stubEnv, vi.stubGlobal, and calling
isAutomatedEnvironment().

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: d408055b-0422-4056-a380-b498e35b726c

📥 Commits

Reviewing files that changed from the base of the PR and between 11632fe and ba1bafe.

📒 Files selected for processing (3)

• packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts
• packages/shared/src/__tests__/runtimeEnvironment.spec.ts
• packages/shared/src/utils/runtimeEnvironment.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/backend/src/api/endpoints/AccountlessApplicationsAPI.ts
• packages/shared/src/utils/runtimeEnvironment.ts

[mwickett]

I'm unsure of better ways to detect CI envs, definitely open to suggestions from those with more knowledge!