feat(upgrade): Sign-in Client Trust status handling

[tmilewski]

Description

• Adds handling for new Sign-in Client Trust status: needs_client_trust
• Adds ability to exclude the matcher frontmatter to indicate that the change should always be displayed.
• Documentation will update appropriately with: feat: Add needs_client_trust status clerk-docs#3096

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• New Features

  • Scanner now always reports changes that lack matcher criteria and skips scanning when no matchers are present.

• Documentation

  • Added guidance and examples for the new Sign-in Client Trust Status, including prerequisites and handling patterns.

• Tests

  • Expanded integration tests to cover changes both with and without matchers.

• Chores

  • Added a changeset entry to support versioning and publishing metadata.

[changeset-bot]

🦋 Changeset detected

Latest commit: 456bc24

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@clerk/upgrade	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Feb 20, 2026 9:26pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

📝 Walkthrough

Walkthrough

Adds a changeset entry and documentation for a new Sign-in status needs_client_trust. Refactors runScans() to separate changes with and without matchers; changes without matchers are pre-populated into results with empty instances. Scanning now iterates only over matcher-bearing changes, accumulates matches per matcher title with de-duplication, and returns early if no matcher-bearing changes exist. Updates loadMatchers selection logic. Expands integration tests to cover changes with and without matchers. No public API signatures were changed.

Changes

Cohort / File(s)	Summary
Versioning .changeset/small-dots-scream.md	Adds a changeset entry for a patch release of the upgrade package describing the new Sign-in Client Trust Status.
Documentation packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md	Adds documentation for a new needs_client_trust sign-in status, with prerequisites, example handling, and support contact guidance.
Core Runner Logic packages/upgrade/src/runner.js	Refactors runScans() to separate changes with and without matchers; changes without matchers are included in results with empty instances. Scanning iterates only over matcher-bearing changes, accumulates matches per matcher title with de-duplication, and returns early if no matcher-bearing changes exist. loadMatchers logic is adjusted to include changes whose packages match the SDK.
Tests packages/upgrade/src/__tests__/integration/runner.test.js	Filters an existing test to focus on matcher-bearing changes and adds tests asserting that changes without matchers are always included and that matcher and non-matcher changes can coexist in results.

Estimated code review effort

Medium — ~25 minutes

Areas requiring focused review:

• Separation of changes into matcher-bearing vs non-matcher groups and the early-return path
• Per-matcher accumulation and de-duplication of instances
• loadMatchers change that broadens which changes are considered for scanning

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(upgrade): Sign-in Client Trust status handling' directly aligns with the primary changes in the PR, which adds handling for a new Sign-in Client Trust status and introduces a force-display capability for upgrade documentation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tmilewski]

@brkalow Added the "force display" option we were discussing earlier.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (2)

8-8: TODO reminder: Documentation link placeholder.

The documentation link is pending. Per the PR description, this will be updated when documentation is ready.

Would you like me to open an issue to track this TODO, or is this already being handled as part of the PR workflow?

---

15-15: Minor: Improve phrasing for clarity.

The phrasing "If ... aren't enabled" in the prerequisite list could be clearer. Consider rewording to "If Email or SMS sign-in verification is not enabled."

Apply this diff:

-- If [Email](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) or [SMS](https://dashboard.clerk.com/~/user-authentication/user-and-authentication?user_auth_tab=phone) sign-in verification aren't enabled.
+- If [Email](https://dashboard.clerk.com/~/user-authentication/user-and-authentication) or [SMS](https://dashboard.clerk.com/~/user-authentication/user-and-authentication?user_auth_tab=phone) sign-in verification is not enabled.

packages/upgrade/src/runner.js (1)

137-146: Consider renaming loadMatchers to reflect its broader purpose.

The function loadMatchers now returns all changes (both with and without matchers) that match the SDK, not just those with matchers. Consider renaming to loadChanges or loadApplicableChanges for better clarity.

Apply this diff:

-function loadMatchers(config, sdk) {
+function loadChanges(config, sdk) {
   if (!config.changes) {
     return [];
   }

   return config.changes.filter(change => {
     const packages = change.packages || ['*'];
     return packages.includes('*') || packages.includes(sdk);
   });
 }

And update the call site:

 export async function runScans(config, sdk, options) {
-  const changes = loadMatchers(config, sdk);
+  const changes = loadChanges(config, sdk);

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8c8873d and 3a4a7e4.

📒 Files selected for processing (4)

• .changeset/small-dots-scream.md (1 hunks)
• packages/upgrade/src/__tests__/integration/runner.test.js (2 hunks)
• packages/upgrade/src/runner.js (2 hunks)
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (9)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

All code must pass ESLint checks with the project's configuration

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{js,jsx,ts,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use Prettier for consistent code formatting

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Follow established naming conventions (PascalCase for components, camelCase for variables)

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

packages/**/src/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

packages/**/src/**/*.{ts,tsx,js,jsx}: Maintain comprehensive JSDoc comments for public APIs
Use tree-shaking friendly exports
Validate all inputs and sanitize outputs
All public APIs must be documented with JSDoc
Use dynamic imports for optional features
Provide meaningful error messages to developers
Include error recovery suggestions where applicable
Log errors appropriately for debugging
Lazy load components and features when possible
Implement proper caching strategies
Use efficient data structures and algorithms
Implement proper logging with different levels

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{test,spec}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality
Verify proper error handling and edge cases
Include tests for all new features

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js

**/*.{test,spec,e2e}.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Use real Clerk instances for integration tests

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use ESLint with custom configurations tailored for different package types

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js

**/*.{js,ts,jsx,tsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (.cursor/rules/monorepo.mdc)

Use Prettier for code formatting across all packages

Files:

• packages/upgrade/src/__tests__/integration/runner.test.js
• packages/upgrade/src/runner.js
• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

**/*.{md,tsx}

📄 CodeRabbit inference engine (.cursor/rules/development.mdc)

Update documentation for API changes

Files:

• packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md

🧬 Code graph analysis (1)

packages/upgrade/src/runner.js (1)

packages/upgrade/src/config.js (3)

• config (29-29)
• config (53-53)
• matcher (164-168)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (7)

.changeset/small-dots-scream.md (1)

1-5: LGTM!

The changeset is correctly formatted with an appropriate patch version bump for adding the new Sign-in Client Trust Status entry.

packages/upgrade/src/versions/core-3/changes/needs-client-trust-sign-in-status-added.md (1)

19-27: LGTM!

The code example effectively demonstrates how to handle the new needs_client_trust status alongside the existing complete status. The diff format makes the required changes clear.

packages/upgrade/src/runner.js (2)

62-82: LGTM! Clear separation of concerns.

The refactoring correctly splits changes into those with and without matchers, ensuring changes without matchers are always included in results with empty instances. The early return optimization when there are no changes with matchers is a good performance improvement.

---

99-126: LGTM! Scanning logic correctly handles matcher-based changes.

The scanning loop now correctly iterates only over changesWithMatchers, accumulating matches into the results object that was pre-populated with changes without matchers. The duplicate detection logic ensures clean results.

packages/upgrade/src/__tests__/integration/runner.test.js (3)

59-60: LGTM! Important fix for the ignore patterns test.

Filtering to only changes with matchers ensures this test validates the ignore functionality correctly without being affected by changes without matchers that would always appear in results.

---

72-97: LGTM! Comprehensive test for changes without matchers.

The test correctly validates that changes without matchers are always included in results with an empty instances array, which is the core new behavior introduced in this PR.

---

99-135: Good test coverage for mixed scenarios.

The test validates that both changes with and without matchers appear in results. The assertions correctly verify the presence of the change without a matcher and its empty instances array.

One minor observation: Line 131 uses toBeGreaterThanOrEqual(1) which is somewhat weak. However, given the dynamic nature of the matcher-based change (it may or may not find matches in the fixture), this assertion level is acceptable.

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7446

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7446

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7446

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7446

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7446

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7446

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7446

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7446

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7446

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7446

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@7446

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7446

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7446

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7446

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7446

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7446

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7446

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7446

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7446

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7446

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7446

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7446

commit: 456bc24

[jacekradko]

LGTM

[dstaley]

if we remove this line the example will be compatible for both the new hooks and the included legacy hooks

Suggested change

+ signIn.attemptFirstFactor({ strategy: 'password', password: '...' })

[dstaley]

also maybe this is a better way to visualize this?

const { signIn } = useSignIn()
// ...
- if (signIn.status === 'complete') { /* ... */ }
+ if (signIn.status === 'needs_client_trust') { /* ... */ }
+ else if (signIn.status === 'complete') {  /* ... */ }

```diff
const { signIn } = useSignIn()
// ...
- if (signIn.status === 'complete') { /* ... */ }
+ if (signIn.status === 'needs_client_trust') { /* ... */ }
+ else if (signIn.status === 'complete') {  /* ... */ }
```

[tmilewski]

👍 I definitely like this more. Thanks!