Skip to content

chore(imports): trial TanStack Start import protection on git token functions#283

Open
jaredglaser wants to merge 2 commits into
mainfrom
chore/f26-import-protection-eval
Open

chore(imports): trial TanStack Start import protection on git token functions#283
jaredglaser wants to merge 2 commits into
mainfrom
chore/f26-import-protection-eval

Conversation

@jaredglaser

@jaredglaser jaredglaser commented Jun 12, 2026

Copy link
Copy Markdown
Owner

Summary

Evaluates TanStack Start import protection (closes #251). Static imports are safe in createServerFn modules; SSE route handlers (src/routes/api/) keep the dynamic import rule.

  • Converts src/data/git-tokens.functions.tsx from dynamic imports inside handlers to static top-level imports.
  • Adds @tanstack/react-start/server-only to src/lib/clients/database-client.ts so pg leaking into the client graph fails the build instead of breaking at runtime.
  • Adds docs/import-protection.md with verification steps and a conversion checklist.
  • Updates CLAUDE.md rule 4 to document the static-import allowance for createServerFn modules.

Testing

  • bun run typecheck passes.
  • Existing tests pass unchanged (git-tokens.functions 7 tests, database-client 19 tests).
  • bun run build passes; client assets contain no server-only module identifiers.
  • Importing database-client from a client component fails the build with [import-protection] Import denied in client environment.
  • bun run build:demo passes.

Closes #251

🤖 Generated with Claude Code

…unctions

The repo-wide rule that server-only modules load via await import() inside
handlers predates import protection in TanStack Start. The installed version
(1.167.16) ships the plugin enabled by default with build behavior "error",
plus a server-only marker module and compiler dead code elimination of
handler-only imports in the client environment.

Convert src/data/git-tokens.functions.tsx to static imports as the trial
module and mark src/lib/clients/database-client.ts server-only so a pg leak
into the client graph fails the build with an import trace instead of
breaking at runtime with node:async_hooks errors. Verified: client assets
contain no pg, repository, or keyring identifiers; a deliberate client-side
import of database-client fails the build; demo build unaffected.

SSE route handlers keep the dynamic import rule because their closures live
in route modules that ship to the client. Details and a conversion checklist
in docs/import-protection.md; CLAUDE.md rule 4 updated to match.

Closes #251

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@jaredglaser, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 18 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7eedf85-2ff8-4b80-828b-a0d7e30265bd

📥 Commits

Reviewing files that changed from the base of the PR and between 5d66d9f and c0b29a3.

📒 Files selected for processing (4)
  • CLAUDE.md
  • docs/import-protection.md
  • src/data/git-tokens.functions.tsx
  • src/lib/clients/database-client.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/f26-import-protection-eval

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Evaluate TanStack Start import protection vs dynamic-import rule

1 participant