
trpc-security

Security audit for tRPC applications covering procedure auth via middleware, input validation with Zod, protectedProcedure vs publicProcedure patterns, router composition, context creation, batching abuse, output sanitization, and tRPC-specific patterns across Next.js, Express, Fastify, and standalone adapters. Use this skill whenever the user mentions tRPC, @trpc/server, @trpc/client, @trpc/react-query, createTRPCRouter, protectedProcedure, publicProcedure, t.procedure, ctx, or asks "audit my tRPC app", "tRPC security", "tRPC middleware safe". Trigger when the codebase contains `@trpc/server` or `@trpc/client` in package.json.
hlsitechio/claude-skills-security · ★ 1 · API & Backend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# tRPC Security Audit

Audit tRPC applications. tRPC procedures are RPC endpoints — every procedure is a public surface even if not documented.

## When this skill applies

- Reviewing tRPC router and procedure definitions
- Auditing middleware chains (`use(...)`) for auth
- Reviewing input/output schemas (Zod)
- Checking context creation for auth resolution
- Reviewing protected vs public procedure patterns

## Workflow

Follow `../_shared/audit-workflow.md`.

### Phase 1: Stack detection

```bash
grep -E '"@trpc/(server|client|react-query|next)":' package.json

# Detect adapter (-r is required because src/ is a directory)
grep -rnE 'fetchRequestHandler|createNextApiHandler|createExpressMiddleware|createHTTPServer' src/
```

### Phase 2: Inventory

```bash
# Router definitions
grep -rn 'createTRPCRouter\|router(\|t\.router' src/ | head

# Procedures
grep -rnE 'publicProcedure|protectedProcedure|t\.procedure' src/ | head -50

# Middleware
grep -rn 't\.middleware\|\.use(' src/

# Context creation
grep -rn 'createContext\|createInnerTRPCContext' src/

# Input validation
grep -rn '\.input(' src/ | head -30
```

### Phase 3: Detection — the checks

#### Context creation

The context is where auth resolution happens. Every procedure sees this.

- **TRP-CTX-1** `createContext` reads auth token/cookie and resolves user once per request.
- **TRP-CTX-2** Context doesn't leak secrets (DB password, internal IDs) — only resolved primitives needed by procedures.
- **TRP-CTX-3** Context creation errors don't expose stack traces to clie