feat(clerk-js,shared,ui): Add Protect SDK challenge support during sign-up and sign-in

[zourzouvillys]

Summary

Adds client-side support for Clerk Protect mid-flow SDK challenges (protect_check) during both sign-up and sign-in. When the antifraud service gates a step, the SDK exposes the challenge, surfaces a card that loads and runs the challenge script, submits the resulting proof token, and resumes the original flow.

• New protectCheck field and submitProtectCheck() method on both SignUp and SignIn resources (and their future variants), mirrored on the @clerk/react state proxies.
• New 'needs_protect_check' value on the SignInStatus union.
• New protect-check route on the prebuilt <SignIn /> and <SignUp /> components (standalone, continue, and combined-flow create / create/continue depths).

Background

Previously anti-fraud blocks could only happen at sign-in/sign-up create time. This mechanism lets the service gate at any step. When gated, the response carries:

{
  "protect_check": {
    "status": "pending",
    "token": "<challenge token>",
    "sdk_url": "https://.../sdk.js",
    "expires_at": 1700000000000,
    "ui_hints": { "reason": "device_new" }
  }
}

expires_at is a Unix epoch timestamp in milliseconds (documented on the type). The client loads the SDK at sdk_url, runs the challenge with token, and submits the proof token to PATCH /v1/client/sign_{ins,ups}/{id}/protect_check. The response clears the gate, issues a chained challenge, or completes the flow.

Implementation

Types (@clerk/shared)

• ProtectCheckJSON / ProtectCheckResource { status: 'pending', token, sdkUrl, expiresAt?, uiHints? }; expires_at is optional on both SignUpJSON and SignInJSON (older FAPI versions omit it).
• 'protect_check' added to SignUpField; 'needs_protect_check' added to SignInStatus.
• submitProtectCheck added to the sign-up/sign-in resource + future interfaces.

Core resources (@clerk/clerk-js)

• SignUp / SignIn expose protectCheck and submitProtectCheck({ proofToken }); fromJSON / __internal_toSnapshot round-trip the field; future variants mirror the API.

SDK loader helper (@clerk/shared/internal/clerk-js/protectCheck)

executeProtectCheck(protectCheck, container, { signal }) — validates sdkUrl (must be https:, no credentials, rejects data:/blob:/javascript:), runs the spec-compliant script contract (container, { token, uiHints, signal }), forwards the AbortSignal, and wraps failures in typed error codes without leaking the URL.

Shared card runner (@clerk/ui)

Both protect-check cards share one useProtectCheckRunner hook so the lifecycle can't drift:

• Keys the effect on protectCheck.token (not object identity) so an unrelated resource refresh doesn't restart the challenge.
• Caps expired-challenge reloads and fails loud instead of spinning (a plain GET doesn't re-mint).
• Wraps the script run in a timeout, and the error state offers a retry control.
• Fails closed in no-RHC builds (__BUILD_DISABLE_RHC__) before the remote import(sdk_url) — the guard lives in the component layer because @clerk/shared is compiled once with the flag false.
• Finalizes (setActive) the complete case from both the normal success and the protect_check_already_resolved reload, so neither strands the user.
• Loading state uses a descriptors.spinner spinner in an aria-live region.

Sign-in gate routing — single choke point

navigateOnSignInProtectGate(res, navigate, protectCheckPath) is the one place that turns a gated sign-in response into navigation. Every dispatch site routes through it (start ×2, passkey, password, code, alt-channel, backup-code, factor-two code, reset-password), with the protect-check path passed per caller (index route → 'protect-check', factor cards → '../protect-check'). Also wired into the previously-missed email-link result handler and the inline web3/Solana path (clerk.authenticateWithWeb3, which doesn't redirect through _handleRedirectCallback): it takes protectCheckUrl / signUpProtectCheckUrl params and routes a gated attempt to the sign-in or sign-up challenge depending on which resource the attempt resolved through (the identifier_not_found → signUp fallback is covered).

OAuth / SAML callback (clerk.ts)

_handleRedirectCallback checks the gate before its transfer/missing-fields logic, scoped to the callback intent (reloadResource) so an abandoned sign-in's stale protect_check can't hijack a sign-up callback (and vice versa). The sign-up gate check runs before the missing_fields short-circuit so a gated signUp.create({ transfer }) routes to the challenge instead of /continue.

Prebuilt UI routes (@clerk/ui)

protect-check routes registered on <SignIn />/<SignUp /> at every depth the flow can mount sign-up at; SignUpProtectCheck takes per-mount continuation paths (the continue-nested mounts pass continuePath='..').

Localization (@clerk/localizations, @clerk/shared)

Typed signUp.protectCheck.{title,subtitle,loading,retryButton} / signIn.protectCheck.* keys and unstable__errors entries for the runtime error codes (protect_check_execution_failed, …_invalid_script, …_invalid_sdk_url, …_script_load_failed, …_timed_out, …_unsupported_environment; …_aborted / …_already_resolved intentionally undefined).

Backwards compatibility

• All new JSON fields are optional; old SDK consumers ignore them.
• 'needs_protect_check' is type-additive — runtime behavior is unchanged (the server emits it only behind a feature gate, and protectCheck is the authoritative field). Strict-TypeScript consumers with an exhaustive switch (signIn.status) will get a new unhandled-branch hint, hence the minor bump.
• No existing API surface is removed.

Risks

• Custom flows that switch on signIn.status need to handle 'needs_protect_check' (or the protectCheck field). Documented on the resource interface.
• Challenge SDK contract — the loaded script must default-export (container, { token, uiHints, signal }) => Promise<string>. Coordinate with the Protect SDK team before deploying.
• CSP — apps with strict CSP must allow the Protect script origin via script-src; the load-failure error calls this out.

Test plan

• Unit (resources): SignUp.test.ts / SignIn.test.ts — serialization, optional fields, snapshot round-trip, submitProtectCheck path/method/body
• Unit (helper): protectCheck.test.ts — URL validation, script contract, cancellation, error wrapping
• Unit (flow): completeSignUpFlow.test.ts — routing priority
• Unit (redirect): clerk.test.ts — gate routing scoped to the callback intent (stale sign-in not picked up by a sign-up callback; sign-in callback routes to the gate)
• Unit (choke point): handleProtectCheck.test.ts — navigateOnSignInProtectGate / isSignInProtectGated (both gate signals, per-caller path, no navigation when ungated)
• Integration (call site): SignInFactorOne.test.tsx — a gated first-factor attempt routes to ../protect-check instead of dispatching on the underlying status
• Component: SignUpProtectCheck.test.tsx / SignInProtectCheck.test.tsx — run/expiry/already-resolved/chained/abort/no-submit-on-failure, finalize-on-reload-complete, retry control
• Build + type-check: @clerk/clerk-js, @clerk/shared, @clerk/localizations, @clerk/ui clean; lint clean
• Manual: drive a sign-up/sign-in on a Protect-enabled instance (challenge renders + resolves, chained challenge, expired auto-recovery, OAuth/SAML callback)

Follow-ups (out of scope)

• Server-side ownership of re-minting an expired challenge on read (vs. re-running the gated step) — capped client-side so it can't loop in the meantime.
• Additional test coverage (lower priority): a dedicated authenticateWithWeb3 sign-up-gate regression test, an email-link gate-routing test, and the hook's no-RHC / timeout branches (not exercisable in the current ui vitest setup).
• @clerk/backend resource model updates (the backend SDK doesn't drive end-user flows).
• Non-blocking protect_check (additive when the server starts emitting it).

Summary by CodeRabbit

• New Features

  • Clerk Protect mid-flow challenge support for sign-up and sign-in with automatic routing in pre-built flows (including Web3 and passkey), navigation guards, and routing for chained challenges
  • Added protectCheck state, submitProtectCheck APIs, and new needs_protect_check sign-in status
  • New ProtectCheck UI components, routing steps, and a shared hook to run/retry/cancel/resume challenges

• Localization

  • Added protect-check UI strings and new protect-check error messages

• Tests

  • Extensive tests covering flows, SDK execution, cancellation, chaining, routing, and edge cases

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 25, 2026 9:13pm
swingset	Ready	Preview, Comment	Jun 25, 2026 9:13pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 3963323

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 23 packages

Name	Type
@clerk/clerk-js	Minor
@clerk/localizations	Minor
@clerk/react	Minor
@clerk/shared	Minor
@clerk/ui	Minor
@clerk/chrome-extension	Patch
@clerk/electron	Patch
@clerk/expo	Patch
@clerk/nextjs	Patch
@clerk/react-router	Patch
@clerk/tanstack-react-start	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/headless	Patch
@clerk/hono	Patch
@clerk/msw	Patch
@clerk/nuxt	Patch
@clerk/testing	Patch
@clerk/vue	Patch
@clerk/swingset	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[jacekradko]

[minor] is this a reference to an LLM spec document?

[zourzouvillys]

Good catch — that § reference pointed at the internal Protect FAPI design doc by section number, which isn't useful to reviewers and reads like an artifact. I've reworded this and all the other Per spec §X.X comments across the PR to describe the behavior directly instead. Fixed in ead7059.

[jacekradko]

I believe this route segment also needs a protect-check path. Looks like we have navigations to create/protect-check in the combined flow

Suggested change

	<Route path='create'>
	<Route
	path='protect-check'
	canActivate={clerk => !!clerk.client.signUp.protectCheck}
	>
	<LazySignUpProtectCheck />
	</Route>
	<Route

[zourzouvillys]

You're right, this was a real gap — handleCombinedFlowTransfer.ts:103 navigates to create/protect-check but no route was registered there, so a Protect gate during combined-flow sign-up would dead-end. Added the nested route in ead7059:

<Route path='create'>
  <Route
    path='protect-check'
    canActivate={clerk => !!clerk.client.signUp.protectCheck}
  >
    <LazySignUpProtectCheck />
  </Route>
  ...

This also needed LazySignUpProtectCheck added to lazy-sign-up.ts and SignUpProtectCheck re-exported from the SignUp barrel (it was only used internally before). Gated on signUp.protectCheck since the combined flow's create/* segment drives the sign-up resource.

[jacekradko]

What spec is this referring to?

[zourzouvillys]

Same as above — internal Protect design doc section. Reworded to explain the behavior directly (OAuth/SAML callbacks can resolve into a protect_check gate that surfaces on the next /v1/client read, so we check before the transfer logic). Fixed in ead7059.

[jacekradko]

@zourzouvillys The core stuff looks good. I think the biggest gap is the routing logic integration. Feels like it this is targeting the standalone <SignIn /> / <SignUp /> , but the combined flows are not hooked up properly.

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-25T21:15:54.629Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	2
🔴 Breaking changes	2
🟡 Non-breaking changes	4
🟢 Additions	26

Warning
2 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

🔴 Breaking changes index (2)

Every breaking change, up front. Full diffs are in the package sections below.

Package	Subpath	Change
@clerk/shared	./types	SignInStatus
@clerk/shared	./types	SignUpField

---

@clerk/shared

Current version: 4.21.0
Recommended bump: MAJOR → 5.0.0

Subpath ./types

🔴 Breaking Changes (2)

Changed: SignInStatus

- type SignInStatus = 'needs_identifier' | 'needs_first_factor' | 'needs_second_factor' | 'needs_client_trust' | 'needs_new_password' | 'complete';
+ type SignInStatus = 'needs_identifier' | 'needs_first_factor' | 'needs_second_factor' | 'needs_client_trust' | 'needs_new_password' | 'needs_protect_check' | 'complete';

Static analyzer: Breaking change in type alias SignInStatus: Type changed: 'complete'|'needs_client_trust'|'needs_first_factor'|'needs_identifier'|'needs_new_password'|'needs_second_factor' → 'complete'|'needs_client_trust'|'needs_first_factor'|'needs_identifier'|'needs_new_password'|'needs_protect_check'|'nee…

🤖 AI review (confirmed) (90%): SignInStatus is a union used as a discriminated output field (SignInResource.status, SignInFutureResource.status, SignInJSON.status); consumers with exhaustive switch/if statements over the previous set of variants will not handle the new 'needs_protect_check' member, breaking runtime correctness or TypeScript exhaustiveness checks.

Migration: Add a case for 'needs_protect_check' in any exhaustive switch or conditional logic that handles all SignInStatus values.

Changed: SignUpField

- type SignUpField = SignUpAttributeField | SignUpIdentificationField;
+ type SignUpField = SignUpAttributeField | SignUpIdentificationField | ProtectCheckField;

Static analyzer: Breaking change in type alias SignUpField: Type changed: import("@clerk/shared").SignUpAttributeField|import("@clerk/shared").SignUpIdentificationField → import("@clerk/shared").ProtectCheckField|import("@clerk/shared").SignUpAttributeField|import("@clerk/shared").SignUpId…

🤖 AI review (confirmed) (85%): SignUpField is used as an output type in array fields (missingFields, requiredFields, optionalFields) on SignUpResource/SignUpFutureResource/SignUpJSON; adding ProtectCheckField ('protect_check') to the union means exhaustive consumers reading these arrays must now handle the new member.

Migration: Add handling for the 'protect_check' value wherever SignUpField values are exhaustively matched or narrowed.

🟡 Non-breaking Changes (1)

Modified: __internal_LocalizationResource

Diff (before: 1943 lines, after: 1955 lines). Click to expand.

// ... 332 unchanged lines elided ...
        subtitle: LocalizationValue;
        noAvailableWallets: LocalizationValue;
      };
+     protectCheck: {
+       title: LocalizationValue;
+       subtitle: LocalizationValue;
+       loading: LocalizationValue;
+       retryButton: LocalizationValue;
+     };
    };
    signIn: {
      start: {
        title: LocalizationValue;
        titleCombined: LocalizationValue;
        subtitle: LocalizationValue;
        subtitleCombined: LocalizationValue;
        actionText: LocalizationValue;
        actionLink: LocalizationValue;
        actionLink__use_email: LocalizationValue;
        actionLink__use_phone: LocalizationValue;
        actionLink__use_username: LocalizationValue;
        actionLink__use_email_username: LocalizationValue;
        actionLink__use_passkey: LocalizationValue;
        actionText__join_waitlist: LocalizationValue;
        actionLink__join_waitlist: LocalizationValue;
        alternativePhoneCodeProvider: {
          actionLink: LocalizationValue;
          label: LocalizationValue<'provider'>;
          subtitle: LocalizationValue<'provider'>;
          title: LocalizationValue<'provider'>;
        };
      };
      password: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        actionLink: LocalizationValue;
      };
      passwordPwned: {
        title: LocalizationValue;
      }; /** @deprecated Use `passwordCompromised` instead */
      passwordUntrusted: {
        title: LocalizationValue;
      };
      passwordCompromised: {
        title: LocalizationValue;
      };
      passkey: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
      };
      forgotPasswordAlternativeMethods: {
        title: LocalizationValue;
        label__alternativeMethods: LocalizationValue;
        blockButton__resetPassword: LocalizationValue;
      };
      forgotPassword: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        subtitle_email: LocalizationValue;
        subtitle_phone: LocalizationValue;
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      resetPassword: {
        title: LocalizationValue;
        formButtonPrimary: LocalizationValue;
        successMessage: LocalizationValue;
        requiredMessage: LocalizationValue;
      };
      resetPasswordMfa: {
        detailsLabel: LocalizationValue;
      };
      emailCode: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      emailLink: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
        formSubtitle: LocalizationValue;
        resendButton: LocalizationValue;
        unusedTab: {
          title: LocalizationValue;
        };
        verified: {
          title: LocalizationValue;
          subtitle: LocalizationValue;
        };
        verifiedSwitchTab: {
          subtitle: LocalizationValue;
          titleNewTab: LocalizationValue;
          subtitleNewTab: LocalizationValue;
        };
        loading: {
          title: LocalizationValue;
          subtitle: LocalizationValue;
        };
        failed: {
          title: LocalizationValue;
          subtitle: LocalizationValue;
        };
        expired: {
          title: LocalizationValue;
          subtitle: LocalizationValue;
        };
        clientMismatch: {
          title: LocalizationValue;
          subtitle: LocalizationValue;
        };
      };
      phoneCode: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      alternativePhoneCodeProvider: {
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
        subtitle: LocalizationValue;
        title: LocalizationValue<'provider'>;
      };
      emailCodeMfa: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      emailLinkMfa: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formSubtitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      newDeviceVerificationNotice: LocalizationValue;
      phoneCodeMfa: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
        resendButton: LocalizationValue;
      };
      totpMfa: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        formTitle: LocalizationValue;
      };
      backupCodeMfa: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
      };
      alternativeMethods: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        actionLink: LocalizationValue;
        actionText: LocalizationValue;
        blockButton__emailLink: LocalizationValue<'identifier'>;
        blockButton__emailCode: LocalizationValue<'identifier'>;
        blockButton__phoneCode: LocalizationValue<'identifier'>;
        blockButton__password: LocalizationValue;
        blockButton__passkey: LocalizationValue;
        blockButton__totp: LocalizationValue;
        blockButton__backupCode: LocalizationValue;
        getHelp: {
          title: LocalizationValue;
          content: LocalizationValue;
          blockButton__emailSupport: LocalizationValue;
        };
      };
      noAvailableMethods: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        message: LocalizationValue;
      };
      accountSwitcher: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
        action__addAccount: LocalizationValue;
        action__signOutAll: LocalizationValue;
      };
      enterpriseConnections: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
      };
      web3Solana: {
+       title: LocalizationValue;
+       subtitle: LocalizationValue;
+     };
+     protectCheck: {
        title: LocalizationValue;
        subtitle: LocalizationValue;
+       loading: LocalizationValue;
+       retryButton: LocalizationValue;
      };
    };
    reverification: {
// ... 1425 unchanged lines elided ...

Static analyzer: Breaking change in type alias __internal_LocalizationResource: Type changed: {locale:string;maintenanceMode:import("@clerk/shared").LocalizationValue;roles:{[r:string]:import("@clerk/shared").Loca… → {locale:string;maintenanceMode:import("@clerk/shared").LocalizationValue;roles:{[r:string]:import("@clerk/shared").Loca…

🤖 AI review (reclassified as non-breaking) (80%): __internal_LocalizationResource is used only as the source type for LocalizationResource which extends DeepPartial<DeepLocalizationWithoutObjects<__internal_LocalizationResource>>, making consumers read a DeepPartial (output/read direction); the elided diff shows 12 more lines in the after-snippet, consistent with new optional localization keys being added to a large object type, which does not break existing consumers who only read or extend a DeepPartial of it.

🟢 Additions (25)

Click to expand 25 changes

Added: ClerkAuthenticateWithWeb3Params.protectCheckUrl

+ protectCheckUrl?: string;

Added property ClerkAuthenticateWithWeb3Params.protectCheckUrl

Added: ClerkAuthenticateWithWeb3Params.signUpProtectCheckUrl

+ signUpProtectCheckUrl?: string;

Added property ClerkAuthenticateWithWeb3Params.signUpProtectCheckUrl

Added: ProtectCheckField

+ type ProtectCheckField = 'protect_check';

Added type alias ProtectCheckField

Added: ProtectCheckJSON

+ interface ProtectCheckJSON

Added interface ProtectCheckJSON

Added: ProtectCheckJSON.expires_at

+ expires_at?: number;

Added property ProtectCheckJSON.expires_at

Added: ProtectCheckJSON.sdk_url

+ sdk_url: string;

Added property ProtectCheckJSON.sdk_url

Added: ProtectCheckJSON.status

+ status: 'pending';

Added property ProtectCheckJSON.status

Added: ProtectCheckJSON.token

+ token: string;

Added property ProtectCheckJSON.token

Added: ProtectCheckJSON.ui_hints

+ ui_hints?: Record<string, string>;

Added property ProtectCheckJSON.ui_hints

Added: ProtectCheckResource

+ interface ProtectCheckResource

Added interface ProtectCheckResource

Added: ProtectCheckResource.expiresAt

+ expiresAt?: number;

Added property ProtectCheckResource.expiresAt

Added: ProtectCheckResource.sdkUrl

+ sdkUrl: string;

Added property ProtectCheckResource.sdkUrl

Added: ProtectCheckResource.status

+ status: 'pending';

Added property ProtectCheckResource.status

Added: ProtectCheckResource.token

+ token: string;

Added property ProtectCheckResource.token

Added: ProtectCheckResource.uiHints

+ uiHints?: Record<string, string>;

Added property ProtectCheckResource.uiHints

Added: SignInFutureResource.protectCheck

+ readonly protectCheck: ProtectCheckResource | null;

Added property SignInFutureResource.protectCheck

Added: SignInFutureResource.submitProtectCheck

+ submitProtectCheck: (params: {
+     proofToken: string;
+   }) => Promise<{
+     error: ClerkError | null;
+   }>;

Added property SignInFutureResource.submitProtectCheck

Added: SignInJSON.protect_check

+ protect_check?: ProtectCheckJSON | null;

Added property SignInJSON.protect_check

Added: SignInResource.protectCheck

+ protectCheck: ProtectCheckResource | null;

Added property SignInResource.protectCheck

Added: SignInResource.submitProtectCheck

+ submitProtectCheck: (params: {
+     proofToken: string;
+   }) => Promise<SignInResource>;

Added property SignInResource.submitProtectCheck

Added: SignUpFutureResource.protectCheck

+ readonly protectCheck: ProtectCheckResource | null;

Added property SignUpFutureResource.protectCheck

Added: SignUpFutureResource.submitProtectCheck

+ submitProtectCheck: (params: {
+     proofToken: string;
+   }) => Promise<{
+     error: ClerkError | null;
+   }>;

Added property SignUpFutureResource.submitProtectCheck

Added: SignUpJSON.protect_check

+ protect_check?: ProtectCheckJSON | null;

Added property SignUpJSON.protect_check

Added: SignUpResource.protectCheck

+ protectCheck: ProtectCheckResource | null;

Added property SignUpResource.protectCheck

Added: SignUpResource.submitProtectCheck

+ submitProtectCheck: (params: {
+     proofToken: string;
+   }) => Promise<SignUpResource>;

Added property SignUpResource.submitProtectCheck

Subpath ./internal/clerk-js/constants

🟡 Non-breaking Changes (1)

Modified: ERROR_CODES

// ... 21 unchanged lines elided ...
    readonly CAPTCHA_INVALID: "captcha_invalid";
    readonly FRAUD_DEVICE_BLOCKED: "device_blocked";
    readonly FRAUD_ACTION_BLOCKED: "action_blocked";
+   readonly PROTECT_CHECK_ALREADY_RESOLVED: "protect_check_already_resolved";
+   readonly PROTECT_CHECK_TIMED_OUT: "protect_check_timed_out";
+   readonly PROTECT_CHECK_UNSUPPORTED_ENVIRONMENT: "protect_check_unsupported_environment";
    readonly SIGNUP_RATE_LIMIT_EXCEEDED: "signup_rate_limit_exceeded";
    readonly USER_BANNED: "user_banned";
    readonly USER_DEACTIVATED: "user_deactivated";
// ... 1 unchanged line elided ...

Static analyzer: Breaking change in variable ERROR_CODES: Type changed: {readonly FORM_IDENTIFIER_NOT_FOUND:"form_identifier_not_found";readonly FORM_PASSWORD_INCORRECT:"form_password_incorre… → {readonly FORM_IDENTIFIER_NOT_FOUND:"form_identifier_not_found";readonly FORM_PASSWORD_INCORRECT:"form_password_incorre…

🤖 AI review (reclassified as non-breaking) (95%): Three new readonly properties (PROTECT_CHECK_ALREADY_RESOLVED, PROTECT_CHECK_TIMED_OUT, PROTECT_CHECK_UNSUPPORTED_ENVIRONMENT) were added to ERROR_CODES; no existing properties were removed or renamed, so consumers reading any previously-existing key are unaffected.

Subpath ./internal/clerk-js/protectCheck

🟢 Additions (1)

Added: ./internal/clerk-js/protectCheck

New subpath export ./internal/clerk-js/protectCheck (3 exported members)

---

@clerk/clerk-js

Current version: 6.21.0
Recommended bump: MINOR → 6.22.0

Subpath .

🟡 Non-breaking Changes (1)

Modified: Clerk.authenticateWithWeb3

- authenticateWithWeb3: ({ redirectUrl, signUpContinueUrl, customNavigate, unsafeMetadata, strategy, legalAccepted, secondFactorUrl, walletName, }: ClerkAuthenticateWithWeb3Params) => Promise<void>;
+ authenticateWithWeb3: ({ redirectUrl, signUpContinueUrl, customNavigate, unsafeMetadata, strategy, legalAccepted, secondFactorUrl, protectCheckUrl, signUpProtectCheckUrl, walletName, }: ClerkAuthenticateWithWeb3Params) => Promise<void>;

Static analyzer: Breaking change in property Clerk.authenticateWithWeb3: Type changed: ({redirectUrl,signUpContinueUrl,customNavigate,unsafeMetadata,strategy,legalAccepted,secondFactorUrl,walletName,}:impor… → ({redirectUrl,signUpContinueUrl,customNavigate,unsafeMetadata,strategy,legalAccepted,secondFactorUrl,protectCheckUrl,si…

🤖 AI review (reclassified as non-breaking) (85%): The change only adds new optional parameters (protectCheckUrl, signUpProtectCheckUrl) to the destructured ClerkAuthenticateWithWeb3Params input type; existing callers omitting these parameters continue to compile and run correctly, as adding optional input parameters is non-breaking.

Subpath ./no-rhc

🟡 Non-breaking Changes (1)

Modified: Clerk.authenticateWithWeb3

- authenticateWithWeb3: ({ redirectUrl, signUpContinueUrl, customNavigate, unsafeMetadata, strategy, legalAccepted, secondFactorUrl, walletName, }: ClerkAuthenticateWithWeb3Params) => Promise<void>;
+ authenticateWithWeb3: ({ redirectUrl, signUpContinueUrl, customNavigate, unsafeMetadata, strategy, legalAccepted, secondFactorUrl, protectCheckUrl, signUpProtectCheckUrl, walletName, }: ClerkAuthenticateWithWeb3Params) => Promise<void>;

Static analyzer: Breaking change in property Clerk.authenticateWithWeb3: Type changed: ({redirectUrl,signUpContinueUrl,customNavigate,unsafeMetadata,strategy,legalAccepted,secondFactorUrl,walletName,}:impor… → ({redirectUrl,signUpContinueUrl,customNavigate,unsafeMetadata,strategy,legalAccepted,secondFactorUrl,protectCheckUrl,si…

🤖 AI review (reclassified as non-breaking) (85%): The change only adds new optional destructured parameters (protectCheckUrl, signUpProtectCheckUrl) to the function's input type ClerkAuthenticateWithWeb3Params; existing callers passing the same arguments continue to compile and run correctly, as adding optional input properties is non-breaking.

---

Report generated by Break Check

_{Last ran on 3963323.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/ui/src/components/SignIn/shared.ts (1)

44-84: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Complete the useCallback dependency array.

The callback captures multiple values—authenticateWithPasskey, navigate, protectCheckPath, setActive, navigateOnSetActive, afterSignInUrl, supportEmail, onSecondFactor, and card.setError—but declares no dependencies. This creates a stale-closure risk: if any of those values change, the callback continues using the old values.

🔧 Suggested fix

-  }, []);
+  }, [authenticateWithPasskey, navigate, protectCheckPath, setActive, navigateOnSetActive, afterSignInUrl, supportEmail, onSecondFactor, card]);

Note: Include card instead of card.setError to satisfy exhaustive-deps; the setError method is stable within the card object's lifetime.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/SignIn/shared.ts` around lines 44 - 84, The
useCallback returned function closes over many external values but currently has
an empty dependency array, causing stale closures; update the dependency array
for the callback returned by the hook to include authenticateWithPasskey,
navigate, protectCheckPath, setActive, navigateOnSetActive, afterSignInUrl,
supportEmail, onSecondFactor, and card (use card instead of card.setError per
exhaustive-deps guidance) so the callback updates when any of these change;
locate the useCallback invocation in this file (the function that calls
authenticateWithPasskey and uses navigateOnSignInProtectGate, setActive,
navigateOnSetActive, afterSignInUrl, supportEmail, onSecondFactor, and
card.setError) and add those symbols to its dependency array.

🧹 Nitpick comments (5)

packages/shared/src/types/signUp.ts (1)

52-52: ⚡ Quick win

Document new public protect-check members on SignUpResource.

protectCheck and submitProtectCheck are new public API members but currently have no JSDoc here. Please add concise docs (including expected behavior/params/return), and flag for Docs-team visibility since this can affect generated reference docs.

As per coding guidelines, public/reference-facing API changes should include accurate JSDoc and may require docs review.

Also applies to: 109-109

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/shared/src/types/signUp.ts` at line 52, The SignUpResource public
API has new members protectCheck and submitProtectCheck but lacks JSDoc; add
concise JSDoc blocks for both on the SignUpResource type describing purpose,
parameters, return types (e.g., ProtectCheckResource | null for protectCheck and
args/response shape for submitProtectCheck), expected behavior (when null is
returned or when submitProtectCheck should be called), and any errors thrown;
include a docs-team visibility tag or comment to flag this change for generated
reference docs review so it’s captured by the documentation pipeline.

Source: Coding guidelines

packages/shared/src/internal/clerk-js/protectCheck.ts (1)

100-102: 💤 Low value

Consider documenting the webpack magic comment.

The /* webpackIgnore: true */ comment prevents webpack from attempting to bundle this runtime-determined dynamic import. While this is necessary, it's not immediately obvious why. Consider adding a brief inline comment explaining this is required because the URL is determined at runtime from the server response.

Suggested documentation

   let mod: Record<string, unknown>;
   try {
+    // webpackIgnore prevents webpack from trying to bundle this runtime-determined import
     mod = await import(/* webpackIgnore: true */ validated.toString());
   } catch (err) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/shared/src/internal/clerk-js/protectCheck.ts` around lines 100 -
102, Add a brief inline comment explaining why the webpack magic comment is used
on the dynamic import: annotate the line containing "mod = await import(/*
webpackIgnore: true */ validated.toString());" (or immediately above it) to
state that webpackIgnore:true is required because the import URL is determined
at runtime from the server response and must not be bundled or rewritten by the
bundler; keep the comment short and focused.

packages/shared/src/internal/clerk-js/completeSignUpFlow.ts (1)

44-46: 💤 Low value

Clarify comment wording.

The comment states "The protect_check field is the authoritative gating signal" but then immediately treats both the protectCheck field and the missingFields entry as equivalent via ||. Consider rewording to avoid the implication that one is more authoritative than the other.

Suggested rewording

-    // The protect_check field is the authoritative gating signal. Sign-up also surfaces it
-    // via a missing_fields entry; treat either as equivalent.
+    // Protect-check gating is signaled by either the `protectCheck` resource field or a
+    // `protect_check` entry in `missingFields`; treat both as equivalent.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/shared/src/internal/clerk-js/completeSignUpFlow.ts` around lines 44
- 46, Update the comment above the isProtectGated computation to remove the
implication that one signal is "authoritative" since the code treats
signUp.protectCheck and signUp.missingFields equivalently; reword to explain
that protect_check can be present either as protectCheck or as an entry in
missingFields and both should be treated the same (referencing
signUp.protectCheck, signUp.missingFields, and the isProtectGated boolean) so
the comment accurately reflects the logic.

packages/ui/src/components/SignIn/SignInProtectCheck.tsx (1)

33-56: 💤 Low value

Consider adding an explicit return type to navigateNext.

The function's return type (Promise<unknown>) is easily inferred, but adding it explicitly aligns with the TypeScript coding guideline: "Always define explicit return types for functions."

📝 Suggested addition

-function navigateNext(signIn: SignInResource, navigate: (to: string) => Promise<unknown>) {
+function navigateNext(signIn: SignInResource, navigate: (to: string) => Promise<unknown>): Promise<unknown> {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/SignIn/SignInProtectCheck.tsx` around lines 33 -
56, Add an explicit return type to the navigateNext function signature to
satisfy the TypeScript guideline; update the declaration of navigateNext(signIn:
SignInResource, navigate: (to: string) => Promise<unknown>) to include an
explicit return type (e.g., : Promise<unknown> or a more specific Promise<void>
if appropriate) so the function signature clearly documents its async/navigation
return contract.

packages/ui/src/components/SignIn/handleProtectCheck.ts (1)

28-38: ⚡ Quick win

Add error handling for the navigation call.

The voided navigate() call on line 34 silently ignores promise rejections. If navigation fails (rare, but possible with route guards or malformed paths), the function returns true, the caller stops processing, but the user remains stranded on the current screen with no error message or recovery path.

Add a .catch() handler to log the error or surface feedback to the user:

-    void navigate(protectCheckPath);
+    navigate(protectCheckPath).catch(err => {
+      console.error('Protect check navigation failed:', err);
+    });

Consider whether to return false on navigation failure so the caller can continue with status-based routing, or surface the error to the user.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/SignIn/handleProtectCheck.ts` around lines 28 -
38, The navigateOnSignInProtectGate function currently voids the
navigate(protectCheckPath) promise which discards rejections; update it to
attach a .catch handler to the returned promise (from navigate) to log the error
(using the app logger or console.error) and surface user feedback if available,
and on navigation failure return false so the caller can continue processing;
specifically modify navigateOnSignInProtectGate to call
navigate(protectCheckPath).catch(err => { /* log and surface error */ }) and
ensure the function returns false when the catch handler runs instead of
returning true unconditionally.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/clerk-js/src/core/clerk.ts`:
- Around line 2853-2859: The guard that skips navigateToSignInProtectCheck when
viaSignUp is true causes a protect-gated fallback from
signIn.authenticateWithWeb3() -> signUp.authenticateWithWeb3() to leave the user
stranded; update the logic around the signInOrSignUp check so that if
signInOrSignUp.protectCheck is true or signInOrSignUp.status ===
'needs_protect_check' you always call await navigateToSignInProtectCheck()
(regardless of viaSignUp) before returning, and ensure the subsequent status
switch handles a missing_requirements case if applicable; also add a regression
test that simulates identifier_not_found leading to
signUp.authenticateWithWeb3() which returns protectCheck, asserting that
navigateToSignInProtectCheck() is invoked and the flow does not remain on the
wallet step.

In `@packages/clerk-js/src/core/resources/SignUp.ts`:
- Around line 1176-1183: Add a JSDoc block above the public method
submitProtectCheck on SignUpFutureResource (in SignUp.ts) describing what the
method does, the params shape (params: { proofToken: string }), the return type
(Promise<{ error: ClerkError | null }>), and a short usage example showing
awaiting the call and handling the error; ensure the JSDoc includes `@param` and
`@returns` annotations and a brief one-line description of the method's behavior.
- Around line 200-206: Add a JSDoc comment for the public method
SignUp.submitProtectCheck describing the purpose, parameters, return type, and a
short usage example; specifically document the params object with proofToken:
string, indicate it returns Promise<SignUpResource>, and include a brief example
like const updatedSignUp = await signUp.submitProtectCheck({ proofToken:
'proof_...' }); Place the JSDoc immediately above the submitProtectCheck method
so it appears in generated reference docs.

In `@packages/ui/src/components/SignIn/shared.ts`:
- Around line 26-29: Add an explicit return type to the exported function
useHandleAuthenticateWithPasskey: change its signature to annotate the return as
the callback type returned by useCallback, i.e. (...args: Parameters<typeof
authenticateWithPasskey>) => Promise<void>; ensure the annotation is placed on
the function declaration for useHandleAuthenticateWithPasskey and references
authenticateWithPasskey for the Parameters<> utility so the exported function
complies with the coding guideline.

---

Outside diff comments:
In `@packages/ui/src/components/SignIn/shared.ts`:
- Around line 44-84: The useCallback returned function closes over many external
values but currently has an empty dependency array, causing stale closures;
update the dependency array for the callback returned by the hook to include
authenticateWithPasskey, navigate, protectCheckPath, setActive,
navigateOnSetActive, afterSignInUrl, supportEmail, onSecondFactor, and card (use
card instead of card.setError per exhaustive-deps guidance) so the callback
updates when any of these change; locate the useCallback invocation in this file
(the function that calls authenticateWithPasskey and uses
navigateOnSignInProtectGate, setActive, navigateOnSetActive, afterSignInUrl,
supportEmail, onSecondFactor, and card.setError) and add those symbols to its
dependency array.

---

Nitpick comments:
In `@packages/shared/src/internal/clerk-js/completeSignUpFlow.ts`:
- Around line 44-46: Update the comment above the isProtectGated computation to
remove the implication that one signal is "authoritative" since the code treats
signUp.protectCheck and signUp.missingFields equivalently; reword to explain
that protect_check can be present either as protectCheck or as an entry in
missingFields and both should be treated the same (referencing
signUp.protectCheck, signUp.missingFields, and the isProtectGated boolean) so
the comment accurately reflects the logic.

In `@packages/shared/src/internal/clerk-js/protectCheck.ts`:
- Around line 100-102: Add a brief inline comment explaining why the webpack
magic comment is used on the dynamic import: annotate the line containing "mod =
await import(/* webpackIgnore: true */ validated.toString());" (or immediately
above it) to state that webpackIgnore:true is required because the import URL is
determined at runtime from the server response and must not be bundled or
rewritten by the bundler; keep the comment short and focused.

In `@packages/shared/src/types/signUp.ts`:
- Line 52: The SignUpResource public API has new members protectCheck and
submitProtectCheck but lacks JSDoc; add concise JSDoc blocks for both on the
SignUpResource type describing purpose, parameters, return types (e.g.,
ProtectCheckResource | null for protectCheck and args/response shape for
submitProtectCheck), expected behavior (when null is returned or when
submitProtectCheck should be called), and any errors thrown; include a docs-team
visibility tag or comment to flag this change for generated reference docs
review so it’s captured by the documentation pipeline.

In `@packages/ui/src/components/SignIn/handleProtectCheck.ts`:
- Around line 28-38: The navigateOnSignInProtectGate function currently voids
the navigate(protectCheckPath) promise which discards rejections; update it to
attach a .catch handler to the returned promise (from navigate) to log the error
(using the app logger or console.error) and surface user feedback if available,
and on navigation failure return false so the caller can continue processing;
specifically modify navigateOnSignInProtectGate to call
navigate(protectCheckPath).catch(err => { /* log and surface error */ }) and
ensure the function returns false when the catch handler runs instead of
returning true unconditionally.

In `@packages/ui/src/components/SignIn/SignInProtectCheck.tsx`:
- Around line 33-56: Add an explicit return type to the navigateNext function
signature to satisfy the TypeScript guideline; update the declaration of
navigateNext(signIn: SignInResource, navigate: (to: string) => Promise<unknown>)
to include an explicit return type (e.g., : Promise<unknown> or a more specific
Promise<void> if appropriate) so the function signature clearly documents its
async/navigation return contract.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: f20032a1-6063-45e7-932e-d891e6a37b1e

📥 Commits

Reviewing files that changed from the base of the PR and between be44bae and dba89a2.

📒 Files selected for processing (52)

• .changeset/protect-check-support.md
• packages/clerk-js/src/core/__tests__/clerk.test.ts
• packages/clerk-js/src/core/clerk.ts
• packages/clerk-js/src/core/resources/SignIn.ts
• packages/clerk-js/src/core/resources/SignUp.ts
• packages/clerk-js/src/core/resources/__tests__/SignIn.test.ts
• packages/clerk-js/src/core/resources/__tests__/SignUp.test.ts
• packages/localizations/src/en-US.ts
• packages/react/src/stateProxy.ts
• packages/shared/src/internal/clerk-js/__tests__/completeSignUpFlow.test.ts
• packages/shared/src/internal/clerk-js/__tests__/protectCheck.test.ts
• packages/shared/src/internal/clerk-js/completeSignUpFlow.ts
• packages/shared/src/internal/clerk-js/constants.ts
• packages/shared/src/internal/clerk-js/protectCheck.ts
• packages/shared/src/types/clerk.ts
• packages/shared/src/types/json.ts
• packages/shared/src/types/localization.ts
• packages/shared/src/types/signIn.ts
• packages/shared/src/types/signInCommon.ts
• packages/shared/src/types/signInFuture.ts
• packages/shared/src/types/signUp.ts
• packages/shared/src/types/signUpCommon.ts
• packages/shared/src/types/signUpFuture.ts
• packages/ui/src/common/EmailLinkVerify.tsx
• packages/ui/src/components/SignIn/ResetPassword.tsx
• packages/ui/src/components/SignIn/SignInFactorOneAlternativeChannelCodeForm.tsx
• packages/ui/src/components/SignIn/SignInFactorOneCodeForm.tsx
• packages/ui/src/components/SignIn/SignInFactorOneEmailLinkCard.tsx
• packages/ui/src/components/SignIn/SignInFactorOnePasswordCard.tsx
• packages/ui/src/components/SignIn/SignInFactorOneSolanaWalletsCard.tsx
• packages/ui/src/components/SignIn/SignInFactorTwoBackupCodeCard.tsx
• packages/ui/src/components/SignIn/SignInFactorTwoCodeForm.tsx
• packages/ui/src/components/SignIn/SignInProtectCheck.tsx
• packages/ui/src/components/SignIn/SignInSocialButtons.tsx
• packages/ui/src/components/SignIn/SignInStart.tsx
• packages/ui/src/components/SignIn/__tests__/SignInProtectCheck.test.tsx
• packages/ui/src/components/SignIn/handleCombinedFlowTransfer.ts
• packages/ui/src/components/SignIn/handleProtectCheck.ts
• packages/ui/src/components/SignIn/index.tsx
• packages/ui/src/components/SignIn/lazy-sign-up.ts
• packages/ui/src/components/SignIn/shared.ts
• packages/ui/src/components/SignUp/SignUpContinue.tsx
• packages/ui/src/components/SignUp/SignUpEmailLinkCard.tsx
• packages/ui/src/components/SignUp/SignUpProtectCheck.tsx
• packages/ui/src/components/SignUp/SignUpStart.tsx
• packages/ui/src/components/SignUp/SignUpVerificationCodeForm.tsx
• packages/ui/src/components/SignUp/__tests__/SignUpProtectCheck.test.tsx
• packages/ui/src/components/SignUp/index.tsx
• packages/ui/src/elements/contexts/index.tsx
• packages/ui/src/hooks/useProtectCheckRunner.ts
• packages/ui/src/test/fixture-helpers.ts
• references/mosaic-architecture.md

[Ephem]

@zourzouvillys Alright, that makes it clearer, thanks! Some follow up questions.

the server emits it only behind a feature gate

So if a customer is currently using a custom flow and not handling it, flipping that feature gate is the potential breaking change? I'm guessing we do that pretty intentionally though so doesn't seem like a problem, just something to be aware of.

The one surface is strict-TypeScript consumers with an exhaustive switch (signIn.status), who'll get a new unhandled-branch hint

So some small subset of users might perceive this as a breaking change if they see that? This part of the changeset kinda explains it: "surfaced when the server-side SDK-version gate is enabled", but it's not entirely clear that's something we only enable in dialogue with the customer, so might be worth adding some extra clarity there that this is not something we'll turn on randomly. If I see that TS hint after an upgrade I might go to the changeset and will want to know what to do. Could maybe include info in the typedoc too if there is none already (didn't check)?

That's just a small NIT though. 😄

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/ui/src/components/SignIn/__tests__/SignInFactorOne.test.tsx`:
- Around line 110-136: Test fixture mismatch: the test sets up an email/password
user via withEmailAddress() and withPassword() but then starts a phone-number
sign-in with f.startSignInWithPhoneNumber(...), which is inconsistent and can
cause flakiness; update the fixture to start an email sign-in instead (e.g.,
replace f.startSignInWithPhoneNumber({ supportPassword: true }) with the
corresponding email flow call such as f.startSignInWithEmailAddress({
supportPassword: true }) or alternatively remove
withEmailAddress()/withPassword() if you intend to test phone sign-in) so the
created user fixtures and the started sign-in method (referenced in this test
around createFixtures and SignInFactorOne) match.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 33c86caf-00aa-4fa8-91aa-dde663fa0259

📥 Commits

Reviewing files that changed from the base of the PR and between b745323 and 03b90bb.

📒 Files selected for processing (2)

• packages/ui/src/components/SignIn/__tests__/SignInFactorOne.test.tsx
• packages/ui/src/components/SignIn/__tests__/handleProtectCheck.test.ts

[zourzouvillys]

@Ephem Yep, exactly right — the npm upgrade itself is type-only. The runtime change only ever happens when Protect mid-flow challenges are explicitly enabled for an instance: it's currently behind a flag and not enabled for existing instances, so nothing turns on by itself. There's a second layer too — the server only emits the new status value to SDK versions that understand it, so older clients never receive an unknown status either way.

Good call on the changeset — "surfaced when the server-side SDK-version gate is enabled" didn't really tell an upgrading user what they needed to know. Pushed c2795e4:

• Changeset now says explicitly: upgrading is type-only, the feature is off by default and must be explicitly enabled per instance, and if an exhaustive switch on signIn.status flags the new value, handle it via protectCheck + submitProtectCheck() (the prebuilt components do it automatically).
• Typedoc: there was some on protectCheck/submitProtectCheck but nothing on the status itself — added 'needs_protect_check' to the documented SignInStatus list and put the same "only when explicitly enabled for the instance; upgrading alone doesn't enable it" note on the status/protectCheck properties and ProtectCheckResource.

[Ephem]

@zourzouvillys Sounds great, thanks! 🙏