feat(eslint-plugin): Resolve globs relative to the project root instead of /app#8942

Open
Ephem wants to merge 4 commits into main from fredrik/eslint-plugin-path-matching

Ephem (Member) commented Jun 22, 2026

Description

The previous glob pattern behavior was that patterns resolved from app/, and not from the project root. This had two downsides:

  • Patterns like public: ['src/app/sign-in/**'] would fail
    • This is how ESLint resolves paths, so it was a very natural thing to write and expect to work
  • Server Functions can live outside app/ and we still want to protect them

This PR makes a breaking change (but in a minor pre-stable version) to always anchor to the project root instead, and changes the default pattern in the Readme to protected: ['**'] to include Server Functions. The reason it's breaking is that you now have to specify src/ if that's what your project is using.

The PR also expands the Readme with some more details and specifics, including on public-first patterns and monorepo setups.

The rule still only checks page.jsx, route.js etc if the file is inside of an src/app/ or app/ folder.

I also included some extra validation for the path patterns provided via the config.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Documentation
    • Updated configuration examples and guidance for protected/public glob patterns.
    • Added monorepo setup instructions explaining how to use rootDir, including separate vs single top-level ESLint configs.
  • Bug Fixes
    • protected/public glob matching now behaves as project-root-relative (with notes for src/app layouts).
    • Improved validation for invalid protected/public/mixedScopeLayouts patterns and App Router file classification.
  • Tests
    • Expanded unit test coverage for App Router path utilities and rule behavior.

changeset-bot Bot commented Jun 22, 2026

🦋 Changeset detected

Latest commit: cc25b29

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@clerk/eslint-plugin Minor

coderabbitai Bot (Contributor) commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c41f2ab and cc25b29.

📒 Files selected for processing (4)
  • packages/eslint-plugin/src/next/__tests__/file-info.test.ts
  • packages/eslint-plugin/src/next/__tests__/require-auth-protection.test.ts
  • packages/eslint-plugin/src/next/lib/file-info.ts
  • packages/eslint-plugin/src/next/require-auth-protection.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/eslint-plugin/src/next/__tests__/file-info.test.ts
  • packages/eslint-plugin/src/next/lib/file-info.ts

Walkthrough

The require-auth-protection ESLint rule's glob matching for protected/public patterns is changed from app/-relative to project-root-relative. getRelativeFolder is rewritten to compute POSIX paths from rootDir, two new helpers (isUnderAppRouterRoot, getAppRouterFileKind) classify App Router roots and resources, the rule is updated to use them with new path pattern validation, and docs and tests are updated throughout.

Changes

Project-relative glob matching for require-auth-protection

Layer, file(s) and summary:

  • Rewritten getRelativeFolder and new App Router helpers
    • File(s): packages/eslint-plugin/src/next/lib/file-info.ts
    • Summary: getRelativeFolder now computes a POSIX-relative path from rootDir, returning null when rootDir is absent or the file escapes it. New exports isUnderAppRouterRoot and getAppRouterFileKind detect App Router roots and classify resource file types.
  • Unit tests for file-info helpers
    • File(s): packages/eslint-plugin/src/next/__tests__/file-info.test.ts
    • Summary: getRelativeFolder tests are rewritten for project-root-relative behavior, src/app preservation, null edge cases, and Windows separator handling. New suites cover isUnderAppRouterRoot and getAppRouterFileKind classification.
  • Rule wiring with path pattern validation
    • File(s): packages/eslint-plugin/src/next/require-auth-protection.ts
    • Summary: Imports replace getFileKind with getAppRouterFileKind; the rule's create function calls getAppRouterFileKind(filename, folder) to derive resource kinds and validates protected/public path patterns via new validatePathPatterns() helper. rootDir option comment is reformatted.
  • Integration tests with rootDir and project-relative globs
    • File(s): packages/eslint-plugin/src/next/__tests__/require-auth-protection.test.ts, packages/eslint-plugin/src/next/__tests__/require-auth-protection.suggestions.test.ts
    • Summary: Shared config switches to protected: ['**'] and adds rootDir: projectRoot. New valid/invalid cases cover src/app projects, pages outside the App Router, and server functions under protected: ['**']. Schema validation tests reject invalid path patterns, verify rule-id-prefixed errors, and enforce mixedScopeLayouts path-separator rules.
  • README and changeset
    • File(s): packages/eslint-plugin/README.md, .changeset/eslint-plugin-project-relative-paths.md
    • Summary: README updates all glob examples to src/app/... and ** patterns, revises the options table to clarify project-root-relative matching, adds a Monorepo setups section with rootDir configuration, and updates fixAuthProtection examples. Changeset documents the minor release and breaking-change note for src/app/ users.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 A hop through the paths, now rooted at the start,
No more app/ anchor to play the clever part.
src/app and plain app, both properly detected,
Our globs now find their home, correctly redirected.
With rootDir in hand, the monorepo stands tall—
One fuzzy ** pattern, and it covers them all! 🌿

Suggested reviewers

  • jacekradko

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: modifying glob pattern resolution to use the project root instead of the /app directory, which aligns with the PR's primary objective.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

pkg-pr-new Bot commented Jun 22, 2026

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8942

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8942

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8942

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8942

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8942

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8942

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8942

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8942

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8942

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8942

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8942

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8942

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8942

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8942

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8942

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8942

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8942

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8942

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8942

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8942

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8942

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8942

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8942

commit: cc25b29

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/eslint-plugin/src/next/__tests__/file-info.test.ts`:
- Around line 39-56: Add a new test case to cover the edge case where a file is
within the project root but the folder name starts with `..` (e.g.,
`/proj/..internal/actions.ts`). The test should verify that getRelativeFolder
correctly returns the project-relative folder path (`..internal`) rather than
null, ensuring that the function distinguishes between paths that are truly
outside the root versus paths with unusual but valid folder names that contain
`..` as part of the directory name.

In `@packages/eslint-plugin/src/next/lib/file-info.ts`:
- Around line 33-35: The condition in the file-info.ts file that checks
`rel.startsWith('..')` is too broad and incorrectly rejects valid in-root paths
that happen to start with two dots (like `..internal/foo.ts`). Modify the check
to specifically detect actual parent directory traversal by checking for `..`
followed by a path separator (forward slash `/` or backslash `\`) instead of
just checking if the relative path starts with `..`.
📥 Commits

Reviewing files that changed from the base of the PR and between 7e3174a and c41f2ab.

📒 Files selected for processing (7)
  • .changeset/eslint-plugin-project-relative-paths.md
  • packages/eslint-plugin/README.md
  • packages/eslint-plugin/src/next/__tests__/file-info.test.ts
  • packages/eslint-plugin/src/next/__tests__/require-auth-protection.suggestions.test.ts
  • packages/eslint-plugin/src/next/__tests__/require-auth-protection.test.ts
  • packages/eslint-plugin/src/next/lib/file-info.ts
  • packages/eslint-plugin/src/next/require-auth-protection.ts

Comment thread packages/eslint-plugin/src/next/__tests__/file-info.test.ts
Comment thread packages/eslint-plugin/src/next/lib/file-info.ts Outdated
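
The containment question raised in the review above, as an added example that is not the plugin's code: `projectRelativeFolder`, `toSegments`, both `escapes*` checks and every sample path are hypothetical stand-ins for the behaviour described for getRelativeFolder. It assumes absolute, case-sensitive paths and uses plain string handling so that POSIX and Windows separators behave the same; a file wrongly classified as outside the root yields null instead of a folder to match against the protected/public globs.

```javascript
// Added example, not the plugin's code. All names and paths here are constructed.

// Split a path into POSIX segments, resolving "." and ".." lexically.
function toSegments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return out;
}

// Folder of `filename` relative to `rootDir` as a POSIX path, or null when
// rootDir is absent or the file lies outside it (hypothetical helper).
function projectRelativeFolder(filename, rootDir) {
  if (!rootDir) return null;
  const root = toSegments(rootDir);
  const file = toSegments(filename);
  if (file.length <= root.length) return null;
  // Compare whole segments, so "/proj-old" is not treated as inside "/proj".
  for (let i = 0; i < root.length; i++) {
    if (file[i] !== root[i]) return null;
  }
  return file.slice(root.length, -1).join('/');
}

// The check flagged in review: a string-prefix test on the relative path.
const escapesByPrefix = rel => rel.startsWith('..');
// Narrowed check: ".." counts only as a complete leading segment.
const escapesBySegment = rel =>
  rel === '..' || rel.startsWith('../') || rel.startsWith('..\\');

// Constructed sample inputs: [filename, rootDir].
const SAMPLES = [
  ['/proj/src/app/sign-in/page.tsx', '/proj'],
  ['/proj/..internal/actions.ts', '/proj'],
  ['/proj/../other/actions.ts', '/proj'],
  ['/proj-old/app/page.tsx', '/proj'],
  ['C:\\proj\\src\\app\\page.tsx', 'C:\\proj'],
];

for (const [file, root] of SAMPLES) {
  console.log(file, '->', projectRelativeFolder(file, root));
}
console.log(escapesByPrefix('..internal/actions.ts'), escapesBySegment('..internal/actions.ts'));
```
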