route-handlers
Pattern for adding a server Route Handler under app/api/** — origin check, zod body, server-only deps, safe responses.
| name | route-handlers |
| description | Pattern for adding a server Route Handler under app/api/** — origin check, zod body, server-only deps, safe responses. |
Every new file under `app/api/**/route.ts` follows the same shape:

- `import "server-only"` is implicit (Route Handlers run on the server), but any helper they import from `lib/{shopify,auth,env}` MUST start with `import "server-only"`.
- Mutating methods (`POST`, `PUT`, `PATCH`, `DELETE`) MUST call `verifySameOrigin(req)` from `lib/auth/csrf` before doing anything else. Return 403 on failure.
- Validate the request body with a `zod` schema. On `safeParse` failure return 400 with a generic message — never echo the raw error to the client.
- Use `await cookies()` / `await headers()` (Next 16 — they are async).
- Webhooks (`app/api/webhooks/**`): read the raw body as text, `crypto.timingSafeEqual` the HMAC against `SHOPIFY_WEBHOOK_SECRET`, THEN `JSON.parse`.
- Never log `Authorization`, `Set-Cookie`, tokens, or anything matching `/token|secret|password|cookie/i`. Never return tokens in JSON responses.
- Set cookies `HttpOnly`, `SameSite=Lax`, `Secure` in production, and encrypt sensitive payloads with `jose` using `SESSION_SECRET`.
- Call `revalidateTag(tag, "max")` after Shopify mutations that affect cached reads (cart, customer, product).

See `app/api/cart/route.ts` and `app/api/webhooks/shopify/route.ts` for canonical examples.
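The webhook rule above (raw body, constant-time HMAC compare, then parse) as an added sketch; it is not the repository's `app/api/webhooks/shopify/route.ts`. Assumptions: the signature arrives base64-encoded in Shopify's `X-Shopify-Hmac-Sha256` header, `verifyAndParse` and `signBody` are hypothetical names, and the 401 status for a bad signature is a choice the page does not specify.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: header carries base64(HMAC-SHA256(rawBody, secret)).
const HMAC_HEADER = "x-shopify-hmac-sha256";

type WebhookResult = { status: number; payload?: unknown };

// Hypothetical helper: authenticate the exact bytes received, parse only afterwards.
export function verifyAndParse(
  rawBody: string,
  hmacHeader: string | null,
  secret: string,
): WebhookResult {
  // Fail closed on a missing header or an unset secret.
  if (!hmacHeader || !secret) return { status: 401 };
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const received = Buffer.from(hmacHeader, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return { status: 401 };
  }
  try {
    return { status: 200, payload: JSON.parse(rawBody) };
  } catch {
    return { status: 400 }; // authentic but malformed; no parser detail leaks out
  }
}

// Route Handler wrapper: req.text(), not req.json(), because re-serialised
// JSON is not byte-identical to what the sender signed.
export async function POST(req: Request): Promise<Response> {
  const rawBody = await req.text();
  const secret = process.env.SHOPIFY_WEBHOOK_SECRET ?? "";
  const result = verifyAndParse(rawBody, req.headers.get(HMAC_HEADER), secret);
  if (result.status !== 200) {
    return new Response("Invalid request", { status: result.status }); // generic message
  }
  // Handle result.payload here, then revalidate any affected cache tags.
  return new Response(null, { status: 200 });
}

// Constructed helper for local tests only: produces the header value a sender would attach.
export function signBody(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("base64");
}
```
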