tRPC Guidelines
Authentication
All authenticated procedures verify Ed25519 signatures:
- •Verify signature matches pubkeyHash
- •Verify timestamp is recent (prevent replay)
- •Verify message matches request
Patterns
Router:
typescript
export const vaultRouter = router({
create: authedProcedure
.input(createVaultSchema)
.mutation(async ({ ctx, input }) => { ... }),
});
Schema:
typescript
export const createVaultSchema = z.object({
name: z.string().min(1).max(100),
encryptedSnapshot: z.string(),
wrappedKey: z.string(),
});
Critical Rules
- •Never trust client data - always validate with Zod
- •Never store unencrypted data - all sensitive data comes pre-encrypted
- •Verify signatures - every mutation must be signed
- •Check permissions - verify user has vault access
- •Use transactions - wrap multi-step operations
Error Handling
typescript
throw new TRPCError({
code: "NOT_FOUND", // or "FORBIDDEN"
message: "Vault not found",
});