How Tanstack Start fits into a Paperclip company.

Tanstack Start drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md543 linesmarkdown
Expand
1---2name: tanstack-start3description: "Build a full-stack TanStack Start app on Cloudflare Workers from scratch — SSR, file-based routing, server functions, D1+Drizzle, better-auth, Tailwind v4+shadcn/ui. No template repo — Claude generates every file fresh per project."4compatibility: claude-code-only5---6 7# TanStack Start on Cloudflare8 9Build a complete full-stack app from nothing. Claude generates every file — no template clone, no scaffold command. Each project gets exactly what it needs.10 11## What You Get12 13| Layer | Technology |14|-------|-----------|15| Framework | TanStack Start v1 (SSR, file-based routing, server functions) |16| Frontend | React 19, Tailwind v4, shadcn/ui |17| Backend | Server functions (via Nitro on Cloudflare Workers) |18| Database | D1 + Drizzle ORM |19| Auth | better-auth (Google OAuth + email/password) |20| Deployment | Cloudflare Workers |21 22## Project File Tree23 24```25PROJECT_NAME/26├── src/27│   ├── routes/28│   │   ├── __root.tsx              # Root layout (HTML shell, theme, CSS import)29│   │   ├── index.tsx               # Landing / auth redirect30│   │   ├── login.tsx               # Login page31│   │   ├── register.tsx            # Register page32│   │   ├── _authed.tsx             # Auth guard layout route33│   │   ├── _authed/34│   │   │   ├── dashboard.tsx       # Dashboard with stat cards35│   │   │   ├── items.tsx           # Items list table36│   │   │   ├── items.$id.tsx       # Edit item37│   │   │   └── items.new.tsx       # Create item38│   │   └── api/39│   │       └── auth/40│   │           └── $.ts            # better-auth API catch-all41│   ├── components/42│   │   ├── ui/                     # shadcn/ui components (auto-installed)43│   │   ├── app-sidebar.tsx         # Navigation sidebar44│   │   ├── theme-toggle.tsx        # Light/dark/system toggle45│   │   ├── user-nav.tsx            # User dropdown menu46│   │   └── stat-card.tsx           # Dashboard stat card47│   ├── db/48│   │   ├── schema.ts               # Drizzle schema (all tables)49│   │   └── index.ts                # Drizzle client factory50│   ├── lib/51│   │   ├── auth.server.ts          # better-auth server config52│   │   ├── auth.client.ts          # better-auth React hooks53│   │   └── utils.ts                # cn() helper for shadcn/ui54│   ├── server/55│   │   └── functions.ts            # Server functions (CRUD, auth checks)56│   ├── styles/57│   │   └── app.css                 # Tailwind v4 + shadcn/ui CSS variables58│   ├── router.tsx                  # TanStack Router configuration59│   ├── client.tsx                  # Client entry (hydrateRoot)60│   ├── ssr.tsx                     # SSR entry61│   └── routeTree.gen.ts            # Auto-generated route tree (do not edit)62├── drizzle/                        # Generated migrations63├── public/                         # Static assets (favicon, etc.)64├── vite.config.ts65├── wrangler.jsonc66├── drizzle.config.ts67├── tsconfig.json68├── package.json69├── .dev.vars                       # Local env vars (NOT committed)70└── .gitignore71```72 73## Dependencies74 75**Runtime:**76```json77{78  "react": "^19.0.0",79  "react-dom": "^19.0.0",80  "@tanstack/react-router": "^1.120.0",81  "@tanstack/react-start": "^1.120.0",82  "drizzle-orm": "^0.38.0",83  "better-auth": "^1.2.0",84  "zod": "^3.24.0",85  "class-variance-authority": "^0.7.0",86  "clsx": "^2.1.0",87  "tailwind-merge": "^3.0.0",88  "lucide-react": "^0.480.0"89}90```91 92**Dev:**93```json94{95  "@cloudflare/vite-plugin": "^1.0.0",96  "@tailwindcss/vite": "^4.0.0",97  "@vitejs/plugin-react": "^4.4.0",98  "tailwindcss": "^4.0.0",99  "typescript": "^5.7.0",100  "drizzle-kit": "^0.30.0",101  "wrangler": "^4.0.0",102  "tw-animate-css": "^1.2.0"103}104```105 106**Scripts:**107```json108{109  "dev": "vite",110  "build": "vite build",111  "preview": "vite preview",112  "deploy": "wrangler deploy",113  "db:generate": "drizzle-kit generate",114  "db:migrate:local": "wrangler d1 migrations apply PROJECT_NAME-db --local",115  "db:migrate:remote": "wrangler d1 migrations apply PROJECT_NAME-db --remote"116}117```118 119## Workflow120 121### Step 1: Gather Project Info122 123| Required | Optional |124|----------|----------|125| Project name (kebab-case) | Google OAuth credentials |126| One-line description | Custom domain |127| Cloudflare account | R2 storage needed? |128| Auth method: Google OAuth, email/password, or both | Admin email |129 130### Step 2: Initialise Project131 132Create the project directory and all config files from scratch.133 134**`vite.config.ts`** — Plugin order matters. Cloudflare MUST be first:135 136```typescript137import { defineConfig } from "vite";138import { cloudflare } from "@cloudflare/vite-plugin";139import { tanstackStart } from "@tanstack/react-start/plugin/vite";140import tailwindcss from "@tailwindcss/vite";141import viteReact from "@vitejs/plugin-react";142 143export default defineConfig({144  plugins: [145    cloudflare({ viteEnvironment: { name: "ssr" } }),146    tailwindcss(),147    tanstackStart(),148    viteReact(),149  ],150});151```152 153**`wrangler.jsonc`**:154 155```jsonc156{157  "$schema": "node_modules/wrangler/config-schema.json",158  "name": "PROJECT_NAME",159  "compatibility_date": "2025-04-01",160  "compatibility_flags": ["nodejs_compat"],161  "main": "@tanstack/react-start/server-entry",162  "account_id": "ACCOUNT_ID",163  "d1_databases": [164    {165      "binding": "DB",166      "database_name": "PROJECT_NAME-db",167      "database_id": "DATABASE_ID",168      "migrations_dir": "drizzle"169    }170  ]171}172```173 174Key points: `main` MUST be `"@tanstack/react-start/server-entry"` (Nitro server entry). Use `nodejs_compat` (NOT `node_compat`). Add `account_id` to avoid interactive prompts.175 176**`tsconfig.json`**:177 178```json179{180  "compilerOptions": {181    "target": "ES2022",182    "module": "ESNext",183    "moduleResolution": "bundler",184    "jsx": "react-jsx",185    "strict": true,186    "skipLibCheck": true,187    "esModuleInterop": true,188    "resolveJsonModule": true,189    "isolatedModules": true,190    "noEmit": true,191    "paths": { "@/*": ["./src/*"] },192    "types": ["@cloudflare/workers-types/2023-07-01"]193  },194  "include": ["src/**/*", "vite.config.ts"]195}196```197 198**`.dev.vars`** — generate `BETTER_AUTH_SECRET` with `openssl rand -hex 32`:199 200```201BETTER_AUTH_SECRET=<generated-hex-32>202BETTER_AUTH_URL=http://localhost:3000203TRUSTED_ORIGINS=http://localhost:3000204# GOOGLE_CLIENT_ID=205# GOOGLE_CLIENT_SECRET=206```207 208**`.gitignore`** — node_modules, .wrangler, dist, .output, .dev.vars, .vinxi, .DS_Store209 210Then install and create the D1 database:211 212```bash213cd PROJECT_NAME && pnpm install214npx wrangler d1 create PROJECT_NAME-db215# Copy the database_id into wrangler.jsonc d1_databases binding216```217 218### Step 3: Database Schema219 220**`src/db/schema.ts`** — All tables. better-auth requires: `users`, `sessions`, `accounts`, `verifications`. Add application tables (e.g. `items`) for CRUD demo.221 222D1-specific rules:223- Use `integer` for timestamps (Unix epoch), NOT Date objects224- Use `text` for primary keys (nanoid/cuid2), NOT autoincrement225- Keep bound parameters under 100 per query (batch large inserts)226- Foreign keys are always ON in D1227 228**`src/db/index.ts`** — Drizzle client factory:229 230```typescript231import { drizzle } from "drizzle-orm/d1";232import { env } from "cloudflare:workers";233import * as schema from "./schema";234 235export function getDb() {236  return drizzle(env.DB, { schema });237}238```239 240**CRITICAL**: Use `import { env } from "cloudflare:workers"` — NOT `process.env`. Create the Drizzle client inside each server function (per-request), not at module level.241 242**`drizzle.config.ts`**:243 244```typescript245import { defineConfig } from "drizzle-kit";246 247export default defineConfig({248  schema: "./src/db/schema.ts",249  out: "./drizzle",250  dialect: "sqlite",251});252```253 254Generate and apply the initial migration:255 256```bash257pnpm db:generate258pnpm db:migrate:local259```260 261### Step 4: Configure Auth262 263**`src/lib/auth.server.ts`** — Server-side better-auth:264 265```typescript266import { betterAuth } from "better-auth";267import { drizzleAdapter } from "better-auth/adapters/drizzle";268import { drizzle } from "drizzle-orm/d1";269import { env } from "cloudflare:workers";270import * as schema from "../db/schema";271 272export function getAuth() {273  const db = drizzle(env.DB, { schema });274  return betterAuth({275    database: drizzleAdapter(db, { provider: "sqlite" }),276    secret: env.BETTER_AUTH_SECRET,277    baseURL: env.BETTER_AUTH_URL,278    trustedOrigins: env.TRUSTED_ORIGINS?.split(",") ?? [],279    emailAndPassword: { enabled: true },280    socialProviders: {281      // Add Google OAuth if credentials provided282    },283  });284}285```286 287**CRITICAL**: `getAuth()` must be called per-request (inside handler/loader), NOT at module level.288 289**`src/lib/auth.client.ts`** — Client-side auth hooks:290 291```typescript292import { createAuthClient } from "better-auth/react";293 294export const { useSession, signIn, signOut, signUp } = createAuthClient();295```296 297**`src/routes/api/auth/$.ts`** — API catch-all for better-auth:298 299```typescript300import { createAPIFileRoute } from "@tanstack/react-start/api";301import { getAuth } from "../../../lib/auth.server";302 303export const APIRoute = createAPIFileRoute("/api/auth/$")({304  GET: ({ request }) => getAuth().handler(request),305  POST: ({ request }) => getAuth().handler(request),306});307```308 309**CRITICAL**: Auth MUST use an API route (`createAPIFileRoute`), NOT a server function (`createServerFn`). better-auth needs direct request/response access.310 311### Step 5: Server Functions312 313**Core pattern** — always create DB client inside the handler:314 315```typescript316import { createServerFn } from "@tanstack/react-start";317import { getDb } from "../db";318 319export const getItems = createServerFn({ method: "GET" }).handler(async () => {320  const db = getDb();321  return db.select().from(items).all();322});323```324 325**Input validation** with Zod:326 327```typescript328export const createItem = createServerFn({ method: "POST" })329  .inputValidator(330    z.object({331      name: z.string().min(1),332      description: z.string().optional(),333    })334  )335  .handler(async ({ data }) => {336    const db = getDb();337    const id = crypto.randomUUID();338    await db.insert(items).values({ id, ...data, createdAt: Date.now() });339    return { id };340  });341```342 343**Protected server functions** — check auth, throw redirect if unauthenticated:344 345```typescript346import { redirect } from "@tanstack/react-router";347import { getAuth } from "../lib/auth.server";348 349async function requireSession(request?: Request) {350  const auth = getAuth();351  const session = await auth.api.getSession({352    headers: request?.headers ?? new Headers(),353  });354  if (!session) {355    throw redirect({ to: "/login" });356  }357  return session;358}359 360export const getSessionFn = createServerFn({ method: "GET" }).handler(361  async ({ request }) => {362    const auth = getAuth();363    return auth.api.getSession({ headers: request.headers });364  }365);366 367export const getItems = createServerFn({ method: "GET" }).handler(368  async ({ request }) => {369    const session = await requireSession(request);370    const db = getDb();371    return db.select().from(items).where(eq(items.userId, session.user.id)).all();372  }373);374```375 376**Route loader pattern** — server functions in route `loader`:377 378```typescript379export const Route = createFileRoute("/_authed/items")({380  loader: () => getItems(),381  component: ItemsPage,382});383 384function ItemsPage() {385  const items = Route.useLoaderData();386  return <div>{items.map((item) => <div key={item.id}>{item.name}</div>)}</div>;387}388```389 390**Auth guard** (`_authed.tsx`) — use `beforeLoad`:391 392```typescript393export const Route = createFileRoute("/_authed")({394  beforeLoad: async () => {395    const session = await getSessionFn();396    if (!session) {397      throw redirect({ to: "/login" });398    }399    return { session };400  },401});402```403 404Child routes access session via `Route.useRouteContext()`.405 406**Mutation + invalidation** — after mutations, invalidate router to refetch loaders:407 408```typescript409function CreateItemForm() {410  const router = useRouter();411  const handleSubmit = async (data: NewItem) => {412    await createItem({ data });413    router.invalidate();414    router.navigate({ to: "/items" });415  };416  return <form onSubmit={...}>...</form>;417}418```419 420**Type safety** — use Drizzle's `InferSelectModel` / `InferInsertModel` for server function input/output types. For auth failures, always use `throw redirect()` — not error responses.421 422### Step 6: App Shell + Theme423 424**`src/routes/__root.tsx`** — Root layout with full HTML document, `<HeadContent />` and `<Scripts />` from `@tanstack/react-router`. Add `suppressHydrationWarning` on `<html>` for SSR + theme toggle compatibility. Import global CSS. Include inline theme init script to prevent flash.425 426**`src/styles/app.css`** — `@import "tailwindcss"` (v4 syntax), CSS variables for shadcn/ui tokens in `:root` and `.dark`, neutral/monochrome palette. Use semantic tokens only.427 428**`src/router.tsx`**:429 430```typescript431import { createRouter as createTanStackRouter } from "@tanstack/react-router";432import { routeTree } from "./routeTree.gen";433 434export function createRouter() {435  return createTanStackRouter({ routeTree });436}437 438declare module "@tanstack/react-router" {439  interface Register {440    router: ReturnType<typeof createRouter>;441  }442}443```444 445**`src/client.tsx`** and **`src/ssr.tsx`** — standard TanStack Start entry point boilerplate.446 447Install shadcn/ui (configure to use `src/components`):448 449```bash450pnpm dlx shadcn@latest init --defaults451pnpm dlx shadcn@latest add button card input label sidebar table dropdown-menu form separator sheet452```453 454**Theme toggle**: three-state (light -> dark -> system -> light). Store in localStorage. Apply `.dark` class on `<html>`. Use JS-only system preference detection — NO CSS `@media (prefers-color-scheme)` queries.455 456**Components** in `src/components/`: `app-sidebar.tsx` (navigation), `theme-toggle.tsx`, `user-nav.tsx` (dropdown with sign-out), `stat-card.tsx`.457 458### Step 7: CRUD Server Functions459 460| Function | Method | Purpose |461|----------|--------|---------|462| `getItems` | GET | List all items for current user |463| `getItem` | GET | Get single item by ID |464| `createItem` | POST | Create new item |465| `updateItem` | POST | Update existing item |466| `deleteItem` | POST | Delete item by ID |467 468Each server function: (1) gets auth session, (2) creates per-request Drizzle client via `getDb()`, (3) performs DB operation, (4) returns typed data. Route loaders call GET functions. Mutations call POST functions then `router.invalidate()`.469 470### Step 8: Verify Locally471 472```bash473pnpm dev474```475 476- [ ] App loads at http://localhost:3000477- [ ] Register a new account (email/password)478- [ ] Login and logout work479- [ ] Dashboard loads with stat cards480- [ ] Create, list, edit, delete items481- [ ] Theme toggle cycles: light -> dark -> system482- [ ] Sidebar collapses on mobile483- [ ] No console errors484 485### Step 9: Deploy to Production486 487**Pre-deploy checklist:**488- [ ] `wrangler.jsonc` has correct `account_id`489- [ ] D1 database created and `database_id` set490- [ ] `main` is `"@tanstack/react-start/server-entry"`491- [ ] `nodejs_compat` in `compatibility_flags`492- [ ] `.dev.vars` is in `.gitignore`493- [ ] No hardcoded secrets in source494 495**Set production secrets:**496 497```bash498openssl rand -hex 32 | npx wrangler secret put BETTER_AUTH_SECRET499echo "https://PROJECT.SUBDOMAIN.workers.dev" | npx wrangler secret put BETTER_AUTH_URL500echo "http://localhost:3000,https://PROJECT.SUBDOMAIN.workers.dev" | npx wrangler secret put TRUSTED_ORIGINS501```502 503If using Google OAuth:504```bash505echo "your-client-id" | npx wrangler secret put GOOGLE_CLIENT_ID506echo "your-client-secret" | npx wrangler secret put GOOGLE_CLIENT_SECRET507```508 509Add production redirect URI in Google Cloud Console: `https://PROJECT.SUBDOMAIN.workers.dev/api/auth/callback/google`510 511**Migrate and deploy:**512 513```bash514pnpm db:migrate:remote515pnpm build && npx wrangler deploy516```517 518After first deploy: update `BETTER_AUTH_URL` with actual Worker URL, then redeploy.519 520**Post-deploy verification:**521- [ ] App loads at production URL522- [ ] Auth login/register works523- [ ] CRUD operations work524- [ ] Theme persists across page loads525 526**Custom domain** (optional): Add in Cloudflare Dashboard -> Workers -> Triggers -> Custom Domains. Update `BETTER_AUTH_URL` and `TRUSTED_ORIGINS` secrets with the custom domain. Update Google OAuth redirect URI. Redeploy.527 528## Common Issues529 530| Symptom | Cause | Fix |531|---------|-------|-----|532| `env` is undefined | Accessed at module level | Use `import { env } from "cloudflare:workers"` inside request handler only |533| D1 database not found | Binding mismatch | Check `d1_databases` binding name in wrangler.jsonc matches code |534| Auth redirect loop | URL mismatch | `BETTER_AUTH_URL` must match actual URL exactly (protocol + domain, no trailing slash) |535| Auth silently fails | Missing origins | Set `TRUSTED_ORIGINS` secret with all valid URLs (comma-separated) |536| Styles not loading | Missing plugin | Ensure `@tailwindcss/vite` plugin is in vite.config.ts |537| SSR hydration mismatch | Theme flash | Add `suppressHydrationWarning` to `<html>` element |538| Build fails on Cloudflare | Bad config | Check `nodejs_compat` flag and `main` field in wrangler.jsonc |539| Secrets not taking effect | No redeploy | `wrangler secret put` does NOT redeploy — run `npx wrangler deploy` after |540| Auth endpoints return 404 | Wrong route type | Use `createAPIFileRoute` (API route), not `createServerFn` for better-auth |541| "redirect_uri_mismatch" | Missing URI | Add production URL to Google Cloud Console OAuth redirect URIs |542| Cryptic Vite errors | Plugin order | Must be: `cloudflare()` -> `tailwindcss()` -> `tanstackStart()` -> `viteReact()` |543| "Table not found" 500s | Missing migration | Run `pnpm db:migrate:remote` before deploying |
Related skills
Cloudflare Worker Builder

Install Cloudflare Worker Builder skill for Claude Code from jezweb/claude-skills.
Color Palette

Install Color Palette skill for Claude Code from jezweb/claude-skills.
D1 Drizzle Schema

Install D1 Drizzle Schema skill for Claude Code from jezweb/claude-skills.