npm - cp-toolkit - Versions diffs - 2.0.0 - Mend

cp-toolkit 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/templates/skills/optional/nextjs-react-expert/3-server-server-side-performance.md ADDED Viewed

@@ -0,0 +1,490 @@
+# 3. Server-Side Performance
+> **Impact:** HIGH
+> **Focus:** Optimizing server-side rendering and data fetching eliminates server-side waterfalls and reduces response times.
+---
+## Overview
+This section contains **7 rules** focused on server-side performance.
+---
+## Rule 3.1: Authenticate Server Actions Like API Routes
+**Impact:** CRITICAL
+**Tags:** server, server-actions, authentication, security, authorization
+## Authenticate Server Actions Like API Routes
+**Impact: CRITICAL (prevents unauthorized access to server mutations)**
+Server Actions (functions with `"use server"`) are exposed as public endpoints, just like API routes. Always verify authentication and authorization **inside** each Server Action—do not rely solely on middleware, layout guards, or page-level checks, as Server Actions can be invoked directly.
+Next.js documentation explicitly states: "Treat Server Actions with the same security considerations as public-facing API endpoints, and verify if the user is allowed to perform a mutation."
+**Incorrect (no authentication check):**
+```typescript
+'use server'
+export async function deleteUser(userId: string) {
+  // Anyone can call this! No auth check
+  await db.user.delete({ where: { id: userId } })
+  return { success: true }
+}
+```
+**Correct (authentication inside the action):**
+```typescript
+'use server'
+import { verifySession } from '@/lib/auth'
+import { unauthorized } from '@/lib/errors'
+export async function deleteUser(userId: string) {
+  // Always check auth inside the action
+  const session = await verifySession()
+  if (!session) {
+    throw unauthorized('Must be logged in')
+  }
+  // Check authorization too
+  if (session.user.role !== 'admin' && session.user.id !== userId) {
+    throw unauthorized('Cannot delete other users')
+  }
+  await db.user.delete({ where: { id: userId } })
+  return { success: true }
+}
+```
+**With input validation:**
+```typescript
+'use server'
+import { verifySession } from '@/lib/auth'
+import { z } from 'zod'
+const updateProfileSchema = z.object({
+  userId: z.string().uuid(),
+  name: z.string().min(1).max(100),
+  email: z.string().email()
+})
+export async function updateProfile(data: unknown) {
+  // Validate input first
+  const validated = updateProfileSchema.parse(data)
+  // Then authenticate
+  const session = await verifySession()
+  if (!session) {
+    throw new Error('Unauthorized')
+  }
+  // Then authorize
+  if (session.user.id !== validated.userId) {
+    throw new Error('Can only update own profile')
+  }
+  // Finally perform the mutation
+  await db.user.update({
+    where: { id: validated.userId },
+    data: {
+      name: validated.name,
+      email: validated.email
+    }
+  })
+  return { success: true }
+}
+```
+Reference: [https://nextjs.org/docs/app/guides/authentication](https://nextjs.org/docs/app/guides/authentication)
+---
+## Rule 3.2: Avoid Duplicate Serialization in RSC Props
+**Impact:** LOW
+**Tags:** server, rsc, serialization, props, client-components
+## Avoid Duplicate Serialization in RSC Props
+**Impact: LOW (reduces network payload by avoiding duplicate serialization)**
+RSC→client serialization deduplicates by object reference, not value. Same reference = serialized once; new reference = serialized again. Do transformations (`.toSorted()`, `.filter()`, `.map()`) in client, not server.
+**Incorrect (duplicates array):**
+```tsx
+// RSC: sends 6 strings (2 arrays × 3 items)
+<ClientList usernames={usernames} usernamesOrdered={usernames.toSorted()} />
+```
+**Correct (sends 3 strings):**
+```tsx
+// RSC: send once
+<ClientList usernames={usernames} />
+// Client: transform there
+'use client'
+const sorted = useMemo(() => [...usernames].sort(), [usernames])
+```
+**Nested deduplication behavior:**
+Deduplication works recursively. Impact varies by data type:
+- `string[]`, `number[]`, `boolean[]`: **HIGH impact** - array + all primitives fully duplicated
+- `object[]`: **LOW impact** - array duplicated, but nested objects deduplicated by reference
+```tsx
+// string[] - duplicates everything
+usernames={['a','b']} sorted={usernames.toSorted()} // sends 4 strings
+// object[] - duplicates array structure only
+users={[{id:1},{id:2}]} sorted={users.toSorted()} // sends 2 arrays + 2 unique objects (not 4)
+```
+**Operations breaking deduplication (create new references):**
+- Arrays: `.toSorted()`, `.filter()`, `.map()`, `.slice()`, `[...arr]`
+- Objects: `{...obj}`, `Object.assign()`, `structuredClone()`, `JSON.parse(JSON.stringify())`
+**More examples:**
+```tsx
+// ❌ Bad
+<C users={users} active={users.filter(u => u.active)} />
+<C product={product} productName={product.name} />
+// ✅ Good
+<C users={users} />
+<C product={product} />
+// Do filtering/destructuring in client
+```
+**Exception:** Pass derived data when transformation is expensive or client doesn't need original.
+---
+## Rule 3.3: Cross-Request LRU Caching
+**Impact:** HIGH
+**Tags:** server, cache, lru, cross-request
+## Cross-Request LRU Caching
+`React.cache()` only works within one request. For data shared across sequential requests (user clicks button A then button B), use an LRU cache.
+**Implementation:**
+```typescript
+import { LRUCache } from 'lru-cache'
+const cache = new LRUCache<string, any>({
+  max: 1000,
+  ttl: 5 * 60 * 1000  // 5 minutes
+})
+export async function getUser(id: string) {
+  const cached = cache.get(id)
+  if (cached) return cached
+  const user = await db.user.findUnique({ where: { id } })
+  cache.set(id, user)
+  return user
+}
+// Request 1: DB query, result cached
+// Request 2: cache hit, no DB query
+```
+Use when sequential user actions hit multiple endpoints needing the same data within seconds.
+**With Vercel's [Fluid Compute](https://vercel.com/docs/fluid-compute):** LRU caching is especially effective because multiple concurrent requests can share the same function instance and cache. This means the cache persists across requests without needing external storage like Redis.
+**In traditional serverless:** Each invocation runs in isolation, so consider Redis for cross-process caching.
+Reference: [https://github.com/isaacs/node-lru-cache](https://github.com/isaacs/node-lru-cache)
+---
+## Rule 3.4: Minimize Serialization at RSC Boundaries
+**Impact:** HIGH
+**Tags:** server, rsc, serialization, props
+## Minimize Serialization at RSC Boundaries
+The React Server/Client boundary serializes all object properties into strings and embeds them in the HTML response and subsequent RSC requests. This serialized data directly impacts page weight and load time, so **size matters a lot**. Only pass fields that the client actually uses.
+**Incorrect (serializes all 50 fields):**
+```tsx
+async function Page() {
+  const user = await fetchUser()  // 50 fields
+  return <Profile user={user} />
+}
+'use client'
+function Profile({ user }: { user: User }) {
+  return <div>{user.name}</div>  // uses 1 field
+}
+```
+**Correct (serializes only 1 field):**
+```tsx
+async function Page() {
+  const user = await fetchUser()
+  return <Profile name={user.name} />
+}
+'use client'
+function Profile({ name }: { name: string }) {
+  return <div>{name}</div>
+}
+```
+---
+## Rule 3.5: Parallel Data Fetching with Component Composition
+**Impact:** CRITICAL
+**Tags:** server, rsc, parallel-fetching, composition
+## Parallel Data Fetching with Component Composition
+React Server Components execute sequentially within a tree. Restructure with composition to parallelize data fetching.
+**Incorrect (Sidebar waits for Page's fetch to complete):**
+```tsx
+export default async function Page() {
+  const header = await fetchHeader()
+  return (
+    <div>
+      <div>{header}</div>
+      <Sidebar />
+    </div>
+  )
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+```
+**Correct (both fetch simultaneously):**
+```tsx
+async function Header() {
+  const data = await fetchHeader()
+  return <div>{data}</div>
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+export default function Page() {
+  return (
+    <div>
+      <Header />
+      <Sidebar />
+    </div>
+  )
+}
+```
+**Alternative with children prop:**
+```tsx
+async function Header() {
+  const data = await fetchHeader()
+  return <div>{data}</div>
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+function Layout({ children }: { children: ReactNode }) {
+  return (
+    <div>
+      <Header />
+      {children}
+    </div>
+  )
+}
+export default function Page() {
+  return (
+    <Layout>
+      <Sidebar />
+    </Layout>
+  )
+}
+```
+---
+## Rule 3.6: Per-Request Deduplication with React.cache()
+**Impact:** MEDIUM
+**Tags:** server, cache, react-cache, deduplication
+## Per-Request Deduplication with React.cache()
+Use `React.cache()` for server-side request deduplication. Authentication and database queries benefit most.
+**Usage:**
+```typescript
+import { cache } from 'react'
+export const getCurrentUser = cache(async () => {
+  const session = await auth()
+  if (!session?.user?.id) return null
+  return await db.user.findUnique({
+    where: { id: session.user.id }
+  })
+})
+```
+Within a single request, multiple calls to `getCurrentUser()` execute the query only once.
+**Avoid inline objects as arguments:**
+`React.cache()` uses shallow equality (`Object.is`) to determine cache hits. Inline objects create new references each call, preventing cache hits.
+**Incorrect (always cache miss):**
+```typescript
+const getUser = cache(async (params: { uid: number }) => {
+  return await db.user.findUnique({ where: { id: params.uid } })
+})
+// Each call creates new object, never hits cache
+getUser({ uid: 1 })
+getUser({ uid: 1 })  // Cache miss, runs query again
+```
+**Correct (cache hit):**
+```typescript
+const getUser = cache(async (uid: number) => {
+  return await db.user.findUnique({ where: { id: uid } })
+})
+// Primitive args use value equality
+getUser(1)
+getUser(1)  // Cache hit, returns cached result
+```
+If you must pass objects, pass the same reference:
+```typescript
+const params = { uid: 1 }
+getUser(params)  // Query runs
+getUser(params)  // Cache hit (same reference)
+```
+**Next.js-Specific Note:**
+In Next.js, the `fetch` API is automatically extended with request memoization. Requests with the same URL and options are automatically deduplicated within a single request, so you don't need `React.cache()` for `fetch` calls. However, `React.cache()` is still essential for other async tasks:
+- Database queries (Prisma, Drizzle, etc.)
+- Heavy computations
+- Authentication checks
+- File system operations
+- Any non-fetch async work
+Use `React.cache()` to deduplicate these operations across your component tree.
+Reference: [React.cache documentation](https://react.dev/reference/react/cache)
+---
+## Rule 3.7: Use after() for Non-Blocking Operations
+**Impact:** MEDIUM
+**Tags:** server, async, logging, analytics, side-effects
+## Use after() for Non-Blocking Operations
+Use Next.js's `after()` to schedule work that should execute after a response is sent. This prevents logging, analytics, and other side effects from blocking the response.
+**Incorrect (blocks response):**
+```tsx
+import { logUserAction } from '@/app/utils'
+export async function POST(request: Request) {
+  // Perform mutation
+  await updateDatabase(request)
+  // Logging blocks the response
+  const userAgent = request.headers.get('user-agent') || 'unknown'
+  await logUserAction({ userAgent })
+  return new Response(JSON.stringify({ status: 'success' }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' }
+  })
+}
+```
+**Correct (non-blocking):**
+```tsx
+import { after } from 'next/server'
+import { headers, cookies } from 'next/headers'
+import { logUserAction } from '@/app/utils'
+export async function POST(request: Request) {
+  // Perform mutation
+  await updateDatabase(request)
+  // Log after response is sent
+  after(async () => {
+    const userAgent = (await headers()).get('user-agent') || 'unknown'
+    const sessionCookie = (await cookies()).get('session-id')?.value || 'anonymous'
+    logUserAction({ sessionCookie, userAgent })
+  })
+  return new Response(JSON.stringify({ status: 'success' }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' }
+  })
+}
+```
+The response is sent immediately while logging happens in the background.
+**Common use cases:**
+- Analytics tracking
+- Audit logging
+- Sending notifications
+- Cache invalidation
+- Cleanup tasks
+**Important notes:**
+- `after()` runs even if the response fails or redirects
+- Works in Server Actions, Route Handlers, and Server Components
+Reference: [https://nextjs.org/docs/app/api-reference/functions/after](https://nextjs.org/docs/app/api-reference/functions/after)