Platform core
The shared Effect v4 RPC API, auth, database, and cross-cutting utility packages every app in the monorepo is built on.
These eight packages are the load-bearing layer under every app: the typed RPC contract, the database, authentication, and the small constants/utils/logger/security helpers that keep app code from reinventing them.
@repo/api
The shared Effect v4 RPC surface consumed by apps/web. ApiRpc
(rpc/schema.ts) is an RpcGroup merging per-domain slices (todo, travel,
deals, ai-sessions, plans, telemetry, health) with typed Schema in/out and
per-group middleware; ApiRpcHandlers/ApiRpcLive (rpc/router.ts)
implement them by composing per-domain handler builders under
rpc/handlers/. A browser-side client runtime wires the same group to a
transport, so both sides type against one contract.
.— HTTP adapters (toJsonRoute,toStreamRoute,makeErrorMapper) and plainResponse.jsonerror helpers./client—makeRpcRuntime/makeRpcAtomRuntime, the browser RPC runtime./*— subpath access torpc/schema,rpc/router,rpc/errors,rpc/middleware, etc.
@repo/auth
Better Auth configuration and helpers shared across apps: the server auth
instance, an Effect-wrapped AuthService, browser/server auth clients,
role-based access control, and transactional auth email. server.ts's
auth() routes session lookups through the retry-wrapped
getSessionFromHeaders rather than calling authInstance.api.getSession
directly, so pooler connection drops are retried instead of throwing.
.—auth-instance.ts(Better Auth server instance),effect.ts(AuthService/AuthServiceLive),client.ts,server.ts,next.ts./keys— env schema (@t3-oss/env-nextjs+ Effect Schema)./feature-access—lib/feature-access.ts./*— subpath access to the rest ofsrc/(e.g.lib/access-control,lib/reset-password-email)
@repo/db
Drizzle ORM (drizzle-orm/node-postgres) over Supabase Postgres. Table
schemas live under src/schema/ (auth, todo, image, travel, audio,
channels/chat+RBAC, blog tasks, plus a blog.ts alias re-export module),
and SQL migrations under src/migrations/, managed by Drizzle Kit. A
separate src/effect/ tree provides Effect-native repos with shared
helpers (pgRepoLayerWith, makeRepoError) and pool-resilience/retry
layers for the Supavisor session-mode pooler.
.— thedbDrizzle client singleton (server-only) plus schema re-exports./effect— EffectPgDrizzle-backed layer, pool resilience, connection retry./*— subpath access toschema/<table>,avatar-storage, etc.
@repo/contracts
Thin, still-small package for cross-app domain schemas shared outside the
RPC boundary. Today it holds a single module, the e-commerce checkout
address form: an Effect Schema builder for a localized address form
(getAddressSchemaEffect), its field list/type guards, and a
parseAddressForm helper. Expect this package to grow as more
non-RPC contracts are shared between apps.
./*— e.g../store/address-effect
@repo/constants
Plain shared constants — no logic, no dependencies beyond
@repo/typescript-config. Covers UI opacity/icon sizes, timing/timeout
values, rate-limit defaults, percentage/aspect-ratio math, and day-offset
values, plus a small urls map.
.— the constants above (src/index.ts)./urls—urls(external link map)
@repo/utils
General-purpose helpers used across apps: string/format utilities, a
cn Tailwind class merger, date/duration/file-size/millis formatters, an
Effect-aware react-hook-form resolver, crypto-backed id/random helpers,
and a constant-time string comparison.
.—getStatusText,capitalize,cn,effectResolver,formatDate,formatDuration,formatFileSize,formatMillis,isDefined,optionalRedacted,compactId,randomInt,secureId,sha256,slugify,timingSafeStringEqual./format-code,./random,./timing-safe-equal— direct subpath access to the same helpers, useful when importing a single leaf without pulling in the rest of the barrel
@repo/logger
A single logger with debug/info/warn/error, backed by pino +
pino-pretty on the server and by console in the browser (the one
sanctioned console boundary in the codebase). Picks the implementation
at runtime based on whether window is defined, so the same import works
in server and client code.
src/index.ts— theloggerinstancesrc/keys.ts—LOG_LEVEL/env schema consumed by the server logger
@repo/security
Arcjet + Nosecone wrappers for bot/rate-limit protection and security
headers. secure() runs Arcjet shield + bot detection against a request,
enforcing only in production (DRY_RUN elsewhere) and allowing read (GET/
HEAD) requests through even when flagged as a bot, since the site is
declared open to AI agents and crawlers. middleware.ts re-exports
Nosecone's createMiddleware as securityMiddleware and exports a CSP
options object (Nosecone defaults extended with the Supabase image host).
index.ts—secure()(Arcjet shield + bot/rate-limit check)middleware.ts—securityMiddleware,noseconeOptions,noseconeOptionsWithToolbarkeys.ts—ARCJET_KEYenv schema
@repo/security has no exports map in its package.json — it is consumed by importing the
root-level index.ts / middleware.ts / keys.ts files directly rather than through package
subpaths.
See the packages overview and the architecture guide.