rename inputValidator to validator (#7566)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

Author: schiller-manuel

.changeset/clean-rules-warn.md

@@ -0,0 +1,9 @@
+---
+'@tanstack/react-start': patch
+'@tanstack/solid-start': patch
+'@tanstack/vue-start': patch
+'@tanstack/start-client-core': patch
+'@tanstack/start-plugin-core': patch
+---
+
+Add `validator()` as the canonical server function and middleware validator method. Deprecate `inputValidator()` and emit compiler warnings for remaining uses.

_artifacts/start_domain_map.yaml

@@ -134,7 +134,7 @@ skills:
       - '@tanstack/start-server-core'
     covers:
       - createServerFn (GET/POST)
-      - inputValidator (Zod or function)
+      - validator (Zod or function)
       - useServerFn hook
       - Server context utilities (getRequest, getRequestHeader, setResponseHeader, setResponseStatus)
       - Error handling (throw errors, redirect, notFound)
@@ -229,7 +229,7 @@ skills:
       - Middleware factories
       - Fetch override precedence
       - Header merging
-      - Method order enforcement (middleware → inputValidator → client → server)
+      - Method order enforcement (middleware → validator → client → server)
     tasks:
       - 'Add authentication middleware'
       - 'Pass context through middleware chain'
@@ -247,7 +247,7 @@ skills:
 
       - mistake: 'Wrong middleware method order'
         mechanism: >-
-          TypeScript enforces method order: middleware → inputValidator
+          TypeScript enforces method order: middleware → validator
           → client → server. Wrong order causes type errors and
           runtime failures.
         source: 'docs/start/framework/react/guide/middleware.md'

_artifacts/start_skill_tree.yaml

@@ -37,7 +37,7 @@ skills:
     path: 'skills/start-core/server-functions/SKILL.md'
     package: 'packages/start-client-core'
     description: >-
-      createServerFn (GET/POST), inputValidator (Zod or function),
+      createServerFn (GET/POST), validator (Zod or function),
       useServerFn hook, server context utilities (getRequest,
       getRequestHeader, setResponseHeader, setResponseStatus), error
       handling (throw errors, redirect, notFound), streaming

docs/start/framework/react/build-from-scratch.md

@@ -290,7 +290,7 @@ const getCount = createServerFn({
 })
 
 const updateCount = createServerFn({ method: 'POST' })
-  .inputValidator((d: number) => d)
+  .validator((d: number) => d)
   .handler(async ({ data }) => {
     const count = await readCount()
     await fs.promises.writeFile(filePath, `${count + data}`)

docs/start/framework/react/comparison.md

@@ -188,7 +188,7 @@ function Post() {
 
 ```tsx
 export const getTodos = createServerFn({ method: 'GET' })
-  .inputValidator(zodValidator(z.object({ userId: z.string() })))
+  .validator(zodValidator(z.object({ userId: z.string() })))
   .middleware([authMiddleware])
   .handler(async ({ data, context }) => {
     // Fully typed data and context

docs/start/framework/react/guide/authentication-overview.md

@@ -212,7 +212,7 @@ Build your own authentication system using TanStack Start's server functions and
 - Use HTTPS in production and set a strong session secret.
 - Store sessions in `HttpOnly`, `Secure`, `SameSite` cookies. Do not store session tokens in `localStorage` or `sessionStorage`.
 - Enforce auth in every server function, server route, or API endpoint that reads or writes private user, tenant, or account data. Use `beforeLoad` for page UX, not as the data boundary.
-- Use `.inputValidator()` on every server function that accepts input.
+- Use `.validator()` on every server function that accepts input.
 - Hash passwords with bcrypt, scrypt, or Argon2. For missing users, verify against a dummy hash and return the same login/reset message.
 - Rate limit login, registration, and password-reset endpoints.
 - Use CSRF or same-origin protections for non-GET server functions and server routes.

docs/start/framework/react/guide/authentication-server-primitives.md

@@ -119,7 +119,7 @@ import { z } from 'zod'
 import { setSessionCookie } from './session'
 
 export const login = createServerFn({ method: 'POST' })
-  .inputValidator(z.object({ email: z.string().email(), password: z.string() }))
+  .validator(z.object({ email: z.string().email(), password: z.string() }))
   .handler(async ({ data }) => {
     const user = await db.users.findByEmail(data.email)
     // Always run verifyPasswordHash — even when the user doesn't exist —
@@ -228,7 +228,7 @@ import { createServerFn } from '@tanstack/react-start'
 import { z } from 'zod'
 
 export const requestPasswordReset = createServerFn({ method: 'POST' })
-  .inputValidator(z.object({ email: z.string().email() }))
+  .validator(z.object({ email: z.string().email() }))
   .handler(async ({ data }) => {
     const user = await db.users.findByEmail(data.email)
     if (user) {

docs/start/framework/react/guide/authentication.md

@@ -50,7 +50,7 @@ import { redirect } from '@tanstack/react-router'
 
 // Login server function
 export const loginFn = createServerFn({ method: 'POST' })
-  .inputValidator((data: { email: string; password: string }) => data)
+  .validator((data: { email: string; password: string }) => data)
   .handler(async ({ data }) => {
     // Verify credentials (replace with your auth logic)
     const user = await authenticateUser(data.email, data.password)
@@ -221,9 +221,7 @@ import { createServerFn } from '@tanstack/react-start'
 
 // User registration
 export const registerFn = createServerFn({ method: 'POST' })
-  .inputValidator(
-    (data: { email: string; password: string; name: string }) => data,
-  )
+  .validator((data: { email: string; password: string; name: string }) => data)
   .handler(async ({ data }) => {
     // Check if user exists
     const existingUser = await getUserByEmail(data.email)
@@ -305,7 +303,7 @@ export const authProviders = {
 }
 
 export const initiateOAuthFn = createServerFn({ method: 'POST' })
-  .inputValidator((data: { provider: 'google' | 'github' }) => data)
+  .validator((data: { provider: 'google' | 'github' }) => data)
   .handler(async ({ data }) => {
     const provider = authProviders[data.provider]
     const state = generateRandomState()
@@ -326,7 +324,7 @@ export const initiateOAuthFn = createServerFn({ method: 'POST' })
 ```tsx
 // Password reset request
 export const requestPasswordResetFn = createServerFn({ method: 'POST' })
-  .inputValidator((data: { email: string }) => data)
+  .validator((data: { email: string }) => data)
   .handler(async ({ data }) => {
     const user = await getUserByEmail(data.email)
     if (!user) {
@@ -345,7 +343,7 @@ export const requestPasswordResetFn = createServerFn({ method: 'POST' })
 
 // Password reset confirmation
 export const resetPasswordFn = createServerFn({ method: 'POST' })
-  .inputValidator((data: { token: string; newPassword: string }) => data)
+  .validator((data: { token: string; newPassword: string }) => data)
   .handler(async ({ data }) => {
     const resetToken = await getPasswordResetToken(data.token)
 
@@ -426,7 +424,7 @@ const loginSchema = z.object({
 })
 
 export const loginFn = createServerFn({ method: 'POST' })
-  .inputValidator((data) => loginSchema.parse(data))
+  .validator((data) => loginSchema.parse(data))
   .handler(async ({ data }) => {
     // data is now validated
   })
@@ -522,7 +520,7 @@ function LoginForm() {
 
 ```tsx
 export const loginFn = createServerFn({ method: 'POST' })
-  .inputValidator(
+  .validator(
     (data: { email: string; password: string; rememberMe?: boolean }) => data,
   )
   .handler(async ({ data }) => {

docs/start/framework/react/guide/environment-variables.md

@@ -77,7 +77,7 @@ const connectToDatabase = createServerFn().handler(async () => {
 
 // Authentication (server-only)
 const authenticateUser = createServerFn()
-  .inputValidator(z.object({ token: z.string() }))
+  .validator(z.object({ token: z.string() }))
   .handler(async ({ data }) => {
     const jwtSecret = process.env.JWT_SECRET // Server-only
     return jwt.verify(data.token, jwtSecret)
@@ -257,7 +257,7 @@ import { createServerFn } from '@tanstack/react-start'
 
 // Server-side API calls (can use secret keys)
 const fetchUserData = createServerFn()
-  .inputValidator(z.object({ userId: z.string() }))
+  .validator(z.object({ userId: z.string() }))
   .handler(async ({ data }) => {
     const response = await fetch(
       `${process.env.EXTERNAL_API_URL}/users/${data.userId}`,

docs/start/framework/react/guide/execution-model.md

@@ -62,7 +62,7 @@ import { createServerFn, createServerOnlyFn } from '@tanstack/react-start'
 
 // RPC: Server execution, callable from client
 const updateUser = createServerFn({ method: 'POST' })
-  .inputValidator((data: UserData) => data)
+  .validator((data: UserData) => data)
   .handler(async ({ data }) => {
     // Only runs on server, but client can call it
     return await db.users.update(data)