---
package: "@trpc/server"
version: "^11.0.0"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: null
filter-results:
  license: MIT
  types: native
  maintenance: active
  boundary-fit: pass
  shadow-check: pass
  eu-residency: n/a
  cve-scan: clean
  named-consumer: pass
  socketRisk: clean
verification-commands:
  - npm view @trpc/server license
  - npm view @trpc/server version
  - pnpm audit --audit-level=moderate
lastRevalidated: 2026-05-19
accepted-cves: []
---

## Filter: license

<!-- Result: MIT -->

`npm view @trpc/server license` returns `MIT`. MIT is on the allowlist.

## Filter: types

<!-- Result: native -->

`@trpc/server` is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/` package is needed.

## Filter: maintenance

<!-- Result: active -->

Actively maintained by the tRPC team. The 11.x line is the current major. Regular releases; strong community adoption in the Next.js ecosystem.

## Filter: boundary-fit

<!-- Result: pass -->

`@trpc/server` is the workspace-standard RPC layer for type-safe client-server communication (ADR-019 references tRPC as the transport for use-case exposure). Feature packages export their tRPC routers; `core-api` aggregates them; apps mount the root router. Feature packages own their error middleware (`integrations/api/procedures.ts`). No boundary rule restricts `@trpc/server` to a specific tier.

## Filter: shadow-check

<!-- Result: pass -->

`@trpc/server` is the sole RPC framework in the workspace. No competing API layer (REST, GraphQL, gRPC) is present for the same purpose.

## Filter: eu-residency

<!-- Result: n/a -->

`@trpc/server` is a pure server-side routing library with no network communication to vendor-controlled endpoints. EU residency does not apply.

## Filter: cve-scan

<!-- Result: clean -->

`pnpm audit --audit-level=moderate` reports no advisories against `@trpc/server` at the time of this trace.

## Filter: named-consumer

<!-- Result: pass -->

All five feature packages export a tRPC router that uses `@trpc/server`. `@repo/core-api` aggregates these routers. `@repo/core-shared` provides the tRPC base instance and error middleware utilities. `@repo/core-dsr` exposes the `dsrRouter` via `createDsrRouter`. Named, non-hypothetical consumers exist today.

## Prompt: replaces

`@trpc/server` replaces a hypothetical hand-written REST API layer. tRPC enables end-to-end type safety between the server use cases and the Next.js client without a separate OpenAPI spec or code generation step.

## Prompt: migration-cost-out

Hard. tRPC router types propagate from the server to the client via TypeScript inference. Every feature package's tRPC router, the root `AppRouter` type in `core-api`, and every client-side query in the apps reference `@trpc/server` types. Migrating to REST would require replacing all router definitions, regenerating types (e.g., via OpenAPI), and updating all client call sites.

## Prompt: alternatives-considered

1. **GraphQL (Apollo/Pothos)** — More complex schema layer required; the resolver pattern does not map cleanly onto the factory-function use-case pattern mandated by CLAUDE.md.
2. **OpenAPI + Zodios** — Requires a separate schema definition step and code generation; tRPC's type inference is more direct for a monorepo where client and server share the same TypeScript project.