playbooks

home / skills / rubenpenap / epic-stack-agent-skills / epic-forms

epic-forms skill

/skills/epic-forms

This skill guides you through building Epic Stack forms with Zod validation and Conform for progressive enhancement, including file uploads and honeypot

npx playbooks add skill rubenpenap/epic-stack-agent-skills --skill epic-forms

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
18.5 KB
---
name: epic-forms
description: Guide on forms with Conform and validation with Zod for Epic Stack
categories:
  - forms
  - conform
  - zod
  - validation
---

# Epic Stack: Forms

## When to use this skill

Use this skill when you need to:
- Create forms in an Epic Stack application
- Implement form validation with Zod
- Work with Conform for progressively enhanced forms
- Handle file uploads
- Implement honeypot fields for spam protection
- Handle form errors
- Work with complex forms (fieldsets, arrays)

## Patterns and conventions

### Validation Philosophy

Following Epic Web principles:

**Explicit is better than implicit** - Make validation rules clear and explicit using Zod schemas. Every validation rule should be visible in the schema, not hidden in business logic. Error messages should be specific and helpful, telling users exactly what went wrong and how to fix it.

**Design to fail fast and early** - Validate input as early as possible, ideally on the client side before submission, and always on the server side. Return clear, specific error messages immediately so users can fix issues without frustration.

**Example - Explicit validation:**
```typescript
// ✅ Good - Explicit validation with clear error messages
const SignupSchema = z.object({
	email: z
		.string({ required_error: 'Email is required' })
		.email({ message: 'Please enter a valid email address' })
		.min(3, { message: 'Email must be at least 3 characters' })
		.max(100, { message: 'Email must be less than 100 characters' })
		.transform((val) => val.toLowerCase().trim()),
	password: z
		.string({ required_error: 'Password is required' })
		.min(6, { message: 'Password must be at least 6 characters' })
		.max(72, { message: 'Password must be less than 72 characters' }),
})

// ❌ Avoid - Implicit validation
const SignupSchema = z.object({
	email: z.string().email(), // No clear error messages
	password: z.string().min(6), // Generic error
})
```

**Example - Fail fast validation:**
```typescript
// ✅ Good - Validate early and return specific errors immediately
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: 400 }, // Clear error status
		)
	}

	// Only proceed if validation passed
	const { email, password } = submission.value
	// ... continue with signup
}

// ❌ Avoid - Delayed or unclear validation
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	const email = formData.get('email')
	const password = formData.get('password')

	// Validation scattered throughout the function
	if (!email) {
		// Generic error, not specific
		return json({ error: 'Invalid' }, { status: 400 })
	}
	// ... more scattered validation
}
```

### Basic setup with Conform

Epic Stack uses [Conform](https://conform.guide/) to handle forms with progressive enhancement.

**Basic setup:**
```typescript
import { getFormProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Form } from 'react-router'

const SignupSchema = z.object({
	email: z.string().email(),
	password: z.string().min(6),
})

export default function SignupRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'signup-form',
		constraint: getZodConstraint(SignupSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: SignupSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			{/* Form fields */}
		</Form>
	)
}
```

### Integration with Zod

Conform integrates seamlessly with Zod for validation.

**Define schema:**
```typescript
import { z } from 'zod'

const SignupSchema = z.object({
	email: z.string().email('Invalid email'),
	password: z.string().min(6, 'Password must be at least 6 characters'),
	confirmPassword: z.string(),
}).superRefine(({ confirmPassword, password }, ctx) => {
	if (confirmPassword !== password) {
		ctx.addIssue({
			path: ['confirmPassword'],
			code: 'custom',
			message: 'Passwords must match',
		})
	}
})
```

**Validation in action (fail fast):**
```typescript
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	// Validate immediately - explicit and fail fast
	const submission = await parseWithZod(formData, {
		schema: SignupSchema,
	})

	// Return explicit errors immediately if validation fails
	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Only proceed if validation passed - submission.value is type-safe
	const { email, password } = submission.value
	// ... process with validated data
}
```

### Async validation

For validations that require querying the database:

```typescript
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true, // Important: enable async validation
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// ...
}
```

### Field Components

Epic Stack provides pre-built field components:

**Basic Field:**
```typescript
import { Field, ErrorList } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<Field
	labelProps={{
		htmlFor: fields.email.id,
		children: 'Email',
	}}
	inputProps={{
		...getInputProps(fields.email, { type: 'email' }),
		autoFocus: true,
		autoComplete: 'email',
	}}
	errors={fields.email.errors}
/>
```

**TextareaField:**
```typescript
import { TextareaField } from '#app/components/forms.tsx'
import { getTextareaProps } from '@conform-to/react'

<TextareaField
	labelProps={{
		htmlFor: fields.content.id,
		children: 'Content',
	}}
	textareaProps={{
		...getTextareaProps(fields.content),
		rows: 10,
	}}
	errors={fields.content.errors}
/>
```

**CheckboxField:**
```typescript
import { CheckboxField } from '#app/components/forms.tsx'
import { getInputProps } from '@conform-to/react'

<CheckboxField
	labelProps={{
		htmlFor: fields.remember.id,
		children: 'Remember me',
	}}
	buttonProps={getInputProps(fields.remember, { type: 'checkbox' })}
	errors={fields.remember.errors}
/>
```

**OTPField:**
```typescript
import { OTPField } from '#app/components/forms.tsx'

<OTPField
	labelProps={{
		htmlFor: fields.code.id,
		children: 'Verification Code',
	}}
	inputProps={{
		...getInputProps(fields.code),
		maxLength: 6,
	}}
	errors={fields.code.errors}
/>
```

### Error Handling

**Display field errors:**
```typescript
<Field
	// ... props
	errors={fields.email.errors} // Errores específicos del campo
/>
```

**Display form errors:**
```typescript
import { ErrorList } from '#app/components/forms.tsx'

<ErrorList errors={form.errors} id={form.errorId} />
```

**Error structure:**
- `fields.fieldName.errors` - Errors for a specific field
- `form.errors` - General form errors (like `formErrors`)

### Honeypot Fields

Epic Stack includes spam protection with honeypot fields.

**In the form:**
```typescript
import { HoneypotInputs } from 'remix-utils/honeypot/react'

<Form method="POST" {...getFormProps(form)}>
	<HoneypotInputs /> {/* Always include in public forms */}
	{/* Rest of fields */}
</Form>
```

**In the action:**
```typescript
import { checkHoneypot } from '#app/utils/honeypot.server.ts'

export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	await checkHoneypot(formData) // Throws error if spam

	// ... rest of code
}
```

### File Uploads

For forms with file uploads, use `encType="multipart/form-data"`.

**Schema for files:**
```typescript
const MAX_UPLOAD_SIZE = 1024 * 1024 * 3 // 3MB

const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z
		.instanceof(File)
		.optional()
		.refine((file) => {
			return !file || file.size <= MAX_UPLOAD_SIZE
		}, 'File must be less than 3MB'),
	altText: z.string().optional(),
})

const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})
```

**Form with file upload:**
```typescript
<Form
	method="POST"
	encType="multipart/form-data"
	{...getFormProps(form)}
>
	{/* Fields */}
</Form>
```

**Process files in action:**
```typescript
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()

	const submission = await parseWithZod(formData, {
		schema: NoteEditorSchema,
	})

	if (submission.status !== 'success') {
		return data({ result: submission.reply() }, { status: 400 })
	}

	const { images } = submission.value

	// Process files
	for (const image of images ?? []) {
		if (image.file) {
			// Upload file, save to storage, etc.
		}
	}

	// ...
}
```

### Fieldsets y Arrays

For forms with repetitive fields (like multiple images):

**Schema:**
```typescript
const ImageFieldsetSchema = z.object({
	id: z.string().optional(),
	file: z.instanceof(File).optional(),
	altText: z.string().optional(),
})

const FormSchema = z.object({
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})
```

**In the component:**
```typescript
import { FormProvider, getFieldsetProps } from '@conform-to/react'

const [form, fields] = useForm({
	// ...
	defaultValue: {
		images: note?.images ?? [{}],
	},
})

const imageList = fields.images.getFieldList()

return (
	<FormProvider context={form.context}>
		<Form method="POST" {...getFormProps(form)}>
			{imageList.map((image, index) => {
				const imageFieldset = getFieldsetProps(fields.images[index])
				return (
					<fieldset key={image.key} {...imageFieldset}>
						<input
							{...getInputProps(fields.images[index].file, { type: 'file' })}
						/>
						<input
							{...getInputProps(fields.images[index].altText, { type: 'text' })}
							placeholder="Alt text"
						/>
					</fieldset>
				)
			})}

			<button
				type="button"
				onClick={() => fields.images.append()}
			>
				Add Image
			</button>
		</Form>
	</FormProvider>
)
```

### StatusButton

Use `StatusButton` to display submission status:

```typescript
import { StatusButton } from '#app/components/ui/status-button.tsx'
import { useIsPending } from '#app/utils/misc.tsx'

const isPending = useIsPending()

<StatusButton
	className="w-full"
	status={isPending ? 'pending' : (form.status ?? 'idle')}
	type="submit"
	disabled={isPending}
>
	Submit
</StatusButton>
```

### Progressive Enhancement

Forms work without JavaScript thanks to Conform:

- Native HTML5 validation
- Server-side validation
- Enhancements with JavaScript when available

**You don't need to do anything special** - Conform handles this automatically.

### Reusable Schema Validation

Create reusable schemas in `app/utils/user-validation.ts`:

```typescript
// app/utils/user-validation.ts
import { z } from 'zod'

export const EmailSchema = z
	.string({ required_error: 'Email is required' })
	.email({ message: 'Email is invalid' })
	.min(3, { message: 'Email is too short' })
	.max(100, { message: 'Email is too long' })
	.transform((value) => value.toLowerCase())

export const PasswordSchema = z
	.string({ required_error: 'Password is required' })
	.min(6, { message: 'Password is too short' })
	.refine((val) => new TextEncoder().encode(val).length <= 72, {
		message: 'Password is too long',
	})

export const PasswordAndConfirmPasswordSchema = z
	.object({ password: PasswordSchema, confirmPassword: PasswordSchema })
	.superRefine(({ confirmPassword, password }, ctx) => {
		if (confirmPassword !== password) {
			ctx.addIssue({
				path: ['confirmPassword'],
				code: 'custom',
				message: 'The passwords must match',
			})
		}
	})
```

**Use in forms:**
```typescript
import { EmailSchema, PasswordAndConfirmPasswordSchema } from '#app/utils/user-validation.ts'

const SignupSchema = z
	.object({
		email: EmailSchema,
		username: UsernameSchema,
	})
	.and(PasswordAndConfirmPasswordSchema)
```

## Common examples

### Example 1: Simple login form

```typescript
// app/routes/_auth/login.tsx
import { getFormProps, getInputProps, useForm } from '@conform-to/react'
import { getZodConstraint, parseWithZod } from '@conform-to/zod'
import { z } from 'zod'
import { Field, ErrorList } from '#app/components/forms.tsx'
import { StatusButton } from '#app/components/ui/status-button.tsx'

const LoginSchema = z.object({
	email: z.string().email(),
	password: z.string().min(1),
})

export default function LoginRoute({ actionData }: Route.ComponentProps) {
	const isPending = useIsPending()

	const [form, fields] = useForm({
		id: 'login-form',
		constraint: getZodConstraint(LoginSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: LoginSchema })
		},
		shouldRevalidate: 'onBlur',
	})

	return (
		<Form method="POST" {...getFormProps(form)}>
			<Field
				labelProps={{ htmlFor: fields.email.id, children: 'Email' }}
				inputProps={{
					...getInputProps(fields.email, { type: 'email' }),
					autoFocus: true,
					autoComplete: 'email',
				}}
				errors={fields.email.errors}
			/>
			<Field
				labelProps={{ htmlFor: fields.password.id, children: 'Password' }}
				inputProps={{
					...getInputProps(fields.password, { type: 'password' }),
					autoComplete: 'current-password',
				}}
				errors={fields.password.errors}
			/>
			<ErrorList errors={form.errors} id={form.errorId} />
			<StatusButton
				status={isPending ? 'pending' : (form.status ?? 'idle')}
				type="submit"
			>
				Login
			</StatusButton>
		</Form>
	)
}
```

### Example 2: Form with async validation

```typescript
// app/routes/_auth/signup.tsx
export async function action({ request }: Route.ActionArgs) {
	const formData = await request.formData()
	await checkHoneypot(formData)

	const submission = await parseWithZod(formData, {
		schema: SignupSchema.superRefine(async (data, ctx) => {
			const existingUser = await prisma.user.findUnique({
				where: { email: data.email },
				select: { id: true },
			})
			if (existingUser) {
				ctx.addIssue({
					path: ['email'],
					code: z.ZodIssueCode.custom,
					message: 'A user already exists with this email',
				})
			}
		}),
		async: true,
	})

	if (submission.status !== 'success') {
		return data(
			{ result: submission.reply() },
			{ status: submission.status === 'error' ? 400 : 200 },
		)
	}

	// Procesar signup...
}
```

### Example 3: Form with file upload

```typescript
// app/routes/users/$username/notes/new.tsx
const NoteEditorSchema = z.object({
	title: z.string().min(1).max(100),
	content: z.string().min(1).max(10000),
	images: z.array(ImageFieldsetSchema).max(5).optional(),
})

export default function NewNoteRoute({ actionData }: Route.ComponentProps) {
	const [form, fields] = useForm({
		id: 'note-editor',
		constraint: getZodConstraint(NoteEditorSchema),
		lastResult: actionData?.result,
		onValidate({ formData }) {
			return parseWithZod(formData, { schema: NoteEditorSchema })
		},
		defaultValue: {
			images: [{}],
		},
		shouldRevalidate: 'onBlur',
	})

	const imageList = fields.images.getFieldList()

	return (
		<FormProvider context={form.context}>
			<Form
				method="POST"
				encType="multipart/form-data"
				{...getFormProps(form)}
			>
				<Field
					labelProps={{ children: 'Title' }}
					inputProps={{
						autoFocus: true,
						...getInputProps(fields.title, { type: 'text' }),
					}}
					errors={fields.title.errors}
				/>
				<TextareaField
					labelProps={{ children: 'Content' }}
					textareaProps={{
						...getTextareaProps(fields.content),
						rows: 10,
					}}
					errors={fields.content.errors}
				/>

				{imageList.map((image, index) => {
					const imageFieldset = getFieldsetProps(fields.images[index])
					return (
						<fieldset key={image.key} {...imageFieldset}>
							<input
								{...getInputProps(fields.images[index].file, { type: 'file' })}
								accept="image/*"
							/>
							<input
								{...getInputProps(fields.images[index].altText, { type: 'text' })}
								placeholder="Alt text"
							/>
						</fieldset>
					)
				})}

				<button
					type="button"
					onClick={() => fields.images.append()}
					disabled={imageList.length >= 5}
				>
					Add Image
				</button>

				<ErrorList errors={form.errors} id={form.errorId} />
				<StatusButton type="submit">Create Note</StatusButton>
			</Form>
		</FormProvider>
	)
}
```

## Common mistakes to avoid

- ❌ **Implicit validation**: Always use explicit Zod schemas with clear error messages, not hidden validation logic
- ❌ **Delayed validation**: Validate input immediately and fail fast - don't wait until the end of the function
- ❌ **Generic error messages**: Use specific, helpful error messages that tell users exactly what's wrong
- ❌ **Forgetting `async: true` in async validation**: Always include `async: true` when using `superRefine` with async
- ❌ **Not including `HoneypotInputs` in public forms**: Always include honeypot in forms accessible without authentication
- ❌ **Forgetting `encType="multipart/form-data"`**: Required for file uploads
- ❌ **Not validating file sizes**: Always validate size in the schema
- ❌ **Not using `getZodConstraint`**: Required for native HTML5 validation
- ❌ **Forgetting `lastResult` in `useForm`**: Required to display server errors
- ❌ **Not using `shouldRevalidate: 'onBlur'`**: Improves UX by validating on field blur
- ❌ **Not using pre-built field components**: `Field`, `TextareaField`, etc. already handle accessibility and errors

## References

- [Conform Documentation](https://conform.guide/)
- [Zod Documentation](https://zod.dev/)
- [Epic Web Principles](https://www.epicweb.dev/principles)
- `app/components/forms.tsx` - Field components
- `app/routes/_auth/signup.tsx` - Complete signup example
- `app/routes/_auth/onboarding/index.tsx` - Complex form example
- `app/routes/users/$username/notes/+shared/note-editor.tsx` - File uploads example
- `app/utils/user-validation.ts` - Reusable schemas
- `docs/decisions/033-honeypot.md` - Honeypot documentation

Overview

This skill guides building robust forms for Epic Stack apps using Conform and Zod. It covers schema-driven validation, progressive enhancement, file uploads, honeypots, fieldsets/arrays, and practical error handling. Follow the patterns to fail fast, keep validation explicit, and deliver clear user feedback.

How this skill works

Define Zod schemas for every form and wire them into Conform via getZodConstraint and parseWithZod. Conform provides form state, props helpers, and progressive enhancement so forms work without JavaScript while validating client- and server-side. Use provided field components, file handling patterns, honeypot checks, and fieldset helpers to manage complex, repeatable inputs.

When to use it

  • Creating any user-facing form in an Epic Stack application
  • Enforcing clear, type-safe validation with Zod on client and server
  • Handling file uploads with size limits and multipart forms
  • Protecting public forms from spam using honeypot fields
  • Building complex forms with arrays or dynamic fieldsets
  • Providing progressive enhancement so forms work without JS

Best practices

  • Make validation explicit: put rules and user-friendly messages in Zod schemas
  • Validate early and fail fast: run parseWithZod on request.formData() in action handlers
  • Always revalidate on the server even if client-side checks run
  • Use HoneypotInputs in public forms and checkHoneypot in actions
  • Limit file sizes in schemas and use encType='multipart/form-data' for uploads
  • Reuse schemas for consistency (e.g., EmailSchema, PasswordSchema) and superRefine for cross-field checks

Example use cases

  • Signup and login flows with email/password validation and friendly error messages
  • Note editor with multiple image uploads, per-image alt text, and file size enforcement
  • Profile update form that accepts optional avatar files and validates size/types
  • Admin interfaces that need dynamic repeated fieldsets (tags, images, or options)
  • Public contact or comment forms protected by honeypot fields and server-side checks

FAQ

How do I validate files with Zod?

Declare file fields as z.instanceof(File) and refine size/type constraints in the schema; use multipart/form-data on the Form and process File objects in the action after parseWithZod.

Can I run async validation (e.g., unique email) with Zod?

Yes — use superRefine with async logic and set async: true when calling parseWithZod so database lookups can add issues before submission succeeds.

What ensures forms work without JavaScript?

Conform provides progressive enhancement: native HTML5 validation and server-side validation still run if JavaScript is disabled, while Conform enhances behavior when JS is available.