fraqtal/agentic-dev-template
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
agentic-dev-template/docs/library-decisions/2026-05-14-zod.md
Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces 
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00

3.2 KiB
Raw Permalink Blame History

package, version, tier, decision, date, deciders, adr, lastRevalidated, is-sub-processor, processes-pii, filter-results, verification-commands, accepted-cves
package version tier decision date deciders adr lastRevalidated is-sub-processor processes-pii filter-results verification-commands accepted-cves
zod ^3.24.0 core approved 2026-05-14
Danijel Martinek
null 2026-05-19 false false
license types maintenance boundary-fit shadow-check eu-residency cve-scan named-consumer socketRisk
MIT native active pass pass n/a clean pass clean
npm view zod license
npm view zod version
pnpm audit --audit-level=moderate

Filter: license

npm view zod license returns MIT. MIT is on the allowlist.

Filter: types

Zod is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/zod package is needed.

Filter: maintenance

Actively maintained. The 3.x line is the current stable major. Regular releases; the zod 4.x release is in active development. Strong community and ecosystem.

Filter: boundary-fit

Zod is the workspace-standard schema validation library. Every use case exports xInputSchema and xOutputSchema as z.ZodObject instances (CLAUDE.md Key Conventions). Feature packages, core packages, and the tRPC layer all use Zod for input validation and output parsing. No boundary rules restrict Zod to a specific tier.

Filter: shadow-check

Zod is the sole schema validation library in the workspace. No competing validator (Valibot, Yup, Joi, etc.) is present or proposed. The shadow-check filter from _template.md explicitly names Zod as a workspace-locked library.

Filter: eu-residency

Zod is a pure runtime validation library with no network communication, telemetry, or data transmission. EU residency does not apply.

Filter: cve-scan

pnpm audit --audit-level=moderate reports no advisories against zod at the time of this trace.

Filter: named-consumer

All five feature packages use Zod for use-case input/output schemas. core-shared uses Zod for tRPC input validation and error schemas. core-audit uses Zod for audit event schemas. core-dsr uses Zod for dsrRouter procedure input schemas. Named, non-hypothetical consumers exist today.

Prompt: replaces

Zod replaces ad-hoc manual validation (typeof x === "string") that would not scale to the use-case schema pattern mandated by CLAUDE.md. No prior schema library was in the workspace.

Prompt: migration-cost-out

Hard. Zod's z.ZodObject types are woven into the public API surface of every use case (xInputSchema, xOutputSchema, IXUseCase). The tRPC router layer reads Zod schemas directly. Migrating out would require replacing schema definitions across all feature packages, updating the tRPC integration, and touching the conformance ESLint rules that reference Zod types.

Prompt: alternatives-considered

  1. Valibot — Smaller bundle size but at the time of adoption had less mature TypeScript inference for the factory-function use-case pattern.
  2. Manual typeof / JSON Schema — Zero dependency but does not produce TypeScript types automatically; incompatible with the xInputSchema/xOutputSchema contract pattern.