fraqtal/agentic-dev-template
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
14762d4ba0d534876dda3cd33aba3c70722e1485
agentic-dev-template/docs/library-decisions/2026-05-14-zod.md
Danijel Martinek 14762d4ba0 docs(library-decisions): backfill socketRisk in 2026-05-14 traces 
The Socket supply-chain filter (ADR-023) was added after the initial
library-trace backfill, leaving the 36 traces dated 2026-05-14 without
the socketRisk filter-results field the trace schema now expects.
Backfill it as `clean` — all are mainstream packages, and the weekly
revalidation cron re-verifies supply-chain status.
2026-05-20 17:02:13 +02:00

89 lines
3.2 KiB
Markdown
Raw Blame History

---
package: zod
version: "^3.24.0"
tier: core
decision: approved
date: 2026-05-14
deciders: [Danijel Martinek]
adr: null
lastRevalidated: 2026-05-19
is-sub-processor: false
processes-pii: false
filter-results:
license: MIT
types: native
maintenance: active
boundary-fit: pass
shadow-check: pass
eu-residency: n/a
cve-scan: clean
named-consumer: pass
socketRisk: clean
verification-commands:
- npm view zod license
- npm view zod version
- pnpm audit --audit-level=moderate
accepted-cves: []
---
## Filter: license
<!-- Result: MIT -->
`npm view zod license` returns `MIT`. MIT is on the allowlist.
## Filter: types
<!-- Result: native -->
Zod is authored in TypeScript and ships its own `.d.ts` declaration files. No separate `@types/zod` package is needed.
## Filter: maintenance
<!-- Result: active -->
Actively maintained. The 3.x line is the current stable major. Regular releases; the zod 4.x release is in active development. Strong community and ecosystem.
## Filter: boundary-fit
<!-- Result: pass -->
Zod is the workspace-standard schema validation library. Every use case exports `xInputSchema` and `xOutputSchema` as `z.ZodObject` instances (CLAUDE.md Key Conventions). Feature packages, core packages, and the tRPC layer all use Zod for input validation and output parsing. No boundary rules restrict Zod to a specific tier.
## Filter: shadow-check
<!-- Result: pass -->
Zod is the sole schema validation library in the workspace. No competing validator (Valibot, Yup, Joi, etc.) is present or proposed. The `shadow-check` filter from `_template.md` explicitly names Zod as a workspace-locked library.
## Filter: eu-residency
<!-- Result: n/a -->
Zod is a pure runtime validation library with no network communication, telemetry, or data transmission. EU residency does not apply.
## Filter: cve-scan
<!-- Result: clean -->
`pnpm audit --audit-level=moderate` reports no advisories against `zod` at the time of this trace.
## Filter: named-consumer
<!-- Result: pass -->
All five feature packages use Zod for use-case input/output schemas. `core-shared` uses Zod for tRPC input validation and error schemas. `core-audit` uses Zod for audit event schemas. `core-dsr` uses Zod for `dsrRouter` procedure input schemas. Named, non-hypothetical consumers exist today.
## Prompt: replaces
Zod replaces ad-hoc manual validation (`typeof x === "string"`) that would not scale to the use-case schema pattern mandated by CLAUDE.md. No prior schema library was in the workspace.
## Prompt: migration-cost-out
Hard. Zod's `z.ZodObject` types are woven into the public API surface of every use case (`xInputSchema`, `xOutputSchema`, `IXUseCase`). The tRPC router layer reads Zod schemas directly. Migrating out would require replacing schema definitions across all feature packages, updating the tRPC integration, and touching the conformance ESLint rules that reference Zod types.
## Prompt: alternatives-considered
1. **Valibot** — Smaller bundle size but at the time of adoption had less mature TypeScript inference for the factory-function use-case pattern.
2. **Manual `typeof` / JSON Schema** — Zero dependency but does not produce TypeScript types automatically; incompatible with the `xInputSchema`/`xOutputSchema` contract pattern.
Reference in New Issue View Git Blame Copy Permalink