Danijel Martinek
46e575a5a6
Add four protocol-agnostic handlers (export, delete, rectify, restrict)
returning normalized { status, body, headers } responses, and a tRPC
dsrRouter via createDsrRouter(binding) following the factory pattern.
Auth checks: requireAuthenticated middleware gates all four procedures;
cascade-hard delete additionally requires admin role. Integration tests
assert happy-path response shapes, UNAUTHORIZED/FORBIDDEN error codes,
and error passthrough from the DSR service layer.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3.2 KiB
package, version, tier, decision, date, deciders, adr, lastRevalidated, is-sub-processor, processes-pii, filter-results, verification-commands, accepted-cves
| package | version | tier | decision | date | deciders | adr | lastRevalidated | is-sub-processor | processes-pii | filter-results | verification-commands | accepted-cves | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| zod | ^3.24.0 | core | approved | 2026-05-14 |
|
null | 2026-05-19 | false | false |
|
|
Filter: license
npm view zod license returns MIT. MIT is on the allowlist.
Filter: types
Zod is authored in TypeScript and ships its own .d.ts declaration files. No separate @types/zod package is needed.
Filter: maintenance
Actively maintained. The 3.x line is the current stable major. Regular releases; the zod 4.x release is in active development. Strong community and ecosystem.
Filter: boundary-fit
Zod is the workspace-standard schema validation library. Every use case exports xInputSchema and xOutputSchema as z.ZodObject instances (CLAUDE.md Key Conventions). Feature packages, core packages, and the tRPC layer all use Zod for input validation and output parsing. No boundary rules restrict Zod to a specific tier.
Filter: shadow-check
Zod is the sole schema validation library in the workspace. No competing validator (Valibot, Yup, Joi, etc.) is present or proposed. The shadow-check filter from _template.md explicitly names Zod as a workspace-locked library.
Filter: eu-residency
Zod is a pure runtime validation library with no network communication, telemetry, or data transmission. EU residency does not apply.
Filter: cve-scan
pnpm audit --audit-level=moderate reports no advisories against zod at the time of this trace.
Filter: named-consumer
All five feature packages use Zod for use-case input/output schemas. core-shared uses Zod for tRPC input validation and error schemas. core-audit uses Zod for audit event schemas. core-dsr uses Zod for dsrRouter procedure input schemas. Named, non-hypothetical consumers exist today.
Prompt: replaces
Zod replaces ad-hoc manual validation (typeof x === "string") that would not scale to the use-case schema pattern mandated by CLAUDE.md. No prior schema library was in the workspace.
Prompt: migration-cost-out
Hard. Zod's z.ZodObject types are woven into the public API surface of every use case (xInputSchema, xOutputSchema, IXUseCase). The tRPC router layer reads Zod schemas directly. Migrating out would require replacing schema definitions across all feature packages, updating the tRPC integration, and touching the conformance ESLint rules that reference Zod types.
Prompt: alternatives-considered
- Valibot — Smaller bundle size but at the time of adoption had less mature TypeScript inference for the factory-function use-case pattern.
- Manual
typeof/ JSON Schema — Zero dependency but does not produce TypeScript types automatically; incompatible with thexInputSchema/xOutputSchemacontract pattern.