agentic-dev-template/docs/library-decisions/2026-05-14-reflect-metadata.md
Danijel Martinek 98d96d2e19 docs(tooling): add sub-processor discriminated union to ADR-022 and traces
Amends ADR-022 §9 with the `is-sub-processor` / `processes-pii` discriminated
union spec, including the five conditional fields required when a library is a
true GDPR sub-processor. Updates the evaluate-library skill to prompt for these
fields during every trace authoring pass and adds the updated frontmatter
template. Backfills all nine existing library-decision traces with the new
fields; payload gets `processes-pii: true` (self-hosted CMS that stores user
data); all pure in-process libraries get `false / false`.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 18:44:09 +00:00


package: reflect-metadata
version: ^0.2.2
tier: feature
decision: approved
date: 2026-05-14
deciders: Danijel Martinek
adr: adr-002
lastRevalidated: null
is-sub-processor: false
processes-pii: false
filter-results:
  license: Apache-2.0
  types: native
  maintenance: dormant
  boundary-fit: pass
  shadow-check: pass
  eu-residency: n/a
  cve-scan: clean
  named-consumer: pass
verification-commands:
  npm view reflect-metadata license
  npm view reflect-metadata version
  pnpm audit --audit-level=moderate
accepted-cves:

Filter: license

npm view reflect-metadata license returns Apache-2.0. Apache-2.0 is on the allowlist.

Filter: types

reflect-metadata ships its own .d.ts declaration files. Types are bundled with the package.

Filter: maintenance

reflect-metadata is a polyfill for the TC39 Metadata Reflection API proposal. The library is intentionally stable; new releases are rare because the spec is frozen pending TC39 progress. dormant is the accurate classification for a finished polyfill, and it is not a concern for a library at this maturity level.

Filter: boundary-fit

reflect-metadata is a required peer of InversifyJS (ADR-002). Feature packages importing inversify are expected to also import reflect-metadata once at the entry point of each feature's DI layer. No boundary rule restricts it.

Filter: shadow-check

reflect-metadata is the only metadata polyfill in the workspace. It is explicitly paired with inversify per ADR-002 and has no competing alternative present.

Filter: eu-residency

reflect-metadata is a pure runtime polyfill with no network communication, telemetry, or data transmission. EU residency does not apply.

Filter: cve-scan

pnpm audit --audit-level=moderate reports no advisories against reflect-metadata at the time of this trace.

Filter: named-consumer

All five feature packages — @repo/auth, @repo/blog, @repo/media, @repo/marketing-pages, @repo/navigation — list reflect-metadata as a runtime dependency. It is imported at each feature's DI entry point to activate the metadata polyfill required by inversify decorators.

Prompt: replaces

No prior metadata polyfill was in use. reflect-metadata is a direct requirement of InversifyJS's decorator-based binding — there is no alternative polyfill to retire.

Prompt: migration-cost-out

Mechanical, but coupled to inversify removal. If InversifyJS is ever replaced with a DI approach that does not rely on the Reflect API (e.g., a factory-only approach), reflect-metadata can be removed by deleting one import per feature entry point. The removal is straightforward once the parent dependency (inversify) is gone.

Prompt: alternatives-considered

  1. No polyfill / TC39 native — The TC39 Metadata Reflection API is not yet at Stage 4; native support is not available in target runtimes. Not viable.
  2. core-js reflect subset — Does not provide the complete Reflect.metadata API surface required by inversify. Not a functional alternative.
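
The trace above pairs each filter-results entry with a Filter: section of evidence and carries explicit is-sub-processor / processes-pii flags. The lint below checks both properties; it is an added example, not code from the repository. The name lintTrace, the `---`-delimited YAML-style frontmatter layout and the sample trace are assumptions constructed for illustration.

```javascript
// Constructed sample trace: cve-scan has a recorded result but no evidence section.
const SAMPLE_TRACE = `---
package: reflect-metadata
is-sub-processor: false
processes-pii: false
filter-results:
  license: Apache-2.0
  types: native
  cve-scan: clean
---
## Filter: license
npm view reflect-metadata license returns Apache-2.0.
## Filter: types
reflect-metadata ships its own .d.ts declaration files.
`;

// Hypothetical helper: returns a list of problems, empty when the trace is consistent.
function lintTrace(text) {
  const m = /^---\n([\s\S]*?)\n---\n([\s\S]*)$/.exec(text);
  if (!m) return ["missing frontmatter block"];
  const [, front, body] = m;
  const problems = [];
  // Both discriminator fields must be explicit booleans, never omitted.
  for (const key of ["is-sub-processor", "processes-pii"]) {
    const hit = new RegExp(`^${key}:\\s*(.*)$`, "m").exec(front);
    if (!hit || !/^(true|false)$/.test(hit[1].trim()))
      problems.push(`${key} must be true or false`);
  }
  // Collect the indented keys recorded under filter-results.
  const recorded = new Set();
  let inside = false;
  for (const line of front.split("\n")) {
    const kv = /^\s+([\w-]+):\s*\S/.exec(line);
    if (/^\S/.test(line)) inside = /^filter-results:\s*$/.test(line);
    else if (inside && kv) recorded.add(kv[1]);
  }
  // Collect Filter sections in the body that hold at least one line of evidence.
  const evidenced = new Set();
  let current = null;
  for (const line of body.split("\n")) {
    const h = /^#*\s*(Filter|Prompt):\s*(\S+)/.exec(line);
    if (h) current = h[1] === "Filter" ? h[2] : null;
    else if (current && line.trim()) evidenced.add(current);
  }
  for (const f of recorded) if (!evidenced.has(f)) problems.push(`${f}: result recorded without evidence section`);
  for (const f of evidenced) if (!recorded.has(f)) problems.push(`${f}: evidence section without recorded result`);
  return problems;
}
```

Run in CI over each file in docs/library-decisions, a non-empty result flags a trace whose recorded filter outcome has no supporting evidence, or whose PII classification was left implicit.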