Framework scope scaffolding + move DevTools to tools/#115
Merged
antosubash merged 10 commits intomainfrom Apr 20, 2026
Merged
Conversation
Design for shrinking framework/ to four projects (Core, Database, Generator, Hosting) and moving provider packages into their owning modules. Defines sub-project convention, new tools/ category for non-module utilities, and CI-enforced allowlist to prevent regression.
Frees the tools/ directory for non-module .NET projects (per the framework scope minimization design). The existing Node build scripts are genuinely scripts, not tools. - 11 .mjs files moved via git mv (history preserved) - package.json npm scripts updated (9 entries) - SimpleModule.Hosting.targets MSBuild paths updated - CLAUDE.md, README.md, Dockerfile.worker, and frontend docs updated - Script header comments updated
…move Covers Phase 0 (allowlist file, validation script, CI wiring, Constitution Section 13) and Phase 1 (DevTools -> tools/). Phases 2-4 (Storage, Agents, Rag absorptions) will get their own plans once this lands.
Scaffolds the invariant that framework/ contains only foundational
plumbing. Script enforces four rules:
- framework/ directory allowlisted in framework/.allowed-projects
- sub-projects named SimpleModule.{Module}[.{Suffix}]
- sub-projects do not declare [Module]
- tools/ flat-layout, no [Module], not referenced from modules/
Allowlist starts permissive (all 18 current framework projects) and
shrinks as projects migrate to modules/ or tools/.
Grandfathers two known legacy sub-projects (SimpleModule.Agents.Module,
SimpleModule.Rag.Module) that predate this work. They will be removed
from the grandfather set by phases 3 and 4 of the migration.
Previously, a missing framework/.allowed-projects would die with a Node ENOENT stack trace. Now it reports a clean script-level error pointing to the fix. Matters for CI, where the stack trace would be the first thing a reviewer sees. Raised in code review of 8a08248.
Adds validate-framework-scope to the lint job and to the local npm run check pipeline so violations fail fast before PR review.
Documents the framework allowlist, tools/ category, sub-project convention, and validation mechanism that enforces them.
First application of the tools/ category. DevTools is a dev-time utility (Vite dev middleware, live reload, file watchers), not foundational plumbing, so it belongs in tools/ rather than framework/. - git mv framework/SimpleModule.DevTools tools/SimpleModule.DevTools - Updated ProjectReference paths in Hosting and DevTools.Tests - Updated SimpleModule.slnx (moved under new /tools/ folder) - Removed SimpleModule.DevTools from framework/.allowed-projects Framework is now down to 17 allowlisted projects; phases 2-4 will absorb the remaining provider projects into their owning modules.
The two Dockerfiles still COPY'd from framework/SimpleModule.DevTools after the move to tools/. Restore-stage fails because the source glob matches nothing AND because SimpleModule.Hosting's ProjectReference to ..\..\tools\SimpleModule.DevTools can't resolve inside the Docker build context. Caught in code review of 666984c.
MailKit 4.15.1 has a known moderate severity vulnerability (GHSA-9j88-vvj5-vhgr — STARTTLS Response Injection via unflushed stream buffer that enables SASL mechanism downgrade). Fixed in 4.16.0. MailKit 4.16.0 tightens nullability on MailService.AuthenticateAsync, so the SMTP provider now also checks smtp.Password is non-empty before authenticating (previously the method was called with a potentially null password when only Username was configured).
Deploying simplemodule-website with
|
| Latest commit: |
7f717a2
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://b16dee18.simplemodule-website.pages.dev |
| Branch Preview URL: | https://feature-eloquent-torvalds-f3.simplemodule-website.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Phase 0 + Phase 1 of the framework scope minimization work (design, plan).
framework/.allowed-projects+scripts/validate-framework-scope.mjs+ Constitution §13 to enforce what may live underframework/. Four checks: allowlist, sub-project naming, sub-project no-[Module], andtools/layering.npm run check.SimpleModule.DevToolsout offramework/into a newtools/directory — first application of thetools/category.tools/(Node build scripts) →scripts/to free up the name.Framework allowlist shrinks from 19 → 17 permitted projects. Phases 2-4 (follow-up PRs) will absorb the remaining provider projects (Storage, Agents, Rag) into their owning modules and drain the allowlist to the final 4 foundational projects.
Test plan
Validate framework scopesteptools/SimpleModule.DevToolspathSimpleModule.DevTools.Tests(37 tests) still passes against the moved projectSM0025failures onAgents,Rag,BackgroundJobsandMailKit NU1902are not introduced by this PR — they exist on main and are flagged in the spec for Phases 2-4 to resolve