Template Adoption Governance Extraction Protocol
Candidate: template-adoption-governance
Target owner: cloudflare-saas-core
Target package: cloudflare-saas-core/packages/template-adoption
Purpose
This protocol freezes the shared contract for source-delivered template adoption before adoption tooling moves out of this vertical template. The goal is to help future templates replace product identity, repository metadata, Cloudflare resources, smoke URLs, proof assets, and release gates without hardcoding one product's marker values into core.
Shared Contract
The shared package should own pure schemas and validators for:
- template adoption manifests
- instance marker catalogs
- replacement plan reports
- strict marker scan reports
- secret-role documentation checks
- release gate posture checks
Core may define manifest sections, scanner result shapes, marker ids, strict mode behavior, and report formatting. Core should not own the source template's actual marker values, product copy, package scope, Worker names, bucket names, database names, proof asset prefixes, or public positioning.
Core Inputs
Core can receive structured inputs such as:
- source template identity without secret values
- downstream repository and product identity
- Cloudflare resource descriptors
- auth, provider, smoke, and release posture choices
- marker scan findings
- replacement plan rows
Every input must be safe to commit in a downstream repository. Secret values, private deployment notes, raw database contents, smoke credentials, and provider tokens must stay out of the shared artifact.
Product Adapters
The product template keeps adapters for:
- listing source template marker values
- mapping product identity and copy replacements
- mapping Cloudflare Worker, D1, R2, and workers.dev names
- mapping proof asset prefixes and capture commands
- deciding which canary lanes exist for the product
Adapters emit a public-safe marker catalog and adoption manifest into the shared contract. Core validates and formats; it does not know the product's identity.
Privacy Rules
The shared validators must reject artifacts containing:
- API tokens, bearer tokens, webhook secrets, or provider credentials
- raw actor, user, account, workspace, customer, subscription, or owner ids
- raw database rows or storage object keys
- private smoke credentials or signed URLs
- provider execution ids or Gateway metadata
Artifacts may include public repository paths, public Worker script names, public domain names, secret role names, marker ids, replacement labels, current commit SHAs, and reviewer-owned reference labels.
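One way the rejection rules above could be written as a pure validator. This is an added example, not the project's code: the rule ids, forbidden key names, regexes and both sample artifacts are assumptions constructed here. Findings carry only a path and a rule id, so the scan report itself stays safe to commit.

```javascript
// Added example: privacy scan over a shared adoption artifact (plain JSON).
// Rule ids, key names and regexes are assumptions, not the project's catalog.
const VALUE_RULES = [
  { id: "bearer-token", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}/ },
  { id: "signed-url", re: /[?&](X-Amz-Signature|sig|signature|token)=/i },
  { id: "uuid-like-id", re: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i },
];
// Exact key names only: "secretRoles" (role names) and marker "id" stay allowed.
const FORBIDDEN_KEYS =
  /^(api_?token|secret|password|webhook_?secret|execution_?id|(actor|user|account|workspace|customer|subscription|owner)_?id)$/i;

// Walk the artifact; record where a rule fired, never the offending value.
function scanArtifact(node, path = "$", findings = []) {
  if (typeof node === "string") {
    for (const rule of VALUE_RULES) {
      if (rule.re.test(node)) findings.push({ path, rule: rule.id });
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => scanArtifact(item, `${path}[${i}]`, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const child = `${path}.${key}`;
      if (FORBIDDEN_KEYS.test(key)) findings.push({ path: child, rule: "forbidden-key" });
      scanArtifact(value, child, findings);
    }
  }
  return findings;
}

// Constructed samples. A 40-hex commit SHA must pass, so there is no
// generic "long hex string" rule.
const CLEAN = {
  candidate: "template-adoption-governance",
  targetPackage: "cloudflare-saas-core/packages/template-adoption",
  commit: "0123456789abcdef0123456789abcdef01234567",
  secretRoles: ["SMOKE_RUNNER_TOKEN"],
  markers: [{ id: "worker-name", label: "Worker script name" }],
};
const LEAKY = {
  smoke: { url: "https://example.invalid/proof.png?X-Amz-Signature=CONSTRUCTED" },
  owner_id: "00000000-0000-4000-8000-000000000000",
  notes: ["Authorization: Bearer CONSTRUCTEDconstructed0000"],
};

console.log(scanArtifact(CLEAN).length, scanArtifact(LEAKY));
```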
Acceptance Fixture
The product-free fixture lives at template-adoption-governance.core-fixture.json.
Before extraction, the fixture must keep these constraints true:
- it references template-adoption-governance
- it names cloudflare-saas-core/packages/template-adoption as the target
- it includes manifest, marker catalog, replacement plan, and strict scan stages
- it keeps source marker values separate from core validators
- it contains no vertical product name, raw storage key, token marker, or actor identifier
Extraction Sequence
- Keep current product-local adoption guide and marker scanner as the source of truth.
- Add a second source-delivered template fixture with different marker values.
- Move only manifest validation, marker catalog validation, replacement plan formatting, strict scan report validation, and privacy scanning into core.
- Keep actual marker values, product copy, package scope, resource names, proof assets, and canary lane choices in each template.
- Run the product template's adoption scanner and plan tests before claiming the extraction complete.
Non-Goals
- No automatic repository rewrite.
- No secret creation or synchronization.
- No Cloudflare resource creation.
- No generic product copy generation.
- No claim that downstream products inherit this template's release evidence.