TanstackTemplate
Reference Contracts

Template Adoption Governance Extraction Protocol

Candidate: template-adoption-governance

Target owner: cloudflare-saas-core

Target package: cloudflare-saas-core/packages/template-adoption

Purpose

This protocol freezes the shared contract for source-delivered template adoption before adoption tooling moves out of this vertical template. The goal is to help future templates replace product identity, repository metadata, Cloudflare resources, smoke URLs, proof assets, and release gates without hardcoding one product's marker values into core.

Shared Contract

The shared package should own pure schemas and validators for:

  • template adoption manifests
  • instance marker catalogs
  • replacement plan reports
  • strict marker scan reports
  • secret-role documentation checks
  • release gate posture checks

Core may define manifest sections, scanner result shapes, marker ids, strict mode behavior, and report formatting. Core should not own the source template's actual marker values, product copy, package scope, Worker names, bucket names, database names, proof asset prefixes, or public positioning.

Core Inputs

Core can receive structured inputs such as:

  • source template identity without secret values
  • downstream repository and product identity
  • Cloudflare resource descriptors
  • auth, provider, smoke, and release posture choices
  • marker scan findings
  • replacement plan rows

Every input must be safe to commit in a downstream repository. Secret values, private deployment notes, raw database contents, smoke credentials, and provider tokens must stay out of the shared artifact.

Product Adapters

The product template keeps adapters for:

  • listing source template marker values
  • mapping product identity and copy replacements
  • mapping Cloudflare Worker, D1, R2, and workers.dev names
  • mapping proof asset prefixes and capture commands
  • deciding which canary lanes exist for the product

Adapters emit a public-safe marker catalog and adoption manifest into the shared contract. Core validates and formats; it does not know the product's identity.

Privacy Rules

The shared validators must reject artifacts containing:

  • API tokens, bearer tokens, webhook secrets, or provider credentials
  • raw actor, user, account, workspace, customer, subscription, or owner ids
  • raw database rows or storage object keys
  • private smoke credentials or signed URLs
  • provider execution ids or Gateway metadata

Artifacts may include public repository paths, public Worker script names, public domain names, secret role names, marker ids, replacement labels, current commit SHAs, and reviewer-owned reference labels.

Acceptance Fixture

The product-free fixture lives at template-adoption-governance.core-fixture.json. Before extraction, the fixture must keep these constraints true:

  • it references template-adoption-governance
  • it names cloudflare-saas-core/packages/template-adoption as the target
  • it includes manifest, marker catalog, replacement plan, and strict scan stages
  • it keeps source marker values separate from core validators
  • it contains no vertical product name, raw storage key, token marker, or actor identifier

Extraction Sequence

  1. Keep current product-local adoption guide and marker scanner as the source of truth.
  2. Add a second source-delivered template fixture with different marker values.
  3. Move only manifest validation, marker catalog validation, replacement plan formatting, strict scan report validation, and privacy scanning into core.
  4. Keep actual marker values, product copy, package scope, resource names, proof assets, and canary lane choices in each template.
  5. Run the product template's adoption scanner and plan tests before claiming the extraction complete.

Non-Goals

  • No automatic repository rewrite.
  • No secret creation or synchronization.
  • No Cloudflare resource creation.
  • No generic product copy generation.
  • No claim that downstream products inherit this template's release evidence.

On this page