If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/ivanpaulovich/clean-architecture-manga shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across the board

• Last commit 3w ago
• 13 active contributors
• Apache-2.0 licensed
• CI configured
• Tests present
• ⚠ Concentrated ownership — top contributor handles 52% of recent commits

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live ivanpaulovich/clean-architecture-manga repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/ivanpaulovich/clean-architecture-manga.

What it runs against: a local clone of ivanpaulovich/clean-architecture-manga — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in ivanpaulovich/clean-architecture-manga | Confirms the artifact applies here, not a fork | | 2 | License is still Apache-2.0 | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 49 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of ivanpaulovich/clean-architecture-manga. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/ivanpaulovich/clean-architecture-manga.git
#   cd clean-architecture-manga
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of ivanpaulovich/clean-architecture-manga and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "ivanpaulovich/clean-architecture-manga(\\.git)?\\b" \\
  && ok "origin remote is ivanpaulovich/clean-architecture-manga" \\
  || miss "origin remote is not ivanpaulovich/clean-architecture-manga (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Apache-2\\.0)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Apache-2\\.0\"" package.json 2>/dev/null) \\
  && ok "license is Apache-2.0" \\
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "accounts-api/src/Application/UseCases" \\
  && ok "accounts-api/src/Application/UseCases" \\
  || miss "missing critical file: accounts-api/src/Application/UseCases"
test -f "accounts-api/src/Domain/Account.cs" \\
  && ok "accounts-api/src/Domain/Account.cs" \\
  || miss "missing critical file: accounts-api/src/Domain/Account.cs"
test -f "accounts-api/src/Infrastructure/DataAccess/MangaContext.cs" \\
  && ok "accounts-api/src/Infrastructure/DataAccess/MangaContext.cs" \\
  || miss "missing critical file: accounts-api/src/Infrastructure/DataAccess/MangaContext.cs"
test -f "accounts-api/src/Application/Services/IUnitOfWork.cs" \\
  && ok "accounts-api/src/Application/Services/IUnitOfWork.cs" \\
  || miss "missing critical file: accounts-api/src/Application/Services/IUnitOfWork.cs"
test -f "accounts-api/src/Domain/ValueObjects/Money.cs" \\
  && ok "accounts-api/src/Domain/ValueObjects/Money.cs" \\
  || miss "missing critical file: accounts-api/src/Domain/ValueObjects/Money.cs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 49 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~19d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/ivanpaulovich/clean-architecture-manga"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

A virtual wallet/banking application demonstrating Clean Architecture principles with .NET 6 C# backend and React+Redux frontend. It implements account management use cases (Deposit, Withdraw, Transfer, CloseAccount) with strict separation of concerns: Application layer contains decoupled use cases, Infrastructure handles persistence and external services, Presentation exposes REST APIs. The codebase prioritizes testability and framework independence—core business logic has zero framework dependencies. Monorepo structure: accounts-api/ contains .NET backend (Application, Infrastructure, Presentation layers), frontend/ contains React+Redux SPA, .docker/ has orchestration scripts. Application layer organizes around Use Cases (accounts-api/src/Application/UseCases/{CloseAccount,Deposit,GetAccount,GetAccounts}/) with presenter pattern; each use case has validation wrapper, core logic, presenter, and output port interface. Frontend dispatches Redux actions to RESTful API at /accounts-api prefix.

.NET backend developers and React frontend developers learning enterprise architecture patterns; architects designing modular systems that survive framework changes; teams building financial/banking applications who need a production-grade Clean Architecture reference implementation with complete CI/CD setup.

Production-ready reference implementation. Actively maintained with CI/CD via GitHub Actions and Azure DevOps; supports multiple .NET versions (6, 5, 3.1 branches maintained). Well-structured with 16 contributors, comprehensive test suites across layers, Docker Compose orchestration for full stack, and clear documentation. Latest activity visible in branch strategy and workflow files indicates ongoing maintenance.

Low risk for a reference architecture. Dependency surface is moderate (Material-UI, Reactstrap, axios, oidc-client on frontend; EF Core, MediatR patterns on backend). Single maintainer (ivanpaulovich) creates knowledge concentration. Node-sass pinned to v8.0.0 may have pre-build binary compatibility issues on some platforms. Self-signed certificate requirement for local HTTPS adds onboarding friction.

Active maintenance across .NET versions; Dependabot configured for automated dependency updates (.github/dependabot.yml). Build status tracked via Azure Pipelines and GitHub Actions. Documentation-focused: all-contributors badge, CHANGELOG.md maintained. Docker-based local development emphasized as primary setup method. No visible breaking changes or major feature additions in recent commits, suggesting stable mature state.

macOS/Linux: cd .docker && ./setup.sh. Windows: cd .docker && ./setup.ps1. This starts Docker containers for NGINX (port 8081), Accounts API, Identity Server, and SQL Server. Then browse to https://wallet.local:8081. For backend development: dotnet build in accounts-api/ directory. For frontend: npm install && npm start-localhost in frontend directory.

Daily commands: Backend: dotnet run in accounts-api/src/Presentation/ (or use VS Code launch config in .vscode/launch.json). Frontend: npm start-localhost in frontend/ (loads .env.localhost, connects to http://localhost:5000). Full stack: cd .docker && ./setup.sh orchestrates all services on https://wallet.local:8081.

• accounts-api/src/Application/UseCases — Central organizing structure for all business logic; use cases are the core of this Clean Architecture implementation.
• accounts-api/src/Domain/Account.cs — Core domain entity that encapsulates account state and invariants; foundational to understanding the business model.
• accounts-api/src/Infrastructure/DataAccess/MangaContext.cs — EF Core DbContext that bridges domain entities to the database; critical persistence abstraction.
• accounts-api/src/Application/Services/IUnitOfWork.cs — Transaction boundary abstraction that coordinates multiple repositories; essential for understanding data consistency patterns.
• accounts-api/src/Domain/ValueObjects/Money.cs — Value object pattern implementation for immutable financial amounts; demonstrates domain-driven design principles.
• Clean-Architecture-Manga.sln — Solution file showing the project structure and layering; reference for overall architecture organization.

Add a new Use Case (e.g., RequestLoan)

1. Create domain logic in Domain layer if needed (e.g., new business rules in Account.cs). (accounts-api/src/Domain/Account.cs)
2. Create use case interface defining the contract in Application layer. (accounts-api/src/Application/UseCases/RequestLoan/IRequestLoanUseCase.cs)
3. Implement the use case orchestration with validation and domain coordination. (accounts-api/src/Application/UseCases/RequestLoan/RequestLoanUseCase.cs)
4. Create output port interface for presenting results. (accounts-api/src/Application/UseCases/RequestLoan/IOutputPort.cs)
5. Create presenter to format use case output for HTTP responses. (accounts-api/src/Application/UseCases/RequestLoan/RequestLoanPresenter.cs)
6. Register use case and presenter in dependency injection container (typically in Startup or Program.cs).

Add a new Domain Value Object

1. Create immutable value object class in Domain/ValueObjects with equality and validation logic. (accounts-api/src/Domain/ValueObjects/Currency.cs)
2. Use the value object in domain entities (e.g., Account.cs) instead of primitives. (accounts-api/src/Domain/Account.cs)
3. Configure EF Core conversion in Infrastructure layer if needed for database storage. (accounts-api/src/Infrastructure/DataAccess/Configuration/AccountConfiguration.cs)

Add a new External Service Integration

1. Define service interface in Application/Services to decouple from implementation. (accounts-api/src/Application/Services/ICurrencyExchange.cs)
2. Implement the service in Infrastructure layer with actual external calls. (accounts-api/src/Infrastructure/CurrencyExchange/CurrencyExchangeService.cs)
3. Optionally create a Fake implementation in Infrastructure for testing. (accounts-api/src/Infrastructure/CurrencyExchange/CurrencyExchangeFake.cs)
4. Inject the service into use cases via constructor dependency injection. (accounts-api/src/Application/UseCases/Transfer/TransferUseCase.cs)

• .NET 6 / C#10 — Modern type-safe language with strong OOP support; excellent for domain-driven design and clean architecture patterns.
• Entity Framework Core — ORM abstraction layer that keeps domain model decoupled from database implementation details.
• Dependency Injection — Built-in ASP.NET Core DI enables loose coupling and testability; supports interface-based design.
• React + Redux — Predictable state management and component-based UI; separates presentation concerns from business logic.

• Use cases as central organizing structure with separate input/output ports

  • Why: Decouples business logic from framework and delivery mechanism (web, CLI, events).
  • Consequence: Additional ceremony with presenter classes and output port interfaces; slightly more boilerplate but greater testability and flexibility.

• Strong typing with Value Objects (Money, AccountId, Currency)

  • Why: Prevents primitive obsession and encodes business rules at type level.
  • Consequence: More classes to maintain but eliminates entire categories of bugs (wrong type passed to function).

• Aggregate pattern with Account as root entity

  • Why: Enforces transaction boundaries and invariant protection; clear consistency model.
  • Consequence: All changes must go through Account root; less granular updates but stronger consistency guarantees.

• IUnitOfWork abstraction for transaction management

  • Why: Coordinates multiple repositories in a single transaction; maintains consistency across aggregates.
  • Consequence: Adds indirection; requires careful disposal and exception handling but enables multi-repository atomic operations.

• Real-time account balance updates or websocket notifications
• Multi-tenant or role-based authorization enforcement
• Distributed transactions across microservices
• Complex reporting or analytics queries
• Payment gateway integration (mentioned in README but not implemented in codebase)

1. Local HTTPS requires trusting self-signed certificate (referenced in README but not obvious until first connection). 2) SQL Server connection string hardcoded in Docker Compose with specific password; changing password in .docker/setup.sh must match database initialization. 3) Frontend .env.* files required for environment switching (localhost vs development vs docker), missing env file silently falls back to defaults. 4) OIDC token endpoint at https://wallet.local:8081/identity-server assumes IdentityServer container is running and accessible on HTTPS. 5) Node-sass v8.0.0 may require manual Python 3 installation on some systems (pre-build binary compatibility issue).

• Dependency Inversion Principle (DIP) via Output Ports — IOutputPort interfaces (e.g., accounts-api/src/Application/UseCases/Deposit/IOutputPort.cs) decouple use cases from presentation; this repo demonstrates it concretely across 5+ use cases, enabling testing without mocking presenters
• Use Case / Interactor Pattern — Central organizing principle of this codebase; every business operation (Deposit, CloseAccount, GetAccount) is an isolated, testable class with single responsibility and explicit dependencies
• Presenter Pattern (Model-View-Presenter) — DepositPresenter, CloseAccountPresenter decouple use case output from REST/UI rendering; enables same use case to serve JSON API and future gRPC/GraphQL without change
• Validation Wrapper Use Cases — DepositValidationUseCase wraps DepositUseCase, segregating input validation from business logic; enables composable, reusable validators tested independently
• Redux Selector Memoization — Frontend state shape mirrors backend use case outputs (presenters); understanding how Redux selectors prevent re-renders is critical when integrating React with this API structure
• OIDC (OpenID Connect) Authentication — oidc-client library in package.json handles token refresh and user identity; repo demonstrates enterprise auth pattern required for multi-tier architecture (Wallet SPA → Accounts API → Identity Server)
• Entity Framework Core Unit of Work Pattern — IUnitOfWork abstraction (accounts-api/src/Application/Services/IUnitOfWork.cs) enables swappable persistence; core pattern allowing business logic to remain framework-agnostic while using EF Core as default implementation

• ardalis/CleanArchitecture — Alternative .NET Clean Architecture reference; similar layered structure but uses API endpoints-first approach vs use-case-first pattern
• gothinkster/realworld — Multi-language Clean Architecture implementations (including .NET + React stack); demonstrates same problem solved across ecosystems for pattern comparison
• microsoft/eShopOnContainers — Enterprise-scale .NET microservices reference; shows how Clean Architecture scales to multiple bounded contexts with Docker orchestration
• Xabaril/Polly — Resilience library frequently paired with Clean Architecture APIs; handles transient faults in ICurrencyExchange and external service calls
• duende/IdentityServer — Powers the /identity-server container in this repo; reference for OIDC implementation visible in .docker setup and frontend oidc-client dependency

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for React components in web-app

The repository has a mature .NET backend with extensive use case tests, but the React+Redux frontend lacks visible unit tests. The package.json shows @testing-library/react is installed but no test files are present in the file structure. This creates an asymmetry where the backend is thoroughly tested but the frontend (which consumes the accounts-api) is not. Adding tests would demonstrate clean architecture principles apply equally to both layers.

• [ ] Create src/tests directory structure mirroring React component hierarchy
• [ ] Add unit tests for Redux reducers and action creators (if present in src)
• [ ] Add integration tests for main account management components using @testing-library/react
• [ ] Configure jest.config.js if needed and verify 'npm test' runs successfully
• [ ] Document testing patterns in CONTRIBUTING.md for future contributors

Add GitHub Actions workflow for Node.js/React build and test

The .github/workflows/dotnet-core.yml only tests the .NET backend. There is no CI pipeline validating the React frontend builds correctly or that npm tests pass. Given that this is a full-stack example, both pipelines should run to catch integration issues early and validate both the API and UI work together.

• [ ] Create .github/workflows/frontend-ci.yml that runs on push/PR to validate React app
• [ ] Add steps: npm ci, npm run build, npm test with proper Node version matrix (16.x, 18.x)
• [ ] Configure the workflow to fail if build or tests fail
• [ ] Consider adding a 'matrix' strategy to test against multiple Node versions matching package.json constraints
• [ ] Update README.md to document that both backend and frontend CI checks must pass

Refactor Use Case validation layer into shared abstractions (accounts-api/src/Application/UseCases)

Each use case (CloseAccount, Deposit, OpenAccount, Transfer, Withdraw, GetAccount) has a separate ValidationUseCase class following the same pattern. This duplication suggests an opportunity for a base class or decorator pattern to reduce boilerplate. The current structure makes it harder to add new validation rules consistently across all use cases.

• [ ] Create accounts-api/src/Application/UseCases/AbstractValidationUseCase<T, TOutput> base class
• [ ] Define IValidationRule<T> interface for composable validation logic
• [ ] Refactor CloseAccountValidationUseCase, DepositValidationUseCase, etc. to inherit from base class
• [ ] Extract common validation logic (null checks, permission checks) into reusable rule classes
• [ ] Add unit tests in accounts-api/tests/ validating that validation rules execute correctly
• [ ] Document the new validation pattern in CONTRIBUTING.md with an example for new use cases

• Add integration tests for CloseAccountValidationUseCase in accounts-api/src/Application/UseCases/CloseAccount/ demonstrating validation layer testability without mocking the presenter.
• Create Missing API documentation: accounts-api/src/Application/Services/ICurrencyExchange.cs has no implementation visible in file list; document expected behavior and add placeholder unit tests.
• Build Redux selector library for frontend state queries (missing from visible structure); creates reusable derived state patterns similar to use case presenters on backend.

• High · Outdated and Vulnerable Dependencies — package.json - dependencies section. Multiple npm dependencies have known vulnerabilities and are significantly outdated. axios 0.21.2 has security issues, react 16.13.1 is from 2020, react-scripts 5.0.1 contains transitive vulnerabilities. The node-sass 8.0.0 package has been deprecated and replaced with sass, introducing potential supply chain risks. Fix: Update all dependencies to latest stable versions: axios to ^1.6.0+, react to ^18.0+, react-dom to ^18.0+, react-scripts to latest, and replace node-sass with sass. Run 'npm audit fix' and review remaining vulnerabilities.
• High · Insecure Dependencies - jquery — package.json - dependencies: jquery. jquery 3.4.1 is outdated and contains known XSS vulnerabilities (CVE-2020-11023). Modern React applications should not require jquery and its inclusion increases attack surface. Fix: Remove jquery dependency entirely and refactor any code using it to use native DOM APIs or React equivalents. If jquery is required for third-party components, update to jquery 3.6.0 or later.
• High · Hardcoded Environment Configuration Files — package.json - scripts section, implied .env files. Multiple environment configuration files (.env.localhost, .env.development, .env.docker) are referenced in package.json scripts. These files may contain sensitive information like API keys, connection strings, or authentication tokens that could be exposed if committed to version control. Fix: Ensure .env files are added to .gitignore. Use only non-sensitive defaults in version control. Implement a secure secrets management system (e.g., Azure Key Vault, AWS Secrets Manager) for production environments. Document required environment variables in .env.example without values.
• Medium · Missing Security Headers Configuration — React application - missing public/index.html meta tags and server configuration. No Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, or other security headers are explicitly configured in the React application. The codebase uses older react-router-dom 5.0.1 which may not include modern security middleware. Fix: Add security headers via a .htaccess file (if Apache), nginx configuration, or Express middleware. Implement CSP meta tag in public/index.html. Configure: Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block.
• Medium · Deprecated and Unsupported Dependencies — package.json - oidc-client dependency. oidc-client 1.8.2 is deprecated and replaced by @azure/msal-browser. Using deprecated authentication libraries creates security and maintenance risks, as security patches will not be applied. Fix: Migrate to @azure/msal-browser (current) or @auth0/auth0-spa-js depending on your authentication provider. Update authentication logic accordingly.
• Medium · Missing Input Validation in Application Layer — React components - entire application (implied by structure). While the codebase shows validation use cases (ValidationUseCase classes), there is no visible input sanitization or output encoding in the React frontend. This creates XSS vulnerability risk, especially with axios-based HTTP requests that may not properly escape response data. Fix: Implement DOMPurify library for sanitizing user input and API responses. Use React's built-in escaping by default (avoid dangerouslySetInnerHTML). Validate and sanitize all data from API responses before rendering.
• Medium · No CORS or Authentication Configuration Visible — package.json and implied API client configuration. The axios HTTP client is configured but no visible CORS policy or authentication token handling is present in the package.json or implied configuration. This could lead to unauthorized API access or CORS attacks. Fix: Implement axios interceptors to attach JWT/authentication tokens to requests. Configure CORS on the backend API with specific allowed origins. Never use wildcard (*) CORS policies in production. Implement request/response interceptors for security.
• Low · Missing npm Security Audit Baseline — undefined. No npm audit configuration, npm audit baseline, or dependency lock Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.