If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/lepoco/wpfui shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

GO — Healthy across the board

• Last commit 5d ago
• 24+ active contributors
• Distributed ownership (top contributor 47% of recent commits)
• MIT licensed
• CI configured
• Tests present

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live lepoco/wpfui repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/lepoco/wpfui.

What it runs against: a local clone of lepoco/wpfui — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in lepoco/wpfui | Confirms the artifact applies here, not a fork | | 2 | License is still MIT | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 35 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of lepoco/wpfui. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/lepoco/wpfui.git
#   cd wpfui
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of lepoco/wpfui and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "lepoco/wpfui(\\.git)?\\b" \\
  && ok "origin remote is lepoco/wpfui" \\
  || miss "origin remote is not lepoco/wpfui (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"MIT\"" package.json 2>/dev/null) \\
  && ok "license is MIT" \\
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "Directory.Build.props" \\
  && ok "Directory.Build.props" \\
  || miss "missing critical file: Directory.Build.props"
test -f "Wpf.Ui.sln" \\
  && ok "Wpf.Ui.sln" \\
  || miss "missing critical file: Wpf.Ui.sln"
test -f ".github/workflows/wpf-ui-cd-nuget.yaml" \\
  && ok ".github/workflows/wpf-ui-cd-nuget.yaml" \\
  || miss "missing critical file: .github/workflows/wpf-ui-cd-nuget.yaml"
test -f "docs/architecture/CONSTITUTION.md" \\
  && ok "docs/architecture/CONSTITUTION.md" \\
  || miss "missing critical file: docs/architecture/CONSTITUTION.md"
test -f ".github/copilot-instructions.md" \\
  && ok ".github/copilot-instructions.md" \\
  || miss "missing critical file: .github/copilot-instructions.md"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 35 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~5d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/lepoco/wpfui"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

WPF UI is a C# library that brings Microsoft Fluent Design System components and theming to the WPF framework, replacing base controls like Page, ToggleButton, and List with Fluent-styled equivalents, plus adding new controls like Navigation, NumberBox, Dialog, and Snackbar. It eliminates the need to build modern UI experiences from scratch in WPF by providing native, polished Fluent controls that work seamlessly with existing WPF applications. Monorepo structure with Wpf.Ui.sln as main solution and filtered solution files (Wpf.Ui.Library.slnf for library, Wpf.Ui.Gallery.slnf for demo app). Core library lives in main projects with XAML-based controls, themes in theme files, and a full Gallery demo application. Centralized build configuration via Directory.Build.props, Directory.Build.targets, and Directory.Packages.props; documentation built separately with DocFX (package.json templates in root).

WPF desktop application developers who need to modernize their Windows apps with contemporary Fluent Design aesthetics and controls without rewriting in newer frameworks like WinUI. Enterprise developers maintaining legacy WPF codebases that want current UX without migrating away from WPF.

Production-ready and actively maintained. The project is published on NuGet (https://www.nuget.org/packages/wpf-ui/), has a free companion Gallery app in the Microsoft Store, includes a Visual Studio 2022 plugin, and maintains comprehensive CI/CD pipelines (.github/workflows/ with CD for NuGet, docs, and extensions). Recent activity shows active development with labeler workflows and PR validation.

Low risk for core stability but moderate organizational risk: the project centers around creator Leszek Pomianowski with community contributors, creating single-person-of-trust dynamics. Dependencies are managed centrally (Directory.Packages.props) and pinned (e.g., Bootstrap 5.3.1, jQuery 3.7.0 in docs build), reducing supply-chain breakage. The codebase enforces code style via .csharpierrc and includes banned symbols enforcement (BannedSymbols.txt), indicating mature governance.

Active development with GitHub Actions workflows for automated NuGet publishing (wpf-ui-cd-nuget.yaml), documentation deployment (wpf-ui-cd-docs.yaml), Visual Studio extension updates (wpf-ui-cd-extension.yaml), and PR validation. The project includes Dependabot configuration for dependency updates and automated labeling/locking workflows. Recent additions include Copilot instructions (.github/copilot-instructions.md) and devcontainer support for reproducible environments.

git clone https://github.com/lepoco/wpfui.git cd wpfui dotnet restore dotnet build Wpf.Ui.sln

Daily commands: dotnet build Wpf.Ui.sln (build entire solution); dotnet run --project src/Wpf.Ui.Gallery/Wpf.Ui.Gallery.csproj (run Gallery demo). For documentation: npm install then npm run build in the docs template directory (.claude and .github/chatmodes contain local config).

• Directory.Build.props — Central build configuration defining target frameworks, NuGet package metadata, and shared compilation settings for all WPF UI projects
• Wpf.Ui.sln — Master solution file that orchestrates all library, gallery, and documentation projects; essential for understanding project dependencies
• .github/workflows/wpf-ui-cd-nuget.yaml — Continuous delivery pipeline for NuGet package release; defines how code reaches production consumers
• docs/architecture/CONSTITUTION.md — Foundational architecture document establishing design principles, constraints, and decision-making framework for all contributions
• .github/copilot-instructions.md — AI assistant guidelines and project conventions that shape code style, naming, and architectural decisions across the codebase
• docs/architecture/decisions/ADR-004-static-managers-for-theming.md — Key architectural decision record explaining theming system design, critical for understanding immersive control behavior

Add a New Fluent Control

1. Create feature folder structure under src/Wpf.Ui/Controls/YourControl/ with XAML and C# files (ADR-005) (docs/architecture/decisions/ADR-005-feature-folder-controls.md)
2. Define control class inheriting from base WPF control, apply Fluent styling in theme dictionaries (Light/Dark XAML) (docs/architecture/cross-cutting/theming-and-appearance.md)
3. Register control in Gallery application (Wpf.Ui.Gallery project) with demo page and code snippets (docs/documentation/gallery.md)
4. Add API documentation and usage examples in docs/documentation/, update docfx.json if adding new namespace (docs/docfx.json)
5. Update MODULE-INTERFACES.md with public contract and validate compliance with architecture guidelines (docs/architecture/MODULE-INTERFACES.md)

Integrate Win32 Native Feature

1. Define P/Invoke or COM interop bindings using CsWin32 (ADR-003) in appropriate module (docs/architecture/decisions/ADR-003-win32-interop-via-cswin32.md)
2. Wrap native calls in managed abstraction layer to isolate platform-specific code (docs/architecture/cross-cutting/win32-interop.md)
3. Add feature detection and graceful fallback for non-Windows platforms (multi-target support) (docs/architecture/decisions/ADR-001-multi-target-framework.md)
4. Create unit tests validating interop behavior and document in TESTING-SPEC.md (docs/architecture/TESTING-SPEC.md)

Enhance Theming System

1. Review static manager architecture (ADR-004) and update ThemeManager or AppearanceManager if adding new theme property (docs/architecture/decisions/ADR-004-static-managers-for-theming.md)
2. Define theme resource in Light.xaml and Dark.xaml dictionaries, register in resource system (docs/architecture/cross-cutting/theming-and-appearance.md)
3. Update accent.md documentation if adding new accent/color customization capability (docs/documentation/accent.md)
4. Add Gallery theme editor UI to showcase new theming option, validate consistency across all controls (docs/documentation/gallery-editor.md)

Release New NuGet Package Version

1. Update version in Directory.Build.props (shared across all projects) (Directory.Build.props)
2. Document breaking changes and features in docs/documentation/releases.md (docs/documentation/releases.md)
3. Push to main branch; GitHub Actions wpf-ui-cd-nuget.yaml automatically builds and publishes to nuget.org (.github/workflows/wpf-ui-cd-nuget.yaml)
4. Verify NuGet publish action completes successfully and package appears on nuget.org within 5 minutes (.github/workflows/wpf-ui-cd-nuget.yaml)

• WPF (.NET Framework, .NET 5+) — Brings modern Fluent Design System to existing Windows desktop applications; multi-targeting (ADR-001) ensures backward compatibility with legacy projects while supporting latest .NET
• CsWin32 for P/Invoke/COM — Type-safe, source-generated Win32 bindings (ADR-003) enabling modern Windows 11 features (BackdropMaterial, Mica) without manual interop boilerplate
• Static Manager Pattern (ThemeManager, AppearanceManager) — Centralized, application-wide state management for themes without dependency injection complexity (ADR-004); fits WPF's XAML-first paradigm
• XAML-based Control Theming (Light/Dark dictionaries) — Native WPF approach to runtime theme switching; resource dictionaries enable seamless accent and appearance changes without code recompilation
• DocFX + GitHub Pages — Generates professional API documentation from XML comments and markdown; integrates with CI/CD for automatic deployment on main branch commits
• Roslyn Code Analyzers + CSharpier — Enforces code quality and consistent formatting; BannedSymbols.txt

Markup language integration: XAML files require proper namespace declarations (xmlns) and control hierarchy understanding; incorrect namespacing will cause silent runtime failures. Resource dictionary loading order matters—styles in theme files must be merged in correct dependency order or controls won't apply expected styling. The solution uses filtered solution files (.slnf extension) for different workflows (Wpf.Ui.Library.slnf vs. Wpf.Ui.Gallery.slnf)—loading the wrong .sln can hide projects. DevContainer post-create.sh may have environment setup expectations; check it before running locally.

• XAML Resource Dictionaries and Theming — WPF UI's entire theming system (light/dark modes, Fluent color palettes) is built on merged resource dictionaries; understanding ResourceDictionary composition is essential to customizing or extending themes
• Dependency Injection in WPF — Modern WPF UI projects use DI containers (likely Microsoft.Extensions.DependencyInjection) for service registration and control initialization, changing how configuration and lifecycle work compared to older WPF patterns
• Fluent Design System — The entire visual and interaction language of WPF UI is based on Microsoft's Fluent Design principles (light, depth, motion, scale); understanding these principles explains why controls look and behave as they do
• MVVM (Model-View-ViewModel) — WPF applications and the Gallery demo rely on MVVM patterns with data binding and command patterns; WPF UI controls are designed to integrate seamlessly with this architectural pattern
• Control Inheritance and Template Replacement in WPF — WPF UI achieves Fluent styling by inheriting from native WPF controls (Button, ToggleButton, etc.) and replacing their ControlTemplate; understanding template binding and attached behaviors is critical for customization
• Central Package Version Management (CPMV) — The project uses Directory.Packages.props for centralized NuGet versioning across projects; this modern MSBuild feature prevents dependency version conflicts and simplifies updates
• Attached Behaviors and Attached Properties — WPF UI likely uses attached properties and behaviors to extend control functionality (e.g., validation, theme application) without modifying control inheritance chains; essential for understanding non-obvious control customization points

• microsoft/WinUI-Gallery — Official Microsoft gallery app showcasing WinUI 3 controls—the modern successor to WPF's fluent design approach, useful for comparing design patterns and component APIs
• AvaloniaUI/Avalonia — Cross-platform XAML framework that also modernizes .NET UI; alternative to WPF for greenfield projects but uses different rendering and theming architecture
• jamesmontemagno/app-accelerator — Visual Studio project template generator; WPF UI integrates with VS 2022 via an extension that likely uses similar template scaffolding patterns
• microsoft/microsoft-ui-xaml — Core WinUI library providing the Fluent design system primitives that WPF UI adapts for WPF's native controls—canonical source for design tokens and control specs
• lepoco/csharp-style-guide — Companion repository by the same author documenting C# coding standards enforced in WPF UI via .editorconfig and CSharpier

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add comprehensive unit tests for WPF UI control behaviors

The repo has extensive architecture documentation (docs/architecture/TESTING-SPEC.md exists) but no visible test files in the partial file structure. Given that this is a WPF control library with custom controls like Navigation, NumberBox, Dialog, and Snackbar, there should be unit tests validating control initialization, property binding, event handling, and theme application. This is critical for a UI library where visual regressions could break user applications.

• [ ] Review docs/architecture/TESTING-SPEC.md to understand testing requirements and patterns
• [ ] Create test project structure following .NET conventions (e.g., Wpf.Ui.Tests)
• [ ] Add unit tests for core controls: Navigation (selection, routing), NumberBox (validation, bounds), Dialog (lifecycle, result handling)
• [ ] Add theme application tests to validate Fluent design system application across controls
• [ ] Ensure tests run in existing CI/CD pipelines (validate against .github/workflows/wpf-ui-pr-validator.yaml)

Create GitHub Actions workflow for API breaking change detection

The repo has NuGet CD workflow (.github/workflows/wpf-ui-cd-nuget.yaml) and PR validation, but no automated API compatibility checking. As a public NuGet library, detecting breaking changes (removed/renamed public members) before release is critical. The BannedSymbols.txt file suggests infrastructure exists for this analysis.

• [ ] Leverage BannedSymbols.txt and create a workflow that runs on PRs targeting main/master branches
• [ ] Integrate a .NET API analyzer tool (e.g., Microsoft.Cci.MetadataReader or Roslyn-based analysis) to compare public API surface
• [ ] Generate a report showing added/removed/changed public methods, properties, and events
• [ ] Add workflow step to fail PR if breaking changes detected without explicit approval label
• [ ] Add this workflow to .github/workflows/ (e.g., wpf-ui-api-compat-check.yaml)

Add missing documentation for Navigation and Dialog control integration patterns

The docs/architecture/ folder has IMPLEMENTATION-GUIDE.md and MODULE-INTERFACES.md, but based on the README highlighting Navigation and Dialog as key controls, there's likely missing user-facing documentation on how to implement these in real applications. The docs/.gitignore suggests a DocFX site, but routing/navigation patterns and dialog result handling patterns aren't documented in the visible structure.

• [ ] Review docs/architecture/IMPLEMENTATION-GUIDE.md to understand current coverage
• [ ] Create docs/controls/navigation-guide.md covering: defining navigation items, handling selection, implementing breadcrumb integration, theme-aware icon usage
• [ ] Create docs/controls/dialog-guide.md covering: opening dialogs, passing parameters, handling results, supporting async operations, keyboard navigation
• [ ] Add code examples from Gallery application (Wpf.Ui.Gallery.slnf) demonstrating these patterns
• [ ] Update or create docs/architecture/MODULE-INTERFACES.md section for these controls if missing

• Add comprehensive unit tests for newly contributed controls in src/Wpf.Ui/Controls/ by examining Gallery demo usage patterns and creating corresponding test files in a tests/ directory following the existing project structure
• Expand inline documentation for public APIs using XML comments (///) on control properties and methods that currently lack them, enabling IntelliSense tooltips for library consumers
• Create focused documentation pages in the docs/ build system (DocFX templates in root) for underutilized controls like NumberBox or Dialog, with working XAML code examples copied from Gallery source

The WPF UI project has a moderate security posture with some areas of concern. The primary issues relate to outdated npm dependencies (Bootstrap 3.4.1, jQuery), lack of dependency version pinning in devDependencies, and missing security configuration for the documentation site. The .NET/WPF components are not visible in this analysis, but the npm-based documentation infrastructure shows good practices with linting tools configured. Immediate actions: remove Bootstrap 3.4.1, verify jQuery

• High · jQuery 3.7.0 with Known Vulnerabilities — package.json - dependencies.jquery. jQuery 3.7.0 contains known security vulnerabilities including prototype pollution and XSS issues. While version 3.7.0 is relatively recent, the dependency should be verified against current CVE databases. Fix: Verify jQuery 3.7.0 against CVE databases. Consider upgrading to the latest stable version and implementing Content Security Policy (CSP) headers.
• High · Outdated Bootstrap Version in Dependencies — package.json - dependencies[@default/bootstrap]. Bootstrap 3.4.1 is outdated and contains multiple known vulnerabilities. While Bootstrap 5.3.1 is also included, the presence of the older version suggests potential compatibility issues and unpatched security flaws. Fix: Remove Bootstrap 3.4.1 dependency. Ensure all code uses Bootstrap 5.3.1 exclusively. Audit codebase for Bootstrap 3 specific code patterns.
• Medium · Missing npm Lockfile in Repository — Documentation structure - package.json location. No package-lock.json or yarn.lock file is mentioned in the provided file structure. This introduces supply chain risks as dependency versions could vary across builds and environments. Fix: Ensure package-lock.json is committed to repository and all CI/CD pipelines use npm ci instead of npm install. This guarantees reproducible builds.
• Medium · Potential Information Disclosure via Settings Files — .claude/settings.local.json. .claude/settings.local.json may contain sensitive configuration. Local settings files should not be committed to version control if they contain secrets or personal configurations. Fix: Verify the file is in .gitignore. If it contains sensitive data, add to .gitignore immediately. Use environment variables or secure vaults for sensitive configuration.
• Medium · No Version Pinning for Development Dependencies — package.json - devDependencies. Several critical devDependencies use caret (^) ranges (ESLint, TypeScript, etc.) which allow minor and patch updates automatically. This could introduce breaking changes or security vulnerabilities. Fix: Pin major versions of security-sensitive tools: ESLint, TypeScript, and @typescript-eslint packages. Use exact versions or tilde ranges (~) instead of caret (^).
• Medium · Missing Security Headers Configuration — Documentation build configuration. The DocFX template configuration (package.json) lacks explicit security headers for the generated static website. No mention of CSP, X-Frame-Options, or other protective headers. Fix: Configure web server (IIS/nginx) with security headers: Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security.
• Low · ESLint and Stylelint Configuration Not Provided — .eslintrc, .stylelintrc (missing from structure). The .eslintrc and .stylelintrc files are not included in the provided structure. Without visible security-focused linting rules, potential code quality and security issues may not be caught automatically. Fix: Ensure ESLint includes security plugins like eslint-plugin-security. Configure stylelint to catch potential CSS injection vectors.
• Low · Highlight.js XSS Risk — package.json - dependencies[@default/highlight.js]. Highlight.js (v11.8.0) is used for code highlighting. If user-supplied code is highlighted without proper sanitization, XSS vulnerabilities could occur. Fix: Ensure all code passed to Highlight.js is properly escaped. Use DOMPurify or similar library for sanitization if processing untrusted content.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.