If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/PrismLibrary/Prism shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Mixed signals — read the receipts

• Last commit 1d ago
• 9 active contributors
• Distributed ownership (top contributor 36% of recent commits)
• Other licensed
• CI configured
• ⚠ Non-standard license (Other) — review terms
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live PrismLibrary/Prism repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/PrismLibrary/Prism.

What it runs against: a local clone of PrismLibrary/Prism — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in PrismLibrary/Prism | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | Last commit ≤ 31 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of PrismLibrary/Prism. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/PrismLibrary/Prism.git
#   cd Prism
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of PrismLibrary/Prism and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "PrismLibrary/Prism(\\.git)?\\b" \\
  && ok "origin remote is PrismLibrary/Prism" \\
  || miss "origin remote is not PrismLibrary/Prism (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 31 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/PrismLibrary/Prism"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Prism is a framework for building loosely coupled, maintainable XAML applications across WPF, Xamarin Forms, Avalonia, MAUI, and Uno/WinUI platforms. It provides implementations of MVVM, dependency injection, commands, EventAggregator, and regional navigation patterns with platform-specific integrations for each target UI framework. The framework is built on .NET Standard 2.0 with platform-specific implementations in separate libraries that share a common core. Monorepo with platform-specific solution filters (.slnf files: PrismLibrary_Core.slnf, PrismLibrary_Wpf.slnf, PrismLibrary_Avalonia.slnf, PrismLibrary_Maui.slnf, PrismLibrary_Uno.slnf). Core library lives in shared .NET Standard namespace, while platform integrations branch into separate folders with platform-specific projects. End-to-end examples in e2e/ folder (e2e/Avalonia/PrismAvaloniaDemo shows reference app structure). Centralized dependency and property configuration via Directory.Build.props, Directory.Build.targets, and Directory.Packages.props.

Enterprise and mid-market developers building WPF or cross-platform XAML applications who need structured MVVM architecture with dependency injection and navigation; framework architects building large-scale maintainable desktop or mobile applications that require loose coupling and testability.

Highly mature and production-ready. Prism is an established Microsoft-endorsed framework with over a decade of history, dual licensing model (v9.0+), active GitHub Sponsors funding, maintained across 5 major platforms with separate build pipelines (.github/workflows/ shows build_core.yml, build_wpf.yml, build_avalonia.yml, build_uno.yml, build_maui.yml), and active contributor community. Recent multi-platform additions (Avalonia, MAUI, Uno) and release infrastructure indicate ongoing active development.

Low-to-moderate risk for established projects, higher for cutting-edge platform support. WPF and core MVVM patterns are stable, but Avalonia, MAUI, and Uno implementations are relatively newer platforms with smaller ecosystems. Dual licensing model (Community vs. Commercial) introduced in v9.0 requires compliance verification for larger organizations. Single repository structure managing 5 divergent platforms increases regression risk; mitigated by separate GitHub Actions workflows per platform. Dependabot is configured (.dependabot/config.yml) indicating active dependency management.

Active multi-platform expansion with recent investments in Avalonia, MAUI, and Uno Platform support visible in separate build workflows and e2e demos. Release automation established (start-release.yml, publish-release.yml workflows) and sponsor-based funding model in place (sponsor-actions.yml). Stale issue management configured (.github/stale.yml) and issue templating standardized (bug_report.yml, feature_request.md). No specific recent commit date visible in data, but infrastructure shows active maintenance cycles.

git clone https://github.com/PrismLibrary/Prism.git && cd Prism && dotnet restore PrismLibrary.sln && dotnet build PrismLibrary.sln For platform-specific work: dotnet restore PrismLibrary_Wpf.slnf && dotnet build PrismLibrary_Wpf.slnf (substitute Avalonia/Maui/Uno/Core as needed).

Daily commands: For full solution: dotnet build PrismLibrary.sln && dotnet test (inferred from CodeCoverage.runsettings presence). For platform-specific: dotnet build PrismLibrary_Wpf.slnf or substitute platform filter. E2E demos: dotnet build e2e/Avalonia/PrismAvaloniaDemo/PrismAvaloniaDemo.csproj && dotnet run. Visual Studio or VS Code (.vscode/launch.json configured for debugging).

• Directory.Build.props: Central package version and property management across all platform-specific projects; changes here affect all 5 platform builds
• PrismLibrary.sln: Master solution file containing all platform projects; required for full codebase builds and understanding project dependencies
• .github/workflows/ci.yml: Main CI pipeline orchestrating all platform builds (core, wpf, avalonia, uno, maui); defines build order and integration testing
• .github/CODEOWNERS: Defines code ownership and mandatory reviewers per platform; critical for PR workflow and maintainer accountability
• e2e/Avalonia/PrismAvaloniaDemo/App.axaml.cs: Concrete example of Prism bootstrapping in Avalonia; reference implementation for new platform onboarding
• Directory.Packages.props: Centralized NuGet dependency version management using PackageReference centralization; prevents version conflicts across 5 platforms
• .github/CONTRIBUTING.md: Establishes contribution guidelines, licensing compliance (Community vs. Commercial), and PR expectations for multi-platform contributions
• CodeCoverage.runsettings: Defines code coverage collection rules for test runs; indicates what test metrics are enforced in CI

Core patterns live in src/ (inferred from standard C# project layout); platform-specific implementations in src/Prism.{Platform}/ folders. For MVVM features: modify core container/navigation/command implementations. For platform integration: edit Prism.Wpf/, Prism.Avalonia/, etc. Tests: follow existing test project adjacency (Prism.Tests/). New platform support: create e2e/{Platform}/ demo first (mirroring e2e/Avalonia structure), then create src/Prism.{Platform}/ library. CI: modify .github/workflows/build_{platform}.yml for new build configurations.

1. Dual licensing model (v9.0+): Community License for most use cases, but Commercial License required for larger organizations—verify organizational size/revenue before production deployment. 2) Platform-specific APIs diverge significantly; code written for WPF may not port directly to Avalonia or MAUI without abstraction. 3) .NET version constraints: Core is .NET Standard 2.0, but individual platforms may require .NET 6.0/.NET 8.0 (check individual platform csproj files). 4) Regional/Navigation API differs across platforms due to framework differences; test navigation thoroughly per platform. 5) Dependabot configured but transitive dependency conflicts possible across 5+ platform ecosystems—pin versions carefully in Directory.Packages.props. 6) Event Aggregator cross-thread marshaling behavior varies; WPF uses Dispatcher, MAUI uses MainThread—platform-specific testing required.

• MVVM (Model-View-ViewModel) Pattern — Prism's entire architecture is built on MVVM; understanding the separation of concerns between View (XAML), ViewModel (presentation logic), and Model (business logic) is foundational to using Prism effectively
• Dependency Injection Container — Prism's ContainerRegistry is the core mechanism for loosely coupling components; understanding container registration, resolution, and lifetime management is essential for architecting Prism applications
• Event Aggregator / Publish-Subscribe — Prism's EventAggregator enables loosely coupled inter-component communication without direct references; critical for decoupling ViewModels and services in large applications
• Navigation Service with Regions — Prism's region-based navigation enables composite UI patterns where multiple XAML regions can be independently populated with views; understanding view discovery, navigation parameters, and region lifecycle is essential for multi-view applications
• DelegateCommand (Routed Commands abstraction) — Prism's DelegateCommand abstracts XAML framework command differences (WPF RoutedCommand vs. Avalonia vs. MAUI); understanding command binding patterns and CanExecute change propagation is needed for reactive UI patterns
• Solution Filters (.slnf) for Monorepo Scoping — Prism uses .slnf files to present platform-specific subsets of the monorepo (PrismLibrary_Wpf.slnf vs. PrismLibrary_Avalonia.slnf); understanding how to work within filtered solutions prevents building unnecessary platform code and speeds local development
• Platform-Specific Abstraction Patterns — Prism abstracts XAML framework differences (WPF Dispatcher vs. MAUI MainThread vs. Avalonia's threading model) behind shared interfaces; understanding when to use platform-specific code vs. shared abstractions is critical for cross-platform contributions

• PrismLibrary/Prism-Documentation — Official documentation repository for all Prism platform variants; where architecture guides, API docs, and platform-specific tutorials are maintained
• microsoft/xaml-standard — Predecessor effort to standardize XAML across platforms; informs Prism's cross-platform abstraction strategy for WPF/UWP/Uno convergence
• unoplatform/uno — Uno Platform framework that Prism integrates with; understanding Uno's XAML transpilation and project structure essential for Prism.Uno platform work
• avaloniaui/avalonia — Avalonia cross-platform framework that Prism targets; critical for understanding Prism.Avalonia's data binding and event model differences from WPF
• dotnet/maui — MAUI (Multi-platform App UI) framework that Prism recently integrated; necessary for Prism.Maui platform-specific navigation and dependency injection patterns

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add missing CI workflow for Avalonia platform

The repo has build workflows for WPF, Uno, MAUI, and Core (build_avalonia.yml exists), but there's no corresponding automated testing or publish workflow specifically for Avalonia like there is for other platforms. The e2e/Avalonia/PrismAvaloniaDemo exists showing active Avalonia support, but the CI/CD coverage appears incomplete compared to other platform folders.

• [ ] Review existing .github/workflows/build_avalonia.yml to understand current coverage
• [ ] Compare against build_wpf.yml and build_uno.yml to identify missing test/publish steps
• [ ] Add integration tests for Avalonia-specific features (region management, MVVM binding, DI)
• [ ] Ensure the workflow publishes Avalonia NuGet packages in publish-release.yml if not already included
• [ ] Test locally using PrismLibrary_Avalonia.slnf solution filter

Add comprehensive unit tests for platform-specific Region and Navigation implementations

The repo supports 5 distinct platforms (WPF, Avalonia, MAUI, Uno, WinUI) but the file structure suggests region/navigation implementations exist in platform-specific projects with potentially incomplete test coverage. New contributors can add focused test suites that validate region attachment, navigation state, and view injection work correctly across platforms.

• [ ] Identify core region/navigation interfaces in src/Core
• [ ] Locate platform-specific implementations (likely in src/Wpf, src/Avalonia, src/Maui, src/Uno directories)
• [ ] Create test projects mirroring structure: tests/Prism.{Platform}.Tests/Navigation and tests/Prism.{Platform}.Tests/Regions
• [ ] Add tests for: region registration, view navigation, navigation parameters passing, and deactivation lifecycle
• [ ] Ensure CodeCoverage.runsettings is updated to include new test projects

Create platform-specific documentation for MAUI and Avalonia implementations in README

The main README.md mentions MAUI and Avalonia support but provides no platform-specific guidance. The repo has e2e demos (e2e/Avalonia/PrismAvaloniaDemo exists) that demonstrate real implementations, but no linked documentation explaining setup, configuration differences, or platform-specific patterns compared to WPF.

• [ ] Create .github/docs/PLATFORM_GUIDE.md or update README.md with platform-specific sections
• [ ] Document MAUI-specific setup: MAUI project structure, platform registration (WindowsHelper, etc.), view/viewmodel routing
• [ ] Document Avalonia-specific setup: Avalonia-specific DI registration, XAML namespace differences, platform bootstrapping
• [ ] Link to corresponding e2e demo projects (e2e/Avalonia/PrismAvaloniaDemo) as reference implementations
• [ ] Include troubleshooting section for platform-specific gotchas (XAML parsing, DI container differences, etc.)

• Add unit test coverage for Prism.Core.Ioc.ContainerRegistry edge cases (null/empty container scenarios); tests are present but coverage gaps visible from untested error paths in dependency resolution
• Document regional navigation differences across platforms in Prism-Documentation repo with concrete before/after examples for WPF vs. Avalonia vs. MAUI region registration
• Create missing integration test for EventAggregator cross-thread subscription behavior in MAUI and Uno platforms; existing WPF tests don't cover platform-specific Dispatcher/MainThread marshaling

The Prism library demonstrates a moderate security posture. Positive aspects include: presence of Dependabot configuration for automated dependency updates, standardized GitHub workflow structure, and open-source transparency. Areas requiring attention: no visible SECURITY.md policy, dependency vulnerability details not provided in analysis, potential secrets management in build workflows, and lack of visible security-specific code patterns. The framework's multi-platform nature (WPF, XAML-based) introduces complexity requiring careful validation of user inputs to prevent XSS-style attacks in XAML bindings. Overall, the project appears well-maintained with established CI/CD practices, but security documentation and dependency auditing procedures should be enhanced.

• Medium · Missing Dependency Vulnerability Scanning — Directory.Packages.props, Package management configuration. No dependency lock files or vulnerability scanning configuration detected in the provided analysis. The codebase lacks visible evidence of dependency pinning or automated security scanning tools like Dependabot configuration specifics, SBOM generation, or regular vulnerability audits. Fix: Implement automated dependency scanning using tools like Dependabot (already present in .dependabot/config.yml), ensure all NuGet packages are pinned to specific versions, and regularly audit dependencies for known vulnerabilities. Enable security alerts in GitHub.
• Low · Insufficient CODEOWNERS Configuration — .github/CODEOWNERS. The .github/CODEOWNERS file exists but its content is not visible. Without proper code owner assignment, critical security-sensitive areas may not receive adequate review. Fix: Ensure CODEOWNERS file includes maintainers for security-sensitive components. Require code reviews from security-aware maintainers for changes to authentication, dependency management, and critical infrastructure code.
• Low · Potential Information Disclosure in GitHub Workflows — .github/workflows/build_*.yml, .github/workflows/publish-release.yml. Multiple GitHub workflow files exist (.github/workflows/*.yml). While not visible in detail, build workflows can inadvertently expose secrets or sensitive information in logs if not properly configured. Fix: Review all workflow files to ensure: secrets are not logged, sensitive data uses GitHub Secrets management, build artifacts don't contain credentials, and logs are properly sanitized. Use GitHub's secret masking features.
• Low · Missing Security Policy — Repository root. No SECURITY.md file is visible in the repository root. This can make it difficult for security researchers to report vulnerabilities responsibly. Fix: Create a SECURITY.md file documenting the vulnerability disclosure process, security contact information, and how to report security issues responsibly.
• Low · Unverified External Framework Dependencies — src/ (not visible in structure), Platform-specific implementations. The Prism framework integrates with multiple platforms (WPF, Avalonia, MAUI, Uno, WinUI) which depend on external ecosystem components. Supply chain risk is inherent. Fix: Maintain an inventory of all transitive dependencies, regularly audit third-party packages for security issues, use dependency validation tools, and consider using package signature verification where available.
• Low · Potential Weak CodeCoverage Configuration — CodeCoverage.runsettings. CodeCoverage.runsettings file exists but its contents are not visible. Insufficient test coverage may allow security vulnerabilities to pass undetected. Fix: Ensure code coverage includes security-sensitive components. Aim for >80% coverage in authentication, validation, and data handling code. Enforce coverage requirements in pull request checks.

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.