Blog
Notes on the build
Engineering notes, architecture deep-dives and product updates from the team building the Slicekit SaaS template.
We do not ship MediatR. Here is what we ship instead, and the catch
Why Slicekit builds on Wolverine instead of MediatR-plus-a-bus, the 2024-25 licensing shift that makes it a buying concern, and an honest look at what you give up.
Assume the token is stolen: passkeys, cookies and refresh-token rotation
Start from the worst case, a credential already in the wrong hands, and work backward: passkeys with no stealable secret, HttpOnly cookies XSS cannot read, and family-based refresh-token rotation as a tripwire.
security, authentication, passkeys
CQRS is not your mediator, and the outbox is not magic
Two misconceptions trip up most CQRS posts: that routing commands through a mediator is CQRS, and that an outbox gives exactly-once delivery. Here is what each pattern actually is, and what Slicekit relies on.
architecture, cqrs, outbox
One typed contract, and the one interceptor that makes auth invisible
The engineering case for a single typed client between .NET and React: one place for cookies, CSRF and a 401 silent-refresh interceptor, hand-mirrored types you keep honest against the API, and server validation errors mapped back onto form fields.
architecture, react, dotnet
Permissions, not roles, but we stopped short of Zanzibar
Slicekit sits between coarse RBAC and relationship-based auth: a flat permission catalogue enforced on the API and mirrored in the UI. Here is what that buys you, and the day you should outgrow it.
security, permissions, architecture
Architecture tests that fail CI, and the violations they cannot catch
NetArchTest turns Slicekit layer and slice boundaries into build-failing fitness functions, Testcontainers keeps integration tests honest, and a passing rule is still only a floor.
testing, architecture, ci
Tamper-evident, not tamper-proof: where the audit line really is
A hash-chained audit log makes tampering detectable, not impossible. Here is the exact limit, and what Slicekit does to push past it.
security, auditing, compliance
GDPR erasure breaks your foreign keys
Why deleting a user is a data-modeling problem, not a one-line DELETE, and how Slicekit fails the build when a new personal-data field goes unclassified.
compliance, gdpr, data-modeling
OpenTelemetry from day one, and the cardinality mistake that blows up your bill
Wiring traces, metrics and logs in before the first feature is the easy part. The expensive trap is high-cardinality metric labels, and one rule keeps it from wrecking your storage bill.
observability, opentelemetry, operations
Why .NET and a modular monolith for a base you keep
A base you run for years is judged on year three, not the first hour. Here is the case for the runtime and the architecture shape behind Slicekit.
dotnet, architecture
An AI can navigate this codebase. Here is where it still cannot be trusted
A predictable slice-per-feature layout makes Slicekit navigable for a coding agent, and the guardrails catch a narrow class of mistakes. A green build is not a correct feature, so human review of behavior stays essential.
ai-assisted, architecture, dotnet
Vertical slices without the cargo cult
Vertical slices are a cohesion rule, not a war on Clean Architecture or DDD. The myths, the one principle that matters, and where slices actually bite.
architecture, vertical-slices, ddd
Introducing Slicekit: ship the product, not the plumbing
Why we built a premium, opinionated full-stack SaaS boilerplate around .NET 10 and React, and an honest account of what a template can and cannot do for you.
announcement, architecture, dotnet