A Roslyn-based analyzer that enforces architectural boundaries at compile time.
Many architectural patterns divide code into layers where access between them should be controlled. In practice this breaks down at one specific place: types that must be public for technical reasons, but were never meant to be used everywhere.
A common example is EF Core — entity classes must be public for the ORM to work, but that makes them accessible from any layer in the solution:
// In a UI controller — this compiles fine, but violates your architecture
var user = new UserRepository().GetById(id);
Console.WriteLine(user.PasswordHash); // Domain internals, exposed to the UIThe type is public because it has to be. But it was never meant to be used here.
ScopeGuard introduces a [VisibleTo] attribute that lets you declare which namespaces are allowed to use a type. Any violation becomes a compile-time error — not a code review comment, not a runtime exception, a build failure.
using ScopeGuard.Attributes;
namespace MyApp.Domain
{
[VisibleTo("MyApp.Application.**")]
public class User
{
public string PasswordHash { get; set; }
}
}Any of the following from an unauthorized namespace now fails to build:
// In MyApp.UI.Controllers
var user = new User(); // error SG001 — object creation
var hash = user.PasswordHash; // error SG001 — member access// In MyApp.UI
class AdminUser : User { } // error SG001 — inheritance
class UserList : IEnumerable<User> { } // error SG001 — generic type argument
void Handle(User user) { } // error SG001 — method parameter
User GetCurrent() => null!; // error SG001 — return type
private User _current; // error SG001 — field typeScopeGuard catches every place a restricted type appears:
- Member access — calling a method, reading or writing a property or field on a restricted type
- Object creation —
new RestrictedType() - Inheritance and interface implementation —
class Sub : RestrictedType,class Impl : IRestrictedInterface - Method signatures — a restricted type as a parameter type or return type, including constructors
- Field and property types —
private User _user,public User Current { get; set; } - Delegate signatures — a restricted type as a parameter or return type of a delegate declaration
- Event types —
public event UserChanged OnChanged - Generic type arguments — in all of the above:
List<User>,IRepository<User>,Action<User>,IHandler<Command<User>>
The attribute is placed on the type, not on individual members. All uses of the type are restricted.
| Pattern | Matches |
|---|---|
MyApp.Application |
Exactly that namespace |
MyApp.Application.* |
Any single segment under Application (e.g. MyApp.Application.Handlers, but not MyApp.Application.Sub.Handlers) |
MyApp.Application.** |
Any namespace rooted at Application, at any depth |
Multiple patterns are combined with OR logic — access is granted if the caller matches any of them.
[VisibleTo("MyApp.Application.**", "MyApp.Tests.**")]
public class Order { ... }[VisibleTo]can only be applied to classes and structs. It cannot be placed on methods, properties, or fields.- The attribute is not inherited — subclasses of a restricted type are not themselves restricted unless they carry their own
[VisibleTo]. - Same-layer references: because member signatures are checked, types in the same layer that reference each other must include their own namespace in the allowed list. For example, if
UserandOrderare both inMyApp.DomainandOrderappears in aUsermethod signature,Order's[VisibleTo]must include"MyApp.Domain.**"alongside any other allowed namespaces.
| ID | Severity | Message |
|---|---|---|
| SG001 | Error | Member '{0}' is available to '{1}', but is being accessed by '{2}'. Access denied by ScopeGuard. |