LedgerHQ · lewisd5 · Apr 30, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 29, 2026
diff --git a/.changeset/nx-enforce-module-boundaries-new-arch.md b/.changeset/nx-enforce-module-boundaries-new-arch.md
@@ -0,0 +1,12 @@
+---
+"@domain/entity-currency": minor
+"@domain/entity-currency-crypto": minor
+"@domain/entity-currency-fiat": minor
+"@domain/entity-currency-token": minor
+"@domain/entity-currency-unit": minor
+"@shared/feature-flags": minor
+"@shared/schema-primitives": minor
+"@features/market-banner": minor
+---
+
+Enforce module boundaries on the new architecture (`domain/`, `shared/`, `features/`) via a pure Nx project-graph validator (LIVE-29780). The project-tags plugin now infers `scope:domain`, `scope:shared`, `type:domain-entity`, and `type:domain-api`; a cacheable `lint:boundaries` Nx target walks the graph and fails CI on any workspace→workspace edge that violates the layered rules (shared leaf, domain depends on shared, features depend on domain+shared, entities cannot import APIs). No ESLint involvement — stays aligned with the ongoing oxlint migration; config ports verbatim to `.oxlintrc.json` when `@nx/oxlint` publishes stable.
@@ -108,6 +108,13 @@ jobs:
     uses: LedgerHQ/ledger-live/.github/workflows/test-domain-reusable.yml@develop
     secrets: inherit
 
+  enforce-boundaries:
+    name: "Enforce Module Boundaries"
+    needs: determine-affected
+    if: ${{(contains(needs.determine-affected.outputs.paths, 'domain') || contains(needs.determine-affected.outputs.paths, 'shared') || contains(needs.determine-affected.outputs.paths, 'features')) && !github.event.pull_request.head.repo.fork}}
+    uses: LedgerHQ/ledger-live/.github/workflows/test-boundaries-reusable.yml@ci/nx-enforce-module-boundaries-new-arch
+    secrets: inherit
+
   test-design-system:
     name: "Test UI Libs"
     needs: determine-affected

@@ -0,0 +1,49 @@
+name: "[Module Boundaries] - Test - Called"
+
+on:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: |
+          If you run this manually, and want to run on a PR, the correct ref should be refs/pull/{PR_NUMBER}/merge to
+          have the "normal" scenario involving checking out a merge commit between your branch and the base branch.
+          If you want to run only on a branch or specific commit, you can use either the sha or the branch name instead (prefer the first version for PRs).
+        required: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  enforce-boundaries:
+    name: Enforce Module Boundaries
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    env:
+      NODE_OPTIONS: "--max-old-space-size=4096"
+      CI_OS: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          ref: ${{ inputs.ref || github.sha }}
+
+      - name: Setup the caches
+        uses: LedgerHQ/ledger-live/tools/actions/composites/setup-caches@develop
+        id: setup-caches
+        with:
+          use-mise: true
+          gh-token: ${{ secrets.GITHUB_TOKEN }}
+          cache-develop-role-arn: ${{ secrets.AWS_CACHE_OIDC_ROLE_ARN_DEVELOP }}
+          cache-branch-role-arn: ${{ secrets.AWS_CACHE_OIDC_ROLE_ARN_BRANCH }}
+          nx-key: ${{ secrets.NX_KEY }}
+          accountId: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
+          roleName: ${{ secrets.AWS_CACHE_ROLE_NAME }}
+          region: ${{ secrets.AWS_CACHE_REGION }}
+
+      - name: Install dependencies
+        run: pnpm i
+
+      - name: Enforce module boundaries
+        run: pnpm exec nx run enforce-boundaries:lint:boundaries
diff --git a/package.json b/package.json
@@ -19,6 +19,7 @@
   "scripts": {
     "nx:write-cache-config": "node tools/nx/write-nx-cache-config.mjs",
     "postinstall": "pnpm run nx:write-cache-config",
+    "lint:boundaries": "nx run enforce-boundaries:lint:boundaries",
     "bump": "changeset version",
     "clean": "git clean -fdX",
     "changelog": "changeset add",

@@ -0,0 +1,30 @@
+"use strict";
+
+/**
+ * Module-boundary dependency constraints for the new architecture
+ * (domain/, shared/, features/). Shape mirrors @nx/enforce-module-boundaries
+ * depConstraints so this config ports verbatim to .oxlintrc.json when
+ * @nx/oxlint publishes stable.
+ *
+ * A rule fires only when the source package has the sourceTag. Legacy
+ * packages without matching tags (libs/, apps/, e2e/, tools/) are
+ * unconstrained on purpose.
+ */
+const DEP_CONSTRAINTS = [
+  { sourceTag: "scope:shared", onlyDependOnLibsWithTags: ["scope:shared"] },
+  { sourceTag: "scope:domain", onlyDependOnLibsWithTags: ["scope:domain", "scope:shared"] },
+  {
+    sourceTag: "scope:features",
+    onlyDependOnLibsWithTags: ["scope:features", "scope:domain", "scope:shared"],
+  },
+  {
+    sourceTag: "type:domain-entity",
+    onlyDependOnLibsWithTags: ["type:domain-entity", "scope:shared"],
+  },
+  {
+    sourceTag: "type:domain-api",
+    onlyDependOnLibsWithTags: ["type:domain-entity", "type:domain-api", "scope:shared"],
+  },
+];
+
+module.exports = { DEP_CONSTRAINTS };
@@ -0,0 +1,26 @@
+{
+  "$schema": "../../../node_modules/nx/schemas/project-schema.json",
+  "name": "enforce-boundaries",
+  "projectType": "library",
+  "targets": {
+    "lint:boundaries": {
+      "executor": "nx:run-commands",
+      "cache": true,
+      "inputs": [
+        "{workspaceRoot}/tools/nx-plugins/enforce-boundaries/**/*",
+        "{workspaceRoot}/tools/nx-plugins/project-tags/plugin.js",
+        "{workspaceRoot}/domain/**/package.json",
+        "{workspaceRoot}/shared/**/package.json",
+        "{workspaceRoot}/features/**/package.json",
+        "{workspaceRoot}/apps/**/package.json",
+        "{workspaceRoot}/libs/**/package.json",
+        "{workspaceRoot}/pnpm-workspace.yaml",
+        "{workspaceRoot}/nx.cache-config.json"
+      ],
+      "options": {
+        "cwd": "{workspaceRoot}",
+        "command": "node tools/nx-plugins/enforce-boundaries/validate.js"
+      }
+    }
+  }
+}
@@ -0,0 +1,72 @@
+"use strict";
+
+const { createProjectGraphAsync } = require("@nx/devkit");
+const { DEP_CONSTRAINTS } = require("./constraints");
+
+/**
+ * @typedef {{ data?: { tags?: string[] } }} GraphNode
+ * @typedef {{ target: string }} GraphEdge
+ * @typedef {{ nodes: Record<string, GraphNode>, dependencies: Record<string, GraphEdge[]> }} ProjectGraphLike
+ * @typedef {{ sourceName: string, sourceTag: string, target: string, targetTags: string[] }} Violation
+ */
+
+/**
+ * Walk the Nx project graph and collect every edge that violates the
+ * DEP_CONSTRAINTS rules. Exported for unit testing against a synthetic graph.
+ *
+ * @param {ProjectGraphLike} graph
+ * @returns {Violation[]}
+ */
+function findViolations(graph) {
+  const violations = [];
+
+  for (const [sourceName, edges] of Object.entries(graph.dependencies)) {
+    const sourceNode = graph.nodes[sourceName];
+    if (!sourceNode) continue;
+    const sourceTags = sourceNode.data?.tags ?? [];
+
+    for (const edge of edges) {
+      const targetNode = graph.nodes[edge.target];
+      if (!targetNode) continue; // external / npm targets carry no tags; skip
+      const targetTags = targetNode.data?.tags ?? [];
+
+      for (const { sourceTag, onlyDependOnLibsWithTags } of DEP_CONSTRAINTS) {
+        if (!sourceTags.includes(sourceTag)) continue;
+        const allowed = targetTags.some(t => onlyDependOnLibsWithTags.includes(t));
+        if (!allowed) {
+          violations.push({ sourceName, sourceTag, target: edge.target, targetTags });
+        }
+      }
+    }
+  }
+
+  return violations;
+}
+
+async function main() {
+  const graph = await createProjectGraphAsync({ exitOnError: true });
+  const violations = findViolations(graph);
+
+  if (violations.length > 0) {
+    console.error(`\n✗ ${violations.length} module-boundary violation(s):\n`);
+    for (const v of violations) {
+      const tgtTags = v.targetTags.length > 0 ? v.targetTags.join(", ") : "untagged";
+      console.error(`  ${v.sourceName} [${v.sourceTag}] → ${v.target} [${tgtTags}]`);
+    }
+    console.error(
+      "\nAllowed edges are defined in tools/nx-plugins/enforce-boundaries/constraints.js\n",
+    );
+    process.exit(1);
+  }
+
+  console.log("✓ module boundaries ok");
+}
+
+module.exports = { findViolations };
+
+if (require.main === module) {
+  main().catch(err => {
+    console.error(err);
+    process.exit(1);
+  });
+}