Tauri + Svelte 5 + Rust application for orchestrating multiple AI coding agents. Includes Claude, Aider, Codex, and Ollama provider support, multi-agent communication (btmsg/bttask), session anchors, plugin sandbox, FTS5 search, Landlock sandboxing, and 507 vitest + 110 cargo tests.
# Dependency Discipline

Add dependencies only with explicit user consent.

## Before Proposing a New Dependency

State: what it does, why it's needed, what alternatives exist (including stdlib), and its maintenance status.

## Rules

- Prefer stdlib and existing project dependencies over new ones.
- When a dependency is approved, document why in the commit message.
- Pin versions explicitly. Avoid floating ranges (`^`, `~`, `*`) in production dependencies.
- Commit lock files (package-lock.json, poetry.lock, Cargo.lock, go.sum). They enforce reproducible installs and pin transitive dependencies.
- Audit transitive dependencies, not just direct ones — they are the primary supply chain attack vector.
- Run vulnerability scanning in CI on every PR, not just periodically.
- Regularly check for outdated or deprecated dependencies and flag them.