docs: strict dependency allowlist with CI enforcement

STRICT ALLOWLIST policy: Only packages explicitly listed in CONVENTIONS.md may be imported. No exceptions. ## Changes - Updates CONVENTIONS.md with strict allowlist language - Adds scripts/check-deps.sh to enforce the allowlist - Adds 'make check-deps' and 'make precommit' targets - CI will fail if any unapproved dependency is detected ## Approved packages - gopkg.in/yaml.v3 — YAML parsing - github.com/google/go-cmp — test comparisons ## Process for new dependencies 1. Open a PR that ONLY updates CONVENTIONS.md 2. Requires explicit approval from Aaron 3. After merge, a separate PR may use the package
2026-05-10 13:43:59 -07:00
parent 230419f0e2
commit 4b96231b32
3 changed files with 83 additions and 2 deletions
@@ -2,8 +2,22 @@

 ## Language & Dependencies

- Go standard library only — no external dependencies.
 - Target the latest stable Go release.
+- **STRICT ALLOWLIST:** Only packages listed below may be imported. No exceptions.
+
+### Approved Third-Party Packages
+
+| Package | Use Case |
+|---------|----------|
+| `gopkg.in/yaml.v3` | YAML parsing (persona files, config) |
+| `github.com/google/go-cmp` | Test comparisons (`cmp.Diff`) |
+
+**Any import not in this table or the Go standard library is forbidden.**
+
+To request a new dependency:
+1. Open a PR that ONLY updates this table with justification
+2. Requires explicit approval from Aaron
+3. After merge, a separate PR may use the package

 ## Error Handling