docs: strict dependency allowlist with CI enforcement

STRICT ALLOWLIST policy: Only packages explicitly listed in CONVENTIONS.md
may be imported. No exceptions.

## Changes

- Updates CONVENTIONS.md with strict allowlist language
- Adds scripts/check-deps.sh to enforce the allowlist
- Adds 'make check-deps' and 'make precommit' targets
- CI will fail if any unapproved dependency is detected

## Approved packages

- gopkg.in/yaml.v3 — YAML parsing
- github.com/google/go-cmp — test comparisons

## Process for new dependencies

1. Open a PR that ONLY updates CONVENTIONS.md
2. Requires explicit approval from Aaron
3. After merge, a separate PR may use the package

CONVENTIONS.md

@@ -2,8 +2,22 @@
 
 ## Language & Dependencies
 
-- Go standard library only — no external dependencies.
 - Target the latest stable Go release.
+- **STRICT ALLOWLIST:** Only packages listed below may be imported. No exceptions.
+
+### Approved Third-Party Packages
+
+| Package | Use Case |
+|---------|----------|
+| `gopkg.in/yaml.v3` | YAML parsing (persona files, config) |
+| `github.com/google/go-cmp` | Test comparisons (`cmp.Diff`) |
+
+**Any import not in this table or the Go standard library is forbidden.**
+
+To request a new dependency:
+1. Open a PR that ONLY updates this table with justification
+2. Requires explicit approval from Aaron
+3. After merge, a separate PR may use the package
 
 ## Error Handling
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build test test-integration lint clean coverage
+.PHONY: build test test-integration lint clean coverage check-deps
 
 build:
 	go build -o review-bot ./cmd/review-bot/
@@ -12,9 +12,15 @@ test-integration:
 lint:
 	go vet ./...
 
+check-deps:
+	@./scripts/check-deps.sh
+
 clean:
 	rm -f review-bot
 
 coverage:
 	go test -coverprofile=coverage.out ./...
 	go tool cover -func=coverage.out
+
+# Precommit runs all checks required before pushing
+precommit: check-deps lint test

scripts/check-deps.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# check-deps.sh - Enforces the strict dependency allowlist from CONVENTIONS.md
+# Exit 1 if any unapproved import is found.
+
+set -euo pipefail
+
+# Approved third-party packages (from CONVENTIONS.md)
+ALLOWED=(
+    "gopkg.in/yaml.v3"
+    "github.com/google/go-cmp"
+)
+
+# Build regex pattern from allowed list
+ALLOWED_PATTERN=""
+for pkg in "${ALLOWED[@]}"; do
+    if [ -z "$ALLOWED_PATTERN" ]; then
+        ALLOWED_PATTERN="$pkg"
+    else
+        ALLOWED_PATTERN="$ALLOWED_PATTERN|$pkg"
+    fi
+done
+
+# Get all imports from go.mod (excluding the module itself and stdlib)
+IMPORTS=$(go list -m all 2>/dev/null | tail -n +2 | awk '{print $1}' || true)
+
+if [ -z "$IMPORTS" ]; then
+    echo "✅ No external dependencies"
+    exit 0
+fi
+
+VIOLATIONS=""
+while IFS= read -r import; do
+    # Skip empty lines
+    [ -z "$import" ] && continue
+    
+    # Check if import matches any allowed pattern (prefix match for subpackages)
+    MATCHED=false
+    for allowed in "${ALLOWED[@]}"; do
+        if [[ "$import" == "$allowed" ]] || [[ "$import" == "$allowed/"* ]]; then
+            MATCHED=true
+            break
+        fi
+    done
+    
+    if [ "$MATCHED" = false ]; then
+        VIOLATIONS="$VIOLATIONS\n  - $import"
+    fi
+done <<< "$IMPORTS"
+
+if [ -n "$VIOLATIONS" ]; then
+    echo "❌ UNAPPROVED DEPENDENCIES DETECTED"
+    echo -e "The following imports are not in the allowlist:$VIOLATIONS"
+    echo ""
+    echo "To add a dependency:"
+    echo "  1. Open a PR that ONLY updates CONVENTIONS.md"
+    echo "  2. Get explicit approval from Aaron"
+    echo "  3. After merge, use the package in a separate PR"
+    exit 1
+fi
+
+echo "✅ All dependencies are approved"