docs: allow approved third-party packages

Updates dependency policy from 'stdlib only' to 'stdlib preferred,
approved packages allowed'. Adds initial approved list:

- gopkg.in/yaml.v3: YAML parsing for persona files
- github.com/google/go-cmp: Test comparisons with readable diffs

Includes process for adding new dependencies.

CONVENTIONS.md

@@ -3,21 +3,19 @@
 ## Language & Dependencies
 
 - Target the latest stable Go release.
-- **STRICT ALLOWLIST:** Only packages listed below may be imported. No exceptions.
+- Prefer Go standard library; approved third-party packages allowed (see below).
 
 ### Approved Third-Party Packages
 
-| Package | Use Case |
+| Package | Use Case | Notes |
-|---------|----------|
+|---------|----------|-------|
-| `gopkg.in/yaml.v3` | YAML parsing (persona files, config) |
+| `gopkg.in/yaml.v3` | YAML parsing | Persona files, config |
-| `github.com/google/go-cmp` | Test comparisons (`cmp.Diff`) |
+| `github.com/google/go-cmp` | Test comparisons | `cmp.Diff` for readable diffs |
 
-**Any import not in this table or the Go standard library is forbidden.**
+To add a new dependency:
-
+1. Open a PR with justification (why stdlib is insufficient)
-To request a new dependency:
+2. Package must be well-maintained, widely used, minimal transitive deps
-1. Open a PR that ONLY updates this table with justification
+3. Update this table when approved
-2. Requires explicit approval from Aaron
-3. After merge, a separate PR may use the package
 
 ## Error Handling
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build test test-integration lint clean coverage check-deps
+.PHONY: build test test-integration lint clean coverage
 
 build:
 	go build -o review-bot ./cmd/review-bot/
@@ -12,15 +12,9 @@ test-integration:
 lint:
 	go vet ./...
 
-check-deps:
-	@./scripts/check-deps.sh
-
 clean:
 	rm -f review-bot
 
 coverage:
 	go test -coverprofile=coverage.out ./...
 	go tool cover -func=coverage.out
-
-# Precommit runs all checks required before pushing
-precommit: check-deps lint test

scripts/check-deps.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-# check-deps.sh - Enforces the strict dependency allowlist from CONVENTIONS.md
-# Exit 1 if any unapproved import is found.
-
-set -euo pipefail
-
-# Approved third-party packages (from CONVENTIONS.md)
-ALLOWED=(
-    "gopkg.in/yaml.v3"
-    "github.com/google/go-cmp"
-)
-
-# Build regex pattern from allowed list
-ALLOWED_PATTERN=""
-for pkg in "${ALLOWED[@]}"; do
-    if [ -z "$ALLOWED_PATTERN" ]; then
-        ALLOWED_PATTERN="$pkg"
-    else
-        ALLOWED_PATTERN="$ALLOWED_PATTERN|$pkg"
-    fi
-done
-
-# Get all imports from go.mod (excluding the module itself and stdlib)
-IMPORTS=$(go list -m all 2>/dev/null | tail -n +2 | awk '{print $1}' || true)
-
-if [ -z "$IMPORTS" ]; then
-    echo "✅ No external dependencies"
-    exit 0
-fi
-
-VIOLATIONS=""
-while IFS= read -r import; do
-    # Skip empty lines
-    [ -z "$import" ] && continue
-    
-    # Check if import matches any allowed pattern (prefix match for subpackages)
-    MATCHED=false
-    for allowed in "${ALLOWED[@]}"; do
-        if [[ "$import" == "$allowed" ]] || [[ "$import" == "$allowed/"* ]]; then
-            MATCHED=true
-            break
-        fi
-    done
-    
-    if [ "$MATCHED" = false ]; then
-        VIOLATIONS="$VIOLATIONS\n  - $import"
-    fi
-done <<< "$IMPORTS"
-
-if [ -n "$VIOLATIONS" ]; then
-    echo "❌ UNAPPROVED DEPENDENCIES DETECTED"
-    echo -e "The following imports are not in the allowlist:$VIOLATIONS"
-    echo ""
-    echo "To add a dependency:"
-    echo "  1. Open a PR that ONLY updates CONVENTIONS.md"
-    echo "  2. Get explicit approval from Aaron"
-    echo "  3. After merge, use the package in a separate PR"
-    exit 1
-fi
-
-echo "✅ All dependencies are approved"