docs: allow approved third-party packages

Updates dependency policy from 'stdlib only' to 'stdlib preferred,
approved packages allowed'. Adds initial approved list:

- gopkg.in/yaml.v3: YAML parsing for persona files
- github.com/google/go-cmp: Test comparisons with readable diffs

Includes process for adding new dependencies.

CONVENTIONS.md

@@ -2,8 +2,20 @@
 
 ## Language & Dependencies
 
-- Go standard library only — no external dependencies.
 - Target the latest stable Go release.
+- Prefer Go standard library; approved third-party packages allowed (see below).
+
+### Approved Third-Party Packages
+
+| Package | Use Case | Notes |
+|---------|----------|-------|
+| `gopkg.in/yaml.v3` | YAML parsing | Persona files, config |
+| `github.com/google/go-cmp` | Test comparisons | `cmp.Diff` for readable diffs |
+
+To add a new dependency:
+1. Open a PR with justification (why stdlib is insufficient)
+2. Package must be well-maintained, widely used, minimal transitive deps
+3. Update this table when approved
 
 ## Error Handling