review-bot/scripts/check-deps.sh

#!/bin/bash
# check-deps.sh - Enforces the strict dependency allowlist from CONVENTIONS.md
# Exit 1 if any unapproved import is found.

set -euo pipefail

# Approved third-party packages (from CONVENTIONS.md)
ALLOWED=(
    "gopkg.in/yaml.v3"
    "github.com/google/go-cmp"
)

# Build regex pattern from allowed list
ALLOWED_PATTERN=""
for pkg in "${ALLOWED[@]}"; do
    if [ -z "$ALLOWED_PATTERN" ]; then
        ALLOWED_PATTERN="$pkg"
    else
        ALLOWED_PATTERN="$ALLOWED_PATTERN|$pkg"
    fi
done

# Get all imports from go.mod (excluding the module itself and stdlib)
IMPORTS=$(go list -m all 2>/dev/null | tail -n +2 | awk '{print $1}' || true)

if [ -z "$IMPORTS" ]; then
    echo "✅ No external dependencies"
    exit 0
fi

VIOLATIONS=""
while IFS= read -r import; do
    # Skip empty lines
    [ -z "$import" ] && continue
    
    # Check if import matches any allowed pattern (prefix match for subpackages)
    MATCHED=false
    for allowed in "${ALLOWED[@]}"; do
        if [[ "$import" == "$allowed" ]] || [[ "$import" == "$allowed/"* ]]; then
            MATCHED=true
            break
        fi
    done
    
    if [ "$MATCHED" = false ]; then
        VIOLATIONS="$VIOLATIONS\n  - $import"
    fi
done <<< "$IMPORTS"

if [ -n "$VIOLATIONS" ]; then
    echo "❌ UNAPPROVED DEPENDENCIES DETECTED"
    echo -e "The following imports are not in the allowlist:$VIOLATIONS"
    echo ""
    echo "To add a dependency:"
    echo "  1. Open a PR that ONLY updates CONVENTIONS.md"
    echo "  2. Get explicit approval from Aaron"
    echo "  3. After merge, use the package in a separate PR"
    exit 1
fi

echo "✅ All dependencies are approved"