0be354a920
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
27 lines
1.1 KiB
Markdown
27 lines
1.1 KiB
Markdown
## No dependency bumps
|
|
|
|
You MUST NOT add, remove, or upgrade dependencies. Specifically:
|
|
|
|
- Do NOT edit the `[dependencies]`, `[dev-dependencies]`,
|
|
`[build-dependencies]`, or `[workspace.dependencies]` sections of
|
|
any `Cargo.toml`
|
|
- Do NOT write or regenerate `Cargo.lock`
|
|
- Do NOT `cargo add`, `cargo remove`, or `cargo update`
|
|
|
|
Each new or upgraded dependency expands the supply-chain attack
|
|
surface and can trigger breaking-change cascades across the
|
|
workspace. Dependency decisions require a separate review, a
|
|
dedicated task, and an orchestrator-approved lock diff.
|
|
|
|
Editing other sections of `Cargo.toml` (e.g. `[package]`,
|
|
`[features]`, `[[bin]]`, `[lib]`, `[package.metadata.*]`) is allowed
|
|
if the file is in your whitelist and not in your denylist. The gate
|
|
inspects the specific region of the diff.
|
|
|
|
If your task genuinely requires a new dependency, STOP. Describe the
|
|
crate, version, and reason in your return. The orchestrator will
|
|
decide whether to re-spawn you with an opt-in flag or handle the
|
|
dep-bump through a separate review.
|
|
|
|
On return, the verifier diffs `Cargo.lock` against main; any change
|
|
rejects the return.
|