# Delegation intent: dependency/license audit
Intent:

- Audit Yoi's external dependencies and license posture before public MIT publication.

Requirements:

- Inventory Rust dependencies from `Cargo.lock` / `cargo metadata`, separating direct workspace dependencies from transitive dependencies where practical.
- Identify direct dependencies that look heavy, weakly justified, redundant, or replaceable with simpler local code or already-present dependencies.
- Check license metadata for direct and transitive Rust dependencies; flag unknown, missing, copyleft, non-standard, or notice-relevant licenses.
- Inspect Nix/system dependencies from `flake.nix`, `package.nix`, and `devshell.nix` at a high level.
- Produce a report at `work-items/open/20260601-123641-dependency-license-audit/artifacts/audit-report.md`.

Invariants:

- Do not modify dependency manifests, source code, lockfiles, docs, or work item files other than the audit report artifact.
- Do not read ignored secret-like file contents.
- Treat Cargo/Nix files and command output as current-state evidence; do not rely on resident memory for exact dependency/license facts.
- Distinguish release blockers from advisory cleanup opportunities.

Non-goals:

- Do not remove dependencies.
- Do not change licenses.
- Do not implement replacements.
- Do not perform a public-release history sanitation audit beyond dependency/license implications.

Escalate if:

- A dependency appears incompatible with MIT publication.
- License metadata is missing for a significant dependency and cannot be resolved from local registry metadata without web access.
- A dependency replacement would require design judgment rather than obvious cleanup.
- Commands require network access or mutation beyond the artifact report.

Validation/evidence:

- Record every command used for inventory/license evidence.
- Prefer read-only commands such as `cargo metadata --locked`, `cargo tree --locked`, `nix flake metadata`, and direct file reads.
- If a tool is unavailable, record the fallback method.