|
| 1 | +# Vendored / non-cargo dependency audit — plan |
| 2 | + |
| 3 | +**Date opened:** 2026-05-04 |
| 4 | +**Beads issue:** bd-xm7l (epic) |
| 5 | +**Related skill:** `.claude/skills/upgrade-cargo-deps/SKILL.md` |
| 6 | +**Inventory doc:** `claude-notes/research/vendored-dependencies-inventory.md` |
| 7 | + |
| 8 | +## Overview |
| 9 | + |
| 10 | +The existing `upgrade-cargo-deps` skill audits Cargo dependencies but |
| 11 | +ignores everything *else* the repo vendors — Bootstrap SCSS, Bootstrap |
| 12 | +Icons, the chicago-author-date CSL style, tree-sitter highlight queries, |
| 13 | +quarto-cli's built-in extensions, knitr R scripts, etc. These assets |
| 14 | +are bundled at compile time via `include_dir!` / `include_str!` / |
| 15 | +`include_bytes!` (or copied into static-asset roots) and have no |
| 16 | +mechanism notifying us when upstream releases a new version. |
| 17 | + |
| 18 | +Goal of this work: give a future agent enough information to |
| 19 | +**audit, refresh, and verify** the vendored set on the same cadence as |
| 20 | +the Cargo audit, without re-discovering everything from scratch every |
| 21 | +time. |
| 22 | + |
| 23 | +This plan does *not* refresh any vendored asset. It only sets up the |
| 24 | +machinery (inventory + audit procedure) that subsequent runs use. |
| 25 | + |
| 26 | +## Outcome of this session |
| 27 | + |
| 28 | +This session produces three artifacts; nothing else changes in the |
| 29 | +repo: |
| 30 | + |
| 31 | +1. **Inventory doc** at `claude-notes/research/vendored-dependencies-inventory.md` |
| 32 | + cataloguing every vendored asset with its upstream, current |
| 33 | + version, bundling mechanism, update procedure, and verification |
| 34 | + steps. |
| 35 | +2. **This plan doc** describing the discovery strategies and the |
| 36 | + future skill expansion. |
| 37 | +3. **A beads issue** linking the two and tracking the next concrete |
| 38 | + steps (skill expansion + filling inventory gaps). |
| 39 | + |
| 40 | +## Discovery strategies (summarized) |
| 41 | + |
| 42 | +The full strategy list with grep recipes lives in the inventory doc |
| 43 | +under § *Discovery strategies*. The five top-level approaches: |
| 44 | + |
| 45 | +1. **Sweep `include_dir!` / `include_str!` / `include_bytes!`** in |
| 46 | + `*.rs` files; flag any path pointing outside the crate's own |
| 47 | + `src/`. |
| 48 | +2. **Walk the repo-root `resources/` tree.** Every immediate |
| 49 | + subdirectory must be in the inventory or explicitly excluded. |
| 50 | +3. **Walk per-crate `resources/` and `test-data/` directories.** |
| 51 | +4. **Grep for provenance headers** (`Source:`, `Vendored:`, `Copied |
| 52 | + from:`) in `*.scm`, `*.lua`, `*.css`, `*.scss`, `*.R`, `*.html`. |
| 53 | +5. **Inspect static-asset roots** (`hub-client/public/`, |
| 54 | + `trace-viewer/public/`). |
| 55 | +6. **Find sub-package `package.json`s** outside `hub-client/` — |
| 56 | + they often produce JS bundles `include_str!`'d into Rust. |
| 57 | +7. **Note tree-sitter parser grammar forks** (those are massive; |
| 58 | + they appear in the inventory only to silence repeated discovery, |
| 59 | + not as audit candidates). |
| 60 | + |
| 61 | +## Categorization |
| 62 | + |
| 63 | +After discovery, each candidate falls into one of: |
| 64 | + |
| 65 | +- **Tracked, version known** — appears in inventory with a current |
| 66 | + version/SHA. Audit just re-checks upstream. |
| 67 | +- **Tracked, version unknown** — in the inventory but missing a |
| 68 | + recorded version (an *inventory gap*). Audit records "unknown" and |
| 69 | + files a beads issue if not already filed. |
| 70 | +- **Repo-native** — not vendored; once verified, added to inventory's |
| 71 | + *not vendored* section so future audits skip it. |
| 72 | +- **New** — not in inventory. Audit adds an entry, flags it in the |
| 73 | + TL;DR, and (if no clear update mechanism exists) files a beads |
| 74 | + issue. |
| 75 | + |
| 76 | +## Future skill expansion |
| 77 | + |
| 78 | +The `upgrade-cargo-deps` skill should grow a sibling phase — call it |
| 79 | +**vendored audit** — that runs on the same bi-weekly cadence: |
| 80 | + |
| 81 | +- **Cadence:** same survey run; one extra phase. |
| 82 | +- **Read** the inventory doc. |
| 83 | +- **For each entry**, perform a lightweight upstream check: |
| 84 | + - For HTTP-fetchable refs (Bootstrap, Bootstrap Icons, CSL styles): |
| 85 | + fetch a tag/commit listing and compare with the recorded |
| 86 | + version. |
| 87 | + - For tree-sitter grammars: fetch the upstream commit listing. |
| 88 | + - For npm-driven bundles (`quarto-system-runtime/js/`): run |
| 89 | + `npm outdated --prefix crates/quarto-system-runtime/js` and |
| 90 | + capture the result. |
| 91 | + - For quarto-cli-derived assets (extensions, knitr R, Pandoc HTML |
| 92 | + template): compare against `external-sources/quarto-cli`'s |
| 93 | + current SHA *if* it's checked out; otherwise note as "no |
| 94 | + upstream check available this run". |
| 95 | +- **Update** the `Last reviewed` date on each entry in the inventory |
| 96 | + for entries the audit successfully verified, even if no upgrade |
| 97 | + is needed. |
| 98 | +- **For each entry where upstream is ahead**, file a `chore` beads |
| 99 | + issue (`deps,vendored`, priority `3`) with a one-line "current → |
| 100 | + available" description and a pointer to the entry's update |
| 101 | + procedure. |
| 102 | +- **Do not perform the upgrade.** Vendored upgrades typically |
| 103 | + require manual verification (themes, parity tests, citeproc |
| 104 | + fixtures) that doesn't fit the "apply patch/minor automatically" |
| 105 | + pattern of the cargo side. |
| 106 | +- **Inventory hygiene:** the audit also runs the discovery sweeps |
| 107 | + and reports any candidate that doesn't appear in the inventory. |
| 108 | + |
| 109 | +This is intentionally separate from the cargo phase — it has a |
| 110 | +different failure mode (upstream-fetch failures shouldn't abort the |
| 111 | +cargo survey) and produces a different deliverable per entry |
| 112 | +(beads-only, no lockfile commit). |
| 113 | + |
| 114 | +## Work items |
| 115 | + |
| 116 | +### Phase 1 — this session |
| 117 | + |
| 118 | +- [x] Survey the workspace for vendored / non-cargo dependencies. |
| 119 | +- [x] Identify discovery strategies that future agents can re-run. |
| 120 | +- [x] Author `claude-notes/research/vendored-dependencies-inventory.md` |
| 121 | + with entries for the assets found (Bootstrap SCSS, Bootstrap |
| 122 | + Icons, Quarto extensions, knitr R, Pandoc HTML, chicago |
| 123 | + CSL, tree-sitter highlights, tree-sitter grammars, |
| 124 | + quarto-system-runtime JS, reveal.js-menu CSS, CSL test |
| 125 | + fixtures, Lua filters). |
| 126 | +- [x] Author this plan doc. |
| 127 | +- [x] File the tracking beads issue and link it from this plan. |
| 128 | +- [x] Verify `tree-sitter-qmd` and `tree-sitter-doctemplate` are |
| 129 | + repo-native (correcting an earlier misclassification as |
| 130 | + vendored). Filed bd-7co9 (`discovered-from:bd-xm7l`) for the |
| 131 | + doc cleanup in `tree-sitter-qmd`. |
| 132 | + |
| 133 | +### Phase 2 — next session(s) |
| 134 | + |
| 135 | +- [ ] Fill inventory gaps (record upstream SHAs for |
| 136 | + knitr R scripts, Pandoc HTML template, version-less |
| 137 | + extensions). Each gap is its own beads sub-issue under the |
| 138 | + epic, label `deps,vendored,inventory-gap`. |
| 139 | +- [ ] Extend `upgrade-cargo-deps/SKILL.md` (or split into a |
| 140 | + separate `audit-vendored-deps/SKILL.md` and have one wrapper |
| 141 | + run both) with the vendored-audit phase described above. |
| 142 | +- [ ] Decide and implement the upstream-check mechanism per entry |
| 143 | + (HTTP-fetch, `npm outdated`, `git ls-remote`, etc.). Some |
| 144 | + will require WebFetch; some are local. |
| 145 | +- [ ] First real-run of the expanded skill; refine based on |
| 146 | + experience. |
| 147 | + |
| 148 | +### Phase 3 — optional / future |
| 149 | + |
| 150 | +- [ ] Consider scripting the discovery sweeps as `cargo xtask |
| 151 | + audit-vendored` so the skill calls a single command. |
| 152 | +- [ ] Add a CI lint that flags any new `include_dir!`/`include_str!` |
| 153 | + pointing into `resources/` *without* a corresponding inventory |
| 154 | + entry. (The existing `cargo xtask lint` infrastructure under |
| 155 | + `crates/xtask/src/lint/` is a natural home.) |
| 156 | + |
| 157 | +## Notes / decisions |
| 158 | + |
| 159 | +- **Inventory location** is `claude-notes/research/` (per |
| 160 | + `CLAUDE.md` § *Where information lives*: "research/ for findings, |
| 161 | + audits, reference material"). It is *not* in |
| 162 | + `.claude/skills/upgrade-cargo-deps/` because the inventory is |
| 163 | + general-purpose reference material, not skill-internal pin data |
| 164 | + (cf. `PINS.md`, which is skill-specific). |
| 165 | +- **Inventory is data, not prose.** Each entry is structured so the |
| 166 | + skill can parse it without much language understanding. Future |
| 167 | + refactor: convert to YAML/TOML with a schema if the skill grows |
| 168 | + more complex. |
| 169 | +- **Tree-sitter parser grammar forks** are explicitly out of scope |
| 170 | + for any automated audit — they're rebased manually on a long |
| 171 | + cadence. The inventory entry is purely to suppress repeated |
| 172 | + discovery. |
| 173 | +- **Repo-native Lua filters** are listed under entry L for the same |
| 174 | + reason. |
0 commit comments