Skip to content

Commit eb4181c

Browse files
author
Carlos Scheidegger
committed
Merge remote-tracking branch 'origin/main'
2 parents 3962461 + 8b385bc commit eb4181c

42 files changed

Lines changed: 676 additions & 1312 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.beads/issues.jsonl

Lines changed: 2 additions & 0 deletions
Large diffs are not rendered by default.
Lines changed: 174 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,174 @@
1+
# Vendored / non-cargo dependency audit — plan
2+
3+
**Date opened:** 2026-05-04
4+
**Beads issue:** bd-xm7l (epic)
5+
**Related skill:** `.claude/skills/upgrade-cargo-deps/SKILL.md`
6+
**Inventory doc:** `claude-notes/research/vendored-dependencies-inventory.md`
7+
8+
## Overview
9+
10+
The existing `upgrade-cargo-deps` skill audits Cargo dependencies but
11+
ignores everything *else* the repo vendors — Bootstrap SCSS, Bootstrap
12+
Icons, the chicago-author-date CSL style, tree-sitter highlight queries,
13+
quarto-cli's built-in extensions, knitr R scripts, etc. These assets
14+
are bundled at compile time via `include_dir!` / `include_str!` /
15+
`include_bytes!` (or copied into static-asset roots) and have no
16+
mechanism notifying us when upstream releases a new version.
17+
18+
Goal of this work: give a future agent enough information to
19+
**audit, refresh, and verify** the vendored set on the same cadence as
20+
the Cargo audit, without re-discovering everything from scratch every
21+
time.
22+
23+
This plan does *not* refresh any vendored asset. It only sets up the
24+
machinery (inventory + audit procedure) that subsequent runs use.
25+
26+
## Outcome of this session
27+
28+
This session produces three artifacts; nothing else changes in the
29+
repo:
30+
31+
1. **Inventory doc** at `claude-notes/research/vendored-dependencies-inventory.md`
32+
cataloguing every vendored asset with its upstream, current
33+
version, bundling mechanism, update procedure, and verification
34+
steps.
35+
2. **This plan doc** describing the discovery strategies and the
36+
future skill expansion.
37+
3. **A beads issue** linking the two and tracking the next concrete
38+
steps (skill expansion + filling inventory gaps).
39+
40+
## Discovery strategies (summarized)
41+
42+
The full strategy list with grep recipes lives in the inventory doc
43+
under § *Discovery strategies*. The five top-level approaches:
44+
45+
1. **Sweep `include_dir!` / `include_str!` / `include_bytes!`** in
46+
`*.rs` files; flag any path pointing outside the crate's own
47+
`src/`.
48+
2. **Walk the repo-root `resources/` tree.** Every immediate
49+
subdirectory must be in the inventory or explicitly excluded.
50+
3. **Walk per-crate `resources/` and `test-data/` directories.**
51+
4. **Grep for provenance headers** (`Source:`, `Vendored:`, `Copied
52+
from:`) in `*.scm`, `*.lua`, `*.css`, `*.scss`, `*.R`, `*.html`.
53+
5. **Inspect static-asset roots** (`hub-client/public/`,
54+
`trace-viewer/public/`).
55+
6. **Find sub-package `package.json`s** outside `hub-client/`
56+
they often produce JS bundles `include_str!`'d into Rust.
57+
7. **Note tree-sitter parser grammar forks** (those are massive;
58+
they appear in the inventory only to silence repeated discovery,
59+
not as audit candidates).
60+
61+
## Categorization
62+
63+
After discovery, each candidate falls into one of:
64+
65+
- **Tracked, version known** — appears in inventory with a current
66+
version/SHA. Audit just re-checks upstream.
67+
- **Tracked, version unknown** — in the inventory but missing a
68+
recorded version (an *inventory gap*). Audit records "unknown" and
69+
files a beads issue if not already filed.
70+
- **Repo-native** — not vendored; once verified, added to inventory's
71+
*not vendored* section so future audits skip it.
72+
- **New** — not in inventory. Audit adds an entry, flags it in the
73+
TL;DR, and (if no clear update mechanism exists) files a beads
74+
issue.
75+
76+
## Future skill expansion
77+
78+
The `upgrade-cargo-deps` skill should grow a sibling phase — call it
79+
**vendored audit** — that runs on the same bi-weekly cadence:
80+
81+
- **Cadence:** same survey run; one extra phase.
82+
- **Read** the inventory doc.
83+
- **For each entry**, perform a lightweight upstream check:
84+
- For HTTP-fetchable refs (Bootstrap, Bootstrap Icons, CSL styles):
85+
fetch a tag/commit listing and compare with the recorded
86+
version.
87+
- For tree-sitter grammars: fetch the upstream commit listing.
88+
- For npm-driven bundles (`quarto-system-runtime/js/`): run
89+
`npm outdated --prefix crates/quarto-system-runtime/js` and
90+
capture the result.
91+
- For quarto-cli-derived assets (extensions, knitr R, Pandoc HTML
92+
template): compare against `external-sources/quarto-cli`'s
93+
current SHA *if* it's checked out; otherwise note as "no
94+
upstream check available this run".
95+
- **Update** the `Last reviewed` date on each entry in the inventory
96+
for entries the audit successfully verified, even if no upgrade
97+
is needed.
98+
- **For each entry where upstream is ahead**, file a `chore` beads
99+
issue (`deps,vendored`, priority `3`) with a one-line "current →
100+
available" description and a pointer to the entry's update
101+
procedure.
102+
- **Do not perform the upgrade.** Vendored upgrades typically
103+
require manual verification (themes, parity tests, citeproc
104+
fixtures) that doesn't fit the "apply patch/minor automatically"
105+
pattern of the cargo side.
106+
- **Inventory hygiene:** the audit also runs the discovery sweeps
107+
and reports any candidate that doesn't appear in the inventory.
108+
109+
This is intentionally separate from the cargo phase — it has a
110+
different failure mode (upstream-fetch failures shouldn't abort the
111+
cargo survey) and produces a different deliverable per entry
112+
(beads-only, no lockfile commit).
113+
114+
## Work items
115+
116+
### Phase 1 — this session
117+
118+
- [x] Survey the workspace for vendored / non-cargo dependencies.
119+
- [x] Identify discovery strategies that future agents can re-run.
120+
- [x] Author `claude-notes/research/vendored-dependencies-inventory.md`
121+
with entries for the assets found (Bootstrap SCSS, Bootstrap
122+
Icons, Quarto extensions, knitr R, Pandoc HTML, chicago
123+
CSL, tree-sitter highlights, tree-sitter grammars,
124+
quarto-system-runtime JS, reveal.js-menu CSS, CSL test
125+
fixtures, Lua filters).
126+
- [x] Author this plan doc.
127+
- [x] File the tracking beads issue and link it from this plan.
128+
- [x] Verify `tree-sitter-qmd` and `tree-sitter-doctemplate` are
129+
repo-native (correcting an earlier misclassification as
130+
vendored). Filed bd-7co9 (`discovered-from:bd-xm7l`) for the
131+
doc cleanup in `tree-sitter-qmd`.
132+
133+
### Phase 2 — next session(s)
134+
135+
- [ ] Fill inventory gaps (record upstream SHAs for
136+
knitr R scripts, Pandoc HTML template, version-less
137+
extensions). Each gap is its own beads sub-issue under the
138+
epic, label `deps,vendored,inventory-gap`.
139+
- [ ] Extend `upgrade-cargo-deps/SKILL.md` (or split into a
140+
separate `audit-vendored-deps/SKILL.md` and have one wrapper
141+
run both) with the vendored-audit phase described above.
142+
- [ ] Decide and implement the upstream-check mechanism per entry
143+
(HTTP-fetch, `npm outdated`, `git ls-remote`, etc.). Some
144+
will require WebFetch; some are local.
145+
- [ ] First real-run of the expanded skill; refine based on
146+
experience.
147+
148+
### Phase 3 — optional / future
149+
150+
- [ ] Consider scripting the discovery sweeps as `cargo xtask
151+
audit-vendored` so the skill calls a single command.
152+
- [ ] Add a CI lint that flags any new `include_dir!`/`include_str!`
153+
pointing into `resources/` *without* a corresponding inventory
154+
entry. (The existing `cargo xtask lint` infrastructure under
155+
`crates/xtask/src/lint/` is a natural home.)
156+
157+
## Notes / decisions
158+
159+
- **Inventory location** is `claude-notes/research/` (per
160+
`CLAUDE.md` § *Where information lives*: "research/ for findings,
161+
audits, reference material"). It is *not* in
162+
`.claude/skills/upgrade-cargo-deps/` because the inventory is
163+
general-purpose reference material, not skill-internal pin data
164+
(cf. `PINS.md`, which is skill-specific).
165+
- **Inventory is data, not prose.** Each entry is structured so the
166+
skill can parse it without much language understanding. Future
167+
refactor: convert to YAML/TOML with a schema if the skill grows
168+
more complex.
169+
- **Tree-sitter parser grammar forks** are explicitly out of scope
170+
for any automated audit — they're rebased manually on a long
171+
cadence. The inventory entry is purely to suppress repeated
172+
discovery.
173+
- **Repo-native Lua filters** are listed under entry L for the same
174+
reason.

0 commit comments

Comments
 (0)