@oddessentials/repo-standards 1.0.1 → 1.2.0

package/README.md

@@ -68,7 +68,7 @@ The master spec includes a `meta` block that defines system-wide expectations:
 
 ## Structure of `config/standards.json`
 
-- `version` — schema version
+- `version` — schema version (currently `2`)
 - `meta` — global rules and migration policy
 - `ciSystems` — supported CI platforms
   _(currently `github-actions`, `azure-devops`)_
@@ -76,6 +76,8 @@ The master spec includes a `meta` block that defines system-wide expectations:
   - `typescript-js`
   - `csharp-dotnet`
   - `python`
+  - `rust`
+  - `go`
 
 - `checklist`
   - `core` — must-have requirements
@@ -91,6 +93,54 @@ Each checklist item includes:
   - example tools
   - example config files
   - notes and trade-offs (including ML variants for Python)
+  - `anyOfFiles` — either-or file compliance hints (v2+)
+  - `pinningNotes` — version pinning guidance (v2+)
+
+### Schema Version
+
+The `version` field indicates schema compatibility:
+
+- `1` — Original schema
+- `2` — Adds `anyOfFiles` and `pinningNotes` fields (additive, non-breaking)
+
+Consumers should ignore unknown fields for forward compatibility.
+
+---
+
+## Dependency Governance (Recommended Items)
+
+Two recommended checklist items support supply-chain governance:
+
+| Item                            | Scope             | Primary Tools                            |
+| ------------------------------- | ----------------- | ---------------------------------------- |
+| `dependency-update-automation`  | Automated PR bots | Renovate (cross-CI), Dependabot (GitHub) |
+| `dependency-architecture-rules` | Import boundaries | Varies by stack                          |
+
+> **Note**: `dependency-security` (core) covers vulnerability scanning and lockfiles.
+> These recommended items are complementary, not overlapping.
+
+### Renovate vs Dependabot
+
+| Factor             | Renovate            | Dependabot  |
+| ------------------ | ------------------- | ----------- |
+| CI Support         | GHA + AzDO + GitLab | GitHub only |
+| Config Flexibility | High                | Medium      |
+| Grouping           | Advanced            | Basic       |
+| Automerge          | Configurable        | Limited     |
+
+**Recommendation**: Use Renovate for cross-CI portability.
+
+### Azure DevOps Renovate Setup
+
+For Azure DevOps, Renovate requires one of:
+
+1. **Mend Renovate Hosted Service** — Install from Azure Marketplace
+2. **Self-Hosted Runner** — Scheduled pipeline with `renovate/renovate` Docker image
+3. **Container Job** — Run Renovate in a container step
+
+Required secrets:
+
+- `AZURE_DEVOPS_TOKEN` (PAT with Code Read/Write, PR Contribute)
 
 ---
 
@@ -153,7 +203,7 @@ Typical usage:
 - Load a **stack-specific view** as:
   - a CI contract
   - an onboarding checklist
-  - input to autonomous agents (e.g. Odd Hive Mind)
+  - input to autonomous agents
 
 This package is intentionally **read-only** and **side-effect free**.
 

package/dist/config/standards.csharp-dotnet.azure-devops.json

@@ -387,6 +387,61 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Both support NuGet packages. Renovate has better Central Package Management (Directory.Packages.props) support. For AzDO: use self-hosted Renovate runner.",
+          "pinningNotes": "Pin Renovate version in pipeline definition.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify NuGet update PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "NsDepCop.config.nsdepcop",
+            "ArchitectureTests.cs"
+          ],
+          "exampleTools": [
+            "NsDepCop",
+            "ArchUnitNET"
+          ],
+          "notes": "NsDepCop enforces namespace dependency rules via config file. ArchUnitNET uses test code for architectural assertions.",
+          "optionalFiles": [
+            "NsDepCop.config.nsdepcop"
+          ],
+          "verification": "Build fails on namespace violations, or architecture tests run as part of test suite."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -510,7 +565,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -538,5 +594,5 @@
   },
   "stack": "csharp-dotnet",
   "stackLabel": "C# / .NET",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.csharp-dotnet.github-actions.json

@@ -387,6 +387,61 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Both support NuGet packages. Renovate has better Central Package Management (Directory.Packages.props) support. For AzDO: use self-hosted Renovate runner.",
+          "pinningNotes": "Pin Renovate version in pipeline definition.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify NuGet update PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "NsDepCop.config.nsdepcop",
+            "ArchitectureTests.cs"
+          ],
+          "exampleTools": [
+            "NsDepCop",
+            "ArchUnitNET"
+          ],
+          "notes": "NsDepCop enforces namespace dependency rules via config file. ArchUnitNET uses test code for architectural assertions.",
+          "optionalFiles": [
+            "NsDepCop.config.nsdepcop"
+          ],
+          "verification": "Build fails on namespace violations, or architecture tests run as part of test suite."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {
@@ -510,7 +565,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -538,5 +594,5 @@
   },
   "stack": "csharp-dotnet",
   "stackLabel": "C# / .NET",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.csharp-dotnet.json

@@ -435,6 +435,69 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Both support NuGet packages. Renovate has better Central Package Management (Directory.Packages.props) support. For AzDO: use self-hosted Renovate runner.",
+          "pinningNotes": "Pin Renovate version in pipeline definition.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify NuGet update PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "NsDepCop.config.nsdepcop",
+            "ArchitectureTests.cs"
+          ],
+          "exampleTools": [
+            "NsDepCop",
+            "ArchUnitNET"
+          ],
+          "notes": "NsDepCop enforces namespace dependency rules via config file. ArchUnitNET uses test code for architectural assertions.",
+          "optionalFiles": [
+            "NsDepCop.config.nsdepcop"
+          ],
+          "verification": "Build fails on namespace violations, or architecture tests run as part of test suite."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -571,7 +634,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -599,5 +663,5 @@
   },
   "stack": "csharp-dotnet",
   "stackLabel": "C# / .NET",
-  "version": 1
+  "version": 2
 }