@oddessentials/repo-standards 1.1.0 → 1.2.1

package/dist/config/standards.json

@@ -1517,6 +1517,220 @@
       }
     ],
     "recommended": [
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stackHints": {
+          "csharp-dotnet": {
+            "anyOfFiles": [
+              "renovate.json",
+              ".renovaterc.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleConfigFiles": [
+              "renovate.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleTools": [
+              "renovate",
+              "dependabot"
+            ],
+            "notes": "Both support NuGet packages. Renovate has better Central Package Management (Directory.Packages.props) support. For AzDO: use self-hosted Renovate runner.",
+            "pinningNotes": "Pin Renovate version in pipeline definition.",
+            "verification": "Check for renovate.json OR .github/dependabot.yml. Verify NuGet update PRs."
+          },
+          "go": {
+            "anyOfFiles": [
+              "renovate.json",
+              ".renovaterc.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleConfigFiles": [
+              "renovate.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleTools": [
+              "renovate",
+              "dependabot"
+            ],
+            "notes": "Both support go.mod/go.sum. Renovate handles replace directives better. Security scanning is covered by dependency-security (govulncheck).",
+            "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Go module PRs."
+          },
+          "python": {
+            "anyOfFiles": [
+              "renovate.json",
+              ".renovaterc.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleConfigFiles": [
+              "renovate.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleTools": [
+              "renovate",
+              "dependabot"
+            ],
+            "notes": "Renovate supports pyproject.toml, requirements.txt, Pipfile, poetry.lock. For AzDO: self-hosted Renovate or schedule-triggered pipeline.",
+            "pinningNotes": "Use requirements.txt with pinned versions or poetry.lock for deterministic installs.",
+            "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Python dependency PRs."
+          },
+          "rust": {
+            "anyOfFiles": [
+              "renovate.json",
+              ".renovaterc.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleConfigFiles": [
+              "renovate.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleTools": [
+              "renovate",
+              "dependabot"
+            ],
+            "notes": "Both support Cargo.toml/Cargo.lock. Works with cargo workspaces. Security scanning is covered by dependency-security (cargo-audit/cargo-deny).",
+            "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Cargo dependency PRs."
+          },
+          "typescript-js": {
+            "anyOfFiles": [
+              "renovate.json",
+              ".renovaterc.json",
+              "renovate.json5",
+              ".renovaterc.json5",
+              ".github/dependabot.yml"
+            ],
+            "exampleConfigFiles": [
+              "renovate.json",
+              ".github/dependabot.yml"
+            ],
+            "exampleTools": [
+              "renovate",
+              "dependabot"
+            ],
+            "notes": "Renovate supports GHA + AzDO (self-hosted or Mend Renovate App). Dependabot is GitHub-native only. For AzDO: use Renovate via self-hosted runner, Docker container job, or Mend's hosted service.",
+            "pinningNotes": "Pin Renovate Docker image version in AzDO pipelines for determinism.",
+            "verification": "Check for renovate.json (or .renovaterc.json) OR .github/dependabot.yml. Verify dependency update PRs are being created."
+          }
+        }
+      },
+      {
+        "appliesTo": {
+          "stacks": [
+            "typescript-js",
+            "csharp-dotnet",
+            "python",
+            "rust",
+            "go"
+          ]
+        },
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stackHints": {
+          "csharp-dotnet": {
+            "exampleConfigFiles": [
+              "NsDepCop.config.nsdepcop",
+              "ArchitectureTests.cs"
+            ],
+            "exampleTools": [
+              "NsDepCop",
+              "ArchUnitNET"
+            ],
+            "notes": "NsDepCop enforces namespace dependency rules via config file. ArchUnitNET uses test code for architectural assertions.",
+            "optionalFiles": [
+              "NsDepCop.config.nsdepcop"
+            ],
+            "verification": "Build fails on namespace violations, or architecture tests run as part of test suite."
+          },
+          "go": {
+            "exampleConfigFiles": [],
+            "exampleTools": [
+              "depaware",
+              "go-mod-check"
+            ],
+            "notes": "Go's module system is simpler. Use internal/ packages for visibility. depaware provides transitive dep analysis. Standard practice: 'go mod tidy && git diff --exit-code go.mod go.sum'.",
+            "verification": "Run 'go mod verify' and 'go mod tidy' with diff check in CI."
+          },
+          "python": {
+            "exampleConfigFiles": [
+              "pyproject.toml",
+              ".importlinter"
+            ],
+            "exampleTools": [
+              "import-linter",
+              "pydeps"
+            ],
+            "notes": "Configure [tool.importlinter] in pyproject.toml OR use standalone .importlinter file. pydeps is visualization-only.",
+            "optionalFiles": [
+              "pyproject.toml",
+              ".importlinter"
+            ],
+            "verification": "Run 'lint-imports' successfully. Config must exist in pyproject.toml [tool.importlinter] section OR .importlinter file."
+          },
+          "rust": {
+            "exampleConfigFiles": [
+              "deny.toml"
+            ],
+            "exampleTools": [
+              "cargo-deny"
+            ],
+            "notes": "cargo-deny's [bans] section enforces dependency graph rules (deny specific crates, wildcards). Extend existing config if using for security scanning.",
+            "optionalFiles": [
+              "deny.toml"
+            ],
+            "verification": "Run 'cargo deny check bans' to verify dependency constraints."
+          },
+          "typescript-js": {
+            "anyOfFiles": [
+              ".dependency-cruiser.cjs",
+              ".dependency-cruiser.js",
+              "dependency-cruiser.config.cjs",
+              ".dependency-cruiser.mjs"
+            ],
+            "exampleConfigFiles": [
+              ".dependency-cruiser.cjs",
+              ".dependency-cruiser.js",
+              "dependency-cruiser.config.cjs"
+            ],
+            "exampleTools": [
+              "dependency-cruiser"
+            ],
+            "notes": "Define forbidden imports, layer rules, and circular dependency bans. Run in CI as blocking check.",
+            "pinningNotes": "Pin dependency-cruiser version in package.json devDependencies.",
+            "verification": "Run 'npx depcruise --validate' or equivalent. Verify architectural rules are documented and enforced."
+          }
+        }
+      },
       {
         "appliesTo": {
           "stacks": [
@@ -1864,7 +2078,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -1912,5 +2127,5 @@
       "languageFamily": "js"
     }
   },
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.python.azure-devops.json

@@ -404,6 +404,62 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Renovate supports pyproject.toml, requirements.txt, Pipfile, poetry.lock. For AzDO: self-hosted Renovate or schedule-triggered pipeline.",
+          "pinningNotes": "Use requirements.txt with pinned versions or poetry.lock for deterministic installs.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Python dependency PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "exampleTools": [
+            "import-linter",
+            "pydeps"
+          ],
+          "notes": "Configure [tool.importlinter] in pyproject.toml OR use standalone .importlinter file. pydeps is visualization-only.",
+          "optionalFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "verification": "Run 'lint-imports' successfully. Config must exist in pyproject.toml [tool.importlinter] section OR .importlinter file."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -525,7 +581,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -553,5 +610,5 @@
   },
   "stack": "python",
   "stackLabel": "Python",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.python.github-actions.json

@@ -404,6 +404,62 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Renovate supports pyproject.toml, requirements.txt, Pipfile, poetry.lock. For AzDO: self-hosted Renovate or schedule-triggered pipeline.",
+          "pinningNotes": "Use requirements.txt with pinned versions or poetry.lock for deterministic installs.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Python dependency PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "exampleTools": [
+            "import-linter",
+            "pydeps"
+          ],
+          "notes": "Configure [tool.importlinter] in pyproject.toml OR use standalone .importlinter file. pydeps is visualization-only.",
+          "optionalFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "verification": "Run 'lint-imports' successfully. Config must exist in pyproject.toml [tool.importlinter] section OR .importlinter file."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {
@@ -525,7 +581,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -553,5 +610,5 @@
   },
   "stack": "python",
   "stackLabel": "Python",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.python.json

@@ -452,6 +452,70 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Renovate supports pyproject.toml, requirements.txt, Pipfile, poetry.lock. For AzDO: self-hosted Renovate or schedule-triggered pipeline.",
+          "pinningNotes": "Use requirements.txt with pinned versions or poetry.lock for deterministic installs.",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Python dependency PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "exampleTools": [
+            "import-linter",
+            "pydeps"
+          ],
+          "notes": "Configure [tool.importlinter] in pyproject.toml OR use standalone .importlinter file. pydeps is visualization-only.",
+          "optionalFiles": [
+            "pyproject.toml",
+            ".importlinter"
+          ],
+          "verification": "Run 'lint-imports' successfully. Config must exist in pyproject.toml [tool.importlinter] section OR .importlinter file."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -586,7 +650,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -614,5 +679,5 @@
   },
   "stack": "python",
   "stackLabel": "Python",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.rust.azure-devops.json

@@ -385,6 +385,58 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Both support Cargo.toml/Cargo.lock. Works with cargo workspaces. Security scanning is covered by dependency-security (cargo-audit/cargo-deny).",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Cargo dependency PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI hints are suggested mappings; adjust to your pipeline topology.",
+            "stage": "quality"
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "deny.toml"
+          ],
+          "exampleTools": [
+            "cargo-deny"
+          ],
+          "notes": "cargo-deny's [bans] section enforces dependency graph rules (deny specific crates, wildcards). Extend existing config if using for security scanning.",
+          "optionalFiles": [
+            "deny.toml"
+          ],
+          "verification": "Run 'cargo deny check bans' to verify dependency constraints."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -507,7 +559,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -535,5 +588,5 @@
   },
   "stack": "rust",
   "stackLabel": "Rust",
-  "version": 1
+  "version": 2
 }

package/dist/config/standards.rust.github-actions.json

@@ -385,6 +385,58 @@
       }
     ],
     "recommended": [
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Automate dependency updates using Renovate or Dependabot to keep dependencies current and reduce security exposure window.",
+        "id": "dependency-update-automation",
+        "label": "Dependency Update Automation",
+        "stack": {
+          "anyOfFiles": [
+            "renovate.json",
+            ".renovaterc.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleConfigFiles": [
+            "renovate.json",
+            ".github/dependabot.yml"
+          ],
+          "exampleTools": [
+            "renovate",
+            "dependabot"
+          ],
+          "notes": "Both support Cargo.toml/Cargo.lock. Works with cargo workspaces. Security scanning is covered by dependency-security (cargo-audit/cargo-deny).",
+          "verification": "Check for renovate.json OR .github/dependabot.yml. Verify Cargo dependency PRs."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI hints are suggested mappings; adjust to your workflow structure."
+          }
+        },
+        "description": "Enforce module boundaries and import constraints to prevent architectural drift and unwanted coupling.",
+        "id": "dependency-architecture-rules",
+        "label": "Dependency Architecture Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            "deny.toml"
+          ],
+          "exampleTools": [
+            "cargo-deny"
+          ],
+          "notes": "cargo-deny's [bans] section enforces dependency graph rules (deny specific crates, wildcards). Extend existing config if using for security scanning.",
+          "optionalFiles": [
+            "deny.toml"
+          ],
+          "verification": "Run 'cargo deny check bans' to verify dependency constraints."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {
@@ -507,7 +559,8 @@
           "type-checking",
           "unit-test-runner",
           "unit-test-reporter",
-          "dependency-security"
+          "dependency-security",
+          "dependency-update-automation"
         ],
         "notes": "Pin tool and runtime versions in CI and containers to avoid flaky differences across environments.",
         "step": 3,
@@ -535,5 +588,5 @@
   },
   "stack": "rust",
   "stackLabel": "Rust",
-  "version": 1
+  "version": 2
 }