Skip to content

Dependency Governance

Dependency changes in bijux-canon-agent should be treated as contract changes when they alter package authority, operational risk, or public setup expectations.

This page should keep dependency review from feeling bureaucratic. Dependencies matter because they reshape what the package relies on, what it exposes, and what downstream maintainers must now trust.

Treat the quality pages for bijux-canon-agent as the proof frame around the package. They should show how trust is earned and where skepticism still belongs.

Visual Summary

flowchart RL
    page["Dependency Governance<br/>clarifies: see proof | see limitations | judge done-ness"]
    classDef page fill:#dbeafe,stroke:#1d4ed8,color:#1e3a8a,stroke-width:2px;
    classDef positive fill:#dcfce7,stroke:#16a34a,color:#14532d;
    classDef caution fill:#fee2e2,stroke:#dc2626,color:#7f1d1d;
    classDef anchor fill:#ede9fe,stroke:#7c3aed,color:#4c1d95;
    classDef action fill:#fef3c7,stroke:#d97706,color:#7c2d12;
    proof1["tests/invariants for package promises that should not drift"]
    proof1 --> page
    proof2["tests/unit for local behavior and utility coverage"]
    proof2 --> page
    proof3["tests/integration and tests/e2e for end-to-end workflow behavior"]
    proof3 --> page
    risk1["CHANGELOG.md"]
    risk1 -.keeps trust honest.-> page
    risk2["pyproject.toml"]
    risk2 -.keeps trust honest.-> page
    risk3["README.md"]
    risk3 -.keeps trust honest.-> page
    bar1["package trust after change"]
    page --> bar1
    bar2["proof before confidence"]
    page --> bar2
    bar3["done means defended behavior"]
    page --> bar3
    class page page;
    class proof1,proof2,proof3 positive;
    class risk1,risk2,risk3 caution;
    class bar1,bar2,bar3 action;

Current Dependency Themes

  • aiohttp
  • typer
  • click
  • pydantic
  • fastapi
  • openai
  • structlog
  • pluggy

Concrete Anchors

  • tests/unit for local behavior and utility coverage
  • tests/integration and tests/e2e for end-to-end workflow behavior
  • README.md

Use This Page When

  • you are reviewing tests, invariants, limitations, or ongoing risks
  • you need evidence that the documented contract is actually defended
  • you are deciding whether a change is truly done rather than merely implemented

Decision Rule

Use Dependency Governance to decide whether bijux-canon-agent has actually earned trust after a change. If one narrow green check hides a wider contract, risk, or validation gap, the work is not done yet.

What This Page Answers

  • what currently proves the bijux-canon-agent contract instead of merely describing it
  • which risks, limits, and assumptions still need explicit skepticism
  • what a reviewer should be able to say before accepting a change as done

Reviewer Lens

  • compare the documented proof story with the actual test layout and release posture
  • look for limitations or risks that should have moved with recent behavior changes
  • verify that the claimed done-ness standard still reflects real validation practice

Honesty Boundary

This page explains how bijux-canon-agent is supposed to earn trust, but it does not claim that prose alone is enough. If the listed tests, checks, and review practice stop backing the story, the story has to change.

Next Checks

  • move to foundation when the risk appears to be boundary confusion rather than missing tests
  • move to architecture when the proof gap points to structural drift
  • move to interfaces or operations when the proof question is really about a contract or workflow

Purpose

This page explains why dependency review matters for the package.

Stability

Keep it aligned with pyproject.toml and the package's real dependency posture.