Harness Kit

/deps

Source: skills/deps/SKILL.md

What it does

Analyze, test, and upgrade dependencies. One curated PR, not 47 version bumps. Reachability analysis, behavioral diffs, risk assessment. Package-manager agnostic. Use when: "upgrade deps", "dependency audit", "check for updates", "outdated packages", "security audit deps", "update dependencies", "vulnerable dependencies", "deps". Trigger: /deps.

Workflow role

Support primitive in the Harness Kit operating loop.

Source contract preview

This generated excerpt gives readers the beginning of the live primitive contract before they jump to GitHub.

Analyze, test, and upgrade dependencies. One curated PR, not 47 version bumps.

**Target:** $ARGUMENTS

## Execution Stance

You are the executive orchestrator.
- Keep upgrade policy, risk acceptance, and final merge-readiness judgment on the lead model.
- Delegate package analysis and bounded upgrade work to focused subagents.
- Parallelize across disjoint packages/ecosystems where safe.

## Delegation Floor

Delegation floor applies: probe the roster first; dispatch two or more
providers for substantive work; direct solo only for mechanical, emergency,
user-forbidden, or fewer-than-two-providers cases. See
`harnesses/shared/AGENTS.md` (Roster).

Local lane guidance: Use specialized lanes for ecosystem discovery,
changelog/release-note analysis, CVE reachability, behavioral diffing,
upgrade-builder work, and regression-risk critique. Split by package or
ecosystem when independent; do not let any lane apply broad version churn
without the lead's curated upgrade policy.

## Routing

| Mode | Intent |
|------|--------|
| **audit** (default) | Full: discover outdated, analyze risk, upgrade, test, PR |
| **security** | Security-only: CVE/advisory-affected deps with reachability analysis |
| **upgrade** [pkg] | Targeted: upgrade a specific package with full analysis |
| **report** | Analysis only, no upgrades — produce the report |

If `--ecosystem` is specified, limit analysis to that ecosystem.
Otherwise, detect all ecosystems present.

### Mode → Phase Matrix

| Mode | Phase 0 | Phase 1 | Phase 2 | Phase 3 | Phase 4 | Phase 5 |
|------|---------|---------|---------|---------|---------|--------|
| audit | ✓ | ✓ | ✓ | ✓ | ✓ | PR |
| security | ✓ | ✓ (security only) | ✓ | ✓ | ✓ | PR |
| upgrade [pkg] | ✓ | skip | ✓ | ✓ | ✓ | PR |
| report | skip | ✓ | ✓ | skip | skip | Report only |
...

What to verify