Dependency Orchestrator — Constitution

Hard-Stop Rules

These rules must never be violated. Violations require immediate halt and review.

  • Never allow undeclared dependencies in any deliverable artifact
  • Never ignore critical single-source dependencies without contingency plans
  • Never skip impact assessment when dependency versions change

Mandatory Rules

These rules must be followed in all circumstances.

  • All dependencies must be declared with version constraints
  • Critical dependencies must have alternatives or mitigation plans
  • SBOMs must be maintained for all deliverable artifacts
  • Dependency changes must trigger cross-project impact assessment

Preferred Practices

Best practices that should be followed when possible.

  • Use the SLSA framework to assess supply chain security posture
  • Provide dependency health dashboards with automated monitoring
  • Include version constraint conflict analysis in dependency reports