jesus/syntaxis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
syntaxis/DEPENDENCIES.md

600 lines
17 KiB
Markdown
Raw Permalink Normal View History

refactor: consolidate configuration directories Merge _configs/ into config/ for single configuration directory. Update all path references. Changes: - Move _configs/* to config/ - Update .gitignore for new patterns - No code references to _configs/ found Impact: -1 root directory (layout_conventions.md compliance)
2025-12-26 18:36:23 +00:00
# Canonical Dependency Registry - syntaxis
**Last Updated**: 2025-11-15
**Managed By**: dependency-manager tool
**Location**: Root `DEPENDENCIES.md` (with symlink from `.claude/DEPENDENCIES.md`)
---
## Overview
This document defines the canonical dependency registry for all crates in syntaxis. All crate dependencies must use versions and features defined here. This ensures:
- **Single source of truth**: No version conflicts across monorepo
- **Reproducible builds**: Consistent dependency resolution
- **Security**: Centralized vulnerability management
- **Compatibility**: Proven feature combinations
---
## Tier 1: Critical Dependencies (Must Maintain Consistency)
Dependencies that affect runtime behavior, async execution, or critical system functionality.
### Runtime & Async
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **tokio** | `1.48` | `["full"]` | Stable async runtime; pinned for reproducibility |
| **futures** | `0.3` | (none) | Async utilities and trait implementations |
### Serialization
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **serde** | `1.0` | `["derive"]` | Universal serialization framework |
| **serde_json** | `1.0` | (none) | JSON serialization |
| **toml** | `0.9` | (none) | TOML configuration parsing |
| **uuid** | `1.18` | `["v4", "serde"]` | Unique ID generation with serialization |
### Error Handling
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **thiserror** | `2.0` | (none) | **BREAKING from 1.0** - Standard error handling |
| **anyhow** | `1.0` | (none) | Flexible error context and propagation |
### Web Framework Stack
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **axum** | `0.8` | `["ws"]` | Web framework with WebSocket support |
| **tower** | `0.5` | (none) | HTTP middleware and service traits |
| **tower-http** | `0.6` | `["trace", "cors", "fs"]` | HTTP utilities (tracing, CORS, file serving) |
| **tokio-rustls** | `0.26` | (none) | TLS support for async |
| **rustls** | `0.23` | (none) | Modern TLS library (not OpenSSL) |
| **rustls-pemfile** | `2.2` | (none) | PEM certificate/key parsing |
### HTTP Client
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **reqwest** | `0.12` | `["json"]` | Async HTTP client with JSON support |
### Database
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **sqlx** | `0.8` | `["runtime-tokio-native-tls", "sqlite", "macros"]` | Async SQL with SQLite backend |
| **sqlx-sqlite** | `0.8` | (none) | SQLite-specific sqlx features |
| **surrealdb** | `2.3` | `["kv-mem", "kv-rocksdb"]` | Modern multi-backend database with embedded/server modes |
| **serde_bytes** | `0.11` | (none) | Binary data serialization for database fields |
### Authentication
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **jsonwebtoken** | `10.2` | `["aws_lc_rs"]` | **IMPORTANT: Use aws_lc_rs NOT rust_crypto** - JWT tokens |
---
## Tier 2: Important Dependencies (Frequently Used)
Dependencies that provide core functionality but with less critical version coupling.
### CLI Framework
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **clap** | `4.5` | `["derive"]` | CLI argument parsing with procedural macros |
| **clap_complete** | `4.5` | (none) | Shell completion generation |
| **colored** | `3.0` | (none) | Terminal color support |
| **prettytable-rs** | `0.10` | (none) | Formatted table output |
| **inquire** | `0.9` | (none) | Interactive CLI prompts |
| **console** | `0.15` | (none) | Console/terminal utilities |
### Terminal UI (TUI)
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **ratatui** | `0.30.0-beta.0` | `["all-widgets"]` | **BETA** - TUI widgets (latest + experimental) |
| **crossterm** | `0.29` | `["serde"]` | Terminal backend for ratatui |
| **palette** | `0.7` | `["serializing"]` | Color utilities with serialization |
### Web Frontend (Leptos/WASM)
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **leptos** | `0.8.12` | `["csr"]` | WASM frontend framework (client-side rendering) |
| **leptos_router** | `0.8.9` | (none) | Routing for Leptos applications |
| **leptos_meta** | `0.8.5` | (none) | Meta tag management for Leptos |
| **wasm-bindgen** | `0.2` | (none) | WASM JavaScript bindings |
| **gloo-net** | `0.6` | (none) | HTTP client for WASM |
| **web-sys** | `0.3` | (none) | Web APIs for WASM |
| **wasm-logger** | `0.2` | (none) | Logging for WASM applications |
### Utilities & Helpers
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **chrono** | `0.4` | `["serde"]` | Date/time handling with serialization |
| **camino** | `1.2` | (none) | UTF-8 paths (safer than std::path) |
| **walkdir** | `2.5` | (none) | Recursive directory iteration |
| **handlebars** | `6.3` | (none) | Template engine |
| **indexmap** | `2.12` | (none) | Ordered maps/sets |
| **regex** | `1.12` | (none) | Regular expressions |
| **once_cell** | `1.21` | (none) | Lazy static initialization |
| **dirs** | `6.0` | (none) | Platform-specific directories |
### Logging & Tracing
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **tracing** | `0.1` | (none) | Structured logging/tracing |
| **tracing-subscriber** | `0.3` | `["env-filter"]` | Logging subscriber with filtering |
### Metrics & Monitoring
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **prometheus** | `0.14` | `["process"]` | Prometheus metrics collection |
### Caching
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **moka** | `0.12` | `["future"]` | High-performance async cache |
### WebSocket
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **tokio-tungstenite** | `0.28` | (none) | WebSocket support for tokio |
### Messaging
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **async-nats** | `0.45` | (none) | NATS messaging client |
---
## Tier 3: Stable Dependencies (Dev/Test Only)
Dependencies used exclusively in testing, benchmarking, or development.
| Dependency | Version | Features | Rationale |
|-----------|---------|----------|-----------|
| **tokio-test** | `0.4` | (none) | Tokio async testing utilities |
| **tempfile** | `3.23` | (none) | Temporary files for testing |
| **assert_cmd** | `2.1` | (none) | CLI command assertion testing |
| **predicates** | `3.1` | (none) | Predicate assertions |
| **criterion** | `0.7` | `["html_reports"]` | Benchmarking framework |
| **mockito** | `1.6` | (none) | HTTP mocking for tests |
---
## Breaking Changes & Migration Notes
### ⚠️ SurrealDB 2.3 Upgrade (Recently Applied)
**What Changed**: Major API changes in SurrealDB 2.3 from 1.5
**Key Differences**:
- Parameter binding: `.bind(json!({ "key": value }))` instead of `.bind(("key", value))`
- Query patterns: Parameterized SQL with `$placeholders`
- Builder API: Removed in favor of explicit query methods
- Features: `kv-mem` for in-memory and `kv-rocksdb` for embedded persistence
**Migration Status**: ✅ Complete - syntaxis-core and syntaxis-cli fully migrated
**See Also**: `SURREALDB_2_3_MIGRATION.md` for detailed migration guide
---
### ⚠️ thiserror 2.0 Upgrade (Already Applied)
**What Changed**: API changes from 1.0 to 2.0
**Migration Required**: All error types using `#[error(...)]` macro updated
**Status in syntaxis**: ✅ Complete - all crates use 2.0
---
### ⚠️ jsonwebtoken Features Selection (CRITICAL)
**Always Use**: `features = ["aws_lc_rs"]`
**Never Use**: `features = ["rust_crypto", "use_pem"]`
**Rationale**:
- `aws_lc_rs`: AWS-backed cryptography, better performance, modern
- `rust_crypto`: Legacy pure-Rust implementation, slower
- Feature conflict causes compilation failures
**Current Status**:
- ❌ Root workspace: Still has 9.3 (will be updated to 10.2)
- ✅ syntaxis: Uses 10.2 with `aws_lc_rs`
---
### ⚠️ ratatui Beta Version (0.30.0-beta.0)
**Status**: Using bleeding-edge beta
**Why**: Latest widget support and features required for TUI
**Stability**: Production-ready for syntaxis TUI (heavily tested)
**Migration Path**: Switch to stable 0.30.0 when released (no breaking changes expected)
---
## Workspace Structure
### Root Workspace (`Cargo.toml`)
Defines all canonical versions in `[workspace.dependencies]`:
```toml
[workspace]
members = [
"shared/rust-api/shared-api-lib",
"shared/rust-tui",
"shared/rust",
"core/crates/syntaxis-core",
# ... 10 members total
]
exclude = [
"core/crates/syntaxis-api", # WIP (37 errors)
"core/crates/syntaxis-vapora", # Planned
]
[workspace.dependencies]
# All 50+ dependencies defined here
```
### Nested Workspaces
-`syntaxis/Cargo.toml` should **NOT** have `[workspace]` section
- The root workspace already declares all crates as members
- Nested workspace definition causes anti-pattern warnings
### Shared Libraries
**Location**: `shared/rust/`, `shared/rust-api/shared-api-lib/`, `shared/rust-tui/`
**Strategy**: Portable but aligned
- Each lib maintains its own `Cargo.toml` for independence
- dependency-manager tool validates versions match canonical registry
- No workspace inheritance needed (libs can be used outside monorepo)
---
## Version Selection Rationale
### Tokio: Why 1.48 (not flexible "1")?
- **Stability**: Thoroughly tested production release
- **Compatibility**: All async crates tested against this version
- **Reproducibility**: Pinning prevents unexpected upgrades
- **Performance**: 1.48 has optimizations over 1.40-1.47
### Jsonwebtoken: Why 10.2 with aws_lc_rs?
- **Modern cryptography**: AWS-backed implementation (industry standard)
- **Performance**: 2-3x faster than pure-Rust crypto
- **Security**: Regular audits by AWS
- **Interoperability**: Works with standard JWT libraries
### Axum: Why 0.8 (not 0.9)?
- **Stability**: Mature, battle-tested version
- **Compatibility**: Perfect alignment with tokio 1.48
- **Router API**: Stable and well-documented
- **Upgrade path**: 0.9 can be adopted later if needed
### Leptos: Why 0.8.12?
- **Stability**: Latest stable release
- **WASM support**: Full CSR (client-side rendering) support
- **Component stability**: Core components stable
- **Routing**: Mature routing library included
---
## Dependency Rules
### Rule 1: Use Root Workspace Dependencies
All internal crates must specify dependencies via:
```toml
# ✅ Correct: Use workspace inheritance
[dependencies]
tokio = { workspace = true }
serde = { workspace = true }
# ❌ Wrong: Duplicate version specification
[dependencies]
tokio = "1.48" # Don't do this, use workspace = true
```
### Rule 2: Feature Coordination
When using optional features, ensure consistency:
```toml
# ✅ Correct: Explicit features match canonical registry
[dependencies]
serde = { workspace = true, features = ["derive"] }
# ❌ Wrong: Missing features from canonical registry
[dependencies]
serde = { workspace = true } # Missing derive feature
```
### Rule 3: No Version Overrides
Never override workspace dependency versions in individual crates:
```toml
# ❌ Wrong: Causes conflicts
[dependencies]
tokio = "1.45" # Different from workspace 1.48
# ✅ Correct: Use workspace version
[dependencies]
tokio = { workspace = true }
```
### Rule 4: Shared Library Independence
Shared libraries should remain portable:
```toml
# shared/rust-api/shared-api-lib/Cargo.toml
[dependencies]
# These can be specified independently for portability
# But dependency-manager validates they match canonical registry
axum = "0.8"
tokio = "1.48"
# When used in monorepo, these versions must match canonical registry
```
---
## Managing Dependencies
### Adding New Dependencies
**Process**:
1. **Evaluate necessity**: Do we really need this?
2. **Check alternatives**: Use existing dependencies if possible
3. **Research stability**: Check GitHub, reviews, update frequency
4. **Add to canonical registry**: Update this document (Tier 1, 2, or 3)
5. **Add to root workspace**: Add to `Cargo.toml [workspace.dependencies]`
6. **Use in crates**: Add to crate with `{ workspace = true }`
7. **Test**: Run `cargo test --workspace`
8. **Document**: Explain in this file why it was added
**Example**:
```toml
# .claude/DEPENDENCIES.md - Add to appropriate tier
| **my-new-lib** | `1.0` | `["feature"]` | Brief rationale for why needed |
# Cargo.toml - Add to [workspace.dependencies]
my-new-lib = { version = "1.0", features = ["feature"] }
# syntaxis-core/Cargo.toml (or relevant crate)
my-new-lib = { workspace = true }
```
### Updating Existing Dependencies
**Process**:
1. **Check for breaking changes**: Review release notes
2. **Test locally**: `cargo update -p my-lib && cargo test --workspace`
3. **Plan migration**: If breaking changes, create task
4. **Update DEPENDENCIES.md**: Document new version and changes
5. **Update Cargo.toml**: Change version in `[workspace.dependencies]`
6. **Run full validation**: `just check-all`
**Commands**:
```bash
# Check outdated dependencies
cargo outdated
# Update one dependency
cargo update -p tokio
# Update all dependencies
cargo update
# Check security vulnerabilities
cargo audit
# Fix security issues
cargo audit fix
```
### Removing Dependencies
**Process**:
1. **Find usages**: `cargo tree -d my-lib`
2. **Remove from all crates**: Update all `Cargo.toml` files
3. **Remove from workspace**: Delete from `[workspace.dependencies]`
4. **Update this document**: Remove from DEPENDENCIES.md
5. **Test**: `cargo test --workspace`
---
## Synchronization with dependency-manager
### Validation
The `dependency-manager` tool validates that all crates use canonical versions:
```bash
# Check if all dependencies match canonical registry
dependency-manager validate
# Show detailed mismatches
dependency-manager detect
# Show canonical registry
dependency-manager registry
```
### Automatic Synchronization
```bash
# Interactive: Review and approve each change
dependency-manager sync --interactive
# Batch: Update all mismatches
dependency-manager sync --batch
```
### Integration with Git
Pre-commit hook automatically validates:
```bash
# In .git/hooks/pre-commit
dependency-manager validate
```
---
## Testing After Dependency Changes
Always run full validation after updating dependencies:
```bash
# Clean rebuild
cargo clean
cargo check --workspace
# Test all crates
cargo test --workspace --lib
cargo test --workspace # Including integration tests
# Lint and security
cargo clippy --all-targets
cargo audit
# Or use Justfile recipe
just check-all
```
---
## Security Considerations
### Regular Audits
```bash
# Check for known vulnerabilities
cargo audit
# Fix automatically (if available)
cargo audit fix
# Check specific crate
cargo audit -p syntaxis-core
```
### Dependency Trust
When adding new dependencies:
- ✅ Prefer well-maintained libraries
- ✅ Check update frequency (should be recent)
- ✅ Review GitHub repository health
- ✅ Check for security audits or certifications
- ❌ Avoid unmaintained or abandoned projects
- ❌ Avoid highly experimental or unproven libraries
### Feature Security
Some dependencies have security implications:
- `jsonwebtoken`: Must use `aws_lc_rs` for cryptography safety
- `rustls`: Modern TLS (prefer over OpenSSL)
- All crypto: Keep updated for latest security patches
---
## Performance Considerations
### Heavy Dependencies
- **leptos**: Adds 5-10 seconds to compile time (WASM build)
- **criterion**: Only use in `[dev-dependencies]`
- **ratatui beta**: Slightly longer compile than stable
### Optimizing Compile Time
Disable unnecessary features:
```toml
# Instead of:
[dependencies]
tokio = { version = "1.48", features = ["full"] }
# Could use minimal features:
[dependencies]
tokio = { version = "1.48", features = ["rt", "macros", "sync"] }
```
However, syntaxis uses `["full"]` for flexibility.
---
## Current Status
### Version Alignment
- ✅ Most dependencies aligned across workspace
- ⚠️ **jsonwebtoken**: 9.3 (root) vs 10.2 (syntaxis) - **BEING FIXED**
- ⚠️ **tokio**: "1" (flexible) vs "1.48" (pinned) - **BEING STANDARDIZED**
### Compliance
- ✅ No unsafe code (`#![forbid(unsafe_code)]`)
- ✅ All features coordinated
- ✅ No version conflicts in compiled output
- ⚠️ dependency-manager integration pending
---
## Maintenance Schedule
| Task | Frequency | Owner |
|------|-----------|-------|
| Check for vulnerabilities | Weekly | CI/CD |
| Review outdated versions | Monthly | Development Team |
| Security audit reports | Monthly | Development Team |
| Major version evaluations | Quarterly | Architecture Team |
| DEPENDENCIES.md updates | As needed | Committer |
---
## References
- **Cargo.toml**: Root workspace definition
- **PROJECT_RULES.md**: Architecture and module organization
- **CODE_STANDARDS.md**: Build and testing standards
- **dependency-manager**: External tool for validation
- **Cargo Book**: https://doc.rust-lang.org/cargo/
---
**Last Updated**: 2025-11-15
**Next Review**: 2025-12-15
Reference in New Issue Copy Permalink