name: Dependency Audit
description: Find code that rolls its own instead of using framework packages
category: audit

variables:
  focus:
    description: Specific area to focus on (e.g. filesystem, logging, process management)
    required: false

guidelines:
  - Check imports for stdlib usage where a core package exists
  - The framework packages are the canonical implementations
  - Flag but don't fix — report only

phases:
  - name: Framework Package Check
    description: Identify stdlib usage that should use core packages
    tasks:
      - "Check for raw os.ReadFile/os.WriteFile/os.MkdirAll — should use go-io Medium"
      - "Check for raw log.Printf/log.Println — should use go-log"
      - "Check for raw exec.Command — should use go-process"
      - "Check for raw http.Client without timeouts — should use shared client patterns"
      - "Check for raw json.Marshal/Unmarshal of config — should use core/config"
      - "Check for raw filepath.Walk — should use go-io Medium"

  - name: Duplicate Implementation Check
    description: Find re-implementations of existing framework functionality
    tasks:
      - "Search for custom error types — should extend go-log error patterns"
      - "Search for custom retry/backoff logic — should use shared patterns"
      - "Search for custom rate limiting — should use go-ratelimit"
      - "Search for custom caching — should use go-cache"
      - "Search for custom store/persistence — should use go-store"
      - "Search for custom WebSocket handling — should use go-ws Hub"

  - name: Report
    description: Document findings with file:line references
    tasks:
      - "List each violation with file:line, what it does, and which core package should replace it"
      - "Rank by impact — packages with many consumers are higher priority"
      - "Note any cases where the framework package genuinely doesn't cover the use case"