Paths: File paths (
references/,../ln-*) are relative to this skill directory.
ln-820-dependency-optimization-coordinator
Type: L2 Domain Coordinator Category: 8XX Optimization
Runtime-backed coordinator for cross-stack dependency upgrades. Detects package managers, delegates to one worker per manager, records machine-readable worker summaries, and emits a final coordinator summary.
Overview
| Aspect | Details |
|---|---|
| Input | Project path plus optional upgrade policy |
| Output | Aggregated dependency upgrade report with per-worker results |
| Workers | ln-821 (npm), ln-822 (nuget), ln-823 (pip) |
| Runtime | .hex-skills/dependency/runtime/runs/{run_id}/ |
Workflow
Phases: Pre-flight -> Detect Package Managers -> Security Audit -> Delegate Upgrades -> Collect Results -> Verify Summary -> Report
Runtime Contract
MANDATORY READ: Load references/ci_tool_detection.md
MANDATORY READ: Load references/coordinator_runtime_contract.md, references/dependency_runtime_contract.md, references/coordinator_summary_contract.md
Runtime CLI:
node references/scripts/dependency-runtime/cli.mjs start --identifier repo-deps --manifest-file <file>
node references/scripts/dependency-runtime/cli.mjs status --identifier repo-deps
node references/scripts/dependency-runtime/cli.mjs checkpoint --phase PHASE_3_DELEGATE_UPGRADES --payload '{...}'
node references/scripts/dependency-runtime/cli.mjs record-worker-result --payload '{...}'
node references/scripts/dependency-runtime/cli.mjs record-summary --payload '{...}'
node references/scripts/dependency-runtime/cli.mjs advance --to PHASE_4_COLLECT_RESULTS
node references/scripts/dependency-runtime/cli.mjs complete
Required state fields:
worker_planworker_resultschild_runsverification_passedreport_readysummary_recorded
Domain checkpoints:
PHASE_1_DETECT_PACKAGE_MANAGERS: detected managers, indicator files, skipped managersPHASE_2_SECURITY_AUDIT: per-manager audit verdicts, blocking findings, release-age policyPHASE_3_DELEGATE_UPGRADES: onechild_runper delegated worker with worker name, identifier,runId, andsummaryArtifactPathPHASE_4_COLLECT_RESULTS: recorded worker summaries plus unresolved failures or warningsPHASE_5_VERIFY_SUMMARY: final report path, verification verdict, summary readiness
Guard rules:
- do not advance from
PHASE_3_DELEGATE_UPGRADESuntil every planned worker emitted a validdependency-workersummary - do not complete until the final report checkpoint exists and the
dependency-coordinatorsummary was recorded - consume worker JSON summaries only; never infer worker status from prose output
Phase 0: Pre-flight
Confirm the project is a valid candidate for dependency work before starting the runtime.
| Check | Method | Block if |
|---|---|---|
| Manifest exists | Runtime start validation | Missing |
| Project path exists | File inspection | Missing |
| Upgrade policy provided | Manifest or defaults | No |
| Existing active run for identifier | Runtime active pointer | Conflicting active run |
Default options:
| Option | Default | Meaning |
|---|---|---|
upgradeType | major | major, minor, or patch |
allowBreaking | true | allow major-version migrations |
minimumReleaseAge | 14 | skip very recent releases unless security requires them |
testAfterUpgrade | true | workers verify build/tests after changes |
Phase 1: Detect Package Managers
Detect one worker target per package-manager family.
| Package Manager | Indicator Files | Worker |
|---|---|---|
| npm | package.json + package-lock.json | ln-821 |
| yarn | package.json + yarn.lock | ln-821 |
| pnpm | package.json + pnpm-lock.yaml | ln-821 |
| nuget | *.csproj or *.sln | ln-822 |
| pip | requirements.txt | ln-823 |
| poetry | pyproject.toml + poetry.lock | ln-823 |
| pipenv | Pipfile + Pipfile.lock | ln-823 |
Checkpoint payload must include:
detected_managersindicator_pathsworker_planskipped_reasons
Phase 2: Security Audit
Perform lightweight pre-flight security and freshness checks before delegating heavy upgrade work.
| Manager Family | Command | Block Condition |
|---|---|---|
| Node.js | npm audit --audit-level=high or manager equivalent | Critical vulnerability with no allowed override |
| NuGet | dotnet list package --vulnerable | Critical vulnerability with no allowed override |
| Python | pip-audit --json or manager equivalent | Critical vulnerability with no allowed override |
Release-age gate:
| Option | Default | Description |
|---|---|---|
minimumReleaseAge | 14 days | Skip packages released too recently |
ignoreReleaseAge | false | Override for urgent security patches |
Checkpoint payload must include:
audit_resultsblocking_findingsrelease_age_policymanagers_cleared_for_delegation
Phase 3: Delegate Upgrades
Delegate one child run per worker family. Child runs must be deterministic and artifact-driven.
Delegate using the concrete worker identities selected by the routing table below. Do not synthesize family placeholders or guessed skill IDs in prompts.
Delegation context:
| Field | Type | Description |
|---|---|---|
projectPath | string | Absolute path to target project |
packageManager | enum | npm, yarn, pnpm, nuget, pip, poetry, pipenv |
identifier | string | Stable worker identifier inside the run |
runId | string | Deterministic child run id |
summaryArtifactPath | string | Exact JSON path for the worker summary |
options | object | Upgrade policy, verification flags, safety flags |
Worker selection:
| Manager Family | Worker | Notes |
|---|---|---|
| npm, yarn, pnpm | ln-821-npm-upgrader | One child run per detected Node manager |
| nuget | ln-822-nuget-upgrader | One child run for .NET |
| pip, poetry, pipenv | ln-823-pip-upgrader | One child run per detected Python manager |
After launching each worker:
- Checkpoint
child_rununderPHASE_3_DELEGATE_UPGRADES. - Wait for the emitted
dependency-workersummary envelope. - Record the worker summary with
record-worker-result.
Phase 4: Collect Results
Aggregate validated worker summaries only.
Worker summary fields consumed by the coordinator:
| Field | Description |
|---|---|
producer_skill | worker identity (ln-821, ln-822, ln-823) |
summary_kind | must be dependency-worker |
identifier | stable worker identifier |
payload.status | completed, partial, or failed |
payload.upgrades | applied upgrades with before/after versions |
payload.warnings | non-blocking issues |
payload.verification | build/test verification result |
payload.artifact_path | worker-owned durable report path, if any |
Collection output:
worker_resultssuccess_countpartial_countfailed_countblocking_failures
Phase 5: Verify Summary
Prepare the final durable report and verify the coordinator can finish deterministically.
Verification checklist:
- every planned worker produced one valid summary envelope
- aggregate counts match recorded worker results
- final report path exists or is ready to be written
report_readyandverification_passedare true before completion
Failure handling:
- Keep successful worker results intact.
- Mark failed workers explicitly in the coordinator report.
- Do not invent rollback actions beyond what workers already verified.
Phase 6: Report
Coordinator report schema:
| Field | Description |
|---|---|
package_managers | detected managers handled in this run |
workers_activated | delegated workers |
total_packages | package |