docs: document extension npm dep bundling strategy#693
Conversation
Add Rule 6 to the generated CLAUDE.md template explaining that extension npm dependencies are inlined by swamp's bundler at bundle time and are not tracked in deno.lock or package.json. This prevents AI code reviewers from flagging the missing lockfile entries as a reproducibility gap. Closes #617
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Adversarial Review
Critical / High
None.
Medium
None.
Low
None.
Analysis
This PR adds a single documentation line to the generateInstructionsBody() method in src/domain/repo/repo_service.ts:575. The change is a static string literal that becomes part of generated CLAUDE.md files.
I systematically attempted to break this code:
-
Logic & Correctness: No logic to break - this is a string literal. No operators, no branches, no edge cases.
-
Error Handling: No error paths involved - string concatenation in TypeScript cannot fail.
-
Security: No user input is interpolated. The backtick-escaped content (`npm:lodash-es@4.17.21`) is static documentation text, not executable code.
-
Concurrency & State: No state mutations, no async operations.
-
Data Integrity: No data transformations.
-
Resource Management: No resources acquired or released.
-
API Contract: The
generateInstructionsBody()method is private. Its return type (string) is unchanged. No external callers are affected.
Verdict
PASS - This is a documentation-only change to a template string. There is no logic to break because there is no logic - just static text. The code is genuinely solid.
There was a problem hiding this comment.
Review Summary
This is a clean, focused documentation change that adds Rule 6 to the generated CLAUDE.md template, explaining that extension npm dependencies are bundled by swamp's bundler rather than tracked in deno.lock or package.json.
Blocking Issues
None.
Code Quality Check
- ✅ TypeScript strict mode: No issues (CI "Lint, Test, and Format Check" passed)
- ✅ No
anytypes: Verified via grep search - ✅ AGPLv3 copyright header: Present in file
- ✅ Named exports: No changes to export pattern
- ✅ Formatting/Linting: CI checks passed
- ✅ Tests: 77/77 repo_service tests passing (verified via CI)
DDD Review
RepoServiceis correctly a Domain Service (stateless, handles repository operations)- The
generateInstructionsBody()method appropriately produces template content - Change is a documentation addition within existing method boundaries
Security
No concerns — this is purely documentation text.
Test Coverage
Existing tests verify the structure of generated CLAUDE.md (markers, merging behavior). Specific rule content verification would be brittle for evolving documentation — current coverage is appropriate.
Suggestions
None — this is a clean change that adds useful documentation to prevent AI reviewers from flagging extension npm dependencies as a reproducibility gap.
LGTM! 🤖
1 participant
Summary
deno.lockorpackage.jsonCloses #617
Test Plan
deno checkpassesdeno lintpassesdeno fmtpassesdeno run compilesucceeds🤖 Generated with Claude Code