ln-820-dependency-optimization-coordinator
Paths: File paths (
shared/,references/,../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. Ifshared/is missing, fetch files via WebFetch fromhttps://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.
ln-820-dependency-optimization-coordinator
Type: L2 Domain Coordinator Category: 8XX Optimization
Runtime-backed coordinator for cross-stack dependency upgrades. Detects package managers, delegates to one worker per manager, records machine-readable worker summaries, and emits a final coordinator summary.
Overview
| Aspect | Details |
|---|---|
| Input | Project path plus optional upgrade policy |
| Output | Aggregated dependency upgrade report with per-worker results |
| Workers | ln-821 (npm), ln-822 (nuget), ln-823 (pip) |
| Runtime | .hex-skills/dependency/runtime/runs/{run_id}/ |
Workflow
Phases: Pre-flight -> Detect Package Managers -> Security Audit -> Delegate Upgrades -> Collect Results -> Verify Summary -> Report
Runtime Contract
MANDATORY READ: Load shared/references/ci_tool_detection.md
MANDATORY READ: Load shared/references/coordinator_runtime_contract.md, shared/references/dependency_runtime_contract.md, shared/references/coordinator_summary_contract.md
Runtime CLI:
node shared/scripts/dependency-runtime/cli.mjs start --identifier repo-deps --manifest-file <file>
node shared/scripts/dependency-runtime/cli.mjs status --identifier repo-deps
node shared/scripts/dependency-runtime/cli.mjs checkpoint --phase PHASE_3_DELEGATE_UPGRADES --payload '{...}'
node shared/scripts/dependency-runtime/cli.mjs record-worker-result --payload '{...}'
node shared/scripts/dependency-runtime/cli.mjs record-summary --payload '{...}'
node shared/scripts/dependency-runtime/cli.mjs advance --to PHASE_4_COLLECT_RESULTS
node shared/scripts/dependency-runtime/cli.mjs complete
Required state fields:
worker_planworker_resultschild_runsverification_passedreport_readysummary_recorded
Domain checkpoints:
PHASE_1_DETECT_PACKAGE_MANAGERS: detected managers, indicator files, skipped managersPHASE_2_SECURITY_AUDIT: per-manager audit verdicts, blocking findings, release-age policyPHASE_3_DELEGATE_UPGRADES: onechild_runper delegated worker with worker name, identifier,runId, andsummaryArtifactPathPHASE_4_COLLECT_RESULTS: recorded worker summaries plus unresolved failures or warningsPHASE_5_VERIFY_SUMMARY: final report path, verification verdict, summary readiness
Guard rules:
- do not advance from
PHASE_3_DELEGATE_UPGRADESuntil every planned worker emitted a validdependency-workersummary - do not complete until the final report checkpoint exists and the
dependency-coordinatorsummary was recorded - consume worker JSON summaries only; never infer worker status from prose output
Phase 0: Pre-flight
Confirm the project is a valid candidate for dependency work before starting the runtime.
| Check | Method | Block if |
|---|---|---|
| Manifest exists | Runtime start validation |
Missing |
| Project path exists | File inspection | Missing |
| Upgrade policy provided | Manifest or defaults | No |
| Existing active run for identifier | Runtime active pointer | Conflicting active run |
Default options:
| Option | Default | Meaning |
|---|---|---|
upgradeType |
major |
major, minor, or patch |
allowBreaking |
true |
allow major-version migrations |
minimumReleaseAge |
14 |
skip very recent releases unless security requires them |
testAfterUpgrade |
true |
workers verify build/tests after changes |
Phase 1: Detect Package Managers
Detect one worker target per package-manager family.
| Package Manager | Indicator Files | Worker |
|---|---|---|
| npm | package.json + package-lock.json |
ln-821 |
| yarn | package.json + yarn.lock |
ln-821 |
| pnpm | package.json + pnpm-lock.yaml |
ln-821 |
| nuget | *.csproj or *.sln |
ln-822 |
| pip | requirements.txt |
ln-823 |
| poetry | pyproject.toml + poetry.lock |
ln-823 |
| pipenv | Pipfile + Pipfile.lock |
ln-823 |
Checkpoint payload must include:
detected_managersindicator_pathsworker_planskipped_reasons
Phase 2: Security Audit
Perform lightweight pre-flight security and freshness checks before delegating heavy upgrade work.
| Manager Family | Command | Block Condition |
|---|---|---|
| Node.js | npm audit --audit-level=high or manager equivalent |
Critical vulnerability with no allowed override |
| NuGet | dotnet list package --vulnerable |
Critical vulnerability with no allowed override |
| Python | pip-audit --json or manager equivalent |
Critical vulnerability with no allowed override |
Release-age gate:
| Option | Default | Description |
|---|---|---|
minimumReleaseAge |
14 days |
Skip packages released too recently |
ignoreReleaseAge |
false |
Override for urgent security patches |
Checkpoint payload must include:
audit_resultsblocking_findingsrelease_age_policymanagers_cleared_for_delegation
Phase 3: Delegate Upgrades
Delegate one child run per worker family. Child runs must be deterministic and artifact-driven.
Delegate using the concrete worker identities selected by the routing table below. Do not synthesize family placeholders or guessed skill IDs in prompts.
Delegation context:
| Field | Type | Description |
|---|---|---|
projectPath |
string | Absolute path to target project |
packageManager |
enum | npm, yarn, pnpm, nuget, pip, poetry, pipenv |
identifier |
string | Stable worker identifier inside the run |
runId |
string | Deterministic child run id |
summaryArtifactPath |
string | Exact JSON path for the worker summary |
options |
object | Upgrade policy, verification flags, safety flags |
Worker selection:
| Manager Family | Worker | Notes |
|---|---|---|
| npm, yarn, pnpm | ln-821-npm-upgrader | One child run per detected Node manager |
| nuget | ln-822-nuget-upgrader | One child run for .NET |
| pip, poetry, pipenv | ln-823-pip-upgrader | One child run per detected Python manager |
After launching each worker:
- Checkpoint
child_rununderPHASE_3_DELEGATE_UPGRADES. - Wait for the emitted
dependency-workersummary envelope. - Record the worker summary with
record-worker-result.
Phase 4: Collect Results
Aggregate validated worker summaries only.
Worker summary fields consumed by the coordinator:
| Field | Description |
|---|---|
producer_skill |
worker identity (ln-821, ln-822, ln-823) |
summary_kind |
must be dependency-worker |
identifier |
stable worker identifier |
payload.status |
completed, partial, or failed |
payload.upgrades |
applied upgrades with before/after versions |
payload.warnings |
non-blocking issues |
payload.verification |
build/test verification result |
payload.artifact_path |
worker-owned durable report path, if any |
Collection output:
worker_resultssuccess_countpartial_countfailed_countblocking_failures
Phase 5: Verify Summary
Prepare the final durable report and verify the coordinator can finish deterministically.
Verification checklist:
- every planned worker produced one valid summary envelope
- aggregate counts match recorded worker results
- final report path exists or is ready to be written
report_readyandverification_passedare true before completion
Failure handling:
- Keep successful worker results intact.
- Mark failed workers explicitly in the coordinator report.
- Do not invent rollback actions beyond what workers already verified.
Phase 6: Report
Coordinator report schema:
| Field | Description |
|---|---|
package_managers |
detected managers handled in this run |
workers_activated |
delegated workers |
total_packages |
packages analyzed across workers |
upgraded |
successful upgrades |
skipped |
already latest or policy-skipped packages |
failed |
packages or worker runs that failed |
breaking_changes |
major-version upgrades or migrations |
verification_passed |
aggregate verification verdict |
per_worker[] |
machine-readable worker result summaries |
warnings[] |
cross-worker warnings |
Completion sequence:
- Write the durable report.
- Checkpoint the report path and verification verdict.
- Record the
dependency-coordinatorsummary envelope withrecord-summary. - Complete runtime only after the report checkpoint and coordinator summary exist.
Configuration
Options:
upgradeType: major # major | minor | patch
allowBreaking: true
minimumReleaseAge: 14
auditLevel: high # none | low | moderate | high | critical
testAfterUpgrade: true
buildAfterUpgrade: true
rollbackOnFailure: true
skipDev: false
skipOptional: true
Error Handling
Recoverable:
| Error | Recovery |
|---|---|
| Peer dependency conflict | Keep worker result as partial, continue collecting |
| Build failure in one worker | Preserve failure, continue other workers |
| Network timeout | Worker retries locally, then reports failure |
Fatal:
| Error | Action |
|---|---|
| No package managers found | Finish with empty-result report |
| Runtime validation failure | Pause run and require intervention |
| Missing worker summary for planned child run | Do not advance from collection |
References
TodoWrite format (mandatory):
- Detect package managers (in_progress)
- Delegate ln-821-npm-upgrader child runs (pending)
- Delegate ln-822-nuget-upgrader child runs (pending)
- Delegate ln-823-pip-upgrader child runs (pending)
- Aggregate dependency-worker summaries (pending)
Worker Invocation (MANDATORY)
| Phase | Worker | Context |
|---|---|---|
| 3 | ln-821-npm-upgrader | Isolated child run with packageManager, runId, and exact summaryArtifactPath |
| 3 | ln-822-nuget-upgrader | Isolated child run with packageManager, runId, and exact summaryArtifactPath |
| 3 | ln-823-pip-upgrader | Isolated child run with packageManager, runId, and exact summaryArtifactPath |
All workers: start the child runtime, checkpoint the child_run metadata, then invoke the worker skill explicitly and consume the emitted dependency-worker summary envelope via record-worker-result.
# One invocation per detected package manager (sequential per family):
node shared/scripts/dependency-runtime/cli.mjs start --skill {worker} --identifier {packageManager} --manifest-file {workerManifestPath} --run-id {childRunId} --summary-artifact-path {childSummaryArtifactPath}
node shared/scripts/optimization-runtime/cli.mjs checkpoint --phase PHASE_3_DELEGATE --payload '{"child_run":{"worker":"{worker}","run_id":"{childRunId}","summary_artifact_path":"{childSummaryArtifactPath}","package_manager":"{packageManager}"}}'
Skill(skill: "{worker}", args: "{packageManager} --run-id {childRunId} --summary-artifact-path {childSummaryArtifactPath}")
Read {childSummaryArtifactPath}
node shared/scripts/optimization-runtime/cli.mjs record-worker-result --payload-file {childSummaryArtifactPath}
Worker token substitution: {worker} is one of ln-821-npm-upgrader, ln-822-nuget-upgrader, ln-823-pip-upgrader.
Definition of Done
- Runtime started with a validated manifest and stable identifier
- Package managers detected from project indicators
- Pre-flight security and release-age checks completed
- One child run delegated per planned worker family
- Every child run emitted a valid
dependency-workersummary - Coordinator report aggregates per-worker upgrades, warnings, and verification results
- Final
dependency-coordinatorsummary recorded before completion
Phase 7: Meta-Analysis
MANDATORY READ: Load shared/references/meta_analysis_protocol.md
Skill type: optimization-coordinator. Run after all phases complete. Output to chat using the optimization-coordinator format.
Version: 1.1.0 Last Updated: 2026-01-10