// Dependency hygiene for the Rocky engine workspace — how to add/update deps via [workspace.dependencies], MSRV 1.88 policy, cargo-audit / cargo-deny / cargo-machete usage, and how the weekly security audit surfaces advisories.
Canonical `rocky.toml` authoring reference. Use when writing or reviewing a Rocky pipeline config — covers the 4 pipeline types (replication, transformation, quality, snapshot), adapter variants (duckdb/databricks/snowflake/fivetran), minimal-config defaults, env-var substitution, governance, checks, hooks, and the ${VAR:-default} syntax.
Dagster integration test fixture lifecycle. Use when regenerating live-binary fixtures via `just regen-fixtures` / `scripts/regen_fixtures.sh`, debugging why a generated fixture differs across runs, or adding scenario data for new CLI commands. Covers determinism (zeroed timings, sentinel timestamps), the relationship between `tests/scenarios.py` and `tests/fixtures_generated/`, and the two POCs that back the corpus.
Using TailwindPlus Elements (@tailwindplus/elements) in the Rocky VS Code webviews. Use when building or upgrading an interactive webview component — a command palette / model search, a confirmation dialog, an autocomplete or select model picker, a dropdown/popover menu, a collapsible disclosure, or tabs. Covers the esbuild-bundle install (no CSP change vs the CDN), the --vscode-* theming + Tailwind v3.4 data-variant nuance, React 19 custom-element interop (boolean attrs, native events via ref, the elements:ready gate), and which element fits which Rocky surface.
How an AI agent should author or modify a Rocky data model. Use when building, fixing, or evolving a model on behalf of a user — covers the inspect → sample → write SQL → compile-loop → plan → propose → review → apply workflow, the reconcile discipline (check the data, not just the schema), and the AI-authored-plan safety gate. SQL-first.
Rocky CLI JSON-output schema cascade. Use when editing any `*Output` struct in `engine/crates/rocky-cli/src/output.rs` (or `commands/doctor.rs`), adding a new CLI command schema, or when a change could affect `schemas/*.schema.json`, `integrations/dagster/src/dagster_rocky/types_generated/`, or `editors/vscode/src/types/generated/`. Also use when CI reports `codegen-drift`.
Top-level router for Rocky development tasks. Use this FIRST for any request to change Rocky — it points at the right subskill based on what's being touched. Also use for quick monorepo orientation (build, test, lint, install, where-is-what).
| name | rust-dep-hygiene |
| description | Dependency hygiene for the Rocky engine workspace — how to add/update deps via [workspace.dependencies], MSRV 1.88 policy, cargo-audit / cargo-deny / cargo-machete usage, and how the weekly security audit surfaces advisories. |
All dependencies go through [workspace.dependencies] in engine/Cargo.toml. Individual crates under engine/crates/* inherit versions by referencing the workspace:
# In crates/rocky-fivetran/Cargo.toml
[dependencies]
reqwest = { workspace = true }
tokio = { workspace = true }
thiserror = { workspace = true }
Never do this in a leaf crate:
# DON'T — bypasses the workspace pin
[dependencies]
reqwest = "0.12"
Why: the workspace is 22 crates. Per-crate version pins drift, cause duplicate dep compilations, and break the MSRV contract.
engine/Cargo.toml and add the dep to [workspace.dependencies] with the exact version and feature set you need.<dep> = { workspace = true } (plus a features = [...] override if the crate needs a narrower subset — it's allowed to turn features on, never off).cargo build -p <crate> to confirm resolution.cargo tree -d to check you haven't introduced a duplicate version of anything (see "Duplicates" below).cargo add inside a sub-crate without the --workspace or without editing [workspace.dependencies] first.# From engine/
cargo update -p <crate_name> # Minor/patch only — respects the Cargo.toml version req.
cargo update # Everything — use with care, always review Cargo.lock diff.
Major version bumps require editing engine/Cargo.toml directly and checking the changelog for breaking changes. Pin the version in [workspace.dependencies], not in individual crates.
engine/Cargo.toml declares:
[workspace.package]
edition = "2024"
rust-version = "1.88"
Bumped 1.85.1 → 1.88 on 2026-05-24: the
rocky-mcpcrate'srmcp 1.7tree (rmcp-macros→darling 0.23, plustime 0.3.47) requires rustc 1.88, so the effective workspace MSRV was already 1.88.
Rules:
cargo tree and the dep's changelog) or propose an MSRV bump.[workspace.package] line and the CI toolchain installer in .github/workflows/engine-ci.yml in the same PR.cargo auditRocky runs cargo audit weekly, not on every PR. From .github/workflows/engine-weekly.yml:
schedule:
- cron: '0 8 * * 1' # Monday 08:00 UTC
- name: Run cargo audit
run: cargo audit
The workflow is also manually dispatchable (workflow_dispatch) and marked continue-on-error: true, so advisories don't block PRs — they surface as a Monday morning report.
To run it locally:
cargo install cargo-audit # first time only
cd engine
cargo audit
When to react:
critical or high — fix this week. Either bump the transitive dep (via cargo update -p or a workspace bump) or vendor a patch.medium — schedule a fix in the current iteration.low / informational — note, don't drop everything.unsound advisories on a library dep are different from vulnerabilities — they indicate soundness bugs in the dep, and the right fix is usually a version bump or a report upstream, not a workspace allowlist.cargo audit does not currently have an allow-list for accepted advisories in Rocky. If you want to ignore a specific advisory with a reason, that's a policy change — propose it to Hugo first. (The mechanism is audit.toml with ignore = ["RUSTSEC-YYYY-NNNN"] and a reason = "..." line.)
cargo-deny (not currently configured)Rocky does not ship a deny.toml or run cargo-deny in CI as of this skill's authoring. The project's license is Apache-2.0 (engine/Cargo.toml → [workspace.package]). If you want to enforce license compatibility or a banned-deps policy, proposing cargo-deny adoption is the right move — but do it as a dedicated PR, not smuggled into an unrelated change. A minimal deny.toml for Rocky would cover:
licenses: allow Apache-2.0, MIT, BSD-3-Clause, ISC, Unicode-DFS-2016; deny GPL-* / AGPL-* (Rocky is Apache-2.0 and can't take copyleft deps).bans: ban known-bad crates (e.g. openssl-sys when rustls is already the chosen TLS stack — Rocky uses reqwest = { features = ["rustls-tls"] }).advisories: fail on unmaintained + unsound (beyond what cargo audit already catches).sources: restrict to crates-io unless explicit git deps are reviewed.Don't enable this without Hugo's sign-off — it's the kind of change that turns a clean workspace red on day one.
cargo-machetecargo-machete finds unused dependencies per crate. Run it when you've done a large refactor and want to clean up:
cargo install cargo-machete # first time only
cd engine
cargo machete
Caveats:
cargo-machete looks at Cargo.toml vs. actual use statements. It sometimes false-positives on deps that are used only through macros (e.g. serde_json via json!) or only behind #[cfg(...)] feature gates.Cargo.toml is fine, but removing it from [workspace.dependencies] may break another crate.cargo build --all-targets after any deletion to confirm nothing broke.cargo tree -dcd engine
cargo tree -d # show duplicate versions of any transitive dep
cargo tree -d -e features # include feature-flag differences
Duplicates bloat compile time and binary size. The common causes:
[workspace.dependencies].Fix by unifying on one version at the workspace level. Sometimes you can't — two upstreams depend on incompatible ranges of the same crate — in which case document it as a known duplicate and move on.
| Check | Frequency | Blocking? | Tool |
|---|---|---|---|
| Security advisories | Weekly (Monday UTC) | No (continue-on-error) | cargo-audit |
| MSRV compliance | Every PR | Yes (via CI cargo build) | Cargo built-in |
| Clippy on deps | Every PR | Yes (-D warnings) | cargo clippy — see rust-clippy-triage |
| License compatibility | — | Not enforced | cargo-deny (not configured) |
| Unused deps | Ad hoc | No | cargo-machete |
| Duplicate versions | Ad hoc | No | cargo tree -d |
rust-clippy-triage — deprecated-API warnings from bumped deps often surface as clippy lints first.rust-error-handling — when upgrading thiserror or anyhow specifically, read the release notes for breaking changes in derive syntax.rocky-release (monorepo root) — release-time dep pinning and lockfile policy for the engine-v* tag.