phxdeps-vet

Solid

Record a vetted Hex package version in hex_vet.exs after a security review — manages the audit ledger, not the scanner. Use to approve a dep after /phx:deps-audit findings or to initialize hex_vet.exs.

Code & Development 384 stars 25 forks Updated 4 days ago MIT


Quality Score: 92/100

Stars (20%): 86
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Deps Vet — Hex package audit ledger

Review a Hex package version, run Phase 1 supply-chain rules against it, prompt the user for a verdict, append the result to `hex_vet.exs` (project-root audit ledger). Vetted versions get downgraded to `INFO` on subsequent `/phx:deps-audit` runs.

Run this AFTER `/phx:deps-audit` to clear findings. Run this BEFORE merging a `mix.lock` PR to certify new versions.

## Usage

```text
/phx:deps-vet phoenix 1.7.21   # vet a single package version
/phx:deps-vet --seed           # import curated baseline seed (~30 pkgs)
/phx:deps-vet --list           # show existing ledger entries
/phx:deps-vet --check          # cross-check mix.lock vs ledger
```

## Iron Laws

1. **NEVER auto-approve.** Every entry MUST come from an `AskUserQuestion` confirmation. Drive-by trust ruins the ledger's value.
2. **Lock wins on disagreement.** If `mix.lock` has version X and the ledger vets X-1, emit INFO and treat X as unvetted. Don't silently trust the older entry.
3. **Ledger lives at project root.** `hex_vet.exs` is a first-class security artifact, visible in PR review. Don't move it into `.claude/`.
4. **Round-trip via `inspect/2`.** When appending, read the file with `Code.eval_file/1`, mutate the map, and write back via `inspect(term, pretty: true, limit: :infinity)`. Hand-rolled string appends drift over time.
5. **Always show findings before prompting.** The user must see what's being vetted. No silent `:safe_to_deploy` ...

Details

Author
oliver-kriska
Repository
oliver-kriska/claude-elixir-phoenix
Created
3 months ago
Last Updated
4 days ago
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

Code & Development Solid

phxdeps-audit

Audit Hex deps for supply-chain security risk — bidi chars, compile-time exec, maintainer changes, typosquats, CVEs. Use after mix deps.update, when checking if a package upgrade is safe, or reviewing mix.lock PR diffs.

384 Updated 4 days ago
oliver-kriska
Code & Development Listed

vet

Thorough codebase investigation that finds and fixes real problems. Maps architecture, scans every layer (structural, correctness, security, reliability, performance, hygiene), prioritized report with evidence, fix plan, executes collaboratively. A senior engineer doing a full review with authority to fix. Use when user says '/vet', 'vet this project', 'check this codebase', 'find all the problems', 'what's broken', 'audit this code', or wants to clean up AI-generated code. NOT for: UI review (/eye), test writing (/fortify), pre-build research (/recon).

2 Updated 1 week ago
catcatcatstudio
Code & Development Solid

phxverify

Verify Elixir/Phoenix changes — compile, format, and test in one loop. Use after implementation, before PRs, or after fixing bugs.

384 Updated 4 days ago
oliver-kriska
AI & Automation Listed

vet

Run vet immediately after ANY logical unit of code changes. Do not batch your changes, do not wait to be asked to run vet, make sure you are proactive.

335 Updated today
aiskillstore
Web & Frontend Listed

vet

Vets a PRD, demo brief, or interactive demo through product, design, frontend, backend, and testability perspectives to decide whether it is credible enough for release, TechSpec, or iteration. Product-native by default; in non-product contexts, use only when the user explicitly asks to apply product-thinking as a lens. Not for drafting PRDs, building demos, writing TechSpecs from scratch, release publishing, or professional legal, medical, or financial review.

0 Updated today
chilohwei