Problem
Same retrospective-only problem as G14, but for `forbidden_deps`. Copilot can add Prisma in the first 30 seconds, spend 9 minutes building around it, and then ship a PR that verify rejects.
Why it matters
Forbidden deps are structural choices — catching them early saves the most time.
Approach
Part of the G14 pre-commit hook — reuse the dep parsers from `ghcp-verify-boundaries.ts` (package.json/pyproject.toml/Cargo.toml/go.mod/Gemfile). If staged manifest changes add a forbidden dep, abort the commit.
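A sketch of the staged-manifest check for the package.json case only, as an added example that is not the project's code and does not use the parsers in `ghcp-verify-boundaries.ts`. It assumes `forbidden_deps` is a list of package names, with `@scope/*` as a hypothetical wildcard form; the function names and sample manifests are constructed for illustration.

```typescript
// Added example, not the project's code. Assumes forbidden_deps is a list of
// package names, where "@scope/*" (hypothetical syntax) forbids a whole scope.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Collect every dependency name declared in a package.json text.
// An empty string stands for "the file did not exist at that revision".
function depNames(manifestText: string): string[] {
  if (manifestText.trim() === "") return [];
  const manifest = JSON.parse(manifestText) as Record<string, unknown>;
  const names: string[] = [];
  for (const section of SECTIONS) {
    const deps = manifest[section];
    if (deps !== null && typeof deps === "object") {
      for (const name of Object.keys(deps as object)) {
        if (names.indexOf(name) === -1) names.push(name);
      }
    }
  }
  return names;
}

// Exact name match, or prefix match for a rule written as "@scope/*".
function isForbidden(name: string, forbidden: string[]): boolean {
  return forbidden.some((rule) =>
    rule.slice(-2) === "/*" ? name.indexOf(rule.slice(0, -1)) === 0 : name === rule);
}

// Forbidden deps present in the staged manifest but absent at HEAD.
function addedForbiddenDeps(headText: string, stagedText: string, forbidden: string[]): string[] {
  const before = depNames(headText);
  return depNames(stagedText)
    .filter((name) => before.indexOf(name) === -1 && isForbidden(name, forbidden))
    .sort();
}

// Constructed sample input. In a hook these would be the output of
// `git show HEAD:package.json` and `git show :package.json` (the staged copy).
const HEAD_MANIFEST = JSON.stringify({ dependencies: { express: "^4.19.0" } });
const STAGED_MANIFEST = JSON.stringify({
  dependencies: { express: "^4.19.0", "@prisma/client": "^5.0.0" },
  devDependencies: { prisma: "^5.0.0", typescript: "^5.4.0" },
});
const FORBIDDEN = ["prisma", "@prisma/*"];

const violations = addedForbiddenDeps(HEAD_MANIFEST, STAGED_MANIFEST, FORBIDDEN);
if (violations.length > 0) {
  console.error("commit blocked, forbidden deps added: " + violations.join(", "));
  // A real hook would exit non-zero here to abort the commit.
}
```

Comparing against HEAD means a forbidden dep that is already committed does not block unrelated commits; only a newly staged addition does.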
Review reference
Adversarial review G15