---
id: library-evaluation-policy
prd: docs/work/prds/library-evaluation-policy.prd.md
title: Library evaluation policy — skill, traces, enforcement stack
type: epic
status: done
features: [scripts, tooling, docs]
created: 2026-05-14T00:00:00Z
updated: 2026-05-14T19:16:52.691Z
---

## Goal

Implement a four-layer enforcement stack — Claude hook, skill, pre-commit hook, sandcastle reviewer prompt — that makes every new runtime dependency in a feature- or core-tier package produce a permanent **library trace** at `docs/library-decisions/-.md`. Rejection traces are first-class records. Codifies ADR-022.

## Why

The repo's narrow third-party surface is uncodified. New dependencies enter via `pnpm add` with no checkpoint. Three signals exposed the gap: a near-miss adding a build-time-only library, post-hoc ADR records (002/014/017), and a silent EU-data-residency risk from US-only SaaS defaults. The enforcement stack mirrors the 5-gate conformance pattern — same vocabulary, same agent feedback loop.

## Stories

- [x] [01 — Trace schema module + docs/library-decisions/ foundation](01-trace-schema-foundation/_story.md)
- [x] [02 — Pre-commit check script](02-pre-commit-check-script/_story.md)
- [x] [03 — Claude PreToolUse / PostToolUse hooks](03-claude-hooks/_story.md)
- [x] [04 — evaluate-library skill](04-evaluate-library-skill/_story.md)
- [x] [05 — Human guide: docs/guides/adding-a-library.md](05-human-guide/_story.md)
- [x] [06 — Sandcastle reviewer prompt update](06-sandcastle-reviewer-prompt/_story.md)
- [x] [07 — Generator pre-shipped traces for optional cores](07-generator-pre-shipped-traces/_story.md)
- [x] [08 — Backfill traces for existing runtime deps](08-backfill-traces/_story.md)
- [x] [09 — CLAUDE.md Key Conventions bullet](09-claude-md-update/_story.md)