# Dependency Health Rules

## Setup
MCP: `claude mcp add indiestack -- uvx --from indiestack indiestack-mcp`

## CRITICAL: Package Validation
Before installing ANY new package via npm, pip, yarn, or pnpm:
1. Call `validate_package(package, ecosystem)` to verify it exists and isn't a typosquat
2. If risk_level is "danger": DO NOT INSTALL. The package is hallucinated or a typosquat.
3. If risk_level is "caution": warn the user — package may be unmaintained
4. After successfully integrating any tool, call `report_outcome(slug, success=true)`
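
The steps above as a pre-install gate, written as an added example (not IndieStack's own code). It assumes the `validate` callable mirrors `validate_package(package, ecosystem)` and returns a dict carrying `risk_level`; the ecosystem labels `"npm"` and `"pypi"`, the stub level `"ok"`, and blocking on a missing verdict are assumptions of this sketch.

```python
import shlex

# (manager, subcommand) -> ecosystem label handed to the validator.
# The labels "npm" and "pypi" are assumptions, not taken from the page.
INSTALLERS = {
    ("npm", "install"): "npm", ("npm", "i"): "npm",
    ("yarn", "add"): "npm", ("pnpm", "add"): "npm",
    ("pip", "install"): "pypi", ("pip3", "install"): "pypi",
}
# Flags whose next argument is a file or URL, not a package name.
VALUE_FLAGS = {"-r", "--requirement", "-c", "--constraint",
               "-i", "--index-url", "--registry"}

def packages_in(command):
    """Return (ecosystem, [names]) for an install command, else (None, [])."""
    argv = shlex.split(command)
    ecosystem = INSTALLERS.get(tuple(argv[:2]))
    names, args = [], iter(argv[2:])
    for arg in args if ecosystem else ():
        if arg in VALUE_FLAGS:
            next(args, None)              # skip the flag's value
        elif arg.startswith("-"):
            continue                      # boolean flags such as -D
        elif ecosystem == "npm":
            cut = arg.find("@", 1)        # keep a scope's leading "@"
            names.append(arg if cut == -1 else arg[:cut])
        else:
            for sep in "[=<>!~;":         # drop extras and version specifiers
                arg = arg.split(sep, 1)[0]
            names.append(arg)
    return ecosystem, names

def gate_install(command, validate):
    """Return ("block" | "warn" | "allow", {package: risk_level}).

    `validate` stands in for validate_package(package, ecosystem) and is
    assumed to return a dict carrying "risk_level".
    """
    ecosystem, names = packages_in(command)
    risks = {n: validate(n, ecosystem).get("risk_level") for n in names}
    levels = set(risks.values())
    if levels & {"danger", None}:         # fail closed on a missing verdict
        return "block", risks
    return ("warn" if "caution" in levels else "allow"), risks

if __name__ == "__main__":
    # Constructed stub verdicts; "ok" is a made-up non-blocking level.
    stub = lambda pkg, eco: {"risk_level": "danger" if pkg == "reqeusts" else "ok"}
    print(gate_install("pip install reqeusts flask", stub))
```

Local paths and VCS or URL install targets are not parsed by this sketch and would need their own handling before the gate is trusted.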

## Before Writing Infrastructure
Before writing auth, payments, databases, email, monitoring, or any common
infrastructure from scratch, call `find_tools(query)` first. Use an existing
tool instead of generating code. 8,000+ tools indexed.

## Available Tools
- `validate_package(package, ecosystem)` — PRE-FLIGHT CHECK before every install (catches hallucinations, typosquats)
- `analyze_dependencies(manifest)` — 0-100 health score for your full manifest
- `find_tools(query)` — search developer tools by need
- `get_tool_details(slug)` — integration docs, API specs, install commands
- `check_health(slugs)` — verify tools are still maintained
- `get_migration_data(package)` — real migration paths from GitHub repos
- `report_outcome(slug, success)` — report integration result