Deterministic Dependency Guardian for AI Coding Agents

AI coding agents are becoming very useful at generating and modifying code, but one recurring weakness is that generated code often changes the required environment without safely updating it.

For example, an AI may add Flask, Express, Playwright, LangChain, or other framework-specific code, but forget to update requirements.txt, pyproject.toml, package.json, Dockerfile, lock files, environment variables, tests, or security checks.

I propose a deterministic support layer for AI coding agents:

A “Dependency / Environment Guardian” that runs after AI-generated code changes and performs deterministic validation.

Core flow:

1. Parse changed files using AST/static analysis.

2. Detect new imports, framework usage, runtime requirements, and environment variables.

3. Map imports to trusted packages.

4. Check package registry trust, known vulnerabilities, licenses, typosquatting risk, and policy rules.

5. Update requirements.txt, pyproject.toml, package.json, lock files, or Dockerfile only through deterministic rules.

6. Build the environment in a sandbox first.

7. Run tests, linting, type checks, and security scans.

8. Produce a patch/report for developer approval.

The key design principle:

AI proposes.

Deterministic tooling verifies.

CI decides.

This tool should not blindly auto-install packages into the developer’s real environment. The safe flow should be:

detect → resolve → verify → lock → sandbox install → test → report → approve

The goal is not to replace package managers. The goal is to create a deterministic bridge between AI-generated code and secure, reproducible development environments.

This would make AI-generated code more buildable, auditable, reproducible, and safer to ship, especially in Codex-style IDE, CLI, GitHub PR, and cloud coding workflows.
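As an added example, not code from the proposal itself, the following sketch shows the first half of the proposed flow (detect → map → verify → report) for Python files. It parses changed sources with the `ast` module rather than executing them, maps top-level import names to distribution names through a small lookup table, checks each against an allow-list, flags near-misses of trusted names for human review instead of auto-adding them, and emits a proposed requirements patch. The allow-list, the import-to-package map, and the sample source and requirements are all constructed for the example; a real guardian would back them with registry data, and the lock, sandbox-install and test steps that follow are out of scope here.

```python
"""Added example (not part of the original proposal): a minimal deterministic
dependency-guardian pass over AI-changed Python source.

Everything below the imports is constructed for illustration:
- TRUSTED_PACKAGES stands in for a registry trust list / organisation allow-list.
- IMPORT_TO_PACKAGE maps top-level import names to distribution names, which
  often differ (e.g. `import yaml` is provided by the `pyyaml` distribution).
- SAMPLE_SOURCE and SAMPLE_REQUIREMENTS are embedded stand-ins for changed files.
"""
import ast
import difflib
import sys

# Constructed allow-list of distribution names the organisation trusts.
TRUSTED_PACKAGES = {"flask", "requests", "playwright", "langchain", "pyyaml"}

# Constructed import-name -> distribution-name map.
IMPORT_TO_PACKAGE = {
    "flask": "flask",
    "requests": "requests",
    "playwright": "playwright",
    "langchain": "langchain",
    "yaml": "pyyaml",
}

# Standard-library modules are never third-party dependencies.
# sys.stdlib_module_names exists on Python 3.10+; a few names are added by hand
# so the check also works on older interpreters.
STDLIB = set(getattr(sys, "stdlib_module_names", ()))
STDLIB |= {"os", "sys", "json", "re", "subprocess", "pathlib"}

# Constructed "changed file" as an AI agent might leave it: one new framework
# import, one import whose distribution name differs, one typo, one unknown.
SAMPLE_SOURCE = """\
import os
import flask
from yaml import safe_load
import requsts            # constructed typo of a trusted name
import totally_new_thing  # constructed package nobody has vetted
"""

# Constructed requirements.txt that the agent forgot to update.
SAMPLE_REQUIREMENTS = """\
# pinned by the lock step in a real flow
requests>=2.0
"""


def extract_imports(source: str) -> set[str]:
    """Top-level module names imported by `source`, found via AST (no execution)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # level > 0 is a relative import of the project's own code; skip it.
            names.add(node.module.split(".")[0])
    return names


def parse_requirements(text: str) -> set[str]:
    """Distribution names already listed in a requirements.txt (lower-cased)."""
    pkgs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name = line.split("==")[0].split(">=")[0].split("<=")[0].split("[")[0]
        pkgs.add(name.strip().lower())
    return pkgs


def classify_import(mod: str) -> tuple[str, str]:
    """Deterministic policy decision for one import name.

    Returns (status, package); status is "stdlib", "trusted",
    "suspect-typosquat" or "unknown". Only "trusted" may ever be auto-added.
    """
    if mod in STDLIB:
        return "stdlib", mod
    pkg = IMPORT_TO_PACKAGE.get(mod)
    if pkg in TRUSTED_PACKAGES:
        return "trusted", pkg
    # Close to, but not equal to, a trusted name: route to a human, never install.
    near = difflib.get_close_matches(mod, sorted(TRUSTED_PACKAGES), n=1, cutoff=0.8)
    if near:
        return "suspect-typosquat", near[0]
    return "unknown", mod


def guardian_report(source: str, requirements: str) -> dict:
    """Run detect -> map -> verify and return a report plus a proposed patch.

    Only packages that are both trusted and missing from requirements become
    proposed "+name" lines; everything else is reported for developer approval.
    """
    present = parse_requirements(requirements)
    report = {"add": [], "suspect": [], "unknown": []}
    for mod in sorted(extract_imports(source)):
        status, pkg = classify_import(mod)
        if status == "trusted" and pkg not in present:
            report["add"].append(pkg)
        elif status == "suspect-typosquat":
            report["suspect"].append((mod, pkg))
        elif status == "unknown":
            report["unknown"].append(mod)
    # Left unpinned on purpose: the resolve/lock step, not this pass, chooses versions.
    report["patch"] = [f"+{pkg}" for pkg in report["add"]]
    return report


if __name__ == "__main__":
    for key, value in guardian_report(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS).items():
        print(f"{key}: {value}")
```

The design point mirrors the proposal's principle: the script never installs anything and never touches the developer's environment. Its only outputs are a patch proposal for packages that pass the allow-list and a report of everything it refused to decide on its own, which is exactly the input the sandbox-build and CI steps need.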

Thanks for taking the time to share this proposal and the thinking behind it.

I'll pass this feedback along to the team for consideration.

~ Smith