Package Manager Safety Wrapper
sfw is a safety wrapper for package-manager commands. It is strictly intended
to sit in front of supported package managers only during the installation of
new packages, ensuring that new dependency downloads and additions go through
the wrapper before reaching the underlying tool.
Before running any command to add or install a new dependency via a supported
package manager, prefix the command with sfw. Routine commands like build,
test, or run should be executed normally without the wrapper.
Supported package managers:
- JavaScript/TypeScript: npm, yarn, pnpm
- Python: pip, uv
- Rust: cargo
Examples:
- Installing new packages: use `sfw npm install --save some-package@1.33.7`, not `npm install --save some-package@1.33.7`
- Adding new packages: use `sfw cargo add serde`, not `cargo add serde`
- Installing new packages: use `sfw uv pip install flask`, not `uv pip install flask`
- Running routine commands: run `npm test` or `cargo build` normally
This applies strictly to subcommands that introduce new dependencies, such as
install and add. It does not apply to update, fetch, build, test,
run, and other routine package-manager subcommands unless the user explicitly
asks to bypass this rule.
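As an added example (not part of sfw itself), a POSIX sh helper that applies the rule above: it classifies a package-manager command line by whether its subcommand introduces new dependencies and prints the command with the sfw prefix only in that case. The function names and the short alias `i` for `npm`/`pnpm install` are assumptions of this example, not part of the rule.

```shell
# Added example, not part of sfw: classify a package-manager command line and
# decide whether it must be prefixed with sfw. Function names and the short
# alias "i" for npm/pnpm install are assumptions, not part of the sfw rule.

# needs_sfw MANAGER SUBCOMMAND [ARGS...]
# Returns 0 (true) when the subcommand adds or installs dependencies and
# therefore needs the wrapper; returns 1 for routine subcommands.
needs_sfw() {
  mgr="$1"
  sub="$2"
  third="$3"
  case "$mgr" in
    npm|pnpm)
      case "$sub" in
        install|i|add) return 0 ;;
      esac ;;
    yarn)
      case "$sub" in
        install|add) return 0 ;;
      esac ;;
    pip)
      case "$sub" in
        install) return 0 ;;
      esac ;;
    uv)
      # "uv add" and the nested "uv pip install" both pull in new packages;
      # "uv pip list" or "uv run" do not.
      case "$sub" in
        add) return 0 ;;
        pip) if [ "$third" = "install" ]; then return 0; fi ;;
      esac ;;
    cargo)
      case "$sub" in
        install|add) return 0 ;;
      esac ;;
  esac
  return 1
}

# wrap_cmd MANAGER SUBCOMMAND [ARGS...]
# Prints the command line to execute: prefixed with sfw when needed, unchanged
# otherwise (build, test, run, update, fetch stay unwrapped).
wrap_cmd() {
  if needs_sfw "$@"; then
    printf 'sfw %s\n' "$*"
  else
    printf '%s\n' "$*"
  fi
}

# Usage: wrap_cmd npm install --save some-package@1.33.7
# prints: sfw npm install --save some-package@1.33.7
```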
pgGraph Source-Of-Truth Principle
PostgreSQL source tables are the source of truth. pgGraph should feel like a full graph layer, but graph-style operations must map to PostgreSQL-first behavior whenever they mutate data.
When adding graph write features:
- expose graph ergonomics when labels, relationship types, properties, and identities can map cleanly to registered PostgreSQL tables and columns;
- route writes through PostgreSQL DML first, so constraints, triggers, ACLs, RLS, MVCC, and indexes remain authoritative;
- update pgGraph projections through sync, deltas, or rebuilds after the PostgreSQL write boundary accepts the change;
- reject unmapped graph writes with clear errors and mapping guidance;
- do not create durable graph-only state that can diverge from PostgreSQL as a second source of truth.