[ci] Enforce architecture boundaries with depguard in CI #119
Description
Enhancement Description
Enforce architecture boundaries in CI with depguard rules to prevent application/ports from importing forbidden packages.
Scope type: CI automation for architectural compliance
Background
Architecture boundaries are currently enforced manually. Automated checks reduce review burden and prevent regressions in clean architecture rules.
Scope
Add depguard rules to golangci-lint configuration
Files: .golangci.yml
Rules
- internal/application cannot import internal/infrastructure, internal/daemon, internal/plugin
- internal/application/ports cannot import internal/daemon, internal/plugin (and other forbidden layers)
- Provide clear denylist messages to aid remediation
Ensure golangci-lint runs in CI for PRs
Files: .github/workflows/*
Document boundaries
Files: CONTRIBUTING.md
Non-Goals
Fixing all existing violations in this issue (link to Issue 3.1/3.2 instead)
Adding new linters unrelated to architecture enforcement
Changing repository layout
Risks and Open Questions
Depguard rules must match actual layering decisions; avoid overblocking legitimate imports
Existing violations must be addressed first or rules staged to avoid blocking all PRs
CI environment must include golangci-lint and run consistently
Validation Plan
Unit and Integration Checks
golangci-lint run locally and in CI
Add a small “known violation” test case (optional) to confirm rule triggers
End-to-End Checks
Try a PR introducing a forbidden import and confirm CI blocks it (controlled test)
Ensure existing code passes after dependent refactors are merged
Evidence Required in Issue Updates
CI logs showing depguard executed
Example depguard failure message for a forbidden import (from a controlled test)
Acceptance Criteria
CI fails on new boundary violations
Rules are documented and produce clear error messages
golangci-lint runs on all PRs
Deliverables
PR adding depguard rules and CI wiring
Documentation updates describing boundaries and remediation