Summary
Introduce agr.lock that pins exact git commit SHAs for every resolved dependency. When a lockfile exists, agr sync should produce byte-identical results across machines and over time.
Why
Without a lockfile, teams cannot guarantee reproducibility. The existing .agr.json content hash is a step toward integrity checking, but it does not pin resolved versions. This is a core package manager feature (npm has package-lock.json, pip has requirements.txt, cargo has Cargo.lock).
Scope
- Define lockfile format (TOML or YAML) storing: handle, resolved commit SHA, content hash, source
- Generate/update lockfile on agr add and agr update
- Read lockfile in agr sync to install exact pinned versions
- Add agr sync --frozen mode that fails if lockfile is out of date (for CI)
- Depends on: version refs (#ref syntax in handles)
🤖 Generated with Claude Code