Document keep-rationale for justified hand-rolled code (crypto, paths, CI writers, schema)

[ChrisonSimtian]

Tier 3 — Keep, but document. The audit confirmed several hand-rolled areas are justified. Record the rationale (code comments + a short docs/ note) so they aren't re-litigated in future "use a library" passes.

Keep + reason

• Security/EncryptionUtility.cs — AES-GCM + PBKDF2, OWASP-aligned, security-audited (Security audit: pen-test EncryptionUtility (the existing 'v1:' secret format) #212). Correct BCL crypto; no swap.
• IO/AbsolutePath.* + PathConstruction.cs (~500 LOC) — type-safe, OS-independent path API; a core selling point. BCL paths are string-typed and OS-dependent.
• CI config writers — CICD/CustomFileWriter.cs + ~1,800 LOC of *Configuration.cs. TeamCity/SpaceAutomation emit Kotlin DSL (YamlDotNet can't help); YAML targets need exact comment/quote/indent control a serializer would silently change.
• SchemaUtility.cs (~393 LOC) — emits the legacy NJsonSchema-shaped envelope consumed by Fallout.Cli; the exact output shape is a contract.

Acceptance

• Brief "why hand-rolled" note added to each area (XML-doc or header comment)
• Short docs/ entry (or section in conventions) listing these deliberate keeps

From dependency-consolidation audit, 2026-06-02.

[ChrisonSimtian]

Insights from a discarded prototype (old paths; map to onion structure after #359).

• Added docs/dependencies-kept.md, cross-linked from docs/dependencies.md.
• Keep-rationale documented for: crypto (EncryptionUtility), path handling (AbsolutePath/PathConstruction), CI config writers (CustomFileWriter), schema (SchemaUtility) — these stay hand-rolled, no NuGet swap.
• EncryptionUtility + SchemaUtility already had good summaries; just appended explicit "kept hand-rolled" remarks.

[dennisdoomen]

Good to know that I at some point decided to extract the path idea into https://github.com/dennisdoomen/pathy/