[TECH DEBT] Automate Vendor Library Version Management with Git Submodules

[humanauction]

---

Context

MVP uses manually-copied vendor libraries (bcrypt, uuid_gen) in include/net-net/vendor/.
This approach requires manual tracking of upstream changes and lacks version control integration.
No automated mechanism exists to check for updates or ensure consistent dependency versions across environments.

Motivation

• Version control: Git submodules provide explicit commit-hash tracking of dependencies
• Auditing: Changes to vendor code are tracked in project history
• Simplified updates: git submodule update --remote handles upstream changes
• No manual file copying: Reduces human error and maintenance burden
• Offline builds: Dependencies available without internet after initial clone
• Industry standard: Used by major projects (LLVM, Chromium, Linux kernel)

Proposed Changes

• Convert existing vendor bcrypt files to Git submodule
• Add bcrypt upstream repository as submodule: git submodule add https://github.com/hilch/Bcrypt.cpp.git include/net-net/vendor/bcrypt
• Update CMakeLists.txt to reference submodule paths instead of direct file includes
• Add .gitmodules configuration file with submodule tracking
• Update README Quick Start section with git clone --recurse-submodules instructions
• Add fallback instructions for users who already cloned without submodules
• Create scripts/update_vendor.sh helper script to update all submodules
• Add CI check to verify submodules are initialized and at expected commits
• Document submodule workflow in docs/development.md

Priority

Medium (improves maintainability and professionalism of dependency management)

References

• Git Submodules Documentation
• LLVM Submodule Usage
• CMake ExternalProject vs FetchContent vs Submodules
• Bcrypt.cpp Repository