@sagargupta1610/skillcheck 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Sagar Gupta
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,121 @@
1
+ # skillcheck
2
+
3
+ Conformance suite for [Agent Skills](https://agentskills.io) (`SKILL.md`).
4
+
5
+ Linters check syntax. skillcheck checks reality: 36 rules with exact [skills-ref](https://github.com/agentskills/agentskills/tree/main/skills-ref) parity (verified against the reference validator's source, message for message), client-extension awareness across 6 runtimes, structure/reference validation, trigger-test scaffolding, SARIF, and a drop-in GitHub Action.
6
+
7
+ ## Why
8
+
9
+ The Agent Skills standard is adopted by 40+ runtimes (Claude Code, Codex, Gemini CLI, Copilot, Cursor, OpenCode, ...), and its ecosystem has a built-in tension: the official reference validator (`skills-ref`) is **strict** -- unknown frontmatter fields fail -- while real clients are **lenient** -- they warn and load anyway. Claude Code alone ships 18 extension fields that fail strict validation.
10
+
11
+ skillcheck is the only linter that models both tiers:
12
+
13
+ - **error** = skills-ref 0.1.0 strict parity (exact messages, exact check order, exact i18n semantics -- Chinese and lowercase-Cyrillic names are valid, `skill_name` is not)
14
+ - **warning** = client-guide lenient tier + beyond-parity checks (broken references, hidden unicode, portability)
15
+ - **info** = advisory, never gates CI
16
+
17
+ ## Install
18
+
19
+ ```bash
20
+ pnpm add -D @sagargupta1610/skillcheck
21
+ # or run directly
22
+ pnpm dlx @sagargupta1610/skillcheck lint ./skills
23
+ ```
24
+
25
+ ## Usage
26
+
27
+ ```bash
28
+ skillcheck lint ./my-skill # one skill
29
+ skillcheck lint ./skills # every SKILL.md under a tree
30
+ skillcheck lint . --profile lenient # client-guide severities
31
+ skillcheck lint . --format concise # one line per finding
32
+ skillcheck lint . --format json
33
+ skillcheck lint . --format github # Actions inline annotations
34
+ skillcheck lint . --format sarif # SARIF 2.1.0 to stdout
35
+ skillcheck lint . --sarif report.sarif # sidecar SARIF alongside any format
36
+ skillcheck lint . --fail-on warning # stricter CI gate
37
+ skillcheck lint . --max-warnings 10
38
+
39
+ skillcheck eval init ./my-skill # scaffold evals/evals.json
40
+ skillcheck eval check ./my-skill # validate it
41
+ ```
42
+
43
+ Exit codes: `0` clean, `1` findings at/above `--fail-on`, `2` usage/internal error.
44
+
45
+ ## GitHub Action
46
+
47
+ ```yaml
48
+ - uses: Sagargupta16/skillcheck@v0.2.0
49
+ with:
50
+ path: skills/
51
+ fail-on: error
52
+ sarif-file: skillcheck.sarif # optional
53
+
54
+ # optional: upload to code scanning (needs security-events: write)
55
+ - uses: github/codeql-action/upload-sarif@v4
56
+ with:
57
+ sarif_file: skillcheck.sarif
58
+ category: skillcheck
59
+ ```
60
+
61
+ Inline PR annotations come free via `--format github`; a full report lands in the job summary automatically.
62
+
63
+ ## Rules
64
+
65
+ 36 rules with stable codes (never renumbered or recycled) -- see [docs/rules.md](docs/rules.md) for the full table.
66
+
67
+ | Range | Category | Examples |
68
+ | --- | --- | --- |
69
+ | SC0xx | Frontmatter (skills-ref parity) | SC010 name-not-lowercase, SC013 name-invalid-chars, SC018 unknown-frontmatter-field, SC021 unquoted-colon-description |
70
+ | SC1xx | Structure + references | SC101 broken-relative-reference, SC105 duplicate-skill-name, SC107 hidden-unicode (Trojan-Source) |
71
+ | SC2xx | Body | SC202 body-too-many-lines, SC203 body-too-many-tokens |
72
+ | SC3xx | Extensions / portability | SC301 extension-field (per-runtime table), SC302 extension-invalid-value |
73
+ | SC4xx | Evals | SC401 evals-invalid, SC402 evals-advisory |
74
+
75
+ Parity details worth knowing:
76
+
77
+ - Name validation is Unicode-aware, matching skills-ref exactly: `技能` and `мой-навык` pass, `skill_name` and `НАВЫК` fail.
78
+ - NFKC normalization applies to names and directory comparison -- composed vs decomposed `café` never false-positives.
79
+ - The frontmatter splitter replicates skills-ref's `split("---", 2)` semantics, including its known edge case (a literal `---` inside YAML values).
80
+ - Strict-YAML semantics are enforced on top of the JS parser: flow collections, tags, and duplicate keys are rejected, like `strictyaml`.
81
+ - The 18-field extension registry knows which runtimes read each field (`model` is Claude Code only; `paths` is Claude Code + Cursor; OpenCode and Gemini ignore all of them) and validates values (`effort: extreme` flags SC302).
82
+
83
+ ## Config
84
+
85
+ Optional `skillcheck.config.json`:
86
+
87
+ ```json
88
+ {
89
+ "rules": {
90
+ "SC104": "off",
91
+ "extension-field": "error"
92
+ }
93
+ }
94
+ ```
95
+
96
+ Codes and aliases are interchangeable. Zero-config works.
97
+
98
+ ## Evals (trigger tests)
99
+
100
+ `skillcheck eval init` scaffolds `evals/evals.json` -- a strict superset of Anthropic skill-creator's format (anything skill-creator writes, skillcheck validates unchanged), plus a `triggers` array covering the four trigger classes: explicit, implicit, contextual, and negative (the near-misses that catch over-triggering). `skillcheck lint` validates the file automatically when present. Runtime execution of these tests lands in v0.3.
101
+
102
+ ## Roadmap
103
+
104
+ - [x] **v0.1** -- static lint, two-tier severity
105
+ - [x] **v0.2** -- skills-ref parity (verified message-for-message), rule codes, i18n names, structure/reference rules, extension registry with value validation, SARIF 2.1.0, evals scaffold + validation, GitHub Action, profiles, config
106
+ - [ ] **v0.3** -- runtime execution: run trigger tests against Claude Code / OpenCode / Codex headlessly in Docker; `--fix` for safe fixes
107
+ - [ ] **v1.0** -- public caniuse-style compatibility matrix + README badges
108
+
109
+ ## Development
110
+
111
+ ```bash
112
+ pnpm install
113
+ pnpm test # vitest (40 tests incl. skills-ref parity + i18n cases)
114
+ pnpm build # tsup -> dist/
115
+ pnpm lint # biome
116
+ node dist/cli.js lint fixtures/valid-skill
117
+ ```
118
+
119
+ ## License
120
+
121
+ [MIT](LICENSE)