coding-agent-skills 0.2.10 → 0.2.12
- package/CHANGELOG.md +40 -0
- package/README.md +8 -0
- package/ROADMAP.md +9 -5
- package/bin/coding-agent-skills +14 -0
- package/docs/adapters/README.md +38 -0
- package/docs/adapters/project-installation.md +24 -0
- package/docs/adapters/real-project-adoption.md +2 -2
- package/docs/architecture/README.md +5 -3
- package/docs/release/README.md +3 -2
- package/docs/release/npm-package.md +10 -2
- package/docs/safety/README.md +11 -1
- package/docs/testing/README.md +15 -0
- package/docs/usage/README.md +23 -5
- package/examples/command-policies/api-contract-audit.json +70 -0
- package/examples/command-policies/secret-audit.json +71 -0
- package/examples/evidence-packs/api-contract-audit.json +60 -0
- package/examples/evidence-packs/secret-audit.json +55 -0
- package/examples/manifests/api-contract-audit.json +14 -0
- package/examples/manifests/secret-audit.json +14 -0
- package/examples/workflows/api-contract-audit.md +8 -0
- package/examples/workflows/secret-audit.md +10 -0
- package/package.json +3 -1
- package/runs/skill-runs.md +32 -0
- package/schemas/project-adapter-installation.schema.json +4 -0
- package/schemas/project-adapter.schema.json +4 -0
- package/scripts/lib/api-contract-audit.mjs +651 -0
- package/scripts/lib/pack-rules.mjs +20 -2
- package/scripts/lib/secret-audit.mjs +510 -0
- package/scripts/render-api-contract-audit.mjs +8 -0
- package/scripts/render-secret-audit.mjs +8 -0
- package/scripts/test-pack.mjs +130 -1
- package/scripts/validate-pack.mjs +8 -2
- package/skills/api-contract-audit/SKILL.md +85 -0
- package/skills/api-contract-audit/adapter-interface.md +16 -0
- package/skills/api-contract-audit/agents/openai.yaml +4 -0
- package/skills/api-contract-audit/checklist.md +7 -0
- package/skills/api-contract-audit/evidence-template.md +13 -0
- package/skills/api-contract-audit/examples.md +20 -0
- package/skills/api-contract-audit/failure-modes.md +5 -0
- package/skills/secret-audit/SKILL.md +57 -0
- package/skills/secret-audit/adapter-interface.md +12 -0
- package/skills/secret-audit/agents/openai.yaml +4 -0
- package/skills/secret-audit/checklist.md +7 -0
- package/skills/secret-audit/evidence-template.md +15 -0
- package/skills/secret-audit/examples.md +27 -0
- package/skills/secret-audit/failure-modes.md +5 -0
- package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/adapters/api-contract-audit-fixture/adapter.json +53 -0
- package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/api-contract-audit/adapter-project/README.md +3 -0
- package/tests/fixtures/api-contract-audit/adapter-project/package.json +4 -0
- package/tests/fixtures/api-contract-audit/adapter-project/src/routes.ts +1 -0
- package/tests/fixtures/api-contract-audit/static-project/README.md +3 -0
- package/tests/fixtures/api-contract-audit/static-project/app/api/users/route.ts +7 -0
- package/tests/fixtures/api-contract-audit/static-project/docs/openapi.yaml +10 -0
- package/tests/fixtures/api-contract-audit/static-project/package.json +4 -0
- package/tests/fixtures/api-contract-audit/static-project/schemas/user.schema.ts +4 -0
- package/tests/fixtures/api-contract-audit/static-project/src/client.ts +3 -0
- package/tests/fixtures/secret-audit/adapter-project/.coding-agent/adapters/secret-audit-fixture/adapter.json +53 -0
- package/tests/fixtures/secret-audit/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/secret-audit/adapter-project/README.md +3 -0
- package/tests/fixtures/secret-audit/adapter-project/package.json +4 -0
- package/tests/fixtures/secret-audit/adapter-project/src/placeholder.ts +1 -0
- package/tests/fixtures/secret-audit/static-project/.env.example +1 -0
- package/tests/fixtures/secret-audit/static-project/README.md +3 -0
- package/tests/fixtures/secret-audit/static-project/package.json +4 -0
- package/tests/fixtures/secret-audit/static-project/src/config.ts +1 -0
- package/tests/fixtures/triggers/cases.json +25 -1
- package/tests/trigger/README.md +4 -0
- package/work-ledger.md +30 -6
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "secret-audit", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-secret-audit",
|
|
6
|
+
"startedAt": "2026-07-03T11:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-03T11:01:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "clean"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Find possible tracked secret exposure before handoff.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "example-secret-adapter",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "high",
|
|
22
|
+
"reason": "Static files were scanned for high-confidence secret-like patterns with matched values omitted."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills secret-audit /workspace/example-project",
|
|
27
|
+
"family": "secret-audit-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-03T11:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-03T11:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render a redacted static secret-audit report.",
|
|
36
|
+
"outputSummary": "Reported finding paths, types, and counts without matched values."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [],
|
|
40
|
+
"findings": [
|
|
41
|
+
{
|
|
42
|
+
"summary": "Potential secret exposure was reported by file path, type, and count only.",
|
|
43
|
+
"evidence": ["src/example.ts"]
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
"risks": [],
|
|
47
|
+
"failures": [],
|
|
48
|
+
"unresolvedQuestions": [],
|
|
49
|
+
"changedState": {
|
|
50
|
+
"changed": false,
|
|
51
|
+
"summary": "No project, Git, dependency, runtime, service, or remote state changed."
|
|
52
|
+
},
|
|
53
|
+
"handoffSummary": "Secret-like findings require human review; matched values were omitted.",
|
|
54
|
+
"recommendedNextAction": "Review flagged files locally and rotate credentials only through approved project procedures."
|
|
55
|
+
}
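Review bot: The example pack pairs `"status": "complete"` and confidence `"level": "high"` with `"skippedChecks": []`, although the run log in this diff states the tool performs no `.env` or secret-file reads and the workflow text tells reviewers to check "skipped secret-bearing paths, and not-verified stores". A reader who copies this example could take the empty list as full coverage. I would list the unread paths in `skippedChecks`, in whatever item shape the evidence-pack schema requires (not visible here), and say so in the reason, e.g. `"reason": "Tracked static files were scanned for high-confidence secret-like patterns; .env and secret-bearing files were not read and matched values were omitted."`. The single finding also carries only a path in `evidence`, while `outputSummary` promises types and counts. The file header for this hunk is not on the page; from the file list it appears to be the +55 evidence-pack example.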
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "api-contract-audit",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/api-contract-audit.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/api-contract-audit/adapter-interface.md",
|
|
13
|
+
"description": "Map static API contract surfaces without runtime calls or generation."
|
|
14
|
+
}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "secret-audit",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/secret-audit.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/secret-audit/adapter-interface.md",
|
|
13
|
+
"description": "Find high-confidence secret exposure risks without printing values."
|
|
14
|
+
}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
Use `api-contract-audit` before API work or handoff:
|
|
2
|
+
|
|
3
|
+
```bash
|
|
4
|
+
coding-agent-skills api-contract-audit /workspace/project
|
|
5
|
+
```
|
|
6
|
+
|
|
7
|
+
Review contract files, endpoint declarations, client-call patterns, schema/type files,
|
|
8
|
+
skipped paths, and not-verified runtime behavior before making API claims.
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# Secret Audit Workflow
|
|
2
|
+
|
|
3
|
+
Use `secret-audit` before handoff or publication:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
coding-agent-skills secret-audit /workspace/project
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
Review file paths, types, counts, skipped secret-bearing paths, and not-verified stores.
|
|
10
|
+
Do not ask the tool to print matched values or rotate credentials.
|
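--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "coding-agent-skills",
-"version": "0.2.
+"version": "0.2.12",
 "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
 "type": "module",
 "private": false,
@@ -11,6 +11,8 @@
 "repo-map",
 "route-trace",
 "env-audit",
+"secret-audit",
+"api-contract-audit",
 "project-adapters",
 "code-validation",
 "cli"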
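--- a/package/runs/skill-runs.md
+++ b/package/runs/skill-runs.md
@@ -197,3 +197,35 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
 - Validation commands: pending final release validation matrix.
 - Result: pass pending final publication evidence.
 - Commit/tag/push status: pending approved release workflow.
+
+## implementation-v0.2.11-secret-audit
+
+- Run ID: `implementation-v0.2.11-secret-audit`
+- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
+- Command used: `builder-mode approval for secret-audit-skill implementation and release`
+- Files changed: `secret-audit` skill, secret-audit renderer and library, CLI wrapper,
+adapter schemas, pack rules, release tests, synthetic secret fixtures, usage/release/
+safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
+- Safety boundary: read-only, static-analysis only, no `.env` reads, no secret-file
+reads, no matched value printing, no credential validation or rotation, no API calls,
+no builds, no tests in target projects, no deploys, no migrations, and no
+target-project mutation.
+- Validation commands: pending final release validation matrix.
+- Result: pass pending final publication evidence.
+- Commit/tag/push status: pending approved release workflow.
+
+## implementation-v0.2.12-api-contract-audit
+
+- Run ID: `implementation-v0.2.12-api-contract-audit`
+- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
+- Command used: `builder-mode approval for api-contract-audit-skill implementation and release`
+- Files changed: `api-contract-audit` skill, API contract audit renderer and library,
+CLI wrapper, adapter schemas, pack rules, release tests, synthetic API contract fixtures,
+usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package
+metadata.
+- Safety boundary: read-only, static-analysis only, no `.env` reads, no target runtime,
+no URL probes, no API calls, no schema/client generation, no builds, no tests in target
+projects, no deploys, no migrations, and no target-project mutation.
+- Validation commands: pending final release validation matrix.
+- Result: pass pending final publication evidence.
+- Commit/tag/push status: pending approved release workflow.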
@@ -67,6 +67,8 @@
|
|
|
67
67
|
"repo-map",
|
|
68
68
|
"route-trace",
|
|
69
69
|
"env-audit",
|
|
70
|
+
"secret-audit",
|
|
71
|
+
"api-contract-audit",
|
|
70
72
|
"build-verify",
|
|
71
73
|
"git-preflight",
|
|
72
74
|
"runtime-truth",
|
|
@@ -101,6 +103,8 @@
|
|
|
101
103
|
"repo-map",
|
|
102
104
|
"route-trace",
|
|
103
105
|
"env-audit",
|
|
106
|
+
"secret-audit",
|
|
107
|
+
"api-contract-audit",
|
|
104
108
|
"build-verify",
|
|
105
109
|
"git-preflight",
|
|
106
110
|
"runtime-truth",
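Review bot: The same two entries, `"secret-audit"` and `"api-contract-audit"`, are added by hand to what look like four copies of one skill-name list: this hunk, the one before it at old line 67, and the two hunks that follow at old lines 91 and 169. The lists begin and end outside the hunks, so their keyword cannot be confirmed from here. If they are the `enum` arrays of the two adapter schemas, as the file list suggests, a single definition per schema referenced from each use, e.g. `"$ref": "#/$defs/skillName"` (name constructed; `definitions` on older drafts), would stop the copies drifting apart. Drift matters here because a skill name accepted in one place and rejected in another makes adapter validation inconsistent.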
|
|
@@ -91,6 +91,8 @@
|
|
|
91
91
|
"repo-map",
|
|
92
92
|
"route-trace",
|
|
93
93
|
"env-audit",
|
|
94
|
+
"secret-audit",
|
|
95
|
+
"api-contract-audit",
|
|
94
96
|
"build-verify",
|
|
95
97
|
"git-preflight",
|
|
96
98
|
"runtime-truth",
|
|
@@ -169,6 +171,8 @@
|
|
|
169
171
|
"repo-map",
|
|
170
172
|
"route-trace",
|
|
171
173
|
"env-audit",
|
|
174
|
+
"secret-audit",
|
|
175
|
+
"api-contract-audit",
|
|
172
176
|
"build-verify",
|
|
173
177
|
"git-preflight",
|
|
174
178
|
"runtime-truth",
|