coding-agent-skills 0.2.10 → 0.2.12

Files changed (69)
  1. package/CHANGELOG.md +40 -0
  2. package/README.md +8 -0
  3. package/ROADMAP.md +9 -5
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +38 -0
  6. package/docs/adapters/project-installation.md +24 -0
  7. package/docs/adapters/real-project-adoption.md +2 -2
  8. package/docs/architecture/README.md +5 -3
  9. package/docs/release/README.md +3 -2
  10. package/docs/release/npm-package.md +10 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +23 -5
  14. package/examples/command-policies/api-contract-audit.json +70 -0
  15. package/examples/command-policies/secret-audit.json +71 -0
  16. package/examples/evidence-packs/api-contract-audit.json +60 -0
  17. package/examples/evidence-packs/secret-audit.json +55 -0
  18. package/examples/manifests/api-contract-audit.json +14 -0
  19. package/examples/manifests/secret-audit.json +14 -0
  20. package/examples/workflows/api-contract-audit.md +8 -0
  21. package/examples/workflows/secret-audit.md +10 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +32 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/api-contract-audit.mjs +651 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/secret-audit.mjs +510 -0
  29. package/scripts/render-api-contract-audit.mjs +8 -0
  30. package/scripts/render-secret-audit.mjs +8 -0
  31. package/scripts/test-pack.mjs +130 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/api-contract-audit/SKILL.md +85 -0
  34. package/skills/api-contract-audit/adapter-interface.md +16 -0
  35. package/skills/api-contract-audit/agents/openai.yaml +4 -0
  36. package/skills/api-contract-audit/checklist.md +7 -0
  37. package/skills/api-contract-audit/evidence-template.md +13 -0
  38. package/skills/api-contract-audit/examples.md +20 -0
  39. package/skills/api-contract-audit/failure-modes.md +5 -0
  40. package/skills/secret-audit/SKILL.md +57 -0
  41. package/skills/secret-audit/adapter-interface.md +12 -0
  42. package/skills/secret-audit/agents/openai.yaml +4 -0
  43. package/skills/secret-audit/checklist.md +7 -0
  44. package/skills/secret-audit/evidence-template.md +15 -0
  45. package/skills/secret-audit/examples.md +27 -0
  46. package/skills/secret-audit/failure-modes.md +5 -0
  47. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/adapters/api-contract-audit-fixture/adapter.json +53 -0
  48. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/api-contract-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/api-contract-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/api-contract-audit/adapter-project/src/routes.ts +1 -0
  52. package/tests/fixtures/api-contract-audit/static-project/README.md +3 -0
  53. package/tests/fixtures/api-contract-audit/static-project/app/api/users/route.ts +7 -0
  54. package/tests/fixtures/api-contract-audit/static-project/docs/openapi.yaml +10 -0
  55. package/tests/fixtures/api-contract-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/api-contract-audit/static-project/schemas/user.schema.ts +4 -0
  57. package/tests/fixtures/api-contract-audit/static-project/src/client.ts +3 -0
  58. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/adapters/secret-audit-fixture/adapter.json +53 -0
  59. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/secret-audit/adapter-project/README.md +3 -0
  61. package/tests/fixtures/secret-audit/adapter-project/package.json +4 -0
  62. package/tests/fixtures/secret-audit/adapter-project/src/placeholder.ts +1 -0
  63. package/tests/fixtures/secret-audit/static-project/.env.example +1 -0
  64. package/tests/fixtures/secret-audit/static-project/README.md +3 -0
  65. package/tests/fixtures/secret-audit/static-project/package.json +4 -0
  66. package/tests/fixtures/secret-audit/static-project/src/config.ts +1 -0
  67. package/tests/fixtures/triggers/cases.json +25 -1
  68. package/tests/trigger/README.md +4 -0
  69. package/work-ledger.md +30 -6
@@ -0,0 +1,55 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "secret-audit", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-secret-audit",
6
+ "startedAt": "2026-07-03T11:00:00Z",
7
+ "endedAt": "2026-07-03T11:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Find possible tracked secret exposure before handoff.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-secret-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "high",
22
+ "reason": "Static files were scanned for high-confidence secret-like patterns with matched values omitted."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills secret-audit /workspace/example-project",
27
+ "family": "secret-audit-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T11:00:20Z",
30
+ "endedAt": "2026-07-03T11:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a redacted static secret-audit report.",
36
+ "outputSummary": "Reported finding paths, types, and counts without matched values."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Potential secret exposure was reported by file path, type, and count only.",
43
+ "evidence": ["src/example.ts"]
44
+ }
45
+ ],
46
+ "risks": [],
47
+ "failures": [],
48
+ "unresolvedQuestions": [],
49
+ "changedState": {
50
+ "changed": false,
51
+ "summary": "No project, Git, dependency, runtime, service, or remote state changed."
52
+ },
53
+ "handoffSummary": "Secret-like findings require human review; matched values were omitted.",
54
+ "recommendedNextAction": "Review flagged files locally and rotate credentials only through approved project procedures."
55
+ }
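Review bot: The example evidence pack pairs `"skippedChecks": []` and `"risks": []` with `"confidence": {"level": "high", ...}`, but the run log in this release states the tool performs no `.env` reads and no secret-file reads, and the workflow text tells reviewers to check skipped secret-bearing paths and not-verified stores. As a template that adapters and agents are likely to copy, it presents a scan that by design excluded the most secret-dense files as complete and high-confidence, so a clean-looking pack can be misread as "no secrets present". The example should carry at least one `skippedChecks` entry for the excluded paths, in whatever item shape `evidence-pack.schema.json` defines (not visible here). Its confidence reason should be scoped to what was scanned, e.g. `"reason": "Tracked non-secret files were scanned for high-confidence patterns; .env and secret files were skipped by design."`. The single finding also lists only `"evidence": ["src/example.ts"]` with no type or count, although its summary says path, type, and count are reported.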
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "api-contract-audit",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/api-contract-audit.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/api-contract-audit/adapter-interface.md",
13
+ "description": "Map static API contract surfaces without runtime calls or generation."
14
+ }
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "secret-audit",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/secret-audit.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/secret-audit/adapter-interface.md",
13
+ "description": "Find high-confidence secret exposure risks without printing values."
14
+ }
@@ -0,0 +1,8 @@
1
+ Use `api-contract-audit` before API work or handoff:
2
+
3
+ ```bash
4
+ coding-agent-skills api-contract-audit /workspace/project
5
+ ```
6
+
7
+ Review contract files, endpoint declarations, client-call patterns, schema/type files,
8
+ skipped paths, and not-verified runtime behavior before making API claims.
@@ -0,0 +1,10 @@
1
+ # Secret Audit Workflow
2
+
3
+ Use `secret-audit` before handoff or publication:
4
+
5
+ ```bash
6
+ coding-agent-skills secret-audit /workspace/project
7
+ ```
8
+
9
+ Review file paths, types, counts, skipped secret-bearing paths, and not-verified stores.
10
+ Do not ask the tool to print matched values or rotate credentials.
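--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "coding-agent-skills",
- "version": "0.2.10",
+ "version": "0.2.12",
  "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
  "type": "module",
  "private": false,
@@ -11,6 +11,8 @@
  "repo-map",
  "route-trace",
  "env-audit",
+ "secret-audit",
+ "api-contract-audit",
  "project-adapters",
  "code-validation",
  "cli"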
@@ -197,3 +197,35 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
197
197
  - Validation commands: pending final release validation matrix.
198
198
  - Result: pass pending final publication evidence.
199
199
  - Commit/tag/push status: pending approved release workflow.
200
+
201
+ ## implementation-v0.2.11-secret-audit
202
+
203
+ - Run ID: `implementation-v0.2.11-secret-audit`
204
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
205
+ - Command used: `builder-mode approval for secret-audit-skill implementation and release`
206
+ - Files changed: `secret-audit` skill, secret-audit renderer and library, CLI wrapper,
207
+ adapter schemas, pack rules, release tests, synthetic secret fixtures, usage/release/
208
+ safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
209
+ - Safety boundary: read-only, static-analysis only, no `.env` reads, no secret-file
210
+ reads, no matched value printing, no credential validation or rotation, no API calls,
211
+ no builds, no tests in target projects, no deploys, no migrations, and no
212
+ target-project mutation.
213
+ - Validation commands: pending final release validation matrix.
214
+ - Result: pass pending final publication evidence.
215
+ - Commit/tag/push status: pending approved release workflow.
216
+
217
+ ## implementation-v0.2.12-api-contract-audit
218
+
219
+ - Run ID: `implementation-v0.2.12-api-contract-audit`
220
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
221
+ - Command used: `builder-mode approval for api-contract-audit-skill implementation and release`
222
+ - Files changed: `api-contract-audit` skill, API contract audit renderer and library,
223
+ CLI wrapper, adapter schemas, pack rules, release tests, synthetic API contract fixtures,
224
+ usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package
225
+ metadata.
226
+ - Safety boundary: read-only, static-analysis only, no `.env` reads, no target runtime,
227
+ no URL probes, no API calls, no schema/client generation, no builds, no tests in target
228
+ projects, no deploys, no migrations, and no target-project mutation.
229
+ - Validation commands: pending final release validation matrix.
230
+ - Result: pass pending final publication evidence.
231
+ - Commit/tag/push status: pending approved release workflow.
@@ -67,6 +67,8 @@
67
67
  "repo-map",
68
68
  "route-trace",
69
69
  "env-audit",
70
+ "secret-audit",
71
+ "api-contract-audit",
70
72
  "build-verify",
71
73
  "git-preflight",
72
74
  "runtime-truth",
@@ -101,6 +103,8 @@
101
103
  "repo-map",
102
104
  "route-trace",
103
105
  "env-audit",
106
+ "secret-audit",
107
+ "api-contract-audit",
104
108
  "build-verify",
105
109
  "git-preflight",
106
110
  "runtime-truth",
@@ -91,6 +91,8 @@
91
91
  "repo-map",
92
92
  "route-trace",
93
93
  "env-audit",
94
+ "secret-audit",
95
+ "api-contract-audit",
94
96
  "build-verify",
95
97
  "git-preflight",
96
98
  "runtime-truth",
@@ -169,6 +171,8 @@
169
171
  "repo-map",
170
172
  "route-trace",
171
173
  "env-audit",
174
+ "secret-audit",
175
+ "api-contract-audit",
172
176
  "build-verify",
173
177
  "git-preflight",
174
178
  "runtime-truth",