coding-agent-skills 0.2.10 → 0.2.12

Files changed (69) hide show
  1. package/CHANGELOG.md +40 -0
  2. package/README.md +8 -0
  3. package/ROADMAP.md +9 -5
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +38 -0
  6. package/docs/adapters/project-installation.md +24 -0
  7. package/docs/adapters/real-project-adoption.md +2 -2
  8. package/docs/architecture/README.md +5 -3
  9. package/docs/release/README.md +3 -2
  10. package/docs/release/npm-package.md +10 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +23 -5
  14. package/examples/command-policies/api-contract-audit.json +70 -0
  15. package/examples/command-policies/secret-audit.json +71 -0
  16. package/examples/evidence-packs/api-contract-audit.json +60 -0
  17. package/examples/evidence-packs/secret-audit.json +55 -0
  18. package/examples/manifests/api-contract-audit.json +14 -0
  19. package/examples/manifests/secret-audit.json +14 -0
  20. package/examples/workflows/api-contract-audit.md +8 -0
  21. package/examples/workflows/secret-audit.md +10 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +32 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/api-contract-audit.mjs +651 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/secret-audit.mjs +510 -0
  29. package/scripts/render-api-contract-audit.mjs +8 -0
  30. package/scripts/render-secret-audit.mjs +8 -0
  31. package/scripts/test-pack.mjs +130 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/api-contract-audit/SKILL.md +85 -0
  34. package/skills/api-contract-audit/adapter-interface.md +16 -0
  35. package/skills/api-contract-audit/agents/openai.yaml +4 -0
  36. package/skills/api-contract-audit/checklist.md +7 -0
  37. package/skills/api-contract-audit/evidence-template.md +13 -0
  38. package/skills/api-contract-audit/examples.md +20 -0
  39. package/skills/api-contract-audit/failure-modes.md +5 -0
  40. package/skills/secret-audit/SKILL.md +57 -0
  41. package/skills/secret-audit/adapter-interface.md +12 -0
  42. package/skills/secret-audit/agents/openai.yaml +4 -0
  43. package/skills/secret-audit/checklist.md +7 -0
  44. package/skills/secret-audit/evidence-template.md +15 -0
  45. package/skills/secret-audit/examples.md +27 -0
  46. package/skills/secret-audit/failure-modes.md +5 -0
  47. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/adapters/api-contract-audit-fixture/adapter.json +53 -0
  48. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/api-contract-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/api-contract-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/api-contract-audit/adapter-project/src/routes.ts +1 -0
  52. package/tests/fixtures/api-contract-audit/static-project/README.md +3 -0
  53. package/tests/fixtures/api-contract-audit/static-project/app/api/users/route.ts +7 -0
  54. package/tests/fixtures/api-contract-audit/static-project/docs/openapi.yaml +10 -0
  55. package/tests/fixtures/api-contract-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/api-contract-audit/static-project/schemas/user.schema.ts +4 -0
  57. package/tests/fixtures/api-contract-audit/static-project/src/client.ts +3 -0
  58. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/adapters/secret-audit-fixture/adapter.json +53 -0
  59. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/secret-audit/adapter-project/README.md +3 -0
  61. package/tests/fixtures/secret-audit/adapter-project/package.json +4 -0
  62. package/tests/fixtures/secret-audit/adapter-project/src/placeholder.ts +1 -0
  63. package/tests/fixtures/secret-audit/static-project/.env.example +1 -0
  64. package/tests/fixtures/secret-audit/static-project/README.md +3 -0
  65. package/tests/fixtures/secret-audit/static-project/package.json +4 -0
  66. package/tests/fixtures/secret-audit/static-project/src/config.ts +1 -0
  67. package/tests/fixtures/triggers/cases.json +25 -1
  68. package/tests/trigger/README.md +4 -0
  69. package/work-ledger.md +30 -6
@@ -97,6 +97,8 @@ const requiredRootFiles = [
97
97
  "scripts/render-adapter-repo-map.mjs",
98
98
  "scripts/render-route-trace.mjs",
99
99
  "scripts/render-env-audit.mjs",
100
+ "scripts/render-secret-audit.mjs",
101
+ "scripts/render-api-contract-audit.mjs",
100
102
  "scripts/check-adapter-upgrade.mjs",
101
103
  "scripts/check-adapter-upgrade-chain.mjs",
102
104
  "scripts/validate-adapters.mjs",
@@ -104,6 +106,8 @@ const requiredRootFiles = [
104
106
  "scripts/lib/adapter-repo-map.mjs",
105
107
  "scripts/lib/route-trace.mjs",
106
108
  "scripts/lib/env-audit.mjs",
109
+ "scripts/lib/secret-audit.mjs",
110
+ "scripts/lib/api-contract-audit.mjs",
107
111
  "scripts/lib/adapter-upgrade.mjs",
108
112
  "scripts/lib/adapter-upgrade-chain.mjs",
109
113
  "scripts/lib/adapter-discovery.mjs",
@@ -677,8 +681,8 @@ if (packageJson) {
677
681
  if (packageJson.name !== "coding-agent-skills") {
678
682
  failures.push("package.json has unexpected package name");
679
683
  }
680
- if (packageJson.version !== "0.2.10") {
681
- failures.push("package.json version must be 0.2.10 for public package validation");
684
+ if (packageJson.version !== "0.2.12") {
685
+ failures.push("package.json version must be 0.2.12 for public package validation");
682
686
  }
683
687
  if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
684
688
  if (packageJson.private !== false) {
@@ -698,6 +702,8 @@ if (packageJson) {
698
702
  "repo-map",
699
703
  "route-trace",
700
704
  "env-audit",
705
+ "secret-audit",
706
+ "api-contract-audit",
701
707
  "project-adapters",
702
708
  "code-validation",
703
709
  "cli",
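Review bot: The release version is spelled out twice in the 681 hunk, once in the comparison and once in the failure message, so every bump has to keep two literals in step; hoisting it as `const expectedVersion = "0.2.12";` and comparing with `if (packageJson.version !== expectedVersion) {`, with the failure message built from the same constant in a template literal, leaves one place to edit. The required-file hunks at 97 and 106 and the skill-id hunk at 702 match the new render scripts, libraries and skill directories listed in the diffstat. The `if (packageJson)` block that holds these hunks starts and ends outside the view.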
@@ -0,0 +1,85 @@
1
+ ---
2
+ name: api-contract-audit
3
+ description: Audit statically visible API contract surfaces without running servers, calling APIs, generating schemas, or modifying projects. Use when Codex must map OpenAPI or Swagger files, route handler declarations, client request patterns, and schema/type files before API work or handoff; do not use for runtime verification, network probing, code generation, builds, tests, deployments, migrations, or secret-file reads.
4
+ ---
5
+
6
+ # API Contract Audit
7
+
8
+ Map statically visible API contract evidence and report what is and is not verified. Remain audit-only and avoid turning contract discovery into runtime validation.
9
+
10
+ This skill must not change project files, Git state, dependencies, runtime state, services,
11
+ databases, remotes, generated clients, schemas, or deployment state.
12
+
13
+ ## Purpose And Use
14
+
15
+ Use this skill before API work, integration handoff, or contract review when the agent needs
16
+ to understand visible API contracts from source, docs, route handlers, client calls, and
17
+ schema/type files.
18
+
19
+ Do not use it to prove deployed behavior, call endpoints, generate clients, generate
20
+ schemas, run validators, build, test, migrate, deploy, inspect databases, or read secrets.
21
+
22
+ ## Inputs
23
+
24
+ Require a project root or starting path. Optionally accept a project adapter, intended scan
25
+ area, documentation precedence, contract-file hints, or known static API boundaries.
26
+
27
+ Do not assume a missing contract file means no API exists, static route declarations match
28
+ runtime behavior, client calls cover all server routes, generated clients are current, or a
29
+ project adapter enables this skill unless validation proves it.
30
+
31
+ ## Procedure
32
+
33
+ 1. Record user intent, project root, declared scope, adapter state, and safety boundary.
34
+ 2. Validate a project adapter when present before reading adapter-declared metadata.
35
+ 3. If an adapter is present but does not enable `api-contract-audit`, stop static file
36
+ reading and report the adapter-limited skip.
37
+ 4. Build scan scope from adapter safe read paths when available; otherwise use a bounded
38
+ generic static scan.
39
+ 5. Exclude `.env`, secret-bearing files, generated output, dependency paths, and oversized
40
+ files before reading.
41
+ 6. Identify statically visible OpenAPI/Swagger or API contract files.
42
+ 7. Identify route handler declarations and contract path/method declarations from static text.
43
+ 8. Identify client request call patterns and schema/type files.
44
+ 9. Report skipped items, not-verified runtime surfaces, warnings, and safety refusals.
45
+ 10. Emit the shared evidence pack or API contract audit report before claiming completion.
46
+
47
+ Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md),
48
+ [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings
49
+ with [evidence-template.md](evidence-template.md).
50
+
51
+ ## Evidence, Recovery, And Dependencies
52
+
53
+ Emit repository identity, adapter state, scan scope, ignored paths, files scanned, contract
54
+ files, endpoint declarations, client-call patterns, schema/type files, skipped items,
55
+ not-verified areas, warnings, and changed-state declaration through the shared evidence-pack
56
+ contract.
57
+
58
+ Recover from missing specs, ambiguous route declarations, unreadable files, or adapter
59
+ limits by reporting uncertainty. Never recover by running a server, calling an endpoint,
60
+ generating a client, generating schemas, installing dependencies, building, testing,
61
+ deploying, migrating, broadening adapter scope, or reading `.env`.
62
+
63
+ This skill depends on the evidence-pack contract and may consume validated project adapters.
64
+ Adapters may add safe paths, ignored paths, documentation precedence, and evidence
65
+ requirements, but cannot weaken policy or turn this skill into runtime or generation work.
66
+
67
+ ## Approval Boundary
68
+
69
+ Explicit approval may permit one named non-secret static file read outside normal source
70
+ paths. Approval does not permit `.env` or secret-file reads, URL probes, API calls, schema
71
+ generation, client generation, package installation, builds, tests, runtime checks,
72
+ deployments, migrations, Git mutation, or project writes.
73
+
74
+ ## Completion
75
+
76
+ Claim `complete` only when the declared static scan scope was inspected, visible contract
77
+ surfaces are reported, skipped and not-verified areas are explicit, adapter limitations are
78
+ clear, and no project, Git, dependency, runtime, service, remote, generated-code, or
79
+ deployment state changed.
80
+
81
+ Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested
82
+ evidence requires runtime or network behavior, the project root cannot be established, or
83
+ safety exclusions prevent the requested conclusion.
84
+
85
+ These conditions are both the acceptance criteria and definition of done.
@@ -0,0 +1,16 @@
1
+ Adapters may enable `api-contract-audit` only as an audit-only static inspection skill.
2
+
3
+ Allowed adapter extensions:
4
+
5
+ - `safeReadPaths` for source, docs, contract, schema, and client files.
6
+ - `ignoredPaths` for generated, dependency, build, coverage, and output directories.
7
+ - `documentationPrecedence` for API docs or contract references.
8
+ - `requiredEvidence` for contract files, route declarations, client calls, schemas, and not-verified areas.
9
+
10
+ Adapters must not:
11
+
12
+ - Add commands for `api-contract-audit`.
13
+ - Require runtime servers, URL probes, API calls, schema generation, or client generation.
14
+ - Include `.env`, credential, or secret-bearing paths.
15
+ - Change `api-contract-audit` from `audit-only` to action-capable.
16
+ - Expand scope outside the declared project root without named approval.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "API Contract Audit"
3
+ short_description: "Map static API contract surfaces without runtime calls"
4
+ default_prompt: "Audit static API contract surfaces in this repository without changing project state. Do not run servers, call APIs, generate clients or schemas, read .env files, or run builds/tests."
@@ -0,0 +1,7 @@
1
+ - Confirm the project root and declared static scope.
2
+ - Validate any project adapter before reading adapter metadata.
3
+ - Stop with `partial` if an adapter is present but does not enable `api-contract-audit`.
4
+ - Exclude `.env`, secret-bearing, dependency, generated, output, and oversized files.
5
+ - Report contract files, endpoint declarations, client calls, and schema/type files.
6
+ - Record not-verified runtime, deployment, database, auth, and semantic equivalence gaps.
7
+ - Declare that no build, test, runtime, URL probe, API call, generation, deployment, migration, package install, secret read, or write occurred.
@@ -0,0 +1,13 @@
1
+ - Skill: `api-contract-audit`
2
+ - Status: `complete`, `partial`, `failed`, or `blocked`
3
+ - Project root and branch state
4
+ - Adapter present/enabled state
5
+ - Scope paths and ignored paths
6
+ - Files scanned
7
+ - Contract files found
8
+ - Endpoint declarations found
9
+ - Client-call patterns found
10
+ - Schema/type files found
11
+ - Skipped items and reasons
12
+ - Not-verified runtime, deployment, database, auth, generation, and semantic-equivalence gaps
13
+ - Changed-state declaration: no project, Git, dependency, runtime, service, remote, generated-code, or deployment state changed
@@ -0,0 +1,20 @@
1
+ Safe examples:
2
+
3
+ ```bash
4
+ coding-agent-skills api-contract-audit /workspace/app
5
+ ```
6
+
7
+ ```bash
8
+ node scripts/render-api-contract-audit.mjs tests/fixtures/api-contract-audit/static-project
9
+ ```
10
+
11
+ Expected result: a report listing static contract files, endpoint declarations, client call
12
+ patterns, schema/type files, skipped paths, not-verified runtime behavior, and refused
13
+ actions.
14
+
15
+ ## Unsafe Examples
16
+
17
+ - Start the API server to verify contract behavior.
18
+ - Call `/api/*` endpoints or remote URLs.
19
+ - Generate an OpenAPI spec or client.
20
+ - Read `.env`, credentials, service keys, or private runtime config.
@@ -0,0 +1,5 @@
1
+ - Adapter present but missing `api-contract-audit`: report `partial` and read no target files.
2
+ - No contract file found: report the absence as static evidence, not proof that no API exists.
3
+ - Route declarations are dynamic: record not-verified runtime behavior.
4
+ - Client calls use variables or generated clients: report the limitation without executing code.
5
+ - Requested proof requires runtime, network, database, generation, build, test, or secret access: stop or report blocked.
@@ -0,0 +1,57 @@
1
+ ---
2
+ name: secret-audit
3
+ description: Find high-confidence secret exposure risks in static tracked files without printing matched values. Use when Codex must identify possible token, key, credential, or private-key exposure by file path and count before handoff or cleanup; do not use for reading .env files, credential stores, rotation, validation, API calls, builds, tests, deployments, migrations, or mutation.
4
+ ---
5
+
6
+ # Secret Audit
7
+
8
+ Identify high-confidence secret-like patterns from bounded static evidence and emit a redacted report. Remain audit-only and fail closed when evidence would require reading secret files or printing values.
9
+
10
+ This skill must not change project files, Git state, dependencies, runtime state, services,
11
+ databases, remotes, or deployment state.
12
+
13
+ ## Purpose And Use
14
+
15
+ Use this skill to find possible tracked secret exposure by file path, pattern type, and count before handoff, publication, or cleanup. It can report suspicious files and categories, but it must not print matched values or claim whether a credential is active.
16
+
17
+ Do not use this skill for credential validation, token rotation, secret-store inspection, runtime truth claims, deployment readiness, migrations, builds, tests, or package installation.
18
+
19
+ ## Inputs
20
+
21
+ Require a project root or starting path. Optionally accept a project adapter, intended scan area, maximum static scan depth, or known synthetic fixture allowance.
22
+
23
+ Do not assume ignored secret files may be read, high-confidence patterns prove exploitability, absence of findings proves absence of secrets, package contents match Git contents, or a project adapter covers every exposure surface.
24
+
25
+ ## Procedure
26
+
27
+ 1. Record user intent, project root, declared scope, adapter state, and safety boundary.
28
+ 2. Validate a project adapter when present before reading adapter-declared metadata.
29
+ 3. If an adapter is present but does not enable `secret-audit`, stop static file reading and report the adapter-limited skip.
30
+ 4. Build scan scope from adapter safe read paths when available; otherwise use a bounded generic static scan.
31
+ 5. Exclude `.env`, `.env.*` except deliberate `.env.example`, secret-bearing paths, generated paths, dependency paths, and oversized files before reading.
32
+ 6. Scan safe static text files for high-confidence secret-like shapes.
33
+ 7. Report only file path, finding type, and count. Never print matched values, snippets, tokens, credentials, or raw secret-like content.
34
+ 8. Label findings, skipped items, not-verified areas, warnings, and safety refusals.
35
+ 9. Emit the shared evidence pack or secret-audit report before claiming completion.
36
+
37
+ Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md), [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings with [evidence-template.md](evidence-template.md).
38
+
39
+ ## Evidence, Recovery, And Dependencies
40
+
41
+ Emit repository identity, adapter state, scan scope, ignored paths, files scanned, finding path/type/count, skipped items, not-verified areas, warnings, and changed-state declaration through the shared evidence-pack contract.
42
+
43
+ Recover from missing adapters, unreadable files, ambiguous patterns, or secret-bearing paths by narrowing scope and reporting uncertainty. Never recover by reading `.env`, printing values, validating credentials, rotating tokens, contacting APIs, installing dependencies, running builds/tests, broadening adapter scope, or mutating files.
44
+
45
+ This skill depends on the evidence-pack contract and may consume validated project adapters. Adapters may add safe paths, ignored paths, documentation precedence, and evidence requirements, but cannot weaken policy or turn this skill into credential handling.
46
+
47
+ ## Approval Boundary
48
+
49
+ Explicit approval may permit one named non-secret static file read outside normal source paths. Approval does not permit `.env` or secret-file reads, value printing, credential validation, token rotation, API calls, builds, tests, package installation, runtime checks, deployments, migrations, Git mutation, or project writes.
50
+
51
+ ## Completion
52
+
53
+ Claim `complete` only when the declared static scan scope was inspected, all findings are path/type/count only, skipped and not-verified areas are recorded with consequences, adapter limitations are explicit, and no project, Git, dependency, runtime, service, or remote state changed.
54
+
55
+ Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested evidence requires secret files or credential stores, the project root cannot be established, or safety exclusions prevent a requested conclusion. Never claim credential validity, revocation, or full absence of secrets from static findings alone.
56
+
57
+ These conditions are both the acceptance criteria and definition of done.
@@ -0,0 +1,12 @@
1
+ Adapters may enable `secret-audit` by declaring the skill ID with unchanged `audit-only`
2
+ mode and compatible version `0.2.3` or `0.2.x`.
3
+
4
+ Useful extension fields:
5
+
6
+ - `safeReadPaths`: source, docs, sample, and config paths safe for static pattern scanning.
7
+ - `ignoredPaths`: generated, dependency, runtime-output, and secret-bearing paths to skip.
8
+ - `documentationPrecedence`: docs that explain known synthetic fixtures or report policy.
9
+ - `requiredEvidence`: evidence the report must include before completion.
10
+
11
+ Adapters must not add `.env`, credentials, secret stores, credential API calls, rotation,
12
+ builds, tests, deployments, migrations, or project writes.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "Secret Audit"
3
+ short_description: "Find secret exposure risks without printing values"
4
+ default_prompt: "Audit high-confidence secret exposure risks in this repository without changing project state. Do not read .env files, print matched values, or rotate credentials."
@@ -0,0 +1,7 @@
1
+ - Confirm project root, branch state, and adapter state.
2
+ - Validate adapter before consuming any adapter-declared paths.
3
+ - Refuse `.env`, `.env.*` except `.env.example`, secret-bearing paths, and generated outputs.
4
+ - Scan only bounded static text files.
5
+ - Record file path, finding type, and count only.
6
+ - Record skipped files and secret stores/history that were not verified.
7
+ - Confirm no files, dependencies, runtime state, services, remotes, or databases changed.
@@ -0,0 +1,15 @@
1
+ ## Secret Audit Evidence
2
+
3
+ - Repository root:
4
+ - Branch state:
5
+ - Adapter state:
6
+ - Scan scope:
7
+ - Ignored paths:
8
+ - Static files scanned:
9
+ - Finding paths:
10
+ - Finding types:
11
+ - Finding counts:
12
+ - Skipped items:
13
+ - Not verified:
14
+ - Safety refusals:
15
+ - Changed state: none
@@ -0,0 +1,27 @@
1
+ ## Safe
2
+
3
+ ```bash
4
+ coding-agent-skills secret-audit /workspace/app
5
+ ```
6
+
7
+ Reports possible secret exposure by path, type, and count only.
8
+
9
+ ```bash
10
+ node scripts/render-secret-audit.mjs tests/fixtures/secret-audit/static-project
11
+ ```
12
+
13
+ Runs the synthetic fixture scanner without reading `.env` files or printing matches.
14
+
15
+ ## Unsafe
16
+
17
+ ```bash
18
+ cat .env
19
+ ```
20
+
21
+ Secret-file reads are forbidden.
22
+
23
+ ```bash
24
+ gh secret list
25
+ ```
26
+
27
+ Credential-store and API inspection are outside this skill.
@@ -0,0 +1,5 @@
1
+ - **Adapter not enabled:** report `partial` and do not broaden target-project scanning.
2
+ - **Secret-bearing path requested:** skip the file and record the safety exclusion.
3
+ - **Synthetic test token needed:** generate it in a temporary test directory, never package it.
4
+ - **Credential validation requested:** refuse and explain that only static path/count evidence is in scope.
5
+ - **No findings:** report that no high-confidence matches were found in scanned files, not that the repo is secret-free.
@@ -0,0 +1,53 @@
1
+ {
2
+ "adapterId": "api-contract-audit-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "api-contract-audit-fixture",
6
+ "detection": {
7
+ "rootMarkers": [{"kind": "file", "path": "package.json"}],
8
+ "maximumDepth": 1,
9
+ "scope": "declared-project-root",
10
+ "requireApprovalOutsideScope": true
11
+ }
12
+ },
13
+ "supportedSkills": [
14
+ {
15
+ "id": "api-contract-audit",
16
+ "compatibleVersions": ["0.2.3", "0.2.x"],
17
+ "declaredMode": "audit-only"
18
+ }
19
+ ],
20
+ "extensions": {
21
+ "safeReadPaths": ["src"],
22
+ "ignoredPaths": ["dist", "build"],
23
+ "documentationPrecedence": ["README.md"],
24
+ "commandAliases": [],
25
+ "safeStatusCommands": [],
26
+ "requiredEvidence": ["project root", "adapter scope", "contract surfaces", "not-verified runtime areas"],
27
+ "expectedRuntimeManagers": [],
28
+ "expectedPackageManagers": ["npm"]
29
+ },
30
+ "approvalRequirements": [],
31
+ "inheritance": {
32
+ "sharedRestrictions": "required",
33
+ "deniedOperationCategories": [
34
+ "file-write",
35
+ "package-install",
36
+ "deployment",
37
+ "git-mutation",
38
+ "unrestricted-scan",
39
+ "secret-read",
40
+ "process-mutation",
41
+ "service-mutation",
42
+ "migration-apply",
43
+ "privileged-api"
44
+ ],
45
+ "allowRestrictionRemoval": false,
46
+ "allowModeOverride": false,
47
+ "allowFailureSuppression": false,
48
+ "allowCompletionOverride": false,
49
+ "allowSecretExposure": false,
50
+ "allowRequiredEvidenceRemoval": false,
51
+ "allowScopeExpansionWithoutApproval": false
52
+ }
53
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "api-contract-audit-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.2 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["api-contract-audit"],
12
+ "adapters": [
13
+ {
14
+ "id": "api-contract-audit-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["api-contract-audit"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": ".coding-agent/evidence",
21
+ "approvalPolicyReference": ".coding-agent/approval-policy.md",
22
+ "noSecrets": true
23
+ }
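Review bot: The `versionPin` here is `>=0.2.2 <0.3.0` while the sibling `secret-audit` fixture's skills.json pins `>=0.2.3 <0.3.0`, and this fixture's own `expectedVersion` and the adapter's `compatibleVersions` are `0.2.3`; unless the looser lower bound is deliberate test input, `"versionPin": ">=0.2.3 <0.3.0"` keeps the two fixtures aligned. Whether the validator checks the pin against `expectedVersion` is not visible here, so this is a consistency point only.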
@@ -0,0 +1,3 @@
1
+ # API Contract Audit Adapter Fixture
2
+
3
+ Synthetic adapter-scoped fixture.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "api-contract-audit-adapter-fixture",
3
+ "type": "module"
4
+ }
@@ -0,0 +1 @@
1
+ router.get("/api/adapter-items", () => {});
@@ -0,0 +1,3 @@
1
+ # API Contract Audit Static Fixture
2
+
3
+ Synthetic fixture for static API contract discovery.
@@ -0,0 +1,7 @@
1
+ export async function GET() {
2
+ return Response.json([]);
3
+ }
4
+
5
+ export async function POST() {
6
+ return Response.json({ok: true});
7
+ }
@@ -0,0 +1,10 @@
1
+ openapi: 3.1.0
2
+ info:
3
+ title: Fixture API
4
+ version: 1.0.0
5
+ paths:
6
+ /api/users:
7
+ get:
8
+ summary: List users
9
+ post:
10
+ summary: Create user
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "api-contract-audit-static-fixture",
3
+ "type": "module"
4
+ }
@@ -0,0 +1,4 @@
1
+ export interface UserDto {
2
+ id: string;
3
+ email: string;
4
+ }
@@ -0,0 +1,3 @@
1
+ export async function loadUsers() {
2
+ return fetch("/api/users");
3
+ }
@@ -0,0 +1,53 @@
1
+ {
2
+ "adapterId": "secret-audit-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "secret-audit-fixture",
6
+ "detection": {
7
+ "rootMarkers": [{"kind": "file", "path": "package.json"}],
8
+ "maximumDepth": 1,
9
+ "scope": "declared-project-root",
10
+ "requireApprovalOutsideScope": true
11
+ }
12
+ },
13
+ "supportedSkills": [
14
+ {
15
+ "id": "secret-audit",
16
+ "compatibleVersions": ["0.2.3", "0.2.x"],
17
+ "declaredMode": "audit-only"
18
+ }
19
+ ],
20
+ "extensions": {
21
+ "safeReadPaths": ["src"],
22
+ "ignoredPaths": ["dist", "build"],
23
+ "documentationPrecedence": ["README.md"],
24
+ "commandAliases": [],
25
+ "safeStatusCommands": [],
26
+ "requiredEvidence": ["project root", "adapter scope", "finding paths", "redaction statement"],
27
+ "expectedRuntimeManagers": [],
28
+ "expectedPackageManagers": ["npm"]
29
+ },
30
+ "approvalRequirements": [],
31
+ "inheritance": {
32
+ "sharedRestrictions": "required",
33
+ "deniedOperationCategories": [
34
+ "file-write",
35
+ "package-install",
36
+ "deployment",
37
+ "git-mutation",
38
+ "unrestricted-scan",
39
+ "secret-read",
40
+ "process-mutation",
41
+ "service-mutation",
42
+ "migration-apply",
43
+ "privileged-api"
44
+ ],
45
+ "allowRestrictionRemoval": false,
46
+ "allowModeOverride": false,
47
+ "allowFailureSuppression": false,
48
+ "allowCompletionOverride": false,
49
+ "allowSecretExposure": false,
50
+ "allowRequiredEvidenceRemoval": false,
51
+ "allowScopeExpansionWithoutApproval": false
52
+ }
53
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "secret-audit-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["secret-audit"],
12
+ "adapters": [
13
+ {
14
+ "id": "secret-audit-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["secret-audit"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": "validation-output/project-adapters.json",
21
+ "approvalPolicyReference": "docs/coding-agent-approval-policy.md",
22
+ "noSecrets": true
23
+ }
@@ -0,0 +1,3 @@
1
+ # Secret Audit Adapter Fixture
2
+
3
+ This fixture narrows secret scanning to `src`.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-secret-audit-adapter",
3
+ "type": "module"
4
+ }
@@ -0,0 +1 @@
1
+ export const placeholder = "safe-placeholder-only";
@@ -0,0 +1,3 @@
1
+ # Secret Audit Static Fixture
2
+
3
+ This fixture intentionally contains no packaged secret-like values.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-secret-audit-static",
3
+ "type": "module"
4
+ }
@@ -0,0 +1 @@
1
+ export const placeholder = "replace-with-token-at-runtime";
@@ -43,6 +43,30 @@
43
43
  "expectedSkill": "env-audit",
44
44
  "notSkills": ["build-verify", "deployment-preflight"]
45
45
  },
46
+ {
47
+ "id": "secret-audit-exposure",
48
+ "prompt": "Run a secret audit for hardcoded tokens and private keys without printing matched values.",
49
+ "expectedSkill": "secret-audit",
50
+ "notSkills": ["env-audit", "runtime-truth"]
51
+ },
52
+ {
53
+ "id": "secret-audit-tracked-secrets",
54
+ "prompt": "Check for tracked secret exposure in source files without reading .env or credential stores.",
55
+ "expectedSkill": "secret-audit",
56
+ "notSkills": ["repo-map", "build-verify"]
57
+ },
58
+ {
59
+ "id": "api-contract-audit-openapi",
60
+ "prompt": "Audit the OpenAPI file, endpoint declarations, client calls, and API schema files without running the server.",
61
+ "expectedSkill": "api-contract-audit",
62
+ "notSkills": ["route-trace", "runtime-truth"]
63
+ },
64
+ {
65
+ "id": "api-contract-audit-drift",
66
+ "prompt": "Map possible API contract drift between static route handlers and client calls before handoff.",
67
+ "expectedSkill": "api-contract-audit",
68
+ "notSkills": ["build-verify", "llm-drift-control"]
69
+ },
46
70
  {
47
71
  "id": "build-after-implementation",
48
72
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -95,7 +119,7 @@
95
119
  "id": "negative-deploy",
96
120
  "prompt": "Deploy this application to production.",
97
121
  "expectedSkill": null,
98
- "notSkills": ["repo-map", "route-trace", "env-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
122
+ "notSkills": ["repo-map", "route-trace", "env-audit", "secret-audit", "api-contract-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
99
123
  },
100
124
  {
101
125
  "id": "negative-install",
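Review bot: Only the `negative-deploy` case picks up the two new skill ids in its `notSkills` list, while the negative cases that follow (`negative-install` begins on the section's last visible line) keep whatever list they had before; if those cases also enumerate every skill explicitly, `secret-audit` and `api-contract-audit` are now missing from them and a misrouting of a deploy- or install-style prompt to the new skills would pass unnoticed. Adding `"secret-audit", "api-contract-audit"` to each such list keeps the negative coverage uniform. The four positive cases added at lines 46–69 read consistently with the skill descriptions in the new SKILL.md files.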
@@ -6,6 +6,10 @@
6
6
  - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
7
7
  - Value-free environment variable mapping must trigger `env-audit`, not runtime truth or
8
8
  secret-value inspection.
9
+ - Redacted high-confidence secret exposure detection must trigger `secret-audit`, not
10
+ environment variable mapping or runtime truth.
11
+ - Static API contract mapping must trigger `api-contract-audit`, not runtime truth or
12
+ build verification.
9
13
  - Local validation must trigger `build-verify` only when project-native checks are requested.
10
14
  - Git readiness must trigger `git-preflight`, not publication.
11
15
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.