coding-agent-skills 0.2.11 → 0.2.13

  1. package/CHANGELOG.md +41 -0
  2. package/README.md +8 -0
  3. package/ROADMAP.md +8 -4
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +39 -0
  6. package/docs/adapters/project-installation.md +25 -0
  7. package/docs/adapters/real-project-adoption.md +2 -2
  8. package/docs/architecture/README.md +2 -0
  9. package/docs/release/README.md +4 -3
  10. package/docs/release/npm-package.md +11 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +24 -5
  14. package/examples/command-policies/api-contract-audit.json +70 -0
  15. package/examples/command-policies/migration-review.json +70 -0
  16. package/examples/evidence-packs/api-contract-audit.json +60 -0
  17. package/examples/evidence-packs/migration-review.json +60 -0
  18. package/examples/manifests/api-contract-audit.json +14 -0
  19. package/examples/manifests/migration-review.json +14 -0
  20. package/examples/workflows/api-contract-audit.md +8 -0
  21. package/examples/workflows/migration-review.md +7 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +32 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/api-contract-audit.mjs +651 -0
  27. package/scripts/lib/migration-review.mjs +641 -0
  28. package/scripts/lib/pack-rules.mjs +20 -2
  29. package/scripts/render-api-contract-audit.mjs +8 -0
  30. package/scripts/render-migration-review.mjs +8 -0
  31. package/scripts/test-pack.mjs +120 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/api-contract-audit/SKILL.md +85 -0
  34. package/skills/api-contract-audit/adapter-interface.md +16 -0
  35. package/skills/api-contract-audit/agents/openai.yaml +4 -0
  36. package/skills/api-contract-audit/checklist.md +7 -0
  37. package/skills/api-contract-audit/evidence-template.md +13 -0
  38. package/skills/api-contract-audit/examples.md +20 -0
  39. package/skills/api-contract-audit/failure-modes.md +5 -0
  40. package/skills/migration-review/SKILL.md +87 -0
  41. package/skills/migration-review/adapter-interface.md +16 -0
  42. package/skills/migration-review/agents/openai.yaml +3 -0
  43. package/skills/migration-review/checklist.md +8 -0
  44. package/skills/migration-review/evidence-template.md +12 -0
  45. package/skills/migration-review/examples.md +20 -0
  46. package/skills/migration-review/failure-modes.md +5 -0
  47. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/adapters/api-contract-audit-fixture/adapter.json +53 -0
  48. package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/api-contract-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/api-contract-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/api-contract-audit/adapter-project/src/routes.ts +1 -0
  52. package/tests/fixtures/api-contract-audit/static-project/README.md +3 -0
  53. package/tests/fixtures/api-contract-audit/static-project/app/api/users/route.ts +7 -0
  54. package/tests/fixtures/api-contract-audit/static-project/docs/openapi.yaml +10 -0
  55. package/tests/fixtures/api-contract-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/api-contract-audit/static-project/schemas/user.schema.ts +4 -0
  57. package/tests/fixtures/api-contract-audit/static-project/src/client.ts +3 -0
  58. package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
  59. package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
  61. package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
  62. package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
  63. package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
  64. package/tests/fixtures/migration-review/static-project/README.md +3 -0
  65. package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
  66. package/tests/fixtures/migration-review/static-project/package.json +7 -0
  67. package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
  68. package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
  69. package/tests/fixtures/triggers/cases.json +25 -1
  70. package/tests/trigger/README.md +4 -0
  71. package/work-ledger.md +31 -7
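--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,47 @@
 
 All notable changes follow [Semantic Versioning](docs/versioning/README.md).
 
+## [0.2.13] - 2026-07-03
+
+### Added
+
+- `migration-review` audit-only skill for static database migration and schema evidence
+review.
+- `coding-agent-skills migration-review <project-root>` CLI command.
+- Dependency-free migration review renderer for migration files, schema/config files,
+package script keys without command values, static risk indicators, skipped paths,
+not-verified database behavior, adapter-limited scope, and safety refusals.
+- Synthetic migration-review fixtures and release tests for generic static scans,
+adapter-scoped scans, destructive-looking SQL indicators, package script key detection,
+and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `migration-review` as an audit-only skill
+while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new static read-only migration review command.
+
+## [0.2.12] - 2026-07-03
+
+### Added
+
+- `api-contract-audit` audit-only skill for static API contract surface mapping.
+- `coding-agent-skills api-contract-audit <project-root>` CLI command.
+- Dependency-free API contract audit renderer for contract files, endpoint declarations,
+client-call patterns, schema/type files, skipped paths, not-verified runtime behavior,
+adapter-limited scope, and safety refusals.
+- Synthetic API contract fixtures and release tests for generic static scans,
+adapter-scoped scans, OpenAPI files, route handlers, client calls, schema/type files,
+and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `api-contract-audit` as an audit-only skill
+while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new static read-only API contract audit command.
+
 ## [0.2.11] - 2026-07-03
 
 ### Added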
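--- a/package/README.md
+++ b/package/README.md
@@ -9,6 +9,8 @@ The pilot pack contains:
 - `route-trace`: audit-only static route surface tracing.
 - `env-audit`: audit-only environment variable name mapping without values.
 - `secret-audit`: audit-only high-confidence secret exposure detection without values.
+- `api-contract-audit`: audit-only static API contract surface mapping.
+- `migration-review`: audit-only static migration and schema evidence review.
 - `build-verify`: controlled local validation using existing project commands.
 - `git-preflight`: audit-only Git readiness inspection.
 - `runtime-truth`: audit-only runtime evidence collection.
@@ -44,6 +46,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Trace static route surfaces with `coding-agent-skills route-trace <project-root>`.
 - Map environment variable names with `coding-agent-skills env-audit <project-root>`.
 - Find redacted secret exposure risks with `coding-agent-skills secret-audit <project-root>`.
+- Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
+- Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
 - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
 - Review [external adapter discovery](docs/adapters/discovery.md).
 - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -55,6 +59,10 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 `node scripts/render-route-trace.mjs <project-root>`.
 - Render a redacted secret-audit report with
 `node scripts/render-secret-audit.mjs <project-root>`.
+- Render a static API contract audit report with
+`node scripts/render-api-contract-audit.mjs <project-root>`.
+- Render a static migration review report with
+`node scripts/render-migration-review.mjs <project-root>`.
 - Review [adapter upgrade checks](docs/adapters/upgrades.md).
 - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
 for disposable project revisions.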
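--- a/package/ROADMAP.md
+++ b/package/ROADMAP.md
@@ -1,6 +1,6 @@
 # Roadmap
 
-The public package now contains eight approved shared skills. Builder-mode approval is
+The public package now contains ten approved shared skills. Builder-mode approval is
 active for the remaining read-only skill wave in this repository; real-world project
 execution constraints remain unchanged.
 
@@ -34,6 +34,10 @@ execution constraints remain unchanged.
 variable name mapping.
 - `v0.2.11`: audit-only `secret-audit` skill and CLI renderer for redacted secret
 exposure detection.
+- `v0.2.12`: audit-only `api-contract-audit` skill and CLI renderer for static API
+contract surface mapping.
+- `v0.2.13`: audit-only `migration-review` skill and CLI renderer for static migration
+and schema evidence review.
 
 The next milestone is recorded in [work-ledger.md](work-ledger.md). The
 [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
@@ -77,9 +81,9 @@ Next safe milestone options:
 | `route-trace-skill` | General | Audit-only | Implemented in `v0.2.9` |
 | `env-audit-skill` | General | Audit-only | Implemented in `v0.2.10` |
 | `secret-audit-skill` | General | Audit-only | Implemented in `v0.2.11` |
-| `api-contract-audit-skill` | General | Audit-only | Builder-mode approved; next in wave |
-| `migration-review-skill` | General with platform adapters | Audit-only | Builder-mode approved; later in wave |
-| `github-handoff-skill` | General | Audit-only | Builder-mode approved; later in wave |
+| `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
+| `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
+| `github-handoff-skill` | General | Audit-only | Builder-mode approved; next in wave |
 | `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
 | `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
 | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |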
@@ -41,6 +41,18 @@ const commands = {
41
41
  usage: "coding-agent-skills secret-audit <project-root>",
42
42
  requiredArgs: 1,
43
43
  },
44
+ "api-contract-audit": {
45
+ script: "scripts/render-api-contract-audit.mjs",
46
+ args: ([projectRoot]) => [projectRoot],
47
+ usage: "coding-agent-skills api-contract-audit <project-root>",
48
+ requiredArgs: 1,
49
+ },
50
+ "migration-review": {
51
+ script: "scripts/render-migration-review.mjs",
52
+ args: ([projectRoot]) => [projectRoot],
53
+ usage: "coding-agent-skills migration-review <project-root>",
54
+ requiredArgs: 1,
55
+ },
44
56
  "validate-adapters": {
45
57
  script: "scripts/validate-adapters.mjs",
46
58
  args: ([adapterRoot]) => [adapterRoot],
@@ -60,6 +72,8 @@ function usage(exitCode = 0) {
60
72
  " route-trace <project-root>",
61
73
  " env-audit <project-root>",
62
74
  " secret-audit <project-root>",
75
+ " api-contract-audit <project-root>",
76
+ " migration-review <project-root>",
63
77
  " validate-adapters <adapter-root>",
64
78
  "",
65
79
  "local wrapper for the published coding-agent-skills package",
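Review bot: The usage lines added in the second hunk repeat the subcommand names that the `commands` table already carries in each entry's `usage` string, so every new subcommand (as this change shows for `api-contract-audit` and `migration-review`) must be registered in two places and the two lists can drift silently. Deriving the list from the table removes the duplication: replace the hard-coded name lines with `...Object.values(commands).map((c) => " " + c.usage.replace(/^coding-agent-skills /, "")),` inside the usage array. Both the `commands` object and `usage()` begin outside these hunks, so the exact array shape should be checked there before applying this. The new entries' `args` callback passes `<project-root>` through unchanged; I assume path bounding and existence checks live in the render scripts rather than in this wrapper — worth confirming, since the CLI is the documented entry point for the read-only guarantees.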
@@ -87,6 +87,41 @@ reports finding paths, types, and counts. It never prints matched values, valida
87
87
  credentials, rotates secrets, contacts APIs, deploys, migrates, builds, tests, or mutates
88
88
  project files.
89
89
 
90
+ ## Adapter-Aware API Contract Audit Consumption
91
+
92
+ The shared pack can consume a validated project-owned adapter as bounded context for
93
+ `api-contract-audit`:
94
+
95
+ ```bash
96
+ node scripts/render-api-contract-audit.mjs <project-root>
97
+ ```
98
+
99
+ The renderer validates the project declaration when present. If an adapter is present but
100
+ does not enable `api-contract-audit`, it reports an adapter-limited skip instead of
101
+ broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
102
+ secret-bearing files, generated output, dependency paths, and oversized files, then
103
+ reports contract files, endpoint declarations, client-call patterns, schema/type files,
104
+ skipped paths, and not-verified runtime behavior. It never runs servers, calls APIs,
105
+ generates schemas or clients, builds, tests, deploys, migrates, or mutates project files.
106
+
107
+ ## Adapter-Aware Migration Review Consumption
108
+
109
+ The shared pack can consume a validated project-owned adapter as bounded context for
110
+ `migration-review`:
111
+
112
+ ```bash
113
+ node scripts/render-migration-review.mjs <project-root>
114
+ ```
115
+
116
+ The renderer validates the project declaration when present. If an adapter is present but
117
+ does not enable `migration-review`, it reports an adapter-limited skip instead of
118
+ broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
119
+ secret-bearing files, generated output, dependency paths, and oversized files, then
120
+ reports migration files, schema/config files, package script keys, static risk indicators,
121
+ skipped paths, and not-verified database behavior. It never connects to databases,
122
+ executes migrations, generates ORM clients, builds, tests, deploys, or mutates project
123
+ files.
124
+
90
125
  ## What Adapters May Do
91
126
 
92
127
  - Add bounded relative read paths and ignored paths.
@@ -96,6 +131,10 @@ project files.
96
131
  - Add env-audit safe read paths for static source, docs, sample, and config files.
97
132
  - Add secret-audit safe read paths for static source, docs, sample, and config files
98
133
  while relying on the shared scanner to exclude secret-bearing paths.
134
+ - Add api-contract-audit safe read paths for static API docs, contract files, route
135
+ handlers, client calls, and schema/type files.
136
+ - Add migration-review safe read paths for static migration, schema, config, and package
137
+ files while relying on the shared reviewer to exclude secret-bearing paths.
99
138
  - Add command aliases that already satisfy the shared command policy.
100
139
  - Add status-only runtime commands and manager hints.
101
140
  - Require additional evidence or named approval for exceptional reads.
@@ -145,6 +145,31 @@ enabled, it reads only adapter-declared safe paths, refuses `.env` and secret-be
145
145
  files, and reports high-confidence finding paths, types, and counts without matched
146
146
  values or credential validation.
147
147
 
148
+ A project-owned adapter can also enable read-only `api-contract-audit` context:
149
+
150
+ ```bash
151
+ node scripts/render-api-contract-audit.mjs <project-root>
152
+ ```
153
+
154
+ The API contract audit renderer validates the project declaration when present. If the
155
+ adapter is present but does not enable `api-contract-audit`, it reports an adapter-limited
156
+ skip. When enabled, it reads only adapter-declared safe paths and reports static contract
157
+ files, endpoint declarations, client-call patterns, schema/type files, and not-verified
158
+ runtime behavior without running servers, calling APIs, or generating code.
159
+
160
+ A project-owned adapter can also enable read-only `migration-review` context:
161
+
162
+ ```bash
163
+ node scripts/render-migration-review.mjs <project-root>
164
+ ```
165
+
166
+ The migration review renderer validates the project declaration when present. If the
167
+ adapter is present but does not enable `migration-review`, it reports an adapter-limited
168
+ skip. When enabled, it reads only adapter-declared safe paths and reports static migration
169
+ files, schema/config files, package script keys, static risk indicators, and not-verified
170
+ database behavior without connecting to databases, applying migrations, generating ORM
171
+ clients, or running package scripts.
172
+
148
173
  ## Safety Boundary
149
174
 
150
175
  Project adapters are extension-only. They cannot remove denied operations, change an
@@ -21,8 +21,8 @@ project repository is touched:
21
21
  - The project can declare exactly one installation file: `.coding-agent/skills.json` or
22
22
  `coding-agent.skills.json`.
23
23
  - The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
24
- `env-audit`, `secret-audit`, `build-verify`, `git-preflight`, `runtime-truth`, or
25
- `llm-drift-control`.
24
+ `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `build-verify`, `git-preflight`,
25
+ `runtime-truth`, or `llm-drift-control`.
26
26
  - The adapter can narrow context with relative paths, documentation precedence, safe
27
27
  aliases, status-only hints, or extra evidence requirements.
28
28
  - The adapter does not require deployment, migration, package installation, Git
@@ -15,6 +15,8 @@ Audit-only:
15
15
  - `route-trace`
16
16
  - `env-audit`
17
17
  - `secret-audit`
18
+ - `api-contract-audit`
19
+ - `migration-review`
18
20
  - `git-preflight`
19
21
  - `runtime-truth`
20
22
  - `llm-drift-control`
@@ -20,9 +20,10 @@
20
20
  folders, generated output, and unrelated repositories.
21
21
  14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
22
22
  15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
23
- `coding-agent-skills env-audit`, or `coding-agent-skills secret-audit` against
24
- synthetic fixtures only unless a real project
25
- read-only smoke is explicitly approved.
23
+ `coding-agent-skills env-audit`, `coding-agent-skills secret-audit`, or
24
+ `coding-agent-skills api-contract-audit`, or `coding-agent-skills migration-review`
25
+ against synthetic fixtures only unless a real project read-only smoke is explicitly
26
+ approved.
26
27
  16. Review changelog, ledger, run evidence, and versioning impact.
27
28
  17. Commit with approved identity.
28
29
  18. Push `main` using credential-free remotes.
@@ -7,7 +7,7 @@ safety model.
7
7
  ## Current Package Shape
8
8
 
9
9
  - Package name: `coding-agent-skills`.
10
- - Package version: `0.2.11`.
10
+ - Package version: `0.2.13`.
11
11
  - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
12
12
  - Module type: `module`.
13
13
  - Dependencies: none.
@@ -30,6 +30,8 @@ coding-agent-skills repo-map /path/to/project
30
30
  coding-agent-skills route-trace /path/to/project
31
31
  coding-agent-skills env-audit /path/to/project
32
32
  coding-agent-skills secret-audit /path/to/project
33
+ coding-agent-skills api-contract-audit /path/to/project
34
+ coding-agent-skills migration-review /path/to/project
33
35
  coding-agent-skills validate-adapters /path/to/adapter-root
34
36
  ```
35
37
 
@@ -47,6 +49,13 @@ printing values.
47
49
  `secret-audit` is static and audit-only; it reports high-confidence secret-like finding
48
50
  paths, types, and counts without printing matched values, reading `.env` files, or
49
51
  validating credentials.
52
+ `api-contract-audit` is static and audit-only; it reports contract files, endpoint
53
+ declarations, client-call patterns, schema/type files, and not-verified runtime behavior
54
+ without running servers, calling APIs, or generating clients or schemas.
55
+ `migration-review` is static and audit-only; it reports migration files, schema/config
56
+ files, package script keys, static risk indicators, and not-verified database behavior
57
+ without connecting to databases, applying migrations, generating ORM clients, or reading
58
+ secrets.
50
59
 
51
60
  `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
52
61
  source-only checks such as `.gitignore` validation. In an installed package tree, where
@@ -81,7 +90,7 @@ included.
81
90
 
82
91
  The public CLI remains read-only for target projects unless a specific underlying skill
83
92
  already permits a bounded local validation action. The installed `repo-map`,
84
- `route-trace`, `env-audit`, `secret-audit`, and adapter flows do not:
93
+ `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, and adapter flows do not:
85
94
 
86
95
  - deploy
87
96
  - run migrations
@@ -2,7 +2,7 @@
2
2
 
3
3
  ## Audit-Only Rule
4
4
 
5
- `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
5
+ `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
6
6
 
7
7
  `route-trace` is static only. It may read bounded non-secret route files and route
8
8
  configuration, but it must not execute app code, run servers, hit URLs, claim runtime
@@ -17,6 +17,16 @@ files and report high-confidence secret-like finding paths, types, and counts, b
17
17
  not print matched values, read `.env` or secret-bearing files, inspect credential stores,
18
18
  validate or rotate credentials, contact APIs, or broaden adapter scope.
19
19
 
20
+ `api-contract-audit` is static only. It may read bounded non-secret API docs, contract
21
+ files, route handlers, client calls, and schema/type files, but it must not run servers,
22
+ call APIs, probe URLs, generate schemas or clients, build, test, deploy, migrate, inspect
23
+ databases, or broaden adapter scope.
24
+
25
+ `migration-review` is static only. It may read bounded non-secret migration, schema,
26
+ config, and package files, but it must not connect to databases, apply migrations,
27
+ generate ORM clients, run package scripts, build, test, deploy, inspect runtime state, or
28
+ broaden adapter scope.
29
+
20
30
  `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
21
31
 
22
32
  ## Restricted Categories
@@ -52,6 +52,21 @@ behavior. Secret-audit tests construct synthetic secret-like values only in temp
52
52
  directories and assert that rendered reports include paths, types, and counts without
53
53
  printing matched values.
54
54
 
55
+ ## API Contract Audit
56
+
57
+ Synthetic api-contract-audit projects cover OpenAPI file detection, static route handler
58
+ declarations, client-call patterns, schema/type files, adapter-declared scope, and
59
+ adapter-present-but-not-enabled behavior. Tests must never run servers, call endpoints,
60
+ generate schemas or clients, build, test, deploy, migrate, or read `.env` files.
61
+
62
+ ## Migration Review
63
+
64
+ Synthetic migration-review projects cover migration file detection, schema/config file
65
+ detection, package script keys without command values, static risk indicators,
66
+ adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
67
+ connect to databases, apply migrations, generate ORM clients, run package scripts, build,
68
+ test, deploy, or read `.env` files.
69
+
55
70
  ## Privacy And Redaction
56
71
 
57
72
  Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
@@ -8,6 +8,8 @@ Select the least-privileged skill that matches the request:
8
8
  | Trace statically visible route surfaces | `route-trace` |
9
9
  | Map environment variable names without values | `env-audit` |
10
10
  | Find high-confidence secret exposure risks without values | `secret-audit` |
11
+ | Map static API contract surfaces | `api-contract-audit` |
12
+ | Review static migration and schema evidence | `migration-review` |
11
13
  | Run existing local validation checks | `build-verify` |
12
14
  | Assess Git handoff readiness | `git-preflight` |
13
15
  | Determine what is actually running | `runtime-truth` |
@@ -21,11 +23,15 @@ Select the least-privileged skill that matches the request:
21
23
  mapped without reading values.
22
24
  4. Use `secret-audit` when high-confidence tracked secret exposure risk must be reported
23
25
  by path, type, and count without printing matched values.
24
- 5. Perform implementation outside this pilot pack.
25
- 6. Use `build-verify` for approved project-native checks.
26
- 7. Use `git-preflight` before handoff or publication.
27
- 8. Use `runtime-truth` only when live local state matters.
28
- 9. Use `llm-drift-control` when claims and evidence may disagree.
26
+ 5. Use `api-contract-audit` when OpenAPI/Swagger files, endpoint declarations, client
27
+ calls, and schema/type files must be mapped without runtime behavior.
28
+ 6. Use `migration-review` when database migration, schema, config, package-script-key,
29
+ and static risk-indicator evidence must be mapped without database access.
30
+ 7. Perform implementation outside this pilot pack.
31
+ 8. Use `build-verify` for approved project-native checks.
32
+ 9. Use `git-preflight` before handoff or publication.
33
+ 10. Use `runtime-truth` only when live local state matters.
34
+ 11. Use `llm-drift-control` when claims and evidence may disagree.
29
35
 
30
36
  Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
31
37
 
@@ -59,6 +65,8 @@ coding-agent-skills repo-map /path/to/project
59
65
  coding-agent-skills route-trace /path/to/project
60
66
  coding-agent-skills env-audit /path/to/project
61
67
  coding-agent-skills secret-audit /path/to/project
68
+ coding-agent-skills api-contract-audit /path/to/project
69
+ coding-agent-skills migration-review /path/to/project
62
70
  coding-agent-skills validate-adapters /path/to/adapter-root
63
71
  ```
64
72
 
@@ -81,6 +89,13 @@ stores without printing values.
81
89
  `secret-audit` validates a project adapter when present, uses adapter-declared safe paths
82
90
  when enabled, and statically reports high-confidence secret-like finding paths, types, and
83
91
  counts without printing matched values or validating credentials.
92
+ `api-contract-audit` validates a project adapter when present, uses adapter-declared safe
93
+ paths when enabled, and statically reports contract files, endpoint declarations,
94
+ client-call patterns, schema/type files, skipped paths, and not-verified runtime behavior.
95
+ `migration-review` validates a project adapter when present, uses adapter-declared safe
96
+ paths when enabled, and statically reports migration files, schema/config files, package
97
+ script keys, risk indicators, skipped paths, and not-verified database behavior without
98
+ database access or migration execution.
84
99
 
85
100
  The installed CLI does not run target project builds or tests, perform runtime checks,
86
101
  deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
@@ -97,6 +112,8 @@ bin/coding-agent-skills repo-map /path/to/project
97
112
  bin/coding-agent-skills route-trace /path/to/project
98
113
  bin/coding-agent-skills env-audit /path/to/project
99
114
  bin/coding-agent-skills secret-audit /path/to/project
115
+ bin/coding-agent-skills api-contract-audit /path/to/project
116
+ bin/coding-agent-skills migration-review /path/to/project
100
117
  bin/coding-agent-skills validate-adapters /path/to/adapter-root
101
118
  ```
102
119
 
@@ -110,6 +127,8 @@ coding-agent-skills repo-map /path/to/project
110
127
  coding-agent-skills route-trace /path/to/project
111
128
  coding-agent-skills env-audit /path/to/project
112
129
  coding-agent-skills secret-audit /path/to/project
130
+ coding-agent-skills api-contract-audit /path/to/project
131
+ coding-agent-skills migration-review /path/to/project
113
132
  coding-agent-skills validate-adapters /path/to/adapter-root
114
133
  ```
115
134
 
@@ -0,0 +1,70 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-api-contract-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static contract, route, client, and schema inspection"],
23
+ "deniedPatterns": ["runtime calls, API calls, generation, secret files, credential stores, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
29
+ ]
30
+ },
31
+ {
32
+ "name": "git-identity-inspection",
33
+ "executables": ["git"],
34
+ "argumentPolicy": {
35
+ "strategy": "exact",
36
+ "allowedPatterns": ["rev-parse and status --short --branch"],
37
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
38
+ },
39
+ "constraints": ["Allow only read-only repository identity and branch-state inspection."]
40
+ },
41
+ {
42
+ "name": "api-contract-audit-renderer",
43
+ "executables": ["node", "coding-agent-skills"],
44
+ "argumentPolicy": {
45
+ "strategy": "exact",
46
+ "allowedPatterns": ["node scripts/render-api-contract-audit.mjs <project-root>; coding-agent-skills api-contract-audit <project-root>"],
47
+ "deniedPatterns": ["runtime calls, URL probes, API calls, generation, builds, tests, deployment, migration, package installation, and secret-file reads"]
48
+ },
49
+ "constraints": [
50
+ "The renderer must remain static and read-only.",
51
+ "Do not run servers, call endpoints, or generate clients or schemas."
52
+ ]
53
+ }
54
+ ],
55
+ "restrictedCategories": [
56
+ "file-write",
57
+ "package-install",
58
+ "deployment",
59
+ "git-mutation",
60
+ "unrestricted-scan",
61
+ "secret-read",
62
+ "process-mutation",
63
+ "service-mutation",
64
+ "migration-apply",
65
+ "privileged-api"
66
+ ],
67
+ "approvalExceptions": [
68
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
69
+ ]
70
+ }
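Review bot: The `bounded-api-contract-inspection` family allows `find`, `sed` and `rg`, but its `deniedPatterns` entry is prose that never names the modes in which those tools write files or spawn processes — `find -exec`/`-ok`/`-delete`, `sed -i`/`--in-place`, `rg --pre` — even though `restrictedCategories` lists `file-write` and `process-mutation`. If a checker consumes `allowedPatterns`/`deniedPatterns` mechanically, natural-language entries such as `"bounded repository-local static contract, route, client, and schema inspection"` cannot be matched; if they are guidance for the agent only, the mutating flags should at least be spelled out so the read-only constraint is unambiguous. I would extend the entry to `"deniedPatterns": ["runtime calls, API calls, generation, secret files, credential stores, unbounded traversal, find -exec/-ok/-delete, sed -i/--in-place, and rg --pre"]`. The identical family in `examples/command-policies/migration-review.json` (its `bounded-migration-review-inspection` entry) needs the same treatment; that file is cut off at the end of this page.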
@@ -0,0 +1,70 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-migration-review-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static migration, schema, and config inspection"],
23
+ "deniedPatterns": ["database access, migration execution, ORM generation, secret files, credential stores, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
29
+ ]
30
+ },
31
+ {
32
+ "name": "git-identity-inspection",
33
+ "executables": ["git"],
34
+ "argumentPolicy": {
35
+ "strategy": "exact",
36
+ "allowedPatterns": ["rev-parse and status --short --branch"],
37
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
38
+ },
39
+ "constraints": ["Allow only read-only repository identity and branch-state inspection."]
40
+ },
41
+ {
42
+ "name": "migration-review-renderer",
43
+ "executables": ["node", "coding-agent-skills"],
44
+ "argumentPolicy": {
45
+ "strategy": "exact",
46
+ "allowedPatterns": ["node scripts/render-migration-review.mjs <project-root>; coding-agent-skills migration-review <project-root>"],
47
+ "deniedPatterns": ["database access, migration execution, ORM generation, builds, tests, deployment, package installation, and secret-file reads"]
48
+ },
49
+ "constraints": [
50
+ "The renderer must remain static and read-only.",
51
+ "Do not connect to databases, apply migrations, or generate ORM clients."
52
+ ]
53
+ }
54
+ ],
55
+ "restrictedCategories": [
56
+ "file-write",
57
+ "package-install",
58
+ "deployment",
59
+ "git-mutation",
60
+ "unrestricted-scan",
61
+ "secret-read",
62
+ "process-mutation",
63
+ "service-mutation",
64
+ "migration-apply",
65
+ "privileged-api"
66
+ ],
67
+ "approvalExceptions": [
68
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
69
+ ]
70
+ }
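Review bot: The `bounded-migration-review-inspection` family lists `sed` and `find` as read-only inspection tools, but its `deniedPatterns` entry names only database, migration, ORM, secret-file and traversal cases, so `sed -i`/`sed 'w file'`/`sed e` and `find -delete`/`-exec`/`-ok` — all of which write or execute — are not explicitly excluded even though `restrictedCategories` contains `file-write` and `process-mutation`; `rejectRedirection` and `rejectShellWrappers` do not cover these in-tool write and exec paths. I would extend the entry to `"deniedPatterns": ["database access, migration execution, ORM generation, secret files, credential stores, unbounded traversal, in-place or file-writing sed (-i, w, e), and find -delete/-exec/-ok"]`. Separately, `"strategy": "exact"` in the `git-identity-inspection` and `migration-review-renderer` families is paired with a prose description (`"rev-parse and status --short --branch"`, a `<project-root>` placeholder) rather than literal argument vectors, so if the parser is meant to enforce the policy mechanically it presumably cannot match these "exactly"; either supply literal argv entries or document that `<project-root>` must resolve inside the declared scope, since the placeholder itself admits any path.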
@@ -0,0 +1,60 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "api-contract-audit", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-api-contract-audit",
6
+ "startedAt": "2026-07-03T12:00:00Z",
7
+ "endedAt": "2026-07-03T12:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Map static API contract surfaces before API handoff.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-api-contract-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "medium",
22
+ "reason": "Static contract, route, client, and schema files were inspected, but runtime behavior was not verified."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills api-contract-audit /workspace/example-project",
27
+ "family": "api-contract-audit-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T12:00:20Z",
30
+ "endedAt": "2026-07-03T12:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a static API contract audit report.",
36
+ "outputSummary": "Reported static contract files, endpoint declarations, client calls, schemas, skipped items, and not-verified runtime areas."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Static API contract surfaces were mapped without runtime verification.",
43
+ "evidence": ["docs/openapi.yaml", "app/api/example/route.ts", "src/client.ts"]
44
+ }
45
+ ],
46
+ "risks": [
47
+ {
48
+ "summary": "Runtime API behavior may differ from static contract evidence.",
49
+ "evidence": ["runtime route registration was not executed", "deployed API behavior was not probed"]
50
+ }
51
+ ],
52
+ "failures": [],
53
+ "unresolvedQuestions": [],
54
+ "changedState": {
55
+ "changed": false,
56
+ "summary": "No project, Git, dependency, runtime, generated-code, service, or remote state changed."
57
+ },
58
+ "handoffSummary": "Static API contract evidence is mapped; runtime equivalence remains unverified.",
59
+ "recommendedNextAction": "Review reported contract surfaces before editing API handlers or clients."
60
+ }
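Review bot: The example records `"head": "0123456789abcdef"`, a 16-hex placeholder, while an evidence pack that asserts `"workingTreeState": "clean"` and lists file paths as `evidence` is only reproducible against a full commit identifier; an abbreviated or fabricated hash in the shipped example invites consumers to accept abbreviated hashes in real packs. I would use a full 40-hex value in the example and, if the schema does not already, note in a comment-bearing sibling doc that `head` is the output of `git rev-parse HEAD`, matching the `git-identity-inspection` family in the command policies. The `risks` entry already states runtime behavior was not probed, which is the right caveat to keep alongside the `"confidence": "medium"` reason.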