coding-agent-skills 0.2.11 → 0.2.13
- package/CHANGELOG.md +41 -0
- package/README.md +8 -0
- package/ROADMAP.md +8 -4
- package/bin/coding-agent-skills +14 -0
- package/docs/adapters/README.md +39 -0
- package/docs/adapters/project-installation.md +25 -0
- package/docs/adapters/real-project-adoption.md +2 -2
- package/docs/architecture/README.md +2 -0
- package/docs/release/README.md +4 -3
- package/docs/release/npm-package.md +11 -2
- package/docs/safety/README.md +11 -1
- package/docs/testing/README.md +15 -0
- package/docs/usage/README.md +24 -5
- package/examples/command-policies/api-contract-audit.json +70 -0
- package/examples/command-policies/migration-review.json +70 -0
- package/examples/evidence-packs/api-contract-audit.json +60 -0
- package/examples/evidence-packs/migration-review.json +60 -0
- package/examples/manifests/api-contract-audit.json +14 -0
- package/examples/manifests/migration-review.json +14 -0
- package/examples/workflows/api-contract-audit.md +8 -0
- package/examples/workflows/migration-review.md +7 -0
- package/package.json +3 -1
- package/runs/skill-runs.md +32 -0
- package/schemas/project-adapter-installation.schema.json +4 -0
- package/schemas/project-adapter.schema.json +4 -0
- package/scripts/lib/api-contract-audit.mjs +651 -0
- package/scripts/lib/migration-review.mjs +641 -0
- package/scripts/lib/pack-rules.mjs +20 -2
- package/scripts/render-api-contract-audit.mjs +8 -0
- package/scripts/render-migration-review.mjs +8 -0
- package/scripts/test-pack.mjs +120 -1
- package/scripts/validate-pack.mjs +8 -2
- package/skills/api-contract-audit/SKILL.md +85 -0
- package/skills/api-contract-audit/adapter-interface.md +16 -0
- package/skills/api-contract-audit/agents/openai.yaml +4 -0
- package/skills/api-contract-audit/checklist.md +7 -0
- package/skills/api-contract-audit/evidence-template.md +13 -0
- package/skills/api-contract-audit/examples.md +20 -0
- package/skills/api-contract-audit/failure-modes.md +5 -0
- package/skills/migration-review/SKILL.md +87 -0
- package/skills/migration-review/adapter-interface.md +16 -0
- package/skills/migration-review/agents/openai.yaml +3 -0
- package/skills/migration-review/checklist.md +8 -0
- package/skills/migration-review/evidence-template.md +12 -0
- package/skills/migration-review/examples.md +20 -0
- package/skills/migration-review/failure-modes.md +5 -0
- package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/adapters/api-contract-audit-fixture/adapter.json +53 -0
- package/tests/fixtures/api-contract-audit/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/api-contract-audit/adapter-project/README.md +3 -0
- package/tests/fixtures/api-contract-audit/adapter-project/package.json +4 -0
- package/tests/fixtures/api-contract-audit/adapter-project/src/routes.ts +1 -0
- package/tests/fixtures/api-contract-audit/static-project/README.md +3 -0
- package/tests/fixtures/api-contract-audit/static-project/app/api/users/route.ts +7 -0
- package/tests/fixtures/api-contract-audit/static-project/docs/openapi.yaml +10 -0
- package/tests/fixtures/api-contract-audit/static-project/package.json +4 -0
- package/tests/fixtures/api-contract-audit/static-project/schemas/user.schema.ts +4 -0
- package/tests/fixtures/api-contract-audit/static-project/src/client.ts +3 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
- package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
- package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
- package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
- package/tests/fixtures/migration-review/static-project/README.md +3 -0
- package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
- package/tests/fixtures/migration-review/static-project/package.json +7 -0
- package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
- package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
- package/tests/fixtures/triggers/cases.json +25 -1
- package/tests/trigger/README.md +4 -0
- package/work-ledger.md +31 -7
|
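--- a/package/scripts/render-migration-review.mjs
+++ b/package/scripts/render-migration-review.mjs
@@ -0,0 +1,8 @@
+import { migrationReviewCliResult } from "./lib/migration-review.mjs";
+
+const outcome = migrationReviewCliResult(process.argv[2]);
+for (const line of outcome.lines) {
+if (outcome.stream === "stdout") console.log(line);
+else console.error(line);
+}
+process.exitCode = outcome.exitCode;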
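Review bot: `process.argv[2]` is handed to `migrationReviewCliResult` on line 3 of the new file with no check that a project path was supplied, so the behavior for a missing argument depends entirely on the library, which this hunk does not show. If the library already returns a non-zero `exitCode` and an error line for an undefined path, a one-line comment above the call, `// a missing path argument is reported by the library as a non-zero exitCode`, would save the next reader the lookup; otherwise a usage message and `process.exitCode = 2` before the call would make the failure explicit. A short header comment stating that this script only routes the library's lines to stdout or stderr and forwards its exit code would also help, since the file carries no documentation.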
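--- a/package/scripts/test-pack.mjs
+++ b/package/scripts/test-pack.mjs
@@ -57,6 +57,16 @@ import {
 renderSecretAuditReport,
 secretAuditCliResult,
 } from "./lib/secret-audit.mjs";
+import {
+apiContractAuditCliResult,
+buildApiContractAuditReport,
+renderApiContractAuditReport,
+} from "./lib/api-contract-audit.mjs";
+import {
+buildMigrationReviewReport,
+migrationReviewCliResult,
+renderMigrationReviewReport,
+} from "./lib/migration-review.mjs";
 import {
 adapterUpgradeCliResult,
 checkAdapterUpgrade,
@@ -274,6 +284,8 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 assert.ok(cliText.includes("scripts/render-route-trace.mjs"));
 assert.ok(cliText.includes("scripts/render-env-audit.mjs"));
 assert.ok(cliText.includes("scripts/render-secret-audit.mjs"));
+assert.ok(cliText.includes("scripts/render-api-contract-audit.mjs"));
+assert.ok(cliText.includes("scripts/render-migration-review.mjs"));
 assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
 assert.ok(!cliText.includes(".env"));
 
@@ -307,6 +319,14 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 ["secret-audit", path.join(fixtureRoot, "secret-audit", "static-project")],
 /# Secret Audit Report/,
 ],
+[
+["api-contract-audit", path.join(fixtureRoot, "api-contract-audit", "static-project")],
+/# API Contract Audit Report/,
+],
+[
+["migration-review", path.join(fixtureRoot, "migration-review", "static-project")],
+/# Migration Review Report/,
+],
 ];
 
 for (const [args, expected] of commands) {
@@ -331,7 +351,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 test("npm package metadata is public-ready and dependency-free", () => {
 const packageJson = readJson("package.json");
 assert.equal(packageJson.name, "coding-agent-skills");
-assert.equal(packageJson.version, "0.2.
+assert.equal(packageJson.version, "0.2.13");
 assert.equal(
 packageJson.description,
 "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -346,6 +366,8 @@ test("npm package metadata is public-ready and dependency-free", () => {
 "route-trace",
 "env-audit",
 "secret-audit",
+"api-contract-audit",
+"migration-review",
 "project-adapters",
 "code-validation",
 "cli",
@@ -589,6 +611,103 @@ test("secret-audit does not broaden a repo-map-only project adapter", () => {
 assert.match(renderSecretAuditReport(result), /secret-audit is not enabled/);
 });
 
+test("api-contract-audit maps static contract surfaces without runtime behavior", () => {
+const result = buildApiContractAuditReport(
+path.join(root, "tests", "fixtures", "api-contract-audit", "static-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.ok(result.contractFiles.some((record) => record.path === "docs/openapi.yaml"));
+assert.ok(
+result.endpointDeclarations.some(
+(record) => record.route === "/api/users" && record.method === "GET",
+),
+);
+assert.ok(result.clientCalls.some((record) => record.target === "/api/users"));
+assert.ok(result.schemaFiles.some((record) => record.path === "schemas/user.schema.ts"));
+assert.match(renderApiContractAuditReport(result), /No target project build/);
+});
+
+test("api-contract-audit respects adapter-declared scope", () => {
+const result = buildApiContractAuditReport(
+path.join(root, "tests", "fixtures", "api-contract-audit", "adapter-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.deepEqual(result.scopePaths, ["src"]);
+assert.deepEqual(result.filesScanned, ["src/routes.ts"]);
+assert.ok(result.endpointDeclarations.some((record) => record.route === "/api/adapter-items"));
+assert.ok(result.warnings.includes("api-contract-audit used adapter-declared safe read paths only"));
+const cli = apiContractAuditCliResult(
+path.join(root, "tests", "fixtures", "api-contract-audit", "adapter-project"),
+{ coreRoot: root },
+);
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /API-contract-audit enabled: yes/);
+});
+
+test("api-contract-audit does not broaden a repo-map-only project adapter", () => {
+const result = buildApiContractAuditReport(
+path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "partial");
+assert.equal(result.filesScanned.length, 0);
+assert.equal(result.endpointDeclarations.length, 0);
+assert.match(renderApiContractAuditReport(result), /api-contract-audit is not enabled/);
+});
+
+test("migration-review maps static migration surfaces without database access", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "migration-review", "static-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.ok(result.migrationFiles.some((record) => record.path === "prisma/migrations/20260703010101_init/migration.sql"));
+assert.ok(result.schemaFiles.some((record) => record.path === "prisma/schema.prisma"));
+assert.ok(result.configFiles.some((record) => record.path === "drizzle.config.ts"));
+assert.ok(result.packageScriptKeys.some((record) => record.key === "db:migrate"));
+assert.ok(result.riskIndicators.some((record) => record.type === "drop-column"));
+assert.match(renderMigrationReviewReport(result), /No database connection/);
+});
+
+test("migration-review respects adapter-declared scope", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.deepEqual(result.scopePaths, ["db"]);
+assert.deepEqual(result.filesScanned, ["db/migrations/001_create_accounts.sql"]);
+assert.ok(result.migrationFiles.some((record) => record.path === "db/migrations/001_create_accounts.sql"));
+assert.ok(result.warnings.includes("migration-review used adapter-declared safe read paths only"));
+const cli = migrationReviewCliResult(
+path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
+{ coreRoot: root },
+);
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /Migration-review enabled: yes/);
+});
+
+test("migration-review does not broaden a repo-map-only project adapter", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "partial");
+assert.equal(result.filesScanned.length, 0);
+assert.equal(result.migrationFiles.length, 0);
+assert.match(renderMigrationReviewReport(result), /migration-review is not enabled/);
+});
+
 test("validate-pack accepts installed package trees without source-only gitignore", () => {
 const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
 const installedRoot = path.join(temporaryRoot, "coding-agent-skills");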
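Review bot: The new "migration-review maps static migration surfaces" test (new lines 664–677) asserts that `packageScriptKeys` contains the `db:migrate` key but never checks the skill's stated rule that script command values are not printed; the rendered report should also be asserted not to contain the fixture's command string, e.g. `assert.ok(!renderMigrationReviewReport(result).includes("<db:migrate value from the static-project fixture package.json>"));`. Likewise the api-contract-audit static-project fixture listed in this release's diffstat contains no `.env` or other secret-bearing file, so the exclusion the skill documents is not exercised by the "maps static contract surfaces" test at new lines 614–630; adding such a file to the fixture and asserting it is absent from `result.filesScanned` (and from the rendered report) would pin that boundary the way the earlier `!cliText.includes(".env")` check does for the CLI text. The two "does not broaden" tests only prove `filesScanned` is empty for the repo-map-only adapter, which is the right check; a comment noting that `valid-exact-pin` is reused from the project-adapter-installation fixtures would help readers find it.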
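--- a/package/scripts/validate-pack.mjs
+++ b/package/scripts/validate-pack.mjs
@@ -98,6 +98,8 @@ const requiredRootFiles = [
 "scripts/render-route-trace.mjs",
 "scripts/render-env-audit.mjs",
 "scripts/render-secret-audit.mjs",
+"scripts/render-api-contract-audit.mjs",
+"scripts/render-migration-review.mjs",
 "scripts/check-adapter-upgrade.mjs",
 "scripts/check-adapter-upgrade-chain.mjs",
 "scripts/validate-adapters.mjs",
@@ -106,6 +108,8 @@ const requiredRootFiles = [
 "scripts/lib/route-trace.mjs",
 "scripts/lib/env-audit.mjs",
 "scripts/lib/secret-audit.mjs",
+"scripts/lib/api-contract-audit.mjs",
+"scripts/lib/migration-review.mjs",
 "scripts/lib/adapter-upgrade.mjs",
 "scripts/lib/adapter-upgrade-chain.mjs",
 "scripts/lib/adapter-discovery.mjs",
@@ -679,8 +683,8 @@ if (packageJson) {
 if (packageJson.name !== "coding-agent-skills") {
 failures.push("package.json has unexpected package name");
 }
-if (packageJson.version !== "0.2.
-failures.push("package.json version must be 0.2.
+if (packageJson.version !== "0.2.13") {
+failures.push("package.json version must be 0.2.13 for public package validation");
 }
 if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
 if (packageJson.private !== false) {
@@ -701,6 +705,8 @@ if (packageJson) {
 "route-trace",
 "env-audit",
 "secret-audit",
+"api-contract-audit",
+"migration-review",
 "project-adapters",
 "code-validation",
 "cli",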
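Review bot: The expected version literal `"0.2.13"` is written twice at new lines 686–687 (once in the comparison, once in the failure message) and a third time in `scripts/test-pack.mjs` new line 354, so every release edits three places that can drift apart without any check noticing. Declaring it once, `const EXPECTED_VERSION = "0.2.13";`, and writing the message as `failures.push(\`package.json version must be ${EXPECTED_VERSION} for public package validation\`)` keeps the two lines in this hunk in sync; sharing the constant with test-pack.mjs is a reasonable follow-up. The enclosing `if (packageJson)` block starts outside the hunk.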
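--- a/package/skills/api-contract-audit/SKILL.md
+++ b/package/skills/api-contract-audit/SKILL.md
@@ -0,0 +1,85 @@
+---
+name: api-contract-audit
+description: Audit statically visible API contract surfaces without running servers, calling APIs, generating schemas, or modifying projects. Use when Codex must map OpenAPI or Swagger files, route handler declarations, client request patterns, and schema/type files before API work or handoff; do not use for runtime verification, network probing, code generation, builds, tests, deployments, migrations, or secret-file reads.
+---
+
+# API Contract Audit
+
+Map statically visible API contract evidence and report what is and is not verified. Remain audit-only and avoid turning contract discovery into runtime validation.
+
+This skill must not change project files, Git state, dependencies, runtime state, services,
+databases, remotes, generated clients, schemas, or deployment state.
+
+## Purpose And Use
+
+Use this skill before API work, integration handoff, or contract review when the agent needs
+to understand visible API contracts from source, docs, route handlers, client calls, and
+schema/type files.
+
+Do not use it to prove deployed behavior, call endpoints, generate clients, generate
+schemas, run validators, build, test, migrate, deploy, inspect databases, or read secrets.
+
+## Inputs
+
+Require a project root or starting path. Optionally accept a project adapter, intended scan
+area, documentation precedence, contract-file hints, or known static API boundaries.
+
+Do not assume a missing contract file means no API exists, static route declarations match
+runtime behavior, client calls cover all server routes, generated clients are current, or a
+project adapter enables this skill unless validation proves it.
+
+## Procedure
+
+1. Record user intent, project root, declared scope, adapter state, and safety boundary.
+2. Validate a project adapter when present before reading adapter-declared metadata.
+3. If an adapter is present but does not enable `api-contract-audit`, stop static file
+reading and report the adapter-limited skip.
+4. Build scan scope from adapter safe read paths when available; otherwise use a bounded
+generic static scan.
+5. Exclude `.env`, secret-bearing files, generated output, dependency paths, and oversized
+files before reading.
+6. Identify statically visible OpenAPI/Swagger or API contract files.
+7. Identify route handler declarations and contract path/method declarations from static text.
+8. Identify client request call patterns and schema/type files.
+9. Report skipped items, not-verified runtime surfaces, warnings, and safety refusals.
+10. Emit the shared evidence pack or API contract audit report before claiming completion.
+
+Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md),
+[adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings
+with [evidence-template.md](evidence-template.md).
+
+## Evidence, Recovery, And Dependencies
+
+Emit repository identity, adapter state, scan scope, ignored paths, files scanned, contract
+files, endpoint declarations, client-call patterns, schema/type files, skipped items,
+not-verified areas, warnings, and changed-state declaration through the shared evidence-pack
+contract.
+
+Recover from missing specs, ambiguous route declarations, unreadable files, or adapter
+limits by reporting uncertainty. Never recover by running a server, calling an endpoint,
+generating a client, generating schemas, installing dependencies, building, testing,
+deploying, migrating, broadening adapter scope, or reading `.env`.
+
+This skill depends on the evidence-pack contract and may consume validated project adapters.
+Adapters may add safe paths, ignored paths, documentation precedence, and evidence
+requirements, but cannot weaken policy or turn this skill into runtime or generation work.
+
+## Approval Boundary
+
+Explicit approval may permit one named non-secret static file read outside normal source
+paths. Approval does not permit `.env` or secret-file reads, URL probes, API calls, schema
+generation, client generation, package installation, builds, tests, runtime checks,
+deployments, migrations, Git mutation, or project writes.
+
+## Completion
+
+Claim `complete` only when the declared static scan scope was inspected, visible contract
+surfaces are reported, skipped and not-verified areas are explicit, adapter limitations are
+clear, and no project, Git, dependency, runtime, service, remote, generated-code, or
+deployment state changed.
+
+Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested
+evidence requires runtime or network behavior, the project root cannot be established, or
+safety exclusions prevent the requested conclusion.
+
+These conditions are both the acceptance criteria and definition of done.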
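--- a/package/skills/api-contract-audit/adapter-interface.md
+++ b/package/skills/api-contract-audit/adapter-interface.md
@@ -0,0 +1,16 @@
+Adapters may enable `api-contract-audit` only as an audit-only static inspection skill.
+
+Allowed adapter extensions:
+
+- `safeReadPaths` for source, docs, contract, schema, and client files.
+- `ignoredPaths` for generated, dependency, build, coverage, and output directories.
+- `documentationPrecedence` for API docs or contract references.
+- `requiredEvidence` for contract files, route declarations, client calls, schemas, and not-verified areas.
+
+Adapters must not:
+
+- Add commands for `api-contract-audit`.
+- Require runtime servers, URL probes, API calls, schema generation, or client generation.
+- Include `.env`, credential, or secret-bearing paths.
+- Change `api-contract-audit` from `audit-only` to action-capable.
+- Expand scope outside the declared project root without named approval.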
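--- a/package/skills/api-contract-audit/agents/openai.yaml
+++ b/package/skills/api-contract-audit/agents/openai.yaml
@@ -0,0 +1,4 @@
+interface:
+display_name: "API Contract Audit"
+short_description: "Map static API contract surfaces without runtime calls"
+default_prompt: "Audit static API contract surfaces in this repository without changing project state. Do not run servers, call APIs, generate clients or schemas, read .env files, or run builds/tests."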
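--- a/package/skills/api-contract-audit/checklist.md
+++ b/package/skills/api-contract-audit/checklist.md
@@ -0,0 +1,7 @@
+- Confirm the project root and declared static scope.
+- Validate any project adapter before reading adapter metadata.
+- Stop with `partial` if an adapter is present but does not enable `api-contract-audit`.
+- Exclude `.env`, secret-bearing, dependency, generated, output, and oversized files.
+- Report contract files, endpoint declarations, client calls, and schema/type files.
+- Record not-verified runtime, deployment, database, auth, and semantic equivalence gaps.
+- Declare that no build, test, runtime, URL probe, API call, generation, deployment, migration, package install, secret read, or write occurred.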
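--- a/package/skills/api-contract-audit/evidence-template.md
+++ b/package/skills/api-contract-audit/evidence-template.md
@@ -0,0 +1,13 @@
+- Skill: `api-contract-audit`
+- Status: `complete`, `partial`, `failed`, or `blocked`
+- Project root and branch state
+- Adapter present/enabled state
+- Scope paths and ignored paths
+- Files scanned
+- Contract files found
+- Endpoint declarations found
+- Client-call patterns found
+- Schema/type files found
+- Skipped items and reasons
+- Not-verified runtime, deployment, database, auth, generation, and semantic-equivalence gaps
+- Changed-state declaration: no project, Git, dependency, runtime, service, remote, generated-code, or deployment state changed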
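--- a/package/skills/api-contract-audit/examples.md
+++ b/package/skills/api-contract-audit/examples.md
@@ -0,0 +1,20 @@
+Safe examples:
+
+```bash
+coding-agent-skills api-contract-audit /workspace/app
+```
+
+```bash
+node scripts/render-api-contract-audit.mjs tests/fixtures/api-contract-audit/static-project
+```
+
+Expected result: a report listing static contract files, endpoint declarations, client call
+patterns, schema/type files, skipped paths, not-verified runtime behavior, and refused
+actions.
+
+## Unsafe Examples
+
+- Start the API server to verify contract behavior.
+- Call `/api/*` endpoints or remote URLs.
+- Generate an OpenAPI spec or client.
+- Read `.env`, credentials, service keys, or private runtime config.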
|
|
|
1
|
+
- Adapter present but missing `api-contract-audit`: report `partial` and read no target files.
|
|
2
|
+
- No contract file found: report the absence as static evidence, not proof that no API exists.
|
|
3
|
+
- Route declarations are dynamic: record not-verified runtime behavior.
|
|
4
|
+
- Client calls use variables or generated clients: report the limitation without executing code.
|
|
5
|
+
- Requested proof requires runtime, network, database, generation, build, test, or secret access: stop or report blocked.
|
|
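--- a/package/skills/migration-review/SKILL.md
+++ b/package/skills/migration-review/SKILL.md
@@ -0,0 +1,87 @@
+---
+name: migration-review
+description: Review statically visible database migration and schema evidence without connecting to databases, applying migrations, generating ORM clients, or modifying projects. Use when Codex must map migration files, schema/config files, migration-related package script keys, and static risk indicators before database work or handoff; do not use for runtime database inspection, migration execution, deploys, builds, tests, package installs, or secret-file reads.
+---
+
+# Migration Review
+
+Map statically visible migration evidence and report what is and is not verified. Remain
+audit-only and avoid turning migration discovery into database or deployment work.
+
+This skill must not change project files, Git state, dependencies, runtime state, services,
+databases, remotes, generated ORM clients, or deployment state.
+
+## Purpose And Use
+
+Use this skill before database work, migration handoff, or schema review when the agent needs
+to understand visible migration files, schema declarations, migration config, and static
+risk indicators.
+
+Do not use it to prove database state, apply or roll back migrations, inspect deployed
+databases, generate ORM clients, build, test, deploy, run package scripts, or read secrets.
+
+## Inputs
+
+Require a project root or starting path. Optionally accept a project adapter, intended scan
+area, documentation precedence, migration directory hints, or known ORM/database boundaries.
+
+Do not assume a missing migration directory means no database exists, migration filenames
+reflect applied state, schema files match production, package script keys are safe to run, or
+a project adapter enables this skill unless validation proves it.
+
+## Procedure
+
+1. Record user intent, project root, declared scope, adapter state, and safety boundary.
+2. Validate a project adapter when present before reading adapter-declared metadata.
+3. If an adapter is present but does not enable `migration-review`, stop static file reading
+and report the adapter-limited skip.
+4. Build scan scope from adapter safe read paths when available; otherwise use a bounded
+generic static scan.
+5. Exclude `.env`, secret-bearing files, generated output, dependency paths, and oversized
+files before reading.
+6. Identify statically visible migration files and migration directories.
+7. Identify schema and migration config files.
+8. Identify package script keys that mention migration tools without printing command values.
+9. Identify static risk indicators such as drop-column, truncate, rename, or raw data update
+patterns without judging runtime safety.
+10. Emit the shared evidence pack or migration review report before claiming completion.
+
+Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md),
+[adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings
+with [evidence-template.md](evidence-template.md).
+
+## Evidence, Recovery, And Dependencies
+
+Emit repository identity, adapter state, scan scope, ignored paths, files scanned, migration
+files, schema files, config files, package script keys, risk indicators, skipped items,
+not-verified areas, warnings, and changed-state declaration through the shared evidence-pack
+contract.
+
+Recover from missing migration directories, ambiguous ORM layouts, unreadable files, or
+adapter limits by reporting uncertainty. Never recover by connecting to a database, applying
+migrations, generating ORM clients, installing dependencies, building, testing, deploying,
+broadening adapter scope, or reading `.env`.
+
+This skill depends on the evidence-pack contract and may consume validated project adapters.
+Adapters may add safe paths, ignored paths, documentation precedence, and evidence
+requirements, but cannot weaken policy or turn this skill into database work.
+
+## Approval Boundary
+
+Explicit approval may permit one named non-secret static file read outside normal source
+paths. Approval does not permit `.env` or secret-file reads, database connections, migration
+execution, ORM generation, package installation, builds, tests, runtime checks, deployments,
+Git mutation, or project writes.
+
+## Completion
+
+Claim `complete` only when the declared static scan scope was inspected, visible migration
+surfaces are reported, skipped and not-verified areas are explicit, adapter limitations are
+clear, and no project, Git, dependency, runtime, service, database, remote, generated-code, or
+deployment state changed.
+
+Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested
+evidence requires database/runtime behavior, the project root cannot be established, or
+safety exclusions prevent the requested conclusion.
+
+These conditions are both the acceptance criteria and definition of done.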
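--- a/package/skills/migration-review/adapter-interface.md
+++ b/package/skills/migration-review/adapter-interface.md
@@ -0,0 +1,16 @@
+Adapters may enable `migration-review` only as an audit-only static inspection skill.
+
+Allowed adapter extensions:
+
+- `safeReadPaths` for migration, schema, config, and relevant package files.
+- `ignoredPaths` for generated, dependency, build, coverage, and output directories.
+- `documentationPrecedence` for migration runbooks or schema docs.
+- `requiredEvidence` for migration files, schemas, config, risk indicators, and not-verified areas.
+
+Adapters must not:
+
+- Add commands for `migration-review`.
+- Require database connections, migration execution, ORM generation, or package scripts.
+- Include `.env`, credential, service-key, or secret-bearing paths.
+- Change `migration-review` from `audit-only` to action-capable.
+- Expand scope outside the declared project root without named approval.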
@@ -0,0 +1,3 @@
|
|
|
1
|
+
display_name: Migration Review
|
|
2
|
+
short_description: Review static migration and schema evidence without database access.
|
|
3
|
+
default_prompt: Review this repository's migration and schema evidence as an audit-only pass without modifying files, applying migrations, connecting to databases, generating ORM clients, or reading secrets.
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
- Confirm the project root and declared static scope.
|
|
2
|
+
- Validate any project adapter before reading adapter metadata.
|
|
3
|
+
- Stop with `partial` if an adapter is present but does not enable `migration-review`.
|
|
4
|
+
- Exclude `.env`, secret-bearing, dependency, generated, output, and oversized files.
|
|
5
|
+
- Report migration files, schema files, config files, package script keys, and risk indicators.
|
|
6
|
+
- Do not print package script command values.
|
|
7
|
+
- Record not-verified database state, rollback, generated-client, and production gaps.
|
|
8
|
+
- Declare that no database connection, migration execution, ORM generation, build, test, deploy, package install, secret read, or write occurred.
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
Evidence fields:
|
|
2
|
+
|
|
3
|
+
- Project root and Git branch state.
|
|
4
|
+
- Adapter presence, enabled state, and scope paths.
|
|
5
|
+
- Ignored paths and skipped static files.
|
|
6
|
+
- Migration files and reasons.
|
|
7
|
+
- Schema files and reasons.
|
|
8
|
+
- Migration config files and reasons.
|
|
9
|
+
- Package script keys, without command values.
|
|
10
|
+
- Static risk indicators by file and type.
|
|
11
|
+
- Not-verified database, rollback, generated-client, and production areas.
|
|
12
|
+
- Refused behavior and changed-state declaration.
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Safe examples:
|
|
2
|
+
|
|
3
|
+
```bash
|
|
4
|
+
coding-agent-skills migration-review /workspace/app
|
|
5
|
+
```
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
node scripts/render-migration-review.mjs tests/fixtures/migration-review/static-project
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Expected result: a report listing static migration files, schema/config files, package
|
|
12
|
+
script keys, risk indicators, skipped paths, not-verified database behavior, and refused
|
|
13
|
+
actions.
|
|
14
|
+
|
|
15
|
+
## Unsafe Examples
|
|
16
|
+
|
|
17
|
+
- Apply database migrations.
|
|
18
|
+
- Connect to a local or remote database to inspect applied state.
|
|
19
|
+
- Generate ORM clients or migration files.
|
|
20
|
+
- Read `.env`, credentials, service keys, or private runtime config.
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
- Missing migration directories: report uncertainty instead of assuming no database exists.
|
|
2
|
+
- Adapter present without `migration-review`: return `partial` and read no target files.
|
|
3
|
+
- Secret-bearing paths: skip and record the exclusion without printing values.
|
|
4
|
+
- Destructive-looking SQL: report the static indicator without judging production safety.
|
|
5
|
+
- Requested database state or rollback proof: stop at the approval boundary because this skill is static only.
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
{
|
|
2
|
+
"adapterId": "api-contract-audit-fixture",
|
|
3
|
+
"adapterVersion": "1.0.0",
|
|
4
|
+
"project": {
|
|
5
|
+
"id": "api-contract-audit-fixture",
|
|
6
|
+
"detection": {
|
|
7
|
+
"rootMarkers": [{"kind": "file", "path": "package.json"}],
|
|
8
|
+
"maximumDepth": 1,
|
|
9
|
+
"scope": "declared-project-root",
|
|
10
|
+
"requireApprovalOutsideScope": true
|
|
11
|
+
}
|
|
12
|
+
},
|
|
13
|
+
"supportedSkills": [
|
|
14
|
+
{
|
|
15
|
+
"id": "api-contract-audit",
|
|
16
|
+
"compatibleVersions": ["0.2.3", "0.2.x"],
|
|
17
|
+
"declaredMode": "audit-only"
|
|
18
|
+
}
|
|
19
|
+
],
|
|
20
|
+
"extensions": {
|
|
21
|
+
"safeReadPaths": ["src"],
|
|
22
|
+
"ignoredPaths": ["dist", "build"],
|
|
23
|
+
"documentationPrecedence": ["README.md"],
|
|
24
|
+
"commandAliases": [],
|
|
25
|
+
"safeStatusCommands": [],
|
|
26
|
+
"requiredEvidence": ["project root", "adapter scope", "contract surfaces", "not-verified runtime areas"],
|
|
27
|
+
"expectedRuntimeManagers": [],
|
|
28
|
+
"expectedPackageManagers": ["npm"]
|
|
29
|
+
},
|
|
30
|
+
"approvalRequirements": [],
|
|
31
|
+
"inheritance": {
|
|
32
|
+
"sharedRestrictions": "required",
|
|
33
|
+
"deniedOperationCategories": [
|
|
34
|
+
"file-write",
|
|
35
|
+
"package-install",
|
|
36
|
+
"deployment",
|
|
37
|
+
"git-mutation",
|
|
38
|
+
"unrestricted-scan",
|
|
39
|
+
"secret-read",
|
|
40
|
+
"process-mutation",
|
|
41
|
+
"service-mutation",
|
|
42
|
+
"migration-apply",
|
|
43
|
+
"privileged-api"
|
|
44
|
+
],
|
|
45
|
+
"allowRestrictionRemoval": false,
|
|
46
|
+
"allowModeOverride": false,
|
|
47
|
+
"allowFailureSuppression": false,
|
|
48
|
+
"allowCompletionOverride": false,
|
|
49
|
+
"allowSecretExposure": false,
|
|
50
|
+
"allowRequiredEvidenceRemoval": false,
|
|
51
|
+
"allowScopeExpansionWithoutApproval": false
|
|
52
|
+
}
|
|
53
|
+
}
|
|
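Review bot: The version fields in this adapter fixture and in the installation-declaration fixture of the next hunk look internally inconsistent: `"compatibleVersions": ["0.2.3", "0.2.x"]` lists an exact version that the `0.2.x` range already covers, and the next hunk pins `"expectedVersion": "0.2.3"` under a `">=0.2.2 <0.3.0"` range while the package itself is now 0.2.13. If validate-project-adapters compares `expectedVersion` against the running core version, these fixtures will drift further with every release; if the stale values are deliberate to exercise a mismatch path, a sibling README line saying so would save the next maintainer from "fixing" them. Either way, dropping the redundant `"0.2.3"` entry here keeps the fixture's intent (any 0.2 core) unambiguous.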
@@ -0,0 +1,23 @@
|
|
|
1
|
+
{
|
|
2
|
+
"declarationVersion": "1.0.0",
|
|
3
|
+
"projectId": "api-contract-audit-fixture",
|
|
4
|
+
"adapterRoot": ".coding-agent/adapters",
|
|
5
|
+
"adapterSchemaVersion": "1.0.0",
|
|
6
|
+
"core": {
|
|
7
|
+
"id": "coding-agent-skills",
|
|
8
|
+
"expectedVersion": "0.2.3",
|
|
9
|
+
"versionPin": ">=0.2.2 <0.3.0"
|
|
10
|
+
},
|
|
11
|
+
"compatibleSkillIds": ["api-contract-audit"],
|
|
12
|
+
"adapters": [
|
|
13
|
+
{
|
|
14
|
+
"id": "api-contract-audit-fixture",
|
|
15
|
+
"version": "1.0.0",
|
|
16
|
+
"skillIds": ["api-contract-audit"]
|
|
17
|
+
}
|
|
18
|
+
],
|
|
19
|
+
"validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
|
|
20
|
+
"evidenceOutput": ".coding-agent/evidence",
|
|
21
|
+
"approvalPolicyReference": ".coding-agent/approval-policy.md",
|
|
22
|
+
"noSecrets": true
|
|
23
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
router.get("/api/adapter-items", () => {});
|