coding-agent-skills 0.2.12 → 0.2.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +21 -0
- package/README.md +4 -0
- package/ROADMAP.md +5 -3
- package/bin/coding-agent-skills +7 -0
- package/docs/adapters/README.md +20 -0
- package/docs/adapters/project-installation.md +13 -0
- package/docs/adapters/real-project-adoption.md +1 -1
- package/docs/architecture/README.md +1 -0
- package/docs/release/README.md +3 -2
- package/docs/release/npm-package.md +7 -2
- package/docs/safety/README.md +6 -1
- package/docs/testing/README.md +8 -0
- package/docs/usage/README.md +15 -5
- package/examples/command-policies/migration-review.json +70 -0
- package/examples/evidence-packs/migration-review.json +60 -0
- package/examples/manifests/migration-review.json +14 -0
- package/examples/workflows/migration-review.md +7 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +16 -0
- package/schemas/project-adapter-installation.schema.json +2 -0
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/migration-review.mjs +641 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/render-migration-review.mjs +8 -0
- package/scripts/test-pack.mjs +59 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/migration-review/SKILL.md +87 -0
- package/skills/migration-review/adapter-interface.md +16 -0
- package/skills/migration-review/agents/openai.yaml +3 -0
- package/skills/migration-review/checklist.md +8 -0
- package/skills/migration-review/evidence-template.md +12 -0
- package/skills/migration-review/examples.md +20 -0
- package/skills/migration-review/failure-modes.md +5 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
- package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
- package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
- package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
- package/tests/fixtures/migration-review/static-project/README.md +3 -0
- package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
- package/tests/fixtures/migration-review/static-project/package.json +7 -0
- package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
- package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
- package/tests/fixtures/triggers/cases.json +13 -1
- package/tests/trigger/README.md +2 -0
- package/work-ledger.md +17 -5
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes follow [Semantic Versioning](docs/versioning/README.md).
|
|
4
4
|
|
|
5
|
+
## [0.2.13] - 2026-07-03
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- `migration-review` audit-only skill for static database migration and schema evidence
|
|
10
|
+
review.
|
|
11
|
+
- `coding-agent-skills migration-review <project-root>` CLI command.
|
|
12
|
+
- Dependency-free migration review renderer for migration files, schema/config files,
|
|
13
|
+
package script keys without command values, static risk indicators, skipped paths,
|
|
14
|
+
not-verified database behavior, adapter-limited scope, and safety refusals.
|
|
15
|
+
- Synthetic migration-review fixtures and release tests for generic static scans,
|
|
16
|
+
adapter-scoped scans, destructive-looking SQL indicators, package script key detection,
|
|
17
|
+
and repo-map-only adapter skips.
|
|
18
|
+
|
|
19
|
+
### Changed
|
|
20
|
+
|
|
21
|
+
- Adapter schemas and validators now recognize `migration-review` as an audit-only skill
|
|
22
|
+
while preserving the existing `0.2.3` adapter contract compatibility baseline.
|
|
23
|
+
- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
|
|
24
|
+
describe the new static read-only migration review command.
|
|
25
|
+
|
|
5
26
|
## [0.2.12] - 2026-07-03
|
|
6
27
|
|
|
7
28
|
### Added
|
package/README.md
CHANGED
|
@@ -10,6 +10,7 @@ The pilot pack contains:
|
|
|
10
10
|
- `env-audit`: audit-only environment variable name mapping without values.
|
|
11
11
|
- `secret-audit`: audit-only high-confidence secret exposure detection without values.
|
|
12
12
|
- `api-contract-audit`: audit-only static API contract surface mapping.
|
|
13
|
+
- `migration-review`: audit-only static migration and schema evidence review.
|
|
13
14
|
- `build-verify`: controlled local validation using existing project commands.
|
|
14
15
|
- `git-preflight`: audit-only Git readiness inspection.
|
|
15
16
|
- `runtime-truth`: audit-only runtime evidence collection.
|
|
@@ -46,6 +47,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
46
47
|
- Map environment variable names with `coding-agent-skills env-audit <project-root>`.
|
|
47
48
|
- Find redacted secret exposure risks with `coding-agent-skills secret-audit <project-root>`.
|
|
48
49
|
- Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
|
|
50
|
+
- Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
|
|
49
51
|
- Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
|
|
50
52
|
- Review [external adapter discovery](docs/adapters/discovery.md).
|
|
51
53
|
- Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
|
|
@@ -59,6 +61,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
59
61
|
`node scripts/render-secret-audit.mjs <project-root>`.
|
|
60
62
|
- Render a static API contract audit report with
|
|
61
63
|
`node scripts/render-api-contract-audit.mjs <project-root>`.
|
|
64
|
+
- Render a static migration review report with
|
|
65
|
+
`node scripts/render-migration-review.mjs <project-root>`.
|
|
62
66
|
- Review [adapter upgrade checks](docs/adapters/upgrades.md).
|
|
63
67
|
- Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
|
|
64
68
|
for disposable project revisions.
|
package/ROADMAP.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Roadmap
|
|
2
2
|
|
|
3
|
-
The public package now contains
|
|
3
|
+
The public package now contains ten approved shared skills. Builder-mode approval is
|
|
4
4
|
active for the remaining read-only skill wave in this repository; real-world project
|
|
5
5
|
execution constraints remain unchanged.
|
|
6
6
|
|
|
@@ -36,6 +36,8 @@ execution constraints remain unchanged.
|
|
|
36
36
|
exposure detection.
|
|
37
37
|
- `v0.2.12`: audit-only `api-contract-audit` skill and CLI renderer for static API
|
|
38
38
|
contract surface mapping.
|
|
39
|
+
- `v0.2.13`: audit-only `migration-review` skill and CLI renderer for static migration
|
|
40
|
+
and schema evidence review.
|
|
39
41
|
|
|
40
42
|
The next milestone is recorded in [work-ledger.md](work-ledger.md). The
|
|
41
43
|
[maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
|
|
@@ -80,8 +82,8 @@ Next safe milestone options:
|
|
|
80
82
|
| `env-audit-skill` | General | Audit-only | Implemented in `v0.2.10` |
|
|
81
83
|
| `secret-audit-skill` | General | Audit-only | Implemented in `v0.2.11` |
|
|
82
84
|
| `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
|
|
83
|
-
| `migration-review-skill` | General with platform adapters | Audit-only |
|
|
84
|
-
| `github-handoff-skill` | General | Audit-only | Builder-mode approved;
|
|
85
|
+
| `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
|
|
86
|
+
| `github-handoff-skill` | General | Audit-only | Builder-mode approved; next in wave |
|
|
85
87
|
| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
|
|
86
88
|
| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
|
87
89
|
| `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
|
package/bin/coding-agent-skills
CHANGED
|
@@ -47,6 +47,12 @@ const commands = {
|
|
|
47
47
|
usage: "coding-agent-skills api-contract-audit <project-root>",
|
|
48
48
|
requiredArgs: 1,
|
|
49
49
|
},
|
|
50
|
+
"migration-review": {
|
|
51
|
+
script: "scripts/render-migration-review.mjs",
|
|
52
|
+
args: ([projectRoot]) => [projectRoot],
|
|
53
|
+
usage: "coding-agent-skills migration-review <project-root>",
|
|
54
|
+
requiredArgs: 1,
|
|
55
|
+
},
|
|
50
56
|
"validate-adapters": {
|
|
51
57
|
script: "scripts/validate-adapters.mjs",
|
|
52
58
|
args: ([adapterRoot]) => [adapterRoot],
|
|
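Review bot: `requiredArgs: 1` only checks argument count, and `args: ([projectRoot]) => [projectRoot]` forwards the value untouched, so nothing in this wrapper confirms that `<project-root>` exists, is a directory, or is the scope the caller intended; that check has to live in `scripts/render-migration-review.mjs`, and it is worth saying so here (or in the `usage` string), since the same shape is reused for every audit command in this table.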
@@ -67,6 +73,7 @@ function usage(exitCode = 0) {
|
|
|
67
73
|
" env-audit <project-root>",
|
|
68
74
|
" secret-audit <project-root>",
|
|
69
75
|
" api-contract-audit <project-root>",
|
|
76
|
+
" migration-review <project-root>",
|
|
70
77
|
" validate-adapters <adapter-root>",
|
|
71
78
|
"",
|
|
72
79
|
"local wrapper for the published coding-agent-skills package",
|
package/docs/adapters/README.md
CHANGED
|
@@ -104,6 +104,24 @@ reports contract files, endpoint declarations, client-call patterns, schema/type
|
|
|
104
104
|
skipped paths, and not-verified runtime behavior. It never runs servers, calls APIs,
|
|
105
105
|
generates schemas or clients, builds, tests, deploys, migrates, or mutates project files.
|
|
106
106
|
|
|
107
|
+
## Adapter-Aware Migration Review Consumption
|
|
108
|
+
|
|
109
|
+
The shared pack can consume a validated project-owned adapter as bounded context for
|
|
110
|
+
`migration-review`:
|
|
111
|
+
|
|
112
|
+
```bash
|
|
113
|
+
node scripts/render-migration-review.mjs <project-root>
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
The renderer validates the project declaration when present. If an adapter is present but
|
|
117
|
+
does not enable `migration-review`, it reports an adapter-limited skip instead of
|
|
118
|
+
broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
|
|
119
|
+
secret-bearing files, generated output, dependency paths, and oversized files, then
|
|
120
|
+
reports migration files, schema/config files, package script keys, static risk indicators,
|
|
121
|
+
skipped paths, and not-verified database behavior. It never connects to databases,
|
|
122
|
+
executes migrations, generates ORM clients, builds, tests, deploys, or mutates project
|
|
123
|
+
files.
|
|
124
|
+
|
|
107
125
|
## What Adapters May Do
|
|
108
126
|
|
|
109
127
|
- Add bounded relative read paths and ignored paths.
|
|
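Review bot: the sentence `excludes `.env`, secret-bearing files, generated output, dependency paths, and oversized files` introduces a size bound without stating it; give the limit (and whether it applies per file) so adapter authors know which large migration files will land in the skipped-paths list instead of in the report.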
@@ -115,6 +133,8 @@ generates schemas or clients, builds, tests, deploys, migrates, or mutates proje
|
|
|
115
133
|
while relying on the shared scanner to exclude secret-bearing paths.
|
|
116
134
|
- Add api-contract-audit safe read paths for static API docs, contract files, route
|
|
117
135
|
handlers, client calls, and schema/type files.
|
|
136
|
+
- Add migration-review safe read paths for static migration, schema, config, and package
|
|
137
|
+
files while relying on the shared reviewer to exclude secret-bearing paths.
|
|
118
138
|
- Add command aliases that already satisfy the shared command policy.
|
|
119
139
|
- Add status-only runtime commands and manager hints.
|
|
120
140
|
- Require additional evidence or named approval for exceptional reads.
|
|
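Review bot: `config` files are added to the migration-review safe read set here, and ORM configuration such as the `drizzle.config.ts` fixture this diff adds is exactly where a database URL usually lives, yet the bullet only promises exclusion of secret-bearing paths; state whether config files are reported by path alone or whether their contents are read and, if read, how connection strings are kept out of the rendered report.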
@@ -157,6 +157,19 @@ skip. When enabled, it reads only adapter-declared safe paths and reports static
|
|
|
157
157
|
files, endpoint declarations, client-call patterns, schema/type files, and not-verified
|
|
158
158
|
runtime behavior without running servers, calling APIs, or generating code.
|
|
159
159
|
|
|
160
|
+
A project-owned adapter can also enable read-only `migration-review` context:
|
|
161
|
+
|
|
162
|
+
```bash
|
|
163
|
+
node scripts/render-migration-review.mjs <project-root>
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
The migration review renderer validates the project declaration when present. If the
|
|
167
|
+
adapter is present but does not enable `migration-review`, it reports an adapter-limited
|
|
168
|
+
skip. When enabled, it reads only adapter-declared safe paths and reports static migration
|
|
169
|
+
files, schema/config files, package script keys, static risk indicators, and not-verified
|
|
170
|
+
database behavior without connecting to databases, applying migrations, generating ORM
|
|
171
|
+
clients, or running package scripts.
|
|
172
|
+
|
|
160
173
|
## Safety Boundary
|
|
161
174
|
|
|
162
175
|
Project adapters are extension-only. They cannot remove denied operations, change an
|
|
@@ -21,7 +21,7 @@ project repository is touched:
|
|
|
21
21
|
- The project can declare exactly one installation file: `.coding-agent/skills.json` or
|
|
22
22
|
`coding-agent.skills.json`.
|
|
23
23
|
- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
|
|
24
|
-
`env-audit`, `secret-audit`, `api-contract-audit`, `build-verify`, `git-preflight`,
|
|
24
|
+
`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `build-verify`, `git-preflight`,
|
|
25
25
|
`runtime-truth`, or `llm-drift-control`.
|
|
26
26
|
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
27
27
|
aliases, status-only hints, or extra evidence requirements.
|
package/docs/release/README.md
CHANGED
|
@@ -21,8 +21,9 @@
|
|
|
21
21
|
14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
|
|
22
22
|
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
|
|
23
23
|
`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`, or
|
|
24
|
-
`coding-agent-skills api-contract-audit
|
|
25
|
-
read-only smoke is explicitly
|
|
24
|
+
`coding-agent-skills api-contract-audit`, or `coding-agent-skills migration-review`
|
|
25
|
+
against synthetic fixtures only unless a real project read-only smoke is explicitly
|
|
26
|
+
approved.
|
|
26
27
|
16. Review changelog, ledger, run evidence, and versioning impact.
|
|
27
28
|
17. Commit with approved identity.
|
|
28
29
|
18. Push `main` using credential-free remotes.
|
|
@@ -7,7 +7,7 @@ safety model.
|
|
|
7
7
|
## Current Package Shape
|
|
8
8
|
|
|
9
9
|
- Package name: `coding-agent-skills`.
|
|
10
|
-
- Package version: `0.2.
|
|
10
|
+
- Package version: `0.2.13`.
|
|
11
11
|
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
12
|
- Module type: `module`.
|
|
13
13
|
- Dependencies: none.
|
|
@@ -31,6 +31,7 @@ coding-agent-skills route-trace /path/to/project
|
|
|
31
31
|
coding-agent-skills env-audit /path/to/project
|
|
32
32
|
coding-agent-skills secret-audit /path/to/project
|
|
33
33
|
coding-agent-skills api-contract-audit /path/to/project
|
|
34
|
+
coding-agent-skills migration-review /path/to/project
|
|
34
35
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
35
36
|
```
|
|
36
37
|
|
|
@@ -51,6 +52,10 @@ validating credentials.
|
|
|
51
52
|
`api-contract-audit` is static and audit-only; it reports contract files, endpoint
|
|
52
53
|
declarations, client-call patterns, schema/type files, and not-verified runtime behavior
|
|
53
54
|
without running servers, calling APIs, or generating clients or schemas.
|
|
55
|
+
`migration-review` is static and audit-only; it reports migration files, schema/config
|
|
56
|
+
files, package script keys, static risk indicators, and not-verified database behavior
|
|
57
|
+
without connecting to databases, applying migrations, generating ORM clients, or reading
|
|
58
|
+
secrets.
|
|
54
59
|
|
|
55
60
|
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
56
61
|
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
|
@@ -85,7 +90,7 @@ included.
|
|
|
85
90
|
|
|
86
91
|
The public CLI remains read-only for target projects unless a specific underlying skill
|
|
87
92
|
already permits a bounded local validation action. The installed `repo-map`,
|
|
88
|
-
`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, and adapter flows do not:
|
|
93
|
+
`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, and adapter flows do not:
|
|
89
94
|
|
|
90
95
|
- deploy
|
|
91
96
|
- run migrations
|
package/docs/safety/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## Audit-Only Rule
|
|
4
4
|
|
|
5
|
-
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
5
|
+
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
6
6
|
|
|
7
7
|
`route-trace` is static only. It may read bounded non-secret route files and route
|
|
8
8
|
configuration, but it must not execute app code, run servers, hit URLs, claim runtime
|
|
@@ -22,6 +22,11 @@ files, route handlers, client calls, and schema/type files, but it must not run
|
|
|
22
22
|
call APIs, probe URLs, generate schemas or clients, build, test, deploy, migrate, inspect
|
|
23
23
|
databases, or broaden adapter scope.
|
|
24
24
|
|
|
25
|
+
`migration-review` is static only. It may read bounded non-secret migration, schema,
|
|
26
|
+
config, and package files, but it must not connect to databases, apply migrations,
|
|
27
|
+
generate ORM clients, run package scripts, build, test, deploy, inspect runtime state, or
|
|
28
|
+
broaden adapter scope.
|
|
29
|
+
|
|
25
30
|
`build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
|
|
26
31
|
|
|
27
32
|
## Restricted Categories
|
package/docs/testing/README.md
CHANGED
|
@@ -59,6 +59,14 @@ declarations, client-call patterns, schema/type files, adapter-declared scope, a
|
|
|
59
59
|
adapter-present-but-not-enabled behavior. Tests must never run servers, call endpoints,
|
|
60
60
|
generate schemas or clients, build, test, deploy, migrate, or read `.env` files.
|
|
61
61
|
|
|
62
|
+
## Migration Review
|
|
63
|
+
|
|
64
|
+
Synthetic migration-review projects cover migration file detection, schema/config file
|
|
65
|
+
detection, package script keys without command values, static risk indicators,
|
|
66
|
+
adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
|
|
67
|
+
connect to databases, apply migrations, generate ORM clients, run package scripts, build,
|
|
68
|
+
test, deploy, or read `.env` files.
|
|
69
|
+
|
|
62
70
|
## Privacy And Redaction
|
|
63
71
|
|
|
64
72
|
Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
|
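Review bot: the coverage list omits the ignored-path case even though this diff adds `ignored/migrations/999_ignore.sql` under the adapter fixture; add adapter-ignored paths to the list so the negative test is documented alongside the positive ones.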
package/docs/usage/README.md
CHANGED
|
@@ -9,6 +9,7 @@ Select the least-privileged skill that matches the request:
|
|
|
9
9
|
| Map environment variable names without values | `env-audit` |
|
|
10
10
|
| Find high-confidence secret exposure risks without values | `secret-audit` |
|
|
11
11
|
| Map static API contract surfaces | `api-contract-audit` |
|
|
12
|
+
| Review static migration and schema evidence | `migration-review` |
|
|
12
13
|
| Run existing local validation checks | `build-verify` |
|
|
13
14
|
| Assess Git handoff readiness | `git-preflight` |
|
|
14
15
|
| Determine what is actually running | `runtime-truth` |
|
|
@@ -24,11 +25,13 @@ Select the least-privileged skill that matches the request:
|
|
|
24
25
|
by path, type, and count without printing matched values.
|
|
25
26
|
5. Use `api-contract-audit` when OpenAPI/Swagger files, endpoint declarations, client
|
|
26
27
|
calls, and schema/type files must be mapped without runtime behavior.
|
|
27
|
-
6.
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
28
|
+
6. Use `migration-review` when database migration, schema, config, package-script-key,
|
|
29
|
+
and static risk-indicator evidence must be mapped without database access.
|
|
30
|
+
7. Perform implementation outside this pilot pack.
|
|
31
|
+
8. Use `build-verify` for approved project-native checks.
|
|
32
|
+
9. Use `git-preflight` before handoff or publication.
|
|
33
|
+
10. Use `runtime-truth` only when live local state matters.
|
|
34
|
+
11. Use `llm-drift-control` when claims and evidence may disagree.
|
|
32
35
|
|
|
33
36
|
Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
|
|
34
37
|
|
|
@@ -63,6 +66,7 @@ coding-agent-skills route-trace /path/to/project
|
|
|
63
66
|
coding-agent-skills env-audit /path/to/project
|
|
64
67
|
coding-agent-skills secret-audit /path/to/project
|
|
65
68
|
coding-agent-skills api-contract-audit /path/to/project
|
|
69
|
+
coding-agent-skills migration-review /path/to/project
|
|
66
70
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
67
71
|
```
|
|
68
72
|
|
|
@@ -88,6 +92,10 @@ counts without printing matched values or validating credentials.
|
|
|
88
92
|
`api-contract-audit` validates a project adapter when present, uses adapter-declared safe
|
|
89
93
|
paths when enabled, and statically reports contract files, endpoint declarations,
|
|
90
94
|
client-call patterns, schema/type files, skipped paths, and not-verified runtime behavior.
|
|
95
|
+
`migration-review` validates a project adapter when present, uses adapter-declared safe
|
|
96
|
+
paths when enabled, and statically reports migration files, schema/config files, package
|
|
97
|
+
script keys, risk indicators, skipped paths, and not-verified database behavior without
|
|
98
|
+
database access or migration execution.
|
|
91
99
|
|
|
92
100
|
The installed CLI does not run target project builds or tests, perform runtime checks,
|
|
93
101
|
deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
|
|
@@ -105,6 +113,7 @@ bin/coding-agent-skills route-trace /path/to/project
|
|
|
105
113
|
bin/coding-agent-skills env-audit /path/to/project
|
|
106
114
|
bin/coding-agent-skills secret-audit /path/to/project
|
|
107
115
|
bin/coding-agent-skills api-contract-audit /path/to/project
|
|
116
|
+
bin/coding-agent-skills migration-review /path/to/project
|
|
108
117
|
bin/coding-agent-skills validate-adapters /path/to/adapter-root
|
|
109
118
|
```
|
|
110
119
|
|
|
@@ -119,6 +128,7 @@ coding-agent-skills route-trace /path/to/project
|
|
|
119
128
|
coding-agent-skills env-audit /path/to/project
|
|
120
129
|
coding-agent-skills secret-audit /path/to/project
|
|
121
130
|
coding-agent-skills api-contract-audit /path/to/project
|
|
131
|
+
coding-agent-skills migration-review /path/to/project
|
|
122
132
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
123
133
|
```
|
|
124
134
|
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "0.2.3",
|
|
3
|
+
"mode": "audit-only",
|
|
4
|
+
"parserPolicy": {
|
|
5
|
+
"inspectEverySegment": true,
|
|
6
|
+
"inspectScriptBodies": true,
|
|
7
|
+
"rejectUnknownExecutables": true,
|
|
8
|
+
"rejectShellWrappers": true,
|
|
9
|
+
"rejectHeredocs": true,
|
|
10
|
+
"rejectRedirection": true,
|
|
11
|
+
"providerSpecificNpx": true,
|
|
12
|
+
"authenticatedCurlRequiresApproval": true,
|
|
13
|
+
"boundedReadsRequired": true,
|
|
14
|
+
"allowedComposition": "read-only"
|
|
15
|
+
},
|
|
16
|
+
"allowedFamilies": [
|
|
17
|
+
{
|
|
18
|
+
"name": "bounded-migration-review-inspection",
|
|
19
|
+
"executables": ["pwd", "ls", "rg", "find", "sed", "head"],
|
|
20
|
+
"argumentPolicy": {
|
|
21
|
+
"strategy": "pattern",
|
|
22
|
+
"allowedPatterns": ["bounded repository-local static migration, schema, and config inspection"],
|
|
23
|
+
"deniedPatterns": ["database access, migration execution, ORM generation, secret files, credential stores, and unbounded traversal"]
|
|
24
|
+
},
|
|
25
|
+
"constraints": [
|
|
26
|
+
"Remain inside the declared project scope.",
|
|
27
|
+
"Bound traversal depth and output.",
|
|
28
|
+
"Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
|
|
29
|
+
]
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"name": "git-identity-inspection",
|
|
33
|
+
"executables": ["git"],
|
|
34
|
+
"argumentPolicy": {
|
|
35
|
+
"strategy": "exact",
|
|
36
|
+
"allowedPatterns": ["rev-parse and status --short --branch"],
|
|
37
|
+
"deniedPatterns": ["all Git mutation and publication subcommands"]
|
|
38
|
+
},
|
|
39
|
+
"constraints": ["Allow only read-only repository identity and branch-state inspection."]
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
"name": "migration-review-renderer",
|
|
43
|
+
"executables": ["node", "coding-agent-skills"],
|
|
44
|
+
"argumentPolicy": {
|
|
45
|
+
"strategy": "exact",
|
|
46
|
+
"allowedPatterns": ["node scripts/render-migration-review.mjs <project-root>; coding-agent-skills migration-review <project-root>"],
|
|
47
|
+
"deniedPatterns": ["database access, migration execution, ORM generation, builds, tests, deployment, package installation, and secret-file reads"]
|
|
48
|
+
},
|
|
49
|
+
"constraints": [
|
|
50
|
+
"The renderer must remain static and read-only.",
|
|
51
|
+
"Do not connect to databases, apply migrations, or generate ORM clients."
|
|
52
|
+
]
|
|
53
|
+
}
|
|
54
|
+
],
|
|
55
|
+
"restrictedCategories": [
|
|
56
|
+
"file-write",
|
|
57
|
+
"package-install",
|
|
58
|
+
"deployment",
|
|
59
|
+
"git-mutation",
|
|
60
|
+
"unrestricted-scan",
|
|
61
|
+
"secret-read",
|
|
62
|
+
"process-mutation",
|
|
63
|
+
"service-mutation",
|
|
64
|
+
"migration-apply",
|
|
65
|
+
"privileged-api"
|
|
66
|
+
],
|
|
67
|
+
"approvalExceptions": [
|
|
68
|
+
"A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
|
|
69
|
+
]
|
|
70
|
+
}
|
|
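Review bot: `find` and `sed` in the `bounded-migration-review-inspection` family can both write (`find -delete`/`-exec`, `sed -i`), and the family's `argumentPolicy` uses prose sentences as `allowedPatterns` and `deniedPatterns` (`"strategy": "pattern"` with `"bounded repository-local static migration, schema, and config inspection"`), which no matcher can enforce; either list the permitted read-only argument shapes concretely or note that the real gate is `"allowedComposition": "read-only"` together with `rejectShellWrappers`/`rejectRedirection`, and that `file-write` in `restrictedCategories` is expected to cover those flags. The `git-identity-inspection` family has the same problem: `"strategy": "exact"` paired with the prose `"rev-parse and status --short --branch"`.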
@@ -0,0 +1,60 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "migration-review", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-migration-review",
|
|
6
|
+
"startedAt": "2026-07-03T12:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-03T12:01:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "clean"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Map static migration and schema evidence before database handoff.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "example-migration-review-adapter",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "medium",
|
|
22
|
+
"reason": "Static migration and schema files were inspected, but database state was not verified."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills migration-review /workspace/example-project",
|
|
27
|
+
"family": "migration-review-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-03T12:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-03T12:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render a static migration review report.",
|
|
36
|
+
"outputSummary": "Reported static migration files, schema files, config files, risk indicators, skipped items, and not-verified database areas."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [],
|
|
40
|
+
"findings": [
|
|
41
|
+
{
|
|
42
|
+
"summary": "Static migration evidence was mapped without database access.",
|
|
43
|
+
"evidence": ["prisma/migrations/example/migration.sql", "prisma/schema.prisma"]
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
"risks": [
|
|
47
|
+
{
|
|
48
|
+
"summary": "Database state may differ from static migration evidence.",
|
|
49
|
+
"evidence": ["applied migration history was not queried", "runtime database connectivity was not tested"]
|
|
50
|
+
}
|
|
51
|
+
],
|
|
52
|
+
"failures": [],
|
|
53
|
+
"unresolvedQuestions": [],
|
|
54
|
+
"changedState": {
|
|
55
|
+
"changed": false,
|
|
56
|
+
"summary": "No project, Git, dependency, runtime, database, generated-code, service, or remote state changed."
|
|
57
|
+
},
|
|
58
|
+
"handoffSummary": "Static migration evidence is mapped; applied database state remains unverified.",
|
|
59
|
+
"recommendedNextAction": "Review reported migration surfaces before editing database schema or migration files."
|
|
60
|
+
}
|
|
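Review bot: `"skippedChecks": []` contradicts the pack's own `confidence.reason` (`database state was not verified`) and the `risks` entry (`applied migration history was not queried`); since the usage docs tell readers to check `status`, skipped checks and failures before trusting a completion claim, record the not-verified database checks in `skippedChecks` rather than only in `risks`, so a consumer that filters on skipped checks does not see an apparently complete review.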
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "migration-review",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/migration-review.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/migration-review/adapter-interface.md",
|
|
13
|
+
"description": "Map static database migration and schema evidence without database access."
|
|
14
|
+
}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
# Migration Review Workflow
|
|
2
|
+
|
|
3
|
+
Use `coding-agent-skills migration-review <project-root>` to map static migration, schema,
|
|
4
|
+
config, package-script-key, and risk-indicator evidence before database work.
|
|
5
|
+
|
|
6
|
+
The workflow remains read-only: no database connections, migration execution, ORM generation,
|
|
7
|
+
package installation, builds, tests, deployments, secret-file reads, or project writes.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "coding-agent-skills",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.13",
|
|
4
4
|
"description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"private": false,
|
|
@@ -13,6 +13,7 @@
|
|
|
13
13
|
"env-audit",
|
|
14
14
|
"secret-audit",
|
|
15
15
|
"api-contract-audit",
|
|
16
|
+
"migration-review",
|
|
16
17
|
"project-adapters",
|
|
17
18
|
"code-validation",
|
|
18
19
|
"cli"
|
package/runs/skill-runs.md
CHANGED
|
@@ -229,3 +229,19 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
|
|
|
229
229
|
- Validation commands: pending final release validation matrix.
|
|
230
230
|
- Result: pass pending final publication evidence.
|
|
231
231
|
- Commit/tag/push status: pending approved release workflow.
|
|
232
|
+
|
|
233
|
+
## implementation-v0.2.13-migration-review
|
|
234
|
+
|
|
235
|
+
- Run ID: `implementation-v0.2.13-migration-review`
|
|
236
|
+
- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
|
|
237
|
+
- Command used: `builder-mode approval for migration-review-skill implementation and release`
|
|
238
|
+
- Files changed: `migration-review` skill, migration review renderer and library,
|
|
239
|
+
CLI wrapper, adapter schemas, pack rules, release tests, synthetic migration fixtures,
|
|
240
|
+
usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package
|
|
241
|
+
metadata.
|
|
242
|
+
- Safety boundary: read-only, static-analysis only, no `.env` reads, no database
|
|
243
|
+
connections, no migration execution, no ORM generation, no package scripts, no builds,
|
|
244
|
+
no tests in target projects, no deploys, and no target-project mutation.
|
|
245
|
+
- Validation commands: pending final release validation matrix.
|
|
246
|
+
- Result: pass pending final publication evidence.
|
|
247
|
+
- Commit/tag/push status: pending approved release workflow.
|
|
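Review bot: `Repository: /home/oneclickwebsitedesignfactory/coding-agent-skills` publishes a maintainer's local home-directory path, and therefore a username, in the shipped package, which sits uneasily next to the file's own rule that entries must not contain secrets; record the repository by name or relative path instead. Also, `Command used:` holds an approval statement (`builder-mode approval for ...`) rather than a command, so either rename the field or put the actual validation command there.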
@@ -69,6 +69,7 @@
|
|
|
69
69
|
"env-audit",
|
|
70
70
|
"secret-audit",
|
|
71
71
|
"api-contract-audit",
|
|
72
|
+
"migration-review",
|
|
72
73
|
"build-verify",
|
|
73
74
|
"git-preflight",
|
|
74
75
|
"runtime-truth",
|
|
@@ -105,6 +106,7 @@
|
|
|
105
106
|
"env-audit",
|
|
106
107
|
"secret-audit",
|
|
107
108
|
"api-contract-audit",
|
|
109
|
+
"migration-review",
|
|
108
110
|
"build-verify",
|
|
109
111
|
"git-preflight",
|
|
110
112
|
"runtime-truth",
|
|
@@ -93,6 +93,7 @@
|
|
|
93
93
|
"env-audit",
|
|
94
94
|
"secret-audit",
|
|
95
95
|
"api-contract-audit",
|
|
96
|
+
"migration-review",
|
|
96
97
|
"build-verify",
|
|
97
98
|
"git-preflight",
|
|
98
99
|
"runtime-truth",
|
|
@@ -173,6 +174,7 @@
|
|
|
173
174
|
"env-audit",
|
|
174
175
|
"secret-audit",
|
|
175
176
|
"api-contract-audit",
|
|
177
|
+
"migration-review",
|
|
176
178
|
"build-verify",
|
|
177
179
|
"git-preflight",
|
|
178
180
|
"runtime-truth",
|
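Review bot: the same skill-name enum is now maintained in four places (two per schema), each patched by hand in this diff; pull the list into a shared `$defs` entry, or generate both schemas from one list, so the next wave entry named in the roadmap, `github-handoff`, cannot be added to one copy and missed in another.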