coding-agent-skills 0.2.12 → 0.2.14

Files changed (68)
  1. package/CHANGELOG.md +41 -0
  2. package/README.md +8 -0
  3. package/ROADMAP.md +8 -4
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +38 -0
  6. package/docs/adapters/project-installation.md +25 -0
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +4 -2
  9. package/docs/release/README.md +5 -3
  10. package/docs/release/npm-package.md +12 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +16 -0
  13. package/docs/usage/README.md +25 -5
  14. package/examples/command-policies/github-handoff.json +74 -0
  15. package/examples/command-policies/migration-review.json +70 -0
  16. package/examples/evidence-packs/github-handoff.json +67 -0
  17. package/examples/evidence-packs/migration-review.json +60 -0
  18. package/examples/manifests/github-handoff.json +14 -0
  19. package/examples/manifests/migration-review.json +14 -0
  20. package/examples/workflows/github-handoff.md +5 -0
  21. package/examples/workflows/migration-review.md +7 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +32 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/github-handoff.mjs +446 -0
  27. package/scripts/lib/migration-review.mjs +641 -0
  28. package/scripts/lib/pack-rules.mjs +20 -2
  29. package/scripts/render-github-handoff.mjs +7 -0
  30. package/scripts/render-migration-review.mjs +8 -0
  31. package/scripts/test-pack.mjs +147 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/github-handoff/SKILL.md +95 -0
  34. package/skills/github-handoff/adapter-interface.md +18 -0
  35. package/skills/github-handoff/agents/openai.yaml +3 -0
  36. package/skills/github-handoff/checklist.md +10 -0
  37. package/skills/github-handoff/evidence-template.md +16 -0
  38. package/skills/github-handoff/examples.md +19 -0
  39. package/skills/github-handoff/failure-modes.md +8 -0
  40. package/skills/migration-review/SKILL.md +87 -0
  41. package/skills/migration-review/adapter-interface.md +16 -0
  42. package/skills/migration-review/agents/openai.yaml +3 -0
  43. package/skills/migration-review/checklist.md +8 -0
  44. package/skills/migration-review/evidence-template.md +12 -0
  45. package/skills/migration-review/examples.md +20 -0
  46. package/skills/migration-review/failure-modes.md +5 -0
  47. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
  48. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
  50. package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
  51. package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
  52. package/tests/fixtures/github-handoff/static-project/README.md +3 -0
  53. package/tests/fixtures/github-handoff/static-project/package.json +4 -0
  54. package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
  55. package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
  56. package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
  57. package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
  58. package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
  59. package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
  60. package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
  61. package/tests/fixtures/migration-review/static-project/README.md +3 -0
  62. package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
  63. package/tests/fixtures/migration-review/static-project/package.json +7 -0
  64. package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
  65. package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
  66. package/tests/fixtures/triggers/cases.json +26 -2
  67. package/tests/trigger/README.md +4 -0
  68. package/work-ledger.md +27 -5
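--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,47 @@
 
 All notable changes follow [Semantic Versioning](docs/versioning/README.md).
 
+## [0.2.14] - 2026-07-03
+
+### Added
+
+- `github-handoff` audit-only skill for local Git handoff evidence before separately
+approved GitHub work.
+- `coding-agent-skills github-handoff <project-root>` CLI command.
+- Dependency-free GitHub handoff renderer for branch state, HEAD, tags at HEAD, remote
+names, changed-file summaries, secret-bearing path redaction, adapter-limited scope,
+and safety refusals.
+- Synthetic github-handoff fixtures and release tests that create disposable Git
+repositories under `/tmp` for generic, adapter-scoped, and repo-map-only adapter cases.
+
+### Changed
+
+- Adapter schemas and validators now recognize `github-handoff` as an audit-only skill
+while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new local Git handoff report command.
+
+## [0.2.13] - 2026-07-03
+
+### Added
+
+- `migration-review` audit-only skill for static database migration and schema evidence
+review.
+- `coding-agent-skills migration-review <project-root>` CLI command.
+- Dependency-free migration review renderer for migration files, schema/config files,
+package script keys without command values, static risk indicators, skipped paths,
+not-verified database behavior, adapter-limited scope, and safety refusals.
+- Synthetic migration-review fixtures and release tests for generic static scans,
+adapter-scoped scans, destructive-looking SQL indicators, package script key detection,
+and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `migration-review` as an audit-only skill
+while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new static read-only migration review command.
+
 ## [0.2.12] - 2026-07-03
 
 ### Added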
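--- a/package/README.md
+++ b/package/README.md
@@ -10,6 +10,8 @@ The pilot pack contains:
 - `env-audit`: audit-only environment variable name mapping without values.
 - `secret-audit`: audit-only high-confidence secret exposure detection without values.
 - `api-contract-audit`: audit-only static API contract surface mapping.
+- `migration-review`: audit-only static migration and schema evidence review.
+- `github-handoff`: audit-only local Git handoff evidence before separately approved GitHub work.
 - `build-verify`: controlled local validation using existing project commands.
 - `git-preflight`: audit-only Git readiness inspection.
 - `runtime-truth`: audit-only runtime evidence collection.
@@ -46,6 +48,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Map environment variable names with `coding-agent-skills env-audit <project-root>`.
 - Find redacted secret exposure risks with `coding-agent-skills secret-audit <project-root>`.
 - Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
+- Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
+- Prepare local Git handoff evidence with `coding-agent-skills github-handoff <project-root>`.
 - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
 - Review [external adapter discovery](docs/adapters/discovery.md).
 - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -59,6 +63,10 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 `node scripts/render-secret-audit.mjs <project-root>`.
 - Render a static API contract audit report with
 `node scripts/render-api-contract-audit.mjs <project-root>`.
+- Render a static migration review report with
+`node scripts/render-migration-review.mjs <project-root>`.
+- Render a local GitHub handoff report with
+`node scripts/render-github-handoff.mjs <project-root>`.
 - Review [adapter upgrade checks](docs/adapters/upgrades.md).
 - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
 for disposable project revisions.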
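--- a/package/ROADMAP.md
+++ b/package/ROADMAP.md
@@ -1,6 +1,6 @@
 # Roadmap
 
-The public package now contains nine approved shared skills. Builder-mode approval is
+The public package now contains eleven approved shared skills. Builder-mode approval is
 active for the remaining read-only skill wave in this repository; real-world project
 execution constraints remain unchanged.
 
@@ -36,6 +36,10 @@ execution constraints remain unchanged.
 exposure detection.
 - `v0.2.12`: audit-only `api-contract-audit` skill and CLI renderer for static API
 contract surface mapping.
+- `v0.2.13`: audit-only `migration-review` skill and CLI renderer for static migration
+and schema evidence review.
+- `v0.2.14`: audit-only `github-handoff` skill and CLI renderer for local Git handoff
+evidence before separately approved GitHub work.
 
 The next milestone is recorded in [work-ledger.md](work-ledger.md). The
 [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
@@ -80,9 +84,9 @@ Next safe milestone options:
 | `env-audit-skill` | General | Audit-only | Implemented in `v0.2.10` |
 | `secret-audit-skill` | General | Audit-only | Implemented in `v0.2.11` |
 | `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
-| `migration-review-skill` | General with platform adapters | Audit-only | Builder-mode approved; next in wave |
-| `github-handoff-skill` | General | Audit-only | Builder-mode approved; later in wave |
-| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
+| `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
+| `github-handoff-skill` | General | Audit-only | Implemented in `v0.2.14` |
+| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; next in wave |
 | `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
 | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
 | `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |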
@@ -47,6 +47,18 @@ const commands = {
47
47
  usage: "coding-agent-skills api-contract-audit <project-root>",
48
48
  requiredArgs: 1,
49
49
  },
50
+ "migration-review": {
51
+ script: "scripts/render-migration-review.mjs",
52
+ args: ([projectRoot]) => [projectRoot],
53
+ usage: "coding-agent-skills migration-review <project-root>",
54
+ requiredArgs: 1,
55
+ },
56
+ "github-handoff": {
57
+ script: "scripts/render-github-handoff.mjs",
58
+ args: ([projectRoot]) => [projectRoot],
59
+ usage: "coding-agent-skills github-handoff <project-root>",
60
+ requiredArgs: 1,
61
+ },
50
62
  "validate-adapters": {
51
63
  script: "scripts/validate-adapters.mjs",
52
64
  args: ([adapterRoot]) => [adapterRoot],
@@ -67,6 +79,8 @@ function usage(exitCode = 0) {
67
79
  " env-audit <project-root>",
68
80
  " secret-audit <project-root>",
69
81
  " api-contract-audit <project-root>",
82
+ " migration-review <project-root>",
83
+ " github-handoff <project-root>",
70
84
  " validate-adapters <adapter-root>",
71
85
  "",
72
86
  "local wrapper for the published coding-agent-skills package",
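Review bot: The new `migration-review` and `github-handoff` commands are spelled out twice — once as `usage:` strings in the `commands` table (the `"coding-agent-skills migration-review <project-root>"` entries) and again as literal lines in the `usage()` list (`" migration-review <project-root>"`) — so the two copies can drift the next time a command or its argument shape changes. If `usage()` is free to read the table, deriving the list from it, e.g. `...Object.values(commands).map((command) => command.usage.replace(/^coding-agent-skills /, "  "))`, would leave one source of truth; this is a style point, and the pre-existing entries carry the same duplication. Both the `commands` object and the `usage` function start and end outside these hunks, so how the list is assembled is not visible here.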
@@ -104,6 +104,40 @@ reports contract files, endpoint declarations, client-call patterns, schema/type
104
104
  skipped paths, and not-verified runtime behavior. It never runs servers, calls APIs,
105
105
  generates schemas or clients, builds, tests, deploys, migrates, or mutates project files.
106
106
 
107
+ ## Adapter-Aware Migration Review Consumption
108
+
109
+ The shared pack can consume a validated project-owned adapter as bounded context for
110
+ `migration-review`:
111
+
112
+ ```bash
113
+ node scripts/render-migration-review.mjs <project-root>
114
+ ```
115
+
116
+ The renderer validates the project declaration when present. If an adapter is present but
117
+ does not enable `migration-review`, it reports an adapter-limited skip instead of
118
+ broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
119
+ secret-bearing files, generated output, dependency paths, and oversized files, then
120
+ reports migration files, schema/config files, package script keys, static risk indicators,
121
+ skipped paths, and not-verified database behavior. It never connects to databases,
122
+ executes migrations, generates ORM clients, builds, tests, deploys, or mutates project
123
+ files.
124
+
125
+ ## Adapter-Aware GitHub Handoff Consumption
126
+
127
+ The shared pack can consume a validated project-owned adapter as bounded context for
128
+ `github-handoff`:
129
+
130
+ ```bash
131
+ node scripts/render-github-handoff.mjs <project-root>
132
+ ```
133
+
134
+ The renderer validates the project declaration when present. If an adapter is present but
135
+ does not enable `github-handoff`, it reports an adapter-limited skip instead of listing
136
+ changed-file details. When enabled, it uses local Git metadata only: branch state, HEAD,
137
+ tags at HEAD, remote names, and changed-file summaries. It never prints remote URLs,
138
+ reads tokens, creates pull requests, commits, pushes, tags, calls GitHub APIs, or mutates
139
+ project files.
140
+
107
141
  ## What Adapters May Do
108
142
 
109
143
  - Add bounded relative read paths and ignored paths.
@@ -115,6 +149,10 @@ generates schemas or clients, builds, tests, deploys, migrates, or mutates proje
115
149
  while relying on the shared scanner to exclude secret-bearing paths.
116
150
  - Add api-contract-audit safe read paths for static API docs, contract files, route
117
151
  handlers, client calls, and schema/type files.
152
+ - Add migration-review safe read paths for static migration, schema, config, and package
153
+ files while relying on the shared reviewer to exclude secret-bearing paths.
154
+ - Add github-handoff required evidence labels and ignored path labels while relying on the
155
+ shared renderer to avoid remote URLs, tokens, and GitHub mutation.
118
156
  - Add command aliases that already satisfy the shared command policy.
119
157
  - Add status-only runtime commands and manager hints.
120
158
  - Require additional evidence or named approval for exceptional reads.
@@ -157,6 +157,31 @@ skip. When enabled, it reads only adapter-declared safe paths and reports static
157
157
  files, endpoint declarations, client-call patterns, schema/type files, and not-verified
158
158
  runtime behavior without running servers, calling APIs, or generating code.
159
159
 
160
+ A project-owned adapter can also enable read-only `migration-review` context:
161
+
162
+ ```bash
163
+ node scripts/render-migration-review.mjs <project-root>
164
+ ```
165
+
166
+ The migration review renderer validates the project declaration when present. If the
167
+ adapter is present but does not enable `migration-review`, it reports an adapter-limited
168
+ skip. When enabled, it reads only adapter-declared safe paths and reports static migration
169
+ files, schema/config files, package script keys, static risk indicators, and not-verified
170
+ database behavior without connecting to databases, applying migrations, generating ORM
171
+ clients, or running package scripts.
172
+
173
+ A project-owned adapter can also enable read-only `github-handoff` context:
174
+
175
+ ```bash
176
+ node scripts/render-github-handoff.mjs <project-root>
177
+ ```
178
+
179
+ The GitHub handoff renderer validates the project declaration when present. If the adapter
180
+ is present but does not enable `github-handoff`, it reports an adapter-limited skip.
181
+ When enabled, it reports local Git metadata and changed-file summaries without printing
182
+ remote URLs, reading tokens, creating pull requests, committing, pushing, tagging, calling
183
+ GitHub APIs, or changing project files.
184
+
160
185
  ## Safety Boundary
161
186
 
162
187
  Project adapters are extension-only. They cannot remove denied operations, change an
@@ -21,8 +21,9 @@ project repository is touched:
21
21
  - The project can declare exactly one installation file: `.coding-agent/skills.json` or
22
22
  `coding-agent.skills.json`.
23
23
  - The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
24
- `env-audit`, `secret-audit`, `api-contract-audit`, `build-verify`, `git-preflight`,
25
- `runtime-truth`, or `llm-drift-control`.
24
+ `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
25
+ `github-handoff`, `build-verify`, `git-preflight`, `runtime-truth`, or
26
+ `llm-drift-control`.
26
27
  - The adapter can narrow context with relative paths, documentation precedence, safe
27
28
  aliases, status-only hints, or extra evidence requirements.
28
29
  - The adapter does not require deployment, migration, package installation, Git
@@ -16,6 +16,8 @@ Audit-only:
16
16
  - `env-audit`
17
17
  - `secret-audit`
18
18
  - `api-contract-audit`
19
+ - `migration-review`
20
+ - `github-handoff`
19
21
  - `git-preflight`
20
22
  - `runtime-truth`
21
23
  - `llm-drift-control`
@@ -25,5 +27,5 @@ Controlled local validation:
25
27
  - `build-verify`
26
28
 
27
29
  The evidence pack is a shared output contract, not an executable skill. Deployment
28
- preflight, GitHub handoff, provider operations, and additional project adapters remain
29
- separate future work.
30
+ preflight, provider operations, and additional project adapters remain separate future
31
+ work.
@@ -20,9 +20,11 @@
20
20
  folders, generated output, and unrelated repositories.
21
21
  14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
22
22
  15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
23
- `coding-agent-skills env-audit`, `coding-agent-skills secret-audit`, or
24
- `coding-agent-skills api-contract-audit` against synthetic fixtures only unless a real project
25
- read-only smoke is explicitly approved.
23
+ `coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
24
+ `coding-agent-skills api-contract-audit`, `coding-agent-skills migration-review`,
25
+ or `coding-agent-skills github-handoff`
26
+ against synthetic fixtures only unless a real project read-only smoke is explicitly
27
+ approved.
26
28
  16. Review changelog, ledger, run evidence, and versioning impact.
27
29
  17. Commit with approved identity.
28
30
  18. Push `main` using credential-free remotes.
@@ -7,7 +7,7 @@ safety model.
7
7
  ## Current Package Shape
8
8
 
9
9
  - Package name: `coding-agent-skills`.
10
- - Package version: `0.2.12`.
10
+ - Package version: `0.2.14`.
11
11
  - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
12
12
  - Module type: `module`.
13
13
  - Dependencies: none.
@@ -31,6 +31,8 @@ coding-agent-skills route-trace /path/to/project
31
31
  coding-agent-skills env-audit /path/to/project
32
32
  coding-agent-skills secret-audit /path/to/project
33
33
  coding-agent-skills api-contract-audit /path/to/project
34
+ coding-agent-skills migration-review /path/to/project
35
+ coding-agent-skills github-handoff /path/to/project
34
36
  coding-agent-skills validate-adapters /path/to/adapter-root
35
37
  ```
36
38
 
@@ -51,6 +53,13 @@ validating credentials.
51
53
  `api-contract-audit` is static and audit-only; it reports contract files, endpoint
52
54
  declarations, client-call patterns, schema/type files, and not-verified runtime behavior
53
55
  without running servers, calling APIs, or generating clients or schemas.
56
+ `migration-review` is static and audit-only; it reports migration files, schema/config
57
+ files, package script keys, static risk indicators, and not-verified database behavior
58
+ without connecting to databases, applying migrations, generating ORM clients, or reading
59
+ secrets.
60
+ `github-handoff` is local Git metadata only; it reports branch state, HEAD, tags at HEAD,
61
+ remote names, and changed-file summaries without printing remote URLs, reading tokens,
62
+ creating pull requests, committing, pushing, tagging, or calling GitHub APIs.
54
63
 
55
64
  `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
56
65
  source-only checks such as `.gitignore` validation. In an installed package tree, where
@@ -85,7 +94,8 @@ included.
85
94
 
86
95
  The public CLI remains read-only for target projects unless a specific underlying skill
87
96
  already permits a bounded local validation action. The installed `repo-map`,
88
- `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, and adapter flows do not:
97
+ `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
98
+ `github-handoff`, and adapter flows do not:
89
99
 
90
100
  - deploy
91
101
  - run migrations
@@ -2,7 +2,7 @@
2
2
 
3
3
  ## Audit-Only Rule
4
4
 
5
- `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
5
+ `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
6
6
 
7
7
  `route-trace` is static only. It may read bounded non-secret route files and route
8
8
  configuration, but it must not execute app code, run servers, hit URLs, claim runtime
@@ -22,6 +22,16 @@ files, route handlers, client calls, and schema/type files, but it must not run
22
22
  call APIs, probe URLs, generate schemas or clients, build, test, deploy, migrate, inspect
23
23
  databases, or broaden adapter scope.
24
24
 
25
+ `migration-review` is static only. It may read bounded non-secret migration, schema,
26
+ config, and package files, but it must not connect to databases, apply migrations,
27
+ generate ORM clients, run package scripts, build, test, deploy, inspect runtime state, or
28
+ broaden adapter scope.
29
+
30
+ `github-handoff` is local Git metadata only. It may inspect branch state, HEAD, tags at
31
+ HEAD, remote names, and changed-file status, but it must not print remote URLs, read
32
+ tokens, create pull requests, commit, push, tag, call GitHub APIs, mutate Git state, or
33
+ broaden adapter scope.
34
+
25
35
  `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
26
36
 
27
37
  ## Restricted Categories
@@ -59,6 +59,22 @@ declarations, client-call patterns, schema/type files, adapter-declared scope, a
59
59
  adapter-present-but-not-enabled behavior. Tests must never run servers, call endpoints,
60
60
  generate schemas or clients, build, test, deploy, migrate, or read `.env` files.
61
61
 
62
+ ## Migration Review
63
+
64
+ Synthetic migration-review projects cover migration file detection, schema/config file
65
+ detection, package script keys without command values, static risk indicators,
66
+ adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
67
+ connect to databases, apply migrations, generate ORM clients, run package scripts, build,
68
+ test, deploy, or read `.env` files.
69
+
70
+ ## GitHub Handoff
71
+
72
+ Synthetic github-handoff projects are copied into disposable Git repositories under
73
+ `/tmp` during tests. The harness verifies branch state, HEAD, tags at HEAD, changed-file
74
+ summary, adapter-declared evidence metadata, and adapter-present-but-not-enabled behavior.
75
+ Tests must never commit to the shared repository, push, tag shared history, create pull
76
+ requests, call GitHub APIs, print remote URLs, read tokens, or read `.env` files.
77
+
62
78
  ## Privacy And Redaction
63
79
 
64
80
  Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
@@ -9,6 +9,8 @@ Select the least-privileged skill that matches the request:
9
9
  | Map environment variable names without values | `env-audit` |
10
10
  | Find high-confidence secret exposure risks without values | `secret-audit` |
11
11
  | Map static API contract surfaces | `api-contract-audit` |
12
+ | Review static migration and schema evidence | `migration-review` |
13
+ | Prepare local GitHub handoff evidence | `github-handoff` |
12
14
  | Run existing local validation checks | `build-verify` |
13
15
  | Assess Git handoff readiness | `git-preflight` |
14
16
  | Determine what is actually running | `runtime-truth` |
@@ -24,11 +26,15 @@ Select the least-privileged skill that matches the request:
24
26
  by path, type, and count without printing matched values.
25
27
  5. Use `api-contract-audit` when OpenAPI/Swagger files, endpoint declarations, client
26
28
  calls, and schema/type files must be mapped without runtime behavior.
27
- 6. Perform implementation outside this pilot pack.
28
- 7. Use `build-verify` for approved project-native checks.
29
- 8. Use `git-preflight` before handoff or publication.
30
- 9. Use `runtime-truth` only when live local state matters.
31
- 10. Use `llm-drift-control` when claims and evidence may disagree.
29
+ 6. Use `migration-review` when database migration, schema, config, package-script-key,
30
+ and static risk-indicator evidence must be mapped without database access.
31
+ 7. Use `github-handoff` when local Git metadata and changed-file summaries are needed
32
+ before separately approved GitHub work.
33
+ 8. Perform implementation outside this pilot pack.
34
+ 9. Use `build-verify` for approved project-native checks.
35
+ 10. Use `git-preflight` before handoff or publication.
36
+ 11. Use `runtime-truth` only when live local state matters.
37
+ 12. Use `llm-drift-control` when claims and evidence may disagree.
32
38
 
33
39
  Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
34
40
 
@@ -63,6 +69,8 @@ coding-agent-skills route-trace /path/to/project
63
69
  coding-agent-skills env-audit /path/to/project
64
70
  coding-agent-skills secret-audit /path/to/project
65
71
  coding-agent-skills api-contract-audit /path/to/project
72
+ coding-agent-skills migration-review /path/to/project
73
+ coding-agent-skills github-handoff /path/to/project
66
74
  coding-agent-skills validate-adapters /path/to/adapter-root
67
75
  ```
68
76
 
@@ -88,6 +96,14 @@ counts without printing matched values or validating credentials.
88
96
  `api-contract-audit` validates a project adapter when present, uses adapter-declared safe
89
97
  paths when enabled, and statically reports contract files, endpoint declarations,
90
98
  client-call patterns, schema/type files, skipped paths, and not-verified runtime behavior.
99
+ `migration-review` validates a project adapter when present, uses adapter-declared safe
100
+ paths when enabled, and statically reports migration files, schema/config files, package
101
+ script keys, risk indicators, skipped paths, and not-verified database behavior without
102
+ database access or migration execution.
103
+ `github-handoff` validates a project adapter when present, then reports local Git branch
104
+ state, HEAD, tags at HEAD, remote names, and changed-file summaries without printing
105
+ remote URLs, committing, pushing, tagging, creating pull requests, calling GitHub APIs,
106
+ or reading tokens.
91
107
 
92
108
  The installed CLI does not run target project builds or tests, perform runtime checks,
93
109
  deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
@@ -105,6 +121,8 @@ bin/coding-agent-skills route-trace /path/to/project
105
121
  bin/coding-agent-skills env-audit /path/to/project
106
122
  bin/coding-agent-skills secret-audit /path/to/project
107
123
  bin/coding-agent-skills api-contract-audit /path/to/project
124
+ bin/coding-agent-skills migration-review /path/to/project
125
+ bin/coding-agent-skills github-handoff /path/to/project
108
126
  bin/coding-agent-skills validate-adapters /path/to/adapter-root
109
127
  ```
110
128
 
@@ -119,6 +137,8 @@ coding-agent-skills route-trace /path/to/project
119
137
  coding-agent-skills env-audit /path/to/project
120
138
  coding-agent-skills secret-audit /path/to/project
121
139
  coding-agent-skills api-contract-audit /path/to/project
140
+ coding-agent-skills migration-review /path/to/project
141
+ coding-agent-skills github-handoff /path/to/project
122
142
  coding-agent-skills validate-adapters /path/to/adapter-root
123
143
  ```
124
144
 
@@ -0,0 +1,74 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "local-git-handoff-inspection",
19
+ "executables": ["git"],
20
+ "argumentPolicy": {
21
+ "strategy": "exact",
22
+ "allowedPatterns": [
23
+ "status --short --branch",
24
+ "rev-parse --show-toplevel",
25
+ "rev-parse --abbrev-ref HEAD",
26
+ "rev-parse HEAD",
27
+ "log -1 --format=%s",
28
+ "tag --points-at HEAD",
29
+ "remote"
30
+ ],
31
+ "deniedPatterns": [
32
+ "remote URL printing, commits, pushes, tags, branch changes, pull requests, releases, and GitHub API calls"
33
+ ]
34
+ },
35
+ "constraints": [
36
+ "Inspect local Git metadata only.",
37
+ "Do not print remote URLs.",
38
+ "Do not mutate Git state."
39
+ ]
40
+ },
41
+ {
42
+ "name": "github-handoff-renderer",
43
+ "executables": ["node", "coding-agent-skills"],
44
+ "argumentPolicy": {
45
+ "strategy": "exact",
46
+ "allowedPatterns": [
47
+ "node scripts/render-github-handoff.mjs <project-root>; coding-agent-skills github-handoff <project-root>"
48
+ ],
49
+ "deniedPatterns": [
50
+ "PR creation, release creation, GitHub API mutation, token reads, secret-file reads, commits, pushes, and tags"
51
+ ]
52
+ },
53
+ "constraints": [
54
+ "The renderer must remain audit-only.",
55
+ "Do not read tokens, print remote URLs, create pull requests, commit, push, or tag."
56
+ ]
57
+ }
58
+ ],
59
+ "restrictedCategories": [
60
+ "file-write",
61
+ "package-install",
62
+ "deployment",
63
+ "git-mutation",
64
+ "unrestricted-scan",
65
+ "secret-read",
66
+ "process-mutation",
67
+ "service-mutation",
68
+ "migration-apply",
69
+ "privileged-api"
70
+ ],
71
+ "approvalExceptions": [
72
+ "No approval exception may turn github-handoff into a GitHub mutation workflow."
73
+ ]
74
+ }
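Review bot: The `github-handoff-renderer` family's `allowedPatterns` is a single string with two commands joined by `;` (`"node scripts/render-github-handoff.mjs <project-root>; coding-agent-skills github-handoff <project-root>"`) under `"strategy": "exact"`, whereas the `local-git-handoff-inspection` family above lists one pattern per array element; unless the policy loader splits on `;`, an exact comparison can never match either real invocation, and if it does split, a `;` inside a pattern is an odd shape for a policy whose `parserPolicy` sets `rejectShellWrappers`. Listing them as two elements, `"node scripts/render-github-handoff.mjs <project-root>",` and `"coding-agent-skills github-handoff <project-root>"`, removes the ambiguity. The same joined-string form appears in the `migration-review-renderer` family of `examples/command-policies/migration-review.json`, whose section is cut off at the end of this page. The `deniedPatterns` entries here are prose sentences rather than patterns, which only works if the consumer treats that field as documentation; worth confirming against the validator.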
@@ -0,0 +1,70 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-migration-review-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static migration, schema, and config inspection"],
23
+ "deniedPatterns": ["database access, migration execution, ORM generation, secret files, credential stores, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
29
+ ]
30
+ },
31
+ {
32
+ "name": "git-identity-inspection",
33
+ "executables": ["git"],
34
+ "argumentPolicy": {
35
+ "strategy": "exact",
36
+ "allowedPatterns": ["rev-parse and status --short --branch"],
37
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
38
+ },
39
+ "constraints": ["Allow only read-only repository identity and branch-state inspection."]
40
+ },
41
+ {
42
+ "name": "migration-review-renderer",
43
+ "executables": ["node", "coding-agent-skills"],
44
+ "argumentPolicy": {
45
+ "strategy": "exact",
46
+ "allowedPatterns": ["node scripts/render-migration-review.mjs <project-root>; coding-agent-skills migration-review <project-root>"],
47
+ "deniedPatterns": ["database access, migration execution, ORM generation, builds, tests, deployment, package installation, and secret-file reads"]
48
+ },
49
+ "constraints": [
50
+ "The renderer must remain static and read-only.",
51
+ "Do not connect to databases, apply migrations, or generate ORM clients."
52
+ ]
53
+ }
54
+ ],
55
+ "restrictedCategories": [
56
+ "file-write",
57
+ "package-install",
58
+ "deployment",
59
+ "git-mutation",
60
+ "unrestricted-scan",
61
+ "secret-read",
62
+ "process-mutation",
63
+ "service-mutation",
64
+ "migration-apply",
65
+ "privileged-api"
66
+ ],
67
+ "approvalExceptions": [
68
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
69
+ ]
70
+ }
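Review bot: The `bounded-migration-review-inspection` family allows `sed` and `find` but its `deniedPatterns` entry is prose that never names the flags which turn those tools into writers or launchers — `sed -i`/`--in-place` rewrites files, and `find -exec`/`-execdir`/`-ok`/`-delete` run arbitrary programs or remove files — so whether they are blocked depends entirely on an enforcer mapping them onto the `file-write`/`process-mutation` categories, which this file does not show. I would name them explicitly, e.g. `"deniedPatterns": ["sed -i/--in-place, find -exec/-execdir/-ok/-delete, database access, migration execution, ORM generation, secret files, credential stores, and unbounded traversal"]`. Separately, the two families declared `"strategy": "exact"` carry descriptions rather than literal argument strings — `"rev-parse and status --short --branch"` and the `;`-joined renderer line — which no single command can match exactly and which sits oddly next to `inspectEverySegment`/`rejectShellWrappers`; either enumerate the argument strings one per entry, as the github-handoff policy above does for its git family, or switch these to `"strategy": "pattern"`.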
@@ -0,0 +1,67 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "github-handoff", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-github-handoff",
6
+ "startedAt": "2026-07-03T12:00:00Z",
7
+ "endedAt": "2026-07-03T12:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "dirty"
14
+ },
15
+ "userIntent": "Prepare a read-only GitHub handoff report.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "none",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "high",
22
+ "reason": "Local Git metadata and changed-file summary were collected without mutation."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills github-handoff /workspace/example-project",
27
+ "family": "github-handoff-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T12:00:20Z",
30
+ "endedAt": "2026-07-03T12:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render local Git handoff evidence.",
36
+ "outputSummary": "Reported branch state, HEAD, tags at HEAD, remote names, and changed-file summary without printing remote URLs."
37
+ }
38
+ ],
39
+ "skippedChecks": [
40
+ {
41
+ "name": "GitHub API state",
42
+ "reason": "The skill is local and read-only.",
43
+ "consequence": "PR, CI, and review state are not verified.",
44
+ "completionPermitted": true
45
+ }
46
+ ],
47
+ "findings": [
48
+ {
49
+ "summary": "Working-tree handoff evidence was mapped.",
50
+ "evidence": ["branch state", "HEAD", "changed-file summary"]
51
+ }
52
+ ],
53
+ "risks": [
54
+ {
55
+ "summary": "Remote PR and CI state were not checked.",
56
+ "evidence": ["GitHub API access was not used"]
57
+ }
58
+ ],
59
+ "failures": [],
60
+ "unresolvedQuestions": [],
61
+ "changedState": {
62
+ "changed": false,
63
+ "summary": "No project, Git, GitHub, dependency, runtime, service, or remote state changed."
64
+ },
65
+ "handoffSummary": "Local Git handoff evidence is available; GitHub remote state remains unverified.",
66
+ "recommendedNextAction": "Review the handoff report before approving any GitHub mutation."
67
+ }
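Review bot: The `commands` array records only the top-level renderer invocation, while the output it summarises (branch, HEAD, tags at HEAD, remote names) corresponds to the `local-git-handoff-inspection` git family of the command policy; if the renderer spawns those `git` subcommands, each should appear as its own entry with `family`, `exitStatus` and `safetyClass`, otherwise an auditor cannot confirm the `exact` argument policy was honored — whether it spawns them is not visible here. The example `"head": "0123456789abcdef"` is a 16-hex-digit placeholder, but `rev-parse HEAD` yields the full object id; I would use a full-length value in the example (and constrain `head` in the contract schema, if there is one, with a pattern such as `^[0-9a-f]{40}$|^[0-9a-f]{64}$`) so consumers do not learn to accept abbreviated, ambiguous ids. The assurance that remote URLs were not printed lives only in the free-text `outputSummary`; a structured field such as `"redactions": ["remote-urls"]` would make that policy guarantee machine-checkable.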