coding-agent-skills 0.2.12 → 0.2.14

Files changed (68) hide show
  1. package/CHANGELOG.md +41 -0
  2. package/README.md +8 -0
  3. package/ROADMAP.md +8 -4
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +38 -0
  6. package/docs/adapters/project-installation.md +25 -0
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +4 -2
  9. package/docs/release/README.md +5 -3
  10. package/docs/release/npm-package.md +12 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +16 -0
  13. package/docs/usage/README.md +25 -5
  14. package/examples/command-policies/github-handoff.json +74 -0
  15. package/examples/command-policies/migration-review.json +70 -0
  16. package/examples/evidence-packs/github-handoff.json +67 -0
  17. package/examples/evidence-packs/migration-review.json +60 -0
  18. package/examples/manifests/github-handoff.json +14 -0
  19. package/examples/manifests/migration-review.json +14 -0
  20. package/examples/workflows/github-handoff.md +5 -0
  21. package/examples/workflows/migration-review.md +7 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +32 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/github-handoff.mjs +446 -0
  27. package/scripts/lib/migration-review.mjs +641 -0
  28. package/scripts/lib/pack-rules.mjs +20 -2
  29. package/scripts/render-github-handoff.mjs +7 -0
  30. package/scripts/render-migration-review.mjs +8 -0
  31. package/scripts/test-pack.mjs +147 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/github-handoff/SKILL.md +95 -0
  34. package/skills/github-handoff/adapter-interface.md +18 -0
  35. package/skills/github-handoff/agents/openai.yaml +3 -0
  36. package/skills/github-handoff/checklist.md +10 -0
  37. package/skills/github-handoff/evidence-template.md +16 -0
  38. package/skills/github-handoff/examples.md +19 -0
  39. package/skills/github-handoff/failure-modes.md +8 -0
  40. package/skills/migration-review/SKILL.md +87 -0
  41. package/skills/migration-review/adapter-interface.md +16 -0
  42. package/skills/migration-review/agents/openai.yaml +3 -0
  43. package/skills/migration-review/checklist.md +8 -0
  44. package/skills/migration-review/evidence-template.md +12 -0
  45. package/skills/migration-review/examples.md +20 -0
  46. package/skills/migration-review/failure-modes.md +5 -0
  47. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
  48. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
  50. package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
  51. package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
  52. package/tests/fixtures/github-handoff/static-project/README.md +3 -0
  53. package/tests/fixtures/github-handoff/static-project/package.json +4 -0
  54. package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
  55. package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
  56. package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
  57. package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
  58. package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
  59. package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
  60. package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
  61. package/tests/fixtures/migration-review/static-project/README.md +3 -0
  62. package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
  63. package/tests/fixtures/migration-review/static-project/package.json +7 -0
  64. package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
  65. package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
  66. package/tests/fixtures/triggers/cases.json +26 -2
  67. package/tests/trigger/README.md +4 -0
  68. package/work-ledger.md +27 -5
@@ -0,0 +1,8 @@
1
+ import { migrationReviewCliResult } from "./lib/migration-review.mjs";
2
+
3
+ const outcome = migrationReviewCliResult(process.argv[2]);
4
+ for (const line of outcome.lines) {
5
+ if (outcome.stream === "stdout") console.log(line);
6
+ else console.error(line);
7
+ }
8
+ process.exitCode = outcome.exitCode;
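Review bot: `process.argv[2]` is forwarded without a presence check, so running the script with no argument hands `undefined` to `migrationReviewCliResult`. That function lives outside this file, so confirm it fails closed rather than falling back to the current directory, which would scan a tree the caller never named. If the library already rejects a missing root, a comment such as `// project root is validated inside migrationReviewCliResult` would make that visible here; otherwise add `if (!process.argv[2]) { console.error("usage: render-migration-review.mjs <project-root>"); process.exit(2); }` before the call. Extra positional arguments are also silently ignored.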
@@ -62,6 +62,16 @@ import {
62
62
  buildApiContractAuditReport,
63
63
  renderApiContractAuditReport,
64
64
  } from "./lib/api-contract-audit.mjs";
65
+ import {
66
+ buildMigrationReviewReport,
67
+ migrationReviewCliResult,
68
+ renderMigrationReviewReport,
69
+ } from "./lib/migration-review.mjs";
70
+ import {
71
+ buildGithubHandoffReport,
72
+ githubHandoffCliResult,
73
+ renderGithubHandoffReport,
74
+ } from "./lib/github-handoff.mjs";
65
75
  import {
66
76
  adapterUpgradeCliResult,
67
77
  checkAdapterUpgrade,
@@ -128,6 +138,27 @@ function readJson(relativePath) {
128
138
  return JSON.parse(read(relativePath));
129
139
  }
130
140
 
141
+ function runGitFixtureCommand(cwd, args) {
142
+ const result = spawnSync("git", args, {
143
+ cwd,
144
+ encoding: "utf8",
145
+ stdio: "pipe",
146
+ });
147
+ assert.equal(result.status, 0, `git ${args.join(" ")}\n${result.stderr}`);
148
+ return result.stdout.trim();
149
+ }
150
+
151
+ function createGitFixture(sourceRelativePath) {
152
+ const temporary = fs.mkdtempSync(path.join(os.tmpdir(), "github-handoff-fixture-"));
153
+ fs.cpSync(path.join(root, sourceRelativePath), temporary, { recursive: true });
154
+ runGitFixtureCommand(temporary, ["init", "-b", "main"]);
155
+ runGitFixtureCommand(temporary, ["config", "user.name", "Fixture User"]);
156
+ runGitFixtureCommand(temporary, ["config", "user.email", "fixture@example.invalid"]);
157
+ runGitFixtureCommand(temporary, ["add", "."]);
158
+ runGitFixtureCommand(temporary, ["commit", "-m", "initial fixture commit"]);
159
+ return temporary;
160
+ }
161
+
131
162
  function walk(directory, output = []) {
132
163
  for (const entry of fs.readdirSync(directory, { withFileTypes: true })) {
133
164
  if ([".git", "node_modules", "validation-output"].includes(entry.name)) continue;
@@ -280,10 +311,17 @@ test("local CLI maps approved commands to existing safe scripts", () => {
280
311
  assert.ok(cliText.includes("scripts/render-env-audit.mjs"));
281
312
  assert.ok(cliText.includes("scripts/render-secret-audit.mjs"));
282
313
  assert.ok(cliText.includes("scripts/render-api-contract-audit.mjs"));
314
+ assert.ok(cliText.includes("scripts/render-migration-review.mjs"));
315
+ assert.ok(cliText.includes("scripts/render-github-handoff.mjs"));
283
316
  assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
284
317
  assert.ok(!cliText.includes(".env"));
285
318
 
286
319
  const fixtureRoot = path.join(root, "tests", "fixtures");
320
+ const githubHandoffFixture = createGitFixture(
321
+ path.join("tests", "fixtures", "github-handoff", "static-project"),
322
+ );
323
+ fs.appendFileSync(path.join(githubHandoffFixture, "README.md"), "\nLocal handoff change.\n");
324
+
287
325
  const commands = [
288
326
  [["validate-pack"], /pilot pack valid/],
289
327
  [
@@ -317,6 +355,14 @@ test("local CLI maps approved commands to existing safe scripts", () => {
317
355
  ["api-contract-audit", path.join(fixtureRoot, "api-contract-audit", "static-project")],
318
356
  /# API Contract Audit Report/,
319
357
  ],
358
+ [
359
+ ["migration-review", path.join(fixtureRoot, "migration-review", "static-project")],
360
+ /# Migration Review Report/,
361
+ ],
362
+ [
363
+ ["github-handoff", githubHandoffFixture],
364
+ /# GitHub Handoff Report/,
365
+ ],
320
366
  ];
321
367
 
322
368
  for (const [args, expected] of commands) {
@@ -341,7 +387,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
341
387
  test("npm package metadata is public-ready and dependency-free", () => {
342
388
  const packageJson = readJson("package.json");
343
389
  assert.equal(packageJson.name, "coding-agent-skills");
344
- assert.equal(packageJson.version, "0.2.12");
390
+ assert.equal(packageJson.version, "0.2.14");
345
391
  assert.equal(
346
392
  packageJson.description,
347
393
  "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -357,6 +403,8 @@ test("npm package metadata is public-ready and dependency-free", () => {
357
403
  "env-audit",
358
404
  "secret-audit",
359
405
  "api-contract-audit",
406
+ "migration-review",
407
+ "github-handoff",
360
408
  "project-adapters",
361
409
  "code-validation",
362
410
  "cli",
@@ -650,6 +698,104 @@ test("api-contract-audit does not broaden a repo-map-only project adapter", () =
650
698
  assert.match(renderApiContractAuditReport(result), /api-contract-audit is not enabled/);
651
699
  });
652
700
 
701
+ test("migration-review maps static migration surfaces without database access", () => {
702
+ const result = buildMigrationReviewReport(
703
+ path.join(root, "tests", "fixtures", "migration-review", "static-project"),
704
+ { coreRoot: root },
705
+ );
706
+
707
+ assert.equal(result.status, "complete");
708
+ assert.ok(result.migrationFiles.some((record) => record.path === "prisma/migrations/20260703010101_init/migration.sql"));
709
+ assert.ok(result.schemaFiles.some((record) => record.path === "prisma/schema.prisma"));
710
+ assert.ok(result.configFiles.some((record) => record.path === "drizzle.config.ts"));
711
+ assert.ok(result.packageScriptKeys.some((record) => record.key === "db:migrate"));
712
+ assert.ok(result.riskIndicators.some((record) => record.type === "drop-column"));
713
+ assert.match(renderMigrationReviewReport(result), /No database connection/);
714
+ });
715
+
716
+ test("migration-review respects adapter-declared scope", () => {
717
+ const result = buildMigrationReviewReport(
718
+ path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
719
+ { coreRoot: root },
720
+ );
721
+
722
+ assert.equal(result.status, "complete");
723
+ assert.equal(result.adapter.enabled, true);
724
+ assert.deepEqual(result.scopePaths, ["db"]);
725
+ assert.deepEqual(result.filesScanned, ["db/migrations/001_create_accounts.sql"]);
726
+ assert.ok(result.migrationFiles.some((record) => record.path === "db/migrations/001_create_accounts.sql"));
727
+ assert.ok(result.warnings.includes("migration-review used adapter-declared safe read paths only"));
728
+ const cli = migrationReviewCliResult(
729
+ path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
730
+ { coreRoot: root },
731
+ );
732
+ assert.equal(cli.exitCode, 0);
733
+ assert.match(cli.lines.join("\n"), /Migration-review enabled: yes/);
734
+ });
735
+
736
+ test("migration-review does not broaden a repo-map-only project adapter", () => {
737
+ const result = buildMigrationReviewReport(
738
+ path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
739
+ { coreRoot: root },
740
+ );
741
+
742
+ assert.equal(result.status, "partial");
743
+ assert.equal(result.filesScanned.length, 0);
744
+ assert.equal(result.migrationFiles.length, 0);
745
+ assert.match(renderMigrationReviewReport(result), /migration-review is not enabled/);
746
+ });
747
+
748
+ test("github-handoff summarizes local git state without mutating remotes", () => {
749
+ const fixture = createGitFixture(path.join("tests", "fixtures", "github-handoff", "static-project"));
750
+ runGitFixtureCommand(fixture, ["tag", "v0.0.0"]);
751
+ fs.appendFileSync(path.join(fixture, "README.md"), "\nChanged for handoff.\n");
752
+ fs.writeFileSync(path.join(fixture, "src", "new-file.js"), "export const handoff = true;\n");
753
+
754
+ const result = buildGithubHandoffReport(fixture, { coreRoot: root });
755
+
756
+ assert.equal(result.status, "complete");
757
+ assert.equal(result.git.branch, "main");
758
+ assert.ok(result.git.head);
759
+ assert.ok(result.git.tagsAtHead.includes("v0.0.0"));
760
+ assert.equal(result.changeSummary.total, 2);
761
+ assert.equal(result.changeSummary.modified, 1);
762
+ assert.equal(result.changeSummary.untracked, 1);
763
+ assert.ok(result.changedFiles.some((record) => record.path === "README.md"));
764
+ assert.ok(result.changedFiles.some((record) => record.path === "src/new-file.js"));
765
+ assert.match(renderGithubHandoffReport(result), /No commit, push, tag/);
766
+ });
767
+
768
+ test("github-handoff respects adapter-declared handoff metadata", () => {
769
+ const fixture = createGitFixture(path.join("tests", "fixtures", "github-handoff", "adapter-project"));
770
+ fs.appendFileSync(path.join(fixture, "src", "index.js"), "\nexport const changed = true;\n");
771
+
772
+ const result = buildGithubHandoffReport(fixture, { coreRoot: root });
773
+
774
+ assert.equal(result.status, "complete");
775
+ assert.equal(result.adapter.enabled, true);
776
+ assert.ok(result.requiredEvidence.includes("handoff summary"));
777
+ assert.ok(result.ignoredPaths.includes("tmp"));
778
+ assert.equal(result.changeSummary.modified, 1);
779
+ assert.ok(result.warnings.includes("github-handoff used adapter-declared handoff evidence metadata"));
780
+ const cli = githubHandoffCliResult(fixture, { coreRoot: root });
781
+ assert.equal(cli.exitCode, 0);
782
+ assert.match(cli.lines.join("\n"), /Github-handoff enabled: yes/);
783
+ });
784
+
785
+ test("github-handoff does not broaden a repo-map-only project adapter", () => {
786
+ const fixture = createGitFixture(
787
+ path.join("tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
788
+ );
789
+ fs.appendFileSync(path.join(fixture, "README.md"), "\nShould not be listed.\n");
790
+
791
+ const result = buildGithubHandoffReport(fixture, { coreRoot: root });
792
+
793
+ assert.equal(result.status, "partial");
794
+ assert.equal(result.changedFiles.length, 0);
795
+ assert.equal(result.changeSummary.total, 0);
796
+ assert.match(renderGithubHandoffReport(result), /github-handoff is not enabled/);
797
+ });
798
+
653
799
  test("validate-pack accepts installed package trees without source-only gitignore", () => {
654
800
  const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
655
801
  const installedRoot = path.join(temporaryRoot, "coding-agent-skills");
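Review bot: The three github-handoff tests check the skill's safety guarantees only through report text (`/No commit, push, tag/`), so nothing here would fail if `buildGithubHandoffReport` actually moved HEAD, touched the working tree, listed a `.env` path, or printed a remote URL. None of the added fixtures configures a remote or a secret-bearing changed path, although the skill text promises redaction and names-only remotes. A test along the lines below would pin those properties; its redaction assertion assumes redacted entries are dropped from `changedFiles`, which the library (not visible here) may represent differently. Separately, `createGitFixture` runs `git commit` under the developer's global Git configuration (signing, hooks, templates) and never removes its `mkdtempSync` directory, so consider isolating the config and cleaning up with `fs.rmSync`.

```javascript
// … unchanged: existing github-handoff tests …
test("github-handoff redacts secret paths and remote URLs and leaves the repository untouched", () => {
  const fixture = createGitFixture(path.join("tests", "fixtures", "github-handoff", "static-project"));
  // Constructed sample values: placeholder remote URL and placeholder secret-bearing file.
  runGitFixtureCommand(fixture, ["remote", "add", "origin", "https://example.invalid/fixture.git"]);
  fs.writeFileSync(path.join(fixture, ".env"), "PLACEHOLDER=constructed\n");
  const headBefore = runGitFixtureCommand(fixture, ["rev-parse", "HEAD"]);
  const statusBefore = runGitFixtureCommand(fixture, ["status", "--porcelain"]);

  const result = buildGithubHandoffReport(fixture, { coreRoot: root });
  const report = renderGithubHandoffReport(result);

  assert.ok(result.changedFiles.every((record) => record.path !== ".env"));
  assert.ok(!report.includes("example.invalid"));
  assert.equal(runGitFixtureCommand(fixture, ["rev-parse", "HEAD"]), headBefore);
  assert.equal(runGitFixtureCommand(fixture, ["status", "--porcelain"]), statusBefore);
  fs.rmSync(fixture, { recursive: true, force: true });
});
```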
@@ -99,6 +99,8 @@ const requiredRootFiles = [
99
99
  "scripts/render-env-audit.mjs",
100
100
  "scripts/render-secret-audit.mjs",
101
101
  "scripts/render-api-contract-audit.mjs",
102
+ "scripts/render-migration-review.mjs",
103
+ "scripts/render-github-handoff.mjs",
102
104
  "scripts/check-adapter-upgrade.mjs",
103
105
  "scripts/check-adapter-upgrade-chain.mjs",
104
106
  "scripts/validate-adapters.mjs",
@@ -108,6 +110,8 @@ const requiredRootFiles = [
108
110
  "scripts/lib/env-audit.mjs",
109
111
  "scripts/lib/secret-audit.mjs",
110
112
  "scripts/lib/api-contract-audit.mjs",
113
+ "scripts/lib/migration-review.mjs",
114
+ "scripts/lib/github-handoff.mjs",
111
115
  "scripts/lib/adapter-upgrade.mjs",
112
116
  "scripts/lib/adapter-upgrade-chain.mjs",
113
117
  "scripts/lib/adapter-discovery.mjs",
@@ -681,8 +685,8 @@ if (packageJson) {
681
685
  if (packageJson.name !== "coding-agent-skills") {
682
686
  failures.push("package.json has unexpected package name");
683
687
  }
684
- if (packageJson.version !== "0.2.12") {
685
- failures.push("package.json version must be 0.2.12 for public package validation");
688
+ if (packageJson.version !== "0.2.14") {
689
+ failures.push("package.json version must be 0.2.14 for public package validation");
686
690
  }
687
691
  if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
688
692
  if (packageJson.private !== false) {
@@ -704,6 +708,8 @@ if (packageJson) {
704
708
  "env-audit",
705
709
  "secret-audit",
706
710
  "api-contract-audit",
711
+ "migration-review",
712
+ "github-handoff",
707
713
  "project-adapters",
708
714
  "code-validation",
709
715
  "cli",
@@ -0,0 +1,95 @@
1
+ ---
2
+ name: github-handoff
3
+ description: Prepare read-only GitHub handoff evidence from local Git metadata. Use when Codex needs to summarize branch state, HEAD, tags at HEAD, remote names, and changed-file status before a separately approved pull request, release, or GitHub workflow handoff without creating commits, pushes, tags, pull requests, API calls, token reads, or file changes.
4
+ ---
5
+
6
+ # GitHub Handoff
7
+
8
+ ## Purpose And Use
9
+
10
+ Use this skill to produce a local, audit-only handoff report before a human or separately approved workflow performs GitHub work.
11
+
12
+ The skill is for local Git evidence only. It does not create pull requests, publish releases, push branches, inspect tokens, or call GitHub APIs.
13
+
14
+ ## Inputs
15
+
16
+ Required:
17
+
18
+ - Project root.
19
+
20
+ Optional:
21
+
22
+ - Project adapter declaration that enables `github-handoff`.
23
+ - Human-provided handoff intent.
24
+
25
+ Do not assume:
26
+
27
+ - GitHub authentication is available.
28
+ - Local commits are pushed.
29
+ - CI status, review status, or PR state is known.
30
+ - Remote URLs are safe to print.
31
+
32
+ ## Procedure
33
+
34
+ 1. Confirm the project root exists.
35
+ 2. Validate the project adapter when one is present.
36
+ 3. If an adapter exists but does not enable `github-handoff`, report `partial` and do not list changed files.
37
+ 4. Inspect local Git metadata only: root, branch state, current branch, HEAD, tags at HEAD, remote names, and status entries.
38
+ 5. Redact secret-bearing changed paths such as `.env`, key files, credential paths, or token paths.
39
+ 6. Summarize changed-file counts by status.
40
+ 7. Record skipped and not-verified GitHub state honestly.
41
+ 8. State refused behavior clearly.
42
+
43
+ ## Evidence, Recovery, And Dependencies
44
+
45
+ Expected evidence:
46
+
47
+ - Git root.
48
+ - Branch state.
49
+ - Current branch.
50
+ - HEAD or short HEAD.
51
+ - Tags at HEAD.
52
+ - Remote names only, not remote URLs.
53
+ - Changed-file summary.
54
+ - Redacted path count when applicable.
55
+
56
+ Recovery:
57
+
58
+ - If the directory is not a Git repository, return `failed` with no mutation.
59
+ - If Git status is unavailable, return a warning and preserve partial evidence.
60
+ - If adapter validation fails, fail closed.
61
+
62
+ Dependencies:
63
+
64
+ - Local Git command-line tool.
65
+ - Node.js 20+ for the packaged renderer.
66
+
67
+ ## Approval Boundary
68
+
69
+ This skill is audit-only.
70
+
71
+ Allowed:
72
+
73
+ - Read local Git metadata.
74
+ - List changed-file paths unless they are secret-bearing.
75
+ - Validate project adapter metadata.
76
+ - Render a handoff report.
77
+
78
+ Forbidden:
79
+
80
+ - Commit.
81
+ - Push.
82
+ - Tag.
83
+ - Checkout, reset, rebase, merge, stash, restore, or clean.
84
+ - Create pull requests.
85
+ - Create releases.
86
+ - Call GitHub APIs.
87
+ - Read tokens, `.env`, `.env.*`, `.npmrc`, keys, or credential files.
88
+ - Print remote URLs.
89
+ - Change project files.
90
+
91
+ ## Completion
92
+
93
+ Complete only after a report states what was verified, what was skipped, and what was not verified.
94
+
95
+ The completion boundary must say that no commit, push, tag, branch change, pull request creation, GitHub API mutation, token read, secret-file read, or project write occurred.
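Review bot: The completion boundary on the last line is narrower than the Forbidden list: it requires the report to deny only "GitHub API mutation", while Forbidden says `Call GitHub APIs`, and it leaves out remote-URL printing altogether. As written, a run that made a read-only API call (which would need a token) or printed a remote URL could still emit a boundary statement that reads as clean. I would align the sentence with the Forbidden list, e.g. `... pull request creation, GitHub API call, token read, secret-file read, remote URL output, or project write occurred.` The same "GitHub API mutation" wording appears in the adapter interface file under "Adapters must not" and deserves the same change.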
@@ -0,0 +1,18 @@
1
+ # GitHub Handoff Adapter Interface
2
+
3
+ Adapters may enable `github-handoff` as an audit-only skill.
4
+
5
+ Adapters may narrow:
6
+
7
+ - Required evidence labels.
8
+ - Ignored path labels.
9
+ - Documentation precedence used as human context.
10
+
11
+ Adapters must not:
12
+
13
+ - Permit commits, pushes, tags, pull request creation, release creation, or GitHub API mutation.
14
+ - Permit token reads.
15
+ - Permit secret-file reads.
16
+ - Suppress warnings or failures.
17
+ - Redefine completion.
18
+ - Escalate the skill out of audit-only mode.
@@ -0,0 +1,3 @@
1
+ display_name: GitHub Handoff
2
+ short_description: Prepare local Git handoff evidence without GitHub mutation.
3
+ default_prompt: Prepare a GitHub handoff report as an audit-only pass without modifying files, committing, pushing, tagging, creating pull requests, reading tokens, or calling GitHub APIs.
@@ -0,0 +1,10 @@
1
+ # GitHub Handoff Checklist
2
+
3
+ - Confirm the project root.
4
+ - Validate adapter metadata if present.
5
+ - Inspect local Git state only.
6
+ - Summarize changed files without reading file contents.
7
+ - Redact secret-bearing paths.
8
+ - Do not print remote URLs.
9
+ - Report not-verified GitHub state.
10
+ - Confirm no mutation occurred.
@@ -0,0 +1,16 @@
1
+ # GitHub Handoff Evidence Template
2
+
3
+ - Skill: `github-handoff`
4
+ - Status: `complete`, `partial`, or `failed`
5
+ - Project root:
6
+ - Git root:
7
+ - Branch state:
8
+ - HEAD:
9
+ - Tags at HEAD:
10
+ - Remote names:
11
+ - Changed-file summary:
12
+ - Redacted path count:
13
+ - Skipped:
14
+ - Not verified:
15
+ - Refused behavior:
16
+ - Changed state: no project, Git, GitHub, dependency, runtime, service, or remote state changed.
@@ -0,0 +1,19 @@
1
+ # GitHub Handoff Examples
2
+
3
+ ## Safe Examples
4
+
5
+ ```bash
6
+ coding-agent-skills github-handoff /path/to/project
7
+ ```
8
+
9
+ ```bash
10
+ node scripts/render-github-handoff.mjs /path/to/project
11
+ ```
12
+
13
+ ## Unsafe Examples
14
+
15
+ - Create a pull request.
16
+ - Push the current branch.
17
+ - Tag the release.
18
+ - Read GitHub tokens.
19
+ - Print configured remote URLs.
@@ -0,0 +1,8 @@
1
+ # GitHub Handoff Failure Modes
2
+
3
+ - Project root is not a Git repository.
4
+ - Adapter exists but does not enable `github-handoff`.
5
+ - Adapter validation fails.
6
+ - Git status is unavailable.
7
+ - Secret-bearing changed paths are present and must be redacted.
8
+ - Remote PR, CI, and review state cannot be verified without separately approved GitHub access.
@@ -0,0 +1,87 @@
1
+ ---
2
+ name: migration-review
3
+ description: Review statically visible database migration and schema evidence without connecting to databases, applying migrations, generating ORM clients, or modifying projects. Use when Codex must map migration files, schema/config files, migration-related package script keys, and static risk indicators before database work or handoff; do not use for runtime database inspection, migration execution, deploys, builds, tests, package installs, or secret-file reads.
4
+ ---
5
+
6
+ # Migration Review
7
+
8
+ Map statically visible migration evidence and report what is and is not verified. Remain
9
+ audit-only and avoid turning migration discovery into database or deployment work.
10
+
11
+ This skill must not change project files, Git state, dependencies, runtime state, services,
12
+ databases, remotes, generated ORM clients, or deployment state.
13
+
14
+ ## Purpose And Use
15
+
16
+ Use this skill before database work, migration handoff, or schema review when the agent needs
17
+ to understand visible migration files, schema declarations, migration config, and static
18
+ risk indicators.
19
+
20
+ Do not use it to prove database state, apply or roll back migrations, inspect deployed
21
+ databases, generate ORM clients, build, test, deploy, run package scripts, or read secrets.
22
+
23
+ ## Inputs
24
+
25
+ Require a project root or starting path. Optionally accept a project adapter, intended scan
26
+ area, documentation precedence, migration directory hints, or known ORM/database boundaries.
27
+
28
+ Do not assume a missing migration directory means no database exists, migration filenames
29
+ reflect applied state, schema files match production, package script keys are safe to run, or
30
+ a project adapter enables this skill unless validation proves it.
31
+
32
+ ## Procedure
33
+
34
+ 1. Record user intent, project root, declared scope, adapter state, and safety boundary.
35
+ 2. Validate a project adapter when present before reading adapter-declared metadata.
36
+ 3. If an adapter is present but does not enable `migration-review`, stop static file reading
37
+ and report the adapter-limited skip.
38
+ 4. Build scan scope from adapter safe read paths when available; otherwise use a bounded
39
+ generic static scan.
40
+ 5. Exclude `.env`, secret-bearing files, generated output, dependency paths, and oversized
41
+ files before reading.
42
+ 6. Identify statically visible migration files and migration directories.
43
+ 7. Identify schema and migration config files.
44
+ 8. Identify package script keys that mention migration tools without printing command values.
45
+ 9. Identify static risk indicators such as drop-column, truncate, rename, or raw data update
46
+ patterns without judging runtime safety.
47
+ 10. Emit the shared evidence pack or migration review report before claiming completion.
48
+
49
+ Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md),
50
+ [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings
51
+ with [evidence-template.md](evidence-template.md).
52
+
53
+ ## Evidence, Recovery, And Dependencies
54
+
55
+ Emit repository identity, adapter state, scan scope, ignored paths, files scanned, migration
56
+ files, schema files, config files, package script keys, risk indicators, skipped items,
57
+ not-verified areas, warnings, and changed-state declaration through the shared evidence-pack
58
+ contract.
59
+
60
+ Recover from missing migration directories, ambiguous ORM layouts, unreadable files, or
61
+ adapter limits by reporting uncertainty. Never recover by connecting to a database, applying
62
+ migrations, generating ORM clients, installing dependencies, building, testing, deploying,
63
+ broadening adapter scope, or reading `.env`.
64
+
65
+ This skill depends on the evidence-pack contract and may consume validated project adapters.
66
+ Adapters may add safe paths, ignored paths, documentation precedence, and evidence
67
+ requirements, but cannot weaken policy or turn this skill into database work.
68
+
69
+ ## Approval Boundary
70
+
71
+ Explicit approval may permit one named non-secret static file read outside normal source
72
+ paths. Approval does not permit `.env` or secret-file reads, database connections, migration
73
+ execution, ORM generation, package installation, builds, tests, runtime checks, deployments,
74
+ Git mutation, or project writes.
75
+
76
+ ## Completion
77
+
78
+ Claim `complete` only when the declared static scan scope was inspected, visible migration
79
+ surfaces are reported, skipped and not-verified areas are explicit, adapter limitations are
80
+ clear, and no project, Git, dependency, runtime, service, database, remote, generated-code, or
81
+ deployment state changed.
82
+
83
+ Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested
84
+ evidence requires database/runtime behavior, the project root cannot be established, or
85
+ safety exclusions prevent the requested conclusion.
86
+
87
+ These conditions are both the acceptance criteria and definition of done.
@@ -0,0 +1,16 @@
1
+ Adapters may enable `migration-review` only as an audit-only static inspection skill.
2
+
3
+ Allowed adapter extensions:
4
+
5
+ - `safeReadPaths` for migration, schema, config, and relevant package files.
6
+ - `ignoredPaths` for generated, dependency, build, coverage, and output directories.
7
+ - `documentationPrecedence` for migration runbooks or schema docs.
8
+ - `requiredEvidence` for migration files, schemas, config, risk indicators, and not-verified areas.
9
+
10
+ Adapters must not:
11
+
12
+ - Add commands for `migration-review`.
13
+ - Require database connections, migration execution, ORM generation, or package scripts.
14
+ - Include `.env`, credential, service-key, or secret-bearing paths.
15
+ - Change `migration-review` from `audit-only` to action-capable.
16
+ - Expand scope outside the declared project root without named approval.
@@ -0,0 +1,3 @@
1
+ display_name: Migration Review
2
+ short_description: Review static migration and schema evidence without database access.
3
+ default_prompt: Review this repository's migration and schema evidence as an audit-only pass without modifying files, applying migrations, connecting to databases, generating ORM clients, or reading secrets.
@@ -0,0 +1,8 @@
1
+ - Confirm the project root and declared static scope.
2
+ - Validate any project adapter before reading adapter metadata.
3
+ - Stop with `partial` if an adapter is present but does not enable `migration-review`.
4
+ - Exclude `.env`, secret-bearing, dependency, generated, output, and oversized files.
5
+ - Report migration files, schema files, config files, package script keys, and risk indicators.
6
+ - Do not print package script command values.
7
+ - Record not-verified database state, rollback, generated-client, and production gaps.
8
+ - Declare that no database connection, migration execution, ORM generation, build, test, deploy, package install, secret read, or write occurred.
@@ -0,0 +1,12 @@
1
+ Evidence fields:
2
+
3
+ - Project root and Git branch state.
4
+ - Adapter presence, enabled state, and scope paths.
5
+ - Ignored paths and skipped static files.
6
+ - Migration files and reasons.
7
+ - Schema files and reasons.
8
+ - Migration config files and reasons.
9
+ - Package script keys, without command values.
10
+ - Static risk indicators by file and type.
11
+ - Not-verified database, rollback, generated-client, and production areas.
12
+ - Refused behavior and changed-state declaration.
@@ -0,0 +1,20 @@
1
+ Safe examples:
2
+
3
+ ```bash
4
+ coding-agent-skills migration-review /workspace/app
5
+ ```
6
+
7
+ ```bash
8
+ node scripts/render-migration-review.mjs tests/fixtures/migration-review/static-project
9
+ ```
10
+
11
+ Expected result: a report listing static migration files, schema/config files, package
12
+ script keys, risk indicators, skipped paths, not-verified database behavior, and refused
13
+ actions.
14
+
15
+ ## Unsafe Examples
16
+
17
+ - Apply database migrations.
18
+ - Connect to a local or remote database to inspect applied state.
19
+ - Generate ORM clients or migration files.
20
+ - Read `.env`, credentials, service keys, or private runtime config.
@@ -0,0 +1,5 @@
1
+ - Missing migration directories: report uncertainty instead of assuming no database exists.
2
+ - Adapter present without `migration-review`: return `partial` and read no target files.
3
+ - Secret-bearing paths: skip and record the exclusion without printing values.
4
+ - Destructive-looking SQL: report the static indicator without judging production safety.
5
+ - Requested database state or rollback proof: stop at the approval boundary because this skill is static only.
@@ -0,0 +1,56 @@
1
+ {
2
+ "adapterId": "github-handoff-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "fixture-github-handoff",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {"kind": "file", "path": "package.json"},
9
+ {"kind": "file", "path": "README.md"}
10
+ ],
11
+ "maximumDepth": 1,
12
+ "scope": "declared-project-root",
13
+ "requireApprovalOutsideScope": true
14
+ }
15
+ },
16
+ "supportedSkills": [
17
+ {
18
+ "id": "github-handoff",
19
+ "compatibleVersions": ["0.2.3", "0.2.x"],
20
+ "declaredMode": "audit-only"
21
+ }
22
+ ],
23
+ "extensions": {
24
+ "safeReadPaths": ["README.md", "package.json", "src"],
25
+ "ignoredPaths": ["node_modules", "dist", "build", "tmp"],
26
+ "documentationPrecedence": ["README.md"],
27
+ "commandAliases": [],
28
+ "safeStatusCommands": [],
29
+ "requiredEvidence": ["branch state", "HEAD", "working-tree state", "changed-file summary", "handoff summary"],
30
+ "expectedRuntimeManagers": [],
31
+ "expectedPackageManagers": ["npm"]
32
+ },
33
+ "approvalRequirements": [],
34
+ "inheritance": {
35
+ "sharedRestrictions": "required",
36
+ "deniedOperationCategories": [
37
+ "file-write",
38
+ "package-install",
39
+ "deployment",
40
+ "git-mutation",
41
+ "unrestricted-scan",
42
+ "secret-read",
43
+ "process-mutation",
44
+ "service-mutation",
45
+ "migration-apply",
46
+ "privileged-api"
47
+ ],
48
+ "allowRestrictionRemoval": false,
49
+ "allowModeOverride": false,
50
+ "allowFailureSuppression": false,
51
+ "allowCompletionOverride": false,
52
+ "allowSecretExposure": false,
53
+ "allowRequiredEvidenceRemoval": false,
54
+ "allowScopeExpansionWithoutApproval": false
55
+ }
56
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "fixture-github-handoff",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["github-handoff"],
12
+ "adapters": [
13
+ {
14
+ "id": "github-handoff-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["github-handoff"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": ".coding-agent/evidence",
21
+ "approvalPolicyReference": ".coding-agent/approval-policy.md",
22
+ "noSecrets": true
23
+ }