coding-agent-skills 0.2.12 → 0.2.14
- package/CHANGELOG.md +41 -0
- package/README.md +8 -0
- package/ROADMAP.md +8 -4
- package/bin/coding-agent-skills +14 -0
- package/docs/adapters/README.md +38 -0
- package/docs/adapters/project-installation.md +25 -0
- package/docs/adapters/real-project-adoption.md +3 -2
- package/docs/architecture/README.md +4 -2
- package/docs/release/README.md +5 -3
- package/docs/release/npm-package.md +12 -2
- package/docs/safety/README.md +11 -1
- package/docs/testing/README.md +16 -0
- package/docs/usage/README.md +25 -5
- package/examples/command-policies/github-handoff.json +74 -0
- package/examples/command-policies/migration-review.json +70 -0
- package/examples/evidence-packs/github-handoff.json +67 -0
- package/examples/evidence-packs/migration-review.json +60 -0
- package/examples/manifests/github-handoff.json +14 -0
- package/examples/manifests/migration-review.json +14 -0
- package/examples/workflows/github-handoff.md +5 -0
- package/examples/workflows/migration-review.md +7 -0
- package/package.json +3 -1
- package/runs/skill-runs.md +32 -0
- package/schemas/project-adapter-installation.schema.json +4 -0
- package/schemas/project-adapter.schema.json +4 -0
- package/scripts/lib/github-handoff.mjs +446 -0
- package/scripts/lib/migration-review.mjs +641 -0
- package/scripts/lib/pack-rules.mjs +20 -2
- package/scripts/render-github-handoff.mjs +7 -0
- package/scripts/render-migration-review.mjs +8 -0
- package/scripts/test-pack.mjs +147 -1
- package/scripts/validate-pack.mjs +8 -2
- package/skills/github-handoff/SKILL.md +95 -0
- package/skills/github-handoff/adapter-interface.md +18 -0
- package/skills/github-handoff/agents/openai.yaml +3 -0
- package/skills/github-handoff/checklist.md +10 -0
- package/skills/github-handoff/evidence-template.md +16 -0
- package/skills/github-handoff/examples.md +19 -0
- package/skills/github-handoff/failure-modes.md +8 -0
- package/skills/migration-review/SKILL.md +87 -0
- package/skills/migration-review/adapter-interface.md +16 -0
- package/skills/migration-review/agents/openai.yaml +3 -0
- package/skills/migration-review/checklist.md +8 -0
- package/skills/migration-review/evidence-template.md +12 -0
- package/skills/migration-review/examples.md +20 -0
- package/skills/migration-review/failure-modes.md +5 -0
- package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
- package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
- package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
- package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
- package/tests/fixtures/github-handoff/static-project/README.md +3 -0
- package/tests/fixtures/github-handoff/static-project/package.json +4 -0
- package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/adapters/migration-review-fixture/adapter.json +56 -0
- package/tests/fixtures/migration-review/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/migration-review/adapter-project/README.md +3 -0
- package/tests/fixtures/migration-review/adapter-project/db/migrations/001_create_accounts.sql +3 -0
- package/tests/fixtures/migration-review/adapter-project/ignored/migrations/999_ignore.sql +1 -0
- package/tests/fixtures/migration-review/adapter-project/package.json +3 -0
- package/tests/fixtures/migration-review/static-project/README.md +3 -0
- package/tests/fixtures/migration-review/static-project/drizzle.config.ts +4 -0
- package/tests/fixtures/migration-review/static-project/package.json +7 -0
- package/tests/fixtures/migration-review/static-project/prisma/migrations/20260703010101_init/migration.sql +6 -0
- package/tests/fixtures/migration-review/static-project/prisma/schema.prisma +4 -0
- package/tests/fixtures/triggers/cases.json +26 -2
- package/tests/trigger/README.md +4 -0
- package/work-ledger.md +27 -5
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import { migrationReviewCliResult } from "./lib/migration-review.mjs";
|
|
2
|
+
|
|
3
|
+
const outcome = migrationReviewCliResult(process.argv[2]);
|
|
4
|
+
for (const line of outcome.lines) {
|
|
5
|
+
if (outcome.stream === "stdout") console.log(line);
|
|
6
|
+
else console.error(line);
|
|
7
|
+
}
|
|
8
|
+
process.exitCode = outcome.exitCode;
|
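Review bot: The last line copies `outcome.exitCode` to `process.exitCode` unchecked, so a result object without a numeric `exitCode` leaves the process exiting 0 and a broken audit run looks like a pass to whatever invoked the script. `migrationReviewCliResult` lives in `./lib/migration-review.mjs`, which is not shown here, so this may never happen in practice, but an audit-only entry point should fail closed: `process.exitCode = Number.isInteger(outcome.exitCode) ? outcome.exitCode : 1;`. A short header comment saying that the script takes the project root as its only argument (only `process.argv[2]` is read) would also help.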
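--- a/package/scripts/test-pack.mjs
+++ b/package/scripts/test-pack.mjs
@@ -62,6 +62,16 @@ import {
 buildApiContractAuditReport,
 renderApiContractAuditReport,
 } from "./lib/api-contract-audit.mjs";
+import {
+buildMigrationReviewReport,
+migrationReviewCliResult,
+renderMigrationReviewReport,
+} from "./lib/migration-review.mjs";
+import {
+buildGithubHandoffReport,
+githubHandoffCliResult,
+renderGithubHandoffReport,
+} from "./lib/github-handoff.mjs";
 import {
 adapterUpgradeCliResult,
 checkAdapterUpgrade,
@@ -128,6 +138,27 @@ function readJson(relativePath) {
 return JSON.parse(read(relativePath));
 }
 
+function runGitFixtureCommand(cwd, args) {
+const result = spawnSync("git", args, {
+cwd,
+encoding: "utf8",
+stdio: "pipe",
+});
+assert.equal(result.status, 0, `git ${args.join(" ")}\n${result.stderr}`);
+return result.stdout.trim();
+}
+
+function createGitFixture(sourceRelativePath) {
+const temporary = fs.mkdtempSync(path.join(os.tmpdir(), "github-handoff-fixture-"));
+fs.cpSync(path.join(root, sourceRelativePath), temporary, { recursive: true });
+runGitFixtureCommand(temporary, ["init", "-b", "main"]);
+runGitFixtureCommand(temporary, ["config", "user.name", "Fixture User"]);
+runGitFixtureCommand(temporary, ["config", "user.email", "fixture@example.invalid"]);
+runGitFixtureCommand(temporary, ["add", "."]);
+runGitFixtureCommand(temporary, ["commit", "-m", "initial fixture commit"]);
+return temporary;
+}
+
 function walk(directory, output = []) {
 for (const entry of fs.readdirSync(directory, { withFileTypes: true })) {
 if ([".git", "node_modules", "validation-output"].includes(entry.name)) continue;
@@ -280,10 +311,17 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 assert.ok(cliText.includes("scripts/render-env-audit.mjs"));
 assert.ok(cliText.includes("scripts/render-secret-audit.mjs"));
 assert.ok(cliText.includes("scripts/render-api-contract-audit.mjs"));
+assert.ok(cliText.includes("scripts/render-migration-review.mjs"));
+assert.ok(cliText.includes("scripts/render-github-handoff.mjs"));
 assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
 assert.ok(!cliText.includes(".env"));
 
 const fixtureRoot = path.join(root, "tests", "fixtures");
+const githubHandoffFixture = createGitFixture(
+path.join("tests", "fixtures", "github-handoff", "static-project"),
+);
+fs.appendFileSync(path.join(githubHandoffFixture, "README.md"), "\nLocal handoff change.\n");
+
 const commands = [
 [["validate-pack"], /pilot pack valid/],
 [
@@ -317,6 +355,14 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 ["api-contract-audit", path.join(fixtureRoot, "api-contract-audit", "static-project")],
 /# API Contract Audit Report/,
 ],
+[
+["migration-review", path.join(fixtureRoot, "migration-review", "static-project")],
+/# Migration Review Report/,
+],
+[
+["github-handoff", githubHandoffFixture],
+/# GitHub Handoff Report/,
+],
 ];
 
 for (const [args, expected] of commands) {
@@ -341,7 +387,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 test("npm package metadata is public-ready and dependency-free", () => {
 const packageJson = readJson("package.json");
 assert.equal(packageJson.name, "coding-agent-skills");
-assert.equal(packageJson.version, "0.2.
+assert.equal(packageJson.version, "0.2.14");
 assert.equal(
 packageJson.description,
 "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -357,6 +403,8 @@ test("npm package metadata is public-ready and dependency-free", () => {
 "env-audit",
 "secret-audit",
 "api-contract-audit",
+"migration-review",
+"github-handoff",
 "project-adapters",
 "code-validation",
 "cli",
@@ -650,6 +698,104 @@ test("api-contract-audit does not broaden a repo-map-only project adapter", () =
 assert.match(renderApiContractAuditReport(result), /api-contract-audit is not enabled/);
 });
 
+test("migration-review maps static migration surfaces without database access", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "migration-review", "static-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.ok(result.migrationFiles.some((record) => record.path === "prisma/migrations/20260703010101_init/migration.sql"));
+assert.ok(result.schemaFiles.some((record) => record.path === "prisma/schema.prisma"));
+assert.ok(result.configFiles.some((record) => record.path === "drizzle.config.ts"));
+assert.ok(result.packageScriptKeys.some((record) => record.key === "db:migrate"));
+assert.ok(result.riskIndicators.some((record) => record.type === "drop-column"));
+assert.match(renderMigrationReviewReport(result), /No database connection/);
+});
+
+test("migration-review respects adapter-declared scope", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.deepEqual(result.scopePaths, ["db"]);
+assert.deepEqual(result.filesScanned, ["db/migrations/001_create_accounts.sql"]);
+assert.ok(result.migrationFiles.some((record) => record.path === "db/migrations/001_create_accounts.sql"));
+assert.ok(result.warnings.includes("migration-review used adapter-declared safe read paths only"));
+const cli = migrationReviewCliResult(
+path.join(root, "tests", "fixtures", "migration-review", "adapter-project"),
+{ coreRoot: root },
+);
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /Migration-review enabled: yes/);
+});
+
+test("migration-review does not broaden a repo-map-only project adapter", () => {
+const result = buildMigrationReviewReport(
+path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "partial");
+assert.equal(result.filesScanned.length, 0);
+assert.equal(result.migrationFiles.length, 0);
+assert.match(renderMigrationReviewReport(result), /migration-review is not enabled/);
+});
+
+test("github-handoff summarizes local git state without mutating remotes", () => {
+const fixture = createGitFixture(path.join("tests", "fixtures", "github-handoff", "static-project"));
+runGitFixtureCommand(fixture, ["tag", "v0.0.0"]);
+fs.appendFileSync(path.join(fixture, "README.md"), "\nChanged for handoff.\n");
+fs.writeFileSync(path.join(fixture, "src", "new-file.js"), "export const handoff = true;\n");
+
+const result = buildGithubHandoffReport(fixture, { coreRoot: root });
+
+assert.equal(result.status, "complete");
+assert.equal(result.git.branch, "main");
+assert.ok(result.git.head);
+assert.ok(result.git.tagsAtHead.includes("v0.0.0"));
+assert.equal(result.changeSummary.total, 2);
+assert.equal(result.changeSummary.modified, 1);
+assert.equal(result.changeSummary.untracked, 1);
+assert.ok(result.changedFiles.some((record) => record.path === "README.md"));
+assert.ok(result.changedFiles.some((record) => record.path === "src/new-file.js"));
+assert.match(renderGithubHandoffReport(result), /No commit, push, tag/);
+});
+
+test("github-handoff respects adapter-declared handoff metadata", () => {
+const fixture = createGitFixture(path.join("tests", "fixtures", "github-handoff", "adapter-project"));
+fs.appendFileSync(path.join(fixture, "src", "index.js"), "\nexport const changed = true;\n");
+
+const result = buildGithubHandoffReport(fixture, { coreRoot: root });
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.ok(result.requiredEvidence.includes("handoff summary"));
+assert.ok(result.ignoredPaths.includes("tmp"));
+assert.equal(result.changeSummary.modified, 1);
+assert.ok(result.warnings.includes("github-handoff used adapter-declared handoff evidence metadata"));
+const cli = githubHandoffCliResult(fixture, { coreRoot: root });
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /Github-handoff enabled: yes/);
+});
+
+test("github-handoff does not broaden a repo-map-only project adapter", () => {
+const fixture = createGitFixture(
+path.join("tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+);
+fs.appendFileSync(path.join(fixture, "README.md"), "\nShould not be listed.\n");
+
+const result = buildGithubHandoffReport(fixture, { coreRoot: root });
+
+assert.equal(result.status, "partial");
+assert.equal(result.changedFiles.length, 0);
+assert.equal(result.changeSummary.total, 0);
+assert.match(renderGithubHandoffReport(result), /github-handoff is not enabled/);
+});
+
 test("validate-pack accepts installed package trees without source-only gitignore", () => {
 const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
 const installedRoot = path.join(temporaryRoot, "coding-agent-skills");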
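Review bot: The test named "github-handoff summarizes local git state without mutating remotes" never checks the repository for mutation; its only evidence is that the rendered report contains the text `No commit, push, tag`, which the renderer could print regardless of what actually ran. Snapshot HEAD, the ref list and `git status --porcelain` before `buildGithubHandoffReport` and assert they are unchanged afterwards, as in the excerpt below; the same check fits the other two github-handoff tests. None of the added tests covers the redaction of secret-bearing changed paths or the remote-names-only rule that the skill's SKILL.md promises, so unless another suite does, a fixture with a changed `.env` and a configured remote would pin both. Separately, `runGitFixtureCommand` runs `git` with the developer's ambient configuration, so globally configured hooks or commit signing can run or fail during the fixture commit, and the directories made by `createGitFixture` are never removed.

```javascript
// … unchanged: fixture setup (tag, README append, new-file.js) …
const snapshot = () => [
  runGitFixtureCommand(fixture, ["rev-parse", "HEAD"]),
  runGitFixtureCommand(fixture, ["for-each-ref"]),
  runGitFixtureCommand(fixture, ["status", "--porcelain"]),
];
const before = snapshot();
const result = buildGithubHandoffReport(fixture, { coreRoot: root });
assert.deepEqual(snapshot(), before);
// … unchanged: status, branch, tag and change-summary assertions …
```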
|
@@ -99,6 +99,8 @@ const requiredRootFiles = [
|
|
|
99
99
|
"scripts/render-env-audit.mjs",
|
|
100
100
|
"scripts/render-secret-audit.mjs",
|
|
101
101
|
"scripts/render-api-contract-audit.mjs",
|
|
102
|
+
"scripts/render-migration-review.mjs",
|
|
103
|
+
"scripts/render-github-handoff.mjs",
|
|
102
104
|
"scripts/check-adapter-upgrade.mjs",
|
|
103
105
|
"scripts/check-adapter-upgrade-chain.mjs",
|
|
104
106
|
"scripts/validate-adapters.mjs",
|
|
@@ -108,6 +110,8 @@ const requiredRootFiles = [
|
|
|
108
110
|
"scripts/lib/env-audit.mjs",
|
|
109
111
|
"scripts/lib/secret-audit.mjs",
|
|
110
112
|
"scripts/lib/api-contract-audit.mjs",
|
|
113
|
+
"scripts/lib/migration-review.mjs",
|
|
114
|
+
"scripts/lib/github-handoff.mjs",
|
|
111
115
|
"scripts/lib/adapter-upgrade.mjs",
|
|
112
116
|
"scripts/lib/adapter-upgrade-chain.mjs",
|
|
113
117
|
"scripts/lib/adapter-discovery.mjs",
|
|
@@ -681,8 +685,8 @@ if (packageJson) {
|
|
|
681
685
|
if (packageJson.name !== "coding-agent-skills") {
|
|
682
686
|
failures.push("package.json has unexpected package name");
|
|
683
687
|
}
|
|
684
|
-
if (packageJson.version !== "0.2.
|
|
685
|
-
failures.push("package.json version must be 0.2.
|
|
688
|
+
if (packageJson.version !== "0.2.14") {
|
|
689
|
+
failures.push("package.json version must be 0.2.14 for public package validation");
|
|
686
690
|
}
|
|
687
691
|
if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
|
|
688
692
|
if (packageJson.private !== false) {
|
|
@@ -704,6 +708,8 @@ if (packageJson) {
|
|
|
704
708
|
"env-audit",
|
|
705
709
|
"secret-audit",
|
|
706
710
|
"api-contract-audit",
|
|
711
|
+
"migration-review",
|
|
712
|
+
"github-handoff",
|
|
707
713
|
"project-adapters",
|
|
708
714
|
"code-validation",
|
|
709
715
|
"cli",
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: github-handoff
|
|
3
|
+
description: Prepare read-only GitHub handoff evidence from local Git metadata. Use when Codex needs to summarize branch state, HEAD, tags at HEAD, remote names, and changed-file status before a separately approved pull request, release, or GitHub workflow handoff without creating commits, pushes, tags, pull requests, API calls, token reads, or file changes.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# GitHub Handoff
|
|
7
|
+
|
|
8
|
+
## Purpose And Use
|
|
9
|
+
|
|
10
|
+
Use this skill to produce a local, audit-only handoff report before a human or separately approved workflow performs GitHub work.
|
|
11
|
+
|
|
12
|
+
The skill is for local Git evidence only. It does not create pull requests, publish releases, push branches, inspect tokens, or call GitHub APIs.
|
|
13
|
+
|
|
14
|
+
## Inputs
|
|
15
|
+
|
|
16
|
+
Required:
|
|
17
|
+
|
|
18
|
+
- Project root.
|
|
19
|
+
|
|
20
|
+
Optional:
|
|
21
|
+
|
|
22
|
+
- Project adapter declaration that enables `github-handoff`.
|
|
23
|
+
- Human-provided handoff intent.
|
|
24
|
+
|
|
25
|
+
Do not assume:
|
|
26
|
+
|
|
27
|
+
- GitHub authentication is available.
|
|
28
|
+
- Local commits are pushed.
|
|
29
|
+
- CI status, review status, or PR state is known.
|
|
30
|
+
- Remote URLs are safe to print.
|
|
31
|
+
|
|
32
|
+
## Procedure
|
|
33
|
+
|
|
34
|
+
1. Confirm the project root exists.
|
|
35
|
+
2. Validate the project adapter when one is present.
|
|
36
|
+
3. If an adapter exists but does not enable `github-handoff`, report `partial` and do not list changed files.
|
|
37
|
+
4. Inspect local Git metadata only: root, branch state, current branch, HEAD, tags at HEAD, remote names, and status entries.
|
|
38
|
+
5. Redact secret-bearing changed paths such as `.env`, key files, credential paths, or token paths.
|
|
39
|
+
6. Summarize changed-file counts by status.
|
|
40
|
+
7. Record skipped and not-verified GitHub state honestly.
|
|
41
|
+
8. State refused behavior clearly.
|
|
42
|
+
|
|
43
|
+
## Evidence, Recovery, And Dependencies
|
|
44
|
+
|
|
45
|
+
Expected evidence:
|
|
46
|
+
|
|
47
|
+
- Git root.
|
|
48
|
+
- Branch state.
|
|
49
|
+
- Current branch.
|
|
50
|
+
- HEAD or short HEAD.
|
|
51
|
+
- Tags at HEAD.
|
|
52
|
+
- Remote names only, not remote URLs.
|
|
53
|
+
- Changed-file summary.
|
|
54
|
+
- Redacted path count when applicable.
|
|
55
|
+
|
|
56
|
+
Recovery:
|
|
57
|
+
|
|
58
|
+
- If the directory is not a Git repository, return `failed` with no mutation.
|
|
59
|
+
- If Git status is unavailable, return a warning and preserve partial evidence.
|
|
60
|
+
- If adapter validation fails, fail closed.
|
|
61
|
+
|
|
62
|
+
Dependencies:
|
|
63
|
+
|
|
64
|
+
- Local Git command-line tool.
|
|
65
|
+
- Node.js 20+ for the packaged renderer.
|
|
66
|
+
|
|
67
|
+
## Approval Boundary
|
|
68
|
+
|
|
69
|
+
This skill is audit-only.
|
|
70
|
+
|
|
71
|
+
Allowed:
|
|
72
|
+
|
|
73
|
+
- Read local Git metadata.
|
|
74
|
+
- List changed-file paths unless they are secret-bearing.
|
|
75
|
+
- Validate project adapter metadata.
|
|
76
|
+
- Render a handoff report.
|
|
77
|
+
|
|
78
|
+
Forbidden:
|
|
79
|
+
|
|
80
|
+
- Commit.
|
|
81
|
+
- Push.
|
|
82
|
+
- Tag.
|
|
83
|
+
- Checkout, reset, rebase, merge, stash, restore, or clean.
|
|
84
|
+
- Create pull requests.
|
|
85
|
+
- Create releases.
|
|
86
|
+
- Call GitHub APIs.
|
|
87
|
+
- Read tokens, `.env`, `.env.*`, `.npmrc`, keys, or credential files.
|
|
88
|
+
- Print remote URLs.
|
|
89
|
+
- Change project files.
|
|
90
|
+
|
|
91
|
+
## Completion
|
|
92
|
+
|
|
93
|
+
Complete only after a report states what was verified, what was skipped, and what was not verified.
|
|
94
|
+
|
|
95
|
+
The completion boundary must say that no commit, push, tag, branch change, pull request creation, GitHub API mutation, token read, secret-file read, or project write occurred.
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
# GitHub Handoff Adapter Interface
|
|
2
|
+
|
|
3
|
+
Adapters may enable `github-handoff` as an audit-only skill.
|
|
4
|
+
|
|
5
|
+
Adapters may narrow:
|
|
6
|
+
|
|
7
|
+
- Required evidence labels.
|
|
8
|
+
- Ignored path labels.
|
|
9
|
+
- Documentation precedence used as human context.
|
|
10
|
+
|
|
11
|
+
Adapters must not:
|
|
12
|
+
|
|
13
|
+
- Permit commits, pushes, tags, pull request creation, release creation, or GitHub API mutation.
|
|
14
|
+
- Permit token reads.
|
|
15
|
+
- Permit secret-file reads.
|
|
16
|
+
- Suppress warnings or failures.
|
|
17
|
+
- Redefine completion.
|
|
18
|
+
- Escalate the skill out of audit-only mode.
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
display_name: GitHub Handoff
|
|
2
|
+
short_description: Prepare local Git handoff evidence without GitHub mutation.
|
|
3
|
+
default_prompt: Prepare a GitHub handoff report as an audit-only pass without modifying files, committing, pushing, tagging, creating pull requests, reading tokens, or calling GitHub APIs.
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
# GitHub Handoff Checklist
|
|
2
|
+
|
|
3
|
+
- Confirm the project root.
|
|
4
|
+
- Validate adapter metadata if present.
|
|
5
|
+
- Inspect local Git state only.
|
|
6
|
+
- Summarize changed files without reading file contents.
|
|
7
|
+
- Redact secret-bearing paths.
|
|
8
|
+
- Do not print remote URLs.
|
|
9
|
+
- Report not-verified GitHub state.
|
|
10
|
+
- Confirm no mutation occurred.
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# GitHub Handoff Evidence Template
|
|
2
|
+
|
|
3
|
+
- Skill: `github-handoff`
|
|
4
|
+
- Status: `complete`, `partial`, or `failed`
|
|
5
|
+
- Project root:
|
|
6
|
+
- Git root:
|
|
7
|
+
- Branch state:
|
|
8
|
+
- HEAD:
|
|
9
|
+
- Tags at HEAD:
|
|
10
|
+
- Remote names:
|
|
11
|
+
- Changed-file summary:
|
|
12
|
+
- Redacted path count:
|
|
13
|
+
- Skipped:
|
|
14
|
+
- Not verified:
|
|
15
|
+
- Refused behavior:
|
|
16
|
+
- Changed state: no project, Git, GitHub, dependency, runtime, service, or remote state changed.
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
# GitHub Handoff Examples
|
|
2
|
+
|
|
3
|
+
## Safe Examples
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
coding-agent-skills github-handoff /path/to/project
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
node scripts/render-github-handoff.mjs /path/to/project
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
## Unsafe Examples
|
|
14
|
+
|
|
15
|
+
- Create a pull request.
|
|
16
|
+
- Push the current branch.
|
|
17
|
+
- Tag the release.
|
|
18
|
+
- Read GitHub tokens.
|
|
19
|
+
- Print configured remote URLs.
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
# GitHub Handoff Failure Modes
|
|
2
|
+
|
|
3
|
+
- Project root is not a Git repository.
|
|
4
|
+
- Adapter exists but does not enable `github-handoff`.
|
|
5
|
+
- Adapter validation fails.
|
|
6
|
+
- Git status is unavailable.
|
|
7
|
+
- Secret-bearing changed paths are present and must be redacted.
|
|
8
|
+
- Remote PR, CI, and review state cannot be verified without separately approved GitHub access.
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: migration-review
|
|
3
|
+
description: Review statically visible database migration and schema evidence without connecting to databases, applying migrations, generating ORM clients, or modifying projects. Use when Codex must map migration files, schema/config files, migration-related package script keys, and static risk indicators before database work or handoff; do not use for runtime database inspection, migration execution, deploys, builds, tests, package installs, or secret-file reads.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Migration Review
|
|
7
|
+
|
|
8
|
+
Map statically visible migration evidence and report what is and is not verified. Remain
|
|
9
|
+
audit-only and avoid turning migration discovery into database or deployment work.
|
|
10
|
+
|
|
11
|
+
This skill must not change project files, Git state, dependencies, runtime state, services,
|
|
12
|
+
databases, remotes, generated ORM clients, or deployment state.
|
|
13
|
+
|
|
14
|
+
## Purpose And Use
|
|
15
|
+
|
|
16
|
+
Use this skill before database work, migration handoff, or schema review when the agent needs
|
|
17
|
+
to understand visible migration files, schema declarations, migration config, and static
|
|
18
|
+
risk indicators.
|
|
19
|
+
|
|
20
|
+
Do not use it to prove database state, apply or roll back migrations, inspect deployed
|
|
21
|
+
databases, generate ORM clients, build, test, deploy, run package scripts, or read secrets.
|
|
22
|
+
|
|
23
|
+
## Inputs
|
|
24
|
+
|
|
25
|
+
Require a project root or starting path. Optionally accept a project adapter, intended scan
|
|
26
|
+
area, documentation precedence, migration directory hints, or known ORM/database boundaries.
|
|
27
|
+
|
|
28
|
+
Do not assume a missing migration directory means no database exists, migration filenames
|
|
29
|
+
reflect applied state, schema files match production, package script keys are safe to run, or
|
|
30
|
+
a project adapter enables this skill unless validation proves it.
|
|
31
|
+
|
|
32
|
+
## Procedure
|
|
33
|
+
|
|
34
|
+
1. Record user intent, project root, declared scope, adapter state, and safety boundary.
|
|
35
|
+
2. Validate a project adapter when present before reading adapter-declared metadata.
|
|
36
|
+
3. If an adapter is present but does not enable `migration-review`, stop static file reading
|
|
37
|
+
and report the adapter-limited skip.
|
|
38
|
+
4. Build scan scope from adapter safe read paths when available; otherwise use a bounded
|
|
39
|
+
generic static scan.
|
|
40
|
+
5. Exclude `.env`, secret-bearing files, generated output, dependency paths, and oversized
|
|
41
|
+
files before reading.
|
|
42
|
+
6. Identify statically visible migration files and migration directories.
|
|
43
|
+
7. Identify schema and migration config files.
|
|
44
|
+
8. Identify package script keys that mention migration tools without printing command values.
|
|
45
|
+
9. Identify static risk indicators such as drop-column, truncate, rename, or raw data update
|
|
46
|
+
patterns without judging runtime safety.
|
|
47
|
+
10. Emit the shared evidence pack or migration review report before claiming completion.
|
|
48
|
+
|
|
49
|
+
Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md),
|
|
50
|
+
[adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings
|
|
51
|
+
with [evidence-template.md](evidence-template.md).
|
|
52
|
+
|
|
53
|
+
## Evidence, Recovery, And Dependencies
|
|
54
|
+
|
|
55
|
+
Emit repository identity, adapter state, scan scope, ignored paths, files scanned, migration
|
|
56
|
+
files, schema files, config files, package script keys, risk indicators, skipped items,
|
|
57
|
+
not-verified areas, warnings, and changed-state declaration through the shared evidence-pack
|
|
58
|
+
contract.
|
|
59
|
+
|
|
60
|
+
Recover from missing migration directories, ambiguous ORM layouts, unreadable files, or
|
|
61
|
+
adapter limits by reporting uncertainty. Never recover by connecting to a database, applying
|
|
62
|
+
migrations, generating ORM clients, installing dependencies, building, testing, deploying,
|
|
63
|
+
broadening adapter scope, or reading `.env`.
|
|
64
|
+
|
|
65
|
+
This skill depends on the evidence-pack contract and may consume validated project adapters.
|
|
66
|
+
Adapters may add safe paths, ignored paths, documentation precedence, and evidence
|
|
67
|
+
requirements, but cannot weaken policy or turn this skill into database work.
|
|
68
|
+
|
|
69
|
+
## Approval Boundary
|
|
70
|
+
|
|
71
|
+
Explicit approval may permit one named non-secret static file read outside normal source
|
|
72
|
+
paths. Approval does not permit `.env` or secret-file reads, database connections, migration
|
|
73
|
+
execution, ORM generation, package installation, builds, tests, runtime checks, deployments,
|
|
74
|
+
Git mutation, or project writes.
|
|
75
|
+
|
|
76
|
+
## Completion
|
|
77
|
+
|
|
78
|
+
Claim `complete` only when the declared static scan scope was inspected, visible migration
|
|
79
|
+
surfaces are reported, skipped and not-verified areas are explicit, adapter limitations are
|
|
80
|
+
clear, and no project, Git, dependency, runtime, service, database, remote, generated-code, or
|
|
81
|
+
deployment state changed.
|
|
82
|
+
|
|
83
|
+
Report `partial`, `failed`, or `blocked` when adapter scope prevents scanning, requested
|
|
84
|
+
evidence requires database/runtime behavior, the project root cannot be established, or
|
|
85
|
+
safety exclusions prevent the requested conclusion.
|
|
86
|
+
|
|
87
|
+
These conditions are both the acceptance criteria and definition of done.
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
Adapters may enable `migration-review` only as an audit-only static inspection skill.
|
|
2
|
+
|
|
3
|
+
Allowed adapter extensions:
|
|
4
|
+
|
|
5
|
+
- `safeReadPaths` for migration, schema, config, and relevant package files.
|
|
6
|
+
- `ignoredPaths` for generated, dependency, build, coverage, and output directories.
|
|
7
|
+
- `documentationPrecedence` for migration runbooks or schema docs.
|
|
8
|
+
- `requiredEvidence` for migration files, schemas, config, risk indicators, and not-verified areas.
|
|
9
|
+
|
|
10
|
+
Adapters must not:
|
|
11
|
+
|
|
12
|
+
- Add commands for `migration-review`.
|
|
13
|
+
- Require database connections, migration execution, ORM generation, or package scripts.
|
|
14
|
+
- Include `.env`, credential, service-key, or secret-bearing paths.
|
|
15
|
+
- Change `migration-review` from `audit-only` to action-capable.
|
|
16
|
+
- Expand scope outside the declared project root without named approval.
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
display_name: Migration Review
|
|
2
|
+
short_description: Review static migration and schema evidence without database access.
|
|
3
|
+
default_prompt: Review this repository's migration and schema evidence as an audit-only pass without modifying files, applying migrations, connecting to databases, generating ORM clients, or reading secrets.
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
- Confirm the project root and declared static scope.
|
|
2
|
+
- Validate any project adapter before reading adapter metadata.
|
|
3
|
+
- Stop with `partial` if an adapter is present but does not enable `migration-review`.
|
|
4
|
+
- Exclude `.env`, secret-bearing, dependency, generated, output, and oversized files.
|
|
5
|
+
- Report migration files, schema files, config files, package script keys, and risk indicators.
|
|
6
|
+
- Do not print package script command values.
|
|
7
|
+
- Record not-verified database state, rollback, generated-client, and production gaps.
|
|
8
|
+
- Declare that no database connection, migration execution, ORM generation, build, test, deploy, package install, secret read, or write occurred.
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
Evidence fields:
|
|
2
|
+
|
|
3
|
+
- Project root and Git branch state.
|
|
4
|
+
- Adapter presence, enabled state, and scope paths.
|
|
5
|
+
- Ignored paths and skipped static files.
|
|
6
|
+
- Migration files and reasons.
|
|
7
|
+
- Schema files and reasons.
|
|
8
|
+
- Migration config files and reasons.
|
|
9
|
+
- Package script keys, without command values.
|
|
10
|
+
- Static risk indicators by file and type.
|
|
11
|
+
- Not-verified database, rollback, generated-client, and production areas.
|
|
12
|
+
- Refused behavior and changed-state declaration.
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Safe examples:
|
|
2
|
+
|
|
3
|
+
```bash
|
|
4
|
+
coding-agent-skills migration-review /workspace/app
|
|
5
|
+
```
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
node scripts/render-migration-review.mjs tests/fixtures/migration-review/static-project
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Expected result: a report listing static migration files, schema/config files, package
|
|
12
|
+
script keys, risk indicators, skipped paths, not-verified database behavior, and refused
|
|
13
|
+
actions.
|
|
14
|
+
|
|
15
|
+
## Unsafe Examples
|
|
16
|
+
|
|
17
|
+
- Apply database migrations.
|
|
18
|
+
- Connect to a local or remote database to inspect applied state.
|
|
19
|
+
- Generate ORM clients or migration files.
|
|
20
|
+
- Read `.env`, credentials, service keys, or private runtime config.
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
- Missing migration directories: report uncertainty instead of assuming no database exists.
|
|
2
|
+
- Adapter present without `migration-review`: return `partial` and read no target files.
|
|
3
|
+
- Secret-bearing paths: skip and record the exclusion without printing values.
|
|
4
|
+
- Destructive-looking SQL: report the static indicator without judging production safety.
|
|
5
|
+
- Requested database state or rollback proof: stop at the approval boundary because this skill is static only.
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
{
|
|
2
|
+
"adapterId": "github-handoff-fixture",
|
|
3
|
+
"adapterVersion": "1.0.0",
|
|
4
|
+
"project": {
|
|
5
|
+
"id": "fixture-github-handoff",
|
|
6
|
+
"detection": {
|
|
7
|
+
"rootMarkers": [
|
|
8
|
+
{"kind": "file", "path": "package.json"},
|
|
9
|
+
{"kind": "file", "path": "README.md"}
|
|
10
|
+
],
|
|
11
|
+
"maximumDepth": 1,
|
|
12
|
+
"scope": "declared-project-root",
|
|
13
|
+
"requireApprovalOutsideScope": true
|
|
14
|
+
}
|
|
15
|
+
},
|
|
16
|
+
"supportedSkills": [
|
|
17
|
+
{
|
|
18
|
+
"id": "github-handoff",
|
|
19
|
+
"compatibleVersions": ["0.2.3", "0.2.x"],
|
|
20
|
+
"declaredMode": "audit-only"
|
|
21
|
+
}
|
|
22
|
+
],
|
|
23
|
+
"extensions": {
|
|
24
|
+
"safeReadPaths": ["README.md", "package.json", "src"],
|
|
25
|
+
"ignoredPaths": ["node_modules", "dist", "build", "tmp"],
|
|
26
|
+
"documentationPrecedence": ["README.md"],
|
|
27
|
+
"commandAliases": [],
|
|
28
|
+
"safeStatusCommands": [],
|
|
29
|
+
"requiredEvidence": ["branch state", "HEAD", "working-tree state", "changed-file summary", "handoff summary"],
|
|
30
|
+
"expectedRuntimeManagers": [],
|
|
31
|
+
"expectedPackageManagers": ["npm"]
|
|
32
|
+
},
|
|
33
|
+
"approvalRequirements": [],
|
|
34
|
+
"inheritance": {
|
|
35
|
+
"sharedRestrictions": "required",
|
|
36
|
+
"deniedOperationCategories": [
|
|
37
|
+
"file-write",
|
|
38
|
+
"package-install",
|
|
39
|
+
"deployment",
|
|
40
|
+
"git-mutation",
|
|
41
|
+
"unrestricted-scan",
|
|
42
|
+
"secret-read",
|
|
43
|
+
"process-mutation",
|
|
44
|
+
"service-mutation",
|
|
45
|
+
"migration-apply",
|
|
46
|
+
"privileged-api"
|
|
47
|
+
],
|
|
48
|
+
"allowRestrictionRemoval": false,
|
|
49
|
+
"allowModeOverride": false,
|
|
50
|
+
"allowFailureSuppression": false,
|
|
51
|
+
"allowCompletionOverride": false,
|
|
52
|
+
"allowSecretExposure": false,
|
|
53
|
+
"allowRequiredEvidenceRemoval": false,
|
|
54
|
+
"allowScopeExpansionWithoutApproval": false
|
|
55
|
+
}
|
|
56
|
+
}
|
|
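Review bot: `safeReadPaths` marks the whole `src` directory as safe to read while `ignoredPaths` lists only `node_modules`, `dist`, `build` and `tmp`, so nothing in this adapter itself keeps a `.env` or key file placed under `src` out of scope. `secret-read` is listed in `deniedOperationCategories`, but whether the core turns that into a filename exclusion inside a safe-read directory cannot be seen from this file. If this fixture backs the pack tests, adding a secret-named file under `src` and asserting it is reported as skipped would pin that behaviour. Otherwise the entry could be narrowed to the files the handoff actually needs.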
@@ -0,0 +1,23 @@
|
|
|
1
|
+
{
|
|
2
|
+
"declarationVersion": "1.0.0",
|
|
3
|
+
"projectId": "fixture-github-handoff",
|
|
4
|
+
"adapterRoot": ".coding-agent/adapters",
|
|
5
|
+
"adapterSchemaVersion": "1.0.0",
|
|
6
|
+
"core": {
|
|
7
|
+
"id": "coding-agent-skills",
|
|
8
|
+
"expectedVersion": "0.2.3",
|
|
9
|
+
"versionPin": ">=0.2.3 <0.3.0"
|
|
10
|
+
},
|
|
11
|
+
"compatibleSkillIds": ["github-handoff"],
|
|
12
|
+
"adapters": [
|
|
13
|
+
{
|
|
14
|
+
"id": "github-handoff-fixture",
|
|
15
|
+
"version": "1.0.0",
|
|
16
|
+
"skillIds": ["github-handoff"]
|
|
17
|
+
}
|
|
18
|
+
],
|
|
19
|
+
"validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
|
|
20
|
+
"evidenceOutput": ".coding-agent/evidence",
|
|
21
|
+
"approvalPolicyReference": ".coding-agent/approval-policy.md",
|
|
22
|
+
"noSecrets": true
|
|
23
|
+
}
|
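Review bot: `expectedVersion` is `0.2.3` and `versionPin` is `>=0.2.3 <0.3.0`, yet the only skill this declaration enables is `github-handoff`, which the file list of this 0.2.12 → 0.2.14 diff shows as newly added. The pin therefore accepts core releases that appear not to ship the skill, so an installation could validate against a core that cannot run it. Unless the validator requires these literal values in fixtures, raise the floor to the first release that contains the skill, e.g. `"versionPin": ">=<first-release-with-github-handoff> <0.3.0"` with a matching `expectedVersion`. The adapter fixture's `compatibleVersions` entry carries the same `0.2.3` floor.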