coding-agent-skills 0.2.13 → 0.2.14
- package/CHANGELOG.md +20 -0
- package/README.md +4 -0
- package/ROADMAP.md +5 -3
- package/bin/coding-agent-skills +7 -0
- package/docs/adapters/README.md +18 -0
- package/docs/adapters/project-installation.md +12 -0
- package/docs/adapters/real-project-adoption.md +3 -2
- package/docs/architecture/README.md +3 -2
- package/docs/release/README.md +3 -2
- package/docs/release/npm-package.md +7 -2
- package/docs/safety/README.md +6 -1
- package/docs/testing/README.md +8 -0
- package/docs/usage/README.md +15 -5
- package/examples/command-policies/github-handoff.json +74 -0
- package/examples/evidence-packs/github-handoff.json +67 -0
- package/examples/manifests/github-handoff.json +14 -0
- package/examples/workflows/github-handoff.md +5 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +16 -0
- package/schemas/project-adapter-installation.schema.json +2 -0
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/github-handoff.mjs +446 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/render-github-handoff.mjs +7 -0
- package/scripts/test-pack.mjs +89 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/github-handoff/SKILL.md +95 -0
- package/skills/github-handoff/adapter-interface.md +18 -0
- package/skills/github-handoff/agents/openai.yaml +3 -0
- package/skills/github-handoff/checklist.md +10 -0
- package/skills/github-handoff/evidence-template.md +16 -0
- package/skills/github-handoff/examples.md +19 -0
- package/skills/github-handoff/failure-modes.md +8 -0
- package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
- package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
- package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
- package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
- package/tests/fixtures/github-handoff/static-project/README.md +3 -0
- package/tests/fixtures/github-handoff/static-project/package.json +4 -0
- package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
- package/tests/fixtures/triggers/cases.json +14 -2
- package/tests/trigger/README.md +2 -0
- package/work-ledger.md +16 -6
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,26 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes follow [Semantic Versioning](docs/versioning/README.md).
|
|
4
4
|
|
|
5
|
+
## [0.2.14] - 2026-07-03
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- `github-handoff` audit-only skill for local Git handoff evidence before separately
|
|
10
|
+
approved GitHub work.
|
|
11
|
+
- `coding-agent-skills github-handoff <project-root>` CLI command.
|
|
12
|
+
- Dependency-free GitHub handoff renderer for branch state, HEAD, tags at HEAD, remote
|
|
13
|
+
names, changed-file summaries, secret-bearing path redaction, adapter-limited scope,
|
|
14
|
+
and safety refusals.
|
|
15
|
+
- Synthetic github-handoff fixtures and release tests that create disposable Git
|
|
16
|
+
repositories under `/tmp` for generic, adapter-scoped, and repo-map-only adapter cases.
|
|
17
|
+
|
|
18
|
+
### Changed
|
|
19
|
+
|
|
20
|
+
- Adapter schemas and validators now recognize `github-handoff` as an audit-only skill
|
|
21
|
+
while preserving the existing `0.2.3` adapter contract compatibility baseline.
|
|
22
|
+
- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
|
|
23
|
+
describe the new local Git handoff report command.
|
|
24
|
+
|
|
5
25
|
## [0.2.13] - 2026-07-03
|
|
6
26
|
|
|
7
27
|
### Added
|
package/README.md
CHANGED
|
@@ -11,6 +11,7 @@ The pilot pack contains:
|
|
|
11
11
|
- `secret-audit`: audit-only high-confidence secret exposure detection without values.
|
|
12
12
|
- `api-contract-audit`: audit-only static API contract surface mapping.
|
|
13
13
|
- `migration-review`: audit-only static migration and schema evidence review.
|
|
14
|
+
- `github-handoff`: audit-only local Git handoff evidence before separately approved GitHub work.
|
|
14
15
|
- `build-verify`: controlled local validation using existing project commands.
|
|
15
16
|
- `git-preflight`: audit-only Git readiness inspection.
|
|
16
17
|
- `runtime-truth`: audit-only runtime evidence collection.
|
|
@@ -48,6 +49,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
48
49
|
- Find redacted secret exposure risks with `coding-agent-skills secret-audit <project-root>`.
|
|
49
50
|
- Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
|
|
50
51
|
- Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
|
|
52
|
+
- Prepare local Git handoff evidence with `coding-agent-skills github-handoff <project-root>`.
|
|
51
53
|
- Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
|
|
52
54
|
- Review [external adapter discovery](docs/adapters/discovery.md).
|
|
53
55
|
- Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
|
|
@@ -63,6 +65,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
63
65
|
`node scripts/render-api-contract-audit.mjs <project-root>`.
|
|
64
66
|
- Render a static migration review report with
|
|
65
67
|
`node scripts/render-migration-review.mjs <project-root>`.
|
|
68
|
+
- Render a local GitHub handoff report with
|
|
69
|
+
`node scripts/render-github-handoff.mjs <project-root>`.
|
|
66
70
|
- Review [adapter upgrade checks](docs/adapters/upgrades.md).
|
|
67
71
|
- Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
|
|
68
72
|
for disposable project revisions.
|
package/ROADMAP.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Roadmap
|
|
2
2
|
|
|
3
|
-
The public package now contains
|
|
3
|
+
The public package now contains eleven approved shared skills. Builder-mode approval is
|
|
4
4
|
active for the remaining read-only skill wave in this repository; real-world project
|
|
5
5
|
execution constraints remain unchanged.
|
|
6
6
|
|
|
@@ -38,6 +38,8 @@ execution constraints remain unchanged.
|
|
|
38
38
|
contract surface mapping.
|
|
39
39
|
- `v0.2.13`: audit-only `migration-review` skill and CLI renderer for static migration
|
|
40
40
|
and schema evidence review.
|
|
41
|
+
- `v0.2.14`: audit-only `github-handoff` skill and CLI renderer for local Git handoff
|
|
42
|
+
evidence before separately approved GitHub work.
|
|
41
43
|
|
|
42
44
|
The next milestone is recorded in [work-ledger.md](work-ledger.md). The
|
|
43
45
|
[maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
|
|
@@ -83,8 +85,8 @@ Next safe milestone options:
|
|
|
83
85
|
| `secret-audit-skill` | General | Audit-only | Implemented in `v0.2.11` |
|
|
84
86
|
| `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
|
|
85
87
|
| `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
|
|
86
|
-
| `github-handoff-skill` | General | Audit-only |
|
|
87
|
-
| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved;
|
|
88
|
+
| `github-handoff-skill` | General | Audit-only | Implemented in `v0.2.14` |
|
|
89
|
+
| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; next in wave |
|
|
88
90
|
| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
|
89
91
|
| `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
|
|
90
92
|
| `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
package/bin/coding-agent-skills
CHANGED
|
@@ -53,6 +53,12 @@ const commands = {
|
|
|
53
53
|
usage: "coding-agent-skills migration-review <project-root>",
|
|
54
54
|
requiredArgs: 1,
|
|
55
55
|
},
|
|
56
|
+
"github-handoff": {
|
|
57
|
+
script: "scripts/render-github-handoff.mjs",
|
|
58
|
+
args: ([projectRoot]) => [projectRoot],
|
|
59
|
+
usage: "coding-agent-skills github-handoff <project-root>",
|
|
60
|
+
requiredArgs: 1,
|
|
61
|
+
},
|
|
56
62
|
"validate-adapters": {
|
|
57
63
|
script: "scripts/validate-adapters.mjs",
|
|
58
64
|
args: ([adapterRoot]) => [adapterRoot],
|
|
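Review bot: In the new `github-handoff` entry, `args: ([projectRoot]) => [projectRoot]` forwards the user-supplied path to `scripts/render-github-handoff.mjs` unchanged, and nothing visible here checks that it is an existing directory or that it does not begin with `-`. Because the renderer runs Git against that location, resolve the value to an absolute path and reject non-directories before dispatch, or confirm the renderer does this itself and uses the path as a working directory rather than as a positional Git argument. The destructuring also silently drops any extra arguments, so if `requiredArgs: 1` is a minimum rather than an exact count, an explicit "exactly one argument" check would be clearer.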
@@ -74,6 +80,7 @@ function usage(exitCode = 0) {
|
|
|
74
80
|
" secret-audit <project-root>",
|
|
75
81
|
" api-contract-audit <project-root>",
|
|
76
82
|
" migration-review <project-root>",
|
|
83
|
+
" github-handoff <project-root>",
|
|
77
84
|
" validate-adapters <adapter-root>",
|
|
78
85
|
"",
|
|
79
86
|
"local wrapper for the published coding-agent-skills package",
|
package/docs/adapters/README.md
CHANGED
|
@@ -122,6 +122,22 @@ skipped paths, and not-verified database behavior. It never connects to database
|
|
|
122
122
|
executes migrations, generates ORM clients, builds, tests, deploys, or mutates project
|
|
123
123
|
files.
|
|
124
124
|
|
|
125
|
+
## Adapter-Aware GitHub Handoff Consumption
|
|
126
|
+
|
|
127
|
+
The shared pack can consume a validated project-owned adapter as bounded context for
|
|
128
|
+
`github-handoff`:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
node scripts/render-github-handoff.mjs <project-root>
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
The renderer validates the project declaration when present. If an adapter is present but
|
|
135
|
+
does not enable `github-handoff`, it reports an adapter-limited skip instead of listing
|
|
136
|
+
changed-file details. When enabled, it uses local Git metadata only: branch state, HEAD,
|
|
137
|
+
tags at HEAD, remote names, and changed-file summaries. It never prints remote URLs,
|
|
138
|
+
reads tokens, creates pull requests, commits, pushes, tags, calls GitHub APIs, or mutates
|
|
139
|
+
project files.
|
|
140
|
+
|
|
125
141
|
## What Adapters May Do
|
|
126
142
|
|
|
127
143
|
- Add bounded relative read paths and ignored paths.
|
|
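Review bot: The new "Adapter-Aware GitHub Handoff Consumption" section says the renderer "validates the project declaration when present" but never states what happens when that validation fails; only the valid-but-not-enabled case (adapter-limited skip) is described. Spell out the failure behaviour, for example that the renderer refuses and reports no changed-file details, so a malformed `.coding-agent/skills.json` cannot be read as falling back to the generic, unscoped report.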
@@ -135,6 +151,8 @@ files.
|
|
|
135
151
|
handlers, client calls, and schema/type files.
|
|
136
152
|
- Add migration-review safe read paths for static migration, schema, config, and package
|
|
137
153
|
files while relying on the shared reviewer to exclude secret-bearing paths.
|
|
154
|
+
- Add github-handoff required evidence labels and ignored path labels while relying on the
|
|
155
|
+
shared renderer to avoid remote URLs, tokens, and GitHub mutation.
|
|
138
156
|
- Add command aliases that already satisfy the shared command policy.
|
|
139
157
|
- Add status-only runtime commands and manager hints.
|
|
140
158
|
- Require additional evidence or named approval for exceptional reads.
|
|
@@ -170,6 +170,18 @@ files, schema/config files, package script keys, static risk indicators, and not
|
|
|
170
170
|
database behavior without connecting to databases, applying migrations, generating ORM
|
|
171
171
|
clients, or running package scripts.
|
|
172
172
|
|
|
173
|
+
A project-owned adapter can also enable read-only `github-handoff` context:
|
|
174
|
+
|
|
175
|
+
```bash
|
|
176
|
+
node scripts/render-github-handoff.mjs <project-root>
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
The GitHub handoff renderer validates the project declaration when present. If the adapter
|
|
180
|
+
is present but does not enable `github-handoff`, it reports an adapter-limited skip.
|
|
181
|
+
When enabled, it reports local Git metadata and changed-file summaries without printing
|
|
182
|
+
remote URLs, reading tokens, creating pull requests, committing, pushing, tagging, calling
|
|
183
|
+
GitHub APIs, or changing project files.
|
|
184
|
+
|
|
173
185
|
## Safety Boundary
|
|
174
186
|
|
|
175
187
|
Project adapters are extension-only. They cannot remove denied operations, change an
|
|
@@ -21,8 +21,9 @@ project repository is touched:
|
|
|
21
21
|
- The project can declare exactly one installation file: `.coding-agent/skills.json` or
|
|
22
22
|
`coding-agent.skills.json`.
|
|
23
23
|
- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
|
|
24
|
-
`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
25
|
-
`
|
|
24
|
+
`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
25
|
+
`github-handoff`, `build-verify`, `git-preflight`, `runtime-truth`, or
|
|
26
|
+
`llm-drift-control`.
|
|
26
27
|
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
27
28
|
aliases, status-only hints, or extra evidence requirements.
|
|
28
29
|
- The adapter does not require deployment, migration, package installation, Git
|
|
@@ -17,6 +17,7 @@ Audit-only:
|
|
|
17
17
|
- `secret-audit`
|
|
18
18
|
- `api-contract-audit`
|
|
19
19
|
- `migration-review`
|
|
20
|
+
- `github-handoff`
|
|
20
21
|
- `git-preflight`
|
|
21
22
|
- `runtime-truth`
|
|
22
23
|
- `llm-drift-control`
|
|
@@ -26,5 +27,5 @@ Controlled local validation:
|
|
|
26
27
|
- `build-verify`
|
|
27
28
|
|
|
28
29
|
The evidence pack is a shared output contract, not an executable skill. Deployment
|
|
29
|
-
preflight,
|
|
30
|
-
|
|
30
|
+
preflight, provider operations, and additional project adapters remain separate future
|
|
31
|
+
work.
|
package/docs/release/README.md
CHANGED
|
@@ -20,8 +20,9 @@
|
|
|
20
20
|
folders, generated output, and unrelated repositories.
|
|
21
21
|
14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
|
|
22
22
|
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
|
|
23
|
-
`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
|
|
24
|
-
`coding-agent-skills api-contract-audit`,
|
|
23
|
+
`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
|
|
24
|
+
`coding-agent-skills api-contract-audit`, `coding-agent-skills migration-review`,
|
|
25
|
+
or `coding-agent-skills github-handoff`
|
|
25
26
|
against synthetic fixtures only unless a real project read-only smoke is explicitly
|
|
26
27
|
approved.
|
|
27
28
|
16. Review changelog, ledger, run evidence, and versioning impact.
|
|
@@ -7,7 +7,7 @@ safety model.
|
|
|
7
7
|
## Current Package Shape
|
|
8
8
|
|
|
9
9
|
- Package name: `coding-agent-skills`.
|
|
10
|
-
- Package version: `0.2.
|
|
10
|
+
- Package version: `0.2.14`.
|
|
11
11
|
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
12
|
- Module type: `module`.
|
|
13
13
|
- Dependencies: none.
|
|
@@ -32,6 +32,7 @@ coding-agent-skills env-audit /path/to/project
|
|
|
32
32
|
coding-agent-skills secret-audit /path/to/project
|
|
33
33
|
coding-agent-skills api-contract-audit /path/to/project
|
|
34
34
|
coding-agent-skills migration-review /path/to/project
|
|
35
|
+
coding-agent-skills github-handoff /path/to/project
|
|
35
36
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
36
37
|
```
|
|
37
38
|
|
|
@@ -56,6 +57,9 @@ without running servers, calling APIs, or generating clients or schemas.
|
|
|
56
57
|
files, package script keys, static risk indicators, and not-verified database behavior
|
|
57
58
|
without connecting to databases, applying migrations, generating ORM clients, or reading
|
|
58
59
|
secrets.
|
|
60
|
+
`github-handoff` is local Git metadata only; it reports branch state, HEAD, tags at HEAD,
|
|
61
|
+
remote names, and changed-file summaries without printing remote URLs, reading tokens,
|
|
62
|
+
creating pull requests, committing, pushing, tagging, or calling GitHub APIs.
|
|
59
63
|
|
|
60
64
|
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
61
65
|
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
|
@@ -90,7 +94,8 @@ included.
|
|
|
90
94
|
|
|
91
95
|
The public CLI remains read-only for target projects unless a specific underlying skill
|
|
92
96
|
already permits a bounded local validation action. The installed `repo-map`,
|
|
93
|
-
`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
97
|
+
`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
98
|
+
`github-handoff`, and adapter flows do not:
|
|
94
99
|
|
|
95
100
|
- deploy
|
|
96
101
|
- run migrations
|
package/docs/safety/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## Audit-Only Rule
|
|
4
4
|
|
|
5
|
-
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
5
|
+
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
6
6
|
|
|
7
7
|
`route-trace` is static only. It may read bounded non-secret route files and route
|
|
8
8
|
configuration, but it must not execute app code, run servers, hit URLs, claim runtime
|
|
@@ -27,6 +27,11 @@ config, and package files, but it must not connect to databases, apply migration
|
|
|
27
27
|
generate ORM clients, run package scripts, build, test, deploy, inspect runtime state, or
|
|
28
28
|
broaden adapter scope.
|
|
29
29
|
|
|
30
|
+
`github-handoff` is local Git metadata only. It may inspect branch state, HEAD, tags at
|
|
31
|
+
HEAD, remote names, and changed-file status, but it must not print remote URLs, read
|
|
32
|
+
tokens, create pull requests, commit, push, tag, call GitHub APIs, mutate Git state, or
|
|
33
|
+
broaden adapter scope.
|
|
34
|
+
|
|
30
35
|
`build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
|
|
31
36
|
|
|
32
37
|
## Restricted Categories
|
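Review bot: The added `github-handoff` paragraph lists what the skill must not do but does not require redaction of secret-bearing paths in changed-file status, although the 0.2.14 changelog entry advertises "secret-bearing path redaction" as renderer behaviour. Changed-file names can themselves disclose sensitive files, so add that requirement here to make it a stated safety rule rather than an implementation detail.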
package/docs/testing/README.md
CHANGED
|
@@ -67,6 +67,14 @@ adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must
|
|
|
67
67
|
connect to databases, apply migrations, generate ORM clients, run package scripts, build,
|
|
68
68
|
test, deploy, or read `.env` files.
|
|
69
69
|
|
|
70
|
+
## GitHub Handoff
|
|
71
|
+
|
|
72
|
+
Synthetic github-handoff projects are copied into disposable Git repositories under
|
|
73
|
+
`/tmp` during tests. The harness verifies branch state, HEAD, tags at HEAD, changed-file
|
|
74
|
+
summary, adapter-declared evidence metadata, and adapter-present-but-not-enabled behavior.
|
|
75
|
+
Tests must never commit to the shared repository, push, tag shared history, create pull
|
|
76
|
+
requests, call GitHub APIs, print remote URLs, read tokens, or read `.env` files.
|
|
77
|
+
|
|
70
78
|
## Privacy And Redaction
|
|
71
79
|
|
|
72
80
|
Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
|
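Review bot: "disposable Git repositories under `/tmp`" in the new GitHub Handoff section does not say how those directories are named or cleaned up. Document that the harness creates a uniquely named directory per run (for example with `fs.mkdtemp` under `os.tmpdir()`) and removes it afterwards, since fixed names in a shared `/tmp` invite collisions and symlink races between runs or users.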
package/docs/usage/README.md
CHANGED
|
@@ -10,6 +10,7 @@ Select the least-privileged skill that matches the request:
|
|
|
10
10
|
| Find high-confidence secret exposure risks without values | `secret-audit` |
|
|
11
11
|
| Map static API contract surfaces | `api-contract-audit` |
|
|
12
12
|
| Review static migration and schema evidence | `migration-review` |
|
|
13
|
+
| Prepare local GitHub handoff evidence | `github-handoff` |
|
|
13
14
|
| Run existing local validation checks | `build-verify` |
|
|
14
15
|
| Assess Git handoff readiness | `git-preflight` |
|
|
15
16
|
| Determine what is actually running | `runtime-truth` |
|
|
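Review bot: The added row "Prepare local GitHub handoff evidence | `github-handoff`" sits two rows above "Assess Git handoff readiness | `git-preflight`", and the table gives a reader no basis for choosing between them when selecting the least-privileged skill. Add a short qualifier to each row stating what one reports that the other does not.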
@@ -27,11 +28,13 @@ Select the least-privileged skill that matches the request:
|
|
|
27
28
|
calls, and schema/type files must be mapped without runtime behavior.
|
|
28
29
|
6. Use `migration-review` when database migration, schema, config, package-script-key,
|
|
29
30
|
and static risk-indicator evidence must be mapped without database access.
|
|
30
|
-
7.
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
31
|
+
7. Use `github-handoff` when local Git metadata and changed-file summaries are needed
|
|
32
|
+
before separately approved GitHub work.
|
|
33
|
+
8. Perform implementation outside this pilot pack.
|
|
34
|
+
9. Use `build-verify` for approved project-native checks.
|
|
35
|
+
10. Use `git-preflight` before handoff or publication.
|
|
36
|
+
11. Use `runtime-truth` only when live local state matters.
|
|
37
|
+
12. Use `llm-drift-control` when claims and evidence may disagree.
|
|
35
38
|
|
|
36
39
|
Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
|
|
37
40
|
|
|
@@ -67,6 +70,7 @@ coding-agent-skills env-audit /path/to/project
|
|
|
67
70
|
coding-agent-skills secret-audit /path/to/project
|
|
68
71
|
coding-agent-skills api-contract-audit /path/to/project
|
|
69
72
|
coding-agent-skills migration-review /path/to/project
|
|
73
|
+
coding-agent-skills github-handoff /path/to/project
|
|
70
74
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
71
75
|
```
|
|
72
76
|
|
|
@@ -96,6 +100,10 @@ client-call patterns, schema/type files, skipped paths, and not-verified runtime
|
|
|
96
100
|
paths when enabled, and statically reports migration files, schema/config files, package
|
|
97
101
|
script keys, risk indicators, skipped paths, and not-verified database behavior without
|
|
98
102
|
database access or migration execution.
|
|
103
|
+
`github-handoff` validates a project adapter when present, then reports local Git branch
|
|
104
|
+
state, HEAD, tags at HEAD, remote names, and changed-file summaries without printing
|
|
105
|
+
remote URLs, committing, pushing, tagging, creating pull requests, calling GitHub APIs,
|
|
106
|
+
or reading tokens.
|
|
99
107
|
|
|
100
108
|
The installed CLI does not run target project builds or tests, perform runtime checks,
|
|
101
109
|
deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
|
|
@@ -114,6 +122,7 @@ bin/coding-agent-skills env-audit /path/to/project
|
|
|
114
122
|
bin/coding-agent-skills secret-audit /path/to/project
|
|
115
123
|
bin/coding-agent-skills api-contract-audit /path/to/project
|
|
116
124
|
bin/coding-agent-skills migration-review /path/to/project
|
|
125
|
+
bin/coding-agent-skills github-handoff /path/to/project
|
|
117
126
|
bin/coding-agent-skills validate-adapters /path/to/adapter-root
|
|
118
127
|
```
|
|
119
128
|
|
|
@@ -129,6 +138,7 @@ coding-agent-skills env-audit /path/to/project
|
|
|
129
138
|
coding-agent-skills secret-audit /path/to/project
|
|
130
139
|
coding-agent-skills api-contract-audit /path/to/project
|
|
131
140
|
coding-agent-skills migration-review /path/to/project
|
|
141
|
+
coding-agent-skills github-handoff /path/to/project
|
|
132
142
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
133
143
|
```
|
|
134
144
|
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "0.2.3",
|
|
3
|
+
"mode": "audit-only",
|
|
4
|
+
"parserPolicy": {
|
|
5
|
+
"inspectEverySegment": true,
|
|
6
|
+
"inspectScriptBodies": true,
|
|
7
|
+
"rejectUnknownExecutables": true,
|
|
8
|
+
"rejectShellWrappers": true,
|
|
9
|
+
"rejectHeredocs": true,
|
|
10
|
+
"rejectRedirection": true,
|
|
11
|
+
"providerSpecificNpx": true,
|
|
12
|
+
"authenticatedCurlRequiresApproval": true,
|
|
13
|
+
"boundedReadsRequired": true,
|
|
14
|
+
"allowedComposition": "read-only"
|
|
15
|
+
},
|
|
16
|
+
"allowedFamilies": [
|
|
17
|
+
{
|
|
18
|
+
"name": "local-git-handoff-inspection",
|
|
19
|
+
"executables": ["git"],
|
|
20
|
+
"argumentPolicy": {
|
|
21
|
+
"strategy": "exact",
|
|
22
|
+
"allowedPatterns": [
|
|
23
|
+
"status --short --branch",
|
|
24
|
+
"rev-parse --show-toplevel",
|
|
25
|
+
"rev-parse --abbrev-ref HEAD",
|
|
26
|
+
"rev-parse HEAD",
|
|
27
|
+
"log -1 --format=%s",
|
|
28
|
+
"tag --points-at HEAD",
|
|
29
|
+
"remote"
|
|
30
|
+
],
|
|
31
|
+
"deniedPatterns": [
|
|
32
|
+
"remote URL printing, commits, pushes, tags, branch changes, pull requests, releases, and GitHub API calls"
|
|
33
|
+
]
|
|
34
|
+
},
|
|
35
|
+
"constraints": [
|
|
36
|
+
"Inspect local Git metadata only.",
|
|
37
|
+
"Do not print remote URLs.",
|
|
38
|
+
"Do not mutate Git state."
|
|
39
|
+
]
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
"name": "github-handoff-renderer",
|
|
43
|
+
"executables": ["node", "coding-agent-skills"],
|
|
44
|
+
"argumentPolicy": {
|
|
45
|
+
"strategy": "exact",
|
|
46
|
+
"allowedPatterns": [
|
|
47
|
+
"node scripts/render-github-handoff.mjs <project-root>; coding-agent-skills github-handoff <project-root>"
|
|
48
|
+
],
|
|
49
|
+
"deniedPatterns": [
|
|
50
|
+
"PR creation, release creation, GitHub API mutation, token reads, secret-file reads, commits, pushes, and tags"
|
|
51
|
+
]
|
|
52
|
+
},
|
|
53
|
+
"constraints": [
|
|
54
|
+
"The renderer must remain audit-only.",
|
|
55
|
+
"Do not read tokens, print remote URLs, create pull requests, commit, push, or tag."
|
|
56
|
+
]
|
|
57
|
+
}
|
|
58
|
+
],
|
|
59
|
+
"restrictedCategories": [
|
|
60
|
+
"file-write",
|
|
61
|
+
"package-install",
|
|
62
|
+
"deployment",
|
|
63
|
+
"git-mutation",
|
|
64
|
+
"unrestricted-scan",
|
|
65
|
+
"secret-read",
|
|
66
|
+
"process-mutation",
|
|
67
|
+
"service-mutation",
|
|
68
|
+
"migration-apply",
|
|
69
|
+
"privileged-api"
|
|
70
|
+
],
|
|
71
|
+
"approvalExceptions": [
|
|
72
|
+
"No approval exception may turn github-handoff into a GitHub mutation workflow."
|
|
73
|
+
]
|
|
74
|
+
}
|
|
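Review bot: In the `github-handoff-renderer` family, `"strategy": "exact"` is paired with a single `allowedPatterns` string that joins two commands with `;` and embeds the `<project-root>` placeholder, so under a literal reading it matches neither real invocation and looks like the command chaining that `parserPolicy` is meant to reject. Split it into one entry per command and define how the placeholder is matched. Related points in the same file: the `local-git-handoff-inspection` patterns omit the executable while the renderer pattern includes it; `log -1 --format=%s` is allowed although the docs' list of reported data (branch state, HEAD, tags at HEAD, remote names, changed-file summaries) never mentions the commit subject; and both `deniedPatterns` arrays hold prose sentences rather than patterns, so a validator cannot enforce them.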
@@ -0,0 +1,67 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "github-handoff", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-github-handoff",
|
|
6
|
+
"startedAt": "2026-07-03T12:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-03T12:01:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "dirty"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Prepare a read-only GitHub handoff report.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "none",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "high",
|
|
22
|
+
"reason": "Local Git metadata and changed-file summary were collected without mutation."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills github-handoff /workspace/example-project",
|
|
27
|
+
"family": "github-handoff-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-03T12:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-03T12:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render local Git handoff evidence.",
|
|
36
|
+
"outputSummary": "Reported branch state, HEAD, tags at HEAD, remote names, and changed-file summary without printing remote URLs."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [
|
|
40
|
+
{
|
|
41
|
+
"name": "GitHub API state",
|
|
42
|
+
"reason": "The skill is local and read-only.",
|
|
43
|
+
"consequence": "PR, CI, and review state are not verified.",
|
|
44
|
+
"completionPermitted": true
|
|
45
|
+
}
|
|
46
|
+
],
|
|
47
|
+
"findings": [
|
|
48
|
+
{
|
|
49
|
+
"summary": "Working-tree handoff evidence was mapped.",
|
|
50
|
+
"evidence": ["branch state", "HEAD", "changed-file summary"]
|
|
51
|
+
}
|
|
52
|
+
],
|
|
53
|
+
"risks": [
|
|
54
|
+
{
|
|
55
|
+
"summary": "Remote PR and CI state were not checked.",
|
|
56
|
+
"evidence": ["GitHub API access was not used"]
|
|
57
|
+
}
|
|
58
|
+
],
|
|
59
|
+
"failures": [],
|
|
60
|
+
"unresolvedQuestions": [],
|
|
61
|
+
"changedState": {
|
|
62
|
+
"changed": false,
|
|
63
|
+
"summary": "No project, Git, GitHub, dependency, runtime, service, or remote state changed."
|
|
64
|
+
},
|
|
65
|
+
"handoffSummary": "Local Git handoff evidence is available; GitHub remote state remains unverified.",
|
|
66
|
+
"recommendedNextAction": "Review the handoff report before approving any GitHub mutation."
|
|
67
|
+
}
|
|
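Review bot: The `commands` array in this example records only the wrapper invocation (`coding-agent-skills github-handoff /workspace/example-project`), not the `git` calls behind it, so the evidence pack gives a reviewer nothing to check against the `local-git-handoff-inspection` allow-list. Either add the underlying Git commands as entries with that family name or state in the contract that wrapper-level recording is sufficient. Also, `findings[0].evidence` names three items while `outputSummary` names five; tags at HEAD and remote names are missing from the evidence list.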
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "github-handoff",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/github-handoff.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/github-handoff/adapter-interface.md",
|
|
13
|
+
"description": "Prepare local Git handoff evidence without GitHub mutation."
|
|
14
|
+
}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
# GitHub Handoff Workflow
|
|
2
|
+
|
|
3
|
+
Run `coding-agent-skills github-handoff /path/to/project` to summarize local Git metadata and changed-file status before a separately approved GitHub action.
|
|
4
|
+
|
|
5
|
+
The workflow is audit-only: it does not commit, push, tag, create pull requests, call GitHub APIs, read tokens, read secret files, or write project files.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "coding-agent-skills",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.14",
|
|
4
4
|
"description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"private": false,
|
|
@@ -14,6 +14,7 @@
|
|
|
14
14
|
"secret-audit",
|
|
15
15
|
"api-contract-audit",
|
|
16
16
|
"migration-review",
|
|
17
|
+
"github-handoff",
|
|
17
18
|
"project-adapters",
|
|
18
19
|
"code-validation",
|
|
19
20
|
"cli"
|
package/runs/skill-runs.md
CHANGED
|
@@ -243,5 +243,21 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
|
|
|
243
243
|
connections, no migration execution, no ORM generation, no package scripts, no builds,
|
|
244
244
|
no tests in target projects, no deploys, and no target-project mutation.
|
|
245
245
|
- Validation commands: pending final release validation matrix.
|
|
246
|
+
- Result: passed; `v0.2.13` was committed, pushed, tagged, published to npm, smoke-tested
|
|
247
|
+
from the registry, and released on GitHub.
|
|
248
|
+
- Commit/tag/push status: complete.
|
|
249
|
+
|
|
250
|
+
## implementation-v0.2.14-github-handoff
|
|
251
|
+
|
|
252
|
+
- Run ID: `implementation-v0.2.14-github-handoff`
|
|
253
|
+
- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
|
|
254
|
+
- Command used: `builder-mode approval for github-handoff-skill implementation and release`
|
|
255
|
+
- Files changed: `github-handoff` skill, GitHub handoff renderer and library, CLI wrapper,
|
|
256
|
+
adapter schemas, pack rules, release tests, synthetic handoff fixtures, usage/release/
|
|
257
|
+
safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
|
|
258
|
+
- Safety boundary: read-only local Git metadata only, no `.env` reads, no token reads, no
|
|
259
|
+
remote URL printing, no commits, no pushes, no tags, no pull request creation, no GitHub
|
|
260
|
+
API calls, and no target-project mutation.
|
|
261
|
+
- Validation commands: pending final release validation matrix.
|
|
246
262
|
- Result: pass pending final publication evidence.
|
|
247
263
|
- Commit/tag/push status: pending approved release workflow.
|
|
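Review bot: The new `implementation-v0.2.14-github-handoff` entry publishes an absolute home-directory path, `/home/oneclickwebsitedesignfactory/coding-agent-skills`, in a file that ships in the npm package, which discloses the maintainer's local account name and filesystem layout. Use a repository-relative or placeholder value for `Repository`. The entry is also released with "Validation commands: pending final release validation matrix" and a pending result; record the actual validation evidence before publishing, or keep the run log out of the published files.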
@@ -70,6 +70,7 @@
|
|
|
70
70
|
"secret-audit",
|
|
71
71
|
"api-contract-audit",
|
|
72
72
|
"migration-review",
|
|
73
|
+
"github-handoff",
|
|
73
74
|
"build-verify",
|
|
74
75
|
"git-preflight",
|
|
75
76
|
"runtime-truth",
|
|
@@ -107,6 +108,7 @@
|
|
|
107
108
|
"secret-audit",
|
|
108
109
|
"api-contract-audit",
|
|
109
110
|
"migration-review",
|
|
111
|
+
"github-handoff",
|
|
110
112
|
"build-verify",
|
|
111
113
|
"git-preflight",
|
|
112
114
|
"runtime-truth",
|
|
@@ -94,6 +94,7 @@
|
|
|
94
94
|
"secret-audit",
|
|
95
95
|
"api-contract-audit",
|
|
96
96
|
"migration-review",
|
|
97
|
+
"github-handoff",
|
|
97
98
|
"build-verify",
|
|
98
99
|
"git-preflight",
|
|
99
100
|
"runtime-truth",
|
|
@@ -175,6 +176,7 @@
|
|
|
175
176
|
"secret-audit",
|
|
176
177
|
"api-contract-audit",
|
|
177
178
|
"migration-review",
|
|
179
|
+
"github-handoff",
|
|
178
180
|
"build-verify",
|
|
179
181
|
"git-preflight",
|
|
180
182
|
"runtime-truth",
|