coding-agent-skills 0.2.13 → 0.2.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/CHANGELOG.md +20 -0
  2. package/README.md +4 -0
  3. package/ROADMAP.md +5 -3
  4. package/bin/coding-agent-skills +7 -0
  5. package/docs/adapters/README.md +18 -0
  6. package/docs/adapters/project-installation.md +12 -0
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +3 -2
  9. package/docs/release/README.md +3 -2
  10. package/docs/release/npm-package.md +7 -2
  11. package/docs/safety/README.md +6 -1
  12. package/docs/testing/README.md +8 -0
  13. package/docs/usage/README.md +15 -5
  14. package/examples/command-policies/github-handoff.json +74 -0
  15. package/examples/evidence-packs/github-handoff.json +67 -0
  16. package/examples/manifests/github-handoff.json +14 -0
  17. package/examples/workflows/github-handoff.md +5 -0
  18. package/package.json +2 -1
  19. package/runs/skill-runs.md +16 -0
  20. package/schemas/project-adapter-installation.schema.json +2 -0
  21. package/schemas/project-adapter.schema.json +2 -0
  22. package/scripts/lib/github-handoff.mjs +446 -0
  23. package/scripts/lib/pack-rules.mjs +11 -2
  24. package/scripts/render-github-handoff.mjs +7 -0
  25. package/scripts/test-pack.mjs +89 -1
  26. package/scripts/validate-pack.mjs +5 -2
  27. package/skills/github-handoff/SKILL.md +95 -0
  28. package/skills/github-handoff/adapter-interface.md +18 -0
  29. package/skills/github-handoff/agents/openai.yaml +3 -0
  30. package/skills/github-handoff/checklist.md +10 -0
  31. package/skills/github-handoff/evidence-template.md +16 -0
  32. package/skills/github-handoff/examples.md +19 -0
  33. package/skills/github-handoff/failure-modes.md +8 -0
  34. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
  35. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
  36. package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
  37. package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
  38. package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
  39. package/tests/fixtures/github-handoff/static-project/README.md +3 -0
  40. package/tests/fixtures/github-handoff/static-project/package.json +4 -0
  41. package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
  42. package/tests/fixtures/triggers/cases.json +14 -2
  43. package/tests/trigger/README.md +2 -0
  44. package/work-ledger.md +16 -6
@@ -0,0 +1,95 @@
1
+ ---
2
+ name: github-handoff
3
+ description: Prepare read-only GitHub handoff evidence from local Git metadata. Use when Codex needs to summarize branch state, HEAD, tags at HEAD, remote names, and changed-file status before a separately approved pull request, release, or GitHub workflow handoff without creating commits, pushes, tags, pull requests, API calls, token reads, or file changes.
4
+ ---
5
+
6
+ # GitHub Handoff
7
+
8
+ ## Purpose And Use
9
+
10
+ Use this skill to produce a local, audit-only handoff report before a human or separately approved workflow performs GitHub work.
11
+
12
+ The skill is for local Git evidence only. It does not create pull requests, publish releases, push branches, inspect tokens, or call GitHub APIs.
13
+
14
+ ## Inputs
15
+
16
+ Required:
17
+
18
+ - Project root.
19
+
20
+ Optional:
21
+
22
+ - Project adapter declaration that enables `github-handoff`.
23
+ - Human-provided handoff intent.
24
+
25
+ Do not assume:
26
+
27
+ - GitHub authentication is available.
28
+ - Local commits are pushed.
29
+ - CI status, review status, or PR state is known.
30
+ - Remote URLs are safe to print.
31
+
32
+ ## Procedure
33
+
34
+ 1. Confirm the project root exists.
35
+ 2. Validate the project adapter when one is present.
36
+ 3. If an adapter exists but does not enable `github-handoff`, report `partial` and do not list changed files.
37
+ 4. Inspect local Git metadata only: root, branch state, current branch, HEAD, tags at HEAD, remote names, and status entries.
38
+ 5. Redact secret-bearing changed paths such as `.env`, key files, credential paths, or token paths.
39
+ 6. Summarize changed-file counts by status.
40
+ 7. Record skipped and not-verified GitHub state honestly.
41
+ 8. State refused behavior clearly.
42
+
43
+ ## Evidence, Recovery, And Dependencies
44
+
45
+ Expected evidence:
46
+
47
+ - Git root.
48
+ - Branch state.
49
+ - Current branch.
50
+ - HEAD or short HEAD.
51
+ - Tags at HEAD.
52
+ - Remote names only, not remote URLs.
53
+ - Changed-file summary.
54
+ - Redacted path count when applicable.
55
+
56
+ Recovery:
57
+
58
+ - If the directory is not a Git repository, return `failed` with no mutation.
59
+ - If Git status is unavailable, return a warning and preserve partial evidence.
60
+ - If adapter validation fails, fail closed.
61
+
62
+ Dependencies:
63
+
64
+ - Local Git command-line tool.
65
+ - Node.js 20+ for the packaged renderer.
66
+
67
+ ## Approval Boundary
68
+
69
+ This skill is audit-only.
70
+
71
+ Allowed:
72
+
73
+ - Read local Git metadata.
74
+ - List changed-file paths unless they are secret-bearing.
75
+ - Validate project adapter metadata.
76
+ - Render a handoff report.
77
+
78
+ Forbidden:
79
+
80
+ - Commit.
81
+ - Push.
82
+ - Tag.
83
+ - Checkout, reset, rebase, merge, stash, restore, or clean.
84
+ - Create pull requests.
85
+ - Create releases.
86
+ - Call GitHub APIs.
87
+ - Read tokens, `.env`, `.env.*`, `.npmrc`, keys, or credential files.
88
+ - Print remote URLs.
89
+ - Change project files.
90
+
91
+ ## Completion
92
+
93
+ Complete only after a report states what was verified, what was skipped, and what was not verified.
94
+
95
+ The completion boundary must say that no commit, push, tag, branch change, pull request creation, GitHub API mutation, token read, secret-file read, or project write occurred.
@@ -0,0 +1,18 @@
1
+ # GitHub Handoff Adapter Interface
2
+
3
+ Adapters may enable `github-handoff` as an audit-only skill.
4
+
5
+ Adapters may narrow:
6
+
7
+ - Required evidence labels.
8
+ - Ignored path labels.
9
+ - Documentation precedence used as human context.
10
+
11
+ Adapters must not:
12
+
13
+ - Permit commits, pushes, tags, pull request creation, release creation, or GitHub API mutation.
14
+ - Permit token reads.
15
+ - Permit secret-file reads.
16
+ - Suppress warnings or failures.
17
+ - Redefine completion.
18
+ - Escalate the skill out of audit-only mode.
@@ -0,0 +1,3 @@
1
+ display_name: GitHub Handoff
2
+ short_description: Prepare local Git handoff evidence without GitHub mutation.
3
+ default_prompt: Prepare a GitHub handoff report as an audit-only pass without modifying files, committing, pushing, tagging, creating pull requests, reading tokens, or calling GitHub APIs.
@@ -0,0 +1,10 @@
1
+ # GitHub Handoff Checklist
2
+
3
+ - Confirm the project root.
4
+ - Validate adapter metadata if present.
5
+ - Inspect local Git state only.
6
+ - Summarize changed files without reading file contents.
7
+ - Redact secret-bearing paths.
8
+ - Do not print remote URLs.
9
+ - Report not-verified GitHub state.
10
+ - Confirm no mutation occurred.
@@ -0,0 +1,16 @@
1
+ # GitHub Handoff Evidence Template
2
+
3
+ - Skill: `github-handoff`
4
+ - Status: `complete`, `partial`, or `failed`
5
+ - Project root:
6
+ - Git root:
7
+ - Branch state:
8
+ - HEAD:
9
+ - Tags at HEAD:
10
+ - Remote names:
11
+ - Changed-file summary:
12
+ - Redacted path count:
13
+ - Skipped:
14
+ - Not verified:
15
+ - Refused behavior:
16
+ - Changed state: no project, Git, GitHub, dependency, runtime, service, or remote state changed.
@@ -0,0 +1,19 @@
1
+ # GitHub Handoff Examples
2
+
3
+ ## Safe Examples
4
+
5
+ ```bash
6
+ coding-agent-skills github-handoff /path/to/project
7
+ ```
8
+
9
+ ```bash
10
+ node scripts/render-github-handoff.mjs /path/to/project
11
+ ```
12
+
13
+ ## Unsafe Examples
14
+
15
+ - Create a pull request.
16
+ - Push the current branch.
17
+ - Tag the release.
18
+ - Read GitHub tokens.
19
+ - Print configured remote URLs.
@@ -0,0 +1,8 @@
1
+ # GitHub Handoff Failure Modes
2
+
3
+ - Project root is not a Git repository.
4
+ - Adapter exists but does not enable `github-handoff`.
5
+ - Adapter validation fails.
6
+ - Git status is unavailable.
7
+ - Secret-bearing changed paths are present and must be redacted.
8
+ - Remote PR, CI, and review state cannot be verified without separately approved GitHub access.
@@ -0,0 +1,56 @@
1
+ {
2
+ "adapterId": "github-handoff-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "fixture-github-handoff",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {"kind": "file", "path": "package.json"},
9
+ {"kind": "file", "path": "README.md"}
10
+ ],
11
+ "maximumDepth": 1,
12
+ "scope": "declared-project-root",
13
+ "requireApprovalOutsideScope": true
14
+ }
15
+ },
16
+ "supportedSkills": [
17
+ {
18
+ "id": "github-handoff",
19
+ "compatibleVersions": ["0.2.3", "0.2.x"],
20
+ "declaredMode": "audit-only"
21
+ }
22
+ ],
23
+ "extensions": {
24
+ "safeReadPaths": ["README.md", "package.json", "src"],
25
+ "ignoredPaths": ["node_modules", "dist", "build", "tmp"],
26
+ "documentationPrecedence": ["README.md"],
27
+ "commandAliases": [],
28
+ "safeStatusCommands": [],
29
+ "requiredEvidence": ["branch state", "HEAD", "working-tree state", "changed-file summary", "handoff summary"],
30
+ "expectedRuntimeManagers": [],
31
+ "expectedPackageManagers": ["npm"]
32
+ },
33
+ "approvalRequirements": [],
34
+ "inheritance": {
35
+ "sharedRestrictions": "required",
36
+ "deniedOperationCategories": [
37
+ "file-write",
38
+ "package-install",
39
+ "deployment",
40
+ "git-mutation",
41
+ "unrestricted-scan",
42
+ "secret-read",
43
+ "process-mutation",
44
+ "service-mutation",
45
+ "migration-apply",
46
+ "privileged-api"
47
+ ],
48
+ "allowRestrictionRemoval": false,
49
+ "allowModeOverride": false,
50
+ "allowFailureSuppression": false,
51
+ "allowCompletionOverride": false,
52
+ "allowSecretExposure": false,
53
+ "allowRequiredEvidenceRemoval": false,
54
+ "allowScopeExpansionWithoutApproval": false
55
+ }
56
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "fixture-github-handoff",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["github-handoff"],
12
+ "adapters": [
13
+ {
14
+ "id": "github-handoff-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["github-handoff"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": ".coding-agent/evidence",
21
+ "approvalPolicyReference": ".coding-agent/approval-policy.md",
22
+ "noSecrets": true
23
+ }
@@ -0,0 +1,3 @@
1
+ # GitHub Handoff Adapter Fixture
2
+
3
+ Synthetic adapter-enabled project used to test handoff metadata.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "github-handoff-adapter-fixture",
3
+ "private": true
4
+ }
@@ -0,0 +1 @@
1
+ export const adapterFixture = "github-handoff";
@@ -0,0 +1,3 @@
1
+ # GitHub Handoff Static Fixture
2
+
3
+ Synthetic project used to test local Git handoff summaries.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "github-handoff-static-fixture",
3
+ "private": true
4
+ }
@@ -0,0 +1 @@
1
+ export const fixture = "github-handoff";
@@ -79,6 +79,18 @@
79
79
  "expectedSkill": "migration-review",
80
80
  "notSkills": ["deployment-preflight", "runtime-truth"]
81
81
  },
82
+ {
83
+ "id": "github-handoff-report",
84
+ "prompt": "Prepare a GitHub handoff report from local branch state and changed files without pushing.",
85
+ "expectedSkill": "github-handoff",
86
+ "notSkills": ["git-preflight", "build-verify"]
87
+ },
88
+ {
89
+ "id": "github-handoff-pr-evidence",
90
+ "prompt": "Summarize handoff evidence for a future PR without creating the pull request.",
91
+ "expectedSkill": "github-handoff",
92
+ "notSkills": ["runtime-truth", "deployment-preflight"]
93
+ },
82
94
  {
83
95
  "id": "build-after-implementation",
84
96
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -131,7 +143,7 @@
131
143
  "id": "negative-deploy",
132
144
  "prompt": "Deploy this application to production.",
133
145
  "expectedSkill": null,
134
- "notSkills": ["repo-map", "route-trace", "env-audit", "secret-audit", "api-contract-audit", "migration-review", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
146
+ "notSkills": ["repo-map", "route-trace", "env-audit", "secret-audit", "api-contract-audit", "migration-review", "github-handoff", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
135
147
  },
136
148
  {
137
149
  "id": "negative-install",
@@ -143,7 +155,7 @@
143
155
  "id": "negative-publish",
144
156
  "prompt": "Commit these files and publish the branch.",
145
157
  "expectedSkill": null,
146
- "notSkills": ["git-preflight"]
158
+ "notSkills": ["git-preflight", "github-handoff"]
147
159
  },
148
160
  {
149
161
  "id": "negative-restart",
@@ -12,6 +12,8 @@
12
12
  build verification.
13
13
  - Static migration/schema review must trigger `migration-review`, not runtime truth,
14
14
  deployment, or migration execution.
15
+ - Local GitHub handoff evidence must trigger `github-handoff`, not publication,
16
+ pull request creation, or Git mutation.
15
17
  - Local validation must trigger `build-verify` only when project-native checks are requested.
16
18
  - Git readiness must trigger `git-preflight`, not publication.
17
19
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.
package/work-ledger.md CHANGED
@@ -4,13 +4,13 @@
4
4
 
5
5
  - Repository: `coding-agent-skills`
6
6
  - Branch: `main`
7
- - Pilot skills: `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
7
+ - Pilot skills: `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
8
8
  - Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
9
9
  - Real-project adapter adoption readiness is documented as a planning-only approval gate.
10
10
  - First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
11
11
  - The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
12
12
  - The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
13
- - Public npm package release `v0.2.13` exposes the dependency-free
13
+ - Public npm package release `v0.2.14` exposes the dependency-free
14
14
  `coding-agent-skills` CLI under MIT license.
15
15
  - `route-trace` is implemented as an audit-only static route tracing skill.
16
16
  - `env-audit` is implemented as an audit-only value-free environment variable name mapping
@@ -20,19 +20,20 @@
20
20
  skill.
21
21
  - `migration-review` is implemented as an audit-only static migration and schema evidence
22
22
  review skill.
23
+ - `github-handoff` is implemented as an audit-only local Git handoff evidence skill.
23
24
  - Builder-mode approval: complete the remaining read-only skill wave for
24
25
  `coding-agent-skills` itself. Real-world project execution constraints remain unchanged.
25
26
 
26
27
  ## Last Completed Version
27
28
 
28
- `v0.2.13`
29
+ `v0.2.14`
29
30
 
30
31
  ## Current Recommended Milestone
31
32
 
32
- The `migration-review` public npm release is in progress under builder-mode approval.
33
+ The `github-handoff` public npm release is in progress under builder-mode approval.
33
34
  Continue the remaining read-only skill wave one release at a time unless a real safety,
34
35
  validation, publication, or authentication boundary appears. The next approved wave item is
35
- `github-handoff-skill`.
36
+ `deployment-preflight-skill`.
36
37
 
37
38
  ## Allowed Next Actions
38
39
 
@@ -104,12 +105,21 @@ No next runner command is currently queued.
104
105
 
105
106
  No autonomous maintainer-loop run has been recorded yet.
106
107
 
108
+ ### 2026-07-03T13:00:00Z
109
+
110
+ - Latest tag observed: `v0.2.13`
111
+ - Implemented milestone: `github-handoff` audit-only local Git handoff evidence skill and CLI command.
112
+ - Required permission: `builder-mode-skill-implementation`
113
+ - Validation result: pass pending final publication evidence
114
+ - Next recommended milestone: continue builder-mode wave with `deployment-preflight-skill`
115
+ after `v0.2.14` publication completes.
116
+
107
117
  ### 2026-07-03T12:00:00Z
108
118
 
109
119
  - Latest tag observed: `v0.2.12`
110
120
  - Implemented milestone: `migration-review` audit-only static migration and schema evidence review skill and CLI command.
111
121
  - Required permission: `builder-mode-skill-implementation`
112
- - Validation result: pass pending final publication evidence
122
+ - Validation result: passed; `v0.2.13` commit, tag, npm publication, registry smoke, npm exec, and GitHub Release completed
113
123
  - Next recommended milestone: continue builder-mode wave with `github-handoff-skill`
114
124
  after `v0.2.13` publication completes.
115
125