coding-agent-skills 0.2.13 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69)
  1. package/CHANGELOG.md +42 -0
  2. package/README.md +9 -1
  3. package/ROADMAP.md +7 -3
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +39 -0
  6. package/docs/adapters/project-installation.md +26 -0
  7. package/docs/adapters/real-project-adoption.md +2 -1
  8. package/docs/architecture/README.md +5 -3
  9. package/docs/release/README.md +3 -2
  10. package/docs/release/npm-package.md +12 -2
  11. package/docs/safety/README.md +11 -1
  12. package/docs/testing/README.md +16 -0
  13. package/docs/usage/README.md +25 -5
  14. package/examples/command-policies/deployment-preflight.json +70 -0
  15. package/examples/command-policies/github-handoff.json +74 -0
  16. package/examples/evidence-packs/deployment-preflight.json +60 -0
  17. package/examples/evidence-packs/github-handoff.json +67 -0
  18. package/examples/manifests/deployment-preflight.json +14 -0
  19. package/examples/manifests/github-handoff.json +14 -0
  20. package/examples/workflows/deployment-preflight.md +8 -0
  21. package/examples/workflows/github-handoff.md +5 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +35 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/deployment-preflight.mjs +655 -0
  27. package/scripts/lib/github-handoff.mjs +446 -0
  28. package/scripts/lib/pack-rules.mjs +20 -2
  29. package/scripts/render-deployment-preflight.mjs +9 -0
  30. package/scripts/render-github-handoff.mjs +7 -0
  31. package/scripts/test-pack.mjs +148 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/deployment-preflight/SKILL.md +89 -0
  34. package/skills/deployment-preflight/adapter-interface.md +17 -0
  35. package/skills/deployment-preflight/agents/openai.yaml +3 -0
  36. package/skills/deployment-preflight/checklist.md +7 -0
  37. package/skills/deployment-preflight/evidence-template.md +19 -0
  38. package/skills/deployment-preflight/examples.md +11 -0
  39. package/skills/deployment-preflight/failure-modes.md +11 -0
  40. package/skills/github-handoff/SKILL.md +95 -0
  41. package/skills/github-handoff/adapter-interface.md +18 -0
  42. package/skills/github-handoff/agents/openai.yaml +3 -0
  43. package/skills/github-handoff/checklist.md +10 -0
  44. package/skills/github-handoff/evidence-template.md +16 -0
  45. package/skills/github-handoff/examples.md +19 -0
  46. package/skills/github-handoff/failure-modes.md +8 -0
  47. package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/adapters/deployment-preflight-fixture/adapter.json +56 -0
  48. package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/deployment-preflight/adapter-project/README.md +3 -0
  50. package/tests/fixtures/deployment-preflight/adapter-project/deploy/netlify.toml +3 -0
  51. package/tests/fixtures/deployment-preflight/adapter-project/ignored/render.yaml +3 -0
  52. package/tests/fixtures/deployment-preflight/adapter-project/package.json +5 -0
  53. package/tests/fixtures/deployment-preflight/static-project/Dockerfile +2 -0
  54. package/tests/fixtures/deployment-preflight/static-project/README.md +3 -0
  55. package/tests/fixtures/deployment-preflight/static-project/docs/deployment.md +4 -0
  56. package/tests/fixtures/deployment-preflight/static-project/package.json +6 -0
  57. package/tests/fixtures/deployment-preflight/static-project/src/index.js +1 -0
  58. package/tests/fixtures/deployment-preflight/static-project/wrangler.toml +3 -0
  59. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/adapters/github-handoff-fixture/adapter.json +56 -0
  60. package/tests/fixtures/github-handoff/adapter-project/.coding-agent/skills.json +23 -0
  61. package/tests/fixtures/github-handoff/adapter-project/README.md +3 -0
  62. package/tests/fixtures/github-handoff/adapter-project/package.json +4 -0
  63. package/tests/fixtures/github-handoff/adapter-project/src/index.js +1 -0
  64. package/tests/fixtures/github-handoff/static-project/README.md +3 -0
  65. package/tests/fixtures/github-handoff/static-project/package.json +4 -0
  66. package/tests/fixtures/github-handoff/static-project/src/index.js +1 -0
  67. package/tests/fixtures/triggers/cases.json +26 -2
  68. package/tests/trigger/README.md +4 -0
  69. package/work-ledger.md +28 -6
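--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,48 @@
 
 All notable changes follow [Semantic Versioning](docs/versioning/README.md).
 
+## [0.2.15] - 2026-07-03
+
+### Added
+
+- `deployment-preflight` audit-only skill for static deployment readiness evidence
+mapping before separately approved deployment work.
+- `coding-agent-skills deployment-preflight <project-root>` CLI command.
+- Dependency-free deployment preflight renderer for deployment config files, deployment
+docs, package script keys without command values, platform indicators, static risk
+indicators, adapter-limited scope, skipped paths, not-verified provider/runtime areas,
+and safety refusals.
+- Synthetic deployment-preflight fixtures and release tests for generic static scans,
+adapter-scoped scans, package script key detection, platform indicators, and
+repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `deployment-preflight` as an audit-only
+skill while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new static read-only deployment preflight command.
+
+## [0.2.14] - 2026-07-03
+
+### Added
+
+- `github-handoff` audit-only skill for local Git handoff evidence before separately
+approved GitHub work.
+- `coding-agent-skills github-handoff <project-root>` CLI command.
+- Dependency-free GitHub handoff renderer for branch state, HEAD, tags at HEAD, remote
+names, changed-file summaries, secret-bearing path redaction, adapter-limited scope,
+and safety refusals.
+- Synthetic github-handoff fixtures and release tests that create disposable Git
+repositories under `/tmp` for generic, adapter-scoped, and repo-map-only adapter cases.
+
+### Changed
+
+- Adapter schemas and validators now recognize `github-handoff` as an audit-only skill
+while preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
+describe the new local Git handoff report command.
+
 ## [0.2.13] - 2026-07-03
 
 ### Added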
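--- a/package/README.md
+++ b/package/README.md
@@ -11,12 +11,14 @@ The pilot pack contains:
 - `secret-audit`: audit-only high-confidence secret exposure detection without values.
 - `api-contract-audit`: audit-only static API contract surface mapping.
 - `migration-review`: audit-only static migration and schema evidence review.
+- `github-handoff`: audit-only local Git handoff evidence before separately approved GitHub work.
+- `deployment-preflight`: audit-only static deployment readiness evidence mapping.
 - `build-verify`: controlled local validation using existing project commands.
 - `git-preflight`: audit-only Git readiness inspection.
 - `runtime-truth`: audit-only runtime evidence collection.
 - `llm-drift-control`: audit-only claim reconciliation.
 
-It does not contain deployment, package installation, Git publication, runtime mutation, migration, privileged API, platform-specific, or project-specific skills.
+It does not contain deployment execution, package installation, Git publication, runtime mutation, migration application, privileged API, platform-specific deployment automation, or project-specific skills.
 
 Project-specific adapters will live in their owning repositories and may narrow, but never weaken, shared safety rules.
 
@@ -48,6 +50,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Find redacted secret exposure risks with `coding-agent-skills secret-audit <project-root>`.
 - Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
 - Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
+- Prepare local Git handoff evidence with `coding-agent-skills github-handoff <project-root>`.
+- Map static deployment readiness evidence with `coding-agent-skills deployment-preflight <project-root>`.
 - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
 - Review [external adapter discovery](docs/adapters/discovery.md).
 - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -63,6 +67,10 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 `node scripts/render-api-contract-audit.mjs <project-root>`.
 - Render a static migration review report with
 `node scripts/render-migration-review.mjs <project-root>`.
+- Render a local GitHub handoff report with
+`node scripts/render-github-handoff.mjs <project-root>`.
+- Render a static deployment preflight report with
+`node scripts/render-deployment-preflight.mjs <project-root>`.
 - Review [adapter upgrade checks](docs/adapters/upgrades.md).
 - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
 for disposable project revisions.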
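--- a/package/ROADMAP.md
+++ b/package/ROADMAP.md
@@ -1,6 +1,6 @@
 # Roadmap
 
-The public package now contains ten approved shared skills. Builder-mode approval is
+The public package now contains twelve approved shared skills. Builder-mode approval is
 active for the remaining read-only skill wave in this repository; real-world project
 execution constraints remain unchanged.
 
@@ -38,6 +38,10 @@ execution constraints remain unchanged.
 contract surface mapping.
 - `v0.2.13`: audit-only `migration-review` skill and CLI renderer for static migration
 and schema evidence review.
+- `v0.2.14`: audit-only `github-handoff` skill and CLI renderer for local Git handoff
+evidence before separately approved GitHub work.
+- `v0.2.15`: audit-only `deployment-preflight` skill and CLI renderer for static
+deployment readiness evidence before separately approved deployment work.
 
 The next milestone is recorded in [work-ledger.md](work-ledger.md). The
 [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
@@ -83,8 +87,8 @@ Next safe milestone options:
 | `secret-audit-skill` | General | Audit-only | Implemented in `v0.2.11` |
 | `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
 | `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
-| `github-handoff-skill` | General | Audit-only | Builder-mode approved; next in wave |
-| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
+| `github-handoff-skill` | General | Audit-only | Implemented in `v0.2.14` |
+| `deployment-preflight-skill` | General | Audit-only | Implemented in `v0.2.15` |
 | `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
 | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
 | `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |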
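--- a/package/bin/coding-agent-skills
+++ b/package/bin/coding-agent-skills
@@ -53,6 +53,18 @@ const commands = {
  usage: "coding-agent-skills migration-review <project-root>",
  requiredArgs: 1,
  },
+"github-handoff": {
+script: "scripts/render-github-handoff.mjs",
+args: ([projectRoot]) => [projectRoot],
+usage: "coding-agent-skills github-handoff <project-root>",
+requiredArgs: 1,
+},
+"deployment-preflight": {
+script: "scripts/render-deployment-preflight.mjs",
+args: ([projectRoot]) => [projectRoot],
+usage: "coding-agent-skills deployment-preflight <project-root>",
+requiredArgs: 1,
+},
  "validate-adapters": {
  script: "scripts/validate-adapters.mjs",
  args: ([adapterRoot]) => [adapterRoot],
@@ -74,6 +86,8 @@ function usage(exitCode = 0) {
  " secret-audit <project-root>",
  " api-contract-audit <project-root>",
  " migration-review <project-root>",
+" github-handoff <project-root>",
+" deployment-preflight <project-root>",
  " validate-adapters <adapter-root>",
  "",
  "local wrapper for the published coding-agent-skills package",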
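Review bot: The help lines added in `usage()` (`" github-handoff <project-root>",` and `" deployment-preflight <project-root>",`) duplicate by hand the `usage` strings that each new `commands` entry already carries, so the two lists can silently drift the next time a command is added or renamed. Deriving the help text from the table keeps them in sync, e.g. `...Object.values(commands).map(({ usage }) => " " + usage.replace(/^coding-agent-skills /, ""))` (the prefix pattern comes from the visible `usage` values). Both the `commands` object and `usage()` start outside the hunk, and it is not visible here whether `requiredArgs: 1` also rejects surplus arguments or only enforces a minimum; since `args` forwards `projectRoot` unchanged to the renderer, it is worth confirming that the renderer, not this wrapper, is what validates and bounds the path.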
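--- a/package/docs/adapters/README.md
+++ b/package/docs/adapters/README.md
@@ -122,6 +122,40 @@ skipped paths, and not-verified database behavior. It never connects to database
 executes migrations, generates ORM clients, builds, tests, deploys, or mutates project
 files.
 
+## Adapter-Aware GitHub Handoff Consumption
+
+The shared pack can consume a validated project-owned adapter as bounded context for
+`github-handoff`:
+
+```bash
+node scripts/render-github-handoff.mjs <project-root>
+```
+
+The renderer validates the project declaration when present. If an adapter is present but
+does not enable `github-handoff`, it reports an adapter-limited skip instead of listing
+changed-file details. When enabled, it uses local Git metadata only: branch state, HEAD,
+tags at HEAD, remote names, and changed-file summaries. It never prints remote URLs,
+reads tokens, creates pull requests, commits, pushes, tags, calls GitHub APIs, or mutates
+project files.
+
+## Adapter-Aware Deployment Preflight Consumption
+
+The shared pack can consume a validated project-owned adapter as bounded context for
+`deployment-preflight`:
+
+```bash
+node scripts/render-deployment-preflight.mjs <project-root>
+```
+
+The renderer validates the project declaration when present. If an adapter is present but
+does not enable `deployment-preflight`, it reports an adapter-limited skip instead of
+broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
+secret-bearing files, generated output, dependency paths, build output, runtime output,
+and oversized files, then reports deployment config files, deployment docs, package
+script keys, platform indicators, risk indicators, skipped paths, and not-verified
+provider/runtime behavior. It never deploys, calls provider APIs, installs packages,
+builds, tests, runs services, migrates, or mutates project files.
+
 ## What Adapters May Do
 
 - Add bounded relative read paths and ignored paths.
@@ -135,6 +169,11 @@ files.
 handlers, client calls, and schema/type files.
 - Add migration-review safe read paths for static migration, schema, config, and package
 files while relying on the shared reviewer to exclude secret-bearing paths.
+- Add github-handoff required evidence labels and ignored path labels while relying on the
+shared renderer to avoid remote URLs, tokens, and GitHub mutation.
+- Add deployment-preflight safe read paths for static deployment config, docs, and package
+metadata while relying on the shared preflight renderer to exclude secret-bearing paths
+and avoid deployment behavior.
 - Add command aliases that already satisfy the shared command policy.
 - Add status-only runtime commands and manager hints.
 - Require additional evidence or named approval for exceptional reads.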
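--- a/package/docs/adapters/project-installation.md
+++ b/package/docs/adapters/project-installation.md
@@ -170,6 +170,32 @@ files, schema/config files, package script keys, static risk indicators, and not
 database behavior without connecting to databases, applying migrations, generating ORM
 clients, or running package scripts.
 
+A project-owned adapter can also enable read-only `github-handoff` context:
+
+```bash
+node scripts/render-github-handoff.mjs <project-root>
+```
+
+The GitHub handoff renderer validates the project declaration when present. If the adapter
+is present but does not enable `github-handoff`, it reports an adapter-limited skip.
+When enabled, it reports local Git metadata and changed-file summaries without printing
+remote URLs, reading tokens, creating pull requests, committing, pushing, tagging, calling
+GitHub APIs, or changing project files.
+
+A project-owned adapter can also enable read-only `deployment-preflight` context:
+
+```bash
+node scripts/render-deployment-preflight.mjs <project-root>
+```
+
+The deployment preflight renderer validates the project declaration when present. If the
+adapter is present but does not enable `deployment-preflight`, it reports an
+adapter-limited skip. When enabled, it reads only adapter-declared safe paths and reports
+static deployment config files, deployment docs, package script keys, platform indicators,
+risk indicators, and not-verified provider/runtime behavior without deploying, calling
+provider APIs, installing packages, building, testing, running services, or reading
+secrets.
+
 ## Safety Boundary
 
 Project adapters are extension-only. They cannot remove denied operations, change an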
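--- a/package/docs/adapters/real-project-adoption.md
+++ b/package/docs/adapters/real-project-adoption.md
@@ -21,7 +21,8 @@ project repository is touched:
 - The project can declare exactly one installation file: `.coding-agent/skills.json` or
 `coding-agent.skills.json`.
 - The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
-`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `build-verify`, `git-preflight`,
+`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
+`github-handoff`, `deployment-preflight`, `build-verify`, `git-preflight`,
 `runtime-truth`, or `llm-drift-control`.
 - The adapter can narrow context with relative paths, documentation precedence, safe
 aliases, status-only hints, or extra evidence requirements.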
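--- a/package/docs/architecture/README.md
+++ b/package/docs/architecture/README.md
@@ -17,6 +17,8 @@ Audit-only:
 - `secret-audit`
 - `api-contract-audit`
 - `migration-review`
+- `github-handoff`
+- `deployment-preflight`
 - `git-preflight`
 - `runtime-truth`
 - `llm-drift-control`
@@ -25,6 +27,6 @@ Controlled local validation:
 
 - `build-verify`
 
-The evidence pack is a shared output contract, not an executable skill. Deployment
-preflight, GitHub handoff, provider operations, and additional project adapters remain
-separate future work.
+The evidence pack is a shared output contract, not an executable skill. Provider
+operations, deployment execution, and additional project adapters remain separate future
+work.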
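--- a/package/docs/release/README.md
+++ b/package/docs/release/README.md
@@ -20,8 +20,9 @@
 folders, generated output, and unrelated repositories.
 14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
 15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
-`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`, or
-`coding-agent-skills api-contract-audit`, or `coding-agent-skills migration-review`
+`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
+`coding-agent-skills api-contract-audit`, `coding-agent-skills migration-review`,
+`coding-agent-skills github-handoff`, or `coding-agent-skills deployment-preflight`
 against synthetic fixtures only unless a real project read-only smoke is explicitly
 approved.
 16. Review changelog, ledger, run evidence, and versioning impact.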
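--- a/package/docs/release/npm-package.md
+++ b/package/docs/release/npm-package.md
@@ -7,7 +7,7 @@ safety model.
 ## Current Package Shape
 
 - Package name: `coding-agent-skills`.
-- Package version: `0.2.13`.
+- Package version: `0.2.15`.
 - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
 - Module type: `module`.
 - Dependencies: none.
@@ -32,6 +32,8 @@ coding-agent-skills env-audit /path/to/project
 coding-agent-skills secret-audit /path/to/project
 coding-agent-skills api-contract-audit /path/to/project
 coding-agent-skills migration-review /path/to/project
+coding-agent-skills github-handoff /path/to/project
+coding-agent-skills deployment-preflight /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -56,6 +58,13 @@ without running servers, calling APIs, or generating clients or schemas.
 files, package script keys, static risk indicators, and not-verified database behavior
 without connecting to databases, applying migrations, generating ORM clients, or reading
 secrets.
+`github-handoff` is local Git metadata only; it reports branch state, HEAD, tags at HEAD,
+remote names, and changed-file summaries without printing remote URLs, reading tokens,
+creating pull requests, committing, pushing, tagging, or calling GitHub APIs.
+`deployment-preflight` is static and audit-only; it reports deployment config files,
+deployment docs, package script keys, platform indicators, risk indicators, and
+not-verified provider/runtime behavior without deploying, calling provider APIs,
+installing packages, building, testing, or reading secrets.
 
 `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
 source-only checks such as `.gitignore` validation. In an installed package tree, where
@@ -90,7 +99,8 @@ included.
 
 The public CLI remains read-only for target projects unless a specific underlying skill
 already permits a bounded local validation action. The installed `repo-map`,
-`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, and adapter flows do not:
+`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
+`github-handoff`, `deployment-preflight`, and adapter flows do not:
 
 - deploy
 - run migrations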
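--- a/package/docs/safety/README.md
+++ b/package/docs/safety/README.md
@@ -2,7 +2,7 @@
 
 ## Audit-Only Rule
 
-`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
+`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `deployment-preflight`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
 
 `route-trace` is static only. It may read bounded non-secret route files and route
 configuration, but it must not execute app code, run servers, hit URLs, claim runtime
@@ -27,6 +27,16 @@ config, and package files, but it must not connect to databases, apply migration
 generate ORM clients, run package scripts, build, test, deploy, inspect runtime state, or
 broaden adapter scope.
 
+`github-handoff` is local Git metadata only. It may inspect branch state, HEAD, tags at
+HEAD, remote names, and changed-file status, but it must not print remote URLs, read
+tokens, create pull requests, commit, push, tag, call GitHub APIs, mutate Git state, or
+broaden adapter scope.
+
+`deployment-preflight` is static only. It may read bounded non-secret deployment config,
+docs, and package metadata, but it must not deploy, run provider CLIs, call cloud APIs,
+install packages, build, test, run services, migrate databases, read secret files, or
+broaden adapter scope.
+
 `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
 
 ## Restricted Categories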
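--- a/package/docs/testing/README.md
+++ b/package/docs/testing/README.md
@@ -67,6 +67,22 @@ adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must
 connect to databases, apply migrations, generate ORM clients, run package scripts, build,
 test, deploy, or read `.env` files.
 
+## GitHub Handoff
+
+Synthetic github-handoff projects are copied into disposable Git repositories under
+`/tmp` during tests. The harness verifies branch state, HEAD, tags at HEAD, changed-file
+summary, adapter-declared evidence metadata, and adapter-present-but-not-enabled behavior.
+Tests must never commit to the shared repository, push, tag shared history, create pull
+requests, call GitHub APIs, print remote URLs, read tokens, or read `.env` files.
+
+## Deployment Preflight
+
+Synthetic deployment-preflight projects cover deployment config detection, deployment docs,
+package script keys without command values, static platform indicators, risk indicators,
+adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
+deploy, call provider APIs, install packages, build, test, run services, migrate, or read
+`.env` files.
+
 ## Privacy And Redaction
 
 Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.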
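--- a/package/docs/usage/README.md
+++ b/package/docs/usage/README.md
@@ -10,6 +10,8 @@ Select the least-privileged skill that matches the request:
 | Find high-confidence secret exposure risks without values | `secret-audit` |
 | Map static API contract surfaces | `api-contract-audit` |
 | Review static migration and schema evidence | `migration-review` |
+| Prepare local GitHub handoff evidence | `github-handoff` |
+| Map static deployment readiness evidence | `deployment-preflight` |
 | Run existing local validation checks | `build-verify` |
 | Assess Git handoff readiness | `git-preflight` |
 | Determine what is actually running | `runtime-truth` |
@@ -27,11 +29,15 @@ Select the least-privileged skill that matches the request:
 calls, and schema/type files must be mapped without runtime behavior.
 6. Use `migration-review` when database migration, schema, config, package-script-key,
 and static risk-indicator evidence must be mapped without database access.
-7. Perform implementation outside this pilot pack.
-8. Use `build-verify` for approved project-native checks.
-9. Use `git-preflight` before handoff or publication.
-10. Use `runtime-truth` only when live local state matters.
-11. Use `llm-drift-control` when claims and evidence may disagree.
+7. Use `github-handoff` when local Git metadata and changed-file summaries are needed
+before separately approved GitHub work.
+8. Use `deployment-preflight` when visible deployment config, docs, package script keys,
+and platform hints must be mapped without deployment behavior.
+9. Perform implementation outside this pilot pack.
+10. Use `build-verify` for approved project-native checks.
+11. Use `git-preflight` before handoff or publication.
+12. Use `runtime-truth` only when live local state matters.
+13. Use `llm-drift-control` when claims and evidence may disagree.
 
 Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
 
@@ -67,6 +73,8 @@ coding-agent-skills env-audit /path/to/project
 coding-agent-skills secret-audit /path/to/project
 coding-agent-skills api-contract-audit /path/to/project
 coding-agent-skills migration-review /path/to/project
+coding-agent-skills github-handoff /path/to/project
+coding-agent-skills deployment-preflight /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -96,6 +104,14 @@ client-call patterns, schema/type files, skipped paths, and not-verified runtime
 paths when enabled, and statically reports migration files, schema/config files, package
 script keys, risk indicators, skipped paths, and not-verified database behavior without
 database access or migration execution.
+`github-handoff` validates a project adapter when present, then reports local Git branch
+state, HEAD, tags at HEAD, remote names, and changed-file summaries without printing
+remote URLs, committing, pushing, tagging, creating pull requests, calling GitHub APIs,
+or reading tokens.
+`deployment-preflight` validates a project adapter when present, uses adapter-declared
+safe paths when enabled, and statically reports deployment config files, deployment docs,
+package script keys, platform indicators, risk indicators, skipped paths, and
+not-verified provider/runtime behavior without deploying or calling provider APIs.
 
 The installed CLI does not run target project builds or tests, perform runtime checks,
 deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
@@ -114,6 +130,8 @@ bin/coding-agent-skills env-audit /path/to/project
 bin/coding-agent-skills secret-audit /path/to/project
 bin/coding-agent-skills api-contract-audit /path/to/project
 bin/coding-agent-skills migration-review /path/to/project
+bin/coding-agent-skills github-handoff /path/to/project
+bin/coding-agent-skills deployment-preflight /path/to/project
 bin/coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -129,6 +147,8 @@ coding-agent-skills env-audit /path/to/project
 coding-agent-skills secret-audit /path/to/project
 coding-agent-skills api-contract-audit /path/to/project
 coding-agent-skills migration-review /path/to/project
+coding-agent-skills github-handoff /path/to/project
+coding-agent-skills deployment-preflight /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 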
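--- a/package/examples/command-policies/deployment-preflight.json
+++ b/package/examples/command-policies/deployment-preflight.json
@@ -0,0 +1,70 @@
+{
+"version": "0.2.3",
+"mode": "audit-only",
+"parserPolicy": {
+"inspectEverySegment": true,
+"inspectScriptBodies": true,
+"rejectUnknownExecutables": true,
+"rejectShellWrappers": true,
+"rejectHeredocs": true,
+"rejectRedirection": true,
+"providerSpecificNpx": true,
+"authenticatedCurlRequiresApproval": true,
+"boundedReadsRequired": true,
+"allowedComposition": "read-only"
+},
+"allowedFamilies": [
+{
+"name": "bounded-deployment-preflight-inspection",
+"executables": ["pwd", "ls", "rg", "find", "sed", "head"],
+"argumentPolicy": {
+"strategy": "pattern",
+"allowedPatterns": ["bounded repository-local static deployment config, docs, and package metadata inspection"],
+"deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, secret files, and unbounded traversal"]
+},
+"constraints": [
+"Remain inside the declared project scope.",
+"Bound traversal depth and output.",
+"Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
+]
+},
+{
+"name": "git-identity-inspection",
+"executables": ["git"],
+"argumentPolicy": {
+"strategy": "exact",
+"allowedPatterns": ["rev-parse and status --short --branch"],
+"deniedPatterns": ["all Git mutation and publication subcommands"]
+},
+"constraints": ["Allow only read-only repository identity and branch-state inspection."]
+},
+{
+"name": "deployment-preflight-renderer",
+"executables": ["node", "coding-agent-skills"],
+"argumentPolicy": {
+"strategy": "exact",
+"allowedPatterns": ["node scripts/render-deployment-preflight.mjs <project-root>; coding-agent-skills deployment-preflight <project-root>"],
+"deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, migrations, service mutation, and secret-file reads"]
+},
+"constraints": [
+"The renderer must remain static and read-only.",
+"Do not run provider CLIs, deploy, build, test, or inspect secrets."
+]
+}
+],
+"restrictedCategories": [
+"file-write",
+"package-install",
+"deployment",
+"git-mutation",
+"unrestricted-scan",
+"secret-read",
+"process-mutation",
+"service-mutation",
+"migration-apply",
+"privileged-api"
+],
+"approvalExceptions": [
+"A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
+]
+}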
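Review bot: The `git-identity-inspection` family declares `"strategy": "exact"` but its only allowed pattern is the prose string `"rev-parse and status --short --branch"`, which an exact matcher can never satisfy, whereas the sibling github-handoff policy lists concrete argument strings; the entry should read `"allowedPatterns": ["rev-parse --show-toplevel", "rev-parse HEAD", "status --short --branch"]` (or whichever exact invocations the renderer actually issues). The renderer family has a related problem: under `"strategy": "exact"` its single pattern joins two commands with `;`, and with `"inspectEverySegment": true` each segment is presumably compared on its own, so neither segment can match the combined string — splitting it into two array entries, `"node scripts/render-deployment-preflight.mjs <project-root>"` and `"coding-agent-skills deployment-preflight <project-root>"`, fixes that; the same applies to the `github-handoff-renderer` family in github-handoff.json. The first family admits `sed` and `find`, whose in-place and action flags (`sed -i`, `find -delete`, `find -exec`) write or execute without any redirection, so `"rejectRedirection"` and the `file-write` restricted category only hold if the parser implementation excludes those forms elsewhere; adding them to `deniedPatterns` would make the policy self-contained. If `"version": "0.2.3"` is meant to track the package version it is stale relative to 0.2.15; if it is a policy-format version, renaming it (e.g. `policyVersion`) would remove the ambiguity, since JSON gives no room for a comment.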
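--- a/package/examples/command-policies/github-handoff.json
+++ b/package/examples/command-policies/github-handoff.json
@@ -0,0 +1,74 @@
+{
+"version": "0.2.3",
+"mode": "audit-only",
+"parserPolicy": {
+"inspectEverySegment": true,
+"inspectScriptBodies": true,
+"rejectUnknownExecutables": true,
+"rejectShellWrappers": true,
+"rejectHeredocs": true,
+"rejectRedirection": true,
+"providerSpecificNpx": true,
+"authenticatedCurlRequiresApproval": true,
+"boundedReadsRequired": true,
+"allowedComposition": "read-only"
+},
+"allowedFamilies": [
+{
+"name": "local-git-handoff-inspection",
+"executables": ["git"],
+"argumentPolicy": {
+"strategy": "exact",
+"allowedPatterns": [
+"status --short --branch",
+"rev-parse --show-toplevel",
+"rev-parse --abbrev-ref HEAD",
+"rev-parse HEAD",
+"log -1 --format=%s",
+"tag --points-at HEAD",
+"remote"
+],
+"deniedPatterns": [
+"remote URL printing, commits, pushes, tags, branch changes, pull requests, releases, and GitHub API calls"
+]
+},
+"constraints": [
+"Inspect local Git metadata only.",
+"Do not print remote URLs.",
+"Do not mutate Git state."
+]
+},
+{
+"name": "github-handoff-renderer",
+"executables": ["node", "coding-agent-skills"],
+"argumentPolicy": {
+"strategy": "exact",
+"allowedPatterns": [
+"node scripts/render-github-handoff.mjs <project-root>; coding-agent-skills github-handoff <project-root>"
+],
+"deniedPatterns": [
+"PR creation, release creation, GitHub API mutation, token reads, secret-file reads, commits, pushes, and tags"
+]
+},
+"constraints": [
+"The renderer must remain audit-only.",
+"Do not read tokens, print remote URLs, create pull requests, commit, push, or tag."
+]
+}
+],
+"restrictedCategories": [
+"file-write",
+"package-install",
+"deployment",
+"git-mutation",
+"unrestricted-scan",
+"secret-read",
+"process-mutation",
+"service-mutation",
+"migration-apply",
+"privileged-api"
+],
+"approvalExceptions": [
+"No approval exception may turn github-handoff into a GitHub mutation workflow."
+]
+}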
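Review bot: The `approvalExceptions` array holds a prohibition, `"No approval exception may turn github-handoff into a GitHub mutation workflow."`, rather than an exception, so any consumer that treats entries of that key as grants (as the sibling deployment-preflight policy's entry reads) would misinterpret it. Keeping `"approvalExceptions": []` and moving the sentence into the renderer family's `constraints` keeps the key's meaning uniform across policies. The `local-git-handoff-inspection` family is in good shape: each allowed pattern is a concrete argument string, and the bare `"remote"` entry lists names only, which matches the "Do not print remote URLs." constraint as long as the exact strategy rejects `remote -v`; a constraint stating that explicitly would make the intent reviewable without reading the parser.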
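--- a/package/examples/evidence-packs/deployment-preflight.json
+++ b/package/examples/evidence-packs/deployment-preflight.json
@@ -0,0 +1,60 @@
+{
+"contractVersion": "1.0.0",
+"skill": {"name": "deployment-preflight", "version": "0.2.3"},
+"invocation": {
+"id": "example-deployment-preflight",
+"startedAt": "2026-07-03T12:00:00Z",
+"endedAt": "2026-07-03T12:01:00Z"
+},
+"repository": {
+"root": "/workspace/example-project",
+"branch": "main",
+"head": "0123456789abcdef",
+"workingTreeState": "clean"
+},
+"userIntent": "Map static deployment readiness evidence before deployment planning.",
+"declaredScope": ["/workspace/example-project"],
+"projectAdapter": "example-deployment-preflight-adapter",
+"environmentSummary": {"platform": "linux", "shell": "bash"},
+"status": "complete",
+"confidence": {
+"level": "medium",
+"reason": "Static deployment evidence was inspected, but provider credentials and deployed state were not verified."
+},
+"commands": [
+{
+"command": "coding-agent-skills deployment-preflight /workspace/example-project",
+"family": "deployment-preflight-renderer",
+"workingDirectory": "/workspace/example-project",
+"startedAt": "2026-07-03T12:00:20Z",
+"endedAt": "2026-07-03T12:00:21Z",
+"exitStatus": 0,
+"resultStatus": "success",
+"safetyClass": "allowed",
+"approvalReference": null,
+"purpose": "Render a static deployment preflight report.",
+"outputSummary": "Reported static deployment config files, docs, platform indicators, risk indicators, skipped items, and not-verified provider areas."
+}
+],
+"skippedChecks": [],
+"findings": [
+{
+"summary": "Static deployment evidence was mapped without deployment behavior.",
+"evidence": ["wrangler.toml", "docs/deployment.md"]
+}
+],
+"risks": [
+{
+"summary": "Provider and deployed service state may differ from static repository evidence.",
+"evidence": ["provider APIs were not called", "runtime health checks were not performed"]
+}
+],
+"failures": [],
+"unresolvedQuestions": [],
+"changedState": {
+"changed": false,
+"summary": "No project, Git, dependency, runtime, service, database, cloud provider, remote, deployment, or generated-output state changed."
+},
+"handoffSummary": "Static deployment evidence is mapped; deployment execution and provider state remain unverified.",
+"recommendedNextAction": "Review reported deployment surfaces before separately approving any platform-specific deployment work."
+}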
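Review bot: The `evidence` key carries two different kinds of value in this example: under `findings` it holds repository paths (`"wrangler.toml"`, `"docs/deployment.md"`), while under `risks` it holds free-text statements (`"provider APIs were not called"`), so a consumer that resolves `evidence` entries against the repository will fail on the second. If the contract intends both, the example should say so where the contract is documented, or the risk entries could use a distinct key such as `"basis"`; if it intends paths only, the risk statements belong in `summary`. The `head` value `"0123456789abcdef"` is an abbreviated sample, which is fine for an example but worth a matching `pattern` or length constraint in the evidence-pack schema if one exists, since the real renderer presumably emits the full commit id.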