coding-agent-skills 0.2.14 → 0.2.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48)
  1. package/CHANGELOG.md +22 -0
  2. package/README.md +5 -1
  3. package/ROADMAP.md +4 -2
  4. package/bin/coding-agent-skills +7 -0
  5. package/docs/adapters/README.md +21 -0
  6. package/docs/adapters/project-installation.md +14 -0
  7. package/docs/adapters/real-project-adoption.md +2 -2
  8. package/docs/architecture/README.md +3 -2
  9. package/docs/release/README.md +1 -1
  10. package/docs/release/npm-package.md +7 -2
  11. package/docs/safety/README.md +6 -1
  12. package/docs/testing/README.md +8 -0
  13. package/docs/usage/README.md +15 -5
  14. package/examples/command-policies/deployment-preflight.json +70 -0
  15. package/examples/evidence-packs/deployment-preflight.json +60 -0
  16. package/examples/manifests/deployment-preflight.json +14 -0
  17. package/examples/workflows/deployment-preflight.md +8 -0
  18. package/package.json +2 -1
  19. package/runs/skill-runs.md +19 -0
  20. package/schemas/project-adapter-installation.schema.json +2 -0
  21. package/schemas/project-adapter.schema.json +2 -0
  22. package/scripts/lib/deployment-preflight.mjs +655 -0
  23. package/scripts/lib/pack-rules.mjs +11 -2
  24. package/scripts/render-deployment-preflight.mjs +9 -0
  25. package/scripts/test-pack.mjs +60 -1
  26. package/scripts/validate-pack.mjs +5 -2
  27. package/skills/deployment-preflight/SKILL.md +89 -0
  28. package/skills/deployment-preflight/adapter-interface.md +17 -0
  29. package/skills/deployment-preflight/agents/openai.yaml +3 -0
  30. package/skills/deployment-preflight/checklist.md +7 -0
  31. package/skills/deployment-preflight/evidence-template.md +19 -0
  32. package/skills/deployment-preflight/examples.md +11 -0
  33. package/skills/deployment-preflight/failure-modes.md +11 -0
  34. package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/adapters/deployment-preflight-fixture/adapter.json +56 -0
  35. package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/skills.json +23 -0
  36. package/tests/fixtures/deployment-preflight/adapter-project/README.md +3 -0
  37. package/tests/fixtures/deployment-preflight/adapter-project/deploy/netlify.toml +3 -0
  38. package/tests/fixtures/deployment-preflight/adapter-project/ignored/render.yaml +3 -0
  39. package/tests/fixtures/deployment-preflight/adapter-project/package.json +5 -0
  40. package/tests/fixtures/deployment-preflight/static-project/Dockerfile +2 -0
  41. package/tests/fixtures/deployment-preflight/static-project/README.md +3 -0
  42. package/tests/fixtures/deployment-preflight/static-project/docs/deployment.md +4 -0
  43. package/tests/fixtures/deployment-preflight/static-project/package.json +6 -0
  44. package/tests/fixtures/deployment-preflight/static-project/src/index.js +1 -0
  45. package/tests/fixtures/deployment-preflight/static-project/wrangler.toml +3 -0
  46. package/tests/fixtures/triggers/cases.json +13 -1
  47. package/tests/trigger/README.md +2 -0
  48. package/work-ledger.md +18 -6
package/CHANGELOG.md CHANGED
@@ -2,6 +2,28 @@
2
2
 
3
3
  All notable changes follow [Semantic Versioning](docs/versioning/README.md).
4
4
 
5
+ ## [0.2.15] - 2026-07-03
6
+
7
+ ### Added
8
+
9
+ - `deployment-preflight` audit-only skill for static deployment readiness evidence
10
+ mapping before separately approved deployment work.
11
+ - `coding-agent-skills deployment-preflight <project-root>` CLI command.
12
+ - Dependency-free deployment preflight renderer for deployment config files, deployment
13
+ docs, package script keys without command values, platform indicators, static risk
14
+ indicators, adapter-limited scope, skipped paths, not-verified provider/runtime areas,
15
+ and safety refusals.
16
+ - Synthetic deployment-preflight fixtures and release tests for generic static scans,
17
+ adapter-scoped scans, package script key detection, platform indicators, and
18
+ repo-map-only adapter skips.
19
+
20
+ ### Changed
21
+
22
+ - Adapter schemas and validators now recognize `deployment-preflight` as an audit-only
23
+ skill while preserving the existing `0.2.3` adapter contract compatibility baseline.
24
+ - Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
25
+ describe the new static read-only deployment preflight command.
26
+
5
27
  ## [0.2.14] - 2026-07-03
6
28
 
7
29
  ### Added
package/README.md CHANGED
@@ -12,12 +12,13 @@ The pilot pack contains:
12
12
  - `api-contract-audit`: audit-only static API contract surface mapping.
13
13
  - `migration-review`: audit-only static migration and schema evidence review.
14
14
  - `github-handoff`: audit-only local Git handoff evidence before separately approved GitHub work.
15
+ - `deployment-preflight`: audit-only static deployment readiness evidence mapping.
15
16
  - `build-verify`: controlled local validation using existing project commands.
16
17
  - `git-preflight`: audit-only Git readiness inspection.
17
18
  - `runtime-truth`: audit-only runtime evidence collection.
18
19
  - `llm-drift-control`: audit-only claim reconciliation.
19
20
 
20
- It does not contain deployment, package installation, Git publication, runtime mutation, migration, privileged API, platform-specific, or project-specific skills.
21
+ It does not contain deployment execution, package installation, Git publication, runtime mutation, migration application, privileged API, platform-specific deployment automation, or project-specific skills.
21
22
 
22
23
  Project-specific adapters will live in their owning repositories and may narrow, but never weaken, shared safety rules.
23
24
 
@@ -50,6 +51,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
50
51
  - Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
51
52
  - Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
52
53
  - Prepare local Git handoff evidence with `coding-agent-skills github-handoff <project-root>`.
54
+ - Map static deployment readiness evidence with `coding-agent-skills deployment-preflight <project-root>`.
53
55
  - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
54
56
  - Review [external adapter discovery](docs/adapters/discovery.md).
55
57
  - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -67,6 +69,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
67
69
  `node scripts/render-migration-review.mjs <project-root>`.
68
70
  - Render a local GitHub handoff report with
69
71
  `node scripts/render-github-handoff.mjs <project-root>`.
72
+ - Render a static deployment preflight report with
73
+ `node scripts/render-deployment-preflight.mjs <project-root>`.
70
74
  - Review [adapter upgrade checks](docs/adapters/upgrades.md).
71
75
  - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
72
76
  for disposable project revisions.
package/ROADMAP.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Roadmap
2
2
 
3
- The public package now contains eleven approved shared skills. Builder-mode approval is
3
+ The public package now contains twelve approved shared skills. Builder-mode approval is
4
4
  active for the remaining read-only skill wave in this repository; real-world project
5
5
  execution constraints remain unchanged.
6
6
 
@@ -40,6 +40,8 @@ execution constraints remain unchanged.
40
40
  and schema evidence review.
41
41
  - `v0.2.14`: audit-only `github-handoff` skill and CLI renderer for local Git handoff
42
42
  evidence before separately approved GitHub work.
43
+ - `v0.2.15`: audit-only `deployment-preflight` skill and CLI renderer for static
44
+ deployment readiness evidence before separately approved deployment work.
43
45
 
44
46
  The next milestone is recorded in [work-ledger.md](work-ledger.md). The
45
47
  [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
@@ -86,7 +88,7 @@ Next safe milestone options:
86
88
  | `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
87
89
  | `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
88
90
  | `github-handoff-skill` | General | Audit-only | Implemented in `v0.2.14` |
89
- | `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; next in wave |
91
+ | `deployment-preflight-skill` | General | Audit-only | Implemented in `v0.2.15` |
90
92
  | `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
91
93
  | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
92
94
  | `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
@@ -59,6 +59,12 @@ const commands = {
59
59
  usage: "coding-agent-skills github-handoff <project-root>",
60
60
  requiredArgs: 1,
61
61
  },
62
+ "deployment-preflight": {
63
+ script: "scripts/render-deployment-preflight.mjs",
64
+ args: ([projectRoot]) => [projectRoot],
65
+ usage: "coding-agent-skills deployment-preflight <project-root>",
66
+ requiredArgs: 1,
67
+ },
62
68
  "validate-adapters": {
63
69
  script: "scripts/validate-adapters.mjs",
64
70
  args: ([adapterRoot]) => [adapterRoot],
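Review bot: `args: ([projectRoot]) => [projectRoot]` in the new `deployment-preflight` entry forwards the caller's path to `scripts/render-deployment-preflight.mjs` unchanged, and `requiredArgs: 1` is the only check visible at this layer, so every scope guarantee in the docs rests on the renderer resolving that path itself. Confirm in the renderer (not shown in this hunk) that the root is canonicalised and rejected when it is not a directory, and add CLI-level tests for a missing argument and for a nonexistent root.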
@@ -81,6 +87,7 @@ function usage(exitCode = 0) {
81
87
  " api-contract-audit <project-root>",
82
88
  " migration-review <project-root>",
83
89
  " github-handoff <project-root>",
90
+ " deployment-preflight <project-root>",
84
91
  " validate-adapters <adapter-root>",
85
92
  "",
86
93
  "local wrapper for the published coding-agent-skills package",
@@ -138,6 +138,24 @@ tags at HEAD, remote names, and changed-file summaries. It never prints remote U
138
138
  reads tokens, creates pull requests, commits, pushes, tags, calls GitHub APIs, or mutates
139
139
  project files.
140
140
 
141
+ ## Adapter-Aware Deployment Preflight Consumption
142
+
143
+ The shared pack can consume a validated project-owned adapter as bounded context for
144
+ `deployment-preflight`:
145
+
146
+ ```bash
147
+ node scripts/render-deployment-preflight.mjs <project-root>
148
+ ```
149
+
150
+ The renderer validates the project declaration when present. If an adapter is present but
151
+ does not enable `deployment-preflight`, it reports an adapter-limited skip instead of
152
+ broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
153
+ secret-bearing files, generated output, dependency paths, build output, runtime output,
154
+ and oversized files, then reports deployment config files, deployment docs, package
155
+ script keys, platform indicators, risk indicators, skipped paths, and not-verified
156
+ provider/runtime behavior. It never deploys, calls provider APIs, installs packages,
157
+ builds, tests, runs services, migrates, or mutates project files.
158
+
141
159
  ## What Adapters May Do
142
160
 
143
161
  - Add bounded relative read paths and ignored paths.
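Review bot: The exclusion list in the new "Adapter-Aware Deployment Preflight Consumption" section (`.env`, secret-bearing files, generated output, dependency paths, build output, runtime output, oversized files) says nothing about symlinks or about adapter-declared paths that resolve outside `<project-root>`. Since the section promises that the renderer "reads only adapter-declared safe paths", state how a declared path containing `..` or a symlink that leaves the root is treated, and give the size threshold behind "oversized" so the skipped-path report can be checked against it.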
@@ -153,6 +171,9 @@ project files.
153
171
  files while relying on the shared reviewer to exclude secret-bearing paths.
154
172
  - Add github-handoff required evidence labels and ignored path labels while relying on the
155
173
  shared renderer to avoid remote URLs, tokens, and GitHub mutation.
174
+ - Add deployment-preflight safe read paths for static deployment config, docs, and package
175
+ metadata while relying on the shared preflight renderer to exclude secret-bearing paths
176
+ and avoid deployment behavior.
156
177
  - Add command aliases that already satisfy the shared command policy.
157
178
  - Add status-only runtime commands and manager hints.
158
179
  - Require additional evidence or named approval for exceptional reads.
@@ -182,6 +182,20 @@ When enabled, it reports local Git metadata and changed-file summaries without p
182
182
  remote URLs, reading tokens, creating pull requests, committing, pushing, tagging, calling
183
183
  GitHub APIs, or changing project files.
184
184
 
185
+ A project-owned adapter can also enable read-only `deployment-preflight` context:
186
+
187
+ ```bash
188
+ node scripts/render-deployment-preflight.mjs <project-root>
189
+ ```
190
+
191
+ The deployment preflight renderer validates the project declaration when present. If the
192
+ adapter is present but does not enable `deployment-preflight`, it reports an
193
+ adapter-limited skip. When enabled, it reads only adapter-declared safe paths and reports
194
+ static deployment config files, deployment docs, package script keys, platform indicators,
195
+ risk indicators, and not-verified provider/runtime behavior without deploying, calling
196
+ provider APIs, installing packages, building, testing, running services, or reading
197
+ secrets.
198
+
185
199
  ## Safety Boundary
186
200
 
187
201
  Project adapters are extension-only. They cannot remove denied operations, change an
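Review bot: The refusal list in the added paragraph ends at "running services, or reading secrets" and drops "migrates" and "mutates project files", both of which appear in the matching paragraph added under "Adapter-Aware Deployment Preflight Consumption"; the report list here also omits "skipped paths". Align the two paragraphs, or link one to the other, so a reader of this page alone does not infer a narrower guarantee.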
@@ -22,8 +22,8 @@ project repository is touched:
22
22
  `coding-agent.skills.json`.
23
23
  - The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
24
24
  `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
25
- `github-handoff`, `build-verify`, `git-preflight`, `runtime-truth`, or
26
- `llm-drift-control`.
25
+ `github-handoff`, `deployment-preflight`, `build-verify`, `git-preflight`,
26
+ `runtime-truth`, or `llm-drift-control`.
27
27
  - The adapter can narrow context with relative paths, documentation precedence, safe
28
28
  aliases, status-only hints, or extra evidence requirements.
29
29
  - The adapter does not require deployment, migration, package installation, Git
@@ -18,6 +18,7 @@ Audit-only:
18
18
  - `api-contract-audit`
19
19
  - `migration-review`
20
20
  - `github-handoff`
21
+ - `deployment-preflight`
21
22
  - `git-preflight`
22
23
  - `runtime-truth`
23
24
  - `llm-drift-control`
@@ -26,6 +27,6 @@ Controlled local validation:
26
27
 
27
28
  - `build-verify`
28
29
 
29
- The evidence pack is a shared output contract, not an executable skill. Deployment
30
- preflight, provider operations, and additional project adapters remain separate future
30
+ The evidence pack is a shared output contract, not an executable skill. Provider
31
+ operations, deployment execution, and additional project adapters remain separate future
31
32
  work.
@@ -22,7 +22,7 @@
22
22
  15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
23
23
  `coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
24
24
  `coding-agent-skills api-contract-audit`, `coding-agent-skills migration-review`,
25
- or `coding-agent-skills github-handoff`
25
+ `coding-agent-skills github-handoff`, or `coding-agent-skills deployment-preflight`
26
26
  against synthetic fixtures only unless a real project read-only smoke is explicitly
27
27
  approved.
28
28
  16. Review changelog, ledger, run evidence, and versioning impact.
@@ -7,7 +7,7 @@ safety model.
7
7
  ## Current Package Shape
8
8
 
9
9
  - Package name: `coding-agent-skills`.
10
- - Package version: `0.2.14`.
10
+ - Package version: `0.2.15`.
11
11
  - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
12
12
  - Module type: `module`.
13
13
  - Dependencies: none.
@@ -33,6 +33,7 @@ coding-agent-skills secret-audit /path/to/project
33
33
  coding-agent-skills api-contract-audit /path/to/project
34
34
  coding-agent-skills migration-review /path/to/project
35
35
  coding-agent-skills github-handoff /path/to/project
36
+ coding-agent-skills deployment-preflight /path/to/project
36
37
  coding-agent-skills validate-adapters /path/to/adapter-root
37
38
  ```
38
39
 
@@ -60,6 +61,10 @@ secrets.
60
61
  `github-handoff` is local Git metadata only; it reports branch state, HEAD, tags at HEAD,
61
62
  remote names, and changed-file summaries without printing remote URLs, reading tokens,
62
63
  creating pull requests, committing, pushing, tagging, or calling GitHub APIs.
64
+ `deployment-preflight` is static and audit-only; it reports deployment config files,
65
+ deployment docs, package script keys, platform indicators, risk indicators, and
66
+ not-verified provider/runtime behavior without deploying, calling provider APIs,
67
+ installing packages, building, testing, or reading secrets.
63
68
 
64
69
  `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
65
70
  source-only checks such as `.gitignore` validation. In an installed package tree, where
@@ -95,7 +100,7 @@ included.
95
100
  The public CLI remains read-only for target projects unless a specific underlying skill
96
101
  already permits a bounded local validation action. The installed `repo-map`,
97
102
  `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
98
- `github-handoff`, and adapter flows do not:
103
+ `github-handoff`, `deployment-preflight`, and adapter flows do not:
99
104
 
100
105
  - deploy
101
106
  - run migrations
@@ -2,7 +2,7 @@
2
2
 
3
3
  ## Audit-Only Rule
4
4
 
5
- `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
5
+ `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `deployment-preflight`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
6
6
 
7
7
  `route-trace` is static only. It may read bounded non-secret route files and route
8
8
  configuration, but it must not execute app code, run servers, hit URLs, claim runtime
@@ -32,6 +32,11 @@ HEAD, remote names, and changed-file status, but it must not print remote URLs,
32
32
  tokens, create pull requests, commit, push, tag, call GitHub APIs, mutate Git state, or
33
33
  broaden adapter scope.
34
34
 
35
+ `deployment-preflight` is static only. It may read bounded non-secret deployment config,
36
+ docs, and package metadata, but it must not deploy, run provider CLIs, call cloud APIs,
37
+ install packages, build, test, run services, migrate databases, read secret files, or
38
+ broaden adapter scope.
39
+
35
40
  `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
36
41
 
37
42
  ## Restricted Categories
@@ -75,6 +75,14 @@ summary, adapter-declared evidence metadata, and adapter-present-but-not-enabled
75
75
  Tests must never commit to the shared repository, push, tag shared history, create pull
76
76
  requests, call GitHub APIs, print remote URLs, read tokens, or read `.env` files.
77
77
 
78
+ ## Deployment Preflight
79
+
80
+ Synthetic deployment-preflight projects cover deployment config detection, deployment docs,
81
+ package script keys without command values, static platform indicators, risk indicators,
82
+ adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
83
+ deploy, call provider APIs, install packages, build, test, run services, migrate, or read
84
+ `.env` files.
85
+
78
86
  ## Privacy And Redaction
79
87
 
80
88
  Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
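Review bot: "Tests must never ... read `.env` files" in the new "Deployment Preflight" section states a rule for the tests, but the coverage list has no item for the renderer's own exclusions. The fixture files listed for this release include `ignored/render.yaml` for the skip case and no `.env` or other secret-bearing path, so unless `scripts/test-pack.mjs` synthesises one at run time, add a case asserting that such a file inside an adapter-declared safe path is reported as skipped and that its contents never appear in the output.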
@@ -11,6 +11,7 @@ Select the least-privileged skill that matches the request:
11
11
  | Map static API contract surfaces | `api-contract-audit` |
12
12
  | Review static migration and schema evidence | `migration-review` |
13
13
  | Prepare local GitHub handoff evidence | `github-handoff` |
14
+ | Map static deployment readiness evidence | `deployment-preflight` |
14
15
  | Run existing local validation checks | `build-verify` |
15
16
  | Assess Git handoff readiness | `git-preflight` |
16
17
  | Determine what is actually running | `runtime-truth` |
@@ -30,11 +31,13 @@ Select the least-privileged skill that matches the request:
30
31
  and static risk-indicator evidence must be mapped without database access.
31
32
  7. Use `github-handoff` when local Git metadata and changed-file summaries are needed
32
33
  before separately approved GitHub work.
33
- 8. Perform implementation outside this pilot pack.
34
- 9. Use `build-verify` for approved project-native checks.
35
- 10. Use `git-preflight` before handoff or publication.
36
- 11. Use `runtime-truth` only when live local state matters.
37
- 12. Use `llm-drift-control` when claims and evidence may disagree.
34
+ 8. Use `deployment-preflight` when visible deployment config, docs, package script keys,
35
+ and platform hints must be mapped without deployment behavior.
36
+ 9. Perform implementation outside this pilot pack.
37
+ 10. Use `build-verify` for approved project-native checks.
38
+ 11. Use `git-preflight` before handoff or publication.
39
+ 12. Use `runtime-truth` only when live local state matters.
40
+ 13. Use `llm-drift-control` when claims and evidence may disagree.
38
41
 
39
42
  Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
40
43
 
@@ -71,6 +74,7 @@ coding-agent-skills secret-audit /path/to/project
71
74
  coding-agent-skills api-contract-audit /path/to/project
72
75
  coding-agent-skills migration-review /path/to/project
73
76
  coding-agent-skills github-handoff /path/to/project
77
+ coding-agent-skills deployment-preflight /path/to/project
74
78
  coding-agent-skills validate-adapters /path/to/adapter-root
75
79
  ```
76
80
 
@@ -104,6 +108,10 @@ database access or migration execution.
104
108
  state, HEAD, tags at HEAD, remote names, and changed-file summaries without printing
105
109
  remote URLs, committing, pushing, tagging, creating pull requests, calling GitHub APIs,
106
110
  or reading tokens.
111
+ `deployment-preflight` validates a project adapter when present, uses adapter-declared
112
+ safe paths when enabled, and statically reports deployment config files, deployment docs,
113
+ package script keys, platform indicators, risk indicators, skipped paths, and
114
+ not-verified provider/runtime behavior without deploying or calling provider APIs.
107
115
 
108
116
  The installed CLI does not run target project builds or tests, perform runtime checks,
109
117
  deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
@@ -123,6 +131,7 @@ bin/coding-agent-skills secret-audit /path/to/project
123
131
  bin/coding-agent-skills api-contract-audit /path/to/project
124
132
  bin/coding-agent-skills migration-review /path/to/project
125
133
  bin/coding-agent-skills github-handoff /path/to/project
134
+ bin/coding-agent-skills deployment-preflight /path/to/project
126
135
  bin/coding-agent-skills validate-adapters /path/to/adapter-root
127
136
  ```
128
137
 
@@ -139,6 +148,7 @@ coding-agent-skills secret-audit /path/to/project
139
148
  coding-agent-skills api-contract-audit /path/to/project
140
149
  coding-agent-skills migration-review /path/to/project
141
150
  coding-agent-skills github-handoff /path/to/project
151
+ coding-agent-skills deployment-preflight /path/to/project
142
152
  coding-agent-skills validate-adapters /path/to/adapter-root
143
153
  ```
144
154
 
@@ -0,0 +1,70 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-deployment-preflight-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static deployment config, docs, and package metadata inspection"],
23
+ "deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, secret files, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
29
+ ]
30
+ },
31
+ {
32
+ "name": "git-identity-inspection",
33
+ "executables": ["git"],
34
+ "argumentPolicy": {
35
+ "strategy": "exact",
36
+ "allowedPatterns": ["rev-parse and status --short --branch"],
37
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
38
+ },
39
+ "constraints": ["Allow only read-only repository identity and branch-state inspection."]
40
+ },
41
+ {
42
+ "name": "deployment-preflight-renderer",
43
+ "executables": ["node", "coding-agent-skills"],
44
+ "argumentPolicy": {
45
+ "strategy": "exact",
46
+ "allowedPatterns": ["node scripts/render-deployment-preflight.mjs <project-root>; coding-agent-skills deployment-preflight <project-root>"],
47
+ "deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, migrations, service mutation, and secret-file reads"]
48
+ },
49
+ "constraints": [
50
+ "The renderer must remain static and read-only.",
51
+ "Do not run provider CLIs, deploy, build, test, or inspect secrets."
52
+ ]
53
+ }
54
+ ],
55
+ "restrictedCategories": [
56
+ "file-write",
57
+ "package-install",
58
+ "deployment",
59
+ "git-mutation",
60
+ "unrestricted-scan",
61
+ "secret-read",
62
+ "process-mutation",
63
+ "service-mutation",
64
+ "migration-apply",
65
+ "privileged-api"
66
+ ],
67
+ "approvalExceptions": [
68
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
69
+ ]
70
+ }
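Review bot: `find` and `sed` in `executables` for `bounded-deployment-preflight-inspection` are not read-only by themselves (`find -exec` and `-delete`, `sed -i` and its `w` command), and the `argumentPolicy` meant to fence them is a prose sentence in `allowedPatterns` and `deniedPatterns` rather than something a parser can match. Either drop the two executables in favour of `rg` and `head`, or list the denied flags explicitly. The same applies to the `"strategy": "exact"` entries, where `allowedPatterns` holds a description (`rev-parse and status --short --branch`) and, for the renderer family, two commands joined by `;` in one string.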
@@ -0,0 +1,60 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "deployment-preflight", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-deployment-preflight",
6
+ "startedAt": "2026-07-03T12:00:00Z",
7
+ "endedAt": "2026-07-03T12:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Map static deployment readiness evidence before deployment planning.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-deployment-preflight-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "medium",
22
+ "reason": "Static deployment evidence was inspected, but provider credentials and deployed state were not verified."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills deployment-preflight /workspace/example-project",
27
+ "family": "deployment-preflight-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T12:00:20Z",
30
+ "endedAt": "2026-07-03T12:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a static deployment preflight report.",
36
+ "outputSummary": "Reported static deployment config files, docs, platform indicators, risk indicators, skipped items, and not-verified provider areas."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Static deployment evidence was mapped without deployment behavior.",
43
+ "evidence": ["wrangler.toml", "docs/deployment.md"]
44
+ }
45
+ ],
46
+ "risks": [
47
+ {
48
+ "summary": "Provider and deployed service state may differ from static repository evidence.",
49
+ "evidence": ["provider APIs were not called", "runtime health checks were not performed"]
50
+ }
51
+ ],
52
+ "failures": [],
53
+ "unresolvedQuestions": [],
54
+ "changedState": {
55
+ "changed": false,
56
+ "summary": "No project, Git, dependency, runtime, service, database, cloud provider, remote, deployment, or generated-output state changed."
57
+ },
58
+ "handoffSummary": "Static deployment evidence is mapped; deployment execution and provider state remain unverified.",
59
+ "recommendedNextAction": "Review reported deployment surfaces before separately approving any platform-specific deployment work."
60
+ }
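Review bot: `"skippedChecks": []` next to `"status": "complete"` hides what was not verified: the only record that provider APIs and runtime health checks were never exercised sits in `risks[0].evidence` and `confidence.reason`. The usage docs tell readers to check status, skipped checks, failures, confidence and changed state, so list the not-verified provider and runtime areas under `skippedChecks` in this example, or show the field the renderer uses for them. Also, `repository.branch`, `head` and `workingTreeState` are filled in while `commands` records only the renderer call; if Git was queried, add those calls under the `git-identity-inspection` family.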
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "deployment-preflight",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/deployment-preflight.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/deployment-preflight/adapter-interface.md",
13
+ "description": "Map static deployment readiness evidence without deployment behavior."
14
+ }
@@ -0,0 +1,8 @@
1
+ # Deployment Preflight Workflow
2
+
3
+ ```bash
4
+ coding-agent-skills deployment-preflight /workspace/project
5
+ ```
6
+
7
+ Use the output as static deployment orientation only. It does not deploy, call provider APIs,
8
+ install packages, run builds, run tests, start services, run migrations, or read secrets.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "coding-agent-skills",
3
- "version": "0.2.14",
3
+ "version": "0.2.15",
4
4
  "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
5
5
  "type": "module",
6
6
  "private": false,
@@ -15,6 +15,7 @@
15
15
  "api-contract-audit",
16
16
  "migration-review",
17
17
  "github-handoff",
18
+ "deployment-preflight",
18
19
  "project-adapters",
19
20
  "code-validation",
20
21
  "cli"
@@ -258,6 +258,25 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
258
258
  - Safety boundary: read-only local Git metadata only, no `.env` reads, no token reads, no
259
259
  remote URL printing, no commits, no pushes, no tags, no pull request creation, no GitHub
260
260
  API calls, and no target-project mutation.
261
+ - Validation commands: full source validation, package dry-run, tarball smoke, registry
262
+ install smoke, npm exec, and GitHub Release verification.
263
+ - Result: passed; `v0.2.14` was committed, pushed, tagged, published to npm, smoke-tested
264
+ from the registry, and released on GitHub.
265
+ - Commit/tag/push status: complete.
266
+
267
+ ## implementation-v0.2.15-deployment-preflight
268
+
269
+ - Run ID: `implementation-v0.2.15-deployment-preflight`
270
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
271
+ - Command used: `builder-mode approval for deployment-preflight-skill implementation and release`
272
+ - Files changed: `deployment-preflight` skill, deployment preflight renderer and library,
273
+ CLI wrapper, adapter schemas, pack rules, release tests, synthetic deployment fixtures,
274
+ usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package
275
+ metadata.
276
+ - Safety boundary: read-only static deployment evidence only, no `.env` reads, no provider
277
+ API calls, no provider CLI execution, no package installs, no builds, no tests, no
278
+ runtime checks, no service mutation, no deployments, no migrations, and no target-project
279
+ mutation.
261
280
  - Validation commands: pending final release validation matrix.
262
281
  - Result: pass pending final publication evidence.
263
282
  - Commit/tag/push status: pending approved release workflow.
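Review bot: The `Repository:` line in the new `implementation-v0.2.15-deployment-preflight` entry publishes a maintainer's absolute home path, account name included (`/home/oneclickwebsitedesignfactory/coding-agent-skills`), in a file shipped to the registry. Replace it with a repo-relative or placeholder value such as `<repo-root>`. Separately, the entry ships with `Validation commands: pending final release validation matrix` and `Result: pass pending final publication evidence`, so the published 0.2.15 package carries no validation evidence for itself; record at least the pre-publish commands that did run.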
@@ -71,6 +71,7 @@
71
71
  "api-contract-audit",
72
72
  "migration-review",
73
73
  "github-handoff",
74
+ "deployment-preflight",
74
75
  "build-verify",
75
76
  "git-preflight",
76
77
  "runtime-truth",
@@ -109,6 +110,7 @@
109
110
  "api-contract-audit",
110
111
  "migration-review",
111
112
  "github-handoff",
113
+ "deployment-preflight",
112
114
  "build-verify",
113
115
  "git-preflight",
114
116
  "runtime-truth",
@@ -95,6 +95,7 @@
95
95
  "api-contract-audit",
96
96
  "migration-review",
97
97
  "github-handoff",
98
+ "deployment-preflight",
98
99
  "build-verify",
99
100
  "git-preflight",
100
101
  "runtime-truth",
@@ -177,6 +178,7 @@
177
178
  "api-contract-audit",
178
179
  "migration-review",
179
180
  "github-handoff",
181
+ "deployment-preflight",
180
182
  "build-verify",
181
183
  "git-preflight",
182
184
  "runtime-truth",