coding-agent-skills 0.2.14 → 0.2.15
- package/CHANGELOG.md +22 -0
- package/README.md +5 -1
- package/ROADMAP.md +4 -2
- package/bin/coding-agent-skills +7 -0
- package/docs/adapters/README.md +21 -0
- package/docs/adapters/project-installation.md +14 -0
- package/docs/adapters/real-project-adoption.md +2 -2
- package/docs/architecture/README.md +3 -2
- package/docs/release/README.md +1 -1
- package/docs/release/npm-package.md +7 -2
- package/docs/safety/README.md +6 -1
- package/docs/testing/README.md +8 -0
- package/docs/usage/README.md +15 -5
- package/examples/command-policies/deployment-preflight.json +70 -0
- package/examples/evidence-packs/deployment-preflight.json +60 -0
- package/examples/manifests/deployment-preflight.json +14 -0
- package/examples/workflows/deployment-preflight.md +8 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +19 -0
- package/schemas/project-adapter-installation.schema.json +2 -0
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/deployment-preflight.mjs +655 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/render-deployment-preflight.mjs +9 -0
- package/scripts/test-pack.mjs +60 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/deployment-preflight/SKILL.md +89 -0
- package/skills/deployment-preflight/adapter-interface.md +17 -0
- package/skills/deployment-preflight/agents/openai.yaml +3 -0
- package/skills/deployment-preflight/checklist.md +7 -0
- package/skills/deployment-preflight/evidence-template.md +19 -0
- package/skills/deployment-preflight/examples.md +11 -0
- package/skills/deployment-preflight/failure-modes.md +11 -0
- package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/adapters/deployment-preflight-fixture/adapter.json +56 -0
- package/tests/fixtures/deployment-preflight/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/deployment-preflight/adapter-project/README.md +3 -0
- package/tests/fixtures/deployment-preflight/adapter-project/deploy/netlify.toml +3 -0
- package/tests/fixtures/deployment-preflight/adapter-project/ignored/render.yaml +3 -0
- package/tests/fixtures/deployment-preflight/adapter-project/package.json +5 -0
- package/tests/fixtures/deployment-preflight/static-project/Dockerfile +2 -0
- package/tests/fixtures/deployment-preflight/static-project/README.md +3 -0
- package/tests/fixtures/deployment-preflight/static-project/docs/deployment.md +4 -0
- package/tests/fixtures/deployment-preflight/static-project/package.json +6 -0
- package/tests/fixtures/deployment-preflight/static-project/src/index.js +1 -0
- package/tests/fixtures/deployment-preflight/static-project/wrangler.toml +3 -0
- package/tests/fixtures/triggers/cases.json +13 -1
- package/tests/trigger/README.md +2 -0
- package/work-ledger.md +18 -6
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,28 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes follow [Semantic Versioning](docs/versioning/README.md).
|
|
4
4
|
|
|
5
|
+
## [0.2.15] - 2026-07-03
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- `deployment-preflight` audit-only skill for static deployment readiness evidence
|
|
10
|
+
mapping before separately approved deployment work.
|
|
11
|
+
- `coding-agent-skills deployment-preflight <project-root>` CLI command.
|
|
12
|
+
- Dependency-free deployment preflight renderer for deployment config files, deployment
|
|
13
|
+
docs, package script keys without command values, platform indicators, static risk
|
|
14
|
+
indicators, adapter-limited scope, skipped paths, not-verified provider/runtime areas,
|
|
15
|
+
and safety refusals.
|
|
16
|
+
- Synthetic deployment-preflight fixtures and release tests for generic static scans,
|
|
17
|
+
adapter-scoped scans, package script key detection, platform indicators, and
|
|
18
|
+
repo-map-only adapter skips.
|
|
19
|
+
|
|
20
|
+
### Changed
|
|
21
|
+
|
|
22
|
+
- Adapter schemas and validators now recognize `deployment-preflight` as an audit-only
|
|
23
|
+
skill while preserving the existing `0.2.3` adapter contract compatibility baseline.
|
|
24
|
+
- Usage, release, safety, architecture, adapter, roadmap, ledger, and run-log docs now
|
|
25
|
+
describe the new static read-only deployment preflight command.
|
|
26
|
+
|
|
5
27
|
## [0.2.14] - 2026-07-03
|
|
6
28
|
|
|
7
29
|
### Added
|
package/README.md
CHANGED
|
@@ -12,12 +12,13 @@ The pilot pack contains:
|
|
|
12
12
|
- `api-contract-audit`: audit-only static API contract surface mapping.
|
|
13
13
|
- `migration-review`: audit-only static migration and schema evidence review.
|
|
14
14
|
- `github-handoff`: audit-only local Git handoff evidence before separately approved GitHub work.
|
|
15
|
+
- `deployment-preflight`: audit-only static deployment readiness evidence mapping.
|
|
15
16
|
- `build-verify`: controlled local validation using existing project commands.
|
|
16
17
|
- `git-preflight`: audit-only Git readiness inspection.
|
|
17
18
|
- `runtime-truth`: audit-only runtime evidence collection.
|
|
18
19
|
- `llm-drift-control`: audit-only claim reconciliation.
|
|
19
20
|
|
|
20
|
-
It does not contain deployment, package installation, Git publication, runtime mutation, migration, privileged API, platform-specific, or project-specific skills.
|
|
21
|
+
It does not contain deployment execution, package installation, Git publication, runtime mutation, migration application, privileged API, platform-specific deployment automation, or project-specific skills.
|
|
21
22
|
|
|
22
23
|
Project-specific adapters will live in their owning repositories and may narrow, but never weaken, shared safety rules.
|
|
23
24
|
|
|
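Review bot: The reworded scope sentence at new line 21 does more than add a skill. It narrows three exclusions: `deployment` becomes `deployment execution`, `migration` becomes `migration application`, and `platform-specific` becomes `platform-specific deployment automation`. That relaxes the stated boundary of the pack, so give it its own entry under `### Changed` in the changelog instead of folding it into the skill-list update, and have whoever owns the safety docs confirm the narrower wording is intended.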
@@ -50,6 +51,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
50
51
|
- Map static API contract surfaces with `coding-agent-skills api-contract-audit <project-root>`.
|
|
51
52
|
- Review static migration and schema evidence with `coding-agent-skills migration-review <project-root>`.
|
|
52
53
|
- Prepare local Git handoff evidence with `coding-agent-skills github-handoff <project-root>`.
|
|
54
|
+
- Map static deployment readiness evidence with `coding-agent-skills deployment-preflight <project-root>`.
|
|
53
55
|
- Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
|
|
54
56
|
- Review [external adapter discovery](docs/adapters/discovery.md).
|
|
55
57
|
- Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
|
|
@@ -67,6 +69,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
67
69
|
`node scripts/render-migration-review.mjs <project-root>`.
|
|
68
70
|
- Render a local GitHub handoff report with
|
|
69
71
|
`node scripts/render-github-handoff.mjs <project-root>`.
|
|
72
|
+
- Render a static deployment preflight report with
|
|
73
|
+
`node scripts/render-deployment-preflight.mjs <project-root>`.
|
|
70
74
|
- Review [adapter upgrade checks](docs/adapters/upgrades.md).
|
|
71
75
|
- Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
|
|
72
76
|
for disposable project revisions.
|
package/ROADMAP.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Roadmap
|
|
2
2
|
|
|
3
|
-
The public package now contains
|
|
3
|
+
The public package now contains twelve approved shared skills. Builder-mode approval is
|
|
4
4
|
active for the remaining read-only skill wave in this repository; real-world project
|
|
5
5
|
execution constraints remain unchanged.
|
|
6
6
|
|
|
@@ -40,6 +40,8 @@ execution constraints remain unchanged.
|
|
|
40
40
|
and schema evidence review.
|
|
41
41
|
- `v0.2.14`: audit-only `github-handoff` skill and CLI renderer for local Git handoff
|
|
42
42
|
evidence before separately approved GitHub work.
|
|
43
|
+
- `v0.2.15`: audit-only `deployment-preflight` skill and CLI renderer for static
|
|
44
|
+
deployment readiness evidence before separately approved deployment work.
|
|
43
45
|
|
|
44
46
|
The next milestone is recorded in [work-ledger.md](work-ledger.md). The
|
|
45
47
|
[maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
|
|
@@ -86,7 +88,7 @@ Next safe milestone options:
|
|
|
86
88
|
| `api-contract-audit-skill` | General | Audit-only | Implemented in `v0.2.12` |
|
|
87
89
|
| `migration-review-skill` | General with platform adapters | Audit-only | Implemented in `v0.2.13` |
|
|
88
90
|
| `github-handoff-skill` | General | Audit-only | Implemented in `v0.2.14` |
|
|
89
|
-
| `deployment-preflight-skill` | General | Audit-only |
|
|
91
|
+
| `deployment-preflight-skill` | General | Audit-only | Implemented in `v0.2.15` |
|
|
90
92
|
| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
|
91
93
|
| `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
|
|
92
94
|
| `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
package/bin/coding-agent-skills
CHANGED
|
@@ -59,6 +59,12 @@ const commands = {
|
|
|
59
59
|
usage: "coding-agent-skills github-handoff <project-root>",
|
|
60
60
|
requiredArgs: 1,
|
|
61
61
|
},
|
|
62
|
+
"deployment-preflight": {
|
|
63
|
+
script: "scripts/render-deployment-preflight.mjs",
|
|
64
|
+
args: ([projectRoot]) => [projectRoot],
|
|
65
|
+
usage: "coding-agent-skills deployment-preflight <project-root>",
|
|
66
|
+
requiredArgs: 1,
|
|
67
|
+
},
|
|
62
68
|
"validate-adapters": {
|
|
63
69
|
script: "scripts/validate-adapters.mjs",
|
|
64
70
|
args: ([adapterRoot]) => [adapterRoot],
|
|
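Review bot: The new `deployment-preflight` entry forwards `projectRoot` to the renderer unchanged (`args: ([projectRoot]) => [projectRoot]`), and nothing in this hunk shows the value being resolved or checked before use. Every scope claim for this skill depends on staying inside the project root, so confirm that `scripts/render-deployment-preflight.mjs` canonicalizes the path and rejects option-like or non-directory values, and add a release test for that if one does not exist.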
@@ -81,6 +87,7 @@ function usage(exitCode = 0) {
|
|
|
81
87
|
" api-contract-audit <project-root>",
|
|
82
88
|
" migration-review <project-root>",
|
|
83
89
|
" github-handoff <project-root>",
|
|
90
|
+
" deployment-preflight <project-root>",
|
|
84
91
|
" validate-adapters <adapter-root>",
|
|
85
92
|
"",
|
|
86
93
|
"local wrapper for the published coding-agent-skills package",
|
package/docs/adapters/README.md
CHANGED
|
@@ -138,6 +138,24 @@ tags at HEAD, remote names, and changed-file summaries. It never prints remote U
|
|
|
138
138
|
reads tokens, creates pull requests, commits, pushes, tags, calls GitHub APIs, or mutates
|
|
139
139
|
project files.
|
|
140
140
|
|
|
141
|
+
## Adapter-Aware Deployment Preflight Consumption
|
|
142
|
+
|
|
143
|
+
The shared pack can consume a validated project-owned adapter as bounded context for
|
|
144
|
+
`deployment-preflight`:
|
|
145
|
+
|
|
146
|
+
```bash
|
|
147
|
+
node scripts/render-deployment-preflight.mjs <project-root>
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
The renderer validates the project declaration when present. If an adapter is present but
|
|
151
|
+
does not enable `deployment-preflight`, it reports an adapter-limited skip instead of
|
|
152
|
+
broadening scope. When enabled, it reads only adapter-declared safe paths, excludes `.env`,
|
|
153
|
+
secret-bearing files, generated output, dependency paths, build output, runtime output,
|
|
154
|
+
and oversized files, then reports deployment config files, deployment docs, package
|
|
155
|
+
script keys, platform indicators, risk indicators, skipped paths, and not-verified
|
|
156
|
+
provider/runtime behavior. It never deploys, calls provider APIs, installs packages,
|
|
157
|
+
builds, tests, runs services, migrates, or mutates project files.
|
|
158
|
+
|
|
141
159
|
## What Adapters May Do
|
|
142
160
|
|
|
143
161
|
- Add bounded relative read paths and ignored paths.
|
|
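Review bot: The exclusion list in the new section names `secret-bearing files` and `oversized files` without saying how either is decided. An adapter author cannot predict which declared paths will be skipped. State the size limit and the matching rule for secret-bearing paths here, or link to the document that defines them.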
@@ -153,6 +171,9 @@ project files.
|
|
|
153
171
|
files while relying on the shared reviewer to exclude secret-bearing paths.
|
|
154
172
|
- Add github-handoff required evidence labels and ignored path labels while relying on the
|
|
155
173
|
shared renderer to avoid remote URLs, tokens, and GitHub mutation.
|
|
174
|
+
- Add deployment-preflight safe read paths for static deployment config, docs, and package
|
|
175
|
+
metadata while relying on the shared preflight renderer to exclude secret-bearing paths
|
|
176
|
+
and avoid deployment behavior.
|
|
156
177
|
- Add command aliases that already satisfy the shared command policy.
|
|
157
178
|
- Add status-only runtime commands and manager hints.
|
|
158
179
|
- Require additional evidence or named approval for exceptional reads.
|
|
@@ -182,6 +182,20 @@ When enabled, it reports local Git metadata and changed-file summaries without p
|
|
|
182
182
|
remote URLs, reading tokens, creating pull requests, committing, pushing, tagging, calling
|
|
183
183
|
GitHub APIs, or changing project files.
|
|
184
184
|
|
|
185
|
+
A project-owned adapter can also enable read-only `deployment-preflight` context:
|
|
186
|
+
|
|
187
|
+
```bash
|
|
188
|
+
node scripts/render-deployment-preflight.mjs <project-root>
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
The deployment preflight renderer validates the project declaration when present. If the
|
|
192
|
+
adapter is present but does not enable `deployment-preflight`, it reports an
|
|
193
|
+
adapter-limited skip. When enabled, it reads only adapter-declared safe paths and reports
|
|
194
|
+
static deployment config files, deployment docs, package script keys, platform indicators,
|
|
195
|
+
risk indicators, and not-verified provider/runtime behavior without deploying, calling
|
|
196
|
+
provider APIs, installing packages, building, testing, running services, or reading
|
|
197
|
+
secrets.
|
|
198
|
+
|
|
185
199
|
## Safety Boundary
|
|
186
200
|
|
|
187
201
|
Project adapters are extension-only. They cannot remove denied operations, change an
|
|
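Review bot: This paragraph restates the renderer behaviour already described in the `Adapter-Aware Deployment Preflight Consumption` section added earlier in this diff, and the two copies have already diverged. This one omits `skipped paths` from the reported items and drops `migrates, or mutates project files` from the never-list, while adding `reading secrets`. For a safety boundary, keep one canonical statement and link to it from here so the guarantees cannot drift between documents.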
@@ -22,8 +22,8 @@ project repository is touched:
|
|
|
22
22
|
`coding-agent.skills.json`.
|
|
23
23
|
- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
|
|
24
24
|
`env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
25
|
-
`github-handoff`, `build-verify`, `git-preflight`,
|
|
26
|
-
`llm-drift-control`.
|
|
25
|
+
`github-handoff`, `deployment-preflight`, `build-verify`, `git-preflight`,
|
|
26
|
+
`runtime-truth`, or `llm-drift-control`.
|
|
27
27
|
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
28
28
|
aliases, status-only hints, or extra evidence requirements.
|
|
29
29
|
- The adapter does not require deployment, migration, package installation, Git
|
|
@@ -18,6 +18,7 @@ Audit-only:
|
|
|
18
18
|
- `api-contract-audit`
|
|
19
19
|
- `migration-review`
|
|
20
20
|
- `github-handoff`
|
|
21
|
+
- `deployment-preflight`
|
|
21
22
|
- `git-preflight`
|
|
22
23
|
- `runtime-truth`
|
|
23
24
|
- `llm-drift-control`
|
|
@@ -26,6 +27,6 @@ Controlled local validation:
|
|
|
26
27
|
|
|
27
28
|
- `build-verify`
|
|
28
29
|
|
|
29
|
-
The evidence pack is a shared output contract, not an executable skill.
|
|
30
|
-
|
|
30
|
+
The evidence pack is a shared output contract, not an executable skill. Provider
|
|
31
|
+
operations, deployment execution, and additional project adapters remain separate future
|
|
31
32
|
work.
|
package/docs/release/README.md
CHANGED
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`,
|
|
23
23
|
`coding-agent-skills env-audit`, `coding-agent-skills secret-audit`,
|
|
24
24
|
`coding-agent-skills api-contract-audit`, `coding-agent-skills migration-review`,
|
|
25
|
-
|
|
25
|
+
`coding-agent-skills github-handoff`, or `coding-agent-skills deployment-preflight`
|
|
26
26
|
against synthetic fixtures only unless a real project read-only smoke is explicitly
|
|
27
27
|
approved.
|
|
28
28
|
16. Review changelog, ledger, run evidence, and versioning impact.
|
|
@@ -7,7 +7,7 @@ safety model.
|
|
|
7
7
|
## Current Package Shape
|
|
8
8
|
|
|
9
9
|
- Package name: `coding-agent-skills`.
|
|
10
|
-
- Package version: `0.2.
|
|
10
|
+
- Package version: `0.2.15`.
|
|
11
11
|
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
12
|
- Module type: `module`.
|
|
13
13
|
- Dependencies: none.
|
|
@@ -33,6 +33,7 @@ coding-agent-skills secret-audit /path/to/project
|
|
|
33
33
|
coding-agent-skills api-contract-audit /path/to/project
|
|
34
34
|
coding-agent-skills migration-review /path/to/project
|
|
35
35
|
coding-agent-skills github-handoff /path/to/project
|
|
36
|
+
coding-agent-skills deployment-preflight /path/to/project
|
|
36
37
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
37
38
|
```
|
|
38
39
|
|
|
@@ -60,6 +61,10 @@ secrets.
|
|
|
60
61
|
`github-handoff` is local Git metadata only; it reports branch state, HEAD, tags at HEAD,
|
|
61
62
|
remote names, and changed-file summaries without printing remote URLs, reading tokens,
|
|
62
63
|
creating pull requests, committing, pushing, tagging, or calling GitHub APIs.
|
|
64
|
+
`deployment-preflight` is static and audit-only; it reports deployment config files,
|
|
65
|
+
deployment docs, package script keys, platform indicators, risk indicators, and
|
|
66
|
+
not-verified provider/runtime behavior without deploying, calling provider APIs,
|
|
67
|
+
installing packages, building, testing, or reading secrets.
|
|
63
68
|
|
|
64
69
|
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
65
70
|
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
|
@@ -95,7 +100,7 @@ included.
|
|
|
95
100
|
The public CLI remains read-only for target projects unless a specific underlying skill
|
|
96
101
|
already permits a bounded local validation action. The installed `repo-map`,
|
|
97
102
|
`route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`,
|
|
98
|
-
`github-handoff`, and adapter flows do not:
|
|
103
|
+
`github-handoff`, `deployment-preflight`, and adapter flows do not:
|
|
99
104
|
|
|
100
105
|
- deploy
|
|
101
106
|
- run migrations
|
package/docs/safety/README.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## Audit-Only Rule
|
|
4
4
|
|
|
5
|
-
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
5
|
+
`repo-map`, `route-trace`, `env-audit`, `secret-audit`, `api-contract-audit`, `migration-review`, `github-handoff`, `deployment-preflight`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
6
6
|
|
|
7
7
|
`route-trace` is static only. It may read bounded non-secret route files and route
|
|
8
8
|
configuration, but it must not execute app code, run servers, hit URLs, claim runtime
|
|
@@ -32,6 +32,11 @@ HEAD, remote names, and changed-file status, but it must not print remote URLs,
|
|
|
32
32
|
tokens, create pull requests, commit, push, tag, call GitHub APIs, mutate Git state, or
|
|
33
33
|
broaden adapter scope.
|
|
34
34
|
|
|
35
|
+
`deployment-preflight` is static only. It may read bounded non-secret deployment config,
|
|
36
|
+
docs, and package metadata, but it must not deploy, run provider CLIs, call cloud APIs,
|
|
37
|
+
install packages, build, test, run services, migrate databases, read secret files, or
|
|
38
|
+
broaden adapter scope.
|
|
39
|
+
|
|
35
40
|
`build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
|
|
36
41
|
|
|
37
42
|
## Restricted Categories
|
package/docs/testing/README.md
CHANGED
|
@@ -75,6 +75,14 @@ summary, adapter-declared evidence metadata, and adapter-present-but-not-enabled
|
|
|
75
75
|
Tests must never commit to the shared repository, push, tag shared history, create pull
|
|
76
76
|
requests, call GitHub APIs, print remote URLs, read tokens, or read `.env` files.
|
|
77
77
|
|
|
78
|
+
## Deployment Preflight
|
|
79
|
+
|
|
80
|
+
Synthetic deployment-preflight projects cover deployment config detection, deployment docs,
|
|
81
|
+
package script keys without command values, static platform indicators, risk indicators,
|
|
82
|
+
adapter-declared scope, and adapter-present-but-not-enabled behavior. Tests must never
|
|
83
|
+
deploy, call provider APIs, install packages, build, test, run services, migrate, or read
|
|
84
|
+
`.env` files.
|
|
85
|
+
|
|
78
86
|
## Privacy And Redaction
|
|
79
87
|
|
|
80
88
|
Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
|
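Review bot: In the added sentence `Tests must never deploy, call provider APIs, install packages, build, test, run services, migrate, or read .env files`, the items `build` and `test` are ambiguous when the subject is the test suite itself. Say what is meant, for example that tests must never run a fixture project's build or test scripts.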
package/docs/usage/README.md
CHANGED
|
@@ -11,6 +11,7 @@ Select the least-privileged skill that matches the request:
|
|
|
11
11
|
| Map static API contract surfaces | `api-contract-audit` |
|
|
12
12
|
| Review static migration and schema evidence | `migration-review` |
|
|
13
13
|
| Prepare local GitHub handoff evidence | `github-handoff` |
|
|
14
|
+
| Map static deployment readiness evidence | `deployment-preflight` |
|
|
14
15
|
| Run existing local validation checks | `build-verify` |
|
|
15
16
|
| Assess Git handoff readiness | `git-preflight` |
|
|
16
17
|
| Determine what is actually running | `runtime-truth` |
|
|
@@ -30,11 +31,13 @@ Select the least-privileged skill that matches the request:
|
|
|
30
31
|
and static risk-indicator evidence must be mapped without database access.
|
|
31
32
|
7. Use `github-handoff` when local Git metadata and changed-file summaries are needed
|
|
32
33
|
before separately approved GitHub work.
|
|
33
|
-
8.
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
34
|
+
8. Use `deployment-preflight` when visible deployment config, docs, package script keys,
|
|
35
|
+
and platform hints must be mapped without deployment behavior.
|
|
36
|
+
9. Perform implementation outside this pilot pack.
|
|
37
|
+
10. Use `build-verify` for approved project-native checks.
|
|
38
|
+
11. Use `git-preflight` before handoff or publication.
|
|
39
|
+
12. Use `runtime-truth` only when live local state matters.
|
|
40
|
+
13. Use `llm-drift-control` when claims and evidence may disagree.
|
|
38
41
|
|
|
39
42
|
Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
|
|
40
43
|
|
|
@@ -71,6 +74,7 @@ coding-agent-skills secret-audit /path/to/project
|
|
|
71
74
|
coding-agent-skills api-contract-audit /path/to/project
|
|
72
75
|
coding-agent-skills migration-review /path/to/project
|
|
73
76
|
coding-agent-skills github-handoff /path/to/project
|
|
77
|
+
coding-agent-skills deployment-preflight /path/to/project
|
|
74
78
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
75
79
|
```
|
|
76
80
|
|
|
@@ -104,6 +108,10 @@ database access or migration execution.
|
|
|
104
108
|
state, HEAD, tags at HEAD, remote names, and changed-file summaries without printing
|
|
105
109
|
remote URLs, committing, pushing, tagging, creating pull requests, calling GitHub APIs,
|
|
106
110
|
or reading tokens.
|
|
111
|
+
`deployment-preflight` validates a project adapter when present, uses adapter-declared
|
|
112
|
+
safe paths when enabled, and statically reports deployment config files, deployment docs,
|
|
113
|
+
package script keys, platform indicators, risk indicators, skipped paths, and
|
|
114
|
+
not-verified provider/runtime behavior without deploying or calling provider APIs.
|
|
107
115
|
|
|
108
116
|
The installed CLI does not run target project builds or tests, perform runtime checks,
|
|
109
117
|
deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
|
|
@@ -123,6 +131,7 @@ bin/coding-agent-skills secret-audit /path/to/project
|
|
|
123
131
|
bin/coding-agent-skills api-contract-audit /path/to/project
|
|
124
132
|
bin/coding-agent-skills migration-review /path/to/project
|
|
125
133
|
bin/coding-agent-skills github-handoff /path/to/project
|
|
134
|
+
bin/coding-agent-skills deployment-preflight /path/to/project
|
|
126
135
|
bin/coding-agent-skills validate-adapters /path/to/adapter-root
|
|
127
136
|
```
|
|
128
137
|
|
|
@@ -139,6 +148,7 @@ coding-agent-skills secret-audit /path/to/project
|
|
|
139
148
|
coding-agent-skills api-contract-audit /path/to/project
|
|
140
149
|
coding-agent-skills migration-review /path/to/project
|
|
141
150
|
coding-agent-skills github-handoff /path/to/project
|
|
151
|
+
coding-agent-skills deployment-preflight /path/to/project
|
|
142
152
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
143
153
|
```
|
|
144
154
|
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "0.2.3",
|
|
3
|
+
"mode": "audit-only",
|
|
4
|
+
"parserPolicy": {
|
|
5
|
+
"inspectEverySegment": true,
|
|
6
|
+
"inspectScriptBodies": true,
|
|
7
|
+
"rejectUnknownExecutables": true,
|
|
8
|
+
"rejectShellWrappers": true,
|
|
9
|
+
"rejectHeredocs": true,
|
|
10
|
+
"rejectRedirection": true,
|
|
11
|
+
"providerSpecificNpx": true,
|
|
12
|
+
"authenticatedCurlRequiresApproval": true,
|
|
13
|
+
"boundedReadsRequired": true,
|
|
14
|
+
"allowedComposition": "read-only"
|
|
15
|
+
},
|
|
16
|
+
"allowedFamilies": [
|
|
17
|
+
{
|
|
18
|
+
"name": "bounded-deployment-preflight-inspection",
|
|
19
|
+
"executables": ["pwd", "ls", "rg", "find", "sed", "head"],
|
|
20
|
+
"argumentPolicy": {
|
|
21
|
+
"strategy": "pattern",
|
|
22
|
+
"allowedPatterns": ["bounded repository-local static deployment config, docs, and package metadata inspection"],
|
|
23
|
+
"deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, secret files, and unbounded traversal"]
|
|
24
|
+
},
|
|
25
|
+
"constraints": [
|
|
26
|
+
"Remain inside the declared project scope.",
|
|
27
|
+
"Bound traversal depth and output.",
|
|
28
|
+
"Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths."
|
|
29
|
+
]
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"name": "git-identity-inspection",
|
|
33
|
+
"executables": ["git"],
|
|
34
|
+
"argumentPolicy": {
|
|
35
|
+
"strategy": "exact",
|
|
36
|
+
"allowedPatterns": ["rev-parse and status --short --branch"],
|
|
37
|
+
"deniedPatterns": ["all Git mutation and publication subcommands"]
|
|
38
|
+
},
|
|
39
|
+
"constraints": ["Allow only read-only repository identity and branch-state inspection."]
|
|
40
|
+
},
|
|
41
|
+
{
|
|
42
|
+
"name": "deployment-preflight-renderer",
|
|
43
|
+
"executables": ["node", "coding-agent-skills"],
|
|
44
|
+
"argumentPolicy": {
|
|
45
|
+
"strategy": "exact",
|
|
46
|
+
"allowedPatterns": ["node scripts/render-deployment-preflight.mjs <project-root>; coding-agent-skills deployment-preflight <project-root>"],
|
|
47
|
+
"deniedPatterns": ["deployments, provider APIs, package installs, builds, tests, runtime checks, migrations, service mutation, and secret-file reads"]
|
|
48
|
+
},
|
|
49
|
+
"constraints": [
|
|
50
|
+
"The renderer must remain static and read-only.",
|
|
51
|
+
"Do not run provider CLIs, deploy, build, test, or inspect secrets."
|
|
52
|
+
]
|
|
53
|
+
}
|
|
54
|
+
],
|
|
55
|
+
"restrictedCategories": [
|
|
56
|
+
"file-write",
|
|
57
|
+
"package-install",
|
|
58
|
+
"deployment",
|
|
59
|
+
"git-mutation",
|
|
60
|
+
"unrestricted-scan",
|
|
61
|
+
"secret-read",
|
|
62
|
+
"process-mutation",
|
|
63
|
+
"service-mutation",
|
|
64
|
+
"migration-apply",
|
|
65
|
+
"privileged-api"
|
|
66
|
+
],
|
|
67
|
+
"approvalExceptions": [
|
|
68
|
+
"A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
|
|
69
|
+
]
|
|
70
|
+
}
|
|
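Review bot: In `bounded-deployment-preflight-inspection`, the `argumentPolicy` uses `"strategy": "pattern"`, but `allowedPatterns` and `deniedPatterns` hold prose descriptions, not matchable patterns, so nothing in this file mechanically constrains the arguments passed to the allowlisted executables. That matters most for `find` and `sed`, which can delete, execute, or write in place (`-exec`, `-delete`, `-i`) and would then conflict with the `file-write` restricted category. Either list concrete denied arguments or drop `find` and `sed` from the audit-only family in favour of `rg`, `ls`, and `head`. The same applies to the two `"strategy": "exact"` families: `rev-parse and status --short --branch` and the semicolon-joined renderer string are descriptions, not exact command lines, and should be split into one entry per permitted invocation.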
@@ -0,0 +1,60 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "deployment-preflight", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-deployment-preflight",
|
|
6
|
+
"startedAt": "2026-07-03T12:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-03T12:01:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "clean"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Map static deployment readiness evidence before deployment planning.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "example-deployment-preflight-adapter",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "medium",
|
|
22
|
+
"reason": "Static deployment evidence was inspected, but provider credentials and deployed state were not verified."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills deployment-preflight /workspace/example-project",
|
|
27
|
+
"family": "deployment-preflight-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-03T12:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-03T12:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render a static deployment preflight report.",
|
|
36
|
+
"outputSummary": "Reported static deployment config files, docs, platform indicators, risk indicators, skipped items, and not-verified provider areas."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [],
|
|
40
|
+
"findings": [
|
|
41
|
+
{
|
|
42
|
+
"summary": "Static deployment evidence was mapped without deployment behavior.",
|
|
43
|
+
"evidence": ["wrangler.toml", "docs/deployment.md"]
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
"risks": [
|
|
47
|
+
{
|
|
48
|
+
"summary": "Provider and deployed service state may differ from static repository evidence.",
|
|
49
|
+
"evidence": ["provider APIs were not called", "runtime health checks were not performed"]
|
|
50
|
+
}
|
|
51
|
+
],
|
|
52
|
+
"failures": [],
|
|
53
|
+
"unresolvedQuestions": [],
|
|
54
|
+
"changedState": {
|
|
55
|
+
"changed": false,
|
|
56
|
+
"summary": "No project, Git, dependency, runtime, service, database, cloud provider, remote, deployment, or generated-output state changed."
|
|
57
|
+
},
|
|
58
|
+
"handoffSummary": "Static deployment evidence is mapped; deployment execution and provider state remain unverified.",
|
|
59
|
+
"recommendedNextAction": "Review reported deployment surfaces before separately approving any platform-specific deployment work."
|
|
60
|
+
}
|
|
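Review bot: The example reports `"status": "complete"` with `"skippedChecks": []`, yet its own `risks` evidence says `provider APIs were not called` and `runtime health checks were not performed`. The usage docs tell readers to check skipped checks before relying on a completion claim, so a consumer keying on `skippedChecks` would see nothing outstanding. Record the not-verified provider and runtime areas in `skippedChecks`, or document in the contract that not-verified areas are carried under `risks` only.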
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "deployment-preflight",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/deployment-preflight.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/deployment-preflight/adapter-interface.md",
|
|
13
|
+
"description": "Map static deployment readiness evidence without deployment behavior."
|
|
14
|
+
}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
# Deployment Preflight Workflow
|
|
2
|
+
|
|
3
|
+
```bash
|
|
4
|
+
coding-agent-skills deployment-preflight /workspace/project
|
|
5
|
+
```
|
|
6
|
+
|
|
7
|
+
Use the output as static deployment orientation only. It does not deploy, call provider APIs,
|
|
8
|
+
install packages, run builds, run tests, start services, run migrations, or read secrets.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "coding-agent-skills",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.15",
|
|
4
4
|
"description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"private": false,
|
|
@@ -15,6 +15,7 @@
|
|
|
15
15
|
"api-contract-audit",
|
|
16
16
|
"migration-review",
|
|
17
17
|
"github-handoff",
|
|
18
|
+
"deployment-preflight",
|
|
18
19
|
"project-adapters",
|
|
19
20
|
"code-validation",
|
|
20
21
|
"cli"
|
package/runs/skill-runs.md
CHANGED
|
@@ -258,6 +258,25 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
|
|
|
258
258
|
- Safety boundary: read-only local Git metadata only, no `.env` reads, no token reads, no
|
|
259
259
|
remote URL printing, no commits, no pushes, no tags, no pull request creation, no GitHub
|
|
260
260
|
API calls, and no target-project mutation.
|
|
261
|
+
- Validation commands: full source validation, package dry-run, tarball smoke, registry
|
|
262
|
+
install smoke, npm exec, and GitHub Release verification.
|
|
263
|
+
- Result: passed; `v0.2.14` was committed, pushed, tagged, published to npm, smoke-tested
|
|
264
|
+
from the registry, and released on GitHub.
|
|
265
|
+
- Commit/tag/push status: complete.
|
|
266
|
+
|
|
267
|
+
## implementation-v0.2.15-deployment-preflight
|
|
268
|
+
|
|
269
|
+
- Run ID: `implementation-v0.2.15-deployment-preflight`
|
|
270
|
+
- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
|
|
271
|
+
- Command used: `builder-mode approval for deployment-preflight-skill implementation and release`
|
|
272
|
+
- Files changed: `deployment-preflight` skill, deployment preflight renderer and library,
|
|
273
|
+
CLI wrapper, adapter schemas, pack rules, release tests, synthetic deployment fixtures,
|
|
274
|
+
usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package
|
|
275
|
+
metadata.
|
|
276
|
+
- Safety boundary: read-only static deployment evidence only, no `.env` reads, no provider
|
|
277
|
+
API calls, no provider CLI execution, no package installs, no builds, no tests, no
|
|
278
|
+
runtime checks, no service mutation, no deployments, no migrations, and no target-project
|
|
279
|
+
mutation.
|
|
261
280
|
- Validation commands: pending final release validation matrix.
|
|
262
281
|
- Result: pass pending final publication evidence.
|
|
263
282
|
- Commit/tag/push status: pending approved release workflow.
|
|
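Review bot: The new `Repository:` line records an absolute home-directory path, `/home/oneclickwebsitedesignfactory/coding-agent-skills`, in a file that ships in the published package. That exposes a local account name and filesystem layout with no benefit to readers. Use a repository-relative value or a placeholder. Separately, the new `implementation-v0.2.15-deployment-preflight` entry is published with `Validation commands: pending final release validation matrix` and `Result: pass pending final publication evidence`, so the released log does not show that validation ran for this version.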
@@ -71,6 +71,7 @@
|
|
|
71
71
|
"api-contract-audit",
|
|
72
72
|
"migration-review",
|
|
73
73
|
"github-handoff",
|
|
74
|
+
"deployment-preflight",
|
|
74
75
|
"build-verify",
|
|
75
76
|
"git-preflight",
|
|
76
77
|
"runtime-truth",
|
|
@@ -109,6 +110,7 @@
|
|
|
109
110
|
"api-contract-audit",
|
|
110
111
|
"migration-review",
|
|
111
112
|
"github-handoff",
|
|
113
|
+
"deployment-preflight",
|
|
112
114
|
"build-verify",
|
|
113
115
|
"git-preflight",
|
|
114
116
|
"runtime-truth",
|
|
@@ -95,6 +95,7 @@
|
|
|
95
95
|
"api-contract-audit",
|
|
96
96
|
"migration-review",
|
|
97
97
|
"github-handoff",
|
|
98
|
+
"deployment-preflight",
|
|
98
99
|
"build-verify",
|
|
99
100
|
"git-preflight",
|
|
100
101
|
"runtime-truth",
|
|
@@ -177,6 +178,7 @@
|
|
|
177
178
|
"api-contract-audit",
|
|
178
179
|
"migration-review",
|
|
179
180
|
"github-handoff",
|
|
181
|
+
"deployment-preflight",
|
|
180
182
|
"build-verify",
|
|
181
183
|
"git-preflight",
|
|
182
184
|
"runtime-truth",
|