coding-agent-skills 0.2.8 → 0.2.10

Files changed (78)
  1. package/CHANGELOG.md +38 -0
  2. package/README.md +6 -0
  3. package/ROADMAP.md +21 -15
  4. package/bin/coding-agent-skills +15 -1
  5. package/docs/adapters/README.md +34 -0
  6. package/docs/adapters/project-installation.md +25 -1
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +5 -1
  9. package/docs/release/README.md +11 -8
  10. package/docs/release/npm-package.md +10 -4
  11. package/docs/safety/README.md +9 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +23 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/command-policies/route-trace.json +72 -0
  16. package/examples/evidence-packs/env-audit.json +55 -0
  17. package/examples/evidence-packs/route-trace.json +55 -0
  18. package/examples/manifests/env-audit.json +14 -0
  19. package/examples/manifests/route-trace.json +14 -0
  20. package/examples/workflows/env-audit.md +16 -0
  21. package/examples/workflows/route-trace.md +20 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +37 -0
  24. package/schemas/project-adapter-installation.schema.json +7 -3
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/env-audit.mjs +640 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/route-trace.mjs +785 -0
  29. package/scripts/render-env-audit.mjs +8 -0
  30. package/scripts/render-route-trace.mjs +8 -0
  31. package/scripts/test-pack.mjs +159 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/env-audit/SKILL.md +58 -0
  34. package/skills/env-audit/adapter-interface.md +12 -0
  35. package/skills/env-audit/agents/openai.yaml +4 -0
  36. package/skills/env-audit/checklist.md +7 -0
  37. package/skills/env-audit/evidence-template.md +17 -0
  38. package/skills/env-audit/examples.md +28 -0
  39. package/skills/env-audit/failure-modes.md +5 -0
  40. package/skills/route-trace/SKILL.md +58 -0
  41. package/skills/route-trace/adapter-interface.md +20 -0
  42. package/skills/route-trace/agents/openai.yaml +4 -0
  43. package/skills/route-trace/checklist.md +11 -0
  44. package/skills/route-trace/evidence-template.md +18 -0
  45. package/skills/route-trace/examples.md +32 -0
  46. package/skills/route-trace/failure-modes.md +9 -0
  47. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  48. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  52. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  53. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  54. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  55. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  57. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  58. package/tests/fixtures/route-trace/adapter-project/.coding-agent/adapters/route-trace-fixture/adapter.json +59 -0
  59. package/tests/fixtures/route-trace/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/route-trace/adapter-project/README.md +3 -0
  61. package/tests/fixtures/route-trace/adapter-project/app/api/items/route.ts +3 -0
  62. package/tests/fixtures/route-trace/adapter-project/package.json +5 -0
  63. package/tests/fixtures/route-trace/adapter-project/pages/index.tsx +3 -0
  64. package/tests/fixtures/route-trace/adapter-project/src/routes.ts +3 -0
  65. package/tests/fixtures/route-trace/static-project/.env.example +1 -0
  66. package/tests/fixtures/route-trace/static-project/README.md +3 -0
  67. package/tests/fixtures/route-trace/static-project/app/api/users/route.ts +3 -0
  68. package/tests/fixtures/route-trace/static-project/app/blog/[slug]/page.tsx +3 -0
  69. package/tests/fixtures/route-trace/static-project/app/page.tsx +3 -0
  70. package/tests/fixtures/route-trace/static-project/package.json +5 -0
  71. package/tests/fixtures/route-trace/static-project/pages/about.tsx +3 -0
  72. package/tests/fixtures/route-trace/static-project/pages/api/hello.ts +3 -0
  73. package/tests/fixtures/route-trace/static-project/server/routes.ts +4 -0
  74. package/tests/fixtures/route-trace/static-project/src/route-config.ts +4 -0
  75. package/tests/fixtures/route-trace/static-project/src/router.tsx +10 -0
  76. package/tests/fixtures/triggers/cases.json +25 -1
  77. package/tests/trigger/README.md +3 -0
  78. package/work-ledger.md +35 -10
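--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,44 @@
 
 All notable changes follow [Semantic Versioning](docs/versioning/README.md).
 
+## [0.2.10] - 2026-07-03
+
+### Added
+
+- `env-audit` audit-only skill for static environment variable name mapping without values.
+- `coding-agent-skills env-audit <project-root>` CLI command.
+- Dependency-free env audit renderer for variable names, classifications, sample files,
+skipped secret-bearing paths, not-verified runtime stores, adapter-limited scope, and
+safety refusals.
+- Synthetic env-audit fixtures and release tests for generic static scans, adapter-scoped
+scans, `.env` exclusion, `.env.example` inspection, and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `env-audit` as an audit-only skill while
+preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Builder-mode approval for completing the remaining read-only skill wave is recorded in
+the roadmap, ledger, and run log.
+
+## [0.2.9] - 2026-07-03
+
+### Added
+
+- `route-trace` audit-only skill for static route surface tracing.
+- `coding-agent-skills route-trace <project-root>` CLI command.
+- Dependency-free route trace renderer for verified route files, inferred route patterns,
+skipped paths, not-verified runtime route classes, adapter-limited scope, and safety
+refusals.
+- Synthetic route-trace fixtures and release tests for generic static scans, adapter-scoped
+scans, and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `route-trace` as an audit-only skill while
+preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Package metadata, usage docs, release docs, roadmap, ledger, and run log now describe the
+new read-only route-trace command.
+
 ## [0.2.8] - 2026-06-19
 
 ### Added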
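--- a/package/README.md
+++ b/package/README.md
@@ -6,6 +6,8 @@ The pilot pack contains:
 
 - Shared evidence-pack contract.
 - `repo-map`: audit-only repository orientation.
+- `route-trace`: audit-only static route surface tracing.
+- `env-audit`: audit-only environment variable name mapping without values.
 - `build-verify`: controlled local validation using existing project commands.
 - `git-preflight`: audit-only Git readiness inspection.
 - `runtime-truth`: audit-only runtime evidence collection.
@@ -38,6 +40,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Run `coding-agent-skills validate-pack` to validate the installed pack.
 - Run `npx coding-agent-skills validate-pack` when a one-off npm execution is preferred.
 - From a clone, the same wrapper is available as `bin/coding-agent-skills validate-pack`.
+- Trace static route surfaces with `coding-agent-skills route-trace <project-root>`.
+- Map environment variable names with `coding-agent-skills env-audit <project-root>`.
 - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
 - Review [external adapter discovery](docs/adapters/discovery.md).
 - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -45,6 +49,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Run `node scripts/validate-project-adapters.mjs <project-root>` for a declared project root.
 - Render adapter-aware `repo-map` orientation with
 `node scripts/render-adapter-repo-map.mjs <project-root>`.
+- Render a static route-trace report with
+`node scripts/render-route-trace.mjs <project-root>`.
 - Review [adapter upgrade checks](docs/adapters/upgrades.md).
 - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
 for disposable project revisions.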
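--- a/package/ROADMAP.md
+++ b/package/ROADMAP.md
@@ -1,6 +1,8 @@
 # Roadmap
 
-The pilot release remains limited to five approved skills. Future work requires separate design and approval.
+The public package now contains seven approved shared skills. Builder-mode approval is
+active for the remaining read-only skill wave in this repository; real-world project
+execution constraints remain unchanged.
 
 ## Released Harness Milestones
 
@@ -26,15 +28,18 @@ The pilot release remains limited to five approved skills. Future work requires
 - `v0.2.7`: package-installed `validate-pack` support for tarball/global installs.
 - `v0.2.8`: first public npm release with MIT license, public metadata, and registry
 install smoke coverage.
+- `v0.2.9`: audit-only `route-trace` skill and CLI renderer for static route surface
+tracing.
+- `v0.2.10`: audit-only `env-audit` skill and CLI renderer for value-free environment
+variable name mapping.
 
 The next milestone is recorded in [work-ledger.md](work-ledger.md). The
 [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
 before implementation until the relevant human approval is granted.
 
-No evidence-harness milestone is queued after `v0.2.3`. Additional real project adapters,
-new skills, platform work, deployment/preflight work, and signing infrastructure remain
-separately gated. The public npm package exposes the existing read-only CLI surface; it
-does not approve new skills or target-project mutation.
+No evidence-harness milestone is queued after `v0.2.3`. Builder-mode approval permits the
+listed read-only skill wave inside this repository. Real project adapters, target-project
+mutation, signing infrastructure, and action-capable platform work remain separately gated.
 
 ## Planning Gates
 
@@ -67,21 +72,22 @@ Next safe milestone options:
 
 | Candidate | Scope | Mode | Current gate |
 |---|---|---|---|
-| `route-trace-skill` | General | Audit-only | Needs design review |
-| `env-audit-skill` | General | Audit-only | Needs more evidence |
-| `secret-audit-skill` | General | Audit-only | Blocked on privacy and approval model |
-| `deployment-preflight-skill` | General | Audit-only | Needs design review |
-| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Needs more evidence |
+| `route-trace-skill` | General | Audit-only | Implemented in `v0.2.9` |
+| `env-audit-skill` | General | Audit-only | Implemented in `v0.2.10` |
+| `secret-audit-skill` | General | Audit-only | Builder-mode approved; queued after `env-audit` |
+| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
+| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
 | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
-| `supabase-rls-audit-skill` | Platform-specific | Audit-only | Needs more evidence |
-| `migration-review-skill` | General with platform adapters | Audit-only | Needs design review |
-| `api-contract-audit-skill` | General | Audit-only | Needs design review |
+| `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
+| `migration-review-skill` | General with platform adapters | Audit-only | Builder-mode approved; later in wave |
+| `api-contract-audit-skill` | General | Audit-only | Builder-mode approved; later in wave |
 | `repo-knowledge-sync-skill` | General | Action-capable | Blocked on write approval model |
 | `security-hardening-review-skill` | General coordinator | Audit-only | Needs more evidence |
 | `worker-queue-debug-skill` | General core with project adapters | Audit-only first | Needs more evidence |
 | `devvit-ingest-debug-skill` | Project-specific | Audit-only | Needs project evidence |
-| `github-handoff-skill` | Platform-specific | Action-capable | Blocked on approval model |
+| `github-handoff-skill` | General | Audit-only | Builder-mode approved; later in wave |
 | `session-extractor-skill` | General tooling | Action-capable | Blocked on privacy policy and more evidence |
 | `command-redaction-skill` | General tooling | Action-capable | Needs more evidence |
 
-No roadmap item is implicitly approved for implementation.
+Builder-mode approval applies only to the named read-only wave. No other roadmap item is
+implicitly approved for implementation.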
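--- a/package/bin/coding-agent-skills
+++ b/package/bin/coding-agent-skills
@@ -23,6 +23,18 @@ const commands = {
 usage: "coding-agent-skills repo-map <project-root>",
 requiredArgs: 1,
 },
+"route-trace": {
+script: "scripts/render-route-trace.mjs",
+args: ([projectRoot]) => [projectRoot],
+usage: "coding-agent-skills route-trace <project-root>",
+requiredArgs: 1,
+},
+"env-audit": {
+script: "scripts/render-env-audit.mjs",
+args: ([projectRoot]) => [projectRoot],
+usage: "coding-agent-skills env-audit <project-root>",
+requiredArgs: 1,
+},
 "validate-adapters": {
 script: "scripts/validate-adapters.mjs",
 args: ([adapterRoot]) => [adapterRoot],
@@ -39,9 +51,11 @@ function usage(exitCode = 0) {
 " validate-pack",
 " validate-project <project-root>",
 " repo-map <project-root>",
+" route-trace <project-root>",
+" env-audit <project-root>",
 " validate-adapters <adapter-root>",
 "",
-"local-only wrapper; no npm package or global install is implied",
+"local wrapper for the published coding-agent-skills package",
 ];
 const stream = exitCode === 0 ? process.stdout : process.stderr;
 stream.write(`${lines.join("\n")}\n`);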
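Review bot: The new `route-trace` and `env-audit` entries in `commands` are copies of the `repo-map` entry with only the name and script changed, and the `usage()` hunk then repeats each command's `<project-root>` usage a second time as a hand-written string, so the two lists can drift when the next command is added. A small helper such as `const projectRootCommand = (name, script) => ({ script, args: ([projectRoot]) => [projectRoot], usage: "coding-agent-skills " + name + " <project-root>", requiredArgs: 1 })` would collapse the three identical entries, and the usage lines could be derived from each entry's `usage` field instead of being maintained in parallel. Both the `commands` object and `usage()` start and end outside the hunk, so the surrounding structure is inferred rather than visible.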
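--- a/package/docs/adapters/README.md
+++ b/package/docs/adapters/README.md
@@ -38,11 +38,45 @@ builds, install packages, perform runtime checks, deploy, migrate, or read `.env
 This is agent context for safer repository understanding. It is not target-application
 product behavior.
 
+## Adapter-Aware Route Trace Consumption
+
+The shared pack can consume a validated project-owned adapter as bounded context for
+`route-trace`:
+
+```bash
+node scripts/render-route-trace.mjs <project-root>
+```
+
+The renderer validates the project declaration when present. If an adapter is present but
+does not enable `route-trace`, it reports an adapter-limited skip instead of broadening
+scope. When enabled, it reads only adapter-declared safe paths, applies ignored paths, and
+statically reports verified route files, inferred route patterns, skipped items, and
+not-verified runtime-dependent routing classes. It does not execute target code, run
+servers, hit URLs, build, test, deploy, migrate, inspect databases, or read `.env` files.
+
+## Adapter-Aware Env Audit Consumption
+
+The shared pack can consume a validated project-owned adapter as bounded context for
+`env-audit`:
+
+```bash
+node scripts/render-env-audit.mjs <project-root>
+```
+
+The renderer validates the project declaration when present. If an adapter is present but
+does not enable `env-audit`, it reports an adapter-limited skip instead of broadening
+scope. When enabled, it reads only adapter-declared safe paths, excludes `.env` and
+secret-bearing files, and reports variable names, classifications, sample files inspected,
+skipped items, and not-verified runtime or credential stores. It never prints values or
+validates credentials.
+
 ## What Adapters May Do
 
 - Add bounded relative read paths and ignored paths.
 - Declare project-root markers and a bounded detection depth.
 - Add documentation precedence and package-manager hints.
+- Add route-trace safe read paths for static route files and route config.
+- Add env-audit safe read paths for static source, docs, sample, and config files.
 - Add command aliases that already satisfy the shared command policy.
 - Add status-only runtime commands and manager hints.
 - Require additional evidence or named approval for exceptional reads.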
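--- a/package/docs/adapters/project-installation.md
+++ b/package/docs/adapters/project-installation.md
@@ -85,7 +85,7 @@ The dependency-free validator:
 Exit `0` means the project declaration and all installed adapters are compatible. Exit `1`
 means validation failed. Exit `2` means the project-root argument is missing.
 
-## Repo-Map Consumption
+## Adapter-Aware Consumption
 
 After validation passes, a project-owned adapter can be consumed as read-only `repo-map`
 context:
@@ -109,6 +109,30 @@ The renderer is metadata-only. It does not read target project file contents, ru
 project tests, run builds, install packages, perform runtime checks, deploy, migrate, read
 `.env` files, or modify project state.
 
+A project-owned adapter can also enable read-only `route-trace` context:
+
+```bash
+node scripts/render-route-trace.mjs <project-root>
+```
+
+The route-trace renderer validates the project declaration when present. If the adapter is
+present but does not enable `route-trace`, it reports an adapter-limited skip. When enabled,
+it reads only adapter-declared safe paths and reports verified route files, inferred route
+patterns, skipped paths, and not-verified runtime-dependent route classes. It does not run
+servers, hit URLs, execute app code, build, test, deploy, migrate, inspect databases, read
+`.env` files, or modify project state.
+
+A project-owned adapter can also enable read-only `env-audit` context:
+
+```bash
+node scripts/render-env-audit.mjs <project-root>
+```
+
+The env-audit renderer validates the project declaration when present. If the adapter is
+present but does not enable `env-audit`, it reports an adapter-limited skip. When enabled,
+it reads only adapter-declared safe paths, refuses `.env` and secret-bearing files, and
+reports environment variable names without values.
+
 ## Safety Boundary
 
 Project adapters are extension-only. They cannot remove denied operations, change an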
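--- a/package/docs/adapters/real-project-adoption.md
+++ b/package/docs/adapters/real-project-adoption.md
@@ -20,8 +20,9 @@ project repository is touched:
 `.coding-agent/adapters/`, `coding-agent/adapters/`, or `adapters/coding-agent/`.
 - The project can declare exactly one installation file: `.coding-agent/skills.json` or
 `coding-agent.skills.json`.
-- The adapter need is bounded to existing pilot skills: `repo-map`, `build-verify`,
-`git-preflight`, `runtime-truth`, or `llm-drift-control`.
+- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
+`env-audit`, `build-verify`, `git-preflight`, `runtime-truth`, or
+`llm-drift-control`.
 - The adapter can narrow context with relative paths, documentation precedence, safe
 aliases, status-only hints, or extra evidence requirements.
 - The adapter does not require deployment, migration, package installation, Git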
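--- a/package/docs/architecture/README.md
+++ b/package/docs/architecture/README.md
@@ -12,6 +12,8 @@ Skills consume the evidence-pack contract but do not depend on hidden state. Aud
 Audit-only:
 
 - `repo-map`
+- `route-trace`
+- `env-audit`
 - `git-preflight`
 - `runtime-truth`
 - `llm-drift-control`
@@ -20,4 +22,6 @@ Controlled local validation:
 
 - `build-verify`
 
-The evidence pack is a shared output contract, not an executable skill. Route tracing, environment and secret audits, deployment preflight, GitHub handoff, provider operations, and project adapters remain separate future work.
+The evidence pack is a shared output contract, not an executable skill. Environment and
+secret audits, deployment preflight, GitHub handoff, provider operations, and additional
+project adapters remain separate future work.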
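--- a/package/docs/release/README.md
+++ b/package/docs/release/README.md
@@ -19,14 +19,17 @@
 13. Inspect tarball contents for local-only files, credentials, `.env` files, dependency
 folders, generated output, and unrelated repositories.
 14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
-15. Review changelog, ledger, run evidence, and versioning impact.
-16. Commit with approved identity.
-17. Push `main` using credential-free remotes.
-18. Confirm a clean synchronized worktree.
-19. Create and push the annotated version tag.
-20. Publish with `npm publish --access public --registry=https://registry.npmjs.org/`.
-21. Install the published package into a temporary prefix and smoke-test the installed CLI.
-22. Create the GitHub Release for the pushed tag.
+15. Smoke-test any new CLI command such as `coding-agent-skills route-trace` or
+`coding-agent-skills env-audit` against synthetic fixtures only unless a real project
+read-only smoke is explicitly approved.
+16. Review changelog, ledger, run evidence, and versioning impact.
+17. Commit with approved identity.
+18. Push `main` using credential-free remotes.
+19. Confirm a clean synchronized worktree.
+20. Create and push the annotated version tag.
+21. Publish with `npm publish --access public --registry=https://registry.npmjs.org/`.
+22. Install the published package into a temporary prefix and smoke-test the installed CLI.
+23. Create the GitHub Release for the pushed tag.
 
 Deployments, migrations, runtime mutation, platform actions, and target-project builds or
 tests remain outside this release process unless separately approved.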
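--- a/package/docs/release/npm-package.md
+++ b/package/docs/release/npm-package.md
@@ -7,7 +7,7 @@ safety model.
 ## Current Package Shape
 
 - Package name: `coding-agent-skills`.
-- Package version: `0.2.8`.
+- Package version: `0.2.10`.
 - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
 - Module type: `module`.
 - Dependencies: none.
@@ -27,6 +27,8 @@ The supported installed commands are:
 coding-agent-skills validate-pack
 coding-agent-skills validate-project /path/to/project
 coding-agent-skills repo-map /path/to/project
+coding-agent-skills route-trace /path/to/project
+coding-agent-skills env-audit /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -37,7 +39,10 @@ npx coding-agent-skills validate-pack
 ```
 
 Adapter compatibility remains controlled by the existing shared core and
-project-adapter validators.
+project-adapter validators. `route-trace` is static and audit-only; it reports route
+files and route declarations without executing the target project. `env-audit` is static
+and audit-only; it reports environment variable names without reading `.env` files or
+printing values.
 
 `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
 source-only checks such as `.gitignore` validation. In an installed package tree, where
@@ -71,13 +76,14 @@ included.
 ## Safety Boundaries
 
 The public CLI remains read-only for target projects unless a specific underlying skill
-already permits a bounded local validation action. The installed `repo-map` and adapter
-flows do not:
+already permits a bounded local validation action. The installed `repo-map`,
+`route-trace`, and adapter flows do not:
 
 - deploy
 - run migrations
 - mutate runtime services or processes
 - read `.env` or secret files
+- execute target project application code
 - run target project builds or tests
 - grant adapters additional power
 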
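--- a/package/docs/safety/README.md
+++ b/package/docs/safety/README.md
@@ -2,7 +2,15 @@
 
 ## Audit-Only Rule
 
-`repo-map`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
+`repo-map`, `route-trace`, `env-audit`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
+
+`route-trace` is static only. It may read bounded non-secret route files and route
+configuration, but it must not execute app code, run servers, hit URLs, claim runtime
+truth, or broaden adapter scope when a project adapter is present.
+
+`env-audit` is value-free. It may read bounded non-secret source, docs, sample, and config
+files, including `.env.example`, but must not read `.env`, print values, validate
+credentials, contact APIs, or inspect secret stores.
 
 `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
 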
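--- a/package/docs/testing/README.md
+++ b/package/docs/testing/README.md
@@ -29,6 +29,21 @@ This is intentionally conservative and is not a complete POSIX parser. Unknown e
 
 Audit-only Markdown is scanned for restricted commands presented as procedures. Commands in explicitly denied or negative contexts remain documentation. Synthetic snapshot targets are hashed before and after checks.
 
+## Route Trace
+
+Synthetic route-trace projects cover generic bounded static scanning, adapter-declared
+scope, verified Next.js route files, inferred React Router and Express-style declarations,
+skipped paths, not-verified runtime route classes, and repo-map-only adapter skips.
+Route-trace tests must never run a target project, hit URLs, build, test, deploy, migrate,
+or read `.env` files.
+
+## Env Audit
+
+Synthetic env-audit projects cover value-free variable-name detection, `.env` exclusion,
+`.env.example` inspection, adapter-declared scope, and adapter-present-but-not-enabled
+behavior. Env-audit tests must never print values, validate credentials, contact APIs,
+run target projects, build, test, deploy, migrate, or read `.env` files.
+
 ## Privacy And Redaction
 
 Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.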
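--- a/package/docs/usage/README.md
+++ b/package/docs/usage/README.md
@@ -5,6 +5,8 @@ Select the least-privileged skill that matches the request:
 | Need | Skill |
 |---|---|
 | Understand repository identity and structure | `repo-map` |
+| Trace statically visible route surfaces | `route-trace` |
+| Map environment variable names without values | `env-audit` |
 | Run existing local validation checks | `build-verify` |
 | Assess Git handoff readiness | `git-preflight` |
 | Determine what is actually running | `runtime-truth` |
@@ -13,11 +15,14 @@ Select the least-privileged skill that matches the request:
 ## Typical Flow
 
 1. Use `repo-map` when repository identity or boundaries are not established.
-2. Perform implementation outside this pilot pack.
-3. Use `build-verify` for approved project-native checks.
-4. Use `git-preflight` before handoff or publication.
-5. Use `runtime-truth` only when live local state matters.
-6. Use `llm-drift-control` when claims and evidence may disagree.
+2. Use `route-trace` when route files or declarations must be mapped from static files.
+3. Use `env-audit` when environment variable names or sample config references must be
+mapped without reading values.
+4. Perform implementation outside this pilot pack.
+5. Use `build-verify` for approved project-native checks.
+6. Use `git-preflight` before handoff or publication.
+7. Use `runtime-truth` only when live local state matters.
+8. Use `llm-drift-control` when claims and evidence may disagree.
 
 Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
 
@@ -48,6 +53,8 @@ Run supported commands:
 coding-agent-skills validate-pack
 coding-agent-skills validate-project /path/to/project
 coding-agent-skills repo-map /path/to/project
+coding-agent-skills route-trace /path/to/project
+coding-agent-skills env-audit /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -60,6 +67,13 @@ npx coding-agent-skills validate-pack
 These commands wrap the same validated scripts shipped in the repository. `repo-map`
 validates the project adapter first, then renders adapter-declared documentation
 precedence, safe read paths, ignored paths, and required evidence.
+`route-trace` validates a project adapter when present, uses adapter-declared safe paths
+when enabled, and statically reports verified route files, inferred route declarations,
+skipped items, and not-verified runtime-dependent route classes.
+`env-audit` validates a project adapter when present, uses adapter-declared safe paths
+when enabled, and statically reports environment variable names, classifications, sample
+files inspected, skipped secret-bearing paths, and not-verified runtime or credential
+stores without printing values.
 
 The installed CLI does not run target project builds or tests, perform runtime checks,
 deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
@@ -73,6 +87,8 @@ From the shared skill repository root, the same wrapper can be used directly:
 bin/coding-agent-skills validate-pack
 bin/coding-agent-skills validate-project /path/to/project
 bin/coding-agent-skills repo-map /path/to/project
+bin/coding-agent-skills route-trace /path/to/project
+bin/coding-agent-skills env-audit /path/to/project
 bin/coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 
@@ -83,6 +99,8 @@ also be invoked as:
 coding-agent-skills validate-pack
 coding-agent-skills validate-project /path/to/project
 coding-agent-skills repo-map /path/to/project
+coding-agent-skills route-trace /path/to/project
+coding-agent-skills env-audit /path/to/project
 coding-agent-skills validate-adapters /path/to/adapter-root
 ```
 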
@@ -0,0 +1,73 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-env-name-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static env-name inspection"],
23
+ "deniedPatterns": ["secret files, values, absolute home paths, app execution, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths.",
29
+ "Report variable names only, never values."
30
+ ]
31
+ },
32
+ {
33
+ "name": "git-identity-inspection",
34
+ "executables": ["git"],
35
+ "argumentPolicy": {
36
+ "strategy": "exact",
37
+ "allowedPatterns": ["rev-parse and status --short --branch"],
38
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
39
+ },
40
+ "constraints": [
41
+ "Allow only read-only repository identity and branch-state inspection."
42
+ ]
43
+ },
44
+ {
45
+ "name": "env-audit-renderer",
46
+ "executables": ["node", "coding-agent-skills"],
47
+ "argumentPolicy": {
48
+ "strategy": "exact",
49
+ "allowedPatterns": ["node scripts/render-env-audit.mjs <project-root>; coding-agent-skills env-audit <project-root>"],
50
+ "deniedPatterns": [".env reads, value printing, credential validation, API calls, builds, tests, deployment, migration, and package installation"]
51
+ },
52
+ "constraints": [
53
+ "The renderer must remain static and read-only.",
54
+ "Do not treat renderer output as credential presence or validity evidence."
55
+ ]
56
+ }
57
+ ],
58
+ "restrictedCategories": [
59
+ "file-write",
60
+ "package-install",
61
+ "deployment",
62
+ "git-mutation",
63
+ "unrestricted-scan",
64
+ "secret-read",
65
+ "process-mutation",
66
+ "service-mutation",
67
+ "migration-apply",
68
+ "privileged-api"
69
+ ],
70
+ "approvalExceptions": [
71
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
72
+ ]
73
+ }
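Review bot: The `bounded-env-name-inspection` family allowlists `sed` and `find`, but its `deniedPatterns` entry names only secret files, values, home paths, app execution and unbounded traversal, so the mutating and executing forms of those two tools (`sed -i`/`--in-place`, `find -exec`/`-execdir`/`-ok`/`-delete`) are excluded by nothing in this file, and `rejectRedirection` does not cover an in-place edit. Naming them explicitly, e.g. `"deniedPatterns": ["secret files, values, absolute home paths, app execution, and unbounded traversal", "sed -i/--in-place and find -exec/-execdir/-ok/-delete"]`, keeps the family as read-only as `allowedComposition` and `mode` claim. Separately, the `allowedPatterns` arrays under both `"strategy": "pattern"` and `"strategy": "exact"` hold prose (`"rev-parse and status --short --branch"`, two commands joined by `;` with a `<project-root>` placeholder) that no exact or pattern matcher can apply; if a consumer enforces these strings they should be one concrete command or pattern per entry, and if they are documentation only, a separate key such as `"description"` (where the policy schema permits it) would stop readers from mistaking them for an enforced allowlist. The same two points apply to the `bounded-route-inspection` family and the `exact` entries of the route-trace policy in the next hunk.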
@@ -0,0 +1,72 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "audit-only",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "bounded-route-inspection",
19
+ "executables": ["pwd", "ls", "rg", "find", "sed", "head"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["bounded repository-local static route inspection"],
23
+ "deniedPatterns": ["absolute home paths, secret files, app execution, and unbounded traversal"]
24
+ },
25
+ "constraints": [
26
+ "Remain inside the declared project scope.",
27
+ "Bound traversal depth and output.",
28
+ "Exclude secret-bearing, generated, dependency, build, and runtime-output paths."
29
+ ]
30
+ },
31
+ {
32
+ "name": "git-identity-inspection",
33
+ "executables": ["git"],
34
+ "argumentPolicy": {
35
+ "strategy": "exact",
36
+ "allowedPatterns": ["rev-parse and status --short --branch"],
37
+ "deniedPatterns": ["all Git mutation and publication subcommands"]
38
+ },
39
+ "constraints": [
40
+ "Allow only read-only repository identity and branch-state inspection."
41
+ ]
42
+ },
43
+ {
44
+ "name": "route-trace-renderer",
45
+ "executables": ["node", "coding-agent-skills"],
46
+ "argumentPolicy": {
47
+ "strategy": "exact",
48
+ "allowedPatterns": ["node scripts/render-route-trace.mjs <project-root>; coding-agent-skills route-trace <project-root>"],
49
+ "deniedPatterns": ["builds, tests, dev servers, URL probing, app execution, deployment, migration, and package installation"]
50
+ },
51
+ "constraints": [
52
+ "The renderer must remain static and read-only.",
53
+ "Do not treat renderer output as runtime availability evidence."
54
+ ]
55
+ }
56
+ ],
57
+ "restrictedCategories": [
58
+ "file-write",
59
+ "package-install",
60
+ "deployment",
61
+ "git-mutation",
62
+ "unrestricted-scan",
63
+ "secret-read",
64
+ "process-mutation",
65
+ "service-mutation",
66
+ "migration-apply",
67
+ "privileged-api"
68
+ ],
69
+ "approvalExceptions": [
70
+ "A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
71
+ ]
72
+ }
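Review bot: `parserPolicy`, the `git-identity-inspection` family, `restrictedCategories` and `approvalExceptions` here are byte-for-byte copies of the env-audit policy in the previous hunk, so a later tightening of one file (for instance an extra denied pattern on the git family) will silently leave the other behind. If the policy format has no include or reference mechanism, a parity assertion in the pack test script that these four members are deep-equal across the example command policies would catch that drift. The `"version": "0.2.3"` field in both new files also appears to be a policy-format version rather than the package version being released; if it is meant to track the package it is stale, and a one-line statement in the policy documentation of what the field tracks would remove the ambiguity.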