coding-agent-skills 0.2.8 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/CHANGELOG.md +38 -0
  2. package/README.md +6 -0
  3. package/ROADMAP.md +21 -15
  4. package/bin/coding-agent-skills +15 -1
  5. package/docs/adapters/README.md +34 -0
  6. package/docs/adapters/project-installation.md +25 -1
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +5 -1
  9. package/docs/release/README.md +11 -8
  10. package/docs/release/npm-package.md +10 -4
  11. package/docs/safety/README.md +9 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +23 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/command-policies/route-trace.json +72 -0
  16. package/examples/evidence-packs/env-audit.json +55 -0
  17. package/examples/evidence-packs/route-trace.json +55 -0
  18. package/examples/manifests/env-audit.json +14 -0
  19. package/examples/manifests/route-trace.json +14 -0
  20. package/examples/workflows/env-audit.md +16 -0
  21. package/examples/workflows/route-trace.md +20 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +37 -0
  24. package/schemas/project-adapter-installation.schema.json +7 -3
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/env-audit.mjs +640 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/route-trace.mjs +785 -0
  29. package/scripts/render-env-audit.mjs +8 -0
  30. package/scripts/render-route-trace.mjs +8 -0
  31. package/scripts/test-pack.mjs +159 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/env-audit/SKILL.md +58 -0
  34. package/skills/env-audit/adapter-interface.md +12 -0
  35. package/skills/env-audit/agents/openai.yaml +4 -0
  36. package/skills/env-audit/checklist.md +7 -0
  37. package/skills/env-audit/evidence-template.md +17 -0
  38. package/skills/env-audit/examples.md +28 -0
  39. package/skills/env-audit/failure-modes.md +5 -0
  40. package/skills/route-trace/SKILL.md +58 -0
  41. package/skills/route-trace/adapter-interface.md +20 -0
  42. package/skills/route-trace/agents/openai.yaml +4 -0
  43. package/skills/route-trace/checklist.md +11 -0
  44. package/skills/route-trace/evidence-template.md +18 -0
  45. package/skills/route-trace/examples.md +32 -0
  46. package/skills/route-trace/failure-modes.md +9 -0
  47. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  48. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  52. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  53. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  54. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  55. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  57. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  58. package/tests/fixtures/route-trace/adapter-project/.coding-agent/adapters/route-trace-fixture/adapter.json +59 -0
  59. package/tests/fixtures/route-trace/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/route-trace/adapter-project/README.md +3 -0
  61. package/tests/fixtures/route-trace/adapter-project/app/api/items/route.ts +3 -0
  62. package/tests/fixtures/route-trace/adapter-project/package.json +5 -0
  63. package/tests/fixtures/route-trace/adapter-project/pages/index.tsx +3 -0
  64. package/tests/fixtures/route-trace/adapter-project/src/routes.ts +3 -0
  65. package/tests/fixtures/route-trace/static-project/.env.example +1 -0
  66. package/tests/fixtures/route-trace/static-project/README.md +3 -0
  67. package/tests/fixtures/route-trace/static-project/app/api/users/route.ts +3 -0
  68. package/tests/fixtures/route-trace/static-project/app/blog/[slug]/page.tsx +3 -0
  69. package/tests/fixtures/route-trace/static-project/app/page.tsx +3 -0
  70. package/tests/fixtures/route-trace/static-project/package.json +5 -0
  71. package/tests/fixtures/route-trace/static-project/pages/about.tsx +3 -0
  72. package/tests/fixtures/route-trace/static-project/pages/api/hello.ts +3 -0
  73. package/tests/fixtures/route-trace/static-project/server/routes.ts +4 -0
  74. package/tests/fixtures/route-trace/static-project/src/route-config.ts +4 -0
  75. package/tests/fixtures/route-trace/static-project/src/router.tsx +10 -0
  76. package/tests/fixtures/triggers/cases.json +25 -1
  77. package/tests/trigger/README.md +3 -0
  78. package/work-ledger.md +35 -10
@@ -0,0 +1,55 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "env-audit", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-env-audit",
6
+ "startedAt": "2026-07-03T10:00:00Z",
7
+ "endedAt": "2026-07-03T10:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Identify environment variable names before updating setup documentation.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-env-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "high",
22
+ "reason": "Static env references, sample files, skipped secret paths, and not-verified runtime stores were recorded without values."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills env-audit /workspace/example-project",
27
+ "family": "env-audit-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T10:00:20Z",
30
+ "endedAt": "2026-07-03T10:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a value-free static env audit report.",
36
+ "outputSummary": "Found env variable names and sample declarations without reading .env files or printing values."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Environment variable names were identified from static references and .env.example only.",
43
+ "evidence": ["src/config.ts", ".env.example"]
44
+ }
45
+ ],
46
+ "risks": [],
47
+ "failures": [],
48
+ "unresolvedQuestions": [],
49
+ "changedState": {
50
+ "changed": false,
51
+ "summary": "No project, Git, dependency, runtime, service, or remote state changed."
52
+ },
53
+ "handoffSummary": "Environment variable names are mapped without values; runtime stores remain unverified.",
54
+ "recommendedNextAction": "Review the reported names before updating documentation."
55
+ }
@@ -0,0 +1,55 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "route-trace", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-route-trace",
6
+ "startedAt": "2026-07-02T10:00:00Z",
7
+ "endedAt": "2026-07-02T10:02:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Trace static route surfaces before editing an API handler.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-route-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "high",
22
+ "reason": "Adapter scope, route files, inferred route declarations, skipped paths, and not-verified runtime-dependent route classes were recorded."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills route-trace /workspace/example-project",
27
+ "family": "route-trace-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-02T10:00:20Z",
30
+ "endedAt": "2026-07-02T10:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a static route-trace report.",
36
+ "outputSummary": "Found Next.js API route files and inferred Express route declarations without runtime checks."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Verified route files and inferred route declarations were identified from static files only.",
43
+ "evidence": ["app/api/users/route.ts", "server/routes.ts"]
44
+ }
45
+ ],
46
+ "risks": [],
47
+ "failures": [],
48
+ "unresolvedQuestions": [],
49
+ "changedState": {
50
+ "changed": false,
51
+ "summary": "No project, Git, dependency, runtime, service, or remote state changed."
52
+ },
53
+ "handoffSummary": "Static route surfaces are mapped with runtime-dependent areas explicitly not verified.",
54
+ "recommendedNextAction": "Review the relevant verified route file before editing."
55
+ }
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "env-audit",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/env-audit.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/env-audit/adapter-interface.md",
13
+ "description": "Identify environment variable names without reading values."
14
+ }
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "route-trace",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/route-trace.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/route-trace/adapter-interface.md",
13
+ "description": "Trace static route surfaces without executing project code."
14
+ }
@@ -0,0 +1,16 @@
1
+ # Env Audit Workflow
2
+
3
+ Use `env-audit` before editing setup docs, config loaders, or handoff notes:
4
+
5
+ ```bash
6
+ coding-agent-skills env-audit /workspace/project
7
+ ```
8
+
9
+ Review:
10
+
11
+ - names and classifications
12
+ - sample files inspected
13
+ - skipped secret-bearing paths
14
+ - runtime and credential stores not verified
15
+
16
+ Do not use the output as proof that values exist or credentials work.
@@ -0,0 +1,20 @@
1
+ # Route Trace Workflow
2
+
3
+ Use `route-trace` when the route surface must be understood from static files before
4
+ editing or review.
5
+
6
+ ```bash
7
+ coding-agent-skills route-trace /path/to/project
8
+ ```
9
+
10
+ Expected evidence:
11
+
12
+ - validated adapter state when present
13
+ - adapter-limited or generic static scan scope
14
+ - verified route files
15
+ - inferred route declarations
16
+ - skipped paths and not-verified runtime-dependent route classes
17
+ - no state changes
18
+
19
+ Do not run servers, hit URLs, read `.env`, install packages, build, test, deploy, migrate,
20
+ or claim runtime availability from static route findings.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "coding-agent-skills",
3
- "version": "0.2.8",
3
+ "version": "0.2.10",
4
4
  "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
5
5
  "type": "module",
6
6
  "private": false,
@@ -9,6 +9,8 @@
9
9
  "coding-agent",
10
10
  "agent-skills",
11
11
  "repo-map",
12
+ "route-trace",
13
+ "env-audit",
12
14
  "project-adapters",
13
15
  "code-validation",
14
16
  "cli"
@@ -160,3 +160,40 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
160
160
  - Validation result: pass pending final publication evidence
161
161
  - Commit/tag/push status: pending approved release workflow
162
162
  - Next state: no next runner command is queued after `v0.2.8`; future package releases, new skills, real adapter expansion, platform work, deployment/preflight skills, and release-policy changes require separate human approval
163
+
164
+
165
+ ## design-v0.2.9-route-trace
166
+
167
+ - Run ID: `design-v0.2.9-route-trace`
168
+ - Timestamp: `2026-07-03T00:00:00Z`
169
+ - Command used: `manual approval for route-trace-skill implementation and release`
170
+ - Permissions granted: `skill-implementation`, `test-hardening`, `docs-hardening`, `release-preflight`, `commit`, `push`, `tag`, `npm-publish`, `github-release`
171
+ - Design summary: add `route-trace` as an audit-only static inspection skill and CLI command. It validates a project adapter when present, limits inspection to adapter-safe paths when available, skips ignored and secret-bearing paths, identifies visible route files and route declarations without executing project code, and labels findings as verified route files, inferred route patterns, skipped items, or not verified.
172
+ - Supported static surfaces: Next.js `app/` and `pages/` routes, API route files, React Router-style declarations, Express/Fastify/Hono-style route registrations, route config files, and adapter-declared safe paths.
173
+ - Safety scope: no `.env` reads, no target-project builds/tests/dev servers, no runtime URL probing, no app-code execution, no package installation, no deployments, no migrations, no database inspection, no process/service mutation, and no runtime truth claims.
174
+ - Release target: `v0.2.9` / `coding-agent-skills@0.2.9`.
175
+
176
+
177
+ ## implementation-v0.2.9-route-trace
178
+
179
+ - Run ID: `implementation-v0.2.9-route-trace`
180
+ - Timestamp: `2026-07-03T00:00:00Z`
181
+ - Command used: `resume interrupted route-trace-skill implementation and complete release loop`
182
+ - Permissions granted: `skill-implementation`, `test-hardening`, `docs-hardening`, `release-preflight`, `commit`, `push`, `tag`, `npm-publish`, `github-release`
183
+ - Files changed: `route-trace` skill, route-trace renderer and library, CLI wrapper, adapter schemas, pack rules, release tests, synthetic route fixtures, usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
184
+ - Route-trace scope: audit-only static route tracing for verified route files, inferred route patterns, skipped paths, not-verified runtime route classes, and adapter-limited scope.
185
+ - Safety scope: no target-project builds, tests, dev servers, package installs, app-code execution, URL probing, deployments, migrations, database inspection, secret-file reads, project writes, or runtime truth claims.
186
+ - Validation commands: `git diff --check`; `bin/coding-agent-skills validate-pack`; `bin/coding-agent-skills validate-adapters tests/fixtures/external-adapters/valid-basic`; `bin/coding-agent-skills validate-project /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills repo-map /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills route-trace tests/fixtures/route-trace/static-project`; `bin/coding-agent-skills route-trace /home/oneclickwebsitedesignfactory/tax-lien-platform`; `node scripts/validate-pack.mjs .`; `node scripts/test-pack.mjs`; `node scripts/validate-maintainer-loop.mjs .`; `node --test`; JSON parsing; package secret scan; npm publish dry-run; tarball install smoke.
187
+ - Validation result: pass pending final commit, tag, publication, registry smoke, npm exec, and GitHub Release evidence.
188
+ - Real project smoke: `/home/oneclickwebsitedesignfactory/tax-lien-platform` remained repo-map-only for adapters, so route-trace reported `partial` and did not read target project route files.
189
+
190
+ ## implementation-v0.2.10-env-audit
191
+
192
+ - Run ID: `implementation-v0.2.10-env-audit`
193
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
194
+ - Command used: `builder-mode approval for env-audit-skill implementation and release`
195
+ - Files changed: `env-audit` skill, env-audit renderer and library, CLI wrapper, adapter schemas, pack rules, release tests, synthetic env fixtures, usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
196
+ - Safety boundary: read-only, static-analysis only, no `.env` reads, no value printing, no credential validation, no API calls, no builds, no tests in target projects, no deploys, no migrations, and no target-project mutation.
197
+ - Validation commands: pending final release validation matrix.
198
+ - Result: pass pending final publication evidence.
199
+ - Commit/tag/push status: pending approved release workflow.
@@ -65,6 +65,8 @@
65
65
  "type": "string",
66
66
  "enum": [
67
67
  "repo-map",
68
+ "route-trace",
69
+ "env-audit",
68
70
  "build-verify",
69
71
  "git-preflight",
70
72
  "runtime-truth",
@@ -96,9 +98,11 @@
96
98
  "items": {
97
99
  "type": "string",
98
100
  "enum": [
99
- "repo-map",
100
- "build-verify",
101
- "git-preflight",
101
+ "repo-map",
102
+ "route-trace",
103
+ "env-audit",
104
+ "build-verify",
105
+ "git-preflight",
102
106
  "runtime-truth",
103
107
  "llm-drift-control"
104
108
  ]
@@ -89,6 +89,8 @@
89
89
  "type": "string",
90
90
  "enum": [
91
91
  "repo-map",
92
+ "route-trace",
93
+ "env-audit",
92
94
  "build-verify",
93
95
  "git-preflight",
94
96
  "runtime-truth",
@@ -165,6 +167,8 @@
165
167
  "type": "string",
166
168
  "enum": [
167
169
  "repo-map",
170
+ "route-trace",
171
+ "env-audit",
168
172
  "build-verify",
169
173
  "git-preflight",
170
174
  "runtime-truth",