coding-agent-skills 0.2.8 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/CHANGELOG.md +38 -0
  2. package/README.md +6 -0
  3. package/ROADMAP.md +21 -15
  4. package/bin/coding-agent-skills +15 -1
  5. package/docs/adapters/README.md +34 -0
  6. package/docs/adapters/project-installation.md +25 -1
  7. package/docs/adapters/real-project-adoption.md +3 -2
  8. package/docs/architecture/README.md +5 -1
  9. package/docs/release/README.md +11 -8
  10. package/docs/release/npm-package.md +10 -4
  11. package/docs/safety/README.md +9 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +23 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/command-policies/route-trace.json +72 -0
  16. package/examples/evidence-packs/env-audit.json +55 -0
  17. package/examples/evidence-packs/route-trace.json +55 -0
  18. package/examples/manifests/env-audit.json +14 -0
  19. package/examples/manifests/route-trace.json +14 -0
  20. package/examples/workflows/env-audit.md +16 -0
  21. package/examples/workflows/route-trace.md +20 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +37 -0
  24. package/schemas/project-adapter-installation.schema.json +7 -3
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/env-audit.mjs +640 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/route-trace.mjs +785 -0
  29. package/scripts/render-env-audit.mjs +8 -0
  30. package/scripts/render-route-trace.mjs +8 -0
  31. package/scripts/test-pack.mjs +159 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/env-audit/SKILL.md +58 -0
  34. package/skills/env-audit/adapter-interface.md +12 -0
  35. package/skills/env-audit/agents/openai.yaml +4 -0
  36. package/skills/env-audit/checklist.md +7 -0
  37. package/skills/env-audit/evidence-template.md +17 -0
  38. package/skills/env-audit/examples.md +28 -0
  39. package/skills/env-audit/failure-modes.md +5 -0
  40. package/skills/route-trace/SKILL.md +58 -0
  41. package/skills/route-trace/adapter-interface.md +20 -0
  42. package/skills/route-trace/agents/openai.yaml +4 -0
  43. package/skills/route-trace/checklist.md +11 -0
  44. package/skills/route-trace/evidence-template.md +18 -0
  45. package/skills/route-trace/examples.md +32 -0
  46. package/skills/route-trace/failure-modes.md +9 -0
  47. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  48. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  52. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  53. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  54. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  55. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  57. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  58. package/tests/fixtures/route-trace/adapter-project/.coding-agent/adapters/route-trace-fixture/adapter.json +59 -0
  59. package/tests/fixtures/route-trace/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/route-trace/adapter-project/README.md +3 -0
  61. package/tests/fixtures/route-trace/adapter-project/app/api/items/route.ts +3 -0
  62. package/tests/fixtures/route-trace/adapter-project/package.json +5 -0
  63. package/tests/fixtures/route-trace/adapter-project/pages/index.tsx +3 -0
  64. package/tests/fixtures/route-trace/adapter-project/src/routes.ts +3 -0
  65. package/tests/fixtures/route-trace/static-project/.env.example +1 -0
  66. package/tests/fixtures/route-trace/static-project/README.md +3 -0
  67. package/tests/fixtures/route-trace/static-project/app/api/users/route.ts +3 -0
  68. package/tests/fixtures/route-trace/static-project/app/blog/[slug]/page.tsx +3 -0
  69. package/tests/fixtures/route-trace/static-project/app/page.tsx +3 -0
  70. package/tests/fixtures/route-trace/static-project/package.json +5 -0
  71. package/tests/fixtures/route-trace/static-project/pages/about.tsx +3 -0
  72. package/tests/fixtures/route-trace/static-project/pages/api/hello.ts +3 -0
  73. package/tests/fixtures/route-trace/static-project/server/routes.ts +4 -0
  74. package/tests/fixtures/route-trace/static-project/src/route-config.ts +4 -0
  75. package/tests/fixtures/route-trace/static-project/src/router.tsx +10 -0
  76. package/tests/fixtures/triggers/cases.json +25 -1
  77. package/tests/trigger/README.md +3 -0
  78. package/work-ledger.md +35 -10
@@ -0,0 +1,2 @@
1
+ export const adapterScoped = process.env.ADAPTER_ONLY_VALUE;
2
+ export const adapterOptional = process.env.ADAPTER_OPTIONAL_VALUE ?? "fallback";
@@ -0,0 +1,3 @@
1
+ DATABASE_URL=
2
+ NEXT_PUBLIC_APP_URL=
3
+ OPTIONAL_FEATURE_FLAG=
@@ -0,0 +1,3 @@
1
+ # Env Audit Static Fixture
2
+
3
+ Requires DATABASE_URL and optional NEXT_PUBLIC_APP_URL. Workers may use QUEUE_NAME.
@@ -0,0 +1,3 @@
1
+ # Setup
2
+
3
+ Set DATABASE_URL before starting locally. NEXT_PUBLIC_APP_URL is optional.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-env-audit-static",
3
+ "type": "module"
4
+ }
@@ -0,0 +1,4 @@
1
+ export const databaseUrl = process.env.DATABASE_URL;
2
+ export const port = process.env.PORT ?? "3000";
3
+ export const publicUrl = import.meta.env.NEXT_PUBLIC_APP_URL;
4
+ export const requiredToken = env("SERVICE_TOKEN");
@@ -0,0 +1 @@
1
+ export const denoValue = Deno.env.get("DENO_REGION");
@@ -0,0 +1,59 @@
1
+ {
2
+ "adapterId": "route-trace-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "route-trace-fixture",
6
+ "detection": {
7
+ "rootMarkers": [{"kind": "file", "path": "package.json"}],
8
+ "maximumDepth": 2,
9
+ "scope": "declared-project-root",
10
+ "requireApprovalOutsideScope": true
11
+ }
12
+ },
13
+ "supportedSkills": [
14
+ {
15
+ "id": "route-trace",
16
+ "compatibleVersions": ["0.2.x"],
17
+ "declaredMode": "audit-only"
18
+ }
19
+ ],
20
+ "extensions": {
21
+ "safeReadPaths": ["app", "pages", "src"],
22
+ "ignoredPaths": ["dist", "build", "node_modules"],
23
+ "documentationPrecedence": ["README.md"],
24
+ "commandAliases": [],
25
+ "safeStatusCommands": [],
26
+ "requiredEvidence": [
27
+ "adapter scope",
28
+ "verified route files",
29
+ "inferred route patterns",
30
+ "skipped route paths",
31
+ "not-verified runtime classes"
32
+ ],
33
+ "expectedRuntimeManagers": [],
34
+ "expectedPackageManagers": ["npm"]
35
+ },
36
+ "approvalRequirements": [],
37
+ "inheritance": {
38
+ "sharedRestrictions": "required",
39
+ "deniedOperationCategories": [
40
+ "file-write",
41
+ "package-install",
42
+ "deployment",
43
+ "git-mutation",
44
+ "unrestricted-scan",
45
+ "secret-read",
46
+ "process-mutation",
47
+ "service-mutation",
48
+ "migration-apply",
49
+ "privileged-api"
50
+ ],
51
+ "allowRestrictionRemoval": false,
52
+ "allowModeOverride": false,
53
+ "allowFailureSuppression": false,
54
+ "allowCompletionOverride": false,
55
+ "allowSecretExposure": false,
56
+ "allowRequiredEvidenceRemoval": false,
57
+ "allowScopeExpansionWithoutApproval": false
58
+ }
59
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "route-trace-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["route-trace"],
12
+ "adapters": [
13
+ {
14
+ "id": "route-trace-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["route-trace"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": "validation-output/route-trace.json",
21
+ "approvalPolicyReference": "docs/coding-agent-approval-policy.md",
22
+ "noSecrets": true
23
+ }
@@ -0,0 +1,3 @@
1
+ # Route Trace Adapter Fixture
2
+
3
+ Synthetic adapter-scoped route tracing fixture.
@@ -0,0 +1,3 @@
1
+ export async function GET() {
2
+ return Response.json({ items: [] });
3
+ }
@@ -0,0 +1,5 @@
1
+ {
2
+ "name": "route-trace-adapter-fixture",
3
+ "private": true,
4
+ "type": "module"
5
+ }
@@ -0,0 +1,3 @@
1
+ export default function IndexPage() {
2
+ return <main>Index</main>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export function register(app) {
2
+ app.get("/adapter-health", () => ({ ok: true }));
3
+ }
@@ -0,0 +1 @@
1
+ PUBLIC_EXAMPLE=value
@@ -0,0 +1,3 @@
1
+ # Route Trace Static Fixture
2
+
3
+ Synthetic fixture for static route tracing. It is not an installable project.
@@ -0,0 +1,3 @@
1
+ export async function GET() {
2
+ return Response.json({ ok: true });
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function BlogPostPage() {
2
+ return <article>Post</article>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function HomePage() {
2
+ return <main>Home</main>;
3
+ }
@@ -0,0 +1,5 @@
1
+ {
2
+ "name": "route-trace-static-fixture",
3
+ "private": true,
4
+ "type": "module"
5
+ }
@@ -0,0 +1,3 @@
1
+ export default function AboutPage() {
2
+ return <main>About</main>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function handler(_request, response) {
2
+ response.status(200).json({ ok: true });
3
+ }
@@ -0,0 +1,4 @@
1
+ export function registerRoutes(app) {
2
+ app.get("/health", () => ({ ok: true }));
3
+ app.post("/api/widgets", () => ({ ok: true }));
4
+ }
@@ -0,0 +1,4 @@
1
+ export const routes = [
2
+ { path: "/reports" },
3
+ { path: "/reports/:id" },
4
+ ];
@@ -0,0 +1,10 @@
1
+ import { Route } from "react-router-dom";
2
+
3
+ export function Routes() {
4
+ return (
5
+ <>
6
+ <Route path="/dashboard" element={null} />
7
+ <Route path="/settings/profile" element={null} />
8
+ </>
9
+ );
10
+ }
@@ -19,6 +19,30 @@
19
19
  "expectedSkill": "repo-map",
20
20
  "notSkills": ["llm-drift-control"]
21
21
  },
22
+ {
23
+ "id": "route-trace-static-routes",
24
+ "prompt": "Trace the static route surface and identify Next.js API route files before I edit a handler.",
25
+ "expectedSkill": "route-trace",
26
+ "notSkills": ["repo-map", "runtime-truth"]
27
+ },
28
+ {
29
+ "id": "route-trace-express",
30
+ "prompt": "Find the Express routes and React Router paths that are statically visible without running the app.",
31
+ "expectedSkill": "route-trace",
32
+ "notSkills": ["build-verify", "runtime-truth"]
33
+ },
34
+ {
35
+ "id": "env-audit-process-env",
36
+ "prompt": "Audit process.env and import.meta.env references without reading .env files.",
37
+ "expectedSkill": "env-audit",
38
+ "notSkills": ["secret-audit", "runtime-truth"]
39
+ },
40
+ {
41
+ "id": "env-audit-setup-docs",
42
+ "prompt": "Identify environment variables and configuration requirements from static docs and .env.example only.",
43
+ "expectedSkill": "env-audit",
44
+ "notSkills": ["build-verify", "deployment-preflight"]
45
+ },
22
46
  {
23
47
  "id": "build-after-implementation",
24
48
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -71,7 +95,7 @@
71
95
  "id": "negative-deploy",
72
96
  "prompt": "Deploy this application to production.",
73
97
  "expectedSkill": null,
74
- "notSkills": ["repo-map", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
98
+ "notSkills": ["repo-map", "route-trace", "env-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
75
99
  },
76
100
  {
77
101
  "id": "negative-install",
@@ -3,6 +3,9 @@
3
3
  `tests/fixtures/triggers/cases.json` provides executable positive, negative, and wrong-skill cases for every pilot skill.
4
4
 
5
5
  - Repository orientation must trigger `repo-map`, not build or runtime validation.
6
+ - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
7
+ - Value-free environment variable mapping must trigger `env-audit`, not runtime truth or
8
+ secret-value inspection.
6
9
  - Local validation must trigger `build-verify` only when project-native checks are requested.
7
10
  - Git readiness must trigger `git-preflight`, not publication.
8
11
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.
package/work-ledger.md CHANGED
@@ -4,25 +4,29 @@
4
4
 
5
5
  - Repository: `coding-agent-skills`
6
6
  - Branch: `main`
7
- - Pilot skills: `repo-map`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
7
+ - Pilot skills: `repo-map`, `route-trace`, `env-audit`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
8
8
  - Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
9
9
  - Real-project adapter adoption readiness is documented as a planning-only approval gate.
10
10
  - First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
11
11
  - The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
12
12
  - The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
13
- - Public npm package release `v0.2.8` exposes the existing dependency-free
13
+ - Public npm package release `v0.2.10` exposes the dependency-free
14
14
  `coding-agent-skills` CLI under MIT license.
15
- - New skills are not approved.
15
+ - `route-trace` is implemented as an audit-only static route tracing skill.
16
+ - `env-audit` is implemented as an audit-only value-free environment variable name mapping
17
+ skill.
18
+ - Builder-mode approval: complete the remaining read-only skill wave for
19
+ `coding-agent-skills` itself. Real-world project execution constraints remain unchanged.
16
20
 
17
21
  ## Last Completed Version
18
22
 
19
- `v0.2.8`
23
+ `v0.2.10`
20
24
 
21
25
  ## Current Recommended Milestone
22
26
 
23
- The public npm release is complete for the existing CLI surface. No further real
24
- adapters, adapter expansion, new skills, platform skills, deployment/preflight work,
25
- signing infrastructure, or evidence-harness milestone is approved.
27
+ The `env-audit` public npm release is in progress under builder-mode approval. Continue the
28
+ remaining read-only skill wave one release at a time unless a real safety, validation,
29
+ publication, or authentication boundary appears.
26
30
 
27
31
  ## Allowed Next Actions
28
32
 
@@ -40,7 +44,7 @@ signing infrastructure, or evidence-harness milestone is approved.
40
44
 
41
45
  ## Blocked Actions
42
46
 
43
- - Adding new skills.
47
+ - Adding skills outside the approved builder-mode read-only wave.
44
48
  - Creating real project adapters.
45
49
  - Modifying real project repositories.
46
50
  - Publishing release artifacts without explicit approval.
@@ -72,14 +76,15 @@ signing infrastructure, or evidence-harness milestone is approved.
72
76
  - Implementing the next evidence-retention or provenance milestone.
73
77
  - Selecting a real project adapter candidate.
74
78
  - Gathering evidence from a real project repository.
75
- - Creating, changing, or removing skills.
79
+ - Creating, changing, or removing skills outside the approved builder-mode read-only wave.
76
80
  - Adding real project adapters.
77
81
  - Expanding the adopted `tax-lien-platform` adapter beyond `repo-map`.
78
82
  - Enabling candidate repo package scripts, build verification, runtime checks, or command aliases.
79
83
  - Allowing or bypassing project Git hooks during future adapter publication.
80
84
  - Touching real project repositories.
81
85
  - Changing release publication behavior.
82
- - Publishing a new npm version beyond the approved release.
86
+ - Publishing a new npm version outside the approved builder-mode read-only wave or another
87
+ explicitly approved release.
83
88
  - Commit, tag, or push operations.
84
89
  - Any action not listed in the allowed next actions above.
85
90
 
@@ -93,6 +98,15 @@ No next runner command is currently queued.
93
98
 
94
99
  No autonomous maintainer-loop run has been recorded yet.
95
100
 
101
+ ### 2026-07-03T10:00:00Z
102
+
103
+ - Latest tag observed: `v0.2.9`
104
+ - Implemented milestone: `env-audit` audit-only environment variable name mapping skill and CLI command.
105
+ - Required permission: `builder-mode-skill-implementation`
106
+ - Validation result: pass pending final publication evidence
107
+ - Next recommended milestone: continue builder-mode wave with `secret-audit-skill` after
108
+ `v0.2.10` publication completes.
109
+
96
110
 
97
111
  ### 2026-06-19T00:00:00Z
98
112
 
@@ -105,6 +119,17 @@ No autonomous maintainer-loop run has been recorded yet.
105
119
  skills require separate human approval.
106
120
 
107
121
 
122
+ ### 2026-07-03T00:00:00Z
123
+
124
+ - Latest tag observed: `v0.2.8`
125
+ - Implemented milestone: `route-trace` audit-only static route tracing skill and CLI command.
126
+ - Required permission: `skill-implementation`
127
+ - Validation result: pass pending final publication evidence
128
+ - Next recommended milestone: no next runner command is queued; future real adapter
129
+ expansion, new skills, platform work, deployment/preflight skills, and release-policy
130
+ changes require separate human approval.
131
+
132
+
108
133
  ### 2026-06-15T21:02:34.116Z
109
134
 
110
135
  - Latest tag observed: `v0.2.0`