coding-agent-skills 0.2.8 → 0.2.9
- package/CHANGELOG.md +19 -0
- package/README.md +4 -0
- package/ROADMAP.md +6 -3
- package/bin/coding-agent-skills +8 -1
- package/docs/adapters/README.md +17 -0
- package/docs/adapters/project-installation.md +14 -1
- package/docs/adapters/real-project-adoption.md +2 -2
- package/docs/architecture/README.md +4 -1
- package/docs/release/README.md +10 -8
- package/docs/release/npm-package.md +7 -4
- package/docs/safety/README.md +5 -1
- package/docs/testing/README.md +8 -0
- package/docs/usage/README.md +13 -5
- package/examples/command-policies/route-trace.json +72 -0
- package/examples/evidence-packs/route-trace.json +55 -0
- package/examples/manifests/route-trace.json +14 -0
- package/examples/workflows/route-trace.md +20 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +27 -0
- package/schemas/project-adapter-installation.schema.json +5 -3
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/lib/route-trace.mjs +785 -0
- package/scripts/render-route-trace.mjs +8 -0
- package/scripts/test-pack.mjs +89 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/route-trace/SKILL.md +58 -0
- package/skills/route-trace/adapter-interface.md +20 -0
- package/skills/route-trace/agents/openai.yaml +4 -0
- package/skills/route-trace/checklist.md +11 -0
- package/skills/route-trace/evidence-template.md +18 -0
- package/skills/route-trace/examples.md +32 -0
- package/skills/route-trace/failure-modes.md +9 -0
- package/tests/fixtures/route-trace/adapter-project/.coding-agent/adapters/route-trace-fixture/adapter.json +59 -0
- package/tests/fixtures/route-trace/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/route-trace/adapter-project/README.md +3 -0
- package/tests/fixtures/route-trace/adapter-project/app/api/items/route.ts +3 -0
- package/tests/fixtures/route-trace/adapter-project/package.json +5 -0
- package/tests/fixtures/route-trace/adapter-project/pages/index.tsx +3 -0
- package/tests/fixtures/route-trace/adapter-project/src/routes.ts +3 -0
- package/tests/fixtures/route-trace/static-project/.env.example +1 -0
- package/tests/fixtures/route-trace/static-project/README.md +3 -0
- package/tests/fixtures/route-trace/static-project/app/api/users/route.ts +3 -0
- package/tests/fixtures/route-trace/static-project/app/blog/[slug]/page.tsx +3 -0
- package/tests/fixtures/route-trace/static-project/app/page.tsx +3 -0
- package/tests/fixtures/route-trace/static-project/package.json +5 -0
- package/tests/fixtures/route-trace/static-project/pages/about.tsx +3 -0
- package/tests/fixtures/route-trace/static-project/pages/api/hello.ts +3 -0
- package/tests/fixtures/route-trace/static-project/server/routes.ts +4 -0
- package/tests/fixtures/route-trace/static-project/src/route-config.ts +4 -0
- package/tests/fixtures/route-trace/static-project/src/router.tsx +10 -0
- package/tests/fixtures/triggers/cases.json +13 -1
- package/tests/trigger/README.md +1 -0
- package/work-ledger.md +19 -7
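--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,25 @@
 
 All notable changes follow [Semantic Versioning](docs/versioning/README.md).
 
+## [0.2.9] - 2026-07-03
+
+### Added
+
+- `route-trace` audit-only skill for static route surface tracing.
+- `coding-agent-skills route-trace <project-root>` CLI command.
+- Dependency-free route trace renderer for verified route files, inferred route patterns,
+skipped paths, not-verified runtime route classes, adapter-limited scope, and safety
+refusals.
+- Synthetic route-trace fixtures and release tests for generic static scans, adapter-scoped
+scans, and repo-map-only adapter skips.
+
+### Changed
+
+- Adapter schemas and validators now recognize `route-trace` as an audit-only skill while
+preserving the existing `0.2.3` adapter contract compatibility baseline.
+- Package metadata, usage docs, release docs, roadmap, ledger, and run log now describe the
+new read-only route-trace command.
+
 ## [0.2.8] - 2026-06-19
 
 ### Added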
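--- a/package/README.md
+++ b/package/README.md
@@ -6,6 +6,7 @@ The pilot pack contains:
 
 - Shared evidence-pack contract.
 - `repo-map`: audit-only repository orientation.
+- `route-trace`: audit-only static route surface tracing.
 - `build-verify`: controlled local validation using existing project commands.
 - `git-preflight`: audit-only Git readiness inspection.
 - `runtime-truth`: audit-only runtime evidence collection.
@@ -38,6 +39,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Run `coding-agent-skills validate-pack` to validate the installed pack.
 - Run `npx coding-agent-skills validate-pack` when a one-off npm execution is preferred.
 - From a clone, the same wrapper is available as `bin/coding-agent-skills validate-pack`.
+- Trace static route surfaces with `coding-agent-skills route-trace <project-root>`.
 - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
 - Review [external adapter discovery](docs/adapters/discovery.md).
 - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
@@ -45,6 +47,8 @@ Every skill emits the evidence-pack contract. A command being attempted is never
 - Run `node scripts/validate-project-adapters.mjs <project-root>` for a declared project root.
 - Render adapter-aware `repo-map` orientation with
 `node scripts/render-adapter-repo-map.mjs <project-root>`.
+- Render a static route-trace report with
+`node scripts/render-route-trace.mjs <project-root>`.
 - Review [adapter upgrade checks](docs/adapters/upgrades.md).
 - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
 for disposable project revisions.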
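--- a/package/ROADMAP.md
+++ b/package/ROADMAP.md
@@ -1,6 +1,7 @@
 # Roadmap
 
-The
+The public package now contains six approved shared skills. Future work requires separate
+design and approval.
 
 ## Released Harness Milestones
 
@@ -26,13 +27,15 @@ The pilot release remains limited to five approved skills. Future work requires
 - `v0.2.7`: package-installed `validate-pack` support for tarball/global installs.
 - `v0.2.8`: first public npm release with MIT license, public metadata, and registry
 install smoke coverage.
+- `v0.2.9`: audit-only `route-trace` skill and CLI renderer for static route surface
+tracing.
 
 The next milestone is recorded in [work-ledger.md](work-ledger.md). The
 [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
 before implementation until the relevant human approval is granted.
 
 No evidence-harness milestone is queued after `v0.2.3`. Additional real project adapters,
-new skills
+new skills beyond `route-trace`, platform work, deployment/preflight work, and signing infrastructure remain
 separately gated. The public npm package exposes the existing read-only CLI surface; it
 does not approve new skills or target-project mutation.
 
@@ -67,7 +70,7 @@ Next safe milestone options:
 
 | Candidate | Scope | Mode | Current gate |
 |---|---|---|---|
-| `route-trace-skill` | General | Audit-only |
+| `route-trace-skill` | General | Audit-only | Implemented in `v0.2.9` |
 | `env-audit-skill` | General | Audit-only | Needs more evidence |
 | `secret-audit-skill` | General | Audit-only | Blocked on privacy and approval model |
 | `deployment-preflight-skill` | General | Audit-only | Needs design review |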
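--- a/package/bin/coding-agent-skills
+++ b/package/bin/coding-agent-skills
@@ -23,6 +23,12 @@ const commands = {
 usage: "coding-agent-skills repo-map <project-root>",
 requiredArgs: 1,
 },
+"route-trace": {
+script: "scripts/render-route-trace.mjs",
+args: ([projectRoot]) => [projectRoot],
+usage: "coding-agent-skills route-trace <project-root>",
+requiredArgs: 1,
+},
 "validate-adapters": {
 script: "scripts/validate-adapters.mjs",
 args: ([adapterRoot]) => [adapterRoot],
@@ -39,9 +45,10 @@ function usage(exitCode = 0) {
 " validate-pack",
 " validate-project <project-root>",
 " repo-map <project-root>",
+" route-trace <project-root>",
 " validate-adapters <adapter-root>",
 "",
-"local
+"local wrapper for the published coding-agent-skills package",
 ];
 const stream = exitCode === 0 ? process.stdout : process.stderr;
 stream.write(`${lines.join("\n")}\n`);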
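Review bot: The new `route-trace` entry forwards `projectRoot` to `scripts/render-route-trace.mjs` exactly as typed, so the read-only guarantees the docs make (bounded paths, no `.env` reads) have to be enforced entirely inside the renderer; nothing in this wrapper hunk resolves or checks the path. `args: ([projectRoot]) => [projectRoot]` also discards any surplus positional arguments silently, and whether `requiredArgs: 1` means exactly one or at least one cannot be seen here because `commands` and its dispatcher begin and end outside the hunk. If the dispatcher only checks a minimum, reject extra arguments with the usage text, and make the delegation explicit with a comment such as `// projectRoot is passed through unchanged; the renderer must resolve and scope-check it`.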
package/docs/adapters/README.md
CHANGED
|
@@ -38,11 +38,28 @@ builds, install packages, perform runtime checks, deploy, migrate, or read `.env
|
|
|
38
38
|
This is agent context for safer repository understanding. It is not target-application
|
|
39
39
|
product behavior.
|
|
40
40
|
|
|
41
|
+
## Adapter-Aware Route Trace Consumption
|
|
42
|
+
|
|
43
|
+
The shared pack can consume a validated project-owned adapter as bounded context for
|
|
44
|
+
`route-trace`:
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
node scripts/render-route-trace.mjs <project-root>
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
The renderer validates the project declaration when present. If an adapter is present but
|
|
51
|
+
does not enable `route-trace`, it reports an adapter-limited skip instead of broadening
|
|
52
|
+
scope. When enabled, it reads only adapter-declared safe paths, applies ignored paths, and
|
|
53
|
+
statically reports verified route files, inferred route patterns, skipped items, and
|
|
54
|
+
not-verified runtime-dependent routing classes. It does not execute target code, run
|
|
55
|
+
servers, hit URLs, build, test, deploy, migrate, inspect databases, or read `.env` files.
|
|
56
|
+
|
|
41
57
|
## What Adapters May Do
|
|
42
58
|
|
|
43
59
|
- Add bounded relative read paths and ignored paths.
|
|
44
60
|
- Declare project-root markers and a bounded detection depth.
|
|
45
61
|
- Add documentation precedence and package-manager hints.
|
|
62
|
+
- Add route-trace safe read paths for static route files and route config.
|
|
46
63
|
- Add command aliases that already satisfy the shared command policy.
|
|
47
64
|
- Add status-only runtime commands and manager hints.
|
|
48
65
|
- Require additional evidence or named approval for exceptional reads.
|
|
@@ -85,7 +85,7 @@ The dependency-free validator:
|
|
|
85
85
|
Exit `0` means the project declaration and all installed adapters are compatible. Exit `1`
|
|
86
86
|
means validation failed. Exit `2` means the project-root argument is missing.
|
|
87
87
|
|
|
88
|
-
##
|
|
88
|
+
## Adapter-Aware Consumption
|
|
89
89
|
|
|
90
90
|
After validation passes, a project-owned adapter can be consumed as read-only `repo-map`
|
|
91
91
|
context:
|
|
@@ -109,6 +109,19 @@ The renderer is metadata-only. It does not read target project file contents, ru
|
|
|
109
109
|
project tests, run builds, install packages, perform runtime checks, deploy, migrate, read
|
|
110
110
|
`.env` files, or modify project state.
|
|
111
111
|
|
|
112
|
+
A project-owned adapter can also enable read-only `route-trace` context:
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
node scripts/render-route-trace.mjs <project-root>
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
The route-trace renderer validates the project declaration when present. If the adapter is
|
|
119
|
+
present but does not enable `route-trace`, it reports an adapter-limited skip. When enabled,
|
|
120
|
+
it reads only adapter-declared safe paths and reports verified route files, inferred route
|
|
121
|
+
patterns, skipped paths, and not-verified runtime-dependent route classes. It does not run
|
|
122
|
+
servers, hit URLs, execute app code, build, test, deploy, migrate, inspect databases, read
|
|
123
|
+
`.env` files, or modify project state.
|
|
124
|
+
|
|
112
125
|
## Safety Boundary
|
|
113
126
|
|
|
114
127
|
Project adapters are extension-only. They cannot remove denied operations, change an
|
|
@@ -20,8 +20,8 @@ project repository is touched:
|
|
|
20
20
|
`.coding-agent/adapters/`, `coding-agent/adapters/`, or `adapters/coding-agent/`.
|
|
21
21
|
- The project can declare exactly one installation file: `.coding-agent/skills.json` or
|
|
22
22
|
`coding-agent.skills.json`.
|
|
23
|
-
- The adapter need is bounded to existing pilot skills: `repo-map`, `
|
|
24
|
-
`git-preflight`, `runtime-truth`, or `llm-drift-control`.
|
|
23
|
+
- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
|
|
24
|
+
`build-verify`, `git-preflight`, `runtime-truth`, or `llm-drift-control`.
|
|
25
25
|
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
26
26
|
aliases, status-only hints, or extra evidence requirements.
|
|
27
27
|
- The adapter does not require deployment, migration, package installation, Git
|
|
@@ -12,6 +12,7 @@ Skills consume the evidence-pack contract but do not depend on hidden state. Aud
|
|
|
12
12
|
Audit-only:
|
|
13
13
|
|
|
14
14
|
- `repo-map`
|
|
15
|
+
- `route-trace`
|
|
15
16
|
- `git-preflight`
|
|
16
17
|
- `runtime-truth`
|
|
17
18
|
- `llm-drift-control`
|
|
@@ -20,4 +21,6 @@ Controlled local validation:
|
|
|
20
21
|
|
|
21
22
|
- `build-verify`
|
|
22
23
|
|
|
23
|
-
The evidence pack is a shared output contract, not an executable skill.
|
|
24
|
+
The evidence pack is a shared output contract, not an executable skill. Environment and
|
|
25
|
+
secret audits, deployment preflight, GitHub handoff, provider operations, and additional
|
|
26
|
+
project adapters remain separate future work.
|
package/docs/release/README.md
CHANGED
|
@@ -19,14 +19,16 @@
|
|
|
19
19
|
13. Inspect tarball contents for local-only files, credentials, `.env` files, dependency
|
|
20
20
|
folders, generated output, and unrelated repositories.
|
|
21
21
|
14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
|
|
22
|
-
15.
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
22
|
+
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace` against
|
|
23
|
+
synthetic fixtures only unless a real project read-only smoke is explicitly approved.
|
|
24
|
+
16. Review changelog, ledger, run evidence, and versioning impact.
|
|
25
|
+
17. Commit with approved identity.
|
|
26
|
+
18. Push `main` using credential-free remotes.
|
|
27
|
+
19. Confirm a clean synchronized worktree.
|
|
28
|
+
20. Create and push the annotated version tag.
|
|
29
|
+
21. Publish with `npm publish --access public --registry=https://registry.npmjs.org/`.
|
|
30
|
+
22. Install the published package into a temporary prefix and smoke-test the installed CLI.
|
|
31
|
+
23. Create the GitHub Release for the pushed tag.
|
|
30
32
|
|
|
31
33
|
Deployments, migrations, runtime mutation, platform actions, and target-project builds or
|
|
32
34
|
tests remain outside this release process unless separately approved.
|
|
@@ -7,7 +7,7 @@ safety model.
|
|
|
7
7
|
## Current Package Shape
|
|
8
8
|
|
|
9
9
|
- Package name: `coding-agent-skills`.
|
|
10
|
-
- Package version: `0.2.
|
|
10
|
+
- Package version: `0.2.9`.
|
|
11
11
|
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
12
|
- Module type: `module`.
|
|
13
13
|
- Dependencies: none.
|
|
@@ -27,6 +27,7 @@ The supported installed commands are:
|
|
|
27
27
|
coding-agent-skills validate-pack
|
|
28
28
|
coding-agent-skills validate-project /path/to/project
|
|
29
29
|
coding-agent-skills repo-map /path/to/project
|
|
30
|
+
coding-agent-skills route-trace /path/to/project
|
|
30
31
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
31
32
|
```
|
|
32
33
|
|
|
@@ -37,7 +38,8 @@ npx coding-agent-skills validate-pack
|
|
|
37
38
|
```
|
|
38
39
|
|
|
39
40
|
Adapter compatibility remains controlled by the existing shared core and
|
|
40
|
-
project-adapter validators.
|
|
41
|
+
project-adapter validators. `route-trace` is static and audit-only; it reports route
|
|
42
|
+
files and route declarations without executing the target project.
|
|
41
43
|
|
|
42
44
|
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
43
45
|
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
|
@@ -71,13 +73,14 @@ included.
|
|
|
71
73
|
## Safety Boundaries
|
|
72
74
|
|
|
73
75
|
The public CLI remains read-only for target projects unless a specific underlying skill
|
|
74
|
-
already permits a bounded local validation action. The installed `repo-map
|
|
75
|
-
flows do not:
|
|
76
|
+
already permits a bounded local validation action. The installed `repo-map`,
|
|
77
|
+
`route-trace`, and adapter flows do not:
|
|
76
78
|
|
|
77
79
|
- deploy
|
|
78
80
|
- run migrations
|
|
79
81
|
- mutate runtime services or processes
|
|
80
82
|
- read `.env` or secret files
|
|
83
|
+
- execute target project application code
|
|
81
84
|
- run target project builds or tests
|
|
82
85
|
- grant adapters additional power
|
|
83
86
|
|
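--- a/package/docs/safety/README.md
+++ b/package/docs/safety/README.md
@@ -2,7 +2,11 @@
 
 ## Audit-Only Rule
 
-`repo-map`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
+`repo-map`, `route-trace`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
+
+`route-trace` is static only. It may read bounded non-secret route files and route
+configuration, but it must not execute app code, run servers, hit URLs, claim runtime
+truth, or broaden adapter scope when a project adapter is present.
 
 `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
 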
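--- a/package/docs/testing/README.md
+++ b/package/docs/testing/README.md
@@ -29,6 +29,14 @@ This is intentionally conservative and is not a complete POSIX parser. Unknown e
 
 Audit-only Markdown is scanned for restricted commands presented as procedures. Commands in explicitly denied or negative contexts remain documentation. Synthetic snapshot targets are hashed before and after checks.
 
+## Route Trace
+
+Synthetic route-trace projects cover generic bounded static scanning, adapter-declared
+scope, verified Next.js route files, inferred React Router and Express-style declarations,
+skipped paths, not-verified runtime route classes, and repo-map-only adapter skips.
+Route-trace tests must never run a target project, hit URLs, build, test, deploy, migrate,
+or read `.env` files.
+
 ## Privacy And Redaction
 
 Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.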
package/docs/usage/README.md
CHANGED
|
@@ -5,6 +5,7 @@ Select the least-privileged skill that matches the request:
|
|
|
5
5
|
| Need | Skill |
|
|
6
6
|
|---|---|
|
|
7
7
|
| Understand repository identity and structure | `repo-map` |
|
|
8
|
+
| Trace statically visible route surfaces | `route-trace` |
|
|
8
9
|
| Run existing local validation checks | `build-verify` |
|
|
9
10
|
| Assess Git handoff readiness | `git-preflight` |
|
|
10
11
|
| Determine what is actually running | `runtime-truth` |
|
|
@@ -13,11 +14,12 @@ Select the least-privileged skill that matches the request:
|
|
|
13
14
|
## Typical Flow
|
|
14
15
|
|
|
15
16
|
1. Use `repo-map` when repository identity or boundaries are not established.
|
|
16
|
-
2.
|
|
17
|
-
3.
|
|
18
|
-
4. Use `
|
|
19
|
-
5. Use `
|
|
20
|
-
6. Use `
|
|
17
|
+
2. Use `route-trace` when route files or declarations must be mapped from static files.
|
|
18
|
+
3. Perform implementation outside this pilot pack.
|
|
19
|
+
4. Use `build-verify` for approved project-native checks.
|
|
20
|
+
5. Use `git-preflight` before handoff or publication.
|
|
21
|
+
6. Use `runtime-truth` only when live local state matters.
|
|
22
|
+
7. Use `llm-drift-control` when claims and evidence may disagree.
|
|
21
23
|
|
|
22
24
|
Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
|
|
23
25
|
|
|
@@ -48,6 +50,7 @@ Run supported commands:
|
|
|
48
50
|
coding-agent-skills validate-pack
|
|
49
51
|
coding-agent-skills validate-project /path/to/project
|
|
50
52
|
coding-agent-skills repo-map /path/to/project
|
|
53
|
+
coding-agent-skills route-trace /path/to/project
|
|
51
54
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
52
55
|
```
|
|
53
56
|
|
|
@@ -60,6 +63,9 @@ npx coding-agent-skills validate-pack
|
|
|
60
63
|
These commands wrap the same validated scripts shipped in the repository. `repo-map`
|
|
61
64
|
validates the project adapter first, then renders adapter-declared documentation
|
|
62
65
|
precedence, safe read paths, ignored paths, and required evidence.
|
|
66
|
+
`route-trace` validates a project adapter when present, uses adapter-declared safe paths
|
|
67
|
+
when enabled, and statically reports verified route files, inferred route declarations,
|
|
68
|
+
skipped items, and not-verified runtime-dependent route classes.
|
|
63
69
|
|
|
64
70
|
The installed CLI does not run target project builds or tests, perform runtime checks,
|
|
65
71
|
deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
|
|
@@ -73,6 +79,7 @@ From the shared skill repository root, the same wrapper can be used directly:
|
|
|
73
79
|
bin/coding-agent-skills validate-pack
|
|
74
80
|
bin/coding-agent-skills validate-project /path/to/project
|
|
75
81
|
bin/coding-agent-skills repo-map /path/to/project
|
|
82
|
+
bin/coding-agent-skills route-trace /path/to/project
|
|
76
83
|
bin/coding-agent-skills validate-adapters /path/to/adapter-root
|
|
77
84
|
```
|
|
78
85
|
|
|
@@ -83,6 +90,7 @@ also be invoked as:
|
|
|
83
90
|
coding-agent-skills validate-pack
|
|
84
91
|
coding-agent-skills validate-project /path/to/project
|
|
85
92
|
coding-agent-skills repo-map /path/to/project
|
|
93
|
+
coding-agent-skills route-trace /path/to/project
|
|
86
94
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
87
95
|
```
|
|
88
96
|
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "0.2.3",
|
|
3
|
+
"mode": "audit-only",
|
|
4
|
+
"parserPolicy": {
|
|
5
|
+
"inspectEverySegment": true,
|
|
6
|
+
"inspectScriptBodies": true,
|
|
7
|
+
"rejectUnknownExecutables": true,
|
|
8
|
+
"rejectShellWrappers": true,
|
|
9
|
+
"rejectHeredocs": true,
|
|
10
|
+
"rejectRedirection": true,
|
|
11
|
+
"providerSpecificNpx": true,
|
|
12
|
+
"authenticatedCurlRequiresApproval": true,
|
|
13
|
+
"boundedReadsRequired": true,
|
|
14
|
+
"allowedComposition": "read-only"
|
|
15
|
+
},
|
|
16
|
+
"allowedFamilies": [
|
|
17
|
+
{
|
|
18
|
+
"name": "bounded-route-inspection",
|
|
19
|
+
"executables": ["pwd", "ls", "rg", "find", "sed", "head"],
|
|
20
|
+
"argumentPolicy": {
|
|
21
|
+
"strategy": "pattern",
|
|
22
|
+
"allowedPatterns": ["bounded repository-local static route inspection"],
|
|
23
|
+
"deniedPatterns": ["absolute home paths, secret files, app execution, and unbounded traversal"]
|
|
24
|
+
},
|
|
25
|
+
"constraints": [
|
|
26
|
+
"Remain inside the declared project scope.",
|
|
27
|
+
"Bound traversal depth and output.",
|
|
28
|
+
"Exclude secret-bearing, generated, dependency, build, and runtime-output paths."
|
|
29
|
+
]
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"name": "git-identity-inspection",
|
|
33
|
+
"executables": ["git"],
|
|
34
|
+
"argumentPolicy": {
|
|
35
|
+
"strategy": "exact",
|
|
36
|
+
"allowedPatterns": ["rev-parse and status --short --branch"],
|
|
37
|
+
"deniedPatterns": ["all Git mutation and publication subcommands"]
|
|
38
|
+
},
|
|
39
|
+
"constraints": [
|
|
40
|
+
"Allow only read-only repository identity and branch-state inspection."
|
|
41
|
+
]
|
|
42
|
+
},
|
|
43
|
+
{
|
|
44
|
+
"name": "route-trace-renderer",
|
|
45
|
+
"executables": ["node", "coding-agent-skills"],
|
|
46
|
+
"argumentPolicy": {
|
|
47
|
+
"strategy": "exact",
|
|
48
|
+
"allowedPatterns": ["node scripts/render-route-trace.mjs <project-root>; coding-agent-skills route-trace <project-root>"],
|
|
49
|
+
"deniedPatterns": ["builds, tests, dev servers, URL probing, app execution, deployment, migration, and package installation"]
|
|
50
|
+
},
|
|
51
|
+
"constraints": [
|
|
52
|
+
"The renderer must remain static and read-only.",
|
|
53
|
+
"Do not treat renderer output as runtime availability evidence."
|
|
54
|
+
]
|
|
55
|
+
}
|
|
56
|
+
],
|
|
57
|
+
"restrictedCategories": [
|
|
58
|
+
"file-write",
|
|
59
|
+
"package-install",
|
|
60
|
+
"deployment",
|
|
61
|
+
"git-mutation",
|
|
62
|
+
"unrestricted-scan",
|
|
63
|
+
"secret-read",
|
|
64
|
+
"process-mutation",
|
|
65
|
+
"service-mutation",
|
|
66
|
+
"migration-apply",
|
|
67
|
+
"privileged-api"
|
|
68
|
+
],
|
|
69
|
+
"approvalExceptions": [
|
|
70
|
+
"A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
|
|
71
|
+
]
|
|
72
|
+
}
|
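Review bot: The `bounded-route-inspection` family allow-lists `find`, `sed` and `rg` by executable name, while its `argumentPolicy` declares `"strategy": "pattern"` with `allowedPatterns` and `deniedPatterns` that are prose descriptions rather than matchable patterns. Each of those tools has options that write files or start other programs (`find -exec`/`-delete`, `sed -i`, `rg --pre`), which the `file-write` and `process-mutation` restricted categories are meant to exclude; whether the validator maps those flags onto the categories cannot be seen from this hunk. Since this appears to be the example policy adopters will copy (presumably `examples/command-policies/route-trace.json`, the only +72 file in the list), name the flags explicitly next to the existing prose entry, e.g. `"deniedPatterns": ["find -exec, -execdir, -ok, -delete, -fprint", "sed -i and the w/e commands", "rg --pre", "absolute home paths, secret files, app execution, and unbounded traversal"]`.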
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "route-trace", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-route-trace",
|
|
6
|
+
"startedAt": "2026-07-02T10:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-02T10:02:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "clean"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Trace static route surfaces before editing an API handler.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "example-route-adapter",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "high",
|
|
22
|
+
"reason": "Adapter scope, route files, inferred route declarations, skipped paths, and not-verified runtime-dependent route classes were recorded."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills route-trace /workspace/example-project",
|
|
27
|
+
"family": "route-trace-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-02T10:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-02T10:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render a static route-trace report.",
|
|
36
|
+
"outputSummary": "Found Next.js API route files and inferred Express route declarations without runtime checks."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [],
|
|
40
|
+
"findings": [
|
|
41
|
+
{
|
|
42
|
+
"summary": "Verified route files and inferred route declarations were identified from static files only.",
|
|
43
|
+
"evidence": ["app/api/users/route.ts", "server/routes.ts"]
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
"risks": [],
|
|
47
|
+
"failures": [],
|
|
48
|
+
"unresolvedQuestions": [],
|
|
49
|
+
"changedState": {
|
|
50
|
+
"changed": false,
|
|
51
|
+
"summary": "No project, Git, dependency, runtime, service, or remote state changed."
|
|
52
|
+
},
|
|
53
|
+
"handoffSummary": "Static route surfaces are mapped with runtime-dependent areas explicitly not verified.",
|
|
54
|
+
"recommendedNextAction": "Review the relevant verified route file before editing."
|
|
55
|
+
}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "route-trace",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/route-trace.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/route-trace/adapter-interface.md",
|
|
13
|
+
"description": "Trace static route surfaces without executing project code."
|
|
14
|
+
}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# Route Trace Workflow
|
|
2
|
+
|
|
3
|
+
Use `route-trace` when the route surface must be understood from static files before
|
|
4
|
+
editing or review.
|
|
5
|
+
|
|
6
|
+
```bash
|
|
7
|
+
coding-agent-skills route-trace /path/to/project
|
|
8
|
+
```
|
|
9
|
+
|
|
10
|
+
Expected evidence:
|
|
11
|
+
|
|
12
|
+
- validated adapter state when present
|
|
13
|
+
- adapter-limited or generic static scan scope
|
|
14
|
+
- verified route files
|
|
15
|
+
- inferred route declarations
|
|
16
|
+
- skipped paths and not-verified runtime-dependent route classes
|
|
17
|
+
- no state changes
|
|
18
|
+
|
|
19
|
+
Do not run servers, hit URLs, read `.env`, install packages, build, test, deploy, migrate,
|
|
20
|
+
or claim runtime availability from static route findings.
|
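--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "coding-agent-skills",
-"version": "0.2.
+"version": "0.2.9",
 "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
 "type": "module",
 "private": false,
@@ -9,6 +9,7 @@
 "coding-agent",
 "agent-skills",
 "repo-map",
+"route-trace",
 "project-adapters",
 "code-validation",
 "cli"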
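--- a/package/runs/skill-runs.md
+++ b/package/runs/skill-runs.md
@@ -160,3 +160,30 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
 - Validation result: pass pending final publication evidence
 - Commit/tag/push status: pending approved release workflow
 - Next state: no next runner command is queued after `v0.2.8`; future package releases, new skills, real adapter expansion, platform work, deployment/preflight skills, and release-policy changes require separate human approval
+
+
+## design-v0.2.9-route-trace
+
+- Run ID: `design-v0.2.9-route-trace`
+- Timestamp: `2026-07-03T00:00:00Z`
+- Command used: `manual approval for route-trace-skill implementation and release`
+- Permissions granted: `skill-implementation`, `test-hardening`, `docs-hardening`, `release-preflight`, `commit`, `push`, `tag`, `npm-publish`, `github-release`
+- Design summary: add `route-trace` as an audit-only static inspection skill and CLI command. It validates a project adapter when present, limits inspection to adapter-safe paths when available, skips ignored and secret-bearing paths, identifies visible route files and route declarations without executing project code, and labels findings as verified route files, inferred route patterns, skipped items, or not verified.
+- Supported static surfaces: Next.js `app/` and `pages/` routes, API route files, React Router-style declarations, Express/Fastify/Hono-style route registrations, route config files, and adapter-declared safe paths.
+- Safety scope: no `.env` reads, no target-project builds/tests/dev servers, no runtime URL probing, no app-code execution, no package installation, no deployments, no migrations, no database inspection, no process/service mutation, and no runtime truth claims.
+- Release target: `v0.2.9` / `coding-agent-skills@0.2.9`.
+
+
+## implementation-v0.2.9-route-trace
+
+- Run ID: `implementation-v0.2.9-route-trace`
+- Timestamp: `2026-07-03T00:00:00Z`
+- Command used: `resume interrupted route-trace-skill implementation and complete release loop`
+- Permissions granted: `skill-implementation`, `test-hardening`, `docs-hardening`, `release-preflight`, `commit`, `push`, `tag`, `npm-publish`, `github-release`
+- Files changed: `route-trace` skill, route-trace renderer and library, CLI wrapper, adapter schemas, pack rules, release tests, synthetic route fixtures, usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
+- Route-trace scope: audit-only static route tracing for verified route files, inferred route patterns, skipped paths, not-verified runtime route classes, and adapter-limited scope.
+- Safety scope: no target-project builds, tests, dev servers, package installs, app-code execution, URL probing, deployments, migrations, database inspection, secret-file reads, project writes, or runtime truth claims.
+- Validation commands: `git diff --check`; `bin/coding-agent-skills validate-pack`; `bin/coding-agent-skills validate-adapters tests/fixtures/external-adapters/valid-basic`; `bin/coding-agent-skills validate-project /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills repo-map /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills route-trace tests/fixtures/route-trace/static-project`; `bin/coding-agent-skills route-trace /home/oneclickwebsitedesignfactory/tax-lien-platform`; `node scripts/validate-pack.mjs .`; `node scripts/test-pack.mjs`; `node scripts/validate-maintainer-loop.mjs .`; `node --test`; JSON parsing; package secret scan; npm publish dry-run; tarball install smoke.
+- Validation result: pass pending final commit, tag, publication, registry smoke, npm exec, and GitHub Release evidence.
+- Real project smoke: `/home/oneclickwebsitedesignfactory/tax-lien-platform` remained repo-map-only for adapters, so route-trace reported `partial` and did not read target project route files.
+- Commit/tag/push status: pending approved release workflow.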
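Review bot: The "Validation commands" and "Real project smoke" entries added at new lines 186 and 188 write an absolute home-directory path, `/home/oneclickwebsitedesignfactory/tax-lien-platform`, into a run log that ships inside the published package, while the hunk header text says entries must not contain secrets. The path is not a credential, but it discloses a local account name and the name of a non-fixture project to every consumer of the package. I would replace it in both entries with a neutral placeholder such as `<real-project-path>`. The "package secret scan" named in the same entry could also be extended to reject absolute home paths, so the log stays clean on later runs.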
@@ -65,6 +65,7 @@
|
|
|
65
65
|
"type": "string",
|
|
66
66
|
"enum": [
|
|
67
67
|
"repo-map",
|
|
68
|
+
"route-trace",
|
|
68
69
|
"build-verify",
|
|
69
70
|
"git-preflight",
|
|
70
71
|
"runtime-truth",
|
|
@@ -96,9 +97,10 @@
|
|
|
96
97
|
"items": {
|
|
97
98
|
"type": "string",
|
|
98
99
|
"enum": [
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
100
|
+
"repo-map",
|
|
101
|
+
"route-trace",
|
|
102
|
+
"build-verify",
|
|
103
|
+
"git-preflight",
|
|
102
104
|
"runtime-truth",
|
|
103
105
|
"llm-drift-control"
|
|
104
106
|
]
|
|
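Review bot: The skill-name list is written out in full at both enums touched here (the hunks at old lines 65 and 96), and the two hunks that follow show the same names twice more in what appears to be the second adapter schema, so admitting `route-trace` took four separate edits. As far as the visible lines show the lists are meant to agree, so a copy missed in a later release would let one part of adapter validation accept a skill that another part rejects. If the schema draft in use supports it, I would define the list once under `$defs` and reference it at each site, for example `"$ref": "#/$defs/skillName"` (the name is only a suggestion). The enclosing schema objects start and end outside these hunks, so the property names involved are not visible here.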
@@ -89,6 +89,7 @@
|
|
|
89
89
|
"type": "string",
|
|
90
90
|
"enum": [
|
|
91
91
|
"repo-map",
|
|
92
|
+
"route-trace",
|
|
92
93
|
"build-verify",
|
|
93
94
|
"git-preflight",
|
|
94
95
|
"runtime-truth",
|
|
@@ -165,6 +166,7 @@
|
|
|
165
166
|
"type": "string",
|
|
166
167
|
"enum": [
|
|
167
168
|
"repo-map",
|
|
169
|
+
"route-trace",
|
|
168
170
|
"build-verify",
|
|
169
171
|
"git-preflight",
|
|
170
172
|
"runtime-truth",
|