coding-agent-skills 0.2.8 → 0.2.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54) hide show
  1. package/CHANGELOG.md +19 -0
  2. package/README.md +4 -0
  3. package/ROADMAP.md +6 -3
  4. package/bin/coding-agent-skills +8 -1
  5. package/docs/adapters/README.md +17 -0
  6. package/docs/adapters/project-installation.md +14 -1
  7. package/docs/adapters/real-project-adoption.md +2 -2
  8. package/docs/architecture/README.md +4 -1
  9. package/docs/release/README.md +10 -8
  10. package/docs/release/npm-package.md +7 -4
  11. package/docs/safety/README.md +5 -1
  12. package/docs/testing/README.md +8 -0
  13. package/docs/usage/README.md +13 -5
  14. package/examples/command-policies/route-trace.json +72 -0
  15. package/examples/evidence-packs/route-trace.json +55 -0
  16. package/examples/manifests/route-trace.json +14 -0
  17. package/examples/workflows/route-trace.md +20 -0
  18. package/package.json +2 -1
  19. package/runs/skill-runs.md +27 -0
  20. package/schemas/project-adapter-installation.schema.json +5 -3
  21. package/schemas/project-adapter.schema.json +2 -0
  22. package/scripts/lib/pack-rules.mjs +11 -2
  23. package/scripts/lib/route-trace.mjs +785 -0
  24. package/scripts/render-route-trace.mjs +8 -0
  25. package/scripts/test-pack.mjs +89 -1
  26. package/scripts/validate-pack.mjs +5 -2
  27. package/skills/route-trace/SKILL.md +58 -0
  28. package/skills/route-trace/adapter-interface.md +20 -0
  29. package/skills/route-trace/agents/openai.yaml +4 -0
  30. package/skills/route-trace/checklist.md +11 -0
  31. package/skills/route-trace/evidence-template.md +18 -0
  32. package/skills/route-trace/examples.md +32 -0
  33. package/skills/route-trace/failure-modes.md +9 -0
  34. package/tests/fixtures/route-trace/adapter-project/.coding-agent/adapters/route-trace-fixture/adapter.json +59 -0
  35. package/tests/fixtures/route-trace/adapter-project/.coding-agent/skills.json +23 -0
  36. package/tests/fixtures/route-trace/adapter-project/README.md +3 -0
  37. package/tests/fixtures/route-trace/adapter-project/app/api/items/route.ts +3 -0
  38. package/tests/fixtures/route-trace/adapter-project/package.json +5 -0
  39. package/tests/fixtures/route-trace/adapter-project/pages/index.tsx +3 -0
  40. package/tests/fixtures/route-trace/adapter-project/src/routes.ts +3 -0
  41. package/tests/fixtures/route-trace/static-project/.env.example +1 -0
  42. package/tests/fixtures/route-trace/static-project/README.md +3 -0
  43. package/tests/fixtures/route-trace/static-project/app/api/users/route.ts +3 -0
  44. package/tests/fixtures/route-trace/static-project/app/blog/[slug]/page.tsx +3 -0
  45. package/tests/fixtures/route-trace/static-project/app/page.tsx +3 -0
  46. package/tests/fixtures/route-trace/static-project/package.json +5 -0
  47. package/tests/fixtures/route-trace/static-project/pages/about.tsx +3 -0
  48. package/tests/fixtures/route-trace/static-project/pages/api/hello.ts +3 -0
  49. package/tests/fixtures/route-trace/static-project/server/routes.ts +4 -0
  50. package/tests/fixtures/route-trace/static-project/src/route-config.ts +4 -0
  51. package/tests/fixtures/route-trace/static-project/src/router.tsx +10 -0
  52. package/tests/fixtures/triggers/cases.json +13 -1
  53. package/tests/trigger/README.md +1 -0
  54. package/work-ledger.md +19 -7
@@ -0,0 +1,8 @@
1
+ import { routeTraceCliResult } from "./lib/route-trace.mjs";
2
+
3
+ const outcome = routeTraceCliResult(process.argv[2]);
4
+ for (const line of outcome.lines) {
5
+ if (outcome.stream === "stdout") console.log(line);
6
+ else console.error(line);
7
+ }
8
+ process.exitCode = outcome.exitCode;
@@ -42,6 +42,11 @@ import {
42
42
  buildAdapterRepoMapReport,
43
43
  renderAdapterRepoMapReport,
44
44
  } from "./lib/adapter-repo-map.mjs";
45
+ import {
46
+ buildRouteTraceReport,
47
+ renderRouteTraceReport,
48
+ routeTraceCliResult,
49
+ } from "./lib/route-trace.mjs";
45
50
  import {
46
51
  adapterUpgradeCliResult,
47
52
  checkAdapterUpgrade,
@@ -256,6 +261,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
256
261
  assert.ok(cliText.includes("scripts/validate-pack.mjs"));
257
262
  assert.ok(cliText.includes("scripts/validate-project-adapters.mjs"));
258
263
  assert.ok(cliText.includes("scripts/render-adapter-repo-map.mjs"));
264
+ assert.ok(cliText.includes("scripts/render-route-trace.mjs"));
259
265
  assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
260
266
  assert.ok(!cliText.includes(".env"));
261
267
 
@@ -277,6 +283,10 @@ test("local CLI maps approved commands to existing safe scripts", () => {
277
283
  ["repo-map", path.join(fixtureRoot, "project-adapter-installation", "valid-exact-pin")],
278
284
  /# Adapter-Aware Repo Map/,
279
285
  ],
286
+ [
287
+ ["route-trace", path.join(fixtureRoot, "route-trace", "static-project")],
288
+ /# Route Trace Report/,
289
+ ],
280
290
  ];
281
291
 
282
292
  for (const [args, expected] of commands) {
@@ -301,7 +311,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
301
311
  test("npm package metadata is public-ready and dependency-free", () => {
302
312
  const packageJson = readJson("package.json");
303
313
  assert.equal(packageJson.name, "coding-agent-skills");
304
- assert.equal(packageJson.version, "0.2.8");
314
+ assert.equal(packageJson.version, "0.2.9");
305
315
  assert.equal(
306
316
  packageJson.description,
307
317
  "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -313,6 +323,7 @@ test("npm package metadata is public-ready and dependency-free", () => {
313
323
  "coding-agent",
314
324
  "agent-skills",
315
325
  "repo-map",
326
+ "route-trace",
316
327
  "project-adapters",
317
328
  "code-validation",
318
329
  "cli",
@@ -363,6 +374,83 @@ test("npm package metadata is public-ready and dependency-free", () => {
363
374
  assert.match(read("docs/release/npm-package.md"), /npm install -g coding-agent-skills/);
364
375
  });
365
376
 
377
+ test("route-trace renderer identifies static route files and inferred patterns", () => {
378
+ const result = buildRouteTraceReport(
379
+ path.join(root, "tests", "fixtures", "route-trace", "static-project"),
380
+ { coreRoot: root },
381
+ );
382
+ assert.equal(result.ok, true);
383
+ assert.equal(result.status, "complete");
384
+ assert.equal(result.adapter.present, false);
385
+ assert.ok(
386
+ result.verifiedRouteFiles.some(
387
+ (record) => record.route === "/api/users" && record.file === "app/api/users/route.ts",
388
+ ),
389
+ );
390
+ assert.ok(
391
+ result.verifiedRouteFiles.some(
392
+ (record) => record.route === "/blog/[slug]" && record.file === "app/blog/[slug]/page.tsx",
393
+ ),
394
+ );
395
+ assert.ok(
396
+ result.verifiedRouteFiles.some(
397
+ (record) => record.route === "/api/hello" && record.file === "pages/api/hello.ts",
398
+ ),
399
+ );
400
+ assert.ok(
401
+ result.inferredRoutePatterns.some(
402
+ (record) => record.route === "/dashboard" && record.kind === "react-router-route-declaration",
403
+ ),
404
+ );
405
+ assert.ok(
406
+ result.inferredRoutePatterns.some(
407
+ (record) => record.route === "/health" && record.method === "GET",
408
+ ),
409
+ );
410
+ assert.ok(result.notVerified.includes("runtime-generated routes"));
411
+ assert.ok(renderRouteTraceReport(result).includes("No target project build"));
412
+ });
413
+
414
+ test("route-trace renderer respects adapter-declared scope", () => {
415
+ const result = buildRouteTraceReport(
416
+ path.join(root, "tests", "fixtures", "route-trace", "adapter-project"),
417
+ { coreRoot: root },
418
+ );
419
+ assert.equal(result.ok, true);
420
+ assert.equal(result.status, "complete");
421
+ assert.equal(result.adapter.present, true);
422
+ assert.equal(result.adapter.enabled, true);
423
+ assert.deepEqual(result.adapter.scopePaths, ["app", "pages", "src"]);
424
+ assert.ok(
425
+ result.verifiedRouteFiles.some(
426
+ (record) => record.route === "/api/items" && record.file === "app/api/items/route.ts",
427
+ ),
428
+ );
429
+ assert.ok(
430
+ result.inferredRoutePatterns.some((record) => record.route === "/adapter-health"),
431
+ );
432
+
433
+ const cli = routeTraceCliResult(
434
+ path.join(root, "tests", "fixtures", "route-trace", "adapter-project"),
435
+ { coreRoot: root },
436
+ );
437
+ assert.equal(cli.exitCode, 0);
438
+ assert.match(cli.lines.join("\n"), /route-trace used adapter-declared safe read paths only/);
439
+ });
440
+
441
+ test("route-trace does not broaden a repo-map-only project adapter", () => {
442
+ const result = buildRouteTraceReport(
443
+ path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
444
+ { coreRoot: root },
445
+ );
446
+ assert.equal(result.ok, true);
447
+ assert.equal(result.status, "partial");
448
+ assert.equal(result.adapter.present, true);
449
+ assert.equal(result.adapter.enabled, false);
450
+ assert.deepEqual(result.scannedFiles, []);
451
+ assert.match(renderRouteTraceReport(result), /route-trace is not enabled/);
452
+ });
453
+
366
454
  test("validate-pack accepts installed package trees without source-only gitignore", () => {
367
455
  const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
368
456
  const installedRoot = path.join(temporaryRoot, "coding-agent-skills");
@@ -95,11 +95,13 @@ const requiredRootFiles = [
95
95
  "scripts/verify-evidence-bundle.mjs",
96
96
  "scripts/render-evidence-archive-report.mjs",
97
97
  "scripts/render-adapter-repo-map.mjs",
98
+ "scripts/render-route-trace.mjs",
98
99
  "scripts/check-adapter-upgrade.mjs",
99
100
  "scripts/check-adapter-upgrade-chain.mjs",
100
101
  "scripts/validate-adapters.mjs",
101
102
  "scripts/validate-project-adapters.mjs",
102
103
  "scripts/lib/adapter-repo-map.mjs",
104
+ "scripts/lib/route-trace.mjs",
103
105
  "scripts/lib/adapter-upgrade.mjs",
104
106
  "scripts/lib/adapter-upgrade-chain.mjs",
105
107
  "scripts/lib/adapter-discovery.mjs",
@@ -673,8 +675,8 @@ if (packageJson) {
673
675
  if (packageJson.name !== "coding-agent-skills") {
674
676
  failures.push("package.json has unexpected package name");
675
677
  }
676
- if (packageJson.version !== "0.2.8") {
677
- failures.push("package.json version must be 0.2.8 for public package validation");
678
+ if (packageJson.version !== "0.2.9") {
679
+ failures.push("package.json version must be 0.2.9 for public package validation");
678
680
  }
679
681
  if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
680
682
  if (packageJson.private !== false) {
@@ -692,6 +694,7 @@ if (packageJson) {
692
694
  "coding-agent",
693
695
  "agent-skills",
694
696
  "repo-map",
697
+ "route-trace",
695
698
  "project-adapters",
696
699
  "code-validation",
697
700
  "cli",
@@ -0,0 +1,58 @@
1
+ ---
2
+ name: route-trace
3
+ description: Trace statically visible application route surfaces without executing project code or changing state. Use when Codex must identify Next.js, API, React Router, Express/Fastify/Hono, or route-config surfaces from files before editing, reviewing, or planning route work; do not use for runtime URL probing, server execution, builds, tests, deployment checks, migrations, or runtime truth claims.
4
+ ---
5
+
6
+ # Route Trace
7
+
8
+ Identify route surfaces from static project files and emit an evidence-backed report. Remain audit-only and fail closed when route evidence would require execution or secret-bearing configuration.
9
+
10
+ This skill must not change project files, Git state, dependencies, runtime state, services,
11
+ databases, remotes, or deployment state.
12
+
13
+ ## Purpose And Use
14
+
15
+ Use this skill to locate and classify statically visible routes before changing application code, reviewing API surfaces, or planning route-level work. It can identify verified route files and inferred route declarations, but it must not claim that a route works at runtime.
16
+
17
+ Do not use this skill for live endpoint checks, server startup, browser tests, build verification, deployment readiness, migrations, database inspection, or secret auditing.
18
+
19
+ ## Inputs
20
+
21
+ Require a project root or starting path. Optionally accept a project adapter, intended route area, maximum static scan depth, or named route framework to prioritize.
22
+
23
+ Do not assume every route is statically discoverable, every route file is reachable in production, framework conventions are current, an adapter covers all route surfaces, or documentation route lists are authoritative.
24
+
25
+ ## Procedure
26
+
27
+ 1. Record user intent, project root, declared scope, adapter state, and safety boundary.
28
+ 2. Validate a project adapter when present before reading adapter-declared metadata.
29
+ 3. If an adapter is present but does not enable `route-trace`, stop static file reading and report the adapter-limited skip.
30
+ 4. Build the scan scope from adapter safe read paths when available; otherwise use a bounded generic static scan.
31
+ 5. Apply ignored paths and secret-file exclusions before reading any file.
32
+ 6. Identify verified route files from static conventions such as Next.js `app/` and `pages/` route files.
33
+ 7. Identify inferred route patterns from visible declarations such as React Router paths, Express/Fastify/Hono registrations, and route config objects.
34
+ 8. Label every finding as verified, inferred, skipped, not verified, or adapter-limited.
35
+ 9. Report skipped files, unverified runtime-dependent areas, branch state warnings, and safety refusals.
36
+ 10. Emit the shared evidence pack or route-trace report before claiming completion.
37
+
38
+ Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md), [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings with [evidence-template.md](evidence-template.md).
39
+
40
+ ## Evidence, Recovery, And Dependencies
41
+
42
+ Emit repository identity, adapter state, scan scope, ignored paths, verified route files, inferred route patterns, skipped items, not-verified route classes, warnings, and changed-state declaration through the shared evidence-pack contract.
43
+
44
+ Recover from missing adapters, unsupported frameworks, unreadable files, or ambiguous route declarations by narrowing scope and reporting uncertainty. Never recover by installing dependencies, running app code, starting servers, hitting URLs, broadening adapter scope, reading `.env`, or mutating files.
45
+
46
+ This skill depends on the evidence-pack contract and may consume validated project adapters. Adapters may add safe paths, ignored paths, documentation precedence, and evidence requirements, but cannot weaken policy or turn this skill into runtime verification.
47
+
48
+ ## Approval Boundary
49
+
50
+ Explicit approval may permit one named non-secret static file read outside normal route paths. Approval does not permit package installation, builds, tests, runtime checks, server startup, URL probing, database inspection, migrations, deployments, Git mutation, or secret-file reads.
51
+
52
+ ## Completion
53
+
54
+ Claim `complete` only when the declared static scan scope was inspected, route findings are labeled by evidence type, skipped and not-verified areas are recorded with consequences, adapter limitations are explicit, and no project, Git, dependency, runtime, service, or remote state changed.
55
+
56
+ Report `partial`, `failed`, or `blocked` when adapter scope prevents route scanning, route evidence requires execution, the project root cannot be established, or safety exclusions prevent a requested conclusion. Never claim runtime availability or route correctness from static findings alone.
57
+
58
+ These conditions are both the acceptance criteria and definition of done.
@@ -0,0 +1,20 @@
1
+ # Route Trace Adapter Interface
2
+
3
+ Project adapters may enable `route-trace` only as an audit-only static inspection skill.
4
+
5
+ Adapters may provide:
6
+
7
+ - `safeReadPaths` for route-bearing source and route config files.
8
+ - `ignoredPaths` for generated output, dependency folders, and non-route surfaces.
9
+ - `documentationPrecedence` for route documentation that should be reviewed separately.
10
+ - `requiredEvidence` such as route files inspected, adapter scope, skipped paths, and not-verified runtime classes.
11
+ - `expectedPackageManagers` as metadata only.
12
+
13
+ Adapters must not:
14
+
15
+ - Add commands for `route-trace`.
16
+ - Permit builds, tests, package installs, server startup, URL probing, deployment, migration, database inspection, or secret reads.
17
+ - Remove inherited restrictions.
18
+ - Change `route-trace` from `audit-only` to action-capable.
19
+ - Expand scanning outside the declared project root without named approval.
20
+ - Suppress skipped checks, warnings, uncertainty, or completion requirements.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "Route Trace"
3
+ short_description: "Trace static route surfaces without changing the project"
4
+ default_prompt: "Trace the statically visible route surfaces in this repository without modifying project, runtime, dependency, or external state."
@@ -0,0 +1,11 @@
1
+ # Route Trace Checklist
2
+
3
+ - Confirm project root and declared scope.
4
+ - Validate any project adapter before consuming adapter metadata.
5
+ - If the adapter is present but does not enable `route-trace`, stop and report the adapter-limited skip.
6
+ - Build a bounded static scan scope from adapter safe paths or generic repository-local defaults.
7
+ - Exclude `.env`, secret-bearing files, generated output, dependencies, and ignored paths.
8
+ - Identify verified route files separately from inferred route declarations.
9
+ - Record skipped paths and not-verified runtime-dependent route classes.
10
+ - State that no server, build, test, runtime check, deployment, migration, package install, or secret read was performed.
11
+ - Emit an evidence pack or route-trace report before claiming completion.
@@ -0,0 +1,18 @@
1
+ # Route Trace Evidence Template
2
+
3
+ Use the shared evidence-pack contract and include:
4
+
5
+ - Skill: `route-trace`
6
+ - Repository root, branch, HEAD, and working-tree state
7
+ - User intent and declared route scope
8
+ - Project adapter ID or `null`
9
+ - Static scan scope and ignored paths
10
+ - Verified route files with file paths and route patterns
11
+ - Inferred route declarations with evidence file paths
12
+ - Skipped paths with reasons and consequences
13
+ - Not-verified runtime-dependent route classes
14
+ - Safety refusals
15
+ - Changed state: `false`
16
+ - Recommended next action
17
+
18
+ Completion requires evidence for both findings and boundaries. A static route trace is not runtime truth.
@@ -0,0 +1,32 @@
1
+ # Route Trace Examples
2
+
3
+ ## Safe
4
+
5
+ - Inspect a repository for statically visible Next.js `app/` and `pages/` routes.
6
+ - Trace route declarations in React Router config without running the app.
7
+ - Identify Express, Fastify, or Hono-style route registrations from visible source files.
8
+ - Report that a project adapter prevents route scanning because `route-trace` is not enabled.
9
+
10
+ ## Unsafe
11
+
12
+ - Start a dev server to see which URLs respond.
13
+ - Run browser tests or fetch live endpoints.
14
+ - Read `.env` to determine route prefixes.
15
+ - Run migrations, seed databases, deploy, or inspect production infrastructure.
16
+ - Claim that a static route finding proves runtime availability.
17
+
18
+ ## Example Output Shape
19
+
20
+ ```text
21
+ # Route Trace Report
22
+ Status: complete
23
+
24
+ ## Verified Route Files
25
+ - /api/users (next-app-api-route-file) in app/api/users/route.ts
26
+
27
+ ## Inferred Route Patterns
28
+ - GET /health (express-style-route-registration) in server/routes.ts
29
+
30
+ ## Not Verified
31
+ - runtime-generated routes
32
+ ```
@@ -0,0 +1,9 @@
1
+ # Route Trace Failure Modes
2
+
3
+ - **No project root**: stop with `failed`; do not search outside the declared scope.
4
+ - **Malformed adapter**: stop with adapter validation failure; do not fall back to broader scanning.
5
+ - **Adapter present but not enabled**: report `partial` with adapter-limited scope and no target-file reads.
6
+ - **Unreadable or large files**: skip and record the consequence.
7
+ - **Secret-bearing path**: skip; do not request contents unless the user gives a named-file approval and the file is non-secret.
8
+ - **Runtime-dependent routing**: mark as not verified instead of running the app.
9
+ - **Ambiguous route declaration**: label as inferred or unresolved; do not upgrade it to verified.
@@ -0,0 +1,59 @@
1
+ {
2
+ "adapterId": "route-trace-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "route-trace-fixture",
6
+ "detection": {
7
+ "rootMarkers": [{"kind": "file", "path": "package.json"}],
8
+ "maximumDepth": 2,
9
+ "scope": "declared-project-root",
10
+ "requireApprovalOutsideScope": true
11
+ }
12
+ },
13
+ "supportedSkills": [
14
+ {
15
+ "id": "route-trace",
16
+ "compatibleVersions": ["0.2.x"],
17
+ "declaredMode": "audit-only"
18
+ }
19
+ ],
20
+ "extensions": {
21
+ "safeReadPaths": ["app", "pages", "src"],
22
+ "ignoredPaths": ["dist", "build", "node_modules"],
23
+ "documentationPrecedence": ["README.md"],
24
+ "commandAliases": [],
25
+ "safeStatusCommands": [],
26
+ "requiredEvidence": [
27
+ "adapter scope",
28
+ "verified route files",
29
+ "inferred route patterns",
30
+ "skipped route paths",
31
+ "not-verified runtime classes"
32
+ ],
33
+ "expectedRuntimeManagers": [],
34
+ "expectedPackageManagers": ["npm"]
35
+ },
36
+ "approvalRequirements": [],
37
+ "inheritance": {
38
+ "sharedRestrictions": "required",
39
+ "deniedOperationCategories": [
40
+ "file-write",
41
+ "package-install",
42
+ "deployment",
43
+ "git-mutation",
44
+ "unrestricted-scan",
45
+ "secret-read",
46
+ "process-mutation",
47
+ "service-mutation",
48
+ "migration-apply",
49
+ "privileged-api"
50
+ ],
51
+ "allowRestrictionRemoval": false,
52
+ "allowModeOverride": false,
53
+ "allowFailureSuppression": false,
54
+ "allowCompletionOverride": false,
55
+ "allowSecretExposure": false,
56
+ "allowRequiredEvidenceRemoval": false,
57
+ "allowScopeExpansionWithoutApproval": false
58
+ }
59
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "route-trace-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["route-trace"],
12
+ "adapters": [
13
+ {
14
+ "id": "route-trace-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["route-trace"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": "validation-output/route-trace.json",
21
+ "approvalPolicyReference": "docs/coding-agent-approval-policy.md",
22
+ "noSecrets": true
23
+ }
@@ -0,0 +1,3 @@
1
+ # Route Trace Adapter Fixture
2
+
3
+ Synthetic adapter-scoped route tracing fixture.
@@ -0,0 +1,3 @@
1
+ export async function GET() {
2
+ return Response.json({ items: [] });
3
+ }
@@ -0,0 +1,5 @@
1
+ {
2
+ "name": "route-trace-adapter-fixture",
3
+ "private": true,
4
+ "type": "module"
5
+ }
@@ -0,0 +1,3 @@
1
+ export default function IndexPage() {
2
+ return <main>Index</main>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export function register(app) {
2
+ app.get("/adapter-health", () => ({ ok: true }));
3
+ }
@@ -0,0 +1 @@
1
+ PUBLIC_EXAMPLE=value
@@ -0,0 +1,3 @@
1
+ # Route Trace Static Fixture
2
+
3
+ Synthetic fixture for static route tracing. It is not an installable project.
@@ -0,0 +1,3 @@
1
+ export async function GET() {
2
+ return Response.json({ ok: true });
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function BlogPostPage() {
2
+ return <article>Post</article>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function HomePage() {
2
+ return <main>Home</main>;
3
+ }
@@ -0,0 +1,5 @@
1
+ {
2
+ "name": "route-trace-static-fixture",
3
+ "private": true,
4
+ "type": "module"
5
+ }
@@ -0,0 +1,3 @@
1
+ export default function AboutPage() {
2
+ return <main>About</main>;
3
+ }
@@ -0,0 +1,3 @@
1
+ export default function handler(_request, response) {
2
+ response.status(200).json({ ok: true });
3
+ }
@@ -0,0 +1,4 @@
1
+ export function registerRoutes(app) {
2
+ app.get("/health", () => ({ ok: true }));
3
+ app.post("/api/widgets", () => ({ ok: true }));
4
+ }
@@ -0,0 +1,4 @@
1
+ export const routes = [
2
+ { path: "/reports" },
3
+ { path: "/reports/:id" },
4
+ ];
@@ -0,0 +1,10 @@
1
+ import { Route } from "react-router-dom";
2
+
3
+ export function Routes() {
4
+ return (
5
+ <>
6
+ <Route path="/dashboard" element={null} />
7
+ <Route path="/settings/profile" element={null} />
8
+ </>
9
+ );
10
+ }
@@ -19,6 +19,18 @@
19
19
  "expectedSkill": "repo-map",
20
20
  "notSkills": ["llm-drift-control"]
21
21
  },
22
+ {
23
+ "id": "route-trace-static-routes",
24
+ "prompt": "Trace the static route surface and identify Next.js API route files before I edit a handler.",
25
+ "expectedSkill": "route-trace",
26
+ "notSkills": ["repo-map", "runtime-truth"]
27
+ },
28
+ {
29
+ "id": "route-trace-express",
30
+ "prompt": "Find the Express routes and React Router paths that are statically visible without running the app.",
31
+ "expectedSkill": "route-trace",
32
+ "notSkills": ["build-verify", "runtime-truth"]
33
+ },
22
34
  {
23
35
  "id": "build-after-implementation",
24
36
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -71,7 +83,7 @@
71
83
  "id": "negative-deploy",
72
84
  "prompt": "Deploy this application to production.",
73
85
  "expectedSkill": null,
74
- "notSkills": ["repo-map", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
86
+ "notSkills": ["repo-map", "route-trace", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
75
87
  },
76
88
  {
77
89
  "id": "negative-install",
@@ -3,6 +3,7 @@
3
3
  `tests/fixtures/triggers/cases.json` provides executable positive, negative, and wrong-skill cases for every pilot skill.
4
4
 
5
5
  - Repository orientation must trigger `repo-map`, not build or runtime validation.
6
+ - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
6
7
  - Local validation must trigger `build-verify` only when project-native checks are requested.
7
8
  - Git readiness must trigger `git-preflight`, not publication.
8
9
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.
package/work-ledger.md CHANGED
@@ -4,24 +4,25 @@
4
4
 
5
5
  - Repository: `coding-agent-skills`
6
6
  - Branch: `main`
7
- - Pilot skills: `repo-map`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
7
+ - Pilot skills: `repo-map`, `route-trace`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
8
8
  - Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
9
9
  - Real-project adapter adoption readiness is documented as a planning-only approval gate.
10
10
  - First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
11
11
  - The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
12
12
  - The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
13
- - Public npm package release `v0.2.8` exposes the existing dependency-free
13
+ - Public npm package release `v0.2.9` exposes the dependency-free
14
14
  `coding-agent-skills` CLI under MIT license.
15
- - New skills are not approved.
15
+ - `route-trace` is implemented as an audit-only static route tracing skill. Additional new
16
+ skills are not approved.
16
17
 
17
18
  ## Last Completed Version
18
19
 
19
- `v0.2.8`
20
+ `v0.2.9`
20
21
 
21
22
  ## Current Recommended Milestone
22
23
 
23
- The public npm release is complete for the existing CLI surface. No further real
24
- adapters, adapter expansion, new skills, platform skills, deployment/preflight work,
24
+ The `route-trace` public npm release is complete for the approved CLI surface. No further
25
+ real adapters, adapter expansion, new skills, platform skills, deployment/preflight work,
25
26
  signing infrastructure, or evidence-harness milestone is approved.
26
27
 
27
28
  ## Allowed Next Actions
@@ -40,7 +41,7 @@ signing infrastructure, or evidence-harness milestone is approved.
40
41
 
41
42
  ## Blocked Actions
42
43
 
43
- - Adding new skills.
44
+ - Adding more new skills.
44
45
  - Creating real project adapters.
45
46
  - Modifying real project repositories.
46
47
  - Publishing release artifacts without explicit approval.
@@ -105,6 +106,17 @@ No autonomous maintainer-loop run has been recorded yet.
105
106
  skills require separate human approval.
106
107
 
107
108
 
109
+ ### 2026-07-03T00:00:00Z
110
+
111
+ - Latest tag observed: `v0.2.8`
112
+ - Implemented milestone: `route-trace` audit-only static route tracing skill and CLI command.
113
+ - Required permission: `skill-implementation`
114
+ - Validation result: pass pending final publication evidence
115
+ - Next recommended milestone: no next runner command is queued; future real adapter
116
+ expansion, new skills, platform work, deployment/preflight skills, and release-policy
117
+ changes require separate human approval.
118
+
119
+
108
120
  ### 2026-06-15T21:02:34.116Z
109
121
 
110
122
  - Latest tag observed: `v0.2.0`