coding-agent-skills 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (357) hide show
  1. package/AGENTS.md +44 -0
  2. package/CHANGELOG.md +205 -0
  3. package/CONTRIBUTING.md +54 -0
  4. package/LICENSE +21 -0
  5. package/README.md +85 -0
  6. package/ROADMAP.md +87 -0
  7. package/RUNBOOK.md +47 -0
  8. package/bin/coding-agent-skills +75 -0
  9. package/contracts/evidence-pack/README.md +22 -0
  10. package/contracts/evidence-pack/evidence-pack.example.json +60 -0
  11. package/contracts/evidence-pack/evidence-pack.example.md +49 -0
  12. package/contracts/evidence-pack/evidence-pack.schema.json +156 -0
  13. package/docs/adapters/README.md +82 -0
  14. package/docs/adapters/discovery.md +50 -0
  15. package/docs/adapters/external-adapters.md +42 -0
  16. package/docs/adapters/project-installation.md +135 -0
  17. package/docs/adapters/real-project-adoption.md +193 -0
  18. package/docs/adapters/upgrade-evidence.md +67 -0
  19. package/docs/adapters/upgrades.md +83 -0
  20. package/docs/architecture/README.md +23 -0
  21. package/docs/authoring/README.md +54 -0
  22. package/docs/evidence-bundles/README.md +94 -0
  23. package/docs/privacy/README.md +26 -0
  24. package/docs/release/README.md +42 -0
  25. package/docs/release/npm-package.md +85 -0
  26. package/docs/safety/README.md +94 -0
  27. package/docs/testing/README.md +100 -0
  28. package/docs/usage/README.md +89 -0
  29. package/docs/versioning/README.md +30 -0
  30. package/docs/versioning/adapter-compatibility.md +54 -0
  31. package/examples/README.md +12 -0
  32. package/examples/adapters/README.md +9 -0
  33. package/examples/adapters/documentation-precedence.json +62 -0
  34. package/examples/adapters/narrow-repo-map.json +64 -0
  35. package/examples/adapters/runtime-status-hints.json +76 -0
  36. package/examples/command-policies/README.md +3 -0
  37. package/examples/command-policies/build-verify.json +57 -0
  38. package/examples/command-policies/git-preflight.json +44 -0
  39. package/examples/command-policies/llm-drift-control.json +45 -0
  40. package/examples/command-policies/repo-map.json +59 -0
  41. package/examples/command-policies/runtime-truth.json +59 -0
  42. package/examples/evidence-packs/README.md +3 -0
  43. package/examples/evidence-packs/build-verify.json +68 -0
  44. package/examples/evidence-packs/git-preflight.json +55 -0
  45. package/examples/evidence-packs/llm-drift-control.json +55 -0
  46. package/examples/evidence-packs/repo-map.json +55 -0
  47. package/examples/evidence-packs/runtime-truth.json +55 -0
  48. package/examples/manifests/README.md +3 -0
  49. package/examples/manifests/build-verify.json +14 -0
  50. package/examples/manifests/git-preflight.json +14 -0
  51. package/examples/manifests/llm-drift-control.json +14 -0
  52. package/examples/manifests/repo-map.json +14 -0
  53. package/examples/manifests/runtime-truth.json +14 -0
  54. package/examples/upgrade-evidence/README.md +14 -0
  55. package/examples/upgrade-evidence/chain-fail.evidence.json +155 -0
  56. package/examples/upgrade-evidence/chain-fail.evidence.md +14 -0
  57. package/examples/upgrade-evidence/chain-pass.evidence.json +156 -0
  58. package/examples/upgrade-evidence/stale-pin.evidence.json +117 -0
  59. package/examples/upgrade-evidence/unsafe-upgrade.evidence.json +128 -0
  60. package/examples/upgrade-evidence/valid-upgrade.evidence.json +105 -0
  61. package/examples/upgrade-evidence/valid-upgrade.evidence.md +13 -0
  62. package/examples/workflows/README.md +3 -0
  63. package/examples/workflows/build-verify.md +20 -0
  64. package/examples/workflows/git-preflight.md +18 -0
  65. package/examples/workflows/llm-drift-control.md +16 -0
  66. package/examples/workflows/repo-map.md +20 -0
  67. package/examples/workflows/runtime-truth.md +17 -0
  68. package/package.json +58 -0
  69. package/runs/skill-runs.md +162 -0
  70. package/schemas/adapter-upgrade-evidence.schema.json +443 -0
  71. package/schemas/archive-index.schema.json +174 -0
  72. package/schemas/archive-report.schema.json +322 -0
  73. package/schemas/command-policy.schema.json +125 -0
  74. package/schemas/evidence-bundle.schema.json +394 -0
  75. package/schemas/project-adapter-installation.schema.json +127 -0
  76. package/schemas/project-adapter.schema.json +328 -0
  77. package/schemas/skill-manifest.schema.json +40 -0
  78. package/scripts/check-adapter-upgrade-chain.mjs +32 -0
  79. package/scripts/check-adapter-upgrade.mjs +31 -0
  80. package/scripts/lib/adapter-discovery.mjs +441 -0
  81. package/scripts/lib/adapter-repo-map.mjs +358 -0
  82. package/scripts/lib/adapter-upgrade-chain.mjs +261 -0
  83. package/scripts/lib/adapter-upgrade.mjs +434 -0
  84. package/scripts/lib/evidence-bundle.mjs +831 -0
  85. package/scripts/lib/pack-rules.mjs +704 -0
  86. package/scripts/lib/project-adapter-installation.mjs +327 -0
  87. package/scripts/lib/safe-evidence-output.mjs +92 -0
  88. package/scripts/lib/schema-validator.mjs +146 -0
  89. package/scripts/lib/semver.mjs +54 -0
  90. package/scripts/lib/upgrade-evidence.mjs +276 -0
  91. package/scripts/render-adapter-repo-map.mjs +8 -0
  92. package/scripts/render-evidence-archive-report.mjs +18 -0
  93. package/scripts/run-next +220 -0
  94. package/scripts/test-pack.mjs +2232 -0
  95. package/scripts/validate-adapters.mjs +10 -0
  96. package/scripts/validate-maintainer-loop.mjs +146 -0
  97. package/scripts/validate-pack.mjs +950 -0
  98. package/scripts/validate-project-adapters.mjs +8 -0
  99. package/scripts/verify-evidence-bundle.mjs +18 -0
  100. package/skills/build-verify/SKILL.md +62 -0
  101. package/skills/build-verify/adapter-interface.md +7 -0
  102. package/skills/build-verify/agents/openai.yaml +4 -0
  103. package/skills/build-verify/checklist.md +12 -0
  104. package/skills/build-verify/evidence-template.md +11 -0
  105. package/skills/build-verify/examples.md +16 -0
  106. package/skills/build-verify/failure-modes.md +14 -0
  107. package/skills/git-preflight/SKILL.md +65 -0
  108. package/skills/git-preflight/adapter-interface.md +7 -0
  109. package/skills/git-preflight/agents/openai.yaml +4 -0
  110. package/skills/git-preflight/checklist.md +11 -0
  111. package/skills/git-preflight/evidence-template.md +10 -0
  112. package/skills/git-preflight/examples.md +18 -0
  113. package/skills/git-preflight/failure-modes.md +13 -0
  114. package/skills/llm-drift-control/SKILL.md +67 -0
  115. package/skills/llm-drift-control/adapter-interface.md +7 -0
  116. package/skills/llm-drift-control/agents/openai.yaml +4 -0
  117. package/skills/llm-drift-control/checklist.md +11 -0
  118. package/skills/llm-drift-control/evidence-template.md +13 -0
  119. package/skills/llm-drift-control/examples.md +15 -0
  120. package/skills/llm-drift-control/failure-modes.md +13 -0
  121. package/skills/repo-map/SKILL.md +71 -0
  122. package/skills/repo-map/adapter-interface.md +18 -0
  123. package/skills/repo-map/agents/openai.yaml +4 -0
  124. package/skills/repo-map/checklist.md +15 -0
  125. package/skills/repo-map/evidence-template.md +29 -0
  126. package/skills/repo-map/examples.md +19 -0
  127. package/skills/repo-map/failure-modes.md +16 -0
  128. package/skills/runtime-truth/SKILL.md +62 -0
  129. package/skills/runtime-truth/adapter-interface.md +7 -0
  130. package/skills/runtime-truth/agents/openai.yaml +4 -0
  131. package/skills/runtime-truth/checklist.md +11 -0
  132. package/skills/runtime-truth/evidence-template.md +12 -0
  133. package/skills/runtime-truth/examples.md +20 -0
  134. package/skills/runtime-truth/failure-modes.md +13 -0
  135. package/tests/README.md +44 -0
  136. package/tests/adapters/README.md +15 -0
  137. package/tests/completion/README.md +15 -0
  138. package/tests/evidence/README.md +15 -0
  139. package/tests/fixtures/README.md +23 -0
  140. package/tests/fixtures/adapters/allow-deploy.json +60 -0
  141. package/tests/fixtures/adapters/allow-git-push.json +60 -0
  142. package/tests/fixtures/adapters/expand-scope.json +53 -0
  143. package/tests/fixtures/adapters/expose-secrets.json +53 -0
  144. package/tests/fixtures/adapters/incompatible-version.json +53 -0
  145. package/tests/fixtures/adapters/override-audit-only.json +53 -0
  146. package/tests/fixtures/adapters/redefine-completion.json +53 -0
  147. package/tests/fixtures/adapters/remove-required-evidence.json +53 -0
  148. package/tests/fixtures/adapters/suppress-failures.json +53 -0
  149. package/tests/fixtures/adapters/valid-narrowing.json +53 -0
  150. package/tests/fixtures/adapters/valid-repo-map.json +53 -0
  151. package/tests/fixtures/adapters/weakening-repo-map.json +42 -0
  152. package/tests/fixtures/completion/cases.json +143 -0
  153. package/tests/fixtures/completion/false-complete.json +51 -0
  154. package/tests/fixtures/evidence-bundles/advisory-review-soon/archive/evidence-archive-index.json +52 -0
  155. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/repo-map.evidence.json +68 -0
  156. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/valid-upgrade.evidence.json +105 -0
  157. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence-bundle.json +109 -0
  158. package/tests/fixtures/evidence-bundles/invalid-archive/archive/evidence-archive-index.json +52 -0
  159. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/repo-map.evidence.json +68 -0
  160. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/valid-upgrade.evidence.json +105 -0
  161. package/tests/fixtures/evidence-bundles/invalid-archive/evidence-bundle.json +109 -0
  162. package/tests/fixtures/evidence-bundles/invalid-archive-index/archive/evidence-archive-index.json +52 -0
  163. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/repo-map.evidence.json +68 -0
  164. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/valid-upgrade.evidence.json +105 -0
  165. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence-bundle.json +109 -0
  166. package/tests/fixtures/evidence-bundles/invalid-hash/archive/evidence-archive-index.json +52 -0
  167. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/repo-map.evidence.json +68 -0
  168. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/valid-upgrade.evidence.json +105 -0
  169. package/tests/fixtures/evidence-bundles/invalid-hash/evidence-bundle.json +109 -0
  170. package/tests/fixtures/evidence-bundles/invalid-missing-entry/archive/evidence-archive-index.json +52 -0
  171. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/repo-map.evidence.json +68 -0
  172. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/valid-upgrade.evidence.json +105 -0
  173. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence-bundle.json +109 -0
  174. package/tests/fixtures/evidence-bundles/invalid-path/archive/evidence-archive-index.json +52 -0
  175. package/tests/fixtures/evidence-bundles/invalid-path/evidence/repo-map.evidence.json +68 -0
  176. package/tests/fixtures/evidence-bundles/invalid-path/evidence/valid-upgrade.evidence.json +105 -0
  177. package/tests/fixtures/evidence-bundles/invalid-path/evidence-bundle.json +109 -0
  178. package/tests/fixtures/evidence-bundles/invalid-provenance/archive/evidence-archive-index.json +52 -0
  179. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/repo-map.evidence.json +68 -0
  180. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/valid-upgrade.evidence.json +105 -0
  181. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence-bundle.json +109 -0
  182. package/tests/fixtures/evidence-bundles/invalid-regression/archive/evidence-archive-index.json +52 -0
  183. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/repo-map.evidence.json +68 -0
  184. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/valid-upgrade.evidence.json +105 -0
  185. package/tests/fixtures/evidence-bundles/invalid-regression/evidence-bundle.json +113 -0
  186. package/tests/fixtures/evidence-bundles/invalid-retention/archive/evidence-archive-index.json +52 -0
  187. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/repo-map.evidence.json +68 -0
  188. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/valid-upgrade.evidence.json +105 -0
  189. package/tests/fixtures/evidence-bundles/invalid-retention/evidence-bundle.json +109 -0
  190. package/tests/fixtures/evidence-bundles/invalid-signature-plan/archive/evidence-archive-index.json +52 -0
  191. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/repo-map.evidence.json +68 -0
  192. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/valid-upgrade.evidence.json +105 -0
  193. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence-bundle.json +109 -0
  194. package/tests/fixtures/evidence-bundles/valid-bundle/archive/evidence-archive-index.json +52 -0
  195. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/repo-map.evidence.json +68 -0
  196. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/valid-upgrade.evidence.json +105 -0
  197. package/tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json +109 -0
  198. package/tests/fixtures/external-adapters/empty/README.md +3 -0
  199. package/tests/fixtures/external-adapters/invalid-completion-override/.coding-agent/adapters/completion/adapter.json +53 -0
  200. package/tests/fixtures/external-adapters/invalid-deploy/.coding-agent/adapters/deploy/adapter.json +60 -0
  201. package/tests/fixtures/external-adapters/invalid-evidence-suppression/.coding-agent/adapters/evidence/adapter.json +53 -0
  202. package/tests/fixtures/external-adapters/invalid-failure-suppression/.coding-agent/adapters/failures/adapter.json +53 -0
  203. package/tests/fixtures/external-adapters/invalid-git-push/.coding-agent/adapters/publish/adapter.json +60 -0
  204. package/tests/fixtures/external-adapters/invalid-malformed/.coding-agent/adapters/malformed/adapter.json +1 -0
  205. package/tests/fixtures/external-adapters/invalid-malformed/malformed-adapter.txt +1 -0
  206. package/tests/fixtures/external-adapters/invalid-mode-escalation/.coding-agent/adapters/mode/adapter.json +53 -0
  207. package/tests/fixtures/external-adapters/invalid-path-traversal/.coding-agent/adapters/path/adapter.json +53 -0
  208. package/tests/fixtures/external-adapters/invalid-restriction-removal/.coding-agent/adapters/restrictions/adapter.json +52 -0
  209. package/tests/fixtures/external-adapters/invalid-scope-expansion/.coding-agent/adapters/scope/adapter.json +53 -0
  210. package/tests/fixtures/external-adapters/invalid-secret-exposure/.coding-agent/adapters/secrets/adapter.json +53 -0
  211. package/tests/fixtures/external-adapters/invalid-skill-id/.coding-agent/adapters/skill/adapter.json +53 -0
  212. package/tests/fixtures/external-adapters/invalid-skill-version/.coding-agent/adapters/skill-version/adapter.json +53 -0
  213. package/tests/fixtures/external-adapters/invalid-unknown-manifest/.coding-agent/adapters/unknown/manifest.json +1 -0
  214. package/tests/fixtures/external-adapters/invalid-version/.coding-agent/adapters/version/adapter.json +53 -0
  215. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/invalid/adapter.json +60 -0
  216. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/valid/adapter.json +53 -0
  217. package/tests/fixtures/external-adapters/valid-basic/.coding-agent/adapters/basic/adapter.json +53 -0
  218. package/tests/fixtures/external-adapters/valid-doc-precedence/coding-agent/adapters/docs/adapter.json +53 -0
  219. package/tests/fixtures/external-adapters/valid-runtime-status/adapters/coding-agent/runtime/adapter.json +65 -0
  220. package/tests/fixtures/mutation/cases.json +87 -0
  221. package/tests/fixtures/mutation/snapshot-target/README.md +3 -0
  222. package/tests/fixtures/mutation/snapshot-target/state.json +4 -0
  223. package/tests/fixtures/policy/commands.json +164 -0
  224. package/tests/fixtures/policy/properties.json +126 -0
  225. package/tests/fixtures/privacy/cases.json +47 -0
  226. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.agents/adapters/basic/adapter.json +53 -0
  227. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.coding-agent/skills.json +23 -0
  228. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/adapters/basic/adapter.json +53 -0
  229. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/skills.json +23 -0
  230. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  231. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/skills.json +23 -0
  232. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/adapters/basic/adapter.json +53 -0
  233. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/skills.json +23 -0
  234. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/adapters/basic/adapter.json +53 -0
  235. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/skills.json +23 -0
  236. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/adapters/basic/adapter.json +53 -0
  237. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/skills.json +23 -0
  238. package/tests/fixtures/project-adapter-installation/invalid-missing-declaration/.coding-agent/adapters/basic/adapter.json +53 -0
  239. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/adapters/basic/adapter.json +53 -0
  240. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/skills.json +23 -0
  241. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/adapters/basic/adapter.json +53 -0
  242. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/skills.json +23 -0
  243. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/adapters/basic/adapter.json +53 -0
  244. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/skills.json +23 -0
  245. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/adapters/basic/adapter.json +53 -0
  246. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/skills.json +23 -0
  247. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  248. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/skills.json +23 -0
  249. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/adapters/basic/adapter.json +53 -0
  250. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/skills.json +23 -0
  251. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/adapters/basic/adapter.json +53 -0
  252. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/skills.json +23 -0
  253. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/adapters/basic/adapter.json +52 -0
  254. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/skills.json +23 -0
  255. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent/adapters/docs/adapter.json +53 -0
  256. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent.skills.json +23 -0
  257. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/adapters/basic/adapter.json +53 -0
  258. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/skills.json +23 -0
  259. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/.coding-agent/skills.json +28 -0
  260. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/repo/adapter.json +53 -0
  261. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/runtime/adapter.json +58 -0
  262. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  263. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/skills.json +27 -0
  264. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  265. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/skills.json +27 -0
  266. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  267. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/skills.json +27 -0
  268. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  269. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/skills.json +27 -0
  270. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  271. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/skills.json +27 -0
  272. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  273. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/skills.json +27 -0
  274. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  275. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/skills.json +27 -0
  276. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  277. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/skills.json +27 -0
  278. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  279. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/skills.json +27 -0
  280. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  281. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/skills.json +27 -0
  282. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  283. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/skills.json +27 -0
  284. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  285. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/skills.json +27 -0
  286. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/adapters/fixture-chain-adapter/adapter.json +69 -0
  287. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/skills.json +27 -0
  288. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  289. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/skills.json +27 -0
  290. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  291. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/skills.json +27 -0
  292. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  293. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/skills.json +27 -0
  294. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  295. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/skills.json +27 -0
  296. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  297. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/skills.json +27 -0
  298. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  299. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/skills.json +27 -0
  300. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  301. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/skills.json +27 -0
  302. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  303. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/skills.json +27 -0
  304. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  305. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/skills.json +27 -0
  306. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +71 -0
  307. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/skills.json +27 -0
  308. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  309. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/skills.json +27 -0
  310. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  311. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/skills.json +27 -0
  312. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  313. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/skills.json +27 -0
  314. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  315. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/skills.json +27 -0
  316. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  317. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/skills.json +27 -0
  318. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  319. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/skills.json +27 -0
  320. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  321. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/skills.json +27 -0
  322. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  323. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/skills.json +27 -0
  324. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  325. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/skills.json +27 -0
  326. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  327. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/skills.json +27 -0
  328. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  329. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/skills.json +27 -0
  330. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  331. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/skills.json +27 -0
  332. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  333. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/skills.json +27 -0
  334. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  335. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/skills.json +27 -0
  336. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  337. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/skills.json +27 -0
  338. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  339. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/skills.json +27 -0
  340. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  341. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/skills.json +27 -0
  342. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  343. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/skills.json +27 -0
  344. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  345. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/skills.json +27 -0
  346. package/tests/fixtures/sample-repo/.env.example +1 -0
  347. package/tests/fixtures/sample-repo/README.md +4 -0
  348. package/tests/fixtures/sample-repo/docs/architecture.md +3 -0
  349. package/tests/fixtures/sample-repo/package.json +11 -0
  350. package/tests/fixtures/sample-repo/src/index.js +3 -0
  351. package/tests/fixtures/sample-repo/test/index.test.js +8 -0
  352. package/tests/fixtures/triggers/cases.json +101 -0
  353. package/tests/policy/README.md +16 -0
  354. package/tests/privacy/README.md +14 -0
  355. package/tests/safety/README.md +17 -0
  356. package/tests/trigger/README.md +11 -0
  357. package/work-ledger.md +159 -0
package/AGENTS.md ADDED
@@ -0,0 +1,44 @@
1
+ # Agent Operating Contract
2
+
3
+ This repository contains shared coding-agent skills, safety contracts, validators, and disposable harness fixtures.
4
+
5
+ ## Scope
6
+
7
+ Agents working here may maintain the shared skill pack, validators, documentation, examples, and synthetic fixtures. They must not add new skills, real project adapters, platform integrations, deployment procedures, or project-specific behavior unless a human explicitly approves that milestone.
8
+
9
+ ## Maintainer Loop
10
+
11
+ Use `./scripts/run-next --allow <permission>` to inspect the repository, validate the current pack, read the roadmap/changelog/work ledger, and decide the next bounded action. The loop is intentionally conservative: it selects and evidences work, then stops at approval boundaries.
12
+
13
+ Supported permission flags are:
14
+
15
+ - `harness-hardening`
16
+ - `docs-hardening`
17
+ - `test-hardening`
18
+ - `adapter-harness`
19
+ - `evidence-harness`
20
+ - `release-preflight`
21
+ - `commit`
22
+ - `tag`
23
+ - `push`
24
+
25
+ Unknown flags must fail closed. Permission flags do not weaken skill restrictions.
26
+
27
+ ## Safety Boundaries
28
+
29
+ Agents must not:
30
+
31
+ - create new skills without explicit approval
32
+ - modify real project repositories
33
+ - add real project adapters
34
+ - run platform publication or infrastructure commands
35
+ - apply database changes
36
+ - mutate local services or background processes
37
+ - read local environment files
38
+ - print secrets or credentials
39
+ - use destructive Git operations
40
+ - weaken shared safety policies, command policies, evidence requirements, or adapter inheritance
41
+
42
+ ## Evidence Standard
43
+
44
+ Every maintainer-loop run must leave evidence in `runs/skill-runs.md` or an approved report. Evidence must include the command used, granted permissions, files changed, validation commands, validation result, release status, next state, and unresolved approval gates.
package/CHANGELOG.md ADDED
@@ -0,0 +1,205 @@
1
+ # Changelog
2
+
3
+ All notable changes follow [Semantic Versioning](docs/versioning/README.md).
4
+
5
+ ## [0.2.8] - 2026-06-19
6
+
7
+ ### Added
8
+
9
+ - Public npm package metadata for `coding-agent-skills`.
10
+ - MIT license file with approved OneClickPostFactory copyright.
11
+ - Public npm install documentation for the supported CLI commands.
12
+
13
+ ### Changed
14
+
15
+ - Package validation now requires public npm metadata, MIT license, repository metadata,
16
+ public registry configuration, strict package allowlist, dependency-free shape, and
17
+ installed-package safety checks.
18
+ - Release tests now cover the public package contract and installed `validate-pack`
19
+ behavior.
20
+ - Release documentation now includes npm publish dry-run, tarball inspection, temporary
21
+ install smoke tests, registry verification, and GitHub Release expectations.
22
+
23
+ ## [0.2.3] - 2026-06-17
24
+
25
+ ### Added
26
+
27
+ - Synthetic evidence archive index schema and fixture files linked from evidence bundles.
28
+ - Retention-expiry advisory metadata and report output with manual-review-only semantics.
29
+ - Detached-signature verification planning metadata that records required future artifacts
30
+ without running signing or verification infrastructure.
31
+ - Disposable advisory, archive-index, and signature-plan fixtures for safe acceptance and
32
+ rejection coverage.
33
+
34
+ ### Changed
35
+
36
+ - Evidence-bundle verification now validates archive indexes, reports retention-expiry
37
+ advisory status, and rejects unsafe signature-verification plans.
38
+ - Archive reports now include archive-index summary, retention advisory status, and
39
+ detached-signature verification planning metadata.
40
+ - Current synthetic examples and fixtures now target `0.2.3` with `0.2.2` as the previous
41
+ release boundary.
42
+
43
+ ## [0.2.2] - 2026-06-16
44
+
45
+ ### Added
46
+
47
+ - Evidence-bundle retention metadata for bounded review windows, storage class, and
48
+ redaction policy.
49
+ - Provenance metadata for producer, source commit, target tag, canonicalization, digest
50
+ algorithm, and detached-signature design.
51
+ - Sanitized evidence archive report schema and read-only renderer.
52
+ - Disposable invalid fixtures for retention-window, provenance-tag, and archive-policy
53
+ rejection.
54
+
55
+ ### Changed
56
+
57
+ - Evidence-bundle verification now rejects unsafe retention, provenance, and archive
58
+ declarations before claiming replay or regression success.
59
+ - CI, pack validation, release tests, safety docs, privacy docs, authoring docs, and
60
+ testing docs now include archive-report rendering.
61
+ - Current synthetic examples and fixtures now target `0.2.2` with `0.2.1` as the previous
62
+ release boundary.
63
+
64
+ ## [0.2.1] - 2026-06-16
65
+
66
+ ### Added
67
+
68
+ - Evidence-bundle JSON Schema and dependency-free verifier.
69
+ - Deterministic replay through canonical report hashing.
70
+ - Cross-release compatibility regression checks for baseline entry coverage and status
71
+ preservation.
72
+ - Disposable valid and invalid evidence-bundle fixtures for hash mismatch, missing entry,
73
+ path traversal, and regression failures.
74
+
75
+ ### Changed
76
+
77
+ - CI, pack validation, release tests, safety docs, testing docs, roadmap, and ledger now
78
+ include evidence-bundle verification.
79
+ - Current synthetic examples and fixtures now target `0.2.1` with `0.2.0` as the previous
80
+ release boundary.
81
+
82
+ ## [0.2.0] - 2026-06-15
83
+
84
+ ### Added
85
+
86
+ - Root agent contract, maintainer runbook, explicit work ledger, and append-only run log.
87
+ - Dependency-free `scripts/run-next` coordinator with fail-closed permission gates.
88
+ - Dedicated maintainer-loop validator covering required files, ledger shape, executable
89
+ mode, permission declarations, unsafe-command absence, docs, and CI integration.
90
+
91
+ ### Changed
92
+
93
+ - CI and the release harness now validate the maintainer loop.
94
+ - README, roadmap, contribution, release, testing, and safety documentation now define
95
+ autonomous milestone selection and human approval stop boundaries.
96
+ - Evidence-bundle verification remains queued in the ledger and is not implemented.
97
+
98
+ ## [0.1.6] - 2026-06-14
99
+
100
+ ### Added
101
+
102
+ - Machine-readable adapter-upgrade evidence schema with sanitized pair and chain examples.
103
+ - Dependency-free compatibility-chain validator for ordered simulated project revisions.
104
+ - Optional safe `--json` and non-overwriting `--output` evidence modes.
105
+ - Disposable chain fixtures for valid progression, stale pins, core and skill
106
+ incompatibility, schema drift, and restriction weakening.
107
+ - Chain-level privacy, path, symlink, mutation, and unsafe-policy tests.
108
+
109
+ ### Changed
110
+
111
+ - Pair validation can target an adjacent historical core when used inside a chain while the
112
+ final chain revision must match the running core.
113
+ - Release validation and CI now validate a complete three-revision compatibility chain.
114
+ - Adapter, evidence, versioning, safety, authoring, testing, and roadmap documentation now
115
+ define structured read-only upgrade review.
116
+
117
+ ## [0.1.5] - 2026-06-14
118
+
119
+ ### Added
120
+
121
+ - Dependency-free adapter upgrade comparison command for paired project revisions.
122
+ - Distinct stale exact-pin and stale compatible-range detection.
123
+ - Disposable revision fixtures for safe upgrades, old and future cores, schema and skill
124
+ drift, restriction weakening, mode escalation, and evidence removal.
125
+ - Dynamic rejection coverage for failure suppression, completion override, unknown skills,
126
+ secret exposure, and traversal.
127
+
128
+ ### Changed
129
+
130
+ - Project validation can evaluate an immutable source revision against its declared core
131
+ while upgrade acceptance remains pinned to the running shared core.
132
+ - Release validation and CI now exercise the safe adapter upgrade path.
133
+ - Adapter, versioning, safety, authoring, and testing documentation now define upgrade
134
+ evidence and drift rejection.
135
+
136
+ ## [0.1.4] - 2026-06-13
137
+
138
+ ### Added
139
+
140
+ - Project-owned adapter installation declaration schema and dependency-free validator.
141
+ - Exact core pins and compatible comparator ranges without a semver dependency.
142
+ - Disposable project fixtures for valid installation, version mismatch, unsafe location,
143
+ policy weakening, secret exposure, scope expansion, and traversal.
144
+ - Bidirectional matching of project ID, adapter root, adapter ID/version, and pilot skill IDs.
145
+
146
+ ### Changed
147
+
148
+ - Release validation and CI now exercise a declared project-owned adapter installation.
149
+ - Adapter, testing, safety, authoring, and versioning documentation now define safe adoption.
150
+
151
+ ## [0.1.3] - 2026-06-13
152
+
153
+ ### Added
154
+
155
+ - Dependency-free external adapter discovery and validation CLI.
156
+ - Disposable fixture roots for all supported locations, compatibility failures, policy
157
+ weakening, malformed input, mixed roots, traversal, and symlink escapes.
158
+ - Safe public rejection codes and explicit empty-root behavior.
159
+
160
+ ### Changed
161
+
162
+ - Release validation and CI now exercise an external adapter root.
163
+ - Adapter documentation now defines exact manifest naming, extension-only inheritance, path
164
+ safety, and future project-owned integration.
165
+
166
+ ## [0.1.2] - 2026-06-13
167
+
168
+ ### Added
169
+
170
+ - Formal project-adapter JSON Schema and three valid synthetic examples.
171
+ - Bidirectional adapter skill/version/mode compatibility tests.
172
+ - Property-style command-policy generation across composition and bypass families.
173
+ - Provider-specific `npx`, bounded-read, authenticated-health approval, and package-script-body checks.
174
+
175
+ ### Changed
176
+
177
+ - Skill manifests now declare adapter contract compatibility.
178
+ - Command policies now declare parser invariants and argument strategies.
179
+ - Validator enforcement now covers valid and invalid adapters plus command-policy invariants.
180
+
181
+ ## [0.1.1] - 2026-06-13
182
+
183
+ ### Added
184
+
185
+ - Trigger-classification fixtures for positive, negative, and wrong-skill cases.
186
+ - Command-parser coverage for composition, wrappers, heredocs, package tools, Git, curl, and unsafe arguments.
187
+ - Mutation snapshots and audit-only documentation enforcement.
188
+ - Split synthetic privacy fixtures with in-memory detection and redaction tests.
189
+ - Adapter-weakening and evidence false-completion matrices.
190
+
191
+ ### Changed
192
+
193
+ - CI now runs structural validation, the complete harness, and built-in Node tests.
194
+ - Shared policy rules and release validation enforce the v0.1.x harness boundaries.
195
+
196
+ ## [0.1.0] - 2026-06-12
197
+
198
+ ### Added
199
+
200
+ - Shared evidence-pack contract and schemas.
201
+ - Five pilot skills: `repo-map`, `build-verify`, `git-preflight`, `runtime-truth`, and `llm-drift-control`.
202
+ - Concrete manifests, command policies, evidence packs, and workflow examples.
203
+ - Dependency-free pack validation and executable release tests.
204
+ - Synthetic fixtures and safe GitHub Actions validation.
205
+ - Release, privacy, adapter, usage, contribution, and roadmap documentation.
@@ -0,0 +1,54 @@
1
+ # Contributing
2
+
3
+ ## Before Adding A Skill
4
+
5
+ 1. Establish repeated, safe, generalizable evidence.
6
+ 2. Classify the skill as audit-only or action-capable.
7
+ 3. Define approval boundaries before command procedures.
8
+ 4. Keep platform and project behavior outside general skills.
9
+ 5. Obtain explicit scope approval.
10
+
11
+ ## Required Skill Shape
12
+
13
+ Initialize skills with the official skill creator and include:
14
+
15
+ - `SKILL.md`
16
+ - `agents/openai.yaml`
17
+ - `checklist.md`
18
+ - `examples.md`
19
+ - `failure-modes.md`
20
+ - `adapter-interface.md`
21
+ - `evidence-template.md`
22
+
23
+ Add a manifest example, command-policy example, evidence-pack example, workflow example, and executable tests.
24
+
25
+ ## Safety Rules
26
+
27
+ - Never copy restricted evidence into reusable procedures.
28
+ - Never commit secrets or local `.env` files.
29
+ - Audit-only skills cannot gain mutation through adapters or approval.
30
+ - Action-capable skills must enumerate permitted local actions and reject everything else.
31
+ - Failed or skipped required checks cannot produce `complete`.
32
+
33
+ ## Validation
34
+
35
+ Run:
36
+
37
+ ```bash
38
+ node scripts/validate-pack.mjs .
39
+ node scripts/test-pack.mjs
40
+ node scripts/validate-maintainer-loop.mjs .
41
+ node --test
42
+ ```
43
+
44
+ Update the changelog and roadmap when behavior or scope changes.
45
+
46
+ ## Maintainer Loop
47
+
48
+ `./scripts/run-next --allow <permission>` may inspect local repository state, validate the
49
+ pack, select the next ledger milestone, and append bounded run evidence. It must start from
50
+ a clean worktree and fails closed for missing, unknown, or mismatched permissions.
51
+
52
+ The loop does not replace human approval for scope changes, new skills, real adapters,
53
+ release publication, dependencies, or weakened safety rules. Update `work-ledger.md` when
54
+ the approved next milestone or its stop conditions change.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 OneClickPostFactory
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,85 @@
1
+ # Coding Agent Skills
2
+
3
+ Shared, versioned workflows for evidence-driven coding agents.
4
+
5
+ The pilot pack contains:
6
+
7
+ - Shared evidence-pack contract.
8
+ - `repo-map`: audit-only repository orientation.
9
+ - `build-verify`: controlled local validation using existing project commands.
10
+ - `git-preflight`: audit-only Git readiness inspection.
11
+ - `runtime-truth`: audit-only runtime evidence collection.
12
+ - `llm-drift-control`: audit-only claim reconciliation.
13
+
14
+ It does not contain deployment, package installation, Git publication, runtime mutation, migration, privileged API, platform-specific, or project-specific skills.
15
+
16
+ Project-specific adapters will live in their owning repositories and may narrow, but never weaken, shared safety rules.
17
+
18
+ ## Principles
19
+
20
+ - Inspect before acting.
21
+ - Separate audit-only skills from action-capable skills.
22
+ - Preserve user work and external state.
23
+ - Treat restricted historical evidence as warnings, not reusable commands.
24
+ - Produce evidence before claiming completion.
25
+ - Report skipped, failed, and unverifiable checks honestly.
26
+
27
+ See [architecture](docs/architecture/README.md), [safety](docs/safety/README.md), and [authoring](docs/authoring/README.md).
28
+
29
+ ## Completion Standard
30
+
31
+ Every skill emits the evidence-pack contract. A command being attempted is never enough to claim success. Required checks, skipped checks, failures, confidence, unresolved questions, and state changes must all be represented.
32
+
33
+ ## Use And Validate
34
+
35
+ - Read [usage guidance](docs/usage/README.md) before selecting a skill.
36
+ - Browse [safe examples](examples/README.md) for manifests, policies, evidence packs, and workflows.
37
+ - Install the public CLI with `npm install -g coding-agent-skills`.
38
+ - Run `coding-agent-skills validate-pack` to validate the installed pack.
39
+ - Run `npx coding-agent-skills validate-pack` when a one-off npm execution is preferred.
40
+ - From a clone, the same wrapper is available as `bin/coding-agent-skills validate-pack`.
41
+ - Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
42
+ - Review [external adapter discovery](docs/adapters/discovery.md).
43
+ - Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
44
+ - Review [project-owned installation and pinning](docs/adapters/project-installation.md).
45
+ - Run `node scripts/validate-project-adapters.mjs <project-root>` for a declared project root.
46
+ - Render adapter-aware `repo-map` orientation with
47
+ `node scripts/render-adapter-repo-map.mjs <project-root>`.
48
+ - Review [adapter upgrade checks](docs/adapters/upgrades.md).
49
+ - Run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`
50
+ for disposable project revisions.
51
+ - Validate ordered revisions with
52
+ `node scripts/check-adapter-upgrade-chain.mjs <chain-root>`.
53
+ - Review the [upgrade evidence contract](docs/adapters/upgrade-evidence.md) before using
54
+ `--json` or explicit `--output` evidence.
55
+ - Review [evidence bundle verification](docs/evidence-bundles/README.md).
56
+ - Run `node scripts/verify-evidence-bundle.mjs <bundle-file>` for deterministic
57
+ evidence-bundle replay and regression checks.
58
+ - Run `node scripts/render-evidence-archive-report.mjs <bundle-file>` for a sanitized,
59
+ read-only archive report summary.
60
+ - Review the [npm package release guide](docs/release/npm-package.md) before running
61
+ package dry-run or publication checks.
62
+ - Run `node scripts/validate-pack.mjs .` for structural validation.
63
+ - Run `node scripts/test-pack.mjs` for executable release tests.
64
+ - Run `node --test` for built-in Node fixture tests.
65
+
66
+ Governance lives in [CONTRIBUTING.md](CONTRIBUTING.md), [ROADMAP.md](ROADMAP.md), and the [release policy](docs/release/README.md).
67
+ The [harness guide](docs/testing/README.md) explains trigger, command, mutation, privacy, adapter, and completion checks.
68
+
69
+ ## Autonomous Maintainer Loop
70
+
71
+ The local maintainer loop reads Git tags, `ROADMAP.md`, `CHANGELOG.md`, and
72
+ `work-ledger.md`, validates the pack, then selects the next bounded milestone. It fails
73
+ closed unless the required action is named explicitly:
74
+
75
+ ```bash
76
+ ./scripts/run-next --allow evidence-harness
77
+ ```
78
+
79
+ Supported permissions are `harness-hardening`, `docs-hardening`, `test-hardening`,
80
+ `adapter-harness`, `evidence-harness`, `release-preflight`, `commit`, `tag`, and `push`.
81
+ These flags are approval gates, not permission to weaken shared restrictions.
82
+
83
+ The runner may update `work-ledger.md` and `runs/skill-runs.md` after a successful bounded
84
+ run. It stops before implementing an unapproved milestone or performing release
85
+ publication. See [the runbook](RUNBOOK.md) and [agent contract](AGENTS.md).
package/ROADMAP.md ADDED
@@ -0,0 +1,87 @@
1
+ # Roadmap
2
+
3
+ The pilot release remains limited to five approved skills. Future work requires separate design and approval.
4
+
5
+ ## Released Harness Milestones
6
+
7
+ - `v0.1.0`: schemas, examples, dependency-free validation, CI, and governance.
8
+ - `v0.1.1`: trigger, command-policy, mutation, privacy, adapter, and false-completion harnesses.
9
+ - `v0.1.2`: formal adapter contract, compatibility enforcement, and property-style command-policy coverage.
10
+ - `v0.1.3`: bounded external-adapter discovery, validation, fixture roots, and path-safety enforcement.
11
+ - `v0.1.4`: project-owned installation declarations, version pins, and disposable adoption fixtures.
12
+ - `v0.1.5`: paired adapter upgrade checks, stale-pin detection, and compatibility-drift rejection.
13
+ - `v0.1.6`: structured upgrade evidence and multi-step compatibility-chain validation.
14
+ - `v0.2.0`: fail-closed local maintainer loop with an explicit work ledger, run evidence,
15
+ permission gates, and approval stop boundaries.
16
+ - `v0.2.1`: evidence-bundle verification, deterministic replay hash, and cross-release
17
+ compatibility regression reporting over disposable evidence fixtures.
18
+ - `v0.2.2`: evidence-bundle retention policy, detached-signature provenance design, and
19
+ sanitized archive-report rendering.
20
+ - `v0.2.3`: synthetic evidence-bundle archive indexes, retention-expiry advisory
21
+ reporting, and detached-signature verification planning.
22
+ - `v0.2.4`: adapter-aware `repo-map` renderer that consumes validated project-owned
23
+ adapters.
24
+ - `v0.2.5`: local `coding-agent-skills` command surface for validated scripts.
25
+ - `v0.2.6`: npm package readiness scaffold with dependency-free package metadata.
26
+ - `v0.2.7`: package-installed `validate-pack` support for tarball/global installs.
27
+ - `v0.2.8`: first public npm release with MIT license, public metadata, and registry
28
+ install smoke coverage.
29
+
30
+ The next milestone is recorded in [work-ledger.md](work-ledger.md). The
31
+ [maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
32
+ before implementation until the relevant human approval is granted.
33
+
34
+ No evidence-harness milestone is queued after `v0.2.3`. Additional real project adapters,
35
+ new skills, platform work, deployment/preflight work, and signing infrastructure remain
36
+ separately gated. The public npm package exposes the existing read-only CLI surface; it
37
+ does not approve new skills or target-project mutation.
38
+
39
+ ## Planning Gates
40
+
41
+ - Real-project adapter adoption readiness is documented as a planning-only gate. It
42
+ defines candidate selection criteria, required pre-adoption evidence, validator commands,
43
+ safety boundaries, approval gates, stop conditions, rollback conditions, and forbidden
44
+ work before any real project adapter may be created.
45
+
46
+ ## Real Project Adapter Adoption Evidence
47
+
48
+ - First external project-owned adapter adoption completed for
49
+ `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit
50
+ `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
51
+ - Adopted scope: `repo-map` only, docs/metadata-only, no commands, no runtime checks, no
52
+ build/test/package behavior, no platform/deployment behavior, and no secret-aware
53
+ behavior.
54
+ - The shared repository still contains only shared schemas, validators, docs, examples,
55
+ and synthetic fixtures. The real adapter lives in its owning project repository.
56
+ - Publication caveat: the candidate repository's normal pre-push hook attempted package
57
+ operations. The run was interrupted to preserve the approved boundary, and publication
58
+ completed with hook verification bypass after shared adapter validation and safe checks
59
+ passed.
60
+
61
+ Next safe milestone options:
62
+
63
+ - Document a project-hook publication policy for future real adapter adoption.
64
+ - Add synthetic fixture coverage for hook-triggered publication caveats.
65
+ - Run a read-only qualification audit for a second candidate.
66
+ - Plan adapter-upgrade evidence review for the adopted `tax-lien-platform` adapter.
67
+
68
+ | Candidate | Scope | Mode | Current gate |
69
+ |---|---|---|---|
70
+ | `route-trace-skill` | General | Audit-only | Needs design review |
71
+ | `env-audit-skill` | General | Audit-only | Needs more evidence |
72
+ | `secret-audit-skill` | General | Audit-only | Blocked on privacy and approval model |
73
+ | `deployment-preflight-skill` | General | Audit-only | Needs design review |
74
+ | `cloudflare-preflight-skill` | Platform-specific | Audit-only | Needs more evidence |
75
+ | `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
76
+ | `supabase-rls-audit-skill` | Platform-specific | Audit-only | Needs more evidence |
77
+ | `migration-review-skill` | General with platform adapters | Audit-only | Needs design review |
78
+ | `api-contract-audit-skill` | General | Audit-only | Needs design review |
79
+ | `repo-knowledge-sync-skill` | General | Action-capable | Blocked on write approval model |
80
+ | `security-hardening-review-skill` | General coordinator | Audit-only | Needs more evidence |
81
+ | `worker-queue-debug-skill` | General core with project adapters | Audit-only first | Needs more evidence |
82
+ | `devvit-ingest-debug-skill` | Project-specific | Audit-only | Needs project evidence |
83
+ | `github-handoff-skill` | Platform-specific | Action-capable | Blocked on approval model |
84
+ | `session-extractor-skill` | General tooling | Action-capable | Blocked on privacy policy and more evidence |
85
+ | `command-redaction-skill` | General tooling | Action-capable | Needs more evidence |
86
+
87
+ No roadmap item is implicitly approved for implementation.
package/RUNBOOK.md ADDED
@@ -0,0 +1,47 @@
1
+ # Maintainer Loop Runbook
2
+
3
+ The maintainer loop helps an agent choose the next bounded repository milestone from local evidence instead of waiting for a freshly written prompt after every release.
4
+
5
+ ## Normal Flow
6
+
7
+ 1. Start from a clean synchronized `main`.
8
+ 2. Read `AGENTS.md`, `ROADMAP.md`, `CHANGELOG.md`, and `work-ledger.md`.
9
+ 3. Run the local validation suite.
10
+ 4. Ask `./scripts/run-next` to select the next bounded action with an explicit permission flag.
11
+ 5. Review the runner evidence in `runs/skill-runs.md`.
12
+ 6. Stop at any approval boundary before implementation, release publication, or scope expansion.
13
+
14
+ ## Current Safe Command
15
+
16
+ ```bash
17
+ ./scripts/run-next --allow evidence-harness
18
+ ```
19
+
20
+ This command is expected to validate the pack, identify the recommended evidence-harness milestone, write local run evidence, and stop before implementing that milestone.
21
+
22
+ ## Release Validation
23
+
24
+ Before releasing maintainer-loop changes, run:
25
+
26
+ ```bash
27
+ node scripts/validate-pack.mjs .
28
+ node scripts/test-pack.mjs
29
+ node scripts/validate-maintainer-loop.mjs .
30
+ node --test
31
+ jq empty $(find . -name '*.json' -type f | sort)
32
+ git diff --check
33
+ ```
34
+
35
+ ## Stop Boundaries
36
+
37
+ Stop and request human approval before:
38
+
39
+ - adding or changing skills
40
+ - creating real project adapters
41
+ - touching real project repositories
42
+ - publishing release artifacts
43
+ - changing credential handling
44
+ - adding package dependencies
45
+ - weakening safety, evidence, completion, or adapter rules
46
+
47
+ The loop is a decision aid and evidence writer, not a general automation daemon.
@@ -0,0 +1,75 @@
1
+ #!/usr/bin/env node
2
+ import { spawnSync } from "node:child_process";
3
+ import path from "node:path";
4
+ import { fileURLToPath } from "node:url";
5
+
6
+ const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
7
+
8
+ const commands = {
9
+ "validate-pack": {
10
+ script: "scripts/validate-pack.mjs",
11
+ args: () => ["."],
12
+ usage: "coding-agent-skills validate-pack",
13
+ },
14
+ "validate-project": {
15
+ script: "scripts/validate-project-adapters.mjs",
16
+ args: ([projectRoot]) => [projectRoot],
17
+ usage: "coding-agent-skills validate-project <project-root>",
18
+ requiredArgs: 1,
19
+ },
20
+ "repo-map": {
21
+ script: "scripts/render-adapter-repo-map.mjs",
22
+ args: ([projectRoot]) => [projectRoot],
23
+ usage: "coding-agent-skills repo-map <project-root>",
24
+ requiredArgs: 1,
25
+ },
26
+ "validate-adapters": {
27
+ script: "scripts/validate-adapters.mjs",
28
+ args: ([adapterRoot]) => [adapterRoot],
29
+ usage: "coding-agent-skills validate-adapters <adapter-root>",
30
+ requiredArgs: 1,
31
+ },
32
+ };
33
+
34
+ function usage(exitCode = 0) {
35
+ const lines = [
36
+ "usage: coding-agent-skills <command> [args]",
37
+ "",
38
+ "commands:",
39
+ " validate-pack",
40
+ " validate-project <project-root>",
41
+ " repo-map <project-root>",
42
+ " validate-adapters <adapter-root>",
43
+ "",
44
+ "local-only wrapper; no npm package or global install is implied",
45
+ ];
46
+ const stream = exitCode === 0 ? process.stdout : process.stderr;
47
+ stream.write(`${lines.join("\n")}\n`);
48
+ process.exitCode = exitCode;
49
+ }
50
+
51
+ const [commandName, ...args] = process.argv.slice(2);
52
+ if (!commandName || commandName === "help" || commandName === "--help" || commandName === "-h") {
53
+ usage(commandName ? 0 : 2);
54
+ } else if (!Object.hasOwn(commands, commandName)) {
55
+ process.stderr.write(`unknown command: ${commandName}\n`);
56
+ usage(2);
57
+ } else {
58
+ const command = commands[commandName];
59
+ if ((command.requiredArgs ?? 0) !== args.length) {
60
+ process.stderr.write(`usage: ${command.usage}\n`);
61
+ process.exitCode = 2;
62
+ } else {
63
+ const result = spawnSync(
64
+ process.execPath,
65
+ [path.join(repoRoot, command.script), ...command.args(args)],
66
+ {
67
+ cwd: repoRoot,
68
+ encoding: "utf8",
69
+ stdio: "inherit",
70
+ shell: false,
71
+ },
72
+ );
73
+ process.exitCode = result.status ?? 1;
74
+ }
75
+ }
@@ -0,0 +1,22 @@
1
+ # Evidence-Pack Contract
2
+
3
+ The evidence pack records what a skill intended to do, what it actually inspected or executed, what changed, and why its final status is justified.
4
+
5
+ Every invocation emits repository and invocation identity, intent and scope, adapter and environment context, sanitized command records, skipped checks, findings, risks, failures, unresolved questions, an explicit changed-state declaration, status and confidence, and a handoff.
6
+
7
+ Valid statuses are `complete`, `partial`, `failed`, and `blocked`. Claim `complete` only when all required checks passed or were safely deemed not applicable, no unresolved issue invalidates the objective, and the changed-state declaration is accurate.
8
+
9
+ Use [evidence-pack.schema.json](evidence-pack.schema.json) for machine validation. The JSON and Markdown examples show equivalent representations.
10
+
11
+ ## Minimum Completion Evidence
12
+
13
+ - Skill, invocation, and repository identity.
14
+ - Declared scope and adapter.
15
+ - All required command or inspection records.
16
+ - Skipped checks with consequences.
17
+ - Findings, risks, failures, and unresolved questions.
18
+ - Accurate changed-state declaration.
19
+ - Status and confidence reason.
20
+ - Handoff summary and next action.
21
+
22
+ Audit-only skills must set `changedState.changed` to `false` unless an unexpected mutation is detected; an unexpected mutation prevents `complete`.