coding-agent-skills 0.2.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +44 -0
- package/CHANGELOG.md +205 -0
- package/CONTRIBUTING.md +54 -0
- package/LICENSE +21 -0
- package/README.md +85 -0
- package/ROADMAP.md +87 -0
- package/RUNBOOK.md +47 -0
- package/bin/coding-agent-skills +75 -0
- package/contracts/evidence-pack/README.md +22 -0
- package/contracts/evidence-pack/evidence-pack.example.json +60 -0
- package/contracts/evidence-pack/evidence-pack.example.md +49 -0
- package/contracts/evidence-pack/evidence-pack.schema.json +156 -0
- package/docs/adapters/README.md +82 -0
- package/docs/adapters/discovery.md +50 -0
- package/docs/adapters/external-adapters.md +42 -0
- package/docs/adapters/project-installation.md +135 -0
- package/docs/adapters/real-project-adoption.md +193 -0
- package/docs/adapters/upgrade-evidence.md +67 -0
- package/docs/adapters/upgrades.md +83 -0
- package/docs/architecture/README.md +23 -0
- package/docs/authoring/README.md +54 -0
- package/docs/evidence-bundles/README.md +94 -0
- package/docs/privacy/README.md +26 -0
- package/docs/release/README.md +42 -0
- package/docs/release/npm-package.md +85 -0
- package/docs/safety/README.md +94 -0
- package/docs/testing/README.md +100 -0
- package/docs/usage/README.md +89 -0
- package/docs/versioning/README.md +30 -0
- package/docs/versioning/adapter-compatibility.md +54 -0
- package/examples/README.md +12 -0
- package/examples/adapters/README.md +9 -0
- package/examples/adapters/documentation-precedence.json +62 -0
- package/examples/adapters/narrow-repo-map.json +64 -0
- package/examples/adapters/runtime-status-hints.json +76 -0
- package/examples/command-policies/README.md +3 -0
- package/examples/command-policies/build-verify.json +57 -0
- package/examples/command-policies/git-preflight.json +44 -0
- package/examples/command-policies/llm-drift-control.json +45 -0
- package/examples/command-policies/repo-map.json +59 -0
- package/examples/command-policies/runtime-truth.json +59 -0
- package/examples/evidence-packs/README.md +3 -0
- package/examples/evidence-packs/build-verify.json +68 -0
- package/examples/evidence-packs/git-preflight.json +55 -0
- package/examples/evidence-packs/llm-drift-control.json +55 -0
- package/examples/evidence-packs/repo-map.json +55 -0
- package/examples/evidence-packs/runtime-truth.json +55 -0
- package/examples/manifests/README.md +3 -0
- package/examples/manifests/build-verify.json +14 -0
- package/examples/manifests/git-preflight.json +14 -0
- package/examples/manifests/llm-drift-control.json +14 -0
- package/examples/manifests/repo-map.json +14 -0
- package/examples/manifests/runtime-truth.json +14 -0
- package/examples/upgrade-evidence/README.md +14 -0
- package/examples/upgrade-evidence/chain-fail.evidence.json +155 -0
- package/examples/upgrade-evidence/chain-fail.evidence.md +14 -0
- package/examples/upgrade-evidence/chain-pass.evidence.json +156 -0
- package/examples/upgrade-evidence/stale-pin.evidence.json +117 -0
- package/examples/upgrade-evidence/unsafe-upgrade.evidence.json +128 -0
- package/examples/upgrade-evidence/valid-upgrade.evidence.json +105 -0
- package/examples/upgrade-evidence/valid-upgrade.evidence.md +13 -0
- package/examples/workflows/README.md +3 -0
- package/examples/workflows/build-verify.md +20 -0
- package/examples/workflows/git-preflight.md +18 -0
- package/examples/workflows/llm-drift-control.md +16 -0
- package/examples/workflows/repo-map.md +20 -0
- package/examples/workflows/runtime-truth.md +17 -0
- package/package.json +58 -0
- package/runs/skill-runs.md +162 -0
- package/schemas/adapter-upgrade-evidence.schema.json +443 -0
- package/schemas/archive-index.schema.json +174 -0
- package/schemas/archive-report.schema.json +322 -0
- package/schemas/command-policy.schema.json +125 -0
- package/schemas/evidence-bundle.schema.json +394 -0
- package/schemas/project-adapter-installation.schema.json +127 -0
- package/schemas/project-adapter.schema.json +328 -0
- package/schemas/skill-manifest.schema.json +40 -0
- package/scripts/check-adapter-upgrade-chain.mjs +32 -0
- package/scripts/check-adapter-upgrade.mjs +31 -0
- package/scripts/lib/adapter-discovery.mjs +441 -0
- package/scripts/lib/adapter-repo-map.mjs +358 -0
- package/scripts/lib/adapter-upgrade-chain.mjs +261 -0
- package/scripts/lib/adapter-upgrade.mjs +434 -0
- package/scripts/lib/evidence-bundle.mjs +831 -0
- package/scripts/lib/pack-rules.mjs +704 -0
- package/scripts/lib/project-adapter-installation.mjs +327 -0
- package/scripts/lib/safe-evidence-output.mjs +92 -0
- package/scripts/lib/schema-validator.mjs +146 -0
- package/scripts/lib/semver.mjs +54 -0
- package/scripts/lib/upgrade-evidence.mjs +276 -0
- package/scripts/render-adapter-repo-map.mjs +8 -0
- package/scripts/render-evidence-archive-report.mjs +18 -0
- package/scripts/run-next +220 -0
- package/scripts/test-pack.mjs +2232 -0
- package/scripts/validate-adapters.mjs +10 -0
- package/scripts/validate-maintainer-loop.mjs +146 -0
- package/scripts/validate-pack.mjs +950 -0
- package/scripts/validate-project-adapters.mjs +8 -0
- package/scripts/verify-evidence-bundle.mjs +18 -0
- package/skills/build-verify/SKILL.md +62 -0
- package/skills/build-verify/adapter-interface.md +7 -0
- package/skills/build-verify/agents/openai.yaml +4 -0
- package/skills/build-verify/checklist.md +12 -0
- package/skills/build-verify/evidence-template.md +11 -0
- package/skills/build-verify/examples.md +16 -0
- package/skills/build-verify/failure-modes.md +14 -0
- package/skills/git-preflight/SKILL.md +65 -0
- package/skills/git-preflight/adapter-interface.md +7 -0
- package/skills/git-preflight/agents/openai.yaml +4 -0
- package/skills/git-preflight/checklist.md +11 -0
- package/skills/git-preflight/evidence-template.md +10 -0
- package/skills/git-preflight/examples.md +18 -0
- package/skills/git-preflight/failure-modes.md +13 -0
- package/skills/llm-drift-control/SKILL.md +67 -0
- package/skills/llm-drift-control/adapter-interface.md +7 -0
- package/skills/llm-drift-control/agents/openai.yaml +4 -0
- package/skills/llm-drift-control/checklist.md +11 -0
- package/skills/llm-drift-control/evidence-template.md +13 -0
- package/skills/llm-drift-control/examples.md +15 -0
- package/skills/llm-drift-control/failure-modes.md +13 -0
- package/skills/repo-map/SKILL.md +71 -0
- package/skills/repo-map/adapter-interface.md +18 -0
- package/skills/repo-map/agents/openai.yaml +4 -0
- package/skills/repo-map/checklist.md +15 -0
- package/skills/repo-map/evidence-template.md +29 -0
- package/skills/repo-map/examples.md +19 -0
- package/skills/repo-map/failure-modes.md +16 -0
- package/skills/runtime-truth/SKILL.md +62 -0
- package/skills/runtime-truth/adapter-interface.md +7 -0
- package/skills/runtime-truth/agents/openai.yaml +4 -0
- package/skills/runtime-truth/checklist.md +11 -0
- package/skills/runtime-truth/evidence-template.md +12 -0
- package/skills/runtime-truth/examples.md +20 -0
- package/skills/runtime-truth/failure-modes.md +13 -0
- package/tests/README.md +44 -0
- package/tests/adapters/README.md +15 -0
- package/tests/completion/README.md +15 -0
- package/tests/evidence/README.md +15 -0
- package/tests/fixtures/README.md +23 -0
- package/tests/fixtures/adapters/allow-deploy.json +60 -0
- package/tests/fixtures/adapters/allow-git-push.json +60 -0
- package/tests/fixtures/adapters/expand-scope.json +53 -0
- package/tests/fixtures/adapters/expose-secrets.json +53 -0
- package/tests/fixtures/adapters/incompatible-version.json +53 -0
- package/tests/fixtures/adapters/override-audit-only.json +53 -0
- package/tests/fixtures/adapters/redefine-completion.json +53 -0
- package/tests/fixtures/adapters/remove-required-evidence.json +53 -0
- package/tests/fixtures/adapters/suppress-failures.json +53 -0
- package/tests/fixtures/adapters/valid-narrowing.json +53 -0
- package/tests/fixtures/adapters/valid-repo-map.json +53 -0
- package/tests/fixtures/adapters/weakening-repo-map.json +42 -0
- package/tests/fixtures/completion/cases.json +143 -0
- package/tests/fixtures/completion/false-complete.json +51 -0
- package/tests/fixtures/evidence-bundles/advisory-review-soon/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-archive/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-archive/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-archive/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-archive/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-archive-index/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-hash/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-hash/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-hash/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-hash/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-missing-entry/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-path/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-path/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-path/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-path/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-provenance/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-provenance/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-regression/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-regression/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-regression/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-regression/evidence-bundle.json +113 -0
- package/tests/fixtures/evidence-bundles/invalid-retention/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-retention/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-retention/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-retention/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/invalid-signature-plan/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence-bundle.json +109 -0
- package/tests/fixtures/evidence-bundles/valid-bundle/archive/evidence-archive-index.json +52 -0
- package/tests/fixtures/evidence-bundles/valid-bundle/evidence/repo-map.evidence.json +68 -0
- package/tests/fixtures/evidence-bundles/valid-bundle/evidence/valid-upgrade.evidence.json +105 -0
- package/tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json +109 -0
- package/tests/fixtures/external-adapters/empty/README.md +3 -0
- package/tests/fixtures/external-adapters/invalid-completion-override/.coding-agent/adapters/completion/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-deploy/.coding-agent/adapters/deploy/adapter.json +60 -0
- package/tests/fixtures/external-adapters/invalid-evidence-suppression/.coding-agent/adapters/evidence/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-failure-suppression/.coding-agent/adapters/failures/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-git-push/.coding-agent/adapters/publish/adapter.json +60 -0
- package/tests/fixtures/external-adapters/invalid-malformed/.coding-agent/adapters/malformed/adapter.json +1 -0
- package/tests/fixtures/external-adapters/invalid-malformed/malformed-adapter.txt +1 -0
- package/tests/fixtures/external-adapters/invalid-mode-escalation/.coding-agent/adapters/mode/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-path-traversal/.coding-agent/adapters/path/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-restriction-removal/.coding-agent/adapters/restrictions/adapter.json +52 -0
- package/tests/fixtures/external-adapters/invalid-scope-expansion/.coding-agent/adapters/scope/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-secret-exposure/.coding-agent/adapters/secrets/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-skill-id/.coding-agent/adapters/skill/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-skill-version/.coding-agent/adapters/skill-version/adapter.json +53 -0
- package/tests/fixtures/external-adapters/invalid-unknown-manifest/.coding-agent/adapters/unknown/manifest.json +1 -0
- package/tests/fixtures/external-adapters/invalid-version/.coding-agent/adapters/version/adapter.json +53 -0
- package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/invalid/adapter.json +60 -0
- package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/valid/adapter.json +53 -0
- package/tests/fixtures/external-adapters/valid-basic/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/external-adapters/valid-doc-precedence/coding-agent/adapters/docs/adapter.json +53 -0
- package/tests/fixtures/external-adapters/valid-runtime-status/adapters/coding-agent/runtime/adapter.json +65 -0
- package/tests/fixtures/mutation/cases.json +87 -0
- package/tests/fixtures/mutation/snapshot-target/README.md +3 -0
- package/tests/fixtures/mutation/snapshot-target/state.json +4 -0
- package/tests/fixtures/policy/commands.json +164 -0
- package/tests/fixtures/policy/properties.json +126 -0
- package/tests/fixtures/privacy/cases.json +47 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.agents/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-missing-declaration/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/adapters/basic/adapter.json +52 -0
- package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent/adapters/docs/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent.skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/adapters/basic/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/skills.json +23 -0
- package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/.coding-agent/skills.json +28 -0
- package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/repo/adapter.json +53 -0
- package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/runtime/adapter.json +58 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/adapters/fixture-chain-adapter/adapter.json +69 -0
- package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +71 -0
- package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/skills.json +27 -0
- package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
- package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/skills.json +27 -0
- package/tests/fixtures/sample-repo/.env.example +1 -0
- package/tests/fixtures/sample-repo/README.md +4 -0
- package/tests/fixtures/sample-repo/docs/architecture.md +3 -0
- package/tests/fixtures/sample-repo/package.json +11 -0
- package/tests/fixtures/sample-repo/src/index.js +3 -0
- package/tests/fixtures/sample-repo/test/index.test.js +8 -0
- package/tests/fixtures/triggers/cases.json +101 -0
- package/tests/policy/README.md +16 -0
- package/tests/privacy/README.md +14 -0
- package/tests/safety/README.md +17 -0
- package/tests/trigger/README.md +11 -0
- package/work-ledger.md +159 -0
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
# Real Project Adapter Adoption Gate
|
|
2
|
+
|
|
3
|
+
This document defines the planning gate for a future first real project adapter. It does
|
|
4
|
+
not approve creating that adapter, modifying a project repository, or changing the shared
|
|
5
|
+
skill pack's safety model.
|
|
6
|
+
|
|
7
|
+
The shared repository is ready to evaluate a candidate because it already has bounded
|
|
8
|
+
adapter discovery, project-owned installation declarations, version pinning, upgrade
|
|
9
|
+
checks, compatibility-chain checks, evidence contracts, and release validation. That
|
|
10
|
+
readiness is a gate, not implementation permission.
|
|
11
|
+
|
|
12
|
+
## Candidate Selection Criteria
|
|
13
|
+
|
|
14
|
+
A first real project adapter candidate must satisfy all of these conditions before any
|
|
15
|
+
project repository is touched:
|
|
16
|
+
|
|
17
|
+
- The project owner explicitly approves an adapter-planning review for that repository.
|
|
18
|
+
- The project has a stable repository root and an identifiable owning project.
|
|
19
|
+
- The project can use one supported adapter location:
|
|
20
|
+
`.coding-agent/adapters/`, `coding-agent/adapters/`, or `adapters/coding-agent/`.
|
|
21
|
+
- The project can declare exactly one installation file: `.coding-agent/skills.json` or
|
|
22
|
+
`coding-agent.skills.json`.
|
|
23
|
+
- The adapter need is bounded to existing pilot skills: `repo-map`, `build-verify`,
|
|
24
|
+
`git-preflight`, `runtime-truth`, or `llm-drift-control`.
|
|
25
|
+
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
26
|
+
aliases, status-only hints, or extra evidence requirements.
|
|
27
|
+
- The adapter does not require deployment, migration, package installation, Git
|
|
28
|
+
publication, service mutation, billing, platform credentials, or secret reads.
|
|
29
|
+
- The project has enough public or non-sensitive documentation to justify the adapter
|
|
30
|
+
without storing raw secrets, private evidence, or local environment values.
|
|
31
|
+
|
|
32
|
+
If any condition is missing, the candidate remains deferred.
|
|
33
|
+
|
|
34
|
+
## Required Evidence Before Touching A Real Project
|
|
35
|
+
|
|
36
|
+
Before creating files in a real project repository, the operator must gather and report
|
|
37
|
+
sanitized evidence from this shared repository only:
|
|
38
|
+
|
|
39
|
+
- Current shared skill-pack version and tag.
|
|
40
|
+
- Clean or intentionally documented Git state for the shared repository.
|
|
41
|
+
- Candidate project name or approved placeholder, without secrets or local-only paths.
|
|
42
|
+
- Proposed adapter root and declaration-file location.
|
|
43
|
+
- Pilot skill IDs the adapter would support.
|
|
44
|
+
- Proposed extension type, such as read paths, documentation precedence, package-manager
|
|
45
|
+
hints, status-only runtime hints, or additional evidence.
|
|
46
|
+
- Explicit statement that no new skill, platform workflow, deployment, migration, package
|
|
47
|
+
publication, or global CLI flow is part of the adoption.
|
|
48
|
+
- Approval record naming whether the next step is read-only review, project-file
|
|
49
|
+
scaffolding, or implementation.
|
|
50
|
+
|
|
51
|
+
This evidence must not include `.env` contents, credentials, raw command output with
|
|
52
|
+
private values, or private project internals.
|
|
53
|
+
|
|
54
|
+
## Required Validator Commands
|
|
55
|
+
|
|
56
|
+
Before adoption planning can move from this shared repository into a real project, the
|
|
57
|
+
shared pack must pass:
|
|
58
|
+
|
|
59
|
+
```bash
|
|
60
|
+
node scripts/validate-pack.mjs .
|
|
61
|
+
node scripts/test-pack.mjs
|
|
62
|
+
node scripts/validate-maintainer-loop.mjs .
|
|
63
|
+
node scripts/validate-adapters.mjs tests/fixtures/external-adapters/valid-basic
|
|
64
|
+
node scripts/validate-project-adapters.mjs tests/fixtures/project-adapter-installation/valid-exact-pin
|
|
65
|
+
node scripts/check-adapter-upgrade.mjs tests/fixtures/project-adapter-upgrades/valid-upgrade/before tests/fixtures/project-adapter-upgrades/valid-upgrade/after
|
|
66
|
+
node scripts/check-adapter-upgrade-chain.mjs tests/fixtures/project-adapter-upgrade-chains/valid-chain
|
|
67
|
+
node --test
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
After a separately approved real adapter is created in its owning project repository, run
|
|
71
|
+
the same shared-pack validation plus the project-specific declaration validation against
|
|
72
|
+
the approved project root. If an existing adapter is being changed, also run the upgrade
|
|
73
|
+
or compatibility-chain check against sanitized before and after revisions.
|
|
74
|
+
|
|
75
|
+
## Safety Boundaries
|
|
76
|
+
|
|
77
|
+
Project adapters remain extension-only data. They must never:
|
|
78
|
+
|
|
79
|
+
- Remove inherited denied-operation categories.
|
|
80
|
+
- Change an audit-only skill into an action-capable skill.
|
|
81
|
+
- Permit deployment, Git publication, installation, migration, service mutation, or
|
|
82
|
+
privileged API calls.
|
|
83
|
+
- Expose secrets or add secret-bearing paths.
|
|
84
|
+
- Suppress failures, contradictions, dirty state, required evidence, or skipped-check
|
|
85
|
+
consequences.
|
|
86
|
+
- Redefine completion semantics.
|
|
87
|
+
- Expand scanning outside the approved project root.
|
|
88
|
+
- Read or print `.env` files.
|
|
89
|
+
- Copy shared restrictions into a project in a way that allows local weakening.
|
|
90
|
+
|
|
91
|
+
The shared core remains authoritative for schemas, command policy, completion rules,
|
|
92
|
+
evidence contracts, and validator behavior.
|
|
93
|
+
|
|
94
|
+
## Approval Gates
|
|
95
|
+
|
|
96
|
+
The following approvals are separate:
|
|
97
|
+
|
|
98
|
+
1. Approve selecting a candidate project for adapter planning.
|
|
99
|
+
2. Approve read-only evidence gathering in that project.
|
|
100
|
+
3. Approve creating project-owned adapter files in that project.
|
|
101
|
+
4. Approve validating the project declaration with the shared core.
|
|
102
|
+
5. Approve committing or publishing project-repository adapter changes.
|
|
103
|
+
6. Approve changing the shared core if adoption reveals a missing generic validator rule.
|
|
104
|
+
|
|
105
|
+
Approval for one gate does not imply approval for the next gate.
|
|
106
|
+
|
|
107
|
+
## Stop Conditions
|
|
108
|
+
|
|
109
|
+
Stop immediately and report if:
|
|
110
|
+
|
|
111
|
+
- The candidate requires a new skill or platform-specific workflow.
|
|
112
|
+
- The candidate needs deployment, migration, package installation, Git publication, or
|
|
113
|
+
service mutation.
|
|
114
|
+
- The candidate requires reading or exposing secrets.
|
|
115
|
+
- The project cannot use a supported adapter location or declaration file.
|
|
116
|
+
- The shared validation matrix fails.
|
|
117
|
+
- The adapter would weaken shared restrictions, evidence rules, command policy, or
|
|
118
|
+
completion semantics.
|
|
119
|
+
- The project owner has not explicitly approved the current gate.
|
|
120
|
+
- The work would require touching a real project repository without separate approval.
|
|
121
|
+
|
|
122
|
+
## Rollback Conditions
|
|
123
|
+
|
|
124
|
+
If a separately approved project adapter later fails validation, the operator must stop
|
|
125
|
+
and preserve evidence. Rollback means removing or reverting the project-owned adapter
|
|
126
|
+
change in that project repository under that repository's approval process. This shared
|
|
127
|
+
repository must not silently loosen schemas, validators, or safety rules to make a real
|
|
128
|
+
adapter pass.
|
|
129
|
+
|
|
130
|
+
## Still Forbidden Until Separately Approved
|
|
131
|
+
|
|
132
|
+
- New skills.
|
|
133
|
+
- Real project adapter creation.
|
|
134
|
+
- Real project repository modification.
|
|
135
|
+
- Platform or deployment skills.
|
|
136
|
+
- Package publication or root package setup.
|
|
137
|
+
- Global CLI installation flow.
|
|
138
|
+
- Deployments, migrations, service mutations, or privileged API calls.
|
|
139
|
+
- Commit, push, tag, or release publication.
|
|
140
|
+
- Reading or printing `.env` contents.
|
|
141
|
+
|
|
142
|
+
## First Adoption Evidence
|
|
143
|
+
|
|
144
|
+
The first external project-owned adapter adoption has completed for
|
|
145
|
+
`/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit
|
|
146
|
+
`c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
|
|
147
|
+
|
|
148
|
+
The adopted adapter scope is intentionally narrow:
|
|
149
|
+
|
|
150
|
+
- `repo-map` only.
|
|
151
|
+
- Docs/metadata-only.
|
|
152
|
+
- No commands.
|
|
153
|
+
- No runtime checks.
|
|
154
|
+
- No build, test, or package behavior.
|
|
155
|
+
- No platform, deployment, migration, or service behavior.
|
|
156
|
+
- No secret-aware behavior.
|
|
157
|
+
|
|
158
|
+
Validation evidence:
|
|
159
|
+
|
|
160
|
+
- Shared pack validation passed.
|
|
161
|
+
- Shared release tests passed.
|
|
162
|
+
- Maintainer-loop validation passed.
|
|
163
|
+
- Project adapter validation accepted one adapter and one skill with the core pin accepted.
|
|
164
|
+
- Built-in Node tests passed.
|
|
165
|
+
- Shared and candidate whitespace checks passed.
|
|
166
|
+
- Candidate adapter JSON parsed successfully.
|
|
167
|
+
|
|
168
|
+
Publication caveat: the candidate repository's normal pre-push hook attempted package
|
|
169
|
+
operations, including install, audit, and typecheck. The run was interrupted to preserve
|
|
170
|
+
the approved no-install/no-build/no-test boundary. Publication then completed with hook
|
|
171
|
+
verification bypass after the shared adapter validator and safe checks passed.
|
|
172
|
+
|
|
173
|
+
Future adoption runs must explicitly decide whether repository hooks are allowed or whether
|
|
174
|
+
hook bypass is required to preserve the approved boundary. Hook bypass does not replace
|
|
175
|
+
adapter validation; it only prevents unapproved project-native package operations.
|
|
176
|
+
|
|
177
|
+
Remaining approval boundaries:
|
|
178
|
+
|
|
179
|
+
- Expanding the adapter beyond `repo-map`.
|
|
180
|
+
- Enabling command aliases, build verification, runtime truth, or status checks.
|
|
181
|
+
- Running candidate project package scripts.
|
|
182
|
+
- Inspecting Docker, database, worker, SMTP, migration, deployment, billing, platform, or
|
|
183
|
+
secret-bearing surfaces.
|
|
184
|
+
- Changing shared schemas, validators, command policy, or completion rules.
|
|
185
|
+
- Creating additional real project adapters.
|
|
186
|
+
|
|
187
|
+
Next safe milestone options:
|
|
188
|
+
|
|
189
|
+
- Document the project-hook publication policy for real adapter adoption.
|
|
190
|
+
- Add synthetic fixture coverage for hook-triggered publication caveats without adding
|
|
191
|
+
real project details.
|
|
192
|
+
- Plan a second read-only candidate qualification audit.
|
|
193
|
+
- Plan a `repo-map` adapter upgrade evidence review for the adopted project adapter.
|
|
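Review bot: Lines 145-146 of the new file commit an absolute local home path (`/home/oneclickwebsitedesignfactory/tax-lien-platform`) together with a candidate commit hash, which breaks this document's own evidence rule on line 41 ("approved placeholder, without secrets or local-only paths"). Replace the path with an approved placeholder, and keep the commit reference only if the project owner has cleared it for publication. Separately, the opening paragraph (lines 3-5) and the "Still Forbidden Until Separately Approved" list (lines 133-134 and 139) still say real adapter creation and commit or push are not approved, while lines 144-171 record a completed adoption that was published with hook verification bypass. Cite the approval record for gates 3 and 5 and for the bypass decision, or reword the forbidden list so it clearly applies to further adoptions only.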
@@ -0,0 +1,67 @@
|
|
|
1
|
+
# Adapter Upgrade Evidence
|
|
2
|
+
|
|
3
|
+
The machine-readable contract is
|
|
4
|
+
[`adapter-upgrade-evidence.schema.json`](../../schemas/adapter-upgrade-evidence.schema.json).
|
|
5
|
+
It records a pair or chain review without storing raw project paths, project identifiers,
|
|
6
|
+
environment values, credentials, or upgrade mutations.
|
|
7
|
+
|
|
8
|
+
## Contract Contents
|
|
9
|
+
|
|
10
|
+
Every record includes:
|
|
11
|
+
|
|
12
|
+
- Contract, validator, invocation, and timestamp identity.
|
|
13
|
+
- Sanitized before and after project summaries.
|
|
14
|
+
- Core, adapter, schema, skill, compatibility, and pin information.
|
|
15
|
+
- Restriction inheritance and approval requirements.
|
|
16
|
+
- Risks, failures, warnings, confidence, and recommended action.
|
|
17
|
+
- Final `pass`, `warn`, `fail`, or `blocked` status.
|
|
18
|
+
- An explicit `changedState.changed: false` declaration.
|
|
19
|
+
|
|
20
|
+
Chain records additionally include a synthetic chain ID and ordinal transition summaries.
|
|
21
|
+
Revision labels such as `revision-1` are evidence-safe placeholders, not directory names.
|
|
22
|
+
|
|
23
|
+
## Pair Output
|
|
24
|
+
|
|
25
|
+
Print sanitized JSON:
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
node scripts/check-adapter-upgrade.mjs <before> <after> --json
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
Write one new JSON evidence file:
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
node scripts/check-adapter-upgrade.mjs <before> <after> --output validation-output/upgrade.json
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
## Chain Output
|
|
38
|
+
|
|
39
|
+
Print sanitized JSON:
|
|
40
|
+
|
|
41
|
+
```bash
|
|
42
|
+
node scripts/check-adapter-upgrade-chain.mjs <chain-root> --json
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
Write one new JSON evidence file:
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
node scripts/check-adapter-upgrade-chain.mjs <chain-root> --output validation-output/chain.json
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
Output paths must be relative, end in `.json`, remain beneath the current working directory,
|
|
52
|
+
have an existing non-symlink parent, avoid `.env` components, and identify a file that does
|
|
53
|
+
not already exist. Evidence output never overwrites a file.
|
|
54
|
+
|
|
55
|
+
The optional report write does not apply an adapter upgrade. The changed-state declaration
|
|
56
|
+
refers to project, adapter, Git, runtime, service, database, and remote state, all of which
|
|
57
|
+
remain unchanged.
|
|
58
|
+
|
|
59
|
+
## Status Policy
|
|
60
|
+
|
|
61
|
+
A stale exact pin or stale compatible range is blocking and produces `fail`. So do
|
|
62
|
+
unsupported cores, schema or skill drift, restriction weakening, evidence removal, failure
|
|
63
|
+
suppression, completion override, mode escalation, secret exposure, scope expansion, and
|
|
64
|
+
unsafe paths.
|
|
65
|
+
|
|
66
|
+
`warn` is reserved for compatible reviews carrying non-blocking approval requirements.
|
|
67
|
+
Passing evidence remains advisory and requires human approval before real-project adoption.
|
|
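Review bot: The status list on line 17 includes `blocked`, but the Status Policy section (lines 59-67) only says when `fail` and `warn` are produced, so a consumer of the evidence cannot tell which conditions yield `blocked` rather than `fail`. Add a sentence defining `blocked`, or drop it from the list if it is unused. In the output-path rules (lines 51-53), "an existing non-symlink parent" reads as covering only the immediate parent directory, and "does not already exist" reads as a check made before the write. State whether every path component is checked after resolution and whether the file is created exclusively, so the non-overwriting guarantee does not depend on timing.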
@@ -0,0 +1,83 @@
|
|
|
1
|
+
# Adapter Upgrade Checks
|
|
2
|
+
|
|
3
|
+
Project-owned adapter upgrades are compared as two complete, disposable project revisions:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
The command is advisory and read-only. It validates each revision with the existing project
|
|
10
|
+
adapter validator, compares the declarations and accepted manifests, and reports stable
|
|
11
|
+
rejection codes. It does not update pins, copy adapters, install packages, or approve an
|
|
12
|
+
upgrade.
|
|
13
|
+
|
|
14
|
+
## Revision Convention
|
|
15
|
+
|
|
16
|
+
Both roots must use the project installation convention in
|
|
17
|
+
[project-installation.md](project-installation.md). The before revision declares its current
|
|
18
|
+
core compatibility. The after revision declares the proposed target compatibility.
|
|
19
|
+
|
|
20
|
+
For a direct `0.2.3` check, `0.2.2` is the supported upgrade source and `0.2.3` is the target.
|
|
21
|
+
Older sources and future targets fail closed.
|
|
22
|
+
|
|
23
|
+
## Compatibility Chains
|
|
24
|
+
|
|
25
|
+
An ordered chain uses contiguous directory names such as:
|
|
26
|
+
|
|
27
|
+
```text
|
|
28
|
+
01-current/
|
|
29
|
+
02-upgrade/
|
|
30
|
+
03-upgrade/
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Run:
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
node scripts/check-adapter-upgrade-chain.mjs <chain-root>
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Every revision validates against its declared core. Every adjacent transition reuses the
|
|
40
|
+
pair validator with that transition's target version. Patch versions must advance by one,
|
|
41
|
+
and the final revision must target the running `0.2.3` core. Repeated versions are stale;
|
|
42
|
+
gaps, reversals, old sources, and future targets fail.
|
|
43
|
+
|
|
44
|
+
## Stale Pins
|
|
45
|
+
|
|
46
|
+
- A **stale exact pin** still fixes the after revision to an older core.
|
|
47
|
+
- A **stale compatible range** does not include the running core, or leaves the expected
|
|
48
|
+
version behind while using a range.
|
|
49
|
+
|
|
50
|
+
The after declaration must set `expectedVersion` to the running core and its `versionPin`
|
|
51
|
+
must contain that version. Exact pins and bounded ranges remain distinct in evidence.
|
|
52
|
+
|
|
53
|
+
## Safe Upgrade Rules
|
|
54
|
+
|
|
55
|
+
A safe upgrade must:
|
|
56
|
+
|
|
57
|
+
- Preserve project and adapter identity.
|
|
58
|
+
- Use the supported adapter schema.
|
|
59
|
+
- Preserve every inherited denied operation.
|
|
60
|
+
- Preserve audit-only modes, failure reporting, completion rules, and secret protections.
|
|
61
|
+
- Retain all previously required evidence; adding evidence is allowed.
|
|
62
|
+
- Declare only approved pilot skills and compatible skill versions.
|
|
63
|
+
- Keep all declaration and manifest paths inside their project revision.
|
|
64
|
+
|
|
65
|
+
Schema drift, skill compatibility drift, adapter downgrade, restriction weakening, mode
|
|
66
|
+
escalation, evidence removal, failure suppression, completion override, secret exposure,
|
|
67
|
+
scope expansion, traversal, and symlink escape reject the upgrade.
|
|
68
|
+
|
|
69
|
+
## Evidence And Exit Codes
|
|
70
|
+
|
|
71
|
+
Exit `0` means the pair or chain validated and preserved the shared boundary. Exit `1`
|
|
72
|
+
means validation was rejected. Exit `2` means usage, output safety, or an internal boundary
|
|
73
|
+
failed. Summaries contain counts and rejection codes only; manifest values are not echoed.
|
|
74
|
+
|
|
75
|
+
Use `--json` for sanitized machine-readable evidence or `--output <relative-file.json>` to
|
|
76
|
+
write a new evidence artifact. See [upgrade evidence](upgrade-evidence.md) for the
|
|
77
|
+
non-overwriting output policy.
|
|
78
|
+
|
|
79
|
+
A passing result is evidence that the disposable comparison passed. Applying the same
|
|
80
|
+
upgrade to a real project still requires explicit approval and fresh project evidence.
|
|
81
|
+
|
|
82
|
+
All committed revisions and chains in this milestone are synthetic fixtures. No real project adapter
|
|
83
|
+
or project repository is read or modified.
|
|
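Review bot: Lines 20 and 41 hard-code `0.2.3` as the running core and `0.2.2` as the only supported upgrade source, while this diff is for package version 0.2.8, so a reader cannot tell whether the text describes an older milestone or whether the checker still fails closed on anything newer than `0.2.3`. State the rule relative to the running core version (previous patch as source, running core as target) or update the literals. Line 40 should also say how "advance by one" applies across a minor or major version change.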
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# Architecture
|
|
2
|
+
|
|
3
|
+
The library uses a hybrid model:
|
|
4
|
+
|
|
5
|
+
- This standalone repository owns general shared skills, contracts, and schemas.
|
|
6
|
+
- Project repositories may own narrow adapters that add local manifests, documentation precedence, ignored paths, or safe detection rules.
|
|
7
|
+
|
|
8
|
+
Skills consume the evidence-pack contract but do not depend on hidden state. Audit-only and action-capable behavior remain separate. Adapters may only narrow permissions or enrich evidence; shared restrictions and completion rules take precedence.
|
|
9
|
+
|
|
10
|
+
## Pilot Skills
|
|
11
|
+
|
|
12
|
+
Audit-only:
|
|
13
|
+
|
|
14
|
+
- `repo-map`
|
|
15
|
+
- `git-preflight`
|
|
16
|
+
- `runtime-truth`
|
|
17
|
+
- `llm-drift-control`
|
|
18
|
+
|
|
19
|
+
Controlled local validation:
|
|
20
|
+
|
|
21
|
+
- `build-verify`
|
|
22
|
+
|
|
23
|
+
The evidence pack is a shared output contract, not an executable skill. Route tracing, environment and secret audits, deployment preflight, GitHub handoff, provider operations, and project adapters remain separate future work.
|
|
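Review bot: Line 23 lists project adapters as "separate future work", while line 6 says project repositories may own narrow adapters and line 8 already sets precedence rules for them. Say which adapter capabilities exist now and which are deferred. Lines 12-21 also introduce a third label, "Controlled local validation", for `build-verify`, although line 8 only distinguishes audit-only from action-capable behavior. State which of the two modes `build-verify` counts as, since the adapter rules depend on that distinction.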
@@ -0,0 +1,54 @@
|
|
|
1
|
+
# Authoring
|
|
2
|
+
|
|
3
|
+
New skills must:
|
|
4
|
+
|
|
5
|
+
1. Define precise trigger conditions in YAML frontmatter.
|
|
6
|
+
2. State whether they are audit-only or action-capable.
|
|
7
|
+
3. Define command families, argument policy, parser invariants, and restricted categories.
|
|
8
|
+
4. Use the shared evidence-pack contract.
|
|
9
|
+
5. Prevent `complete` when required evidence failed or was skipped without an acceptable consequence.
|
|
10
|
+
6. Keep provider and project behavior in explicit adapters.
|
|
11
|
+
7. Include tests for trigger behavior, command policy, mutation prevention, privacy, adapters, and false completion.
|
|
12
|
+
8. Keep `SKILL.md` concise and link directly to detailed companion references.
|
|
13
|
+
9. Use imperative procedures and explicit status transitions.
|
|
14
|
+
10. Validate `agents/openai.yaml` whenever trigger wording changes.
|
|
15
|
+
11. Declare `adapterSchema` and `adapterCompatibility` in the skill manifest.
|
|
16
|
+
12. Add exact and generated property-style command-policy cases.
|
|
17
|
+
|
|
18
|
+
Do not copy commands from restricted evidence into procedures. Use placeholders instead of private paths, domains, identifiers, or credentials.
|
|
19
|
+
|
|
20
|
+
Project adapters must validate against `schemas/project-adapter.schema.json`. They may add known paths, script aliases, source precedence, status-only commands, and evidence requirements. They may not weaken restrictions, hide failures, change skill mode, or redefine completion.
|
|
21
|
+
|
|
22
|
+
Future skills must declare the adapter contract version and compatible adapter versions in their manifest. Adapter compatibility is bidirectional: the manifest must accept the adapter version, and the adapter must accept the skill ID, version, and original mode.
|
|
23
|
+
|
|
24
|
+
External adapters must use one documented discovery location and an immediate child
|
|
25
|
+
directory containing `adapter.json`. Keep manifests synthetic during shared-core testing.
|
|
26
|
+
Run `node scripts/validate-adapters.mjs <adapter-root>` before proposing a real project
|
|
27
|
+
adapter. Passing schema validation alone is insufficient; compatibility, path safety,
|
|
28
|
+
command aliases, evidence additions, and inherited restrictions must also pass.
|
|
29
|
+
|
|
30
|
+
A future project adoption must also add exactly one supported skills declaration, pin the
|
|
31
|
+
released shared core, list every adapter ID/version/skill set, retain `noSecrets: true`, and
|
|
32
|
+
pass `node scripts/validate-project-adapters.mjs <project-root>`. A project declaration may
|
|
33
|
+
narrow compatibility but cannot replace the shared schema, policy, mode, or completion rules.
|
|
34
|
+
|
|
35
|
+
Before proposing an adapter upgrade, retain separate before and after project revisions and
|
|
36
|
+
run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`.
|
|
37
|
+
Update the expected core, pin, and skill compatibility together. Preserve adapter identity,
|
|
38
|
+
all denied categories, and every existing evidence requirement. A passing advisory check
|
|
39
|
+
does not approve modification of a real project.
|
|
40
|
+
|
|
41
|
+
For multiple revisions, use contiguous ordinal directories and run
|
|
42
|
+
`node scripts/check-adapter-upgrade-chain.mjs <chain-root>`. Produce sanitized evidence with
|
|
43
|
+
`--json` or an explicitly requested relative `--output` file. Validate evidence against
|
|
44
|
+
`schemas/adapter-upgrade-evidence.schema.json`, keep `changedState.changed` false, and never
|
|
45
|
+
store raw project paths, project IDs, `.env` values, credentials, or applied changes.
|
|
46
|
+
|
|
47
|
+
Evidence bundles must declare retention, expiry-advisory, provenance, archive-index, and
|
|
48
|
+
archive policy metadata. Use `node scripts/verify-evidence-bundle.mjs <bundle-file>` before
|
|
49
|
+
claiming replay or regression success, and use
|
|
50
|
+
`node scripts/render-evidence-archive-report.mjs <bundle-file>` when a sanitized archive
|
|
51
|
+
summary is needed. Do not inline signatures, raw evidence bodies, command output, local
|
|
52
|
+
paths, or secret-like values into archive indexes or reports. Detached-signature
|
|
53
|
+
verification planning is metadata only until a future milestone explicitly approves real
|
|
54
|
+
verification infrastructure.
|
|
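Review bot: Line 20 lets adapters add "script aliases" and "status-only commands", and line 28 requires command aliases to pass validation, but neither line states what makes an alias or a status command acceptable. Link to the command policy that decides this, or state the rule here (for example, that an alias may only resolve to a command the shared policy already permits), so that authors do not read line 20 as permission to introduce new commands. Item 10 on line 14 also names no command for validating `agents/openai.yaml`, unlike the other validation steps in this file.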
@@ -0,0 +1,94 @@
|
|
|
1
|
+
# Evidence Bundles
|
|
2
|
+
|
|
3
|
+
Evidence bundles group already-produced evidence files into a deterministic, read-only
|
|
4
|
+
verification unit.
|
|
5
|
+
|
|
6
|
+
## What The Harness Verifies
|
|
7
|
+
|
|
8
|
+
- The bundle matches `schemas/evidence-bundle.schema.json`.
|
|
9
|
+
- The bundle declares a retention policy with a bounded review window, storage class,
|
|
10
|
+
and redaction rule.
|
|
11
|
+
- The retention policy includes an expiry advisory. The advisory may report `retained`,
|
|
12
|
+
`review-soon`, or `expired-review-required`, but it is manual-review-only and never
|
|
13
|
+
deletes or moves evidence.
|
|
14
|
+
- The bundle declares provenance for the producing harness and target tag.
|
|
15
|
+
- The provenance section follows the detached-signature design. Synthetic fixtures may
|
|
16
|
+
remain unsigned, but non-fixture bundles cannot use that shortcut.
|
|
17
|
+
- The detached-signature section includes a verification plan with required future
|
|
18
|
+
artifacts. The harness validates the plan but does not perform cryptographic signing or
|
|
19
|
+
signature verification.
|
|
20
|
+
- The archive policy allows only sanitized JSON summaries, never raw evidence bodies or
|
|
21
|
+
secret values.
|
|
22
|
+
- The archive policy may link to a synthetic sanitized archive index that records entry
|
|
23
|
+
identifiers, hashes, retention summary, and provenance summary.
|
|
24
|
+
- Every entry path is relative, local to the bundle, non-symlinked, and not a local
|
|
25
|
+
environment-file path.
|
|
26
|
+
- Every entry hash matches the declared SHA-256 digest.
|
|
27
|
+
- Evidence-pack entries validate against the shared evidence-pack contract.
|
|
28
|
+
- Adapter-upgrade entries validate against the adapter-upgrade evidence contract.
|
|
29
|
+
- Entry statuses match their declared expected status.
|
|
30
|
+
- Evidence does not claim state mutation.
|
|
31
|
+
- Replay produces the same canonical report hash inside a single verification run.
|
|
32
|
+
- The target release preserves all declared baseline entries without status regression.
|
|
33
|
+
|
|
34
|
+
## Retention And Provenance
|
|
35
|
+
|
|
36
|
+
Retention metadata is advisory evidence, not a deletion scheduler. The verifier checks that
|
|
37
|
+
the declared review window is long enough for synthetic fixtures or maintainer release
|
|
38
|
+
evidence and that `retainUntil` is after `generatedAt` by at least the declared minimum
|
|
39
|
+
days. Expiry status is reported as advisory evidence for human review only. It is not a
|
|
40
|
+
deletion system and it does not change retention state.
|
|
41
|
+
|
|
42
|
+
Provenance is a signed-provenance design contract. The pilot does not create real
|
|
43
|
+
signatures or publish release attestations. It does require the bundle to name the
|
|
44
|
+
producer, source commit, target release tag, canonicalization strategy, digest algorithm,
|
|
45
|
+
and detached-signature policy so future signing can be added without changing the safety
|
|
46
|
+
model. The verification plan names the canonical bundle JSON, detached signature, and
|
|
47
|
+
public verification identity that a future verifier would require. `validatesSignatureNow`
|
|
48
|
+
must remain `false` in this milestone.
|
|
49
|
+
|
|
50
|
+
## Archive Indexes
|
|
51
|
+
|
|
52
|
+
Archive indexes are synthetic sanitized fixtures validated against
|
|
53
|
+
`schemas/archive-index.schema.json`. They are metadata-only indexes for bundle review. An
|
|
54
|
+
index may list bundle entry IDs, expected statuses, hashes, retention advisory status, and
|
|
55
|
+
signature-plan status, but it must not contain raw evidence bodies, command output, local
|
|
56
|
+
paths, credentials, or secret-like values.
|
|
57
|
+
|
|
58
|
+
The verifier checks that the index belongs to the bundle, matches the current entry set,
|
|
59
|
+
preserves entry hashes, links to retention metadata, and declares no state change.
|
|
60
|
+
|
|
61
|
+
## Archive Reports
|
|
62
|
+
|
|
63
|
+
Archive reports are sanitized summaries derived from a verified bundle. They include
|
|
64
|
+
bundle identity, entry identifiers, replay hash, regression status, retention metadata,
|
|
65
|
+
retention-expiry advisory status, provenance metadata, detached-signature verification
|
|
66
|
+
planning metadata, and archive-index status. They do not include raw evidence bodies,
|
|
67
|
+
command output, local home paths, credentials, or secret-like values.
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
node scripts/render-evidence-archive-report.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Use `--json` to print the structured sanitized report to stdout. The command does not
|
|
74
|
+
write archive files; storing a report remains a separate approval boundary.
|
|
75
|
+
|
|
76
|
+
## Command
|
|
77
|
+
|
|
78
|
+
```bash
|
|
79
|
+
node scripts/verify-evidence-bundle.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
Use `--json` when a caller needs the structured report. The report is sanitized and does
|
|
83
|
+
not include raw evidence bodies or secret values.
|
|
84
|
+
|
|
85
|
+
## Boundaries
|
|
86
|
+
|
|
87
|
+
The verifier is an evidence harness only. It does not create skills, install packages,
|
|
88
|
+
write project files, apply upgrades, touch real project repositories, run deployments, run
|
|
89
|
+
migrations, mutate services, read local environment files, or publish releases.
|
|
90
|
+
|
|
91
|
+
The archive-report renderer follows the same read-only boundary. It renders sanitized
|
|
92
|
+
stdout only and does not create or update archive destinations.
|
|
93
|
+
|
|
94
|
+
Real project evidence bundles remain deferred until separately approved.
|
|
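Review bot: Line 26 presents the SHA-256 match as a verification result, but lines 18-19 and 47-48 say no signature is checked (`validatesSignatureNow` must remain `false`), so each digest is only compared against a value stored in the same unsigned bundle. Add a sentence under "What The Harness Verifies" stating that hash matching here detects accidental change, not modification by someone able to edit the bundle, until detached-signature verification exists. Line 31 should also say whether the replay hash is expected to be stable across separate runs, since "inside a single verification run" leaves that open.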
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# Evidence Retention And Privacy
|
|
2
|
+
|
|
3
|
+
## Collection
|
|
4
|
+
|
|
5
|
+
Collect only evidence required to justify the skill result. Prefer concise summaries and references over raw output.
|
|
6
|
+
|
|
7
|
+
## Sanitization
|
|
8
|
+
|
|
9
|
+
Never retain token values, cookies, private keys, authenticated headers, connection strings, private tenant identifiers, or secret-file contents. Replace private paths, domains, emails, and IDs when they are not necessary to understand the result.
|
|
10
|
+
|
|
11
|
+
## Retention
|
|
12
|
+
|
|
13
|
+
- Ephemeral command output should remain in the active task unless retention is explicitly required.
|
|
14
|
+
- Persisted evidence packs must be sanitized before writing.
|
|
15
|
+
- Evidence bundles must declare retention, expiry-advisory, archive-index, provenance, and
|
|
16
|
+
redaction metadata before archive reports are treated as reviewable release evidence.
|
|
17
|
+
- Archive indexes and reports must be sanitized summaries; they must not retain raw
|
|
18
|
+
evidence bodies, command output, local home paths, credentials, or secret-like values.
|
|
19
|
+
- Validation output belongs in ignored `validation-output/` or `test-results/` directories.
|
|
20
|
+
- Delete temporary authentication helpers immediately after use.
|
|
21
|
+
|
|
22
|
+
## Local Credentials
|
|
23
|
+
|
|
24
|
+
Local `.env` files may supply credentials for separately approved operations. Load them without shell tracing, reference environment variables, avoid credential-bearing output, and never commit them.
|
|
25
|
+
|
|
26
|
+
Recommend credential rotation only when evidence shows printing, copying, committing, pushing, or external exposure.
|
|
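Review bot: Line 9 makes replacement of private paths, domains, emails, and IDs conditional on them being "not necessary to understand the result", which leaves the decision to whoever writes the evidence and is weaker than lines 17-18, where local home paths are excluded from archive indexes and reports outright. Say who approves retaining such a value and where that is recorded, or make replacement the default with a named exception. Line 24 should also reference the approval gate that permits loading `.env` credentials, because the adapter adoption document in this same package forbids reading or printing `.env` files.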
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# Release Process
|
|
2
|
+
|
|
3
|
+
## Checklist
|
|
4
|
+
|
|
5
|
+
1. Confirm only approved skills exist.
|
|
6
|
+
2. Run `node scripts/validate-pack.mjs .`.
|
|
7
|
+
3. Run `node scripts/test-pack.mjs`.
|
|
8
|
+
4. Run `node scripts/validate-maintainer-loop.mjs .`.
|
|
9
|
+
5. Run `node scripts/verify-evidence-bundle.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`.
|
|
10
|
+
6. Run `node scripts/render-evidence-archive-report.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`.
|
|
11
|
+
Confirm the sanitized report includes archive-index status, retention-expiry advisory
|
|
12
|
+
status, and detached-signature verification planning metadata without raw evidence.
|
|
13
|
+
7. Run `node --test`.
|
|
14
|
+
8. Parse every JSON file.
|
|
15
|
+
9. Run a secret-pattern scan without printing values.
|
|
16
|
+
10. Run `git diff --check`.
|
|
17
|
+
11. Run `npm publish --dry-run --access public --registry=https://registry.npmjs.org/`.
|
|
18
|
+
12. Create a tarball with `npm pack` into a temporary directory.
|
|
19
|
+
13. Inspect tarball contents for local-only files, credentials, `.env` files, dependency
|
|
20
|
+
folders, generated output, and unrelated repositories.
|
|
21
|
+
14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
|
|
22
|
+
15. Review changelog, ledger, run evidence, and versioning impact.
|
|
23
|
+
16. Commit with approved identity.
|
|
24
|
+
17. Push `main` using credential-free remotes.
|
|
25
|
+
18. Confirm a clean synchronized worktree.
|
|
26
|
+
19. Create and push the annotated version tag.
|
|
27
|
+
20. Publish with `npm publish --access public --registry=https://registry.npmjs.org/`.
|
|
28
|
+
21. Install the published package into a temporary prefix and smoke-test the installed CLI.
|
|
29
|
+
22. Create the GitHub Release for the pushed tag.
|
|
30
|
+
|
|
31
|
+
Deployments, migrations, runtime mutation, platform actions, and target-project builds or
|
|
32
|
+
tests remain outside this release process unless separately approved.
|
|
33
|
+
|
|
34
|
+
The [npm package release guide](npm-package.md) documents the public package shape,
|
|
35
|
+
dry-run inspection, publication checks, and safety boundaries.
|
|
36
|
+
|
|
37
|
+
## Maintainer-Loop Boundary
|
|
38
|
+
|
|
39
|
+
The maintainer loop may run release preflight when `release-preflight` is explicitly
|
|
40
|
+
allowed. The `commit`, `tag`, and `push` permissions represent separate human approval
|
|
41
|
+
boundaries; the initial runner records and stops at those gates rather than publishing
|
|
42
|
+
silently.
|
|
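Review bot: Steps 12 to 14 inspect and smoke-test a tarball built with `npm pack`, but step 20 runs `npm publish` against the working tree, which packs again after the changelog review in step 15 and the commit in step 16, so the artifact that was inspected is not necessarily the artifact that gets published. Suggest either publishing the inspected tarball by passing its path to `npm publish`, or repeating the pack just before step 20 and comparing its checksum with the inspected one. Step 9 also names no command or script for the secret-pattern scan, unlike steps 2 to 7, so two maintainers can run different scans and both tick the box.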
@@ -0,0 +1,85 @@
|
|
|
1
|
+
# Npm Package Release
|
|
2
|
+
|
|
3
|
+
The package is prepared for public npm distribution as a dependency-free CLI wrapper
|
|
4
|
+
around the existing validated scripts. Publication does not change the shared skill
|
|
5
|
+
safety model.
|
|
6
|
+
|
|
7
|
+
## Current Package Shape
|
|
8
|
+
|
|
9
|
+
- Package name: `coding-agent-skills`.
|
|
10
|
+
- Package version: `0.2.8`.
|
|
11
|
+
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
|
+
- Module type: `module`.
|
|
13
|
+
- Dependencies: none.
|
|
14
|
+
- Publication mode: public package on the public npm registry.
|
|
15
|
+
- License metadata: `MIT`.
|
|
16
|
+
- Node requirement: `>=20`.
|
|
17
|
+
|
|
18
|
+
Install globally with:
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
npm install -g coding-agent-skills
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
The supported installed commands are:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
coding-agent-skills validate-pack
|
|
28
|
+
coding-agent-skills validate-project /path/to/project
|
|
29
|
+
coding-agent-skills repo-map /path/to/project
|
|
30
|
+
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
The package can also be executed without a repo-local install:
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
npx coding-agent-skills validate-pack
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Adapter compatibility remains controlled by the existing shared core and
|
|
40
|
+
project-adapter validators.
|
|
41
|
+
|
|
42
|
+
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
43
|
+
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
|
44
|
+
`.gitignore` is not packaged, it validates the package metadata, strict `files`
|
|
45
|
+
allowlist, dependency-free shape, bin mapping, required packaged files, and absence of
|
|
46
|
+
environment files instead of silently skipping safety checks.
|
|
47
|
+
|
|
48
|
+
## Included Files
|
|
49
|
+
|
|
50
|
+
The package uses a strict `files` allowlist. It includes the local command wrapper,
|
|
51
|
+
scripts, skills, schemas, contracts, docs, examples, tests, and governance files needed
|
|
52
|
+
for `coding-agent-skills validate-pack` to work after packaging.
|
|
53
|
+
|
|
54
|
+
The allowlist intentionally excludes local environment files, Git internals, generated
|
|
55
|
+
validation output, dependency folders, and project-specific adapters.
|
|
56
|
+
|
|
57
|
+
## Dry-Run And Publish Checks
|
|
58
|
+
|
|
59
|
+
Before publication, run the dry-run package inspection:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
npm pack --dry-run
|
|
63
|
+
npm publish --dry-run --access public --registry=https://registry.npmjs.org/
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
The dry-run output must be reviewed for accidental secrets, local-only files, environment
|
|
67
|
+
files, dependency folders, build artifacts, generated validation output, or unrelated
|
|
68
|
+
project files. It must also confirm that the bin wrapper and validation inputs are
|
|
69
|
+
included.
|
|
70
|
+
|
|
71
|
+
## Safety Boundaries
|
|
72
|
+
|
|
73
|
+
The public CLI remains read-only for target projects unless a specific underlying skill
|
|
74
|
+
already permits a bounded local validation action. The installed `repo-map` and adapter
|
|
75
|
+
flows do not:
|
|
76
|
+
|
|
77
|
+
- deploy
|
|
78
|
+
- run migrations
|
|
79
|
+
- mutate runtime services or processes
|
|
80
|
+
- read `.env` or secret files
|
|
81
|
+
- run target project builds or tests
|
|
82
|
+
- grant adapters additional power
|
|
83
|
+
|
|
84
|
+
Project adapters narrow context for safer repository understanding; they do not weaken
|
|
85
|
+
shared restrictions or authorize additional command families.
|
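Review bot: In Safety Boundaries (added lines 73 to 82), the "do not" list is scoped to the installed `repo-map` and adapter flows, while `validate-project` also takes a target project path and is not covered by it; the opening sentence's exception for "a bounded local validation action" leaves open what that command may do. Suggest naming every installed command in the guarantee, or listing the permitted exceptions explicitly. Two smaller points: the package version `0.2.8` is hard-coded under Current Package Shape and will go stale unless the release checklist gains a step to update it, and the `npx coding-agent-skills validate-pack` example is unpinned, so it runs whatever version the registry currently serves.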