coding-agent-skills 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (357)
  1. package/AGENTS.md +44 -0
  2. package/CHANGELOG.md +205 -0
  3. package/CONTRIBUTING.md +54 -0
  4. package/LICENSE +21 -0
  5. package/README.md +85 -0
  6. package/ROADMAP.md +87 -0
  7. package/RUNBOOK.md +47 -0
  8. package/bin/coding-agent-skills +75 -0
  9. package/contracts/evidence-pack/README.md +22 -0
  10. package/contracts/evidence-pack/evidence-pack.example.json +60 -0
  11. package/contracts/evidence-pack/evidence-pack.example.md +49 -0
  12. package/contracts/evidence-pack/evidence-pack.schema.json +156 -0
  13. package/docs/adapters/README.md +82 -0
  14. package/docs/adapters/discovery.md +50 -0
  15. package/docs/adapters/external-adapters.md +42 -0
  16. package/docs/adapters/project-installation.md +135 -0
  17. package/docs/adapters/real-project-adoption.md +193 -0
  18. package/docs/adapters/upgrade-evidence.md +67 -0
  19. package/docs/adapters/upgrades.md +83 -0
  20. package/docs/architecture/README.md +23 -0
  21. package/docs/authoring/README.md +54 -0
  22. package/docs/evidence-bundles/README.md +94 -0
  23. package/docs/privacy/README.md +26 -0
  24. package/docs/release/README.md +42 -0
  25. package/docs/release/npm-package.md +85 -0
  26. package/docs/safety/README.md +94 -0
  27. package/docs/testing/README.md +100 -0
  28. package/docs/usage/README.md +89 -0
  29. package/docs/versioning/README.md +30 -0
  30. package/docs/versioning/adapter-compatibility.md +54 -0
  31. package/examples/README.md +12 -0
  32. package/examples/adapters/README.md +9 -0
  33. package/examples/adapters/documentation-precedence.json +62 -0
  34. package/examples/adapters/narrow-repo-map.json +64 -0
  35. package/examples/adapters/runtime-status-hints.json +76 -0
  36. package/examples/command-policies/README.md +3 -0
  37. package/examples/command-policies/build-verify.json +57 -0
  38. package/examples/command-policies/git-preflight.json +44 -0
  39. package/examples/command-policies/llm-drift-control.json +45 -0
  40. package/examples/command-policies/repo-map.json +59 -0
  41. package/examples/command-policies/runtime-truth.json +59 -0
  42. package/examples/evidence-packs/README.md +3 -0
  43. package/examples/evidence-packs/build-verify.json +68 -0
  44. package/examples/evidence-packs/git-preflight.json +55 -0
  45. package/examples/evidence-packs/llm-drift-control.json +55 -0
  46. package/examples/evidence-packs/repo-map.json +55 -0
  47. package/examples/evidence-packs/runtime-truth.json +55 -0
  48. package/examples/manifests/README.md +3 -0
  49. package/examples/manifests/build-verify.json +14 -0
  50. package/examples/manifests/git-preflight.json +14 -0
  51. package/examples/manifests/llm-drift-control.json +14 -0
  52. package/examples/manifests/repo-map.json +14 -0
  53. package/examples/manifests/runtime-truth.json +14 -0
  54. package/examples/upgrade-evidence/README.md +14 -0
  55. package/examples/upgrade-evidence/chain-fail.evidence.json +155 -0
  56. package/examples/upgrade-evidence/chain-fail.evidence.md +14 -0
  57. package/examples/upgrade-evidence/chain-pass.evidence.json +156 -0
  58. package/examples/upgrade-evidence/stale-pin.evidence.json +117 -0
  59. package/examples/upgrade-evidence/unsafe-upgrade.evidence.json +128 -0
  60. package/examples/upgrade-evidence/valid-upgrade.evidence.json +105 -0
  61. package/examples/upgrade-evidence/valid-upgrade.evidence.md +13 -0
  62. package/examples/workflows/README.md +3 -0
  63. package/examples/workflows/build-verify.md +20 -0
  64. package/examples/workflows/git-preflight.md +18 -0
  65. package/examples/workflows/llm-drift-control.md +16 -0
  66. package/examples/workflows/repo-map.md +20 -0
  67. package/examples/workflows/runtime-truth.md +17 -0
  68. package/package.json +58 -0
  69. package/runs/skill-runs.md +162 -0
  70. package/schemas/adapter-upgrade-evidence.schema.json +443 -0
  71. package/schemas/archive-index.schema.json +174 -0
  72. package/schemas/archive-report.schema.json +322 -0
  73. package/schemas/command-policy.schema.json +125 -0
  74. package/schemas/evidence-bundle.schema.json +394 -0
  75. package/schemas/project-adapter-installation.schema.json +127 -0
  76. package/schemas/project-adapter.schema.json +328 -0
  77. package/schemas/skill-manifest.schema.json +40 -0
  78. package/scripts/check-adapter-upgrade-chain.mjs +32 -0
  79. package/scripts/check-adapter-upgrade.mjs +31 -0
  80. package/scripts/lib/adapter-discovery.mjs +441 -0
  81. package/scripts/lib/adapter-repo-map.mjs +358 -0
  82. package/scripts/lib/adapter-upgrade-chain.mjs +261 -0
  83. package/scripts/lib/adapter-upgrade.mjs +434 -0
  84. package/scripts/lib/evidence-bundle.mjs +831 -0
  85. package/scripts/lib/pack-rules.mjs +704 -0
  86. package/scripts/lib/project-adapter-installation.mjs +327 -0
  87. package/scripts/lib/safe-evidence-output.mjs +92 -0
  88. package/scripts/lib/schema-validator.mjs +146 -0
  89. package/scripts/lib/semver.mjs +54 -0
  90. package/scripts/lib/upgrade-evidence.mjs +276 -0
  91. package/scripts/render-adapter-repo-map.mjs +8 -0
  92. package/scripts/render-evidence-archive-report.mjs +18 -0
  93. package/scripts/run-next +220 -0
  94. package/scripts/test-pack.mjs +2232 -0
  95. package/scripts/validate-adapters.mjs +10 -0
  96. package/scripts/validate-maintainer-loop.mjs +146 -0
  97. package/scripts/validate-pack.mjs +950 -0
  98. package/scripts/validate-project-adapters.mjs +8 -0
  99. package/scripts/verify-evidence-bundle.mjs +18 -0
  100. package/skills/build-verify/SKILL.md +62 -0
  101. package/skills/build-verify/adapter-interface.md +7 -0
  102. package/skills/build-verify/agents/openai.yaml +4 -0
  103. package/skills/build-verify/checklist.md +12 -0
  104. package/skills/build-verify/evidence-template.md +11 -0
  105. package/skills/build-verify/examples.md +16 -0
  106. package/skills/build-verify/failure-modes.md +14 -0
  107. package/skills/git-preflight/SKILL.md +65 -0
  108. package/skills/git-preflight/adapter-interface.md +7 -0
  109. package/skills/git-preflight/agents/openai.yaml +4 -0
  110. package/skills/git-preflight/checklist.md +11 -0
  111. package/skills/git-preflight/evidence-template.md +10 -0
  112. package/skills/git-preflight/examples.md +18 -0
  113. package/skills/git-preflight/failure-modes.md +13 -0
  114. package/skills/llm-drift-control/SKILL.md +67 -0
  115. package/skills/llm-drift-control/adapter-interface.md +7 -0
  116. package/skills/llm-drift-control/agents/openai.yaml +4 -0
  117. package/skills/llm-drift-control/checklist.md +11 -0
  118. package/skills/llm-drift-control/evidence-template.md +13 -0
  119. package/skills/llm-drift-control/examples.md +15 -0
  120. package/skills/llm-drift-control/failure-modes.md +13 -0
  121. package/skills/repo-map/SKILL.md +71 -0
  122. package/skills/repo-map/adapter-interface.md +18 -0
  123. package/skills/repo-map/agents/openai.yaml +4 -0
  124. package/skills/repo-map/checklist.md +15 -0
  125. package/skills/repo-map/evidence-template.md +29 -0
  126. package/skills/repo-map/examples.md +19 -0
  127. package/skills/repo-map/failure-modes.md +16 -0
  128. package/skills/runtime-truth/SKILL.md +62 -0
  129. package/skills/runtime-truth/adapter-interface.md +7 -0
  130. package/skills/runtime-truth/agents/openai.yaml +4 -0
  131. package/skills/runtime-truth/checklist.md +11 -0
  132. package/skills/runtime-truth/evidence-template.md +12 -0
  133. package/skills/runtime-truth/examples.md +20 -0
  134. package/skills/runtime-truth/failure-modes.md +13 -0
  135. package/tests/README.md +44 -0
  136. package/tests/adapters/README.md +15 -0
  137. package/tests/completion/README.md +15 -0
  138. package/tests/evidence/README.md +15 -0
  139. package/tests/fixtures/README.md +23 -0
  140. package/tests/fixtures/adapters/allow-deploy.json +60 -0
  141. package/tests/fixtures/adapters/allow-git-push.json +60 -0
  142. package/tests/fixtures/adapters/expand-scope.json +53 -0
  143. package/tests/fixtures/adapters/expose-secrets.json +53 -0
  144. package/tests/fixtures/adapters/incompatible-version.json +53 -0
  145. package/tests/fixtures/adapters/override-audit-only.json +53 -0
  146. package/tests/fixtures/adapters/redefine-completion.json +53 -0
  147. package/tests/fixtures/adapters/remove-required-evidence.json +53 -0
  148. package/tests/fixtures/adapters/suppress-failures.json +53 -0
  149. package/tests/fixtures/adapters/valid-narrowing.json +53 -0
  150. package/tests/fixtures/adapters/valid-repo-map.json +53 -0
  151. package/tests/fixtures/adapters/weakening-repo-map.json +42 -0
  152. package/tests/fixtures/completion/cases.json +143 -0
  153. package/tests/fixtures/completion/false-complete.json +51 -0
  154. package/tests/fixtures/evidence-bundles/advisory-review-soon/archive/evidence-archive-index.json +52 -0
  155. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/repo-map.evidence.json +68 -0
  156. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/valid-upgrade.evidence.json +105 -0
  157. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence-bundle.json +109 -0
  158. package/tests/fixtures/evidence-bundles/invalid-archive/archive/evidence-archive-index.json +52 -0
  159. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/repo-map.evidence.json +68 -0
  160. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/valid-upgrade.evidence.json +105 -0
  161. package/tests/fixtures/evidence-bundles/invalid-archive/evidence-bundle.json +109 -0
  162. package/tests/fixtures/evidence-bundles/invalid-archive-index/archive/evidence-archive-index.json +52 -0
  163. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/repo-map.evidence.json +68 -0
  164. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/valid-upgrade.evidence.json +105 -0
  165. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence-bundle.json +109 -0
  166. package/tests/fixtures/evidence-bundles/invalid-hash/archive/evidence-archive-index.json +52 -0
  167. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/repo-map.evidence.json +68 -0
  168. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/valid-upgrade.evidence.json +105 -0
  169. package/tests/fixtures/evidence-bundles/invalid-hash/evidence-bundle.json +109 -0
  170. package/tests/fixtures/evidence-bundles/invalid-missing-entry/archive/evidence-archive-index.json +52 -0
  171. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/repo-map.evidence.json +68 -0
  172. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/valid-upgrade.evidence.json +105 -0
  173. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence-bundle.json +109 -0
  174. package/tests/fixtures/evidence-bundles/invalid-path/archive/evidence-archive-index.json +52 -0
  175. package/tests/fixtures/evidence-bundles/invalid-path/evidence/repo-map.evidence.json +68 -0
  176. package/tests/fixtures/evidence-bundles/invalid-path/evidence/valid-upgrade.evidence.json +105 -0
  177. package/tests/fixtures/evidence-bundles/invalid-path/evidence-bundle.json +109 -0
  178. package/tests/fixtures/evidence-bundles/invalid-provenance/archive/evidence-archive-index.json +52 -0
  179. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/repo-map.evidence.json +68 -0
  180. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/valid-upgrade.evidence.json +105 -0
  181. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence-bundle.json +109 -0
  182. package/tests/fixtures/evidence-bundles/invalid-regression/archive/evidence-archive-index.json +52 -0
  183. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/repo-map.evidence.json +68 -0
  184. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/valid-upgrade.evidence.json +105 -0
  185. package/tests/fixtures/evidence-bundles/invalid-regression/evidence-bundle.json +113 -0
  186. package/tests/fixtures/evidence-bundles/invalid-retention/archive/evidence-archive-index.json +52 -0
  187. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/repo-map.evidence.json +68 -0
  188. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/valid-upgrade.evidence.json +105 -0
  189. package/tests/fixtures/evidence-bundles/invalid-retention/evidence-bundle.json +109 -0
  190. package/tests/fixtures/evidence-bundles/invalid-signature-plan/archive/evidence-archive-index.json +52 -0
  191. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/repo-map.evidence.json +68 -0
  192. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/valid-upgrade.evidence.json +105 -0
  193. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence-bundle.json +109 -0
  194. package/tests/fixtures/evidence-bundles/valid-bundle/archive/evidence-archive-index.json +52 -0
  195. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/repo-map.evidence.json +68 -0
  196. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/valid-upgrade.evidence.json +105 -0
  197. package/tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json +109 -0
  198. package/tests/fixtures/external-adapters/empty/README.md +3 -0
  199. package/tests/fixtures/external-adapters/invalid-completion-override/.coding-agent/adapters/completion/adapter.json +53 -0
  200. package/tests/fixtures/external-adapters/invalid-deploy/.coding-agent/adapters/deploy/adapter.json +60 -0
  201. package/tests/fixtures/external-adapters/invalid-evidence-suppression/.coding-agent/adapters/evidence/adapter.json +53 -0
  202. package/tests/fixtures/external-adapters/invalid-failure-suppression/.coding-agent/adapters/failures/adapter.json +53 -0
  203. package/tests/fixtures/external-adapters/invalid-git-push/.coding-agent/adapters/publish/adapter.json +60 -0
  204. package/tests/fixtures/external-adapters/invalid-malformed/.coding-agent/adapters/malformed/adapter.json +1 -0
  205. package/tests/fixtures/external-adapters/invalid-malformed/malformed-adapter.txt +1 -0
  206. package/tests/fixtures/external-adapters/invalid-mode-escalation/.coding-agent/adapters/mode/adapter.json +53 -0
  207. package/tests/fixtures/external-adapters/invalid-path-traversal/.coding-agent/adapters/path/adapter.json +53 -0
  208. package/tests/fixtures/external-adapters/invalid-restriction-removal/.coding-agent/adapters/restrictions/adapter.json +52 -0
  209. package/tests/fixtures/external-adapters/invalid-scope-expansion/.coding-agent/adapters/scope/adapter.json +53 -0
  210. package/tests/fixtures/external-adapters/invalid-secret-exposure/.coding-agent/adapters/secrets/adapter.json +53 -0
  211. package/tests/fixtures/external-adapters/invalid-skill-id/.coding-agent/adapters/skill/adapter.json +53 -0
  212. package/tests/fixtures/external-adapters/invalid-skill-version/.coding-agent/adapters/skill-version/adapter.json +53 -0
  213. package/tests/fixtures/external-adapters/invalid-unknown-manifest/.coding-agent/adapters/unknown/manifest.json +1 -0
  214. package/tests/fixtures/external-adapters/invalid-version/.coding-agent/adapters/version/adapter.json +53 -0
  215. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/invalid/adapter.json +60 -0
  216. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/valid/adapter.json +53 -0
  217. package/tests/fixtures/external-adapters/valid-basic/.coding-agent/adapters/basic/adapter.json +53 -0
  218. package/tests/fixtures/external-adapters/valid-doc-precedence/coding-agent/adapters/docs/adapter.json +53 -0
  219. package/tests/fixtures/external-adapters/valid-runtime-status/adapters/coding-agent/runtime/adapter.json +65 -0
  220. package/tests/fixtures/mutation/cases.json +87 -0
  221. package/tests/fixtures/mutation/snapshot-target/README.md +3 -0
  222. package/tests/fixtures/mutation/snapshot-target/state.json +4 -0
  223. package/tests/fixtures/policy/commands.json +164 -0
  224. package/tests/fixtures/policy/properties.json +126 -0
  225. package/tests/fixtures/privacy/cases.json +47 -0
  226. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.agents/adapters/basic/adapter.json +53 -0
  227. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.coding-agent/skills.json +23 -0
  228. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/adapters/basic/adapter.json +53 -0
  229. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/skills.json +23 -0
  230. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  231. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/skills.json +23 -0
  232. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/adapters/basic/adapter.json +53 -0
  233. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/skills.json +23 -0
  234. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/adapters/basic/adapter.json +53 -0
  235. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/skills.json +23 -0
  236. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/adapters/basic/adapter.json +53 -0
  237. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/skills.json +23 -0
  238. package/tests/fixtures/project-adapter-installation/invalid-missing-declaration/.coding-agent/adapters/basic/adapter.json +53 -0
  239. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/adapters/basic/adapter.json +53 -0
  240. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/skills.json +23 -0
  241. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/adapters/basic/adapter.json +53 -0
  242. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/skills.json +23 -0
  243. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/adapters/basic/adapter.json +53 -0
  244. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/skills.json +23 -0
  245. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/adapters/basic/adapter.json +53 -0
  246. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/skills.json +23 -0
  247. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  248. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/skills.json +23 -0
  249. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/adapters/basic/adapter.json +53 -0
  250. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/skills.json +23 -0
  251. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/adapters/basic/adapter.json +53 -0
  252. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/skills.json +23 -0
  253. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/adapters/basic/adapter.json +52 -0
  254. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/skills.json +23 -0
  255. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent/adapters/docs/adapter.json +53 -0
  256. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent.skills.json +23 -0
  257. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/adapters/basic/adapter.json +53 -0
  258. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/skills.json +23 -0
  259. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/.coding-agent/skills.json +28 -0
  260. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/repo/adapter.json +53 -0
  261. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/runtime/adapter.json +58 -0
  262. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  263. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/skills.json +27 -0
  264. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  265. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/skills.json +27 -0
  266. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  267. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/skills.json +27 -0
  268. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  269. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/skills.json +27 -0
  270. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  271. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/skills.json +27 -0
  272. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  273. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/skills.json +27 -0
  274. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  275. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/skills.json +27 -0
  276. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  277. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/skills.json +27 -0
  278. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  279. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/skills.json +27 -0
  280. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  281. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/skills.json +27 -0
  282. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  283. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/skills.json +27 -0
  284. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  285. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/skills.json +27 -0
  286. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/adapters/fixture-chain-adapter/adapter.json +69 -0
  287. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/skills.json +27 -0
  288. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  289. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/skills.json +27 -0
  290. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  291. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/skills.json +27 -0
  292. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  293. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/skills.json +27 -0
  294. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  295. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/skills.json +27 -0
  296. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  297. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/skills.json +27 -0
  298. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  299. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/skills.json +27 -0
  300. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  301. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/skills.json +27 -0
  302. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  303. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/skills.json +27 -0
  304. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  305. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/skills.json +27 -0
  306. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +71 -0
  307. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/skills.json +27 -0
  308. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  309. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/skills.json +27 -0
  310. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  311. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/skills.json +27 -0
  312. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  313. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/skills.json +27 -0
  314. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  315. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/skills.json +27 -0
  316. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  317. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/skills.json +27 -0
  318. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  319. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/skills.json +27 -0
  320. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  321. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/skills.json +27 -0
  322. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  323. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/skills.json +27 -0
  324. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  325. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/skills.json +27 -0
  326. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  327. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/skills.json +27 -0
  328. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  329. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/skills.json +27 -0
  330. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  331. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/skills.json +27 -0
  332. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  333. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/skills.json +27 -0
  334. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  335. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/skills.json +27 -0
  336. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  337. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/skills.json +27 -0
  338. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  339. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/skills.json +27 -0
  340. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  341. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/skills.json +27 -0
  342. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  343. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/skills.json +27 -0
  344. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  345. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/skills.json +27 -0
  346. package/tests/fixtures/sample-repo/.env.example +1 -0
  347. package/tests/fixtures/sample-repo/README.md +4 -0
  348. package/tests/fixtures/sample-repo/docs/architecture.md +3 -0
  349. package/tests/fixtures/sample-repo/package.json +11 -0
  350. package/tests/fixtures/sample-repo/src/index.js +3 -0
  351. package/tests/fixtures/sample-repo/test/index.test.js +8 -0
  352. package/tests/fixtures/triggers/cases.json +101 -0
  353. package/tests/policy/README.md +16 -0
  354. package/tests/privacy/README.md +14 -0
  355. package/tests/safety/README.md +17 -0
  356. package/tests/trigger/README.md +11 -0
  357. package/work-ledger.md +159 -0
@@ -0,0 +1,193 @@
1
+ # Real Project Adapter Adoption Gate
2
+
3
+ This document defines the planning gate for a future first real project adapter. It does
4
+ not approve creating that adapter, modifying a project repository, or changing the shared
5
+ skill pack's safety model.
6
+
7
+ The shared repository is ready to evaluate a candidate because it already has bounded
8
+ adapter discovery, project-owned installation declarations, version pinning, upgrade
9
+ checks, compatibility-chain checks, evidence contracts, and release validation. That
10
+ readiness is a gate, not implementation permission.
11
+
12
+ ## Candidate Selection Criteria
13
+
14
+ A first real project adapter candidate must satisfy all of these conditions before any
15
+ project repository is touched:
16
+
17
+ - The project owner explicitly approves an adapter-planning review for that repository.
18
+ - The project has a stable repository root and an identifiable owning project.
19
+ - The project can use one supported adapter location:
20
+ `.coding-agent/adapters/`, `coding-agent/adapters/`, or `adapters/coding-agent/`.
21
+ - The project can declare exactly one installation file: `.coding-agent/skills.json` or
22
+ `coding-agent.skills.json`.
23
+ - The adapter need is bounded to existing pilot skills: `repo-map`, `build-verify`,
24
+ `git-preflight`, `runtime-truth`, or `llm-drift-control`.
25
+ - The adapter can narrow context with relative paths, documentation precedence, safe
26
+ aliases, status-only hints, or extra evidence requirements.
27
+ - The adapter does not require deployment, migration, package installation, Git
28
+ publication, service mutation, billing, platform credentials, or secret reads.
29
+ - The project has enough public or non-sensitive documentation to justify the adapter
30
+ without storing raw secrets, private evidence, or local environment values.
31
+
32
+ If any condition is missing, the candidate remains deferred.
33
+
34
+ ## Required Evidence Before Touching A Real Project
35
+
36
+ Before creating files in a real project repository, the operator must gather and report
37
+ sanitized evidence from this shared repository only:
38
+
39
+ - Current shared skill-pack version and tag.
40
+ - Clean or intentionally documented Git state for the shared repository.
41
+ - Candidate project name or approved placeholder, without secrets or local-only paths.
42
+ - Proposed adapter root and declaration-file location.
43
+ - Pilot skill IDs the adapter would support.
44
+ - Proposed extension type, such as read paths, documentation precedence, package-manager
45
+ hints, status-only runtime hints, or additional evidence.
46
+ - Explicit statement that no new skill, platform workflow, deployment, migration, package
47
+ publication, or global CLI flow is part of the adoption.
48
+ - Approval record naming whether the next step is read-only review, project-file
49
+ scaffolding, or implementation.
50
+
51
+ This evidence must not include `.env` contents, credentials, raw command output with
52
+ private values, or private project internals.
53
+
54
+ ## Required Validator Commands
55
+
56
+ Before adoption planning can move from this shared repository into a real project, the
57
+ shared pack must pass:
58
+
59
+ ```bash
60
+ node scripts/validate-pack.mjs .
61
+ node scripts/test-pack.mjs
62
+ node scripts/validate-maintainer-loop.mjs .
63
+ node scripts/validate-adapters.mjs tests/fixtures/external-adapters/valid-basic
64
+ node scripts/validate-project-adapters.mjs tests/fixtures/project-adapter-installation/valid-exact-pin
65
+ node scripts/check-adapter-upgrade.mjs tests/fixtures/project-adapter-upgrades/valid-upgrade/before tests/fixtures/project-adapter-upgrades/valid-upgrade/after
66
+ node scripts/check-adapter-upgrade-chain.mjs tests/fixtures/project-adapter-upgrade-chains/valid-chain
67
+ node --test
68
+ ```
69
+
70
+ After a separately approved real adapter is created in its owning project repository, run
71
+ the same shared-pack validation plus the project-specific declaration validation against
72
+ the approved project root. If an existing adapter is being changed, also run the upgrade
73
+ or compatibility-chain check against sanitized before and after revisions.
74
+
75
+ ## Safety Boundaries
76
+
77
+ Project adapters remain extension-only data. They must never:
78
+
79
+ - Remove inherited denied-operation categories.
80
+ - Change an audit-only skill into an action-capable skill.
81
+ - Permit deployment, Git publication, installation, migration, service mutation, or
82
+ privileged API calls.
83
+ - Expose secrets or add secret-bearing paths.
84
+ - Suppress failures, contradictions, dirty state, required evidence, or skipped-check
85
+ consequences.
86
+ - Redefine completion semantics.
87
+ - Expand scanning outside the approved project root.
88
+ - Read or print `.env` files.
89
+ - Copy shared restrictions into a project in a way that allows local weakening.
90
+
91
+ The shared core remains authoritative for schemas, command policy, completion rules,
92
+ evidence contracts, and validator behavior.
93
+
94
+ ## Approval Gates
95
+
96
+ The following approvals are separate:
97
+
98
+ 1. Approve selecting a candidate project for adapter planning.
99
+ 2. Approve read-only evidence gathering in that project.
100
+ 3. Approve creating project-owned adapter files in that project.
101
+ 4. Approve validating the project declaration with the shared core.
102
+ 5. Approve committing or publishing project-repository adapter changes.
103
+ 6. Approve changing the shared core if adoption reveals a missing generic validator rule.
104
+
105
+ Approval for one gate does not imply approval for the next gate.
106
+
107
+ ## Stop Conditions
108
+
109
+ Stop immediately and report if:
110
+
111
+ - The candidate requires a new skill or platform-specific workflow.
112
+ - The candidate needs deployment, migration, package installation, Git publication, or
113
+ service mutation.
114
+ - The candidate requires reading or exposing secrets.
115
+ - The project cannot use a supported adapter location or declaration file.
116
+ - The shared validation matrix fails.
117
+ - The adapter would weaken shared restrictions, evidence rules, command policy, or
118
+ completion semantics.
119
+ - The project owner has not explicitly approved the current gate.
120
+ - The work would require touching a real project repository without separate approval.
121
+
122
+ ## Rollback Conditions
123
+
124
+ If a separately approved project adapter later fails validation, the operator must stop
125
+ and preserve evidence. Rollback means removing or reverting the project-owned adapter
126
+ change in that project repository under that repository's approval process. This shared
127
+ repository must not silently loosen schemas, validators, or safety rules to make a real
128
+ adapter pass.
129
+
130
+ ## Still Forbidden Until Separately Approved
131
+
132
+ - New skills.
133
+ - Real project adapter creation.
134
+ - Real project repository modification.
135
+ - Platform or deployment skills.
136
+ - Package publication or root package setup.
137
+ - Global CLI installation flow.
138
+ - Deployments, migrations, service mutations, or privileged API calls.
139
+ - Commit, push, tag, or release publication.
140
+ - Reading or printing `.env` contents.
141
+
142
+ ## First Adoption Evidence
143
+
144
+ The first external project-owned adapter adoption has completed for
145
+ `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit
146
+ `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
147
+
148
+ The adopted adapter scope is intentionally narrow:
149
+
150
+ - `repo-map` only.
151
+ - Docs/metadata-only.
152
+ - No commands.
153
+ - No runtime checks.
154
+ - No build, test, or package behavior.
155
+ - No platform, deployment, migration, or service behavior.
156
+ - No secret-aware behavior.
157
+
158
+ Validation evidence:
159
+
160
+ - Shared pack validation passed.
161
+ - Shared release tests passed.
162
+ - Maintainer-loop validation passed.
163
+ - Project adapter validation accepted one adapter and one skill with the core pin accepted.
164
+ - Built-in Node tests passed.
165
+ - Shared and candidate whitespace checks passed.
166
+ - Candidate adapter JSON parsed successfully.
167
+
168
+ Publication caveat: the candidate repository's normal pre-push hook attempted package
169
+ operations, including install, audit, and typecheck. The run was interrupted to preserve
170
+ the approved no-install/no-build/no-test boundary. Publication then completed with hook
171
+ verification bypass after the shared adapter validator and safe checks passed.
172
+
173
+ Future adoption runs must explicitly decide whether repository hooks are allowed or whether
174
+ hook bypass is required to preserve the approved boundary. Hook bypass does not replace
175
+ adapter validation; it only prevents unapproved project-native package operations.
176
+
177
+ Remaining approval boundaries:
178
+
179
+ - Expanding the adapter beyond `repo-map`.
180
+ - Enabling command aliases, build verification, runtime truth, or status checks.
181
+ - Running candidate project package scripts.
182
+ - Inspecting Docker, database, worker, SMTP, migration, deployment, billing, platform, or
183
+ secret-bearing surfaces.
184
+ - Changing shared schemas, validators, command policy, or completion rules.
185
+ - Creating additional real project adapters.
186
+
187
+ Next safe milestone options:
188
+
189
+ - Document the project-hook publication policy for real adapter adoption.
190
+ - Add synthetic fixture coverage for hook-triggered publication caveats without adding
191
+ real project details.
192
+ - Plan a second read-only candidate qualification audit.
193
+ - Plan a `repo-map` adapter upgrade evidence review for the adopted project adapter.
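Review bot: The "First Adoption Evidence" section records an absolute home-directory path for the candidate project next to its commit hash, which breaks this document's own evidence rule ("Candidate project name or approved placeholder, without secrets or local-only paths"). Replace the path with an approved placeholder or a bare project name. The publication caveat says the push "completed with hook verification bypass", yet none of the six approval gates covers bypassing repository hooks, so name the gate or approval record that authorized it. The opening paragraph ("does not approve creating that adapter") and the "Still Forbidden Until Separately Approved" list both still read as if no adoption has happened; state which parts describe the state before the first adoption and which apply to later candidates.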
@@ -0,0 +1,67 @@
1
+ # Adapter Upgrade Evidence
2
+
3
+ The machine-readable contract is
4
+ [`adapter-upgrade-evidence.schema.json`](../../schemas/adapter-upgrade-evidence.schema.json).
5
+ It records a pair or chain review without storing raw project paths, project identifiers,
6
+ environment values, credentials, or upgrade mutations.
7
+
8
+ ## Contract Contents
9
+
10
+ Every record includes:
11
+
12
+ - Contract, validator, invocation, and timestamp identity.
13
+ - Sanitized before and after project summaries.
14
+ - Core, adapter, schema, skill, compatibility, and pin information.
15
+ - Restriction inheritance and approval requirements.
16
+ - Risks, failures, warnings, confidence, and recommended action.
17
+ - Final `pass`, `warn`, `fail`, or `blocked` status.
18
+ - An explicit `changedState.changed: false` declaration.
19
+
20
+ Chain records additionally include a synthetic chain ID and ordinal transition summaries.
21
+ Revision labels such as `revision-1` are evidence-safe placeholders, not directory names.
22
+
23
+ ## Pair Output
24
+
25
+ Print sanitized JSON:
26
+
27
+ ```bash
28
+ node scripts/check-adapter-upgrade.mjs <before> <after> --json
29
+ ```
30
+
31
+ Write one new JSON evidence file:
32
+
33
+ ```bash
34
+ node scripts/check-adapter-upgrade.mjs <before> <after> --output validation-output/upgrade.json
35
+ ```
36
+
37
+ ## Chain Output
38
+
39
+ Print sanitized JSON:
40
+
41
+ ```bash
42
+ node scripts/check-adapter-upgrade-chain.mjs <chain-root> --json
43
+ ```
44
+
45
+ Write one new JSON evidence file:
46
+
47
+ ```bash
48
+ node scripts/check-adapter-upgrade-chain.mjs <chain-root> --output validation-output/chain.json
49
+ ```
50
+
51
+ Output paths must be relative, end in `.json`, remain beneath the current working directory,
52
+ have an existing non-symlink parent, avoid `.env` components, and identify a file that does
53
+ not already exist. Evidence output never overwrites a file.
54
+
55
+ The optional report write does not apply an adapter upgrade. The changed-state declaration
56
+ refers to project, adapter, Git, runtime, service, database, and remote state, all of which
57
+ remain unchanged.
58
+
59
+ ## Status Policy
60
+
61
+ A stale exact pin or stale compatible range is blocking and produces `fail`. So do
62
+ unsupported cores, schema or skill drift, restriction weakening, evidence removal, failure
63
+ suppression, completion override, mode escalation, secret exposure, scope expansion, and
64
+ unsafe paths.
65
+
66
+ `warn` is reserved for compatible reviews carrying non-blocking approval requirements.
67
+ Passing evidence remains advisory and requires human approval before real-project adoption.
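Review bot: "Contract Contents" lists `blocked` as a final status, but "Status Policy" only defines when `fail` and `warn` are produced, so a reader cannot tell what yields `blocked` or how it differs from `fail`. Add one sentence for `blocked` and one for `pass`. In the output-path paragraph, "identify a file that does not already exist" reads as a check performed before the write; say whether the file is created exclusively so the no-overwrite guarantee holds if the path appears between check and write, and whether the non-symlink requirement covers every path component or only the immediate parent.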
@@ -0,0 +1,83 @@
1
+ # Adapter Upgrade Checks
2
+
3
+ Project-owned adapter upgrades are compared as two complete, disposable project revisions:
4
+
5
+ ```bash
6
+ node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>
7
+ ```
8
+
9
+ The command is advisory and read-only. It validates each revision with the existing project
10
+ adapter validator, compares the declarations and accepted manifests, and reports stable
11
+ rejection codes. It does not update pins, copy adapters, install packages, or approve an
12
+ upgrade.
13
+
14
+ ## Revision Convention
15
+
16
+ Both roots must use the project installation convention in
17
+ [project-installation.md](project-installation.md). The before revision declares its current
18
+ core compatibility. The after revision declares the proposed target compatibility.
19
+
20
+ For a direct `0.2.3` check, `0.2.2` is the supported upgrade source and `0.2.3` is the target.
21
+ Older sources and future targets fail closed.
22
+
23
+ ## Compatibility Chains
24
+
25
+ An ordered chain uses contiguous directory names such as:
26
+
27
+ ```text
28
+ 01-current/
29
+ 02-upgrade/
30
+ 03-upgrade/
31
+ ```
32
+
33
+ Run:
34
+
35
+ ```bash
36
+ node scripts/check-adapter-upgrade-chain.mjs <chain-root>
37
+ ```
38
+
39
+ Every revision validates against its declared core. Every adjacent transition reuses the
40
+ pair validator with that transition's target version. Patch versions must advance by one,
41
+ and the final revision must target the running `0.2.3` core. Repeated versions are stale;
42
+ gaps, reversals, old sources, and future targets fail.
43
+
44
+ ## Stale Pins
45
+
46
+ - A **stale exact pin** still fixes the after revision to an older core.
47
+ - A **stale compatible range** does not include the running core, or leaves the expected
48
+ version behind while using a range.
49
+
50
+ The after declaration must set `expectedVersion` to the running core and its `versionPin`
51
+ must contain that version. Exact pins and bounded ranges remain distinct in evidence.
52
+
53
+ ## Safe Upgrade Rules
54
+
55
+ A safe upgrade must:
56
+
57
+ - Preserve project and adapter identity.
58
+ - Use the supported adapter schema.
59
+ - Preserve every inherited denied operation.
60
+ - Preserve audit-only modes, failure reporting, completion rules, and secret protections.
61
+ - Retain all previously required evidence; adding evidence is allowed.
62
+ - Declare only approved pilot skills and compatible skill versions.
63
+ - Keep all declaration and manifest paths inside their project revision.
64
+
65
+ Schema drift, skill compatibility drift, adapter downgrade, restriction weakening, mode
66
+ escalation, evidence removal, failure suppression, completion override, secret exposure,
67
+ scope expansion, traversal, and symlink escape reject the upgrade.
68
+
69
+ ## Evidence And Exit Codes
70
+
71
+ Exit `0` means the pair or chain validated and preserved the shared boundary. Exit `1`
72
+ means validation was rejected. Exit `2` means usage, output safety, or an internal boundary
73
+ failed. Summaries contain counts and rejection codes only; manifest values are not echoed.
74
+
75
+ Use `--json` for sanitized machine-readable evidence or `--output <relative-file.json>` to
76
+ write a new evidence artifact. See [upgrade evidence](upgrade-evidence.md) for the
77
+ non-overwriting output policy.
78
+
79
+ A passing result is evidence that the disposable comparison passed. Applying the same
80
+ upgrade to a real project still requires explicit approval and fresh project evidence.
81
+
82
+ All committed revisions and chains in this milestone are synthetic fixtures. No real project adapter
83
+ or project repository is read or modified.
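Review bot: "Revision Convention" and "Compatibility Chains" hard-code `0.2.3` as the running core ("the final revision must target the running `0.2.3` core"), while the npm package guide in this same diff lists package version `0.2.8`. If the core version tracks the package version these sentences are stale, and a reader following them would build a chain that fails closed. Phrase the rule in terms of the running core version and its immediate predecessor, or update the literals on each release. "Patch versions must advance by one" also leaves minor and major bumps unspecified; say whether they are rejected or handled by a different rule.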
@@ -0,0 +1,23 @@
1
+ # Architecture
2
+
3
+ The library uses a hybrid model:
4
+
5
+ - This standalone repository owns general shared skills, contracts, and schemas.
6
+ - Project repositories may own narrow adapters that add local manifests, documentation precedence, ignored paths, or safe detection rules.
7
+
8
+ Skills consume the evidence-pack contract but do not depend on hidden state. Audit-only and action-capable behavior remain separate. Adapters may only narrow permissions or enrich evidence; shared restrictions and completion rules take precedence.
9
+
10
+ ## Pilot Skills
11
+
12
+ Audit-only:
13
+
14
+ - `repo-map`
15
+ - `git-preflight`
16
+ - `runtime-truth`
17
+ - `llm-drift-control`
18
+
19
+ Controlled local validation:
20
+
21
+ - `build-verify`
22
+
23
+ The evidence pack is a shared output contract, not an executable skill. Route tracing, environment and secret audits, deployment preflight, GitHub handoff, provider operations, and project adapters remain separate future work.
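Review bot: The closing sentence lists "project adapters" among work that remains "separate future work", but the second bullet of the hybrid model already says project repositories may own narrow adapters, and the adoption document in this diff reports a completed first adoption. Drop "project adapters" from the future-work list or qualify which adapter capabilities are still deferred. The "Controlled local validation" label on `build-verify` is also a third term beside the audit-only and action-capable modes used in the paragraph above; state which of the two modes `build-verify` has so adapter rules such as "never change an audit-only skill into an action-capable skill" can be applied to it unambiguously.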
@@ -0,0 +1,54 @@
1
+ # Authoring
2
+
3
+ New skills must:
4
+
5
+ 1. Define precise trigger conditions in YAML frontmatter.
6
+ 2. State whether they are audit-only or action-capable.
7
+ 3. Define command families, argument policy, parser invariants, and restricted categories.
8
+ 4. Use the shared evidence-pack contract.
9
+ 5. Prevent `complete` when required evidence failed or was skipped without an acceptable consequence.
10
+ 6. Keep provider and project behavior in explicit adapters.
11
+ 7. Include tests for trigger behavior, command policy, mutation prevention, privacy, adapters, and false completion.
12
+ 8. Keep `SKILL.md` concise and link directly to detailed companion references.
13
+ 9. Use imperative procedures and explicit status transitions.
14
+ 10. Validate `agents/openai.yaml` whenever trigger wording changes.
15
+ 11. Declare `adapterSchema` and `adapterCompatibility` in the skill manifest.
16
+ 12. Add exact and generated property-style command-policy cases.
17
+
18
+ Do not copy commands from restricted evidence into procedures. Use placeholders instead of private paths, domains, identifiers, or credentials.
19
+
20
+ Project adapters must validate against `schemas/project-adapter.schema.json`. They may add known paths, script aliases, source precedence, status-only commands, and evidence requirements. They may not weaken restrictions, hide failures, change skill mode, or redefine completion.
21
+
22
+ Future skills must declare the adapter contract version and compatible adapter versions in their manifest. Adapter compatibility is bidirectional: the manifest must accept the adapter version, and the adapter must accept the skill ID, version, and original mode.
23
+
24
+ External adapters must use one documented discovery location and an immediate child
25
+ directory containing `adapter.json`. Keep manifests synthetic during shared-core testing.
26
+ Run `node scripts/validate-adapters.mjs <adapter-root>` before proposing a real project
27
+ adapter. Passing schema validation alone is insufficient; compatibility, path safety,
28
+ command aliases, evidence additions, and inherited restrictions must also pass.
29
+
30
+ A future project adoption must also add exactly one supported skills declaration, pin the
31
+ released shared core, list every adapter ID/version/skill set, retain `noSecrets: true`, and
32
+ pass `node scripts/validate-project-adapters.mjs <project-root>`. A project declaration may
33
+ narrow compatibility but cannot replace the shared schema, policy, mode, or completion rules.
34
+
35
+ Before proposing an adapter upgrade, retain separate before and after project revisions and
36
+ run `node scripts/check-adapter-upgrade.mjs <before-project-root> <after-project-root>`.
37
+ Update the expected core, pin, and skill compatibility together. Preserve adapter identity,
38
+ all denied categories, and every existing evidence requirement. A passing advisory check
39
+ does not approve modification of a real project.
40
+
41
+ For multiple revisions, use contiguous ordinal directories and run
42
+ `node scripts/check-adapter-upgrade-chain.mjs <chain-root>`. Produce sanitized evidence with
43
+ `--json` or an explicitly requested relative `--output` file. Validate evidence against
44
+ `schemas/adapter-upgrade-evidence.schema.json`, keep `changedState.changed` false, and never
45
+ store raw project paths, project IDs, `.env` values, credentials, or applied changes.
46
+
47
+ Evidence bundles must declare retention, expiry-advisory, provenance, archive-index, and
48
+ archive policy metadata. Use `node scripts/verify-evidence-bundle.mjs <bundle-file>` before
49
+ claiming replay or regression success, and use
50
+ `node scripts/render-evidence-archive-report.mjs <bundle-file>` when a sanitized archive
51
+ summary is needed. Do not inline signatures, raw evidence bodies, command output, local
52
+ paths, or secret-like values into archive indexes or reports. Detached-signature
53
+ verification planning is metadata only until a future milestone explicitly approves real
54
+ verification infrastructure.
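Review bot: Item 5 blocks `complete` when evidence "was skipped without an acceptable consequence", but nothing in this file defines what makes a consequence acceptable or who decides, which leaves the false-completion rule open to interpretation by each skill author. Link to the definition or list the accepted consequences here. Item 10 requires validating `agents/openai.yaml` without naming a command, unlike the adapter paragraphs below, which each give the exact `node scripts/...` invocation; add the command or say which existing validator covers it.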
@@ -0,0 +1,94 @@
1
+ # Evidence Bundles
2
+
3
+ Evidence bundles group already-produced evidence files into a deterministic, read-only
4
+ verification unit.
5
+
6
+ ## What The Harness Verifies
7
+
8
+ - The bundle matches `schemas/evidence-bundle.schema.json`.
9
+ - The bundle declares a retention policy with a bounded review window, storage class,
10
+ and redaction rule.
11
+ - The retention policy includes an expiry advisory. The advisory may report `retained`,
12
+ `review-soon`, or `expired-review-required`, but it is manual-review-only and never
13
+ deletes or moves evidence.
14
+ - The bundle declares provenance for the producing harness and target tag.
15
+ - The provenance section follows the detached-signature design. Synthetic fixtures may
16
+ remain unsigned, but non-fixture bundles cannot use that shortcut.
17
+ - The detached-signature section includes a verification plan with required future
18
+ artifacts. The harness validates the plan but does not perform cryptographic signing or
19
+ signature verification.
20
+ - The archive policy allows only sanitized JSON summaries, never raw evidence bodies or
21
+ secret values.
22
+ - The archive policy may link to a synthetic sanitized archive index that records entry
23
+ identifiers, hashes, retention summary, and provenance summary.
24
+ - Every entry path is relative, local to the bundle, non-symlinked, and not a local
25
+ environment-file path.
26
+ - Every entry hash matches the declared SHA-256 digest.
27
+ - Evidence-pack entries validate against the shared evidence-pack contract.
28
+ - Adapter-upgrade entries validate against the adapter-upgrade evidence contract.
29
+ - Entry statuses match their declared expected status.
30
+ - Evidence does not claim state mutation.
31
+ - Replay produces the same canonical report hash inside a single verification run.
32
+ - The target release preserves all declared baseline entries without status regression.
33
+
34
+ ## Retention And Provenance
35
+
36
+ Retention metadata is advisory evidence, not a deletion scheduler. The verifier checks that
37
+ the declared review window is long enough for synthetic fixtures or maintainer release
38
+ evidence and that `retainUntil` is after `generatedAt` by at least the declared minimum
39
+ days. Expiry status is reported as advisory evidence for human review only. It is not a
40
+ deletion system and it does not change retention state.
41
+
42
+ Provenance is a signed-provenance design contract. The pilot does not create real
43
+ signatures or publish release attestations. It does require the bundle to name the
44
+ producer, source commit, target release tag, canonicalization strategy, digest algorithm,
45
+ and detached-signature policy so future signing can be added without changing the safety
46
+ model. The verification plan names the canonical bundle JSON, detached signature, and
47
+ public verification identity that a future verifier would require. `validatesSignatureNow`
48
+ must remain `false` in this milestone.
49
+
50
+ ## Archive Indexes
51
+
52
+ Archive indexes are synthetic sanitized fixtures validated against
53
+ `schemas/archive-index.schema.json`. They are metadata-only indexes for bundle review. An
54
+ index may list bundle entry IDs, expected statuses, hashes, retention advisory status, and
55
+ signature-plan status, but it must not contain raw evidence bodies, command output, local
56
+ paths, credentials, or secret-like values.
57
+
58
+ The verifier checks that the index belongs to the bundle, matches the current entry set,
59
+ preserves entry hashes, links to retention metadata, and declares no state change.
60
+
61
+ ## Archive Reports
62
+
63
+ Archive reports are sanitized summaries derived from a verified bundle. They include
64
+ bundle identity, entry identifiers, replay hash, regression status, retention metadata,
65
+ retention-expiry advisory status, provenance metadata, detached-signature verification
66
+ planning metadata, and archive-index status. They do not include raw evidence bodies,
67
+ command output, local home paths, credentials, or secret-like values.
68
+
69
+ ```bash
70
+ node scripts/render-evidence-archive-report.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json
71
+ ```
72
+
73
+ Use `--json` to print the structured sanitized report to stdout. The command does not
74
+ write archive files; storing a report remains a separate approval boundary.
75
+
76
+ ## Command
77
+
78
+ ```bash
79
+ node scripts/verify-evidence-bundle.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json
80
+ ```
81
+
82
+ Use `--json` when a caller needs the structured report. The report is sanitized and does
83
+ not include raw evidence bodies or secret values.
84
+
85
+ ## Boundaries
86
+
87
+ The verifier is an evidence harness only. It does not create skills, install packages,
88
+ write project files, apply upgrades, touch real project repositories, run deployments, run
89
+ migrations, mutate services, read local environment files, or publish releases.
90
+
91
+ The archive-report renderer follows the same read-only boundary. It renders sanitized
92
+ stdout only and does not create or update archive destinations.
93
+
94
+ Real project evidence bundles remain deferred until separately approved.
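Review bot: The provenance bullet says non-fixture bundles cannot remain unsigned, while the next bullet and the "Retention And Provenance" section say the harness performs no signature verification and `validatesSignatureNow` must stay `false`. The document never says what the verifier does with a non-fixture bundle in this milestone: reject it, or accept a signature it cannot check. State that outcome explicitly. It is also worth saying in "What The Harness Verifies" that the SHA-256 entry check compares files against digests declared inside the same unsigned bundle, so it detects drift but not a bundle whose entries and digests were changed together. The replay bullet limits determinism to "a single verification run"; note whether hashes are expected to match across runs and machines.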
@@ -0,0 +1,26 @@
1
+ # Evidence Retention And Privacy
2
+
3
+ ## Collection
4
+
5
+ Collect only evidence required to justify the skill result. Prefer concise summaries and references over raw output.
6
+
7
+ ## Sanitization
8
+
9
+ Never retain token values, cookies, private keys, authenticated headers, connection strings, private tenant identifiers, or secret-file contents. Replace private paths, domains, emails, and IDs when they are not necessary to understand the result.
10
+
11
+ ## Retention
12
+
13
+ - Ephemeral command output should remain in the active task unless retention is explicitly required.
14
+ - Persisted evidence packs must be sanitized before writing.
15
+ - Evidence bundles must declare retention, expiry-advisory, archive-index, provenance, and
16
+ redaction metadata before archive reports are treated as reviewable release evidence.
17
+ - Archive indexes and reports must be sanitized summaries; they must not retain raw
18
+ evidence bodies, command output, local home paths, credentials, or secret-like values.
19
+ - Validation output belongs in ignored `validation-output/` or `test-results/` directories.
20
+ - Delete temporary authentication helpers immediately after use.
21
+
22
+ ## Local Credentials
23
+
24
+ Local `.env` files may supply credentials for separately approved operations. Load them without shell tracing, reference environment variables, avoid credential-bearing output, and never commit them.
25
+
26
+ Recommend credential rotation only when evidence shows printing, copying, committing, pushing, or external exposure.
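Review bot: The Sanitization rule to replace private paths, domains, emails, and IDs only "when they are not necessary to understand the result" is weaker than the adapter-upgrade evidence rules in this same diff, which forbid storing raw project paths and project identifiers outright. As written, an author can justify keeping a local path in persisted evidence. Make replacement the default for anything persisted and require a recorded reason for each exception. "Delete temporary authentication helpers immediately after use" also needs a definition or example of what counts as a helper, since nothing else in this file mentions them.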
@@ -0,0 +1,42 @@
1
+ # Release Process
2
+
3
+ ## Checklist
4
+
5
+ 1. Confirm only approved skills exist.
6
+ 2. Run `node scripts/validate-pack.mjs .`.
7
+ 3. Run `node scripts/test-pack.mjs`.
8
+ 4. Run `node scripts/validate-maintainer-loop.mjs .`.
9
+ 5. Run `node scripts/verify-evidence-bundle.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`.
10
+ 6. Run `node scripts/render-evidence-archive-report.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`.
11
+ Confirm the sanitized report includes archive-index status, retention-expiry advisory
12
+ status, and detached-signature verification planning metadata without raw evidence.
13
+ 7. Run `node --test`.
14
+ 8. Parse every JSON file.
15
+ 9. Run a secret-pattern scan without printing values.
16
+ 10. Run `git diff --check`.
17
+ 11. Run `npm publish --dry-run --access public --registry=https://registry.npmjs.org/`.
18
+ 12. Create a tarball with `npm pack` into a temporary directory.
19
+ 13. Inspect tarball contents for local-only files, credentials, `.env` files, dependency
20
+ folders, generated output, and unrelated repositories.
21
+ 14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
22
+ 15. Review changelog, ledger, run evidence, and versioning impact.
23
+ 16. Commit with approved identity.
24
+ 17. Push `main` using credential-free remotes.
25
+ 18. Confirm a clean synchronized worktree.
26
+ 19. Create and push the annotated version tag.
27
+ 20. Publish with `npm publish --access public --registry=https://registry.npmjs.org/`.
28
+ 21. Install the published package into a temporary prefix and smoke-test the installed CLI.
29
+ 22. Create the GitHub Release for the pushed tag.
30
+
31
+ Deployments, migrations, runtime mutation, platform actions, and target-project builds or
32
+ tests remain outside this release process unless separately approved.
33
+
34
+ The [npm package release guide](npm-package.md) documents the public package shape,
35
+ dry-run inspection, publication checks, and safety boundaries.
36
+
37
+ ## Maintainer-Loop Boundary
38
+
39
+ The maintainer loop may run release preflight when `release-preflight` is explicitly
40
+ allowed. The `commit`, `tag`, and `push` permissions represent separate human approval
41
+ boundaries; the initial runner records and stops at those gates rather than publishing
42
+ silently.
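Review bot: Steps 12 to 14 inspect and smoke-test a tarball built with `npm pack`, but step 20 runs `npm publish --access public --registry=https://registry.npmjs.org/` from the working tree, which packs again, so the artifact that reaches the registry is not the one that was inspected. Consider publishing the inspected tarball by path, or recording its checksum at step 12 and checking the installed package against it at step 21. Step 19 also pushes the annotated tag before step 20 publishes, so a failed publish leaves a public tag with no matching package; the checklist should say how that case is handled. In the Maintainer-Loop Boundary paragraph, `commit`, `tag`, and `push` are named as separate approval gates but publish is not, although it is the hardest step to reverse; name it as its own gate if that is the intent. Steps 8 and 9 give no command, unlike steps 6, 7, 10 and 11, which makes them hard to run the same way twice.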
@@ -0,0 +1,85 @@
1
+ # Npm Package Release
2
+
3
+ The package is prepared for public npm distribution as a dependency-free CLI wrapper
4
+ around the existing validated scripts. Publication does not change the shared skill
5
+ safety model.
6
+
7
+ ## Current Package Shape
8
+
9
+ - Package name: `coding-agent-skills`.
10
+ - Package version: `0.2.8`.
11
+ - CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
12
+ - Module type: `module`.
13
+ - Dependencies: none.
14
+ - Publication mode: public package on the public npm registry.
15
+ - License metadata: `MIT`.
16
+ - Node requirement: `>=20`.
17
+
18
+ Install globally with:
19
+
20
+ ```bash
21
+ npm install -g coding-agent-skills
22
+ ```
23
+
24
+ The supported installed commands are:
25
+
26
+ ```bash
27
+ coding-agent-skills validate-pack
28
+ coding-agent-skills validate-project /path/to/project
29
+ coding-agent-skills repo-map /path/to/project
30
+ coding-agent-skills validate-adapters /path/to/adapter-root
31
+ ```
32
+
33
+ The package can also be executed without a repo-local install:
34
+
35
+ ```bash
36
+ npx coding-agent-skills validate-pack
37
+ ```
38
+
39
+ Adapter compatibility remains controlled by the existing shared core and
40
+ project-adapter validators.
41
+
42
+ `coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
43
+ source-only checks such as `.gitignore` validation. In an installed package tree, where
44
+ `.gitignore` is not packaged, it validates the package metadata, strict `files`
45
+ allowlist, dependency-free shape, bin mapping, required packaged files, and absence of
46
+ environment files instead of silently skipping safety checks.
47
+
48
+ ## Included Files
49
+
50
+ The package uses a strict `files` allowlist. It includes the local command wrapper,
51
+ scripts, skills, schemas, contracts, docs, examples, tests, and governance files needed
52
+ for `coding-agent-skills validate-pack` to work after packaging.
53
+
54
+ The allowlist intentionally excludes local environment files, Git internals, generated
55
+ validation output, dependency folders, and project-specific adapters.
56
+
57
+ ## Dry-Run And Publish Checks
58
+
59
+ Before publication, run the dry-run package inspection:
60
+
61
+ ```bash
62
+ npm pack --dry-run
63
+ npm publish --dry-run --access public --registry=https://registry.npmjs.org/
64
+ ```
65
+
66
+ The dry-run output must be reviewed for accidental secrets, local-only files, environment
67
+ files, dependency folders, build artifacts, generated validation output, or unrelated
68
+ project files. It must also confirm that the bin wrapper and validation inputs are
69
+ included.
70
+
71
+ ## Safety Boundaries
72
+
73
+ The public CLI remains read-only for target projects unless a specific underlying skill
74
+ already permits a bounded local validation action. The installed `repo-map` and adapter
75
+ flows do not:
76
+
77
+ - deploy
78
+ - run migrations
79
+ - mutate runtime services or processes
80
+ - read `.env` or secret files
81
+ - run target project builds or tests
82
+ - grant adapters additional power
83
+
84
+ Project adapters narrow context for safer repository understanding; they do not weaken
85
+ shared restrictions or authorize additional command families.
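Review bot: In "Dry-Run And Publish Checks", the dry-run output is asked to cover "accidental secrets", but `npm pack --dry-run` and `npm publish --dry-run` list the files that would be packaged, not their contents, so that review can catch a stray file name and nothing embedded inside an allowlisted file. Suggest scoping this paragraph to file-list review and pointing to a content-level check for secrets, such as the secret-pattern scan and tarball inspection steps in the release checklist. Separately, the `npx coding-agent-skills validate-pack` example is unpinned while "Package version: `0.2.8`" is hard-coded under "Current Package Shape"; pinning the example (`npx coding-agent-skills@0.2.8 validate-pack`) or dropping the literal version from the doc would keep the two from drifting. In "Safety Boundaries", "read `.env` or secret files" leaves "secret files" undefined; listing the patterns the CLI actually refuses to read would make the claim checkable.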