coding-agent-skills 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (357) hide show
  1. package/AGENTS.md +44 -0
  2. package/CHANGELOG.md +205 -0
  3. package/CONTRIBUTING.md +54 -0
  4. package/LICENSE +21 -0
  5. package/README.md +85 -0
  6. package/ROADMAP.md +87 -0
  7. package/RUNBOOK.md +47 -0
  8. package/bin/coding-agent-skills +75 -0
  9. package/contracts/evidence-pack/README.md +22 -0
  10. package/contracts/evidence-pack/evidence-pack.example.json +60 -0
  11. package/contracts/evidence-pack/evidence-pack.example.md +49 -0
  12. package/contracts/evidence-pack/evidence-pack.schema.json +156 -0
  13. package/docs/adapters/README.md +82 -0
  14. package/docs/adapters/discovery.md +50 -0
  15. package/docs/adapters/external-adapters.md +42 -0
  16. package/docs/adapters/project-installation.md +135 -0
  17. package/docs/adapters/real-project-adoption.md +193 -0
  18. package/docs/adapters/upgrade-evidence.md +67 -0
  19. package/docs/adapters/upgrades.md +83 -0
  20. package/docs/architecture/README.md +23 -0
  21. package/docs/authoring/README.md +54 -0
  22. package/docs/evidence-bundles/README.md +94 -0
  23. package/docs/privacy/README.md +26 -0
  24. package/docs/release/README.md +42 -0
  25. package/docs/release/npm-package.md +85 -0
  26. package/docs/safety/README.md +94 -0
  27. package/docs/testing/README.md +100 -0
  28. package/docs/usage/README.md +89 -0
  29. package/docs/versioning/README.md +30 -0
  30. package/docs/versioning/adapter-compatibility.md +54 -0
  31. package/examples/README.md +12 -0
  32. package/examples/adapters/README.md +9 -0
  33. package/examples/adapters/documentation-precedence.json +62 -0
  34. package/examples/adapters/narrow-repo-map.json +64 -0
  35. package/examples/adapters/runtime-status-hints.json +76 -0
  36. package/examples/command-policies/README.md +3 -0
  37. package/examples/command-policies/build-verify.json +57 -0
  38. package/examples/command-policies/git-preflight.json +44 -0
  39. package/examples/command-policies/llm-drift-control.json +45 -0
  40. package/examples/command-policies/repo-map.json +59 -0
  41. package/examples/command-policies/runtime-truth.json +59 -0
  42. package/examples/evidence-packs/README.md +3 -0
  43. package/examples/evidence-packs/build-verify.json +68 -0
  44. package/examples/evidence-packs/git-preflight.json +55 -0
  45. package/examples/evidence-packs/llm-drift-control.json +55 -0
  46. package/examples/evidence-packs/repo-map.json +55 -0
  47. package/examples/evidence-packs/runtime-truth.json +55 -0
  48. package/examples/manifests/README.md +3 -0
  49. package/examples/manifests/build-verify.json +14 -0
  50. package/examples/manifests/git-preflight.json +14 -0
  51. package/examples/manifests/llm-drift-control.json +14 -0
  52. package/examples/manifests/repo-map.json +14 -0
  53. package/examples/manifests/runtime-truth.json +14 -0
  54. package/examples/upgrade-evidence/README.md +14 -0
  55. package/examples/upgrade-evidence/chain-fail.evidence.json +155 -0
  56. package/examples/upgrade-evidence/chain-fail.evidence.md +14 -0
  57. package/examples/upgrade-evidence/chain-pass.evidence.json +156 -0
  58. package/examples/upgrade-evidence/stale-pin.evidence.json +117 -0
  59. package/examples/upgrade-evidence/unsafe-upgrade.evidence.json +128 -0
  60. package/examples/upgrade-evidence/valid-upgrade.evidence.json +105 -0
  61. package/examples/upgrade-evidence/valid-upgrade.evidence.md +13 -0
  62. package/examples/workflows/README.md +3 -0
  63. package/examples/workflows/build-verify.md +20 -0
  64. package/examples/workflows/git-preflight.md +18 -0
  65. package/examples/workflows/llm-drift-control.md +16 -0
  66. package/examples/workflows/repo-map.md +20 -0
  67. package/examples/workflows/runtime-truth.md +17 -0
  68. package/package.json +58 -0
  69. package/runs/skill-runs.md +162 -0
  70. package/schemas/adapter-upgrade-evidence.schema.json +443 -0
  71. package/schemas/archive-index.schema.json +174 -0
  72. package/schemas/archive-report.schema.json +322 -0
  73. package/schemas/command-policy.schema.json +125 -0
  74. package/schemas/evidence-bundle.schema.json +394 -0
  75. package/schemas/project-adapter-installation.schema.json +127 -0
  76. package/schemas/project-adapter.schema.json +328 -0
  77. package/schemas/skill-manifest.schema.json +40 -0
  78. package/scripts/check-adapter-upgrade-chain.mjs +32 -0
  79. package/scripts/check-adapter-upgrade.mjs +31 -0
  80. package/scripts/lib/adapter-discovery.mjs +441 -0
  81. package/scripts/lib/adapter-repo-map.mjs +358 -0
  82. package/scripts/lib/adapter-upgrade-chain.mjs +261 -0
  83. package/scripts/lib/adapter-upgrade.mjs +434 -0
  84. package/scripts/lib/evidence-bundle.mjs +831 -0
  85. package/scripts/lib/pack-rules.mjs +704 -0
  86. package/scripts/lib/project-adapter-installation.mjs +327 -0
  87. package/scripts/lib/safe-evidence-output.mjs +92 -0
  88. package/scripts/lib/schema-validator.mjs +146 -0
  89. package/scripts/lib/semver.mjs +54 -0
  90. package/scripts/lib/upgrade-evidence.mjs +276 -0
  91. package/scripts/render-adapter-repo-map.mjs +8 -0
  92. package/scripts/render-evidence-archive-report.mjs +18 -0
  93. package/scripts/run-next +220 -0
  94. package/scripts/test-pack.mjs +2232 -0
  95. package/scripts/validate-adapters.mjs +10 -0
  96. package/scripts/validate-maintainer-loop.mjs +146 -0
  97. package/scripts/validate-pack.mjs +950 -0
  98. package/scripts/validate-project-adapters.mjs +8 -0
  99. package/scripts/verify-evidence-bundle.mjs +18 -0
  100. package/skills/build-verify/SKILL.md +62 -0
  101. package/skills/build-verify/adapter-interface.md +7 -0
  102. package/skills/build-verify/agents/openai.yaml +4 -0
  103. package/skills/build-verify/checklist.md +12 -0
  104. package/skills/build-verify/evidence-template.md +11 -0
  105. package/skills/build-verify/examples.md +16 -0
  106. package/skills/build-verify/failure-modes.md +14 -0
  107. package/skills/git-preflight/SKILL.md +65 -0
  108. package/skills/git-preflight/adapter-interface.md +7 -0
  109. package/skills/git-preflight/agents/openai.yaml +4 -0
  110. package/skills/git-preflight/checklist.md +11 -0
  111. package/skills/git-preflight/evidence-template.md +10 -0
  112. package/skills/git-preflight/examples.md +18 -0
  113. package/skills/git-preflight/failure-modes.md +13 -0
  114. package/skills/llm-drift-control/SKILL.md +67 -0
  115. package/skills/llm-drift-control/adapter-interface.md +7 -0
  116. package/skills/llm-drift-control/agents/openai.yaml +4 -0
  117. package/skills/llm-drift-control/checklist.md +11 -0
  118. package/skills/llm-drift-control/evidence-template.md +13 -0
  119. package/skills/llm-drift-control/examples.md +15 -0
  120. package/skills/llm-drift-control/failure-modes.md +13 -0
  121. package/skills/repo-map/SKILL.md +71 -0
  122. package/skills/repo-map/adapter-interface.md +18 -0
  123. package/skills/repo-map/agents/openai.yaml +4 -0
  124. package/skills/repo-map/checklist.md +15 -0
  125. package/skills/repo-map/evidence-template.md +29 -0
  126. package/skills/repo-map/examples.md +19 -0
  127. package/skills/repo-map/failure-modes.md +16 -0
  128. package/skills/runtime-truth/SKILL.md +62 -0
  129. package/skills/runtime-truth/adapter-interface.md +7 -0
  130. package/skills/runtime-truth/agents/openai.yaml +4 -0
  131. package/skills/runtime-truth/checklist.md +11 -0
  132. package/skills/runtime-truth/evidence-template.md +12 -0
  133. package/skills/runtime-truth/examples.md +20 -0
  134. package/skills/runtime-truth/failure-modes.md +13 -0
  135. package/tests/README.md +44 -0
  136. package/tests/adapters/README.md +15 -0
  137. package/tests/completion/README.md +15 -0
  138. package/tests/evidence/README.md +15 -0
  139. package/tests/fixtures/README.md +23 -0
  140. package/tests/fixtures/adapters/allow-deploy.json +60 -0
  141. package/tests/fixtures/adapters/allow-git-push.json +60 -0
  142. package/tests/fixtures/adapters/expand-scope.json +53 -0
  143. package/tests/fixtures/adapters/expose-secrets.json +53 -0
  144. package/tests/fixtures/adapters/incompatible-version.json +53 -0
  145. package/tests/fixtures/adapters/override-audit-only.json +53 -0
  146. package/tests/fixtures/adapters/redefine-completion.json +53 -0
  147. package/tests/fixtures/adapters/remove-required-evidence.json +53 -0
  148. package/tests/fixtures/adapters/suppress-failures.json +53 -0
  149. package/tests/fixtures/adapters/valid-narrowing.json +53 -0
  150. package/tests/fixtures/adapters/valid-repo-map.json +53 -0
  151. package/tests/fixtures/adapters/weakening-repo-map.json +42 -0
  152. package/tests/fixtures/completion/cases.json +143 -0
  153. package/tests/fixtures/completion/false-complete.json +51 -0
  154. package/tests/fixtures/evidence-bundles/advisory-review-soon/archive/evidence-archive-index.json +52 -0
  155. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/repo-map.evidence.json +68 -0
  156. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence/valid-upgrade.evidence.json +105 -0
  157. package/tests/fixtures/evidence-bundles/advisory-review-soon/evidence-bundle.json +109 -0
  158. package/tests/fixtures/evidence-bundles/invalid-archive/archive/evidence-archive-index.json +52 -0
  159. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/repo-map.evidence.json +68 -0
  160. package/tests/fixtures/evidence-bundles/invalid-archive/evidence/valid-upgrade.evidence.json +105 -0
  161. package/tests/fixtures/evidence-bundles/invalid-archive/evidence-bundle.json +109 -0
  162. package/tests/fixtures/evidence-bundles/invalid-archive-index/archive/evidence-archive-index.json +52 -0
  163. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/repo-map.evidence.json +68 -0
  164. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence/valid-upgrade.evidence.json +105 -0
  165. package/tests/fixtures/evidence-bundles/invalid-archive-index/evidence-bundle.json +109 -0
  166. package/tests/fixtures/evidence-bundles/invalid-hash/archive/evidence-archive-index.json +52 -0
  167. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/repo-map.evidence.json +68 -0
  168. package/tests/fixtures/evidence-bundles/invalid-hash/evidence/valid-upgrade.evidence.json +105 -0
  169. package/tests/fixtures/evidence-bundles/invalid-hash/evidence-bundle.json +109 -0
  170. package/tests/fixtures/evidence-bundles/invalid-missing-entry/archive/evidence-archive-index.json +52 -0
  171. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/repo-map.evidence.json +68 -0
  172. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence/valid-upgrade.evidence.json +105 -0
  173. package/tests/fixtures/evidence-bundles/invalid-missing-entry/evidence-bundle.json +109 -0
  174. package/tests/fixtures/evidence-bundles/invalid-path/archive/evidence-archive-index.json +52 -0
  175. package/tests/fixtures/evidence-bundles/invalid-path/evidence/repo-map.evidence.json +68 -0
  176. package/tests/fixtures/evidence-bundles/invalid-path/evidence/valid-upgrade.evidence.json +105 -0
  177. package/tests/fixtures/evidence-bundles/invalid-path/evidence-bundle.json +109 -0
  178. package/tests/fixtures/evidence-bundles/invalid-provenance/archive/evidence-archive-index.json +52 -0
  179. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/repo-map.evidence.json +68 -0
  180. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence/valid-upgrade.evidence.json +105 -0
  181. package/tests/fixtures/evidence-bundles/invalid-provenance/evidence-bundle.json +109 -0
  182. package/tests/fixtures/evidence-bundles/invalid-regression/archive/evidence-archive-index.json +52 -0
  183. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/repo-map.evidence.json +68 -0
  184. package/tests/fixtures/evidence-bundles/invalid-regression/evidence/valid-upgrade.evidence.json +105 -0
  185. package/tests/fixtures/evidence-bundles/invalid-regression/evidence-bundle.json +113 -0
  186. package/tests/fixtures/evidence-bundles/invalid-retention/archive/evidence-archive-index.json +52 -0
  187. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/repo-map.evidence.json +68 -0
  188. package/tests/fixtures/evidence-bundles/invalid-retention/evidence/valid-upgrade.evidence.json +105 -0
  189. package/tests/fixtures/evidence-bundles/invalid-retention/evidence-bundle.json +109 -0
  190. package/tests/fixtures/evidence-bundles/invalid-signature-plan/archive/evidence-archive-index.json +52 -0
  191. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/repo-map.evidence.json +68 -0
  192. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence/valid-upgrade.evidence.json +105 -0
  193. package/tests/fixtures/evidence-bundles/invalid-signature-plan/evidence-bundle.json +109 -0
  194. package/tests/fixtures/evidence-bundles/valid-bundle/archive/evidence-archive-index.json +52 -0
  195. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/repo-map.evidence.json +68 -0
  196. package/tests/fixtures/evidence-bundles/valid-bundle/evidence/valid-upgrade.evidence.json +105 -0
  197. package/tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json +109 -0
  198. package/tests/fixtures/external-adapters/empty/README.md +3 -0
  199. package/tests/fixtures/external-adapters/invalid-completion-override/.coding-agent/adapters/completion/adapter.json +53 -0
  200. package/tests/fixtures/external-adapters/invalid-deploy/.coding-agent/adapters/deploy/adapter.json +60 -0
  201. package/tests/fixtures/external-adapters/invalid-evidence-suppression/.coding-agent/adapters/evidence/adapter.json +53 -0
  202. package/tests/fixtures/external-adapters/invalid-failure-suppression/.coding-agent/adapters/failures/adapter.json +53 -0
  203. package/tests/fixtures/external-adapters/invalid-git-push/.coding-agent/adapters/publish/adapter.json +60 -0
  204. package/tests/fixtures/external-adapters/invalid-malformed/.coding-agent/adapters/malformed/adapter.json +1 -0
  205. package/tests/fixtures/external-adapters/invalid-malformed/malformed-adapter.txt +1 -0
  206. package/tests/fixtures/external-adapters/invalid-mode-escalation/.coding-agent/adapters/mode/adapter.json +53 -0
  207. package/tests/fixtures/external-adapters/invalid-path-traversal/.coding-agent/adapters/path/adapter.json +53 -0
  208. package/tests/fixtures/external-adapters/invalid-restriction-removal/.coding-agent/adapters/restrictions/adapter.json +52 -0
  209. package/tests/fixtures/external-adapters/invalid-scope-expansion/.coding-agent/adapters/scope/adapter.json +53 -0
  210. package/tests/fixtures/external-adapters/invalid-secret-exposure/.coding-agent/adapters/secrets/adapter.json +53 -0
  211. package/tests/fixtures/external-adapters/invalid-skill-id/.coding-agent/adapters/skill/adapter.json +53 -0
  212. package/tests/fixtures/external-adapters/invalid-skill-version/.coding-agent/adapters/skill-version/adapter.json +53 -0
  213. package/tests/fixtures/external-adapters/invalid-unknown-manifest/.coding-agent/adapters/unknown/manifest.json +1 -0
  214. package/tests/fixtures/external-adapters/invalid-version/.coding-agent/adapters/version/adapter.json +53 -0
  215. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/invalid/adapter.json +60 -0
  216. package/tests/fixtures/external-adapters/mixed/.coding-agent/adapters/valid/adapter.json +53 -0
  217. package/tests/fixtures/external-adapters/valid-basic/.coding-agent/adapters/basic/adapter.json +53 -0
  218. package/tests/fixtures/external-adapters/valid-doc-precedence/coding-agent/adapters/docs/adapter.json +53 -0
  219. package/tests/fixtures/external-adapters/valid-runtime-status/adapters/coding-agent/runtime/adapter.json +65 -0
  220. package/tests/fixtures/mutation/cases.json +87 -0
  221. package/tests/fixtures/mutation/snapshot-target/README.md +3 -0
  222. package/tests/fixtures/mutation/snapshot-target/state.json +4 -0
  223. package/tests/fixtures/policy/commands.json +164 -0
  224. package/tests/fixtures/policy/properties.json +126 -0
  225. package/tests/fixtures/privacy/cases.json +47 -0
  226. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.agents/adapters/basic/adapter.json +53 -0
  227. package/tests/fixtures/project-adapter-installation/invalid-adapter-location/.coding-agent/skills.json +23 -0
  228. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/adapters/basic/adapter.json +53 -0
  229. package/tests/fixtures/project-adapter-installation/invalid-adapter-schema-version/.coding-agent/skills.json +23 -0
  230. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  231. package/tests/fixtures/project-adapter-installation/invalid-adapter-version-mismatch/.coding-agent/skills.json +23 -0
  232. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/adapters/basic/adapter.json +53 -0
  233. package/tests/fixtures/project-adapter-installation/invalid-bad-semver/.coding-agent/skills.json +23 -0
  234. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/adapters/basic/adapter.json +53 -0
  235. package/tests/fixtures/project-adapter-installation/invalid-completion-override/.coding-agent/skills.json +23 -0
  236. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/adapters/basic/adapter.json +53 -0
  237. package/tests/fixtures/project-adapter-installation/invalid-failure-suppression/.coding-agent/skills.json +23 -0
  238. package/tests/fixtures/project-adapter-installation/invalid-missing-declaration/.coding-agent/adapters/basic/adapter.json +53 -0
  239. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/adapters/basic/adapter.json +53 -0
  240. package/tests/fixtures/project-adapter-installation/invalid-mode-escalation/.coding-agent/skills.json +23 -0
  241. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/adapters/basic/adapter.json +53 -0
  242. package/tests/fixtures/project-adapter-installation/invalid-path-traversal/.coding-agent/skills.json +23 -0
  243. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/adapters/basic/adapter.json +53 -0
  244. package/tests/fixtures/project-adapter-installation/invalid-scope-expansion/.coding-agent/skills.json +23 -0
  245. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/adapters/basic/adapter.json +53 -0
  246. package/tests/fixtures/project-adapter-installation/invalid-secret-exposure/.coding-agent/skills.json +23 -0
  247. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/adapters/basic/adapter.json +53 -0
  248. package/tests/fixtures/project-adapter-installation/invalid-skill-mismatch/.coding-agent/skills.json +23 -0
  249. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/adapters/basic/adapter.json +53 -0
  250. package/tests/fixtures/project-adapter-installation/invalid-unknown-skill/.coding-agent/skills.json +23 -0
  251. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/adapters/basic/adapter.json +53 -0
  252. package/tests/fixtures/project-adapter-installation/invalid-unsupported-core-version/.coding-agent/skills.json +23 -0
  253. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/adapters/basic/adapter.json +52 -0
  254. package/tests/fixtures/project-adapter-installation/invalid-weakens-restrictions/.coding-agent/skills.json +23 -0
  255. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent/adapters/docs/adapter.json +53 -0
  256. package/tests/fixtures/project-adapter-installation/valid-compatible-range/coding-agent.skills.json +23 -0
  257. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/adapters/basic/adapter.json +53 -0
  258. package/tests/fixtures/project-adapter-installation/valid-exact-pin/.coding-agent/skills.json +23 -0
  259. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/.coding-agent/skills.json +28 -0
  260. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/repo/adapter.json +53 -0
  261. package/tests/fixtures/project-adapter-installation/valid-multiple-adapters/adapters/coding-agent/runtime/adapter.json +58 -0
  262. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  263. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/01-current/.coding-agent/skills.json +27 -0
  264. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  265. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/02-incompatible/.coding-agent/skills.json +27 -0
  266. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  267. package/tests/fixtures/project-adapter-upgrade-chains/broken-compatibility-chain/03-target/.coding-agent/skills.json +27 -0
  268. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  269. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/01-current/.coding-agent/skills.json +27 -0
  270. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  271. package/tests/fixtures/project-adapter-upgrade-chains/schema-drift-chain/02-schema-drift/.coding-agent/skills.json +27 -0
  272. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  273. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/01-current/.coding-agent/skills.json +27 -0
  274. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  275. package/tests/fixtures/project-adapter-upgrade-chains/skill-drift-chain/02-skill-drift/.coding-agent/skills.json +27 -0
  276. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  277. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/01-current/.coding-agent/skills.json +27 -0
  278. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  279. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/02-stale/.coding-agent/skills.json +27 -0
  280. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  281. package/tests/fixtures/project-adapter-upgrade-chains/stale-pin-chain/03-target/.coding-agent/skills.json +27 -0
  282. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  283. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/01-current/.coding-agent/skills.json +27 -0
  284. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  285. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/02-safe/.coding-agent/skills.json +27 -0
  286. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/adapters/fixture-chain-adapter/adapter.json +69 -0
  287. package/tests/fixtures/project-adapter-upgrade-chains/unsafe-weakening-chain/03-weakens-restrictions/.coding-agent/skills.json +27 -0
  288. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  289. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/01-current/.coding-agent/skills.json +27 -0
  290. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  291. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/02-upgrade/.coding-agent/skills.json +27 -0
  292. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  293. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/03-upgrade/.coding-agent/skills.json +27 -0
  294. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  295. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/04-upgrade/.coding-agent/skills.json +27 -0
  296. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  297. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/05-upgrade/.coding-agent/skills.json +27 -0
  298. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  299. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/06-upgrade/.coding-agent/skills.json +27 -0
  300. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/adapters/fixture-chain-adapter/adapter.json +70 -0
  301. package/tests/fixtures/project-adapter-upgrade-chains/valid-chain/07-upgrade/.coding-agent/skills.json +27 -0
  302. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  303. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/after/.coding-agent/skills.json +27 -0
  304. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  305. package/tests/fixtures/project-adapter-upgrades/adapter-schema-drift/before/.coding-agent/skills.json +27 -0
  306. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +71 -0
  307. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/after/.coding-agent/skills.json +27 -0
  308. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  309. package/tests/fixtures/project-adapter-upgrades/safe-upgrade-preserves-restrictions/before/.coding-agent/skills.json +27 -0
  310. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  311. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/after/.coding-agent/skills.json +27 -0
  312. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  313. package/tests/fixtures/project-adapter-upgrades/skill-compatibility-drift/before/.coding-agent/skills.json +27 -0
  314. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  315. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/after/.coding-agent/skills.json +27 -0
  316. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  317. package/tests/fixtures/project-adapter-upgrades/stale-compatible-range/before/.coding-agent/skills.json +27 -0
  318. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  319. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/after/.coding-agent/skills.json +27 -0
  320. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  321. package/tests/fixtures/project-adapter-upgrades/stale-exact-pin/before/.coding-agent/skills.json +27 -0
  322. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  323. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/after/.coding-agent/skills.json +27 -0
  324. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  325. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-mode-escalation/before/.coding-agent/skills.json +27 -0
  326. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  327. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/after/.coding-agent/skills.json +27 -0
  328. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  329. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-removes-evidence/before/.coding-agent/skills.json +27 -0
  330. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +69 -0
  331. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/after/.coding-agent/skills.json +27 -0
  332. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  333. package/tests/fixtures/project-adapter-upgrades/unsafe-upgrade-weakens-restrictions/before/.coding-agent/skills.json +27 -0
  334. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  335. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/after/.coding-agent/skills.json +27 -0
  336. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  337. package/tests/fixtures/project-adapter-upgrades/unsupported-future-core/before/.coding-agent/skills.json +27 -0
  338. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  339. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/after/.coding-agent/skills.json +27 -0
  340. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  341. package/tests/fixtures/project-adapter-upgrades/unsupported-old-core/before/.coding-agent/skills.json +27 -0
  342. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  343. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/after/.coding-agent/skills.json +27 -0
  344. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/adapters/fixture-upgrade-adapter/adapter.json +70 -0
  345. package/tests/fixtures/project-adapter-upgrades/valid-upgrade/before/.coding-agent/skills.json +27 -0
  346. package/tests/fixtures/sample-repo/.env.example +1 -0
  347. package/tests/fixtures/sample-repo/README.md +4 -0
  348. package/tests/fixtures/sample-repo/docs/architecture.md +3 -0
  349. package/tests/fixtures/sample-repo/package.json +11 -0
  350. package/tests/fixtures/sample-repo/src/index.js +3 -0
  351. package/tests/fixtures/sample-repo/test/index.test.js +8 -0
  352. package/tests/fixtures/triggers/cases.json +101 -0
  353. package/tests/policy/README.md +16 -0
  354. package/tests/privacy/README.md +14 -0
  355. package/tests/safety/README.md +17 -0
  356. package/tests/trigger/README.md +11 -0
  357. package/work-ledger.md +159 -0
@@ -0,0 +1,94 @@
1
+ # Safety
2
+
3
+ ## Audit-Only Rule
4
+
5
+ `repo-map`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
6
+
7
+ `build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
8
+
9
+ ## Restricted Categories
10
+
11
+ - File writes, deletion, permission changes, or generated output inside a target project.
12
+ - Package installation, upgrade, or lockfile mutation.
13
+ - Deployments and remote publication.
14
+ - Commits, pushes, pulls, merges, rebases, resets, restores, cleans, checkouts, switches, or stashes.
15
+ - Unbounded scans outside the declared repository scope.
16
+ - Secret-file reads or commands that print credentials.
17
+ - Process or service mutation.
18
+ - Migration application or database mutation.
19
+ - Privileged or authenticated API calls.
20
+
21
+ An allowlisted executable does not make arbitrary arguments safe. Evaluate the complete shell structure and reject mixed chains containing restricted operations.
22
+
23
+ Approval must name an exceptional read and its purpose. It cannot expand an audit-only skill into a mutation skill.
24
+
25
+ ## Adapter Inheritance
26
+
27
+ Project adapters inherit every shared restriction. Schema fields that could weaken safety are fixed: adapters cannot remove restrictions, override mode, suppress failures, redefine completion, expose secrets, remove evidence requirements, or expand scope without approval.
28
+
29
+ Adapter command aliases and status hints are parsed with the same command-policy harness as shared examples. A familiar alias never bypasses argument or composition checks.
30
+
31
+ External discovery is bounded to declared adapter locations and the exact `adapter.json`
32
+ filename. It rejects traversal, symlink escapes, non-regular manifests, oversized manifests,
33
+ malformed JSON, secret-like content, and mixed roots containing any rejection. The validator
34
+ does not execute adapter commands or read unrelated project files.
35
+
36
+ Project installation adds a declaration but no new permissions. Exact or ranged core pins,
37
+ adapter records, and skill IDs must agree with discovered manifests. Declaration paths remain
38
+ repository-relative, `.env` files remain outside discovery, and the declared validation
39
+ command is metadata rather than executable input.
40
+
41
+ Upgrade checks preserve that boundary across revisions. They are advisory, do not write
42
+ pins or manifests, and reject stale targets, unsupported cores, schema or skill drift,
43
+ restriction weakening, audit-mode escalation, evidence removal, failure suppression,
44
+ completion override, secret exposure, scope expansion, traversal, and symlink escape.
45
+
46
+ Compatibility-chain checks apply the same boundary to every adjacent revision and require a
47
+ current final target. They never apply upgrades. Optional evidence output is permitted only
48
+ when explicitly requested, uses a new relative `.json` file beneath a non-symlink output
49
+ base, and never overwrites existing content. Evidence omits raw project paths and project IDs.
50
+
51
+ Evidence-bundle verification is read-only. Bundle entries must stay beneath the bundle
52
+ directory, avoid local environment-file paths, avoid symlink escapes, match declared hashes,
53
+ validate against known evidence contracts, and preserve baseline status. The verifier emits
54
+ sanitized reports only and never executes commands from evidence.
55
+
56
+ Evidence retention, provenance, archive-index, and archive-report checks are also
57
+ read-only. Retention is validated as metadata only; expiry reporting is advisory and does
58
+ not delete or move files. Signed provenance is a detached-signature design and verification
59
+ planning contract, not a private-key operation and not live signature verification. Archive
60
+ indexes and reports are sanitized metadata summaries unless a future milestone separately
61
+ approves storage.
62
+
63
+ ## Maintainer Loop
64
+
65
+ The local maintainer loop is a bounded repository coordinator. It may read repository Git
66
+ state, tags, the roadmap, changelog, and work ledger; run local validators; select the next
67
+ declared milestone; and append evidence to the repository-owned ledger files.
68
+
69
+ Permission flags are explicit gates. They do not authorize new skills, real project
70
+ adapters, external project changes, infrastructure work, credential access, policy
71
+ weakening, or destructive Git operations.
72
+
73
+ ### Stop Boundaries
74
+
75
+ The runner stops when the worktree is dirty, validation fails, no permission matches the
76
+ next action, scope is blocked by the ledger, or human approval is required. It does not read
77
+ local environment files, publish releases, apply database changes, mutate services, or
78
+ perform deployment work.
79
+
80
+ ## Command Policy Limits
81
+
82
+ Command policies declare executable families, argument strategy, parser invariants, composition rules, and denied categories. Property-style tests exercise obvious bypass combinations, but the parser is not a complete shell implementation. Unsupported syntax fails closed.
83
+
84
+ ## Restricted Evidence
85
+
86
+ Historical or extracted restricted commands may inform deny rules and warnings. They must not be copied into recommended procedures, examples, templates, or adapters.
87
+
88
+ ## Secret Handling
89
+
90
+ Never reproduce tokens, credentials, cookies, private keys, service-role values, or authenticated headers. Record only the secret type and affected location.
91
+
92
+ Local `.env` files may intentionally provide credentials for separately approved authenticated operations. Load them without shell tracing, reference environment-variable names rather than literal values, and avoid output that may reveal credentials. Never commit `.env` files or place credentials in remote URLs.
93
+
94
+ Recommend rotation only when evidence shows a credential was printed, copied into generated content, committed, pushed, or exposed outside its approved local environment.
@@ -0,0 +1,100 @@
1
+ # Harness
2
+
3
+ The harness is dependency-free and runs through:
4
+
5
+ - `node scripts/validate-pack.mjs .`
6
+ - `node scripts/test-pack.mjs`
7
+ - `node scripts/validate-maintainer-loop.mjs .`
8
+ - `node scripts/validate-adapters.mjs tests/fixtures/external-adapters/valid-basic`
9
+ - `node scripts/validate-project-adapters.mjs tests/fixtures/project-adapter-installation/valid-exact-pin`
10
+ - `node scripts/check-adapter-upgrade.mjs tests/fixtures/project-adapter-upgrades/valid-upgrade/before tests/fixtures/project-adapter-upgrades/valid-upgrade/after`
11
+ - `node scripts/check-adapter-upgrade-chain.mjs tests/fixtures/project-adapter-upgrade-chains/valid-chain`
12
+ - `node scripts/verify-evidence-bundle.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`
13
+ - `node scripts/render-evidence-archive-report.mjs tests/fixtures/evidence-bundles/valid-bundle/evidence-bundle.json`
14
+ - `node --test`
15
+
16
+ ## Trigger Classification
17
+
18
+ Synthetic prompts identify the least-privileged matching pilot skill and reject mutation or publication requests. The classifier is a harness oracle, not a production router.
19
+
20
+ ## Command Policy
21
+
22
+ The command analyzer handles obvious composition, multiline scripts, pipelines, wrappers, heredocs, redirects, project scripts, Git, provider-specific `npx`, curl approval, runtime status commands, and restricted arguments.
23
+
24
+ Property-style tests generate combinations of safe prefixes, shell separators, and restricted suffixes. They exist to catch repeated bypass families without manually writing every combination.
25
+
26
+ This is intentionally conservative and is not a complete POSIX parser. Unknown execution, quoting ambiguity, or unsupported shell syntax must fail closed.
27
+
28
+ ## Mutation Snapshots
29
+
30
+ Audit-only Markdown is scanned for restricted commands presented as procedures. Commands in explicitly denied or negative contexts remain documentation. Synthetic snapshot targets are hashed before and after checks.
31
+
32
+ ## Privacy And Redaction
33
+
34
+ Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
35
+
36
+ ## Adapter Weakening
37
+
38
+ Valid adapters must pass both JSON Schema validation and semantic compatibility checks. Tests cover narrowing, documentation precedence, and status-only hints, then reject deployment, Git publication, failure suppression, completion overrides, secret exposure, missing restrictions, stale skill versions, required-evidence removal, scope expansion, and audit-mode overrides.
39
+
40
+ ## External Adapter Discovery
41
+
42
+ Disposable fixture roots exercise all three discovery conventions. The harness accepts valid
43
+ roots and rejects malformed JSON, unknown manifests, incompatible skills and versions,
44
+ restriction weakening, mixed roots, traversal, and symlink escapes. Missing roots fail;
45
+ empty roots return a clear zero-adapter result. CLI tests also confirm stable exit codes and
46
+ that summaries do not echo manifest commands or identifiers.
47
+
48
+ ## Project Installation And Pins
49
+
50
+ Disposable project roots cover exact pins, compatible ranges, multiple adapters, missing or
51
+ ambiguous declarations, unsupported old and future cores, malformed semver, unknown skills,
52
+ adapter version mismatch, invalid locations, restriction weakening, secret exposure, scope
53
+ expansion, traversal, and symlink escape. Privacy tests verify that unrelated `.env` files
54
+ are ignored and secret-like declaration content is rejected without appearing in summaries.
55
+
56
+ ## Adapter Upgrade And Stale Pins
57
+
58
+ Paired simulated revisions cover safe exact and ranged upgrades, stale exact pins, stale
59
+ ranges, unsupported old and future cores, adapter schema drift, skill compatibility drift,
60
+ restriction weakening, mode escalation, evidence removal, failure suppression, completion
61
+ override, secret exposure, unknown skills, and traversal. CLI tests confirm stable exit
62
+ codes and summaries that do not echo adapter identifiers or secret-like values.
63
+
64
+ ## Upgrade Evidence And Chains
65
+
66
+ Upgrade evidence examples validate against a dedicated JSON Schema and always declare
67
+ `changedState.changed: false`. Pair and chain CLIs support sanitized `--json` output and a
68
+ non-overwriting relative `--output` file.
69
+
70
+ Ordered chain fixtures cover accepted patch progression, stale pins, broken core and skill
71
+ compatibility, schema drift, restriction weakening, evidence removal, failure suppression,
72
+ completion override, mode escalation, `.env` avoidance, traversal, symlinks, and mutation
73
+ snapshots. Chain summaries use ordinal revision labels rather than directory names.
74
+
75
+ ## Evidence Bundles
76
+
77
+ Disposable evidence bundles cover valid replay, hash mismatch, missing entries,
78
+ cross-release regression, path traversal, invalid retention windows, retention-expiry
79
+ advisory status, provenance tag mismatch, unsafe archive policy, archive-index mismatch,
80
+ and unsafe signature-verification planning. Tests verify schema validity, entry hashes,
81
+ evidence-pack semantics, adapter-upgrade evidence semantics, deterministic report hashes,
82
+ status preservation, detached-signature design metadata, verification-plan metadata,
83
+ sanitized archive indexes, sanitized archive reports, and sanitized CLI output.
84
+
85
+ ## Maintainer Loop
86
+
87
+ The maintainer-loop validator checks the required root files, ledger sections, run-log
88
+ fields, executable runner mode, documented permission flags, unknown-flag rejection,
89
+ restricted-command absence, documentation links, and CI integration.
90
+
91
+ Release tests also invoke the runner without permissions and with an unknown permission.
92
+ Both cases must fail before repository inspection or mutation. A successful autonomous run
93
+ is intentionally tested after release from a clean worktree because it appends bounded
94
+ ledger and run evidence.
95
+
96
+ ## False Completion
97
+
98
+ Schema-valid evidence still fails semantic completion when required consequences, successful commands, material-risk resolution, known state, confidence reasons, repository identity, or supporting evidence are missing.
99
+
100
+ Fixtures live under `tests/fixtures/`. Focused test documentation records both implemented checks and future extensions.
@@ -0,0 +1,89 @@
1
+ # Using The Pilot Skills
2
+
3
+ Select the least-privileged skill that matches the request:
4
+
5
+ | Need | Skill |
6
+ |---|---|
7
+ | Understand repository identity and structure | `repo-map` |
8
+ | Run existing local validation checks | `build-verify` |
9
+ | Assess Git handoff readiness | `git-preflight` |
10
+ | Determine what is actually running | `runtime-truth` |
11
+ | Reconcile claims with evidence | `llm-drift-control` |
12
+
13
+ ## Typical Flow
14
+
15
+ 1. Use `repo-map` when repository identity or boundaries are not established.
16
+ 2. Perform implementation outside this pilot pack.
17
+ 3. Use `build-verify` for approved project-native checks.
18
+ 4. Use `git-preflight` before handoff or publication.
19
+ 5. Use `runtime-truth` only when live local state matters.
20
+ 6. Use `llm-drift-control` when claims and evidence may disagree.
21
+
22
+ Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
23
+
24
+ When a project owns a compatible adapter, render read-only adapter-aware `repo-map` context
25
+ with:
26
+
27
+ ```bash
28
+ node scripts/render-adapter-repo-map.mjs <project-root>
29
+ ```
30
+
31
+ This validates the project adapter first, then reports adapter-declared documentation
32
+ precedence, safe read paths, ignored paths, and required evidence. It is not a build,
33
+ test, runtime, deployment, migration, package-install, or secret-reading flow.
34
+
35
+ See [examples](../../examples/README.md) for safe concrete inputs and outputs.
36
+
37
+ ## Public CLI Surface
38
+
39
+ Install the CLI from the public npm registry:
40
+
41
+ ```bash
42
+ npm install -g coding-agent-skills
43
+ ```
44
+
45
+ Run supported commands:
46
+
47
+ ```bash
48
+ coding-agent-skills validate-pack
49
+ coding-agent-skills validate-project /path/to/project
50
+ coding-agent-skills repo-map /path/to/project
51
+ coding-agent-skills validate-adapters /path/to/adapter-root
52
+ ```
53
+
54
+ For one-off execution, use:
55
+
56
+ ```bash
57
+ npx coding-agent-skills validate-pack
58
+ ```
59
+
60
+ These commands wrap the same validated scripts shipped in the repository. `repo-map`
61
+ validates the project adapter first, then renders adapter-declared documentation
62
+ precedence, safe read paths, ignored paths, and required evidence.
63
+
64
+ The installed CLI does not run target project builds or tests, perform runtime checks,
65
+ deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
66
+ narrow context; they do not grant additional power or weaken shared restrictions.
67
+
68
+ ## Local Command Surface
69
+
70
+ From the shared skill repository root, the same wrapper can be used directly:
71
+
72
+ ```bash
73
+ bin/coding-agent-skills validate-pack
74
+ bin/coding-agent-skills validate-project /path/to/project
75
+ bin/coding-agent-skills repo-map /path/to/project
76
+ bin/coding-agent-skills validate-adapters /path/to/adapter-root
77
+ ```
78
+
79
+ If the repository's `bin/` directory is already on the shell path, the same commands can
80
+ also be invoked as:
81
+
82
+ ```bash
83
+ coding-agent-skills validate-pack
84
+ coding-agent-skills validate-project /path/to/project
85
+ coding-agent-skills repo-map /path/to/project
86
+ coding-agent-skills validate-adapters /path/to/adapter-root
87
+ ```
88
+
89
+ The local wrapper follows the same safety model as the published CLI.
@@ -0,0 +1,30 @@
1
+ # Versioning
2
+
3
+ Use Semantic Versioning:
4
+
5
+ - **Patch:** wording, validation, examples, or safety fixes that preserve behavior.
6
+ - **Minor:** new approved skills, compatible schema fields, or new adapter capabilities.
7
+ - **Major:** incompatible contracts, renamed skills, weakened compatibility, or changed completion semantics.
8
+
9
+ Skill examples use the repository release version. Evidence packs separately record their contract version.
10
+
11
+ Tags use `vMAJOR.MINOR.PATCH`. Tags are created only after validation passes, `main` is pushed, the working tree is clean, and local and remote branches are synchronized.
12
+
13
+ ## Project Pins
14
+
15
+ A project-owned adapter declaration records the expected shared core version and one version
16
+ pin. Supported forms are:
17
+
18
+ - Exact pin: `0.2.3`
19
+ - Compatible range: `>=0.2.2 <0.3.0`
20
+
21
+ Ranges are conjunctions of plain Semantic Versioning comparators. Caret, tilde, wildcard,
22
+ prerelease, build metadata, and logical-OR forms are not supported by the dependency-free
23
+ pilot parser.
24
+
25
+ The running core version must equal `expectedVersion` and satisfy `versionPin`. This rejects
26
+ unsupported old or future cores, stale declarations, and ranges that do not include the
27
+ current release. Adapter schema and adapter manifest versions are validated separately.
28
+
29
+ See [adapter compatibility](adapter-compatibility.md) for stale-pin, schema-drift, skill
30
+ compatibility, policy-preservation, and multi-step chain rules across project revisions.
@@ -0,0 +1,54 @@
1
+ # Adapter Compatibility Across Upgrades
2
+
3
+ Adapter upgrades compare four independent version surfaces:
4
+
5
+ 1. The before and after project core `expectedVersion`.
6
+ 2. The exact core pin or bounded compatible range.
7
+ 3. The declared adapter schema version and installed adapter version.
8
+ 4. Each adapter's compatible pilot skill versions.
9
+
10
+ ## Supported Transition
11
+
12
+ The `v0.2.3` pair harness recognizes `0.2.2` as its supported source and `0.2.3` as its target.
13
+ The source revision is validated against the version it declares. The target revision is
14
+ then required to match the running core.
15
+
16
+ This separation allows a valid older revision to be inspected without pretending its pin is
17
+ current. A source older than the immediately preceding patch is an unsupported old core. A
18
+ target newer than the running core is an unsupported future core.
19
+
20
+ Multi-step chains may retain earlier synthetic revisions when every adjacent transition is
21
+ a contiguous patch upgrade. Each step is evaluated against its own target core, while the
22
+ last revision must target `0.2.3`.
23
+
24
+ ## Drift Rules
25
+
26
+ - **Pin drift:** the target exact pin or range excludes the running core.
27
+ - **Schema drift:** the project declares an adapter schema unsupported by the shared core.
28
+ - **Adapter version drift:** the declared and discovered adapter versions disagree or
29
+ downgrade.
30
+ - **Skill compatibility drift:** approved skill IDs, modes, or compatible versions no longer
31
+ agree.
32
+ - **Policy drift:** the target removes restrictions, evidence, failure reporting, completion
33
+ integrity, secret protection, or approval boundaries.
34
+
35
+ Project adapters may narrow reads and add required evidence. They must preserve all shared
36
+ restrictions and all evidence already required by the before revision.
37
+
38
+ ## Upgrade Evidence
39
+
40
+ A review should retain:
41
+
42
+ - Both immutable project revision roots or equivalent commit identities.
43
+ - The core target version.
44
+ - The upgrade command and exit status.
45
+ - Accepted adapter and skill counts.
46
+ - Every rejection code or skipped comparison.
47
+ - Confirmation that no project state changed.
48
+
49
+ Upgrade evidence is advisory. It does not authorize edits, publication, deployment, or
50
+ adoption in a real project.
51
+
52
+ Structured pair and chain records validate against
53
+ [`adapter-upgrade-evidence.schema.json`](../../schemas/adapter-upgrade-evidence.schema.json).
54
+ They use ordinal project summaries and never store raw revision paths or project IDs.
@@ -0,0 +1,12 @@
1
+ # Pilot Examples
2
+
3
+ All examples are synthetic and safe to publish.
4
+
5
+ - [Skill manifests](manifests/)
6
+ - [Command policies](command-policies/)
7
+ - [Project adapters](adapters/)
8
+ - [Evidence packs](evidence-packs/)
9
+ - [Adapter upgrade evidence](upgrade-evidence/)
10
+ - [Workflow guides](workflows/)
11
+
12
+ Unsafe operations appear only as named restricted categories or clearly marked warnings. No example contains private paths, credentials, internal transcripts, or real service endpoints.
@@ -0,0 +1,9 @@
1
+ # Adapter Examples
2
+
3
+ These synthetic examples validate against `schemas/project-adapter.schema.json`.
4
+
5
+ - `narrow-repo-map.json` adds only bounded repository context.
6
+ - `documentation-precedence.json` declares authoritative documentation order.
7
+ - `runtime-status-hints.json` adds status-only runtime-manager hints.
8
+
9
+ Examples are contracts, not installed project adapters. Real adapters belong in their owning project repositories.
@@ -0,0 +1,62 @@
1
+ {
2
+ "adapterId": "sample-documentation-precedence",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "sample-project",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {
9
+ "kind": "directory",
10
+ "path": "docs"
11
+ }
12
+ ],
13
+ "maximumDepth": 1,
14
+ "scope": "declared-project-root",
15
+ "requireApprovalOutsideScope": true
16
+ }
17
+ },
18
+ "supportedSkills": [
19
+ {
20
+ "id": "llm-drift-control",
21
+ "compatibleVersions": ["0.2.x"],
22
+ "declaredMode": "audit-only"
23
+ }
24
+ ],
25
+ "extensions": {
26
+ "safeReadPaths": ["README.md", "docs", "src", "test"],
27
+ "ignoredPaths": ["docs/generated"],
28
+ "documentationPrecedence": [
29
+ "docs/architecture/README.md",
30
+ "docs/product/README.md",
31
+ "README.md"
32
+ ],
33
+ "commandAliases": [],
34
+ "safeStatusCommands": [],
35
+ "requiredEvidence": ["source reference", "test reference", "documentation reference"],
36
+ "expectedRuntimeManagers": [],
37
+ "expectedPackageManagers": ["none"]
38
+ },
39
+ "approvalRequirements": [],
40
+ "inheritance": {
41
+ "sharedRestrictions": "required",
42
+ "deniedOperationCategories": [
43
+ "file-write",
44
+ "package-install",
45
+ "deployment",
46
+ "git-mutation",
47
+ "unrestricted-scan",
48
+ "secret-read",
49
+ "process-mutation",
50
+ "service-mutation",
51
+ "migration-apply",
52
+ "privileged-api"
53
+ ],
54
+ "allowRestrictionRemoval": false,
55
+ "allowModeOverride": false,
56
+ "allowFailureSuppression": false,
57
+ "allowCompletionOverride": false,
58
+ "allowSecretExposure": false,
59
+ "allowRequiredEvidenceRemoval": false,
60
+ "allowScopeExpansionWithoutApproval": false
61
+ }
62
+ }
@@ -0,0 +1,64 @@
1
+ {
2
+ "adapterId": "sample-repo-map",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "sample-project",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {
9
+ "kind": "file",
10
+ "path": "package.json"
11
+ }
12
+ ],
13
+ "maximumDepth": 2,
14
+ "scope": "declared-project-root",
15
+ "requireApprovalOutsideScope": true
16
+ }
17
+ },
18
+ "supportedSkills": [
19
+ {
20
+ "id": "repo-map",
21
+ "compatibleVersions": ["0.2.3"],
22
+ "declaredMode": "audit-only"
23
+ }
24
+ ],
25
+ "extensions": {
26
+ "safeReadPaths": ["README.md", "docs", "src"],
27
+ "ignoredPaths": ["dist", "coverage"],
28
+ "documentationPrecedence": [],
29
+ "commandAliases": [],
30
+ "safeStatusCommands": [],
31
+ "requiredEvidence": ["package manifest", "application entry point"],
32
+ "expectedRuntimeManagers": [],
33
+ "expectedPackageManagers": ["npm"]
34
+ },
35
+ "approvalRequirements": [
36
+ {
37
+ "operation": "read-outside-declared-scope",
38
+ "required": true,
39
+ "reason": "The adapter cannot expand repository scope implicitly."
40
+ }
41
+ ],
42
+ "inheritance": {
43
+ "sharedRestrictions": "required",
44
+ "deniedOperationCategories": [
45
+ "file-write",
46
+ "package-install",
47
+ "deployment",
48
+ "git-mutation",
49
+ "unrestricted-scan",
50
+ "secret-read",
51
+ "process-mutation",
52
+ "service-mutation",
53
+ "migration-apply",
54
+ "privileged-api"
55
+ ],
56
+ "allowRestrictionRemoval": false,
57
+ "allowModeOverride": false,
58
+ "allowFailureSuppression": false,
59
+ "allowCompletionOverride": false,
60
+ "allowSecretExposure": false,
61
+ "allowRequiredEvidenceRemoval": false,
62
+ "allowScopeExpansionWithoutApproval": false
63
+ }
64
+ }
@@ -0,0 +1,76 @@
1
+ {
2
+ "adapterId": "sample-runtime-status",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "sample-service",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {
9
+ "kind": "file",
10
+ "path": "package.json"
11
+ }
12
+ ],
13
+ "maximumDepth": 1,
14
+ "scope": "declared-project-root",
15
+ "requireApprovalOutsideScope": true
16
+ }
17
+ },
18
+ "supportedSkills": [
19
+ {
20
+ "id": "runtime-truth",
21
+ "compatibleVersions": ["0.2.3"],
22
+ "declaredMode": "audit-only"
23
+ }
24
+ ],
25
+ "extensions": {
26
+ "safeReadPaths": ["README.md", "package.json"],
27
+ "ignoredPaths": ["logs"],
28
+ "documentationPrecedence": ["README.md"],
29
+ "commandAliases": [
30
+ {
31
+ "alias": "service-status",
32
+ "skillId": "runtime-truth",
33
+ "family": "runtime-status",
34
+ "command": "systemctl --user status sample.service --no-pager"
35
+ }
36
+ ],
37
+ "safeStatusCommands": [
38
+ {
39
+ "manager": "systemd-user",
40
+ "command": "systemctl --user status sample.service --no-pager"
41
+ }
42
+ ],
43
+ "requiredEvidence": ["manager status", "listener ownership", "health response"],
44
+ "expectedRuntimeManagers": ["systemd-user"],
45
+ "expectedPackageManagers": ["npm"]
46
+ },
47
+ "approvalRequirements": [
48
+ {
49
+ "operation": "authenticated-health-check",
50
+ "required": true,
51
+ "reason": "Authenticated health checks require a separately approved workflow."
52
+ }
53
+ ],
54
+ "inheritance": {
55
+ "sharedRestrictions": "required",
56
+ "deniedOperationCategories": [
57
+ "file-write",
58
+ "package-install",
59
+ "deployment",
60
+ "git-mutation",
61
+ "unrestricted-scan",
62
+ "secret-read",
63
+ "process-mutation",
64
+ "service-mutation",
65
+ "migration-apply",
66
+ "privileged-api"
67
+ ],
68
+ "allowRestrictionRemoval": false,
69
+ "allowModeOverride": false,
70
+ "allowFailureSuppression": false,
71
+ "allowCompletionOverride": false,
72
+ "allowSecretExposure": false,
73
+ "allowRequiredEvidenceRemoval": false,
74
+ "allowScopeExpansionWithoutApproval": false
75
+ }
76
+ }
@@ -0,0 +1,3 @@
1
+ # Command-Policy Examples
2
+
3
+ Policies describe allowed families and shared restricted categories. They are declarative examples, not runtime wrappers.
@@ -0,0 +1,57 @@
1
+ {
2
+ "version": "0.2.3",
3
+ "mode": "action-capable",
4
+ "parserPolicy": {
5
+ "inspectEverySegment": true,
6
+ "inspectScriptBodies": true,
7
+ "rejectUnknownExecutables": true,
8
+ "rejectShellWrappers": true,
9
+ "rejectHeredocs": true,
10
+ "rejectRedirection": true,
11
+ "providerSpecificNpx": true,
12
+ "authenticatedCurlRequiresApproval": true,
13
+ "boundedReadsRequired": true,
14
+ "allowedComposition": "read-only"
15
+ },
16
+ "allowedFamilies": [
17
+ {
18
+ "name": "manifest-inspection",
19
+ "executables": ["sed", "head", "jq"],
20
+ "argumentPolicy": {
21
+ "strategy": "pattern",
22
+ "allowedPatterns": ["known manifest and CI file reads"],
23
+ "deniedPatterns": ["secret files and paths outside the repository"]
24
+ },
25
+ "constraints": [
26
+ "Read only known project manifests and CI configuration."
27
+ ]
28
+ },
29
+ {
30
+ "name": "project-native-validation",
31
+ "executables": ["npm", "pnpm", "yarn", "node"],
32
+ "argumentPolicy": {
33
+ "strategy": "discovered-script",
34
+ "allowedPatterns": ["lint, typecheck, test, build, check, and validate"],
35
+ "deniedPatterns": ["install, fix, deploy, migrate, snapshot, watch, dev, and start"]
36
+ },
37
+ "constraints": [
38
+ "Run only scripts discovered in project manifests.",
39
+ "Allow lint without fix mode, typecheck, targeted tests, tests, and build.",
40
+ "Reject watch mode, installation, snapshot updates, and unknown scripts."
41
+ ]
42
+ }
43
+ ],
44
+ "restrictedCategories": [
45
+ "file-write",
46
+ "package-install",
47
+ "deployment",
48
+ "git-mutation",
49
+ "unrestricted-scan",
50
+ "secret-read",
51
+ "process-mutation",
52
+ "service-mutation",
53
+ "migration-apply",
54
+ "privileged-api"
55
+ ],
56
+ "approvalExceptions": []
57
+ }