coding-agent-skills 0.2.9 → 0.2.10
- package/CHANGELOG.md +19 -0
- package/README.md +2 -0
- package/ROADMAP.md +18 -15
- package/bin/coding-agent-skills +7 -0
- package/docs/adapters/README.md +17 -0
- package/docs/adapters/project-installation.md +11 -0
- package/docs/adapters/real-project-adoption.md +2 -1
- package/docs/architecture/README.md +1 -0
- package/docs/release/README.md +3 -2
- package/docs/release/npm-package.md +5 -2
- package/docs/safety/README.md +5 -1
- package/docs/testing/README.md +7 -0
- package/docs/usage/README.md +15 -5
- package/examples/command-policies/env-audit.json +73 -0
- package/examples/evidence-packs/env-audit.json +55 -0
- package/examples/manifests/env-audit.json +14 -0
- package/examples/workflows/env-audit.md +16 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +10 -0
- package/schemas/project-adapter-installation.schema.json +2 -0
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/env-audit.mjs +640 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/render-env-audit.mjs +8 -0
- package/scripts/test-pack.mjs +71 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/env-audit/SKILL.md +58 -0
- package/skills/env-audit/adapter-interface.md +12 -0
- package/skills/env-audit/agents/openai.yaml +4 -0
- package/skills/env-audit/checklist.md +7 -0
- package/skills/env-audit/evidence-template.md +17 -0
- package/skills/env-audit/examples.md +28 -0
- package/skills/env-audit/failure-modes.md +5 -0
- package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
- package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
- package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
- package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
- package/tests/fixtures/env-audit/static-project/.env.example +3 -0
- package/tests/fixtures/env-audit/static-project/README.md +3 -0
- package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
- package/tests/fixtures/env-audit/static-project/package.json +4 -0
- package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
- package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
- package/tests/fixtures/triggers/cases.json +13 -1
- package/tests/trigger/README.md +2 -0
- package/work-ledger.md +24 -11
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,25 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes follow [Semantic Versioning](docs/versioning/README.md).
|
|
4
4
|
|
|
5
|
+
## [0.2.10] - 2026-07-03
|
|
6
|
+
|
|
7
|
+
### Added
|
|
8
|
+
|
|
9
|
+
- `env-audit` audit-only skill for static environment variable name mapping without values.
|
|
10
|
+
- `coding-agent-skills env-audit <project-root>` CLI command.
|
|
11
|
+
- Dependency-free env audit renderer for variable names, classifications, sample files,
|
|
12
|
+
skipped secret-bearing paths, not-verified runtime stores, adapter-limited scope, and
|
|
13
|
+
safety refusals.
|
|
14
|
+
- Synthetic env-audit fixtures and release tests for generic static scans, adapter-scoped
|
|
15
|
+
scans, `.env` exclusion, `.env.example` inspection, and repo-map-only adapter skips.
|
|
16
|
+
|
|
17
|
+
### Changed
|
|
18
|
+
|
|
19
|
+
- Adapter schemas and validators now recognize `env-audit` as an audit-only skill while
|
|
20
|
+
preserving the existing `0.2.3` adapter contract compatibility baseline.
|
|
21
|
+
- Builder-mode approval for completing the remaining read-only skill wave is recorded in
|
|
22
|
+
the roadmap, ledger, and run log.
|
|
23
|
+
|
|
5
24
|
## [0.2.9] - 2026-07-03
|
|
6
25
|
|
|
7
26
|
### Added
|
package/README.md
CHANGED
|
@@ -7,6 +7,7 @@ The pilot pack contains:
|
|
|
7
7
|
- Shared evidence-pack contract.
|
|
8
8
|
- `repo-map`: audit-only repository orientation.
|
|
9
9
|
- `route-trace`: audit-only static route surface tracing.
|
|
10
|
+
- `env-audit`: audit-only environment variable name mapping without values.
|
|
10
11
|
- `build-verify`: controlled local validation using existing project commands.
|
|
11
12
|
- `git-preflight`: audit-only Git readiness inspection.
|
|
12
13
|
- `runtime-truth`: audit-only runtime evidence collection.
|
|
@@ -40,6 +41,7 @@ Every skill emits the evidence-pack contract. A command being attempted is never
|
|
|
40
41
|
- Run `npx coding-agent-skills validate-pack` when a one-off npm execution is preferred.
|
|
41
42
|
- From a clone, the same wrapper is available as `bin/coding-agent-skills validate-pack`.
|
|
42
43
|
- Trace static route surfaces with `coding-agent-skills route-trace <project-root>`.
|
|
44
|
+
- Map environment variable names with `coding-agent-skills env-audit <project-root>`.
|
|
43
45
|
- Validate project adapters against [the formal adapter schema](schemas/project-adapter.schema.json).
|
|
44
46
|
- Review [external adapter discovery](docs/adapters/discovery.md).
|
|
45
47
|
- Run `node scripts/validate-adapters.mjs <adapter-root>` for a disposable external root.
|
package/ROADMAP.md
CHANGED
|
@@ -1,7 +1,8 @@
|
|
|
1
1
|
# Roadmap
|
|
2
2
|
|
|
3
|
-
The public package now contains
|
|
4
|
-
|
|
3
|
+
The public package now contains seven approved shared skills. Builder-mode approval is
|
|
4
|
+
active for the remaining read-only skill wave in this repository; real-world project
|
|
5
|
+
execution constraints remain unchanged.
|
|
5
6
|
|
|
6
7
|
## Released Harness Milestones
|
|
7
8
|
|
|
@@ -29,15 +30,16 @@ design and approval.
|
|
|
29
30
|
install smoke coverage.
|
|
30
31
|
- `v0.2.9`: audit-only `route-trace` skill and CLI renderer for static route surface
|
|
31
32
|
tracing.
|
|
33
|
+
- `v0.2.10`: audit-only `env-audit` skill and CLI renderer for value-free environment
|
|
34
|
+
variable name mapping.
|
|
32
35
|
|
|
33
36
|
The next milestone is recorded in [work-ledger.md](work-ledger.md). The
|
|
34
37
|
[maintainer loop](RUNBOOK.md) may select and evidence that milestone, but it must stop
|
|
35
38
|
before implementation until the relevant human approval is granted.
|
|
36
39
|
|
|
37
|
-
No evidence-harness milestone is queued after `v0.2.3`.
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
does not approve new skills or target-project mutation.
|
|
40
|
+
No evidence-harness milestone is queued after `v0.2.3`. Builder-mode approval permits the
|
|
41
|
+
listed read-only skill wave inside this repository. Real project adapters, target-project
|
|
42
|
+
mutation, signing infrastructure, and action-capable platform work remain separately gated.
|
|
41
43
|
|
|
42
44
|
## Planning Gates
|
|
43
45
|
|
|
@@ -71,20 +73,21 @@ Next safe milestone options:
|
|
|
71
73
|
| Candidate | Scope | Mode | Current gate |
|
|
72
74
|
|---|---|---|---|
|
|
73
75
|
| `route-trace-skill` | General | Audit-only | Implemented in `v0.2.9` |
|
|
74
|
-
| `env-audit-skill` | General | Audit-only |
|
|
75
|
-
| `secret-audit-skill` | General | Audit-only |
|
|
76
|
-
| `deployment-preflight-skill` | General | Audit-only |
|
|
77
|
-
| `cloudflare-preflight-skill` | Platform-specific | Audit-only |
|
|
76
|
+
| `env-audit-skill` | General | Audit-only | Implemented in `v0.2.10` |
|
|
77
|
+
| `secret-audit-skill` | General | Audit-only | Builder-mode approved; queued after `env-audit` |
|
|
78
|
+
| `deployment-preflight-skill` | General | Audit-only | Builder-mode approved; later in wave |
|
|
79
|
+
| `cloudflare-preflight-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
|
78
80
|
| `cloudflare-deploy-skill` | Platform-specific | Action-capable | Blocked on approval model |
|
|
79
|
-
| `supabase-rls-audit-skill` | Platform-specific | Audit-only |
|
|
80
|
-
| `migration-review-skill` | General with platform adapters | Audit-only |
|
|
81
|
-
| `api-contract-audit-skill` | General | Audit-only |
|
|
81
|
+
| `supabase-rls-audit-skill` | Platform-specific | Audit-only | Builder-mode approved; later in wave |
|
|
82
|
+
| `migration-review-skill` | General with platform adapters | Audit-only | Builder-mode approved; later in wave |
|
|
83
|
+
| `api-contract-audit-skill` | General | Audit-only | Builder-mode approved; later in wave |
|
|
82
84
|
| `repo-knowledge-sync-skill` | General | Action-capable | Blocked on write approval model |
|
|
83
85
|
| `security-hardening-review-skill` | General coordinator | Audit-only | Needs more evidence |
|
|
84
86
|
| `worker-queue-debug-skill` | General core with project adapters | Audit-only first | Needs more evidence |
|
|
85
87
|
| `devvit-ingest-debug-skill` | Project-specific | Audit-only | Needs project evidence |
|
|
86
|
-
| `github-handoff-skill` |
|
|
88
|
+
| `github-handoff-skill` | General | Audit-only | Builder-mode approved; later in wave |
|
|
87
89
|
| `session-extractor-skill` | General tooling | Action-capable | Blocked on privacy policy and more evidence |
|
|
88
90
|
| `command-redaction-skill` | General tooling | Action-capable | Needs more evidence |
|
|
89
91
|
|
|
90
|
-
|
|
92
|
+
Builder-mode approval applies only to the named read-only wave. No other roadmap item is
|
|
93
|
+
implicitly approved for implementation.
|
package/bin/coding-agent-skills
CHANGED
|
@@ -29,6 +29,12 @@ const commands = {
|
|
|
29
29
|
usage: "coding-agent-skills route-trace <project-root>",
|
|
30
30
|
requiredArgs: 1,
|
|
31
31
|
},
|
|
32
|
+
"env-audit": {
|
|
33
|
+
script: "scripts/render-env-audit.mjs",
|
|
34
|
+
args: ([projectRoot]) => [projectRoot],
|
|
35
|
+
usage: "coding-agent-skills env-audit <project-root>",
|
|
36
|
+
requiredArgs: 1,
|
|
37
|
+
},
|
|
32
38
|
"validate-adapters": {
|
|
33
39
|
script: "scripts/validate-adapters.mjs",
|
|
34
40
|
args: ([adapterRoot]) => [adapterRoot],
|
|
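Review bot: the new `env-audit` entry passes the argument through untouched (`args: ([projectRoot]) => [projectRoot]`), so this wrapper performs no path normalisation or scope bounding of its own; every guarantee the docs make about `.env` exclusion and adapter-limited scope therefore rests entirely on `scripts/render-env-audit.mjs`, which this diff does not show. A one-line comment next to the entry stating that the renderer owns the safety checks, or a shared guard that rejects a non-directory `projectRoot` before spawning any renderer, would make that contract visible to the next person who copies this block for a new skill.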
@@ -46,6 +52,7 @@ function usage(exitCode = 0) {
|
|
|
46
52
|
" validate-project <project-root>",
|
|
47
53
|
" repo-map <project-root>",
|
|
48
54
|
" route-trace <project-root>",
|
|
55
|
+
" env-audit <project-root>",
|
|
49
56
|
" validate-adapters <adapter-root>",
|
|
50
57
|
"",
|
|
51
58
|
"local wrapper for the published coding-agent-skills package",
|
package/docs/adapters/README.md
CHANGED
|
@@ -54,12 +54,29 @@ statically reports verified route files, inferred route patterns, skipped items,
|
|
|
54
54
|
not-verified runtime-dependent routing classes. It does not execute target code, run
|
|
55
55
|
servers, hit URLs, build, test, deploy, migrate, inspect databases, or read `.env` files.
|
|
56
56
|
|
|
57
|
+
## Adapter-Aware Env Audit Consumption
|
|
58
|
+
|
|
59
|
+
The shared pack can consume a validated project-owned adapter as bounded context for
|
|
60
|
+
`env-audit`:
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
node scripts/render-env-audit.mjs <project-root>
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
The renderer validates the project declaration when present. If an adapter is present but
|
|
67
|
+
does not enable `env-audit`, it reports an adapter-limited skip instead of broadening
|
|
68
|
+
scope. When enabled, it reads only adapter-declared safe paths, excludes `.env` and
|
|
69
|
+
secret-bearing files, and reports variable names, classifications, sample files inspected,
|
|
70
|
+
skipped items, and not-verified runtime or credential stores. It never prints values or
|
|
71
|
+
validates credentials.
|
|
72
|
+
|
|
57
73
|
## What Adapters May Do
|
|
58
74
|
|
|
59
75
|
- Add bounded relative read paths and ignored paths.
|
|
60
76
|
- Declare project-root markers and a bounded detection depth.
|
|
61
77
|
- Add documentation precedence and package-manager hints.
|
|
62
78
|
- Add route-trace safe read paths for static route files and route config.
|
|
79
|
+
- Add env-audit safe read paths for static source, docs, sample, and config files.
|
|
63
80
|
- Add command aliases that already satisfy the shared command policy.
|
|
64
81
|
- Add status-only runtime commands and manager hints.
|
|
65
82
|
- Require additional evidence or named approval for exceptional reads.
|
|
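Review bot: the new section promises that `env-audit` "excludes `.env` and secret-bearing files" but never says which paths count as secret-bearing, and an adapter author declaring "env-audit safe read paths" needs that rule to know what a safe path may contain. Suggest naming the exclusion rule here (in particular whether `.env.local`, `.env.production` and other `.env.*` variants are excluded alongside bare `.env`, given that `.env.example` is explicitly readable) or linking the skill's adapter-interface document where the rule is defined.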
@@ -122,6 +122,17 @@ patterns, skipped paths, and not-verified runtime-dependent route classes. It do
|
|
|
122
122
|
servers, hit URLs, execute app code, build, test, deploy, migrate, inspect databases, read
|
|
123
123
|
`.env` files, or modify project state.
|
|
124
124
|
|
|
125
|
+
A project-owned adapter can also enable read-only `env-audit` context:
|
|
126
|
+
|
|
127
|
+
```bash
|
|
128
|
+
node scripts/render-env-audit.mjs <project-root>
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
The env-audit renderer validates the project declaration when present. If the adapter is
|
|
132
|
+
present but does not enable `env-audit`, it reports an adapter-limited skip. When enabled,
|
|
133
|
+
it reads only adapter-declared safe paths, refuses `.env` and secret-bearing files, and
|
|
134
|
+
reports environment variable names without values.
|
|
135
|
+
|
|
125
136
|
## Safety Boundary
|
|
126
137
|
|
|
127
138
|
Project adapters are extension-only. They cannot remove denied operations, change an
|
|
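Review bot: this passage restates the "Adapter-Aware Env Audit Consumption" section added to `docs/adapters/README.md` almost word for word, down to the same `node scripts/render-env-audit.mjs <project-root>` block and the same "adapter-limited skip" sentence; two copies of the scope rule will drift the first time the exclusion list changes. Suggest keeping the one-sentence summary here and linking to that section instead of repeating it.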
@@ -21,7 +21,8 @@ project repository is touched:
|
|
|
21
21
|
- The project can declare exactly one installation file: `.coding-agent/skills.json` or
|
|
22
22
|
`coding-agent.skills.json`.
|
|
23
23
|
- The adapter need is bounded to existing pilot skills: `repo-map`, `route-trace`,
|
|
24
|
-
`build-verify`, `git-preflight`, `runtime-truth`, or
|
|
24
|
+
`env-audit`, `build-verify`, `git-preflight`, `runtime-truth`, or
|
|
25
|
+
`llm-drift-control`.
|
|
25
26
|
- The adapter can narrow context with relative paths, documentation precedence, safe
|
|
26
27
|
aliases, status-only hints, or extra evidence requirements.
|
|
27
28
|
- The adapter does not require deployment, migration, package installation, Git
|
package/docs/release/README.md
CHANGED
|
@@ -19,8 +19,9 @@
|
|
|
19
19
|
13. Inspect tarball contents for local-only files, credentials, `.env` files, dependency
|
|
20
20
|
folders, generated output, and unrelated repositories.
|
|
21
21
|
14. Install the tarball into a temporary npm prefix and smoke-test the installed CLI.
|
|
22
|
-
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace`
|
|
23
|
-
synthetic fixtures only unless a real project
|
|
22
|
+
15. Smoke-test any new CLI command such as `coding-agent-skills route-trace` or
|
|
23
|
+
`coding-agent-skills env-audit` against synthetic fixtures only unless a real project
|
|
24
|
+
read-only smoke is explicitly approved.
|
|
24
25
|
16. Review changelog, ledger, run evidence, and versioning impact.
|
|
25
26
|
17. Commit with approved identity.
|
|
26
27
|
18. Push `main` using credential-free remotes.
|
|
@@ -7,7 +7,7 @@ safety model.
|
|
|
7
7
|
## Current Package Shape
|
|
8
8
|
|
|
9
9
|
- Package name: `coding-agent-skills`.
|
|
10
|
-
- Package version: `0.2.
|
|
10
|
+
- Package version: `0.2.10`.
|
|
11
11
|
- CLI bin: `coding-agent-skills` mapped to `bin/coding-agent-skills`.
|
|
12
12
|
- Module type: `module`.
|
|
13
13
|
- Dependencies: none.
|
|
@@ -28,6 +28,7 @@ coding-agent-skills validate-pack
|
|
|
28
28
|
coding-agent-skills validate-project /path/to/project
|
|
29
29
|
coding-agent-skills repo-map /path/to/project
|
|
30
30
|
coding-agent-skills route-trace /path/to/project
|
|
31
|
+
coding-agent-skills env-audit /path/to/project
|
|
31
32
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
32
33
|
```
|
|
33
34
|
|
|
@@ -39,7 +40,9 @@ npx coding-agent-skills validate-pack
|
|
|
39
40
|
|
|
40
41
|
Adapter compatibility remains controlled by the existing shared core and
|
|
41
42
|
project-adapter validators. `route-trace` is static and audit-only; it reports route
|
|
42
|
-
files and route declarations without executing the target project.
|
|
43
|
+
files and route declarations without executing the target project. `env-audit` is static
|
|
44
|
+
and audit-only; it reports environment variable names without reading `.env` files or
|
|
45
|
+
printing values.
|
|
43
46
|
|
|
44
47
|
`coding-agent-skills validate-pack` is package-aware. In a source checkout, it keeps
|
|
45
48
|
source-only checks such as `.gitignore` validation. In an installed package tree, where
|
package/docs/safety/README.md
CHANGED
|
@@ -2,12 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
## Audit-Only Rule
|
|
4
4
|
|
|
5
|
-
`repo-map`, `route-trace`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
5
|
+
`repo-map`, `route-trace`, `env-audit`, `git-preflight`, `runtime-truth`, and `llm-drift-control` must not alter project files, Git state, dependencies, processes, services, databases, remote systems, or deployment state.
|
|
6
6
|
|
|
7
7
|
`route-trace` is static only. It may read bounded non-secret route files and route
|
|
8
8
|
configuration, but it must not execute app code, run servers, hit URLs, claim runtime
|
|
9
9
|
truth, or broaden adapter scope when a project adapter is present.
|
|
10
10
|
|
|
11
|
+
`env-audit` is value-free. It may read bounded non-secret source, docs, sample, and config
|
|
12
|
+
files, including `.env.example`, but must not read `.env`, print values, validate
|
|
13
|
+
credentials, contact APIs, or inspect secret stores.
|
|
14
|
+
|
|
11
15
|
`build-verify` may run existing project-native validation commands. Build or test tools may create their normal local artifacts, but the skill must declare observed changes and must reject installation, fix modes, snapshot updates, deployment, migration, or unknown scripts.
|
|
12
16
|
|
|
13
17
|
## Restricted Categories
|
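Review bot: the new `env-audit` rule allows `.env.example` but forbids only `.env` by exact name, which leaves `.env.local`, `.env.production` and similar dotenv variants in an undefined middle between "sample" and "secret" even though they carry live values just as often. Suggest stating the boundary as a pattern, for example "must not read `.env` or any `.env.*` file other than `.env.example`", so that this safety doc and the renderer's exclusion list express the same rule.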
package/docs/testing/README.md
CHANGED
|
@@ -37,6 +37,13 @@ skipped paths, not-verified runtime route classes, and repo-map-only adapter ski
|
|
|
37
37
|
Route-trace tests must never run a target project, hit URLs, build, test, deploy, migrate,
|
|
38
38
|
or read `.env` files.
|
|
39
39
|
|
|
40
|
+
## Env Audit
|
|
41
|
+
|
|
42
|
+
Synthetic env-audit projects cover value-free variable-name detection, `.env` exclusion,
|
|
43
|
+
`.env.example` inspection, adapter-declared scope, and adapter-present-but-not-enabled
|
|
44
|
+
behavior. Env-audit tests must never print values, validate credentials, contact APIs,
|
|
45
|
+
run target projects, build, test, deploy, migrate, or read `.env` files.
|
|
46
|
+
|
|
40
47
|
## Privacy And Redaction
|
|
41
48
|
|
|
42
49
|
Sensitive shapes are stored as ordered synthetic parts and reconstructed only in memory. Tests verify type detection, redaction, and absence from reusable skill content without printing fixture values.
|
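Review bot: the Env Audit test list covers `.env` exclusion and `.env.example` inspection but includes no check that the rendered report is actually value-free; "must never print values" is stated as a rule for the tests rather than as a property they assert. The fixture at `tests/fixtures/env-audit/static-project/.env.example` is the natural place to plant a constructed value and assert that it never appears in the renderer output, and the Privacy And Redaction section below already describes that pattern for other fixtures. Suggest adding that negative assertion to the list.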
package/docs/usage/README.md
CHANGED
|
@@ -6,6 +6,7 @@ Select the least-privileged skill that matches the request:
|
|
|
6
6
|
|---|---|
|
|
7
7
|
| Understand repository identity and structure | `repo-map` |
|
|
8
8
|
| Trace statically visible route surfaces | `route-trace` |
|
|
9
|
+
| Map environment variable names without values | `env-audit` |
|
|
9
10
|
| Run existing local validation checks | `build-verify` |
|
|
10
11
|
| Assess Git handoff readiness | `git-preflight` |
|
|
11
12
|
| Determine what is actually running | `runtime-truth` |
|
|
@@ -15,11 +16,13 @@ Select the least-privileged skill that matches the request:
|
|
|
15
16
|
|
|
16
17
|
1. Use `repo-map` when repository identity or boundaries are not established.
|
|
17
18
|
2. Use `route-trace` when route files or declarations must be mapped from static files.
|
|
18
|
-
3.
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
19
|
+
3. Use `env-audit` when environment variable names or sample config references must be
|
|
20
|
+
mapped without reading values.
|
|
21
|
+
4. Perform implementation outside this pilot pack.
|
|
22
|
+
5. Use `build-verify` for approved project-native checks.
|
|
23
|
+
6. Use `git-preflight` before handoff or publication.
|
|
24
|
+
7. Use `runtime-truth` only when live local state matters.
|
|
25
|
+
8. Use `llm-drift-control` when claims and evidence may disagree.
|
|
23
26
|
|
|
24
27
|
Every skill emits an evidence pack. Read `status`, skipped checks, failures, confidence, and changed state before relying on a completion claim.
|
|
25
28
|
|
|
@@ -51,6 +54,7 @@ coding-agent-skills validate-pack
|
|
|
51
54
|
coding-agent-skills validate-project /path/to/project
|
|
52
55
|
coding-agent-skills repo-map /path/to/project
|
|
53
56
|
coding-agent-skills route-trace /path/to/project
|
|
57
|
+
coding-agent-skills env-audit /path/to/project
|
|
54
58
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
55
59
|
```
|
|
56
60
|
|
|
@@ -66,6 +70,10 @@ precedence, safe read paths, ignored paths, and required evidence.
|
|
|
66
70
|
`route-trace` validates a project adapter when present, uses adapter-declared safe paths
|
|
67
71
|
when enabled, and statically reports verified route files, inferred route declarations,
|
|
68
72
|
skipped items, and not-verified runtime-dependent route classes.
|
|
73
|
+
`env-audit` validates a project adapter when present, uses adapter-declared safe paths
|
|
74
|
+
when enabled, and statically reports environment variable names, classifications, sample
|
|
75
|
+
files inspected, skipped secret-bearing paths, and not-verified runtime or credential
|
|
76
|
+
stores without printing values.
|
|
69
77
|
|
|
70
78
|
The installed CLI does not run target project builds or tests, perform runtime checks,
|
|
71
79
|
deploy, migrate, mutate services or processes, or read `.env` files. Project adapters
|
|
@@ -80,6 +88,7 @@ bin/coding-agent-skills validate-pack
|
|
|
80
88
|
bin/coding-agent-skills validate-project /path/to/project
|
|
81
89
|
bin/coding-agent-skills repo-map /path/to/project
|
|
82
90
|
bin/coding-agent-skills route-trace /path/to/project
|
|
91
|
+
bin/coding-agent-skills env-audit /path/to/project
|
|
83
92
|
bin/coding-agent-skills validate-adapters /path/to/adapter-root
|
|
84
93
|
```
|
|
85
94
|
|
|
@@ -91,6 +100,7 @@ coding-agent-skills validate-pack
|
|
|
91
100
|
coding-agent-skills validate-project /path/to/project
|
|
92
101
|
coding-agent-skills repo-map /path/to/project
|
|
93
102
|
coding-agent-skills route-trace /path/to/project
|
|
103
|
+
coding-agent-skills env-audit /path/to/project
|
|
94
104
|
coding-agent-skills validate-adapters /path/to/adapter-root
|
|
95
105
|
```
|
|
96
106
|
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": "0.2.3",
|
|
3
|
+
"mode": "audit-only",
|
|
4
|
+
"parserPolicy": {
|
|
5
|
+
"inspectEverySegment": true,
|
|
6
|
+
"inspectScriptBodies": true,
|
|
7
|
+
"rejectUnknownExecutables": true,
|
|
8
|
+
"rejectShellWrappers": true,
|
|
9
|
+
"rejectHeredocs": true,
|
|
10
|
+
"rejectRedirection": true,
|
|
11
|
+
"providerSpecificNpx": true,
|
|
12
|
+
"authenticatedCurlRequiresApproval": true,
|
|
13
|
+
"boundedReadsRequired": true,
|
|
14
|
+
"allowedComposition": "read-only"
|
|
15
|
+
},
|
|
16
|
+
"allowedFamilies": [
|
|
17
|
+
{
|
|
18
|
+
"name": "bounded-env-name-inspection",
|
|
19
|
+
"executables": ["pwd", "ls", "rg", "find", "sed", "head"],
|
|
20
|
+
"argumentPolicy": {
|
|
21
|
+
"strategy": "pattern",
|
|
22
|
+
"allowedPatterns": ["bounded repository-local static env-name inspection"],
|
|
23
|
+
"deniedPatterns": ["secret files, values, absolute home paths, app execution, and unbounded traversal"]
|
|
24
|
+
},
|
|
25
|
+
"constraints": [
|
|
26
|
+
"Remain inside the declared project scope.",
|
|
27
|
+
"Bound traversal depth and output.",
|
|
28
|
+
"Exclude .env, secret-bearing, generated, dependency, build, and runtime-output paths.",
|
|
29
|
+
"Report variable names only, never values."
|
|
30
|
+
]
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"name": "git-identity-inspection",
|
|
34
|
+
"executables": ["git"],
|
|
35
|
+
"argumentPolicy": {
|
|
36
|
+
"strategy": "exact",
|
|
37
|
+
"allowedPatterns": ["rev-parse and status --short --branch"],
|
|
38
|
+
"deniedPatterns": ["all Git mutation and publication subcommands"]
|
|
39
|
+
},
|
|
40
|
+
"constraints": [
|
|
41
|
+
"Allow only read-only repository identity and branch-state inspection."
|
|
42
|
+
]
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
"name": "env-audit-renderer",
|
|
46
|
+
"executables": ["node", "coding-agent-skills"],
|
|
47
|
+
"argumentPolicy": {
|
|
48
|
+
"strategy": "exact",
|
|
49
|
+
"allowedPatterns": ["node scripts/render-env-audit.mjs <project-root>; coding-agent-skills env-audit <project-root>"],
|
|
50
|
+
"deniedPatterns": [".env reads, value printing, credential validation, API calls, builds, tests, deployment, migration, and package installation"]
|
|
51
|
+
},
|
|
52
|
+
"constraints": [
|
|
53
|
+
"The renderer must remain static and read-only.",
|
|
54
|
+
"Do not treat renderer output as credential presence or validity evidence."
|
|
55
|
+
]
|
|
56
|
+
}
|
|
57
|
+
],
|
|
58
|
+
"restrictedCategories": [
|
|
59
|
+
"file-write",
|
|
60
|
+
"package-install",
|
|
61
|
+
"deployment",
|
|
62
|
+
"git-mutation",
|
|
63
|
+
"unrestricted-scan",
|
|
64
|
+
"secret-read",
|
|
65
|
+
"process-mutation",
|
|
66
|
+
"service-mutation",
|
|
67
|
+
"migration-apply",
|
|
68
|
+
"privileged-api"
|
|
69
|
+
],
|
|
70
|
+
"approvalExceptions": [
|
|
71
|
+
"A named-file approval may permit one otherwise excluded non-mutating static read when the file is not secret-bearing."
|
|
72
|
+
]
|
|
73
|
+
}
|
|
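Review bot: the `bounded-env-name-inspection` family allows `sed`, `find`, `rg` and `head` under `"strategy": "pattern"`, yet both `allowedPatterns` ("bounded repository-local static env-name inspection") and `deniedPatterns` are prose descriptions rather than matchable patterns, so nothing in this policy can actually reject `sed -i`, `find -exec`, `find -delete` or `head .env`, each of which contradicts the `file-write` and `secret-read` restricted categories and the "Report variable names only, never values." constraint declared a few lines later. Suggest either dropping `sed` and `find` from an audit-only family or listing concrete denied argument patterns the parser can enforce, in the same spirit as the `exact` strategy the other two families use.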
@@ -0,0 +1,55 @@
|
|
|
1
|
+
{
|
|
2
|
+
"contractVersion": "1.0.0",
|
|
3
|
+
"skill": {"name": "env-audit", "version": "0.2.3"},
|
|
4
|
+
"invocation": {
|
|
5
|
+
"id": "example-env-audit",
|
|
6
|
+
"startedAt": "2026-07-03T10:00:00Z",
|
|
7
|
+
"endedAt": "2026-07-03T10:01:00Z"
|
|
8
|
+
},
|
|
9
|
+
"repository": {
|
|
10
|
+
"root": "/workspace/example-project",
|
|
11
|
+
"branch": "main",
|
|
12
|
+
"head": "0123456789abcdef",
|
|
13
|
+
"workingTreeState": "clean"
|
|
14
|
+
},
|
|
15
|
+
"userIntent": "Identify environment variable names before updating setup documentation.",
|
|
16
|
+
"declaredScope": ["/workspace/example-project"],
|
|
17
|
+
"projectAdapter": "example-env-adapter",
|
|
18
|
+
"environmentSummary": {"platform": "linux", "shell": "bash"},
|
|
19
|
+
"status": "complete",
|
|
20
|
+
"confidence": {
|
|
21
|
+
"level": "high",
|
|
22
|
+
"reason": "Static env references, sample files, skipped secret paths, and not-verified runtime stores were recorded without values."
|
|
23
|
+
},
|
|
24
|
+
"commands": [
|
|
25
|
+
{
|
|
26
|
+
"command": "coding-agent-skills env-audit /workspace/example-project",
|
|
27
|
+
"family": "env-audit-renderer",
|
|
28
|
+
"workingDirectory": "/workspace/example-project",
|
|
29
|
+
"startedAt": "2026-07-03T10:00:20Z",
|
|
30
|
+
"endedAt": "2026-07-03T10:00:21Z",
|
|
31
|
+
"exitStatus": 0,
|
|
32
|
+
"resultStatus": "success",
|
|
33
|
+
"safetyClass": "allowed",
|
|
34
|
+
"approvalReference": null,
|
|
35
|
+
"purpose": "Render a value-free static env audit report.",
|
|
36
|
+
"outputSummary": "Found env variable names and sample declarations without reading .env files or printing values."
|
|
37
|
+
}
|
|
38
|
+
],
|
|
39
|
+
"skippedChecks": [],
|
|
40
|
+
"findings": [
|
|
41
|
+
{
|
|
42
|
+
"summary": "Environment variable names were identified from static references and .env.example only.",
|
|
43
|
+
"evidence": ["src/config.ts", ".env.example"]
|
|
44
|
+
}
|
|
45
|
+
],
|
|
46
|
+
"risks": [],
|
|
47
|
+
"failures": [],
|
|
48
|
+
"unresolvedQuestions": [],
|
|
49
|
+
"changedState": {
|
|
50
|
+
"changed": false,
|
|
51
|
+
"summary": "No project, Git, dependency, runtime, service, or remote state changed."
|
|
52
|
+
},
|
|
53
|
+
"handoffSummary": "Environment variable names are mapped without values; runtime stores remain unverified.",
|
|
54
|
+
"recommendedNextAction": "Review the reported names before updating documentation."
|
|
55
|
+
}
|
|
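Review bot: `confidence.reason` says not-verified runtime stores "were recorded" and `handoffSummary` says "runtime stores remain unverified", but `skippedChecks` and `unresolvedQuestions` are both `[]`, so a consumer reading only the structured fields sees a clean, fully verified pack. Suggest recording the not-verified runtime and credential stores as an entry in `skippedChecks` (or `unresolvedQuestions`) so the example pack matches the contract its own prose describes.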
@@ -0,0 +1,14 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "env-audit",
|
|
3
|
+
"version": "0.2.3",
|
|
4
|
+
"mode": "audit-only",
|
|
5
|
+
"evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
|
|
6
|
+
"commandPolicy": "../command-policies/env-audit.json",
|
|
7
|
+
"adapterSchema": "../../schemas/project-adapter.schema.json",
|
|
8
|
+
"adapterCompatibility": {
|
|
9
|
+
"contractVersion": "1.0.0",
|
|
10
|
+
"compatibleAdapterVersions": ["1.0.0"]
|
|
11
|
+
},
|
|
12
|
+
"adapterInterface": "../../skills/env-audit/adapter-interface.md",
|
|
13
|
+
"description": "Identify environment variable names without reading values."
|
|
14
|
+
}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# Env Audit Workflow
|
|
2
|
+
|
|
3
|
+
Use `env-audit` before editing setup docs, config loaders, or handoff notes:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
coding-agent-skills env-audit /workspace/project
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
Review:
|
|
10
|
+
|
|
11
|
+
- names and classifications
|
|
12
|
+
- sample files inspected
|
|
13
|
+
- skipped secret-bearing paths
|
|
14
|
+
- runtime and credential stores not verified
|
|
15
|
+
|
|
16
|
+
Do not use the output as proof that values exist or credentials work.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "coding-agent-skills",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.10",
|
|
4
4
|
"description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"private": false,
|
|
@@ -10,6 +10,7 @@
|
|
|
10
10
|
"agent-skills",
|
|
11
11
|
"repo-map",
|
|
12
12
|
"route-trace",
|
|
13
|
+
"env-audit",
|
|
13
14
|
"project-adapters",
|
|
14
15
|
"code-validation",
|
|
15
16
|
"cli"
|
package/runs/skill-runs.md
CHANGED
|
@@ -186,4 +186,14 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
|
|
|
186
186
|
- Validation commands: `git diff --check`; `bin/coding-agent-skills validate-pack`; `bin/coding-agent-skills validate-adapters tests/fixtures/external-adapters/valid-basic`; `bin/coding-agent-skills validate-project /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills repo-map /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills route-trace tests/fixtures/route-trace/static-project`; `bin/coding-agent-skills route-trace /home/oneclickwebsitedesignfactory/tax-lien-platform`; `node scripts/validate-pack.mjs .`; `node scripts/test-pack.mjs`; `node scripts/validate-maintainer-loop.mjs .`; `node --test`; JSON parsing; package secret scan; npm publish dry-run; tarball install smoke.
|
|
187
187
|
- Validation result: pass pending final commit, tag, publication, registry smoke, npm exec, and GitHub Release evidence.
|
|
188
188
|
- Real project smoke: `/home/oneclickwebsitedesignfactory/tax-lien-platform` remained repo-map-only for adapters, so route-trace reported `partial` and did not read target project route files.
|
|
189
|
+
|
|
190
|
+
## implementation-v0.2.10-env-audit
|
|
191
|
+
|
|
192
|
+
- Run ID: `implementation-v0.2.10-env-audit`
|
|
193
|
+
- Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
|
|
194
|
+
- Command used: `builder-mode approval for env-audit-skill implementation and release`
|
|
195
|
+
- Files changed: `env-audit` skill, env-audit renderer and library, CLI wrapper, adapter schemas, pack rules, release tests, synthetic env fixtures, usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
|
|
196
|
+
- Safety boundary: read-only, static-analysis only, no `.env` reads, no value printing, no credential validation, no API calls, no builds, no tests in target projects, no deploys, no migrations, and no target-project mutation.
|
|
197
|
+
- Validation commands: pending final release validation matrix.
|
|
198
|
+
- Result: pass pending final publication evidence.
|
|
189
199
|
- Commit/tag/push status: pending approved release workflow.
|
|
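Review bot: the new `implementation-v0.2.10-env-audit` entry ships inside the published 0.2.10 package with `Validation commands: pending final release validation matrix` and `Result: pass pending final publication evidence`, so the run log records no validation at all for this release, whereas the preceding entry lists its full command matrix. `Command used` also holds an approval description ("builder-mode approval for env-audit-skill implementation and release") rather than a command. Suggest filling in the validation matrix before tagging and moving the approval reference to its own field so the entry is grep-able for what was actually run.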
@@ -66,6 +66,7 @@
|
|
|
66
66
|
"enum": [
|
|
67
67
|
"repo-map",
|
|
68
68
|
"route-trace",
|
|
69
|
+
"env-audit",
|
|
69
70
|
"build-verify",
|
|
70
71
|
"git-preflight",
|
|
71
72
|
"runtime-truth",
|
|
@@ -99,6 +100,7 @@
|
|
|
99
100
|
"enum": [
|
|
100
101
|
"repo-map",
|
|
101
102
|
"route-trace",
|
|
103
|
+
"env-audit",
|
|
102
104
|
"build-verify",
|
|
103
105
|
"git-preflight",
|
|
104
106
|
"runtime-truth",
|
|
@@ -90,6 +90,7 @@
|
|
|
90
90
|
"enum": [
|
|
91
91
|
"repo-map",
|
|
92
92
|
"route-trace",
|
|
93
|
+
"env-audit",
|
|
93
94
|
"build-verify",
|
|
94
95
|
"git-preflight",
|
|
95
96
|
"runtime-truth",
|
|
@@ -167,6 +168,7 @@
|
|
|
167
168
|
"enum": [
|
|
168
169
|
"repo-map",
|
|
169
170
|
"route-trace",
|
|
171
|
+
"env-audit",
|
|
170
172
|
"build-verify",
|
|
171
173
|
"git-preflight",
|
|
172
174
|
"runtime-truth",
|