coding-agent-skills 0.2.9 → 0.2.10
- package/CHANGELOG.md +19 -0
- package/README.md +2 -0
- package/ROADMAP.md +18 -15
- package/bin/coding-agent-skills +7 -0
- package/docs/adapters/README.md +17 -0
- package/docs/adapters/project-installation.md +11 -0
- package/docs/adapters/real-project-adoption.md +2 -1
- package/docs/architecture/README.md +1 -0
- package/docs/release/README.md +3 -2
- package/docs/release/npm-package.md +5 -2
- package/docs/safety/README.md +5 -1
- package/docs/testing/README.md +7 -0
- package/docs/usage/README.md +15 -5
- package/examples/command-policies/env-audit.json +73 -0
- package/examples/evidence-packs/env-audit.json +55 -0
- package/examples/manifests/env-audit.json +14 -0
- package/examples/workflows/env-audit.md +16 -0
- package/package.json +2 -1
- package/runs/skill-runs.md +10 -0
- package/schemas/project-adapter-installation.schema.json +2 -0
- package/schemas/project-adapter.schema.json +2 -0
- package/scripts/lib/env-audit.mjs +640 -0
- package/scripts/lib/pack-rules.mjs +11 -2
- package/scripts/render-env-audit.mjs +8 -0
- package/scripts/test-pack.mjs +71 -1
- package/scripts/validate-pack.mjs +5 -2
- package/skills/env-audit/SKILL.md +58 -0
- package/skills/env-audit/adapter-interface.md +12 -0
- package/skills/env-audit/agents/openai.yaml +4 -0
- package/skills/env-audit/checklist.md +7 -0
- package/skills/env-audit/evidence-template.md +17 -0
- package/skills/env-audit/examples.md +28 -0
- package/skills/env-audit/failure-modes.md +5 -0
- package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
- package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
- package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
- package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
- package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
- package/tests/fixtures/env-audit/static-project/.env.example +3 -0
- package/tests/fixtures/env-audit/static-project/README.md +3 -0
- package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
- package/tests/fixtures/env-audit/static-project/package.json +4 -0
- package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
- package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
- package/tests/fixtures/triggers/cases.json +13 -1
- package/tests/trigger/README.md +2 -0
- package/work-ledger.md +24 -11
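--- a/package/scripts/test-pack.mjs
+++ b/package/scripts/test-pack.mjs
@@ -47,6 +47,11 @@ import {
 renderRouteTraceReport,
 routeTraceCliResult,
 } from "./lib/route-trace.mjs";
+import {
+buildEnvAuditReport,
+envAuditCliResult,
+renderEnvAuditReport,
+} from "./lib/env-audit.mjs";
 import {
 adapterUpgradeCliResult,
 checkAdapterUpgrade,
@@ -262,6 +267,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 assert.ok(cliText.includes("scripts/validate-project-adapters.mjs"));
 assert.ok(cliText.includes("scripts/render-adapter-repo-map.mjs"));
 assert.ok(cliText.includes("scripts/render-route-trace.mjs"));
+assert.ok(cliText.includes("scripts/render-env-audit.mjs"));
 assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
 assert.ok(!cliText.includes(".env"));
 
@@ -287,6 +293,10 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 ["route-trace", path.join(fixtureRoot, "route-trace", "static-project")],
 /# Route Trace Report/,
 ],
+[
+["env-audit", path.join(fixtureRoot, "env-audit", "static-project")],
+/# Env Audit Report/,
+],
 ];
 
 for (const [args, expected] of commands) {
@@ -311,7 +321,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 test("npm package metadata is public-ready and dependency-free", () => {
 const packageJson = readJson("package.json");
 assert.equal(packageJson.name, "coding-agent-skills");
-assert.equal(packageJson.version, "0.2.
+assert.equal(packageJson.version, "0.2.10");
 assert.equal(
 packageJson.description,
 "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -324,6 +334,7 @@ test("npm package metadata is public-ready and dependency-free", () => {
 "agent-skills",
 "repo-map",
 "route-trace",
+"env-audit",
 "project-adapters",
 "code-validation",
 "cli",
@@ -451,6 +462,65 @@ test("route-trace does not broaden a repo-map-only project adapter", () => {
 assert.match(renderRouteTraceReport(result), /route-trace is not enabled/);
 });
 
+test("env-audit identifies variable names without reading .env values", () => {
+const temporary = fs.mkdtempSync(path.join(os.tmpdir(), "env-audit-fixture-"));
+fs.cpSync(path.join(root, "tests", "fixtures", "env-audit", "static-project"), temporary, {
+recursive: true,
+});
+fs.writeFileSync(path.join(temporary, ".env"), "SHOULD_NOT_BE_READ=synthetic-fixture-value\n");
+
+const result = buildEnvAuditReport(
+temporary,
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.ok(result.filesScanned.includes(".env.example"));
+assert.ok(!result.filesScanned.includes(".env"));
+assert.ok(result.skipped.some((item) => item.path === ".env"));
+const names = result.variables.map((variable) => variable.name);
+assert.ok(names.includes("DATABASE_URL"));
+assert.ok(names.includes("NEXT_PUBLIC_APP_URL"));
+assert.ok(names.includes("PORT"));
+assert.ok(names.includes("SERVICE_TOKEN"));
+assert.ok(names.includes("DENO_REGION"));
+const rendered = renderEnvAuditReport(result);
+assert.match(rendered, /DATABASE_URL/);
+assert.doesNotMatch(rendered, /synthetic-fixture-value/);
+});
+
+test("env-audit respects adapter-declared scope", () => {
+const result = buildEnvAuditReport(
+path.join(root, "tests", "fixtures", "env-audit", "adapter-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.deepEqual(result.scopePaths, ["src"]);
+assert.deepEqual(result.filesScanned, ["src/config.ts"]);
+assert.ok(result.variables.some((variable) => variable.name === "ADAPTER_ONLY_VALUE"));
+assert.ok(result.warnings.includes("env-audit used adapter-declared safe read paths only"));
+const cli = envAuditCliResult(
+path.join(root, "tests", "fixtures", "env-audit", "adapter-project"),
+{ coreRoot: root },
+);
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /Env-audit enabled: yes/);
+});
+
+test("env-audit does not broaden a repo-map-only project adapter", () => {
+const result = buildEnvAuditReport(
+path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "partial");
+assert.equal(result.filesScanned.length, 0);
+assert.equal(result.variables.length, 0);
+assert.match(renderEnvAuditReport(result), /env-audit is not enabled/);
+});
+
 test("validate-pack accepts installed package trees without source-only gitignore", () => {
 const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
 const installedRoot = path.join(temporaryRoot, "coding-agent-skills");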
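Review bot: The directory created by `fs.mkdtempSync` in the new test `env-audit identifies variable names without reading .env values` is never removed, so every run leaves a fixture copy plus the synthetic `.env` file behind in the OS temp directory, and a failing assertion would skip any cleanup added later in the body. Wrapping everything after the `fs.writeFileSync` call in `try { … } finally { fs.rmSync(temporary, { recursive: true, force: true }); }` keeps the test hermetic. The value-free guarantee is only asserted on the rendered text; adding `assert.doesNotMatch(JSON.stringify(result), /synthetic-fixture-value/);` beside the existing `doesNotMatch` would also pin that the value never reaches the structured report (for example through `skipped` entries or file references), which is presumably what other consumers read. The `validate-pack accepts installed package trees…` test that closes the hunk continues past its end.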
@@ -96,12 +96,14 @@ const requiredRootFiles = [
|
|
|
96
96
|
"scripts/render-evidence-archive-report.mjs",
|
|
97
97
|
"scripts/render-adapter-repo-map.mjs",
|
|
98
98
|
"scripts/render-route-trace.mjs",
|
|
99
|
+
"scripts/render-env-audit.mjs",
|
|
99
100
|
"scripts/check-adapter-upgrade.mjs",
|
|
100
101
|
"scripts/check-adapter-upgrade-chain.mjs",
|
|
101
102
|
"scripts/validate-adapters.mjs",
|
|
102
103
|
"scripts/validate-project-adapters.mjs",
|
|
103
104
|
"scripts/lib/adapter-repo-map.mjs",
|
|
104
105
|
"scripts/lib/route-trace.mjs",
|
|
106
|
+
"scripts/lib/env-audit.mjs",
|
|
105
107
|
"scripts/lib/adapter-upgrade.mjs",
|
|
106
108
|
"scripts/lib/adapter-upgrade-chain.mjs",
|
|
107
109
|
"scripts/lib/adapter-discovery.mjs",
|
|
@@ -675,8 +677,8 @@ if (packageJson) {
|
|
|
675
677
|
if (packageJson.name !== "coding-agent-skills") {
|
|
676
678
|
failures.push("package.json has unexpected package name");
|
|
677
679
|
}
|
|
678
|
-
if (packageJson.version !== "0.2.
|
|
679
|
-
failures.push("package.json version must be 0.2.
|
|
680
|
+
if (packageJson.version !== "0.2.10") {
|
|
681
|
+
failures.push("package.json version must be 0.2.10 for public package validation");
|
|
680
682
|
}
|
|
681
683
|
if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
|
|
682
684
|
if (packageJson.private !== false) {
|
|
@@ -695,6 +697,7 @@ if (packageJson) {
|
|
|
695
697
|
"agent-skills",
|
|
696
698
|
"repo-map",
|
|
697
699
|
"route-trace",
|
|
700
|
+
"env-audit",
|
|
698
701
|
"project-adapters",
|
|
699
702
|
"code-validation",
|
|
700
703
|
"cli",
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: env-audit
|
|
3
|
+
description: Identify environment variable names and configuration requirements from static files without reading .env files or printing values. Use when Codex must map required, optional, sample, or inferred environment names before implementation, deployment planning, or handoff; do not use for secret validation, credential testing, API calls, runtime checks, builds, tests, deployments, migrations, or secret-file reads.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Env Audit
|
|
7
|
+
|
|
8
|
+
Identify environment variable names from bounded static evidence and emit a value-free report. Remain audit-only and fail closed when evidence would require secret files, runtime state, or credential validation.
|
|
9
|
+
|
|
10
|
+
This skill must not change project files, Git state, dependencies, runtime state, services,
|
|
11
|
+
databases, remotes, or deployment state.
|
|
12
|
+
|
|
13
|
+
## Purpose And Use
|
|
14
|
+
|
|
15
|
+
Use this skill to map statically visible environment variable names, sample declarations, and configuration references before changing code, documenting setup, or preparing handoff. It can classify names as sample, required, optional, or inferred, but it must not claim that any value exists or works.
|
|
16
|
+
|
|
17
|
+
Do not use this skill for secret auditing, credential validation, live service checks, runtime truth claims, deployment readiness, migrations, builds, tests, or package installation.
|
|
18
|
+
|
|
19
|
+
## Inputs
|
|
20
|
+
|
|
21
|
+
Require a project root or starting path. Optionally accept a project adapter, intended config area, maximum static scan depth, or named framework/config family to prioritize.
|
|
22
|
+
|
|
23
|
+
Do not assume `.env` files may be read, variable values are safe, documented names are complete, sample files are current, runtime-injected variables are visible, or an adapter covers every configuration surface.
|
|
24
|
+
|
|
25
|
+
## Procedure
|
|
26
|
+
|
|
27
|
+
1. Record user intent, project root, declared scope, adapter state, and safety boundary.
|
|
28
|
+
2. Validate a project adapter when present before reading adapter-declared metadata.
|
|
29
|
+
3. If an adapter is present but does not enable `env-audit`, stop static file reading and report the adapter-limited skip.
|
|
30
|
+
4. Build the scan scope from adapter safe read paths when available; otherwise use a bounded generic static scan.
|
|
31
|
+
5. Exclude `.env`, `.env.*` except `.env.example`, secret-bearing paths, generated paths, dependency paths, and oversized files before reading.
|
|
32
|
+
6. Extract environment variable names from safe static patterns such as `process.env.NAME`, `import.meta.env.NAME`, `Deno.env.get("NAME")`, `env("NAME")`, docs, and `.env.example` declarations.
|
|
33
|
+
7. Never print values, line contents, tokens, credentials, or raw secret-like matches.
|
|
34
|
+
8. Label every finding as sample, required, optional, inferred, skipped, or not verified.
|
|
35
|
+
9. Report skipped files, unverified runtime/secret-store areas, branch state warnings, and safety refusals.
|
|
36
|
+
10. Emit the shared evidence pack or env-audit report before claiming completion.
|
|
37
|
+
|
|
38
|
+
Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md), [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings with [evidence-template.md](evidence-template.md).
|
|
39
|
+
|
|
40
|
+
## Evidence, Recovery, And Dependencies
|
|
41
|
+
|
|
42
|
+
Emit repository identity, adapter state, scan scope, ignored paths, variable names, classifications, file references, sample files inspected, skipped items, not-verified areas, warnings, and changed-state declaration through the shared evidence-pack contract.
|
|
43
|
+
|
|
44
|
+
Recover from missing adapters, unreadable files, ambiguous variable names, or secret-bearing paths by narrowing scope and reporting uncertainty. Never recover by reading `.env`, printing values, validating credentials, contacting APIs, installing dependencies, running builds/tests, broadening adapter scope, or mutating files.
|
|
45
|
+
|
|
46
|
+
This skill depends on the evidence-pack contract and may consume validated project adapters. Adapters may add safe paths, ignored paths, documentation precedence, and evidence requirements, but cannot weaken policy or turn this skill into credential validation.
|
|
47
|
+
|
|
48
|
+
## Approval Boundary
|
|
49
|
+
|
|
50
|
+
Explicit approval may permit one named non-secret static file read outside normal config paths. Approval does not permit `.env` or secret-file reads, value printing, credential validation, API calls, builds, tests, package installation, runtime checks, deployments, migrations, Git mutation, or project writes.
|
|
51
|
+
|
|
52
|
+
## Completion
|
|
53
|
+
|
|
54
|
+
Claim `complete` only when the declared static scan scope was inspected, variable names are reported without values, skipped and not-verified areas are recorded with consequences, adapter limitations are explicit, and no project, Git, dependency, runtime, service, or remote state changed.
|
|
55
|
+
|
|
56
|
+
Report `partial`, `failed`, or `blocked` when adapter scope prevents env scanning, requested evidence requires secret files or runtime state, the project root cannot be established, or safety exclusions prevent a requested conclusion. Never claim credential presence or validity from static findings.
|
|
57
|
+
|
|
58
|
+
These conditions are both the acceptance criteria and definition of done.
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
Adapters may enable `env-audit` by declaring the skill ID with unchanged `audit-only`
|
|
2
|
+
mode and compatible version `0.2.3` or `0.2.x`.
|
|
3
|
+
|
|
4
|
+
Useful extension fields:
|
|
5
|
+
|
|
6
|
+
- `safeReadPaths`: source, docs, sample, and config paths that may contain env names.
|
|
7
|
+
- `ignoredPaths`: generated, dependency, runtime-output, and secret-bearing paths to skip.
|
|
8
|
+
- `documentationPrecedence`: docs that may explain required or optional env names.
|
|
9
|
+
- `requiredEvidence`: evidence the report must include before completion.
|
|
10
|
+
|
|
11
|
+
Adapters must not add `.env`, `.env.*` except `.env.example`, credentials, secret stores,
|
|
12
|
+
runtime checks, API calls, builds, tests, deployments, migrations, or project writes.
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
interface:
|
|
2
|
+
display_name: "Env Audit"
|
|
3
|
+
short_description: "Map env variable names without reading values"
|
|
4
|
+
default_prompt: "Audit the statically visible environment variable names in this repository without changing project state. Do not read .env files or print values."
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
- Confirm project root, branch state, and adapter state.
|
|
2
|
+
- Validate adapter before consuming any adapter-declared paths.
|
|
3
|
+
- Refuse `.env`, `.env.*` except `.env.example`, secret-bearing paths, and generated outputs.
|
|
4
|
+
- Scan only bounded static source, docs, sample, and config files.
|
|
5
|
+
- Record variable names, classifications, and file references without values.
|
|
6
|
+
- Record skipped files and runtime/secret-store areas that were not verified.
|
|
7
|
+
- Confirm no files, dependencies, runtime state, services, remotes, or databases changed.
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
## Env Audit Evidence
|
|
2
|
+
|
|
3
|
+
- Repository root:
|
|
4
|
+
- Branch state:
|
|
5
|
+
- Adapter state:
|
|
6
|
+
- Scan scope:
|
|
7
|
+
- Ignored paths:
|
|
8
|
+
- Static files scanned:
|
|
9
|
+
- Sample files inspected:
|
|
10
|
+
- Variable names found:
|
|
11
|
+
- Required names:
|
|
12
|
+
- Optional names:
|
|
13
|
+
- Inferred names:
|
|
14
|
+
- Skipped items:
|
|
15
|
+
- Not verified:
|
|
16
|
+
- Safety refusals:
|
|
17
|
+
- Changed state: none
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
## Safe
|
|
2
|
+
|
|
3
|
+
```bash
|
|
4
|
+
coding-agent-skills env-audit /workspace/app
|
|
5
|
+
```
|
|
6
|
+
|
|
7
|
+
Produces a value-free list of names such as `DATABASE_URL`, `NEXT_PUBLIC_API_URL`, and
|
|
8
|
+
`PORT`, with file references and classifications.
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
node scripts/render-env-audit.mjs tests/fixtures/env-audit/static-project
|
|
12
|
+
```
|
|
13
|
+
|
|
14
|
+
Runs the synthetic fixture scanner without reading `.env` files or contacting services.
|
|
15
|
+
|
|
16
|
+
## Unsafe
|
|
17
|
+
|
|
18
|
+
```bash
|
|
19
|
+
cat .env
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
Secret-file reads are forbidden.
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npm run dev
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Runtime checks are outside this skill.
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
- **Adapter not enabled:** report `partial` and do not broaden target-project scanning.
|
|
2
|
+
- **Secret-bearing path requested:** skip the file and record the safety exclusion.
|
|
3
|
+
- **Dynamic variable names:** report as not verified instead of guessing.
|
|
4
|
+
- **Large or unreadable files:** skip with consequence and continue bounded scanning.
|
|
5
|
+
- **Credential validation requested:** refuse and explain that only names are in scope.
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
{
|
|
2
|
+
"adapterId": "env-audit-fixture",
|
|
3
|
+
"adapterVersion": "1.0.0",
|
|
4
|
+
"project": {
|
|
5
|
+
"id": "env-audit-fixture",
|
|
6
|
+
"detection": {
|
|
7
|
+
"rootMarkers": [
|
|
8
|
+
{"kind": "file", "path": "package.json"},
|
|
9
|
+
{"kind": "file", "path": "README.md"}
|
|
10
|
+
],
|
|
11
|
+
"maximumDepth": 1,
|
|
12
|
+
"scope": "declared-project-root",
|
|
13
|
+
"requireApprovalOutsideScope": true
|
|
14
|
+
}
|
|
15
|
+
},
|
|
16
|
+
"supportedSkills": [
|
|
17
|
+
{
|
|
18
|
+
"id": "env-audit",
|
|
19
|
+
"compatibleVersions": ["0.2.3", "0.2.x"],
|
|
20
|
+
"declaredMode": "audit-only"
|
|
21
|
+
}
|
|
22
|
+
],
|
|
23
|
+
"extensions": {
|
|
24
|
+
"safeReadPaths": ["src"],
|
|
25
|
+
"ignoredPaths": ["dist", "build"],
|
|
26
|
+
"documentationPrecedence": ["README.md"],
|
|
27
|
+
"commandAliases": [],
|
|
28
|
+
"safeStatusCommands": [],
|
|
29
|
+
"requiredEvidence": ["project root", "adapter scope", "env names", "skipped secret paths"],
|
|
30
|
+
"expectedRuntimeManagers": [],
|
|
31
|
+
"expectedPackageManagers": ["npm"]
|
|
32
|
+
},
|
|
33
|
+
"approvalRequirements": [],
|
|
34
|
+
"inheritance": {
|
|
35
|
+
"sharedRestrictions": "required",
|
|
36
|
+
"deniedOperationCategories": [
|
|
37
|
+
"file-write",
|
|
38
|
+
"package-install",
|
|
39
|
+
"deployment",
|
|
40
|
+
"git-mutation",
|
|
41
|
+
"unrestricted-scan",
|
|
42
|
+
"secret-read",
|
|
43
|
+
"process-mutation",
|
|
44
|
+
"service-mutation",
|
|
45
|
+
"migration-apply",
|
|
46
|
+
"privileged-api"
|
|
47
|
+
],
|
|
48
|
+
"allowRestrictionRemoval": false,
|
|
49
|
+
"allowModeOverride": false,
|
|
50
|
+
"allowFailureSuppression": false,
|
|
51
|
+
"allowCompletionOverride": false,
|
|
52
|
+
"allowSecretExposure": false,
|
|
53
|
+
"allowRequiredEvidenceRemoval": false,
|
|
54
|
+
"allowScopeExpansionWithoutApproval": false
|
|
55
|
+
}
|
|
56
|
+
}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
{
|
|
2
|
+
"declarationVersion": "1.0.0",
|
|
3
|
+
"projectId": "env-audit-fixture",
|
|
4
|
+
"adapterRoot": ".coding-agent/adapters",
|
|
5
|
+
"adapterSchemaVersion": "1.0.0",
|
|
6
|
+
"core": {
|
|
7
|
+
"id": "coding-agent-skills",
|
|
8
|
+
"expectedVersion": "0.2.3",
|
|
9
|
+
"versionPin": ">=0.2.3 <0.3.0"
|
|
10
|
+
},
|
|
11
|
+
"compatibleSkillIds": ["env-audit"],
|
|
12
|
+
"adapters": [
|
|
13
|
+
{
|
|
14
|
+
"id": "env-audit-fixture",
|
|
15
|
+
"version": "1.0.0",
|
|
16
|
+
"skillIds": ["env-audit"]
|
|
17
|
+
}
|
|
18
|
+
],
|
|
19
|
+
"validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
|
|
20
|
+
"evidenceOutput": "validation-output/project-adapters.json",
|
|
21
|
+
"approvalPolicyReference": "docs/coding-agent-approval-policy.md",
|
|
22
|
+
"noSecrets": true
|
|
23
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export const denoValue = Deno.env.get("DENO_REGION");
|
|
@@ -31,6 +31,18 @@
|
|
|
31
31
|
"expectedSkill": "route-trace",
|
|
32
32
|
"notSkills": ["build-verify", "runtime-truth"]
|
|
33
33
|
},
|
|
34
|
+
{
|
|
35
|
+
"id": "env-audit-process-env",
|
|
36
|
+
"prompt": "Audit process.env and import.meta.env references without reading .env files.",
|
|
37
|
+
"expectedSkill": "env-audit",
|
|
38
|
+
"notSkills": ["secret-audit", "runtime-truth"]
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
"id": "env-audit-setup-docs",
|
|
42
|
+
"prompt": "Identify environment variables and configuration requirements from static docs and .env.example only.",
|
|
43
|
+
"expectedSkill": "env-audit",
|
|
44
|
+
"notSkills": ["build-verify", "deployment-preflight"]
|
|
45
|
+
},
|
|
34
46
|
{
|
|
35
47
|
"id": "build-after-implementation",
|
|
36
48
|
"prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
|
|
@@ -83,7 +95,7 @@
|
|
|
83
95
|
"id": "negative-deploy",
|
|
84
96
|
"prompt": "Deploy this application to production.",
|
|
85
97
|
"expectedSkill": null,
|
|
86
|
-
"notSkills": ["repo-map", "route-trace", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
|
|
98
|
+
"notSkills": ["repo-map", "route-trace", "env-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
|
|
87
99
|
},
|
|
88
100
|
{
|
|
89
101
|
"id": "negative-install",
|
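--- a/package/tests/trigger/README.md
+++ b/package/tests/trigger/README.md
@@ -4,6 +4,8 @@
 
 - Repository orientation must trigger `repo-map`, not build or runtime validation.
 - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
+- Value-free environment variable mapping must trigger `env-audit`, not runtime truth or
+secret-value inspection.
 - Local validation must trigger `build-verify` only when project-native checks are requested.
 - Git readiness must trigger `git-preflight`, not publication.
 - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.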
package/work-ledger.md
CHANGED
|
@@ -4,26 +4,29 @@
|
|
|
4
4
|
|
|
5
5
|
- Repository: `coding-agent-skills`
|
|
6
6
|
- Branch: `main`
|
|
7
|
-
- Pilot skills: `repo-map`, `route-trace`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
|
|
7
|
+
- Pilot skills: `repo-map`, `route-trace`, `env-audit`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
|
|
8
8
|
- Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
|
|
9
9
|
- Real-project adapter adoption readiness is documented as a planning-only approval gate.
|
|
10
10
|
- First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
|
|
11
11
|
- The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
|
|
12
12
|
- The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
|
|
13
|
-
- Public npm package release `v0.2.
|
|
13
|
+
- Public npm package release `v0.2.10` exposes the dependency-free
|
|
14
14
|
`coding-agent-skills` CLI under MIT license.
|
|
15
|
-
- `route-trace` is implemented as an audit-only static route tracing skill.
|
|
16
|
-
|
|
15
|
+
- `route-trace` is implemented as an audit-only static route tracing skill.
|
|
16
|
+
- `env-audit` is implemented as an audit-only value-free environment variable name mapping
|
|
17
|
+
skill.
|
|
18
|
+
- Builder-mode approval: complete the remaining read-only skill wave for
|
|
19
|
+
`coding-agent-skills` itself. Real-world project execution constraints remain unchanged.
|
|
17
20
|
|
|
18
21
|
## Last Completed Version
|
|
19
22
|
|
|
20
|
-
`v0.2.
|
|
23
|
+
`v0.2.10`
|
|
21
24
|
|
|
22
25
|
## Current Recommended Milestone
|
|
23
26
|
|
|
24
|
-
The `
|
|
25
|
-
|
|
26
|
-
|
|
27
|
+
The `env-audit` public npm release is in progress under builder-mode approval. Continue the
|
|
28
|
+
remaining read-only skill wave one release at a time unless a real safety, validation,
|
|
29
|
+
publication, or authentication boundary appears.
|
|
27
30
|
|
|
28
31
|
## Allowed Next Actions
|
|
29
32
|
|
|
@@ -41,7 +44,7 @@ signing infrastructure, or evidence-harness milestone is approved.
|
|
|
41
44
|
|
|
42
45
|
## Blocked Actions
|
|
43
46
|
|
|
44
|
-
- Adding
|
|
47
|
+
- Adding skills outside the approved builder-mode read-only wave.
|
|
45
48
|
- Creating real project adapters.
|
|
46
49
|
- Modifying real project repositories.
|
|
47
50
|
- Publishing release artifacts without explicit approval.
|
|
@@ -73,14 +76,15 @@ signing infrastructure, or evidence-harness milestone is approved.
|
|
|
73
76
|
- Implementing the next evidence-retention or provenance milestone.
|
|
74
77
|
- Selecting a real project adapter candidate.
|
|
75
78
|
- Gathering evidence from a real project repository.
|
|
76
|
-
- Creating, changing, or removing skills.
|
|
79
|
+
- Creating, changing, or removing skills outside the approved builder-mode read-only wave.
|
|
77
80
|
- Adding real project adapters.
|
|
78
81
|
- Expanding the adopted `tax-lien-platform` adapter beyond `repo-map`.
|
|
79
82
|
- Enabling candidate repo package scripts, build verification, runtime checks, or command aliases.
|
|
80
83
|
- Allowing or bypassing project Git hooks during future adapter publication.
|
|
81
84
|
- Touching real project repositories.
|
|
82
85
|
- Changing release publication behavior.
|
|
83
|
-
- Publishing a new npm version
|
|
86
|
+
- Publishing a new npm version outside the approved builder-mode read-only wave or another
|
|
87
|
+
explicitly approved release.
|
|
84
88
|
- Commit, tag, or push operations.
|
|
85
89
|
- Any action not listed in the allowed next actions above.
|
|
86
90
|
|
|
@@ -94,6 +98,15 @@ No next runner command is currently queued.
|
|
|
94
98
|
|
|
95
99
|
No autonomous maintainer-loop run has been recorded yet.
|
|
96
100
|
|
|
101
|
+
### 2026-07-03T10:00:00Z
|
|
102
|
+
|
|
103
|
+
- Latest tag observed: `v0.2.9`
|
|
104
|
+
- Implemented milestone: `env-audit` audit-only environment variable name mapping skill and CLI command.
|
|
105
|
+
- Required permission: `builder-mode-skill-implementation`
|
|
106
|
+
- Validation result: pass pending final publication evidence
|
|
107
|
+
- Next recommended milestone: continue builder-mode wave with `secret-audit-skill` after
|
|
108
|
+
`v0.2.10` publication completes.
|
|
109
|
+
|
|
97
110
|
|
|
98
111
|
### 2026-06-19T00:00:00Z
|
|
99
112
|
|