coding-agent-skills 0.2.9 → 0.2.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/CHANGELOG.md +19 -0
  2. package/README.md +2 -0
  3. package/ROADMAP.md +18 -15
  4. package/bin/coding-agent-skills +7 -0
  5. package/docs/adapters/README.md +17 -0
  6. package/docs/adapters/project-installation.md +11 -0
  7. package/docs/adapters/real-project-adoption.md +2 -1
  8. package/docs/architecture/README.md +1 -0
  9. package/docs/release/README.md +3 -2
  10. package/docs/release/npm-package.md +5 -2
  11. package/docs/safety/README.md +5 -1
  12. package/docs/testing/README.md +7 -0
  13. package/docs/usage/README.md +15 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/evidence-packs/env-audit.json +55 -0
  16. package/examples/manifests/env-audit.json +14 -0
  17. package/examples/workflows/env-audit.md +16 -0
  18. package/package.json +2 -1
  19. package/runs/skill-runs.md +10 -0
  20. package/schemas/project-adapter-installation.schema.json +2 -0
  21. package/schemas/project-adapter.schema.json +2 -0
  22. package/scripts/lib/env-audit.mjs +640 -0
  23. package/scripts/lib/pack-rules.mjs +11 -2
  24. package/scripts/render-env-audit.mjs +8 -0
  25. package/scripts/test-pack.mjs +71 -1
  26. package/scripts/validate-pack.mjs +5 -2
  27. package/skills/env-audit/SKILL.md +58 -0
  28. package/skills/env-audit/adapter-interface.md +12 -0
  29. package/skills/env-audit/agents/openai.yaml +4 -0
  30. package/skills/env-audit/checklist.md +7 -0
  31. package/skills/env-audit/evidence-template.md +17 -0
  32. package/skills/env-audit/examples.md +28 -0
  33. package/skills/env-audit/failure-modes.md +5 -0
  34. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  35. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  36. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  37. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  38. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  39. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  40. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  41. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  42. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  43. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  44. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  45. package/tests/fixtures/triggers/cases.json +13 -1
  46. package/tests/trigger/README.md +2 -0
  47. package/work-ledger.md +24 -11
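--- a/package/scripts/test-pack.mjs
+++ b/package/scripts/test-pack.mjs
@@ -47,6 +47,11 @@ import {
 renderRouteTraceReport,
 routeTraceCliResult,
 } from "./lib/route-trace.mjs";
+import {
+buildEnvAuditReport,
+envAuditCliResult,
+renderEnvAuditReport,
+} from "./lib/env-audit.mjs";
 import {
 adapterUpgradeCliResult,
 checkAdapterUpgrade,
@@ -262,6 +267,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 assert.ok(cliText.includes("scripts/validate-project-adapters.mjs"));
 assert.ok(cliText.includes("scripts/render-adapter-repo-map.mjs"));
 assert.ok(cliText.includes("scripts/render-route-trace.mjs"));
+assert.ok(cliText.includes("scripts/render-env-audit.mjs"));
 assert.ok(cliText.includes("scripts/validate-adapters.mjs"));
 assert.ok(!cliText.includes(".env"));
 
@@ -287,6 +293,10 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 ["route-trace", path.join(fixtureRoot, "route-trace", "static-project")],
 /# Route Trace Report/,
 ],
+[
+["env-audit", path.join(fixtureRoot, "env-audit", "static-project")],
+/# Env Audit Report/,
+],
 ];
 
 for (const [args, expected] of commands) {
@@ -311,7 +321,7 @@ test("local CLI maps approved commands to existing safe scripts", () => {
 test("npm package metadata is public-ready and dependency-free", () => {
 const packageJson = readJson("package.json");
 assert.equal(packageJson.name, "coding-agent-skills");
-assert.equal(packageJson.version, "0.2.9");
+assert.equal(packageJson.version, "0.2.10");
 assert.equal(
 packageJson.description,
 "Evidence-first, read-only coding-agent skills and project adapter tooling.",
@@ -324,6 +334,7 @@ test("npm package metadata is public-ready and dependency-free", () => {
 "agent-skills",
 "repo-map",
 "route-trace",
+"env-audit",
 "project-adapters",
 "code-validation",
 "cli",
@@ -451,6 +462,65 @@ test("route-trace does not broaden a repo-map-only project adapter", () => {
 assert.match(renderRouteTraceReport(result), /route-trace is not enabled/);
 });
 
+test("env-audit identifies variable names without reading .env values", () => {
+const temporary = fs.mkdtempSync(path.join(os.tmpdir(), "env-audit-fixture-"));
+fs.cpSync(path.join(root, "tests", "fixtures", "env-audit", "static-project"), temporary, {
+recursive: true,
+});
+fs.writeFileSync(path.join(temporary, ".env"), "SHOULD_NOT_BE_READ=synthetic-fixture-value\n");
+
+const result = buildEnvAuditReport(
+temporary,
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.ok(result.filesScanned.includes(".env.example"));
+assert.ok(!result.filesScanned.includes(".env"));
+assert.ok(result.skipped.some((item) => item.path === ".env"));
+const names = result.variables.map((variable) => variable.name);
+assert.ok(names.includes("DATABASE_URL"));
+assert.ok(names.includes("NEXT_PUBLIC_APP_URL"));
+assert.ok(names.includes("PORT"));
+assert.ok(names.includes("SERVICE_TOKEN"));
+assert.ok(names.includes("DENO_REGION"));
+const rendered = renderEnvAuditReport(result);
+assert.match(rendered, /DATABASE_URL/);
+assert.doesNotMatch(rendered, /synthetic-fixture-value/);
+});
+
+test("env-audit respects adapter-declared scope", () => {
+const result = buildEnvAuditReport(
+path.join(root, "tests", "fixtures", "env-audit", "adapter-project"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "complete");
+assert.equal(result.adapter.enabled, true);
+assert.deepEqual(result.scopePaths, ["src"]);
+assert.deepEqual(result.filesScanned, ["src/config.ts"]);
+assert.ok(result.variables.some((variable) => variable.name === "ADAPTER_ONLY_VALUE"));
+assert.ok(result.warnings.includes("env-audit used adapter-declared safe read paths only"));
+const cli = envAuditCliResult(
+path.join(root, "tests", "fixtures", "env-audit", "adapter-project"),
+{ coreRoot: root },
+);
+assert.equal(cli.exitCode, 0);
+assert.match(cli.lines.join("\n"), /Env-audit enabled: yes/);
+});
+
+test("env-audit does not broaden a repo-map-only project adapter", () => {
+const result = buildEnvAuditReport(
+path.join(root, "tests", "fixtures", "project-adapter-installation", "valid-exact-pin"),
+{ coreRoot: root },
+);
+
+assert.equal(result.status, "partial");
+assert.equal(result.filesScanned.length, 0);
+assert.equal(result.variables.length, 0);
+assert.match(renderEnvAuditReport(result), /env-audit is not enabled/);
+});
+
 test("validate-pack accepts installed package trees without source-only gitignore", () => {
 const temporaryRoot = fs.mkdtempSync(path.join(os.tmpdir(), "installed-package-"));
 const installedRoot = path.join(temporaryRoot, "coding-agent-skills");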
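Review bot: The temporary directory created by `fs.mkdtempSync` in the "env-audit identifies variable names without reading .env values" test is never removed, and because the test writes a synthetic `.env` into it, every run leaves a secret-file-shaped artifact in the OS temp directory. Wrap the body in `try { … } finally { fs.rmSync(temporary, { recursive: true, force: true }); }` so the fixture is cleaned up even when an assertion fails. The value-leak assertion is also narrower than the test name suggests: only the rendered text is checked for `synthetic-fixture-value`, while the structured `result` (including `result.skipped` entries, whose shape is not visible here) could still carry the value into an evidence pack, so `assert.doesNotMatch(JSON.stringify(result), /synthetic-fixture-value/);` would close that gap. Whether the pre-existing "validate-pack accepts installed package trees" test cleans up its own temp directory cannot be seen here, since its body continues outside the hunk.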
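--- a/package/scripts/validate-pack.mjs
+++ b/package/scripts/validate-pack.mjs
@@ -96,12 +96,14 @@ const requiredRootFiles = [
 "scripts/render-evidence-archive-report.mjs",
 "scripts/render-adapter-repo-map.mjs",
 "scripts/render-route-trace.mjs",
+"scripts/render-env-audit.mjs",
 "scripts/check-adapter-upgrade.mjs",
 "scripts/check-adapter-upgrade-chain.mjs",
 "scripts/validate-adapters.mjs",
 "scripts/validate-project-adapters.mjs",
 "scripts/lib/adapter-repo-map.mjs",
 "scripts/lib/route-trace.mjs",
+"scripts/lib/env-audit.mjs",
 "scripts/lib/adapter-upgrade.mjs",
 "scripts/lib/adapter-upgrade-chain.mjs",
 "scripts/lib/adapter-discovery.mjs",
@@ -675,8 +677,8 @@ if (packageJson) {
 if (packageJson.name !== "coding-agent-skills") {
 failures.push("package.json has unexpected package name");
 }
-if (packageJson.version !== "0.2.9") {
-failures.push("package.json version must be 0.2.9 for public package validation");
+if (packageJson.version !== "0.2.10") {
+failures.push("package.json version must be 0.2.10 for public package validation");
 }
 if (packageJson.type !== "module") failures.push("package.json must preserve ESM mode");
 if (packageJson.private !== false) {
@@ -695,6 +697,7 @@ if (packageJson) {
 "agent-skills",
 "repo-map",
 "route-trace",
+"env-audit",
 "project-adapters",
 "code-validation",
 "cli",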
@@ -0,0 +1,58 @@
1
+ ---
2
+ name: env-audit
3
+ description: Identify environment variable names and configuration requirements from static files without reading .env files or printing values. Use when Codex must map required, optional, sample, or inferred environment names before implementation, deployment planning, or handoff; do not use for secret validation, credential testing, API calls, runtime checks, builds, tests, deployments, migrations, or secret-file reads.
4
+ ---
5
+
6
+ # Env Audit
7
+
8
+ Identify environment variable names from bounded static evidence and emit a value-free report. Remain audit-only and fail closed when evidence would require secret files, runtime state, or credential validation.
9
+
10
+ This skill must not change project files, Git state, dependencies, runtime state, services,
11
+ databases, remotes, or deployment state.
12
+
13
+ ## Purpose And Use
14
+
15
+ Use this skill to map statically visible environment variable names, sample declarations, and configuration references before changing code, documenting setup, or preparing handoff. It can classify names as sample, required, optional, or inferred, but it must not claim that any value exists or works.
16
+
17
+ Do not use this skill for secret auditing, credential validation, live service checks, runtime truth claims, deployment readiness, migrations, builds, tests, or package installation.
18
+
19
+ ## Inputs
20
+
21
+ Require a project root or starting path. Optionally accept a project adapter, intended config area, maximum static scan depth, or named framework/config family to prioritize.
22
+
23
+ Do not assume `.env` files may be read, variable values are safe, documented names are complete, sample files are current, runtime-injected variables are visible, or an adapter covers every configuration surface.
24
+
25
+ ## Procedure
26
+
27
+ 1. Record user intent, project root, declared scope, adapter state, and safety boundary.
28
+ 2. Validate a project adapter when present before reading adapter-declared metadata.
29
+ 3. If an adapter is present but does not enable `env-audit`, stop static file reading and report the adapter-limited skip.
30
+ 4. Build the scan scope from adapter safe read paths when available; otherwise use a bounded generic static scan.
31
+ 5. Exclude `.env`, `.env.*` except `.env.example`, secret-bearing paths, generated paths, dependency paths, and oversized files before reading.
32
+ 6. Extract environment variable names from safe static patterns such as `process.env.NAME`, `import.meta.env.NAME`, `Deno.env.get("NAME")`, `env("NAME")`, docs, and `.env.example` declarations.
33
+ 7. Never print values, line contents, tokens, credentials, or raw secret-like matches.
34
+ 8. Label every finding as sample, required, optional, inferred, skipped, or not verified.
35
+ 9. Report skipped files, unverified runtime/secret-store areas, branch state warnings, and safety refusals.
36
+ 10. Emit the shared evidence pack or env-audit report before claiming completion.
37
+
38
+ Use [checklist.md](checklist.md). Consult [failure-modes.md](failure-modes.md), [adapter-interface.md](adapter-interface.md), and [examples.md](examples.md). Format findings with [evidence-template.md](evidence-template.md).
39
+
40
+ ## Evidence, Recovery, And Dependencies
41
+
42
+ Emit repository identity, adapter state, scan scope, ignored paths, variable names, classifications, file references, sample files inspected, skipped items, not-verified areas, warnings, and changed-state declaration through the shared evidence-pack contract.
43
+
44
+ Recover from missing adapters, unreadable files, ambiguous variable names, or secret-bearing paths by narrowing scope and reporting uncertainty. Never recover by reading `.env`, printing values, validating credentials, contacting APIs, installing dependencies, running builds/tests, broadening adapter scope, or mutating files.
45
+
46
+ This skill depends on the evidence-pack contract and may consume validated project adapters. Adapters may add safe paths, ignored paths, documentation precedence, and evidence requirements, but cannot weaken policy or turn this skill into credential validation.
47
+
48
+ ## Approval Boundary
49
+
50
+ Explicit approval may permit one named non-secret static file read outside normal config paths. Approval does not permit `.env` or secret-file reads, value printing, credential validation, API calls, builds, tests, package installation, runtime checks, deployments, migrations, Git mutation, or project writes.
51
+
52
+ ## Completion
53
+
54
+ Claim `complete` only when the declared static scan scope was inspected, variable names are reported without values, skipped and not-verified areas are recorded with consequences, adapter limitations are explicit, and no project, Git, dependency, runtime, service, or remote state changed.
55
+
56
+ Report `partial`, `failed`, or `blocked` when adapter scope prevents env scanning, requested evidence requires secret files or runtime state, the project root cannot be established, or safety exclusions prevent a requested conclusion. Never claim credential presence or validity from static findings.
57
+
58
+ These conditions are both the acceptance criteria and definition of done.
@@ -0,0 +1,12 @@
1
+ Adapters may enable `env-audit` by declaring the skill ID with unchanged `audit-only`
2
+ mode and compatible version `0.2.3` or `0.2.x`.
3
+
4
+ Useful extension fields:
5
+
6
+ - `safeReadPaths`: source, docs, sample, and config paths that may contain env names.
7
+ - `ignoredPaths`: generated, dependency, runtime-output, and secret-bearing paths to skip.
8
+ - `documentationPrecedence`: docs that may explain required or optional env names.
9
+ - `requiredEvidence`: evidence the report must include before completion.
10
+
11
+ Adapters must not add `.env`, `.env.*` except `.env.example`, credentials, secret stores,
12
+ runtime checks, API calls, builds, tests, deployments, migrations, or project writes.
@@ -0,0 +1,4 @@
1
+ interface:
2
+ display_name: "Env Audit"
3
+ short_description: "Map env variable names without reading values"
4
+ default_prompt: "Audit the statically visible environment variable names in this repository without changing project state. Do not read .env files or print values."
@@ -0,0 +1,7 @@
1
+ - Confirm project root, branch state, and adapter state.
2
+ - Validate adapter before consuming any adapter-declared paths.
3
+ - Refuse `.env`, `.env.*` except `.env.example`, secret-bearing paths, and generated outputs.
4
+ - Scan only bounded static source, docs, sample, and config files.
5
+ - Record variable names, classifications, and file references without values.
6
+ - Record skipped files and runtime/secret-store areas that were not verified.
7
+ - Confirm no files, dependencies, runtime state, services, remotes, or databases changed.
@@ -0,0 +1,17 @@
1
+ ## Env Audit Evidence
2
+
3
+ - Repository root:
4
+ - Branch state:
5
+ - Adapter state:
6
+ - Scan scope:
7
+ - Ignored paths:
8
+ - Static files scanned:
9
+ - Sample files inspected:
10
+ - Variable names found:
11
+ - Required names:
12
+ - Optional names:
13
+ - Inferred names:
14
+ - Skipped items:
15
+ - Not verified:
16
+ - Safety refusals:
17
+ - Changed state: none
@@ -0,0 +1,28 @@
1
+ ## Safe
2
+
3
+ ```bash
4
+ coding-agent-skills env-audit /workspace/app
5
+ ```
6
+
7
+ Produces a value-free list of names such as `DATABASE_URL`, `NEXT_PUBLIC_API_URL`, and
8
+ `PORT`, with file references and classifications.
9
+
10
+ ```bash
11
+ node scripts/render-env-audit.mjs tests/fixtures/env-audit/static-project
12
+ ```
13
+
14
+ Runs the synthetic fixture scanner without reading `.env` files or contacting services.
15
+
16
+ ## Unsafe
17
+
18
+ ```bash
19
+ cat .env
20
+ ```
21
+
22
+ Secret-file reads are forbidden.
23
+
24
+ ```bash
25
+ npm run dev
26
+ ```
27
+
28
+ Runtime checks are outside this skill.
@@ -0,0 +1,5 @@
1
+ - **Adapter not enabled:** report `partial` and do not broaden target-project scanning.
2
+ - **Secret-bearing path requested:** skip the file and record the safety exclusion.
3
+ - **Dynamic variable names:** report as not verified instead of guessing.
4
+ - **Large or unreadable files:** skip with consequence and continue bounded scanning.
5
+ - **Credential validation requested:** refuse and explain that only names are in scope.
@@ -0,0 +1,56 @@
1
+ {
2
+ "adapterId": "env-audit-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "env-audit-fixture",
6
+ "detection": {
7
+ "rootMarkers": [
8
+ {"kind": "file", "path": "package.json"},
9
+ {"kind": "file", "path": "README.md"}
10
+ ],
11
+ "maximumDepth": 1,
12
+ "scope": "declared-project-root",
13
+ "requireApprovalOutsideScope": true
14
+ }
15
+ },
16
+ "supportedSkills": [
17
+ {
18
+ "id": "env-audit",
19
+ "compatibleVersions": ["0.2.3", "0.2.x"],
20
+ "declaredMode": "audit-only"
21
+ }
22
+ ],
23
+ "extensions": {
24
+ "safeReadPaths": ["src"],
25
+ "ignoredPaths": ["dist", "build"],
26
+ "documentationPrecedence": ["README.md"],
27
+ "commandAliases": [],
28
+ "safeStatusCommands": [],
29
+ "requiredEvidence": ["project root", "adapter scope", "env names", "skipped secret paths"],
30
+ "expectedRuntimeManagers": [],
31
+ "expectedPackageManagers": ["npm"]
32
+ },
33
+ "approvalRequirements": [],
34
+ "inheritance": {
35
+ "sharedRestrictions": "required",
36
+ "deniedOperationCategories": [
37
+ "file-write",
38
+ "package-install",
39
+ "deployment",
40
+ "git-mutation",
41
+ "unrestricted-scan",
42
+ "secret-read",
43
+ "process-mutation",
44
+ "service-mutation",
45
+ "migration-apply",
46
+ "privileged-api"
47
+ ],
48
+ "allowRestrictionRemoval": false,
49
+ "allowModeOverride": false,
50
+ "allowFailureSuppression": false,
51
+ "allowCompletionOverride": false,
52
+ "allowSecretExposure": false,
53
+ "allowRequiredEvidenceRemoval": false,
54
+ "allowScopeExpansionWithoutApproval": false
55
+ }
56
+ }
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "env-audit-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["env-audit"],
12
+ "adapters": [
13
+ {
14
+ "id": "env-audit-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["env-audit"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": "validation-output/project-adapters.json",
21
+ "approvalPolicyReference": "docs/coding-agent-approval-policy.md",
22
+ "noSecrets": true
23
+ }
@@ -0,0 +1,3 @@
1
+ # Env Audit Adapter Fixture
2
+
3
+ This fixture narrows env scanning to `src`.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-env-audit-adapter",
3
+ "type": "module"
4
+ }
@@ -0,0 +1,2 @@
1
+ export const adapterScoped = process.env.ADAPTER_ONLY_VALUE;
2
+ export const adapterOptional = process.env.ADAPTER_OPTIONAL_VALUE ?? "fallback";
@@ -0,0 +1,3 @@
1
+ DATABASE_URL=
2
+ NEXT_PUBLIC_APP_URL=
3
+ OPTIONAL_FEATURE_FLAG=
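Review bot: All three declarations in this sample file carry empty values, so the test that scans it cannot tell whether a placeholder value from `.env.example` would be echoed into the report; the value-free guarantee is only exercised for the `.env` file the test writes itself. Giving one entry a clearly synthetic placeholder, e.g. `OPTIONAL_FEATURE_FLAG=sample-placeholder-value`, and asserting in test-pack.mjs that the rendered report does not match it would cover the sample-file path as well. This assumes the scanner in scripts/lib/env-audit.mjs (not shown here) parses `NAME=value` lines rather than only bare names; adjust the fixture if it does not.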
@@ -0,0 +1,3 @@
1
+ # Env Audit Static Fixture
2
+
3
+ Requires DATABASE_URL and optional NEXT_PUBLIC_APP_URL. Workers may use QUEUE_NAME.
@@ -0,0 +1,3 @@
1
+ # Setup
2
+
3
+ Set DATABASE_URL before starting locally. NEXT_PUBLIC_APP_URL is optional.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-env-audit-static",
3
+ "type": "module"
4
+ }
@@ -0,0 +1,4 @@
1
+ export const databaseUrl = process.env.DATABASE_URL;
2
+ export const port = process.env.PORT ?? "3000";
3
+ export const publicUrl = import.meta.env.NEXT_PUBLIC_APP_URL;
4
+ export const requiredToken = env("SERVICE_TOKEN");
@@ -0,0 +1 @@
1
+ export const denoValue = Deno.env.get("DENO_REGION");
@@ -31,6 +31,18 @@
31
31
  "expectedSkill": "route-trace",
32
32
  "notSkills": ["build-verify", "runtime-truth"]
33
33
  },
34
+ {
35
+ "id": "env-audit-process-env",
36
+ "prompt": "Audit process.env and import.meta.env references without reading .env files.",
37
+ "expectedSkill": "env-audit",
38
+ "notSkills": ["secret-audit", "runtime-truth"]
39
+ },
40
+ {
41
+ "id": "env-audit-setup-docs",
42
+ "prompt": "Identify environment variables and configuration requirements from static docs and .env.example only.",
43
+ "expectedSkill": "env-audit",
44
+ "notSkills": ["build-verify", "deployment-preflight"]
45
+ },
34
46
  {
35
47
  "id": "build-after-implementation",
36
48
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -83,7 +95,7 @@
83
95
  "id": "negative-deploy",
84
96
  "prompt": "Deploy this application to production.",
85
97
  "expectedSkill": null,
86
- "notSkills": ["repo-map", "route-trace", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
98
+ "notSkills": ["repo-map", "route-trace", "env-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
87
99
  },
88
100
  {
89
101
  "id": "negative-install",
@@ -4,6 +4,8 @@
4
4
 
5
5
  - Repository orientation must trigger `repo-map`, not build or runtime validation.
6
6
  - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
7
+ - Value-free environment variable mapping must trigger `env-audit`, not runtime truth or
8
+ secret-value inspection.
7
9
  - Local validation must trigger `build-verify` only when project-native checks are requested.
8
10
  - Git readiness must trigger `git-preflight`, not publication.
9
11
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.
package/work-ledger.md CHANGED
@@ -4,26 +4,29 @@
4
4
 
5
5
  - Repository: `coding-agent-skills`
6
6
  - Branch: `main`
7
- - Pilot skills: `repo-map`, `route-trace`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
7
+ - Pilot skills: `repo-map`, `route-trace`, `env-audit`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
8
8
  - Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
9
9
  - Real-project adapter adoption readiness is documented as a planning-only approval gate.
10
10
  - First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
11
11
  - The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
12
12
  - The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
13
- - Public npm package release `v0.2.9` exposes the dependency-free
13
+ - Public npm package release `v0.2.10` exposes the dependency-free
14
14
  `coding-agent-skills` CLI under MIT license.
15
- - `route-trace` is implemented as an audit-only static route tracing skill. Additional new
16
- skills are not approved.
15
+ - `route-trace` is implemented as an audit-only static route tracing skill.
16
+ - `env-audit` is implemented as an audit-only value-free environment variable name mapping
17
+ skill.
18
+ - Builder-mode approval: complete the remaining read-only skill wave for
19
+ `coding-agent-skills` itself. Real-world project execution constraints remain unchanged.
17
20
 
18
21
  ## Last Completed Version
19
22
 
20
- `v0.2.9`
23
+ `v0.2.10`
21
24
 
22
25
  ## Current Recommended Milestone
23
26
 
24
- The `route-trace` public npm release is complete for the approved CLI surface. No further
25
- real adapters, adapter expansion, new skills, platform skills, deployment/preflight work,
26
- signing infrastructure, or evidence-harness milestone is approved.
27
+ The `env-audit` public npm release is in progress under builder-mode approval. Continue the
28
+ remaining read-only skill wave one release at a time unless a real safety, validation,
29
+ publication, or authentication boundary appears.
27
30
 
28
31
  ## Allowed Next Actions
29
32
 
@@ -41,7 +44,7 @@ signing infrastructure, or evidence-harness milestone is approved.
41
44
 
42
45
  ## Blocked Actions
43
46
 
44
- - Adding more new skills.
47
+ - Adding skills outside the approved builder-mode read-only wave.
45
48
  - Creating real project adapters.
46
49
  - Modifying real project repositories.
47
50
  - Publishing release artifacts without explicit approval.
@@ -73,14 +76,15 @@ signing infrastructure, or evidence-harness milestone is approved.
73
76
  - Implementing the next evidence-retention or provenance milestone.
74
77
  - Selecting a real project adapter candidate.
75
78
  - Gathering evidence from a real project repository.
76
- - Creating, changing, or removing skills.
79
+ - Creating, changing, or removing skills outside the approved builder-mode read-only wave.
77
80
  - Adding real project adapters.
78
81
  - Expanding the adopted `tax-lien-platform` adapter beyond `repo-map`.
79
82
  - Enabling candidate repo package scripts, build verification, runtime checks, or command aliases.
80
83
  - Allowing or bypassing project Git hooks during future adapter publication.
81
84
  - Touching real project repositories.
82
85
  - Changing release publication behavior.
83
- - Publishing a new npm version beyond the approved release.
86
+ - Publishing a new npm version outside the approved builder-mode read-only wave or another
87
+ explicitly approved release.
84
88
  - Commit, tag, or push operations.
85
89
  - Any action not listed in the allowed next actions above.
86
90
 
@@ -94,6 +98,15 @@ No next runner command is currently queued.
94
98
 
95
99
  No autonomous maintainer-loop run has been recorded yet.
96
100
 
101
+ ### 2026-07-03T10:00:00Z
102
+
103
+ - Latest tag observed: `v0.2.9`
104
+ - Implemented milestone: `env-audit` audit-only environment variable name mapping skill and CLI command.
105
+ - Required permission: `builder-mode-skill-implementation`
106
+ - Validation result: pass pending final publication evidence
107
+ - Next recommended milestone: continue builder-mode wave with `secret-audit-skill` after
108
+ `v0.2.10` publication completes.
109
+
97
110
 
98
111
  ### 2026-06-19T00:00:00Z
99
112