coding-agent-skills 0.2.9 → 0.2.11

Files changed (69)
  1. package/CHANGELOG.md +39 -0
  2. package/README.md +6 -0
  3. package/ROADMAP.md +20 -15
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +36 -0
  6. package/docs/adapters/project-installation.md +23 -0
  7. package/docs/adapters/real-project-adoption.md +2 -1
  8. package/docs/architecture/README.md +5 -3
  9. package/docs/release/README.md +4 -2
  10. package/docs/release/npm-package.md +10 -3
  11. package/docs/safety/README.md +10 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +24 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/command-policies/secret-audit.json +71 -0
  16. package/examples/evidence-packs/env-audit.json +55 -0
  17. package/examples/evidence-packs/secret-audit.json +55 -0
  18. package/examples/manifests/env-audit.json +14 -0
  19. package/examples/manifests/secret-audit.json +14 -0
  20. package/examples/workflows/env-audit.md +16 -0
  21. package/examples/workflows/secret-audit.md +10 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +26 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/env-audit.mjs +640 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/secret-audit.mjs +510 -0
  29. package/scripts/render-env-audit.mjs +8 -0
  30. package/scripts/render-secret-audit.mjs +8 -0
  31. package/scripts/test-pack.mjs +139 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/env-audit/SKILL.md +58 -0
  34. package/skills/env-audit/adapter-interface.md +12 -0
  35. package/skills/env-audit/agents/openai.yaml +4 -0
  36. package/skills/env-audit/checklist.md +7 -0
  37. package/skills/env-audit/evidence-template.md +17 -0
  38. package/skills/env-audit/examples.md +28 -0
  39. package/skills/env-audit/failure-modes.md +5 -0
  40. package/skills/secret-audit/SKILL.md +57 -0
  41. package/skills/secret-audit/adapter-interface.md +12 -0
  42. package/skills/secret-audit/agents/openai.yaml +4 -0
  43. package/skills/secret-audit/checklist.md +7 -0
  44. package/skills/secret-audit/evidence-template.md +15 -0
  45. package/skills/secret-audit/examples.md +27 -0
  46. package/skills/secret-audit/failure-modes.md +5 -0
  47. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  48. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  52. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  53. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  54. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  55. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  57. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  58. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/adapters/secret-audit-fixture/adapter.json +53 -0
  59. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/secret-audit/adapter-project/README.md +3 -0
  61. package/tests/fixtures/secret-audit/adapter-project/package.json +4 -0
  62. package/tests/fixtures/secret-audit/adapter-project/src/placeholder.ts +1 -0
  63. package/tests/fixtures/secret-audit/static-project/.env.example +1 -0
  64. package/tests/fixtures/secret-audit/static-project/README.md +3 -0
  65. package/tests/fixtures/secret-audit/static-project/package.json +4 -0
  66. package/tests/fixtures/secret-audit/static-project/src/config.ts +1 -0
  67. package/tests/fixtures/triggers/cases.json +25 -1
  68. package/tests/trigger/README.md +4 -0
  69. package/work-ledger.md +36 -11
@@ -0,0 +1,55 @@
1
+ {
2
+ "contractVersion": "1.0.0",
3
+ "skill": {"name": "secret-audit", "version": "0.2.3"},
4
+ "invocation": {
5
+ "id": "example-secret-audit",
6
+ "startedAt": "2026-07-03T11:00:00Z",
7
+ "endedAt": "2026-07-03T11:01:00Z"
8
+ },
9
+ "repository": {
10
+ "root": "/workspace/example-project",
11
+ "branch": "main",
12
+ "head": "0123456789abcdef",
13
+ "workingTreeState": "clean"
14
+ },
15
+ "userIntent": "Find possible tracked secret exposure before handoff.",
16
+ "declaredScope": ["/workspace/example-project"],
17
+ "projectAdapter": "example-secret-adapter",
18
+ "environmentSummary": {"platform": "linux", "shell": "bash"},
19
+ "status": "complete",
20
+ "confidence": {
21
+ "level": "high",
22
+ "reason": "Static files were scanned for high-confidence secret-like patterns with matched values omitted."
23
+ },
24
+ "commands": [
25
+ {
26
+ "command": "coding-agent-skills secret-audit /workspace/example-project",
27
+ "family": "secret-audit-renderer",
28
+ "workingDirectory": "/workspace/example-project",
29
+ "startedAt": "2026-07-03T11:00:20Z",
30
+ "endedAt": "2026-07-03T11:00:21Z",
31
+ "exitStatus": 0,
32
+ "resultStatus": "success",
33
+ "safetyClass": "allowed",
34
+ "approvalReference": null,
35
+ "purpose": "Render a redacted static secret-audit report.",
36
+ "outputSummary": "Reported finding paths, types, and counts without matched values."
37
+ }
38
+ ],
39
+ "skippedChecks": [],
40
+ "findings": [
41
+ {
42
+ "summary": "Potential secret exposure was reported by file path, type, and count only.",
43
+ "evidence": ["src/example.ts"]
44
+ }
45
+ ],
46
+ "risks": [],
47
+ "failures": [],
48
+ "unresolvedQuestions": [],
49
+ "changedState": {
50
+ "changed": false,
51
+ "summary": "No project, Git, dependency, runtime, service, or remote state changed."
52
+ },
53
+ "handoffSummary": "Secret-like findings require human review; matched values were omitted.",
54
+ "recommendedNextAction": "Review flagged files locally and rotate credentials only through approved project procedures."
55
+ }
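Review bot: The example records `"status": "complete"` and `"confidence": {"level": "high"}` while `"skippedChecks": []` and `"risks": []` are both empty, which reads as a full-coverage result for a scan that its own `reason` describes as static and pattern-based. The workflow text shipped in this release tells reviewers to look at skipped secret-bearing paths and not-verified stores, so the sample pack should show at least one such entry; otherwise consumers copying it may treat an empty list as proof that nothing was skipped. Something like `"risks": ["Pattern scan only; skipped secret-bearing paths and external credential stores are not covered."]` would do, with the entry shape adjusted to whatever the evidence-pack schema requires (not visible here). The finding's `evidence` also lists only a path, although its `summary` promises path, type, and count.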
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "env-audit",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/env-audit.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/env-audit/adapter-interface.md",
13
+ "description": "Identify environment variable names without reading values."
14
+ }
@@ -0,0 +1,14 @@
1
+ {
2
+ "name": "secret-audit",
3
+ "version": "0.2.3",
4
+ "mode": "audit-only",
5
+ "evidenceContract": "../../contracts/evidence-pack/evidence-pack.schema.json",
6
+ "commandPolicy": "../command-policies/secret-audit.json",
7
+ "adapterSchema": "../../schemas/project-adapter.schema.json",
8
+ "adapterCompatibility": {
9
+ "contractVersion": "1.0.0",
10
+ "compatibleAdapterVersions": ["1.0.0"]
11
+ },
12
+ "adapterInterface": "../../skills/secret-audit/adapter-interface.md",
13
+ "description": "Find high-confidence secret exposure risks without printing values."
14
+ }
@@ -0,0 +1,16 @@
1
+ # Env Audit Workflow
2
+
3
+ Use `env-audit` before editing setup docs, config loaders, or handoff notes:
4
+
5
+ ```bash
6
+ coding-agent-skills env-audit /workspace/project
7
+ ```
8
+
9
+ Review:
10
+
11
+ - names and classifications
12
+ - sample files inspected
13
+ - skipped secret-bearing paths
14
+ - runtime and credential stores not verified
15
+
16
+ Do not use the output as proof that values exist or credentials work.
@@ -0,0 +1,10 @@
1
+ # Secret Audit Workflow
2
+
3
+ Use `secret-audit` before handoff or publication:
4
+
5
+ ```bash
6
+ coding-agent-skills secret-audit /workspace/project
7
+ ```
8
+
9
+ Review file paths, types, counts, skipped secret-bearing paths, and not-verified stores.
10
+ Do not ask the tool to print matched values or rotate credentials.
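--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "coding-agent-skills",
- "version": "0.2.9",
+ "version": "0.2.11",
  "description": "Evidence-first, read-only coding-agent skills and project adapter tooling.",
  "type": "module",
  "private": false,
@@ -10,6 +10,8 @@
  "agent-skills",
  "repo-map",
  "route-trace",
+ "env-audit",
+ "secret-audit",
  "project-adapters",
  "code-validation",
  "cli"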
@@ -186,4 +186,30 @@ This file records bounded maintainer-loop runs. Entries must not contain secrets
186
186
  - Validation commands: `git diff --check`; `bin/coding-agent-skills validate-pack`; `bin/coding-agent-skills validate-adapters tests/fixtures/external-adapters/valid-basic`; `bin/coding-agent-skills validate-project /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills repo-map /home/oneclickwebsitedesignfactory/tax-lien-platform`; `bin/coding-agent-skills route-trace tests/fixtures/route-trace/static-project`; `bin/coding-agent-skills route-trace /home/oneclickwebsitedesignfactory/tax-lien-platform`; `node scripts/validate-pack.mjs .`; `node scripts/test-pack.mjs`; `node scripts/validate-maintainer-loop.mjs .`; `node --test`; JSON parsing; package secret scan; npm publish dry-run; tarball install smoke.
187
187
  - Validation result: pass pending final commit, tag, publication, registry smoke, npm exec, and GitHub Release evidence.
188
188
  - Real project smoke: `/home/oneclickwebsitedesignfactory/tax-lien-platform` remained repo-map-only for adapters, so route-trace reported `partial` and did not read target project route files.
189
+
190
+ ## implementation-v0.2.10-env-audit
191
+
192
+ - Run ID: `implementation-v0.2.10-env-audit`
193
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
194
+ - Command used: `builder-mode approval for env-audit-skill implementation and release`
195
+ - Files changed: `env-audit` skill, env-audit renderer and library, CLI wrapper, adapter schemas, pack rules, release tests, synthetic env fixtures, usage/release/safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
196
+ - Safety boundary: read-only, static-analysis only, no `.env` reads, no value printing, no credential validation, no API calls, no builds, no tests in target projects, no deploys, no migrations, and no target-project mutation.
197
+ - Validation commands: pending final release validation matrix.
198
+ - Result: pass pending final publication evidence.
199
+ - Commit/tag/push status: pending approved release workflow.
200
+
201
+ ## implementation-v0.2.11-secret-audit
202
+
203
+ - Run ID: `implementation-v0.2.11-secret-audit`
204
+ - Repository: `/home/oneclickwebsitedesignfactory/coding-agent-skills`
205
+ - Command used: `builder-mode approval for secret-audit-skill implementation and release`
206
+ - Files changed: `secret-audit` skill, secret-audit renderer and library, CLI wrapper,
207
+ adapter schemas, pack rules, release tests, synthetic secret fixtures, usage/release/
208
+ safety/adapter docs, changelog, roadmap, work ledger, run log, and package metadata.
209
+ - Safety boundary: read-only, static-analysis only, no `.env` reads, no secret-file
210
+ reads, no matched value printing, no credential validation or rotation, no API calls,
211
+ no builds, no tests in target projects, no deploys, no migrations, and no
212
+ target-project mutation.
213
+ - Validation commands: pending final release validation matrix.
214
+ - Result: pass pending final publication evidence.
189
215
  - Commit/tag/push status: pending approved release workflow.
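Review bot: Both new entries record `Repository: /home/oneclickwebsitedesignfactory/coding-agent-skills`, an absolute path from the maintainer's machine, in a file that ships inside the published package; the unchanged lines above do the same for a second project path. This exposes a local account name and directory layout to every installer, which sits poorly with the rule in the hunk header that entries must not contain secrets (the rest of that sentence is cut off, so its full scope is not visible). A repo-relative or placeholder form such as `Repository: <repo-root>` keeps the record useful without the host detail. Separately, both entries state `Result: pass pending final publication evidence` while `Validation commands` is still `pending final release validation matrix`, so the log asserts a pass with no commands recorded to support it.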
@@ -66,6 +66,8 @@
66
66
  "enum": [
67
67
  "repo-map",
68
68
  "route-trace",
69
+ "env-audit",
70
+ "secret-audit",
69
71
  "build-verify",
70
72
  "git-preflight",
71
73
  "runtime-truth",
@@ -99,6 +101,8 @@
99
101
  "enum": [
100
102
  "repo-map",
101
103
  "route-trace",
104
+ "env-audit",
105
+ "secret-audit",
102
106
  "build-verify",
103
107
  "git-preflight",
104
108
  "runtime-truth",
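Review bot: The same skill-name `enum` is edited by hand in both hunks of this section and again in the two hunks that follow (`@@ -90,6 +90,8 @@` and `@@ -167,6 +169,8 @@`), so every new skill has to be added in four places. A missed copy would make the installation and adapter schemas disagree about which skill names are valid. Defining the list once per schema and referencing it, e.g. `"$ref": "#/$defs/skillName"` (an illustrative name; `#/definitions/…` if these schemas are draft-07), removes that drift. The enclosing property definitions start and end outside the hunks, so whether the four lists are meant to stay identical should be confirmed first.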
@@ -90,6 +90,8 @@
90
90
  "enum": [
91
91
  "repo-map",
92
92
  "route-trace",
93
+ "env-audit",
94
+ "secret-audit",
93
95
  "build-verify",
94
96
  "git-preflight",
95
97
  "runtime-truth",
@@ -167,6 +169,8 @@
167
169
  "enum": [
168
170
  "repo-map",
169
171
  "route-trace",
172
+ "env-audit",
173
+ "secret-audit",
170
174
  "build-verify",
171
175
  "git-preflight",
172
176
  "runtime-truth",