coding-agent-skills 0.2.9 → 0.2.11

Files changed (69) hide show
  1. package/CHANGELOG.md +39 -0
  2. package/README.md +6 -0
  3. package/ROADMAP.md +20 -15
  4. package/bin/coding-agent-skills +14 -0
  5. package/docs/adapters/README.md +36 -0
  6. package/docs/adapters/project-installation.md +23 -0
  7. package/docs/adapters/real-project-adoption.md +2 -1
  8. package/docs/architecture/README.md +5 -3
  9. package/docs/release/README.md +4 -2
  10. package/docs/release/npm-package.md +10 -3
  11. package/docs/safety/README.md +10 -1
  12. package/docs/testing/README.md +15 -0
  13. package/docs/usage/README.md +24 -5
  14. package/examples/command-policies/env-audit.json +73 -0
  15. package/examples/command-policies/secret-audit.json +71 -0
  16. package/examples/evidence-packs/env-audit.json +55 -0
  17. package/examples/evidence-packs/secret-audit.json +55 -0
  18. package/examples/manifests/env-audit.json +14 -0
  19. package/examples/manifests/secret-audit.json +14 -0
  20. package/examples/workflows/env-audit.md +16 -0
  21. package/examples/workflows/secret-audit.md +10 -0
  22. package/package.json +3 -1
  23. package/runs/skill-runs.md +26 -0
  24. package/schemas/project-adapter-installation.schema.json +4 -0
  25. package/schemas/project-adapter.schema.json +4 -0
  26. package/scripts/lib/env-audit.mjs +640 -0
  27. package/scripts/lib/pack-rules.mjs +20 -2
  28. package/scripts/lib/secret-audit.mjs +510 -0
  29. package/scripts/render-env-audit.mjs +8 -0
  30. package/scripts/render-secret-audit.mjs +8 -0
  31. package/scripts/test-pack.mjs +139 -1
  32. package/scripts/validate-pack.mjs +8 -2
  33. package/skills/env-audit/SKILL.md +58 -0
  34. package/skills/env-audit/adapter-interface.md +12 -0
  35. package/skills/env-audit/agents/openai.yaml +4 -0
  36. package/skills/env-audit/checklist.md +7 -0
  37. package/skills/env-audit/evidence-template.md +17 -0
  38. package/skills/env-audit/examples.md +28 -0
  39. package/skills/env-audit/failure-modes.md +5 -0
  40. package/skills/secret-audit/SKILL.md +57 -0
  41. package/skills/secret-audit/adapter-interface.md +12 -0
  42. package/skills/secret-audit/agents/openai.yaml +4 -0
  43. package/skills/secret-audit/checklist.md +7 -0
  44. package/skills/secret-audit/evidence-template.md +15 -0
  45. package/skills/secret-audit/examples.md +27 -0
  46. package/skills/secret-audit/failure-modes.md +5 -0
  47. package/tests/fixtures/env-audit/adapter-project/.coding-agent/adapters/env-audit-fixture/adapter.json +56 -0
  48. package/tests/fixtures/env-audit/adapter-project/.coding-agent/skills.json +23 -0
  49. package/tests/fixtures/env-audit/adapter-project/README.md +3 -0
  50. package/tests/fixtures/env-audit/adapter-project/package.json +4 -0
  51. package/tests/fixtures/env-audit/adapter-project/src/config.ts +2 -0
  52. package/tests/fixtures/env-audit/static-project/.env.example +3 -0
  53. package/tests/fixtures/env-audit/static-project/README.md +3 -0
  54. package/tests/fixtures/env-audit/static-project/docs/setup.md +3 -0
  55. package/tests/fixtures/env-audit/static-project/package.json +4 -0
  56. package/tests/fixtures/env-audit/static-project/src/config.ts +4 -0
  57. package/tests/fixtures/env-audit/static-project/src/deno.ts +1 -0
  58. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/adapters/secret-audit-fixture/adapter.json +53 -0
  59. package/tests/fixtures/secret-audit/adapter-project/.coding-agent/skills.json +23 -0
  60. package/tests/fixtures/secret-audit/adapter-project/README.md +3 -0
  61. package/tests/fixtures/secret-audit/adapter-project/package.json +4 -0
  62. package/tests/fixtures/secret-audit/adapter-project/src/placeholder.ts +1 -0
  63. package/tests/fixtures/secret-audit/static-project/.env.example +1 -0
  64. package/tests/fixtures/secret-audit/static-project/README.md +3 -0
  65. package/tests/fixtures/secret-audit/static-project/package.json +4 -0
  66. package/tests/fixtures/secret-audit/static-project/src/config.ts +1 -0
  67. package/tests/fixtures/triggers/cases.json +25 -1
  68. package/tests/trigger/README.md +4 -0
  69. package/work-ledger.md +36 -11
@@ -0,0 +1,53 @@
1
+ {
2
+ "adapterId": "secret-audit-fixture",
3
+ "adapterVersion": "1.0.0",
4
+ "project": {
5
+ "id": "secret-audit-fixture",
6
+ "detection": {
7
+ "rootMarkers": [{"kind": "file", "path": "package.json"}],
8
+ "maximumDepth": 1,
9
+ "scope": "declared-project-root",
10
+ "requireApprovalOutsideScope": true
11
+ }
12
+ },
13
+ "supportedSkills": [
14
+ {
15
+ "id": "secret-audit",
16
+ "compatibleVersions": ["0.2.3", "0.2.x"],
17
+ "declaredMode": "audit-only"
18
+ }
19
+ ],
20
+ "extensions": {
21
+ "safeReadPaths": ["src"],
22
+ "ignoredPaths": ["dist", "build"],
23
+ "documentationPrecedence": ["README.md"],
24
+ "commandAliases": [],
25
+ "safeStatusCommands": [],
26
+ "requiredEvidence": ["project root", "adapter scope", "finding paths", "redaction statement"],
27
+ "expectedRuntimeManagers": [],
28
+ "expectedPackageManagers": ["npm"]
29
+ },
30
+ "approvalRequirements": [],
31
+ "inheritance": {
32
+ "sharedRestrictions": "required",
33
+ "deniedOperationCategories": [
34
+ "file-write",
35
+ "package-install",
36
+ "deployment",
37
+ "git-mutation",
38
+ "unrestricted-scan",
39
+ "secret-read",
40
+ "process-mutation",
41
+ "service-mutation",
42
+ "migration-apply",
43
+ "privileged-api"
44
+ ],
45
+ "allowRestrictionRemoval": false,
46
+ "allowModeOverride": false,
47
+ "allowFailureSuppression": false,
48
+ "allowCompletionOverride": false,
49
+ "allowSecretExposure": false,
50
+ "allowRequiredEvidenceRemoval": false,
51
+ "allowScopeExpansionWithoutApproval": false
52
+ }
53
+ }
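Review bot: Nothing in this fixture can show that `"safeReadPaths": ["src"]` is actually enforced. Going by the file list, the project holds only `src/placeholder.ts` besides its metadata, and that file contains a value no detector should match, so a scan that ignored the scope would return the same empty result as one that honoured it. Unless `scripts/test-pack.mjs` writes a decoy at run time (not visible here), consider having the test create an out-of-scope file with a clearly constructed, non-functional secret-shaped string in a temporary copy of the fixture and assert that it is not reported. A second decoy under `dist` would exercise `"ignoredPaths"` the same way. Generating the decoys at test time keeps secret-like values out of the published package.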
@@ -0,0 +1,23 @@
1
+ {
2
+ "declarationVersion": "1.0.0",
3
+ "projectId": "secret-audit-fixture",
4
+ "adapterRoot": ".coding-agent/adapters",
5
+ "adapterSchemaVersion": "1.0.0",
6
+ "core": {
7
+ "id": "coding-agent-skills",
8
+ "expectedVersion": "0.2.3",
9
+ "versionPin": ">=0.2.3 <0.3.0"
10
+ },
11
+ "compatibleSkillIds": ["secret-audit"],
12
+ "adapters": [
13
+ {
14
+ "id": "secret-audit-fixture",
15
+ "version": "1.0.0",
16
+ "skillIds": ["secret-audit"]
17
+ }
18
+ ],
19
+ "validationCommand": "node <shared-core>/scripts/validate-project-adapters.mjs <project-root>",
20
+ "evidenceOutput": "validation-output/project-adapters.json",
21
+ "approvalPolicyReference": "docs/coding-agent-approval-policy.md",
22
+ "noSecrets": true
23
+ }
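Review bot: `"expectedVersion": "0.2.3"` and `"versionPin": ">=0.2.3 <0.3.0"` admit core releases that predate the skill this declaration enables; the work ledger on this page records `secret-audit` as implemented after tag `v0.2.10` and published as `v0.2.11`. If the pin is meant to guarantee that the core provides every id in `compatibleSkillIds`, the lower bound should be the first release that ships the skill, e.g. `"versionPin": ">=0.2.11 <0.3.0"` with `expectedVersion` to match. `"compatibleVersions": ["0.2.3", "0.2.x"]` in the adapter manifest may need the same change if those are core versions. If 0.2.3 is a deliberate fixture constant, a sentence in the fixture README saying so would keep it from being copied into real declarations. Separately, `approvalPolicyReference` names `docs/coding-agent-approval-policy.md`, which the file list does not show in this fixture project.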
@@ -0,0 +1,3 @@
1
+ # Secret Audit Adapter Fixture
2
+
3
+ This fixture narrows secret scanning to `src`.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-secret-audit-adapter",
3
+ "type": "module"
4
+ }
@@ -0,0 +1 @@
1
+ export const placeholder = "safe-placeholder-only";
@@ -0,0 +1,3 @@
1
+ # Secret Audit Static Fixture
2
+
3
+ This fixture intentionally contains no packaged secret-like values.
@@ -0,0 +1,4 @@
1
+ {
2
+ "name": "fixture-secret-audit-static",
3
+ "type": "module"
4
+ }
@@ -0,0 +1 @@
1
+ export const placeholder = "replace-with-token-at-runtime";
@@ -31,6 +31,30 @@
31
31
  "expectedSkill": "route-trace",
32
32
  "notSkills": ["build-verify", "runtime-truth"]
33
33
  },
34
+ {
35
+ "id": "env-audit-process-env",
36
+ "prompt": "Audit process.env and import.meta.env references without reading .env files.",
37
+ "expectedSkill": "env-audit",
38
+ "notSkills": ["secret-audit", "runtime-truth"]
39
+ },
40
+ {
41
+ "id": "env-audit-setup-docs",
42
+ "prompt": "Identify environment variables and configuration requirements from static docs and .env.example only.",
43
+ "expectedSkill": "env-audit",
44
+ "notSkills": ["build-verify", "deployment-preflight"]
45
+ },
46
+ {
47
+ "id": "secret-audit-exposure",
48
+ "prompt": "Run a secret audit for hardcoded tokens and private keys without printing matched values.",
49
+ "expectedSkill": "secret-audit",
50
+ "notSkills": ["env-audit", "runtime-truth"]
51
+ },
52
+ {
53
+ "id": "secret-audit-tracked-secrets",
54
+ "prompt": "Check for tracked secret exposure in source files without reading .env or credential stores.",
55
+ "expectedSkill": "secret-audit",
56
+ "notSkills": ["repo-map", "build-verify"]
57
+ },
34
58
  {
35
59
  "id": "build-after-implementation",
36
60
  "prompt": "The implementation is finished. Run the existing typecheck, tests, and build.",
@@ -83,7 +107,7 @@
83
107
  "id": "negative-deploy",
84
108
  "prompt": "Deploy this application to production.",
85
109
  "expectedSkill": null,
86
- "notSkills": ["repo-map", "route-trace", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
110
+ "notSkills": ["repo-map", "route-trace", "env-audit", "secret-audit", "build-verify", "git-preflight", "runtime-truth", "llm-drift-control"]
87
111
  },
88
112
  {
89
113
  "id": "negative-install",
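Review bot: The `secret-audit-tracked-secrets` case is the new prompt most likely to be misrouted to `env-audit`, because it mentions `.env`, yet its `notSkills` is `["repo-map", "build-verify"]` and leaves `env-audit` out. `env-audit-setup-docs` has the mirror gap: it names `.env.example` but does not exclude `secret-audit`. If `notSkills` is what the trigger test asserts against (the harness is not visible here), add the sibling skill to both, e.g. `"notSkills": ["env-audit", "repo-map", "build-verify"]`. The hunk also adds no `"expectedSkill": null` case for a prompt that asks to print or reveal secret values, which is the boundary both skills are meant to hold. The negative cases continue outside the hunk, so one may already exist.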
@@ -4,6 +4,10 @@
4
4
 
5
5
  - Repository orientation must trigger `repo-map`, not build or runtime validation.
6
6
  - Static route-surface tracing must trigger `route-trace`, not repository mapping or runtime truth.
7
+ - Value-free environment variable mapping must trigger `env-audit`, not runtime truth or
8
+ secret-value inspection.
9
+ - Redacted high-confidence secret exposure detection must trigger `secret-audit`, not
10
+ environment variable mapping or runtime truth.
7
11
  - Local validation must trigger `build-verify` only when project-native checks are requested.
8
12
  - Git readiness must trigger `git-preflight`, not publication.
9
13
  - Process/listener/health questions must trigger `runtime-truth`, not restart behavior.
package/work-ledger.md CHANGED
@@ -4,26 +4,31 @@
4
4
 
5
5
  - Repository: `coding-agent-skills`
6
6
  - Branch: `main`
7
- - Pilot skills: `repo-map`, `route-trace`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
7
+ - Pilot skills: `repo-map`, `route-trace`, `env-audit`, `secret-audit`, `build-verify`, `git-preflight`, `runtime-truth`, `llm-drift-control`
8
8
  - Adapter discovery, project adapter installation, stale-pin detection, upgrade evidence, compatibility-chain validation, evidence-bundle verification, retention policy, provenance design, archive-report rendering, archive-index fixtures, retention-expiry advisory reporting, and detached-signature verification planning are implemented.
9
9
  - Real-project adapter adoption readiness is documented as a planning-only approval gate.
10
10
  - First external project-owned adapter adoption completed for `/home/oneclickwebsitedesignfactory/tax-lien-platform` at candidate commit `c548b1a6cbb3455a70b89d0e301e22435bfccac9`.
11
11
  - The adopted adapter is `repo-map` only, docs/metadata-only, and contains no commands, runtime checks, build/test/package behavior, platform/deployment behavior, or secret-aware behavior.
12
12
  - The shared repository does not contain real adapter manifests; real project adapters remain owned by their project repositories.
13
- - Public npm package release `v0.2.9` exposes the dependency-free
13
+ - Public npm package release `v0.2.11` exposes the dependency-free
14
14
  `coding-agent-skills` CLI under MIT license.
15
- - `route-trace` is implemented as an audit-only static route tracing skill. Additional new
16
- skills are not approved.
15
+ - `route-trace` is implemented as an audit-only static route tracing skill.
16
+ - `env-audit` is implemented as an audit-only value-free environment variable name mapping
17
+ skill.
18
+ - `secret-audit` is implemented as an audit-only redacted secret exposure detection skill.
19
+ - Builder-mode approval: complete the remaining read-only skill wave for
20
+ `coding-agent-skills` itself. Real-world project execution constraints remain unchanged.
17
21
 
18
22
  ## Last Completed Version
19
23
 
20
- `v0.2.9`
24
+ `v0.2.11`
21
25
 
22
26
  ## Current Recommended Milestone
23
27
 
24
- The `route-trace` public npm release is complete for the approved CLI surface. No further
25
- real adapters, adapter expansion, new skills, platform skills, deployment/preflight work,
26
- signing infrastructure, or evidence-harness milestone is approved.
28
+ The `secret-audit` public npm release is in progress under builder-mode approval. Continue
29
+ the remaining read-only skill wave one release at a time unless a real safety, validation,
30
+ publication, or authentication boundary appears. The next approved wave item is
31
+ `api-contract-audit-skill`.
27
32
 
28
33
  ## Allowed Next Actions
29
34
 
@@ -41,7 +46,7 @@ signing infrastructure, or evidence-harness milestone is approved.
41
46
 
42
47
  ## Blocked Actions
43
48
 
44
- - Adding more new skills.
49
+ - Adding skills outside the approved builder-mode read-only wave.
45
50
  - Creating real project adapters.
46
51
  - Modifying real project repositories.
47
52
  - Publishing release artifacts without explicit approval.
@@ -73,14 +78,15 @@ signing infrastructure, or evidence-harness milestone is approved.
73
78
  - Implementing the next evidence-retention or provenance milestone.
74
79
  - Selecting a real project adapter candidate.
75
80
  - Gathering evidence from a real project repository.
76
- - Creating, changing, or removing skills.
81
+ - Creating, changing, or removing skills outside the approved builder-mode read-only wave.
77
82
  - Adding real project adapters.
78
83
  - Expanding the adopted `tax-lien-platform` adapter beyond `repo-map`.
79
84
  - Enabling candidate repo package scripts, build verification, runtime checks, or command aliases.
80
85
  - Allowing or bypassing project Git hooks during future adapter publication.
81
86
  - Touching real project repositories.
82
87
  - Changing release publication behavior.
83
- - Publishing a new npm version beyond the approved release.
88
+ - Publishing a new npm version outside the approved builder-mode read-only wave or another
89
+ explicitly approved release.
84
90
  - Commit, tag, or push operations.
85
91
  - Any action not listed in the allowed next actions above.
86
92
 
@@ -94,6 +100,25 @@ No next runner command is currently queued.
94
100
 
95
101
  No autonomous maintainer-loop run has been recorded yet.
96
102
 
103
+ ### 2026-07-03T11:00:00Z
104
+
105
+ - Latest tag observed: `v0.2.10`
106
+ - Implemented milestone: `secret-audit` audit-only redacted secret exposure detection skill and CLI command.
107
+ - Required permission: `builder-mode-skill-implementation`
108
+ - Validation result: pass pending final publication evidence
109
+ - Next recommended milestone: continue builder-mode wave with `api-contract-audit-skill`
110
+ after `v0.2.11` publication completes.
111
+
112
+
113
+ ### 2026-07-03T10:00:00Z
114
+
115
+ - Latest tag observed: `v0.2.9`
116
+ - Implemented milestone: `env-audit` audit-only environment variable name mapping skill and CLI command.
117
+ - Required permission: `builder-mode-skill-implementation`
118
+ - Validation result: pass pending final publication evidence
119
+ - Next recommended milestone: continue builder-mode wave with `secret-audit-skill` after
120
+ `v0.2.10` publication completes.
121
+
97
122
 
98
123
  ### 2026-06-19T00:00:00Z
99
124