diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5662b43 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..b1d017a --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,39 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '20 20 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.tasks.jsonl b/.tasks.jsonl new file mode 100644 index 0000000..2142941 --- /dev/null +++ b/.tasks.jsonl @@ -0,0 +1 @@ +{"id":"uYIf5fCu","description":"Bring the repo into compliance with AGENTS.md and project standards","stage":"in-progress","createdAt":"2026-03-07T04:02:50.599Z","updatedAt":"2026-03-07T04:02:50.599Z"} diff --git a/AGENTS.md b/AGENTS.md index e18dfca..26b2d66 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -38,7 +38,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/agent-rules-composition.m Source: github:metyatech/agent-rules@HEAD/rules/global/autonomous-operations.md -# Autonomous operations +# Autonomous operations - Optimize for minimal human effort; default to automation over manual steps. - Drive work from the desired outcome: choose the highest-quality safe path and execute end-to-end. 
@@ -48,21 +48,24 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/autonomous-operations.md - No backward compatibility unless requested; no legacy aliases, shims, or temporary fallback behavior. - Proactively fix rule gaps, redundancy, or misplacement; regenerate AGENTS.md without waiting. - Self-evaluate continuously; fix rule/skill gaps immediately on discovery. In delegated mode, include improvement suggestions in the task result. -- On user-reported failures: treat as systemic — fix, update rules, check for same pattern elsewhere, in one action. +- On user-reported failures: treat as systemic - fix, update rules, check for same pattern elsewhere, in one action. - Session memory resets; use rule files as persistent memory. Never write to platform-specific local memory files; all persistent behavioral knowledge MUST live in agent rules. - Rules are source of truth; update conflicting repos to comply or encode the exception. - Investigate unclear items before proceeding; no assumptions without approval. Make scope/risk/cost/irreversibility decisions explicit. +## Autonomous task resolution + +- If a verification step (e.g., `npm run verify`, `npm audit`) fails due to known security vulnerabilities, attempt to fix them automatically (e.g., `npm audit fix`). If the fix is successful and verification passes, commit and push the changes to the PR branch. +- If a task is stuck or constantly failing due to quota limits (429 errors), ensure the task state is correctly updated in `task-tracker` so it can resume from the last successful stage in the next execution cycle. +- Do not remain idle on a failing PR if a known automated fix exists. + Source: github:metyatech/agent-rules@HEAD/rules/global/command-execution.md # Workflow and command execution - ## MCP server setup verification - - After adding or modifying an MCP server configuration, immediately verify connectivity using the platform's MCP health check and confirm the server is connected. 
- If a configured MCP server fails to connect, diagnose and fix before proceeding. Do not silently fall back to alternative tools without reporting the degradation. - At session start, if expected MCP tools are absent from the available tool set, verify MCP server health and report/fix connection failures before continuing. - - Do not add wrappers or pipes to commands unless the user explicitly asks. - Prefer repository-standard scripts/commands (package.json scripts, README instructions). - Reproduce reported command issues by running the same command (or closest equivalent) before proposing fixes. 
@@ -72,16 +75,16 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/command-execution.md - If no branch is specified, work on the current branch; direct commits to main/master are allowed. - Do not assume agent platform capabilities beyond what is available; fail explicitly when unavailable. - When building a CLI, follow standard conventions: --help/-h, --version/-V, stdin/stdout piping, --json output, --dry-run for mutations, deterministic exit codes, and JSON Schema config validation. - +## Codex-only PowerShell safety +- `Remove-Item` (aliases: `rm`, `ri`, `del`, `erase`) → Use: `if ([IO.File]::Exists($p)) { [IO.File]::SetAttributes($p,[IO.FileAttributes]::Normal); [IO.File]::Delete($p) }` +- `Remove-Item -Recurse` (aliases: `rmdir`, `rd`) → Use: `if ([IO.Directory]::Exists($d)) { [IO.File]::SetAttributes($d,[IO.FileAttributes]::Normal); foreach ($e in [IO.Directory]::EnumerateFileSystemEntries($d,'*',[IO.SearchOption]::AllDirectories)) { [IO.File]::SetAttributes($e,[IO.FileAttributes]::Normal) }; [IO.Directory]::Delete($d,$true) }` +- In PowerShell, use `;` for sequential command chaining; never use `&&` or `||` as control-flow operators. ## Post-change deployment - -After modifying code, check whether deployment steps beyond commit/push are needed before concluding. - +- After modifying code, check whether deployment steps beyond commit/push are needed before concluding. - If the repo is globally linked (`npm ls -g` shows `->` to local path), rebuild and verify the global binary is functional. - If the repo powers a running service, daemon, or scheduled task, rebuild, restart, and verify with deterministic evidence. - Do not claim completion until the running instance reflects the changes. - -Detection and verification procedures are in the `post-deploy` skill. +- Detection and verification procedures are in the `post-deploy` skill. Source: github:metyatech/agent-rules@HEAD/rules/global/implementation-and-coding-standards.md 
@@ -163,6 +166,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/planning-and-approval-gat - If state-changing work starts without required "yes", stop immediately, report the gate miss, and restart from the approval gate. - No bypass exceptions: "skip planning/just do it" means move quickly through the gate, not around it. - **Blanket approval**: broad directives (e.g., "fix everything") cover all in-scope follow-up; re-request only for out-of-scope expansion. +- For user-owned publishable packages, explicit requests such as "commit & push" or "complete this fix" include approval for the release/publish chain when release is the normal completion path, unless the user explicitly limits scope. Reviewer proxy approval procedures are in the `autonomous-orchestrator` skill. @@ -204,6 +208,7 @@ Source: github:metyatech/agent-rules@HEAD/rules/global/release-and-publication.m - Verify published packages resolve and run correctly before reporting done. - For public repos, set GitHub Description, Topics, and Homepage. Assign topics from the standard set defined in the `release-publish` skill. - Before reporting a publishable-package change as complete, verify the full delivery chain (commit → push → version bump → release → publish → install verify). Procedures in the `release-publish` skill. +- For user-owned publishable packages, when the user asks to commit/push or finalize a fix, treat release/publish as in-scope follow-up by default and execute the full delivery chain unless the user explicitly opts out. Source: github:metyatech/agent-rules@HEAD/rules/global/skill-authoring.md diff --git a/README.md b/README.md index 3a02d07..bbbf2d4 100644 --- a/README.md +++ b/README.md 
@@ -24,6 +24,15 @@ Returns APPROVE or FLAG with specific concerns. npx skills add metyatech/skill-user-proxy --yes --global ``` +## Testing and Examples + +See the [tests/](tests/) directory for examples of: + +- **Good plans**: That meet all criteria and are APPROVED. +- **Bad plans**: That fail criteria (missing verification, known error patterns) and are FLAGed. + +Use these examples to verify your reviews and maintain high standards. + ## License MIT diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..25c9a25 --- /dev/null +++ b/tests/README.md @@ -0,0 +1,16 @@ +# Skill tests and examples + +This directory contains examples of work plans and their review results using `skill-user-proxy`. + +## Structure + +- `examples/good-plan.md`: A plan that meets all criteria and is APPROVED. +- `examples/bad-plan.md`: A plan that fails criteria (missing verification, known error patterns) and is FLAGed. + +## How to use + +When reviewing an agent's plan or work output, compare it against these examples to ensure consistent and high-quality reviews. + +- **Completeness**: Ensure all aspects are addressed. +- **Thoroughness**: Ensure claims are evidence-backed and AC is binary/testable. +- **Known error patterns**: Check for common mistakes (shallow analysis, missing post-deployment, etc.). diff --git a/tests/examples/bad-plan.md b/tests/examples/bad-plan.md new file mode 100644 index 0000000..e52b7e7 --- /dev/null +++ b/tests/examples/bad-plan.md 
@@ -0,0 +1,24 @@ +# Example bad plan + +## Objective + +Fix a bug in `index.js`. + +## Plan + +1. Read `index.js`. +2. Edit `index.js` to fix the bug. +3. Report completion. + +## Review Results (skill-user-proxy) + +- **Completeness**: No. Missing verification steps (tests/manual check). +- **Thoroughness**: Surface-level plan. +- **Known error patterns**: + - **Shallow analysis**: Declaring work "complete" without evidence. + - **Missing post-deployment**: If `index.js` is part of a globally linked package, it needs a rebuild/restart check. + +**Decision**: FLAG + +- **Concern**: The plan lacks any verification steps (e.g., running tests or manual verification) to ensure the bug is actually fixed. +- **Concern**: No mention of post-deployment steps if this is a globally linked tool. diff --git a/tests/examples/good-plan.md b/tests/examples/good-plan.md new file mode 100644 index 0000000..06727dc --- /dev/null +++ b/tests/examples/good-plan.md @@ -0,0 +1,23 @@ +# Example good plan + +## Objective + +Update the README with installation instructions. + +## Plan + +1. Read `README.md`. +2. Update `README.md` with `npx skills add metyatech/skill-user-proxy` command. +3. Verify the content of `README.md`. + +## Acceptance Criteria + +- README.md has the installation section. (PASS) + +## Review Results (skill-user-proxy) + +- **Completeness**: Yes. Covers reading, updating, and verifying. +- **Thoroughness**: Yes. AC is binary and testable. +- **Known error patterns**: None. + +**Decision**: APPROVE
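Review bot: in `.github/workflows/codeql-analysis.yml`, every `uses:` step references a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`), so the code that runs in a job holding `security-events: write` can change without any diff in this repository. Pin each action to a full commit SHA and keep the tag as a trailing comment; the `github-actions` entry added in `.github/dependabot.yml` will then propose the SHA bumps. The `Autobuild` step can also be dropped, because the matrix contains only `javascript`, which has no build step.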
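Review bot: `.tasks.jsonl` is committed with a single record whose `stage` is `in-progress`, which looks like local task-tracker state for this very change rather than project content. Either leave it out of the commit and add it to `.gitignore`, or document why task state is versioned here; as committed, the repository records the compliance task as unfinished until some later commit rewrites the line.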
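Review bot: in the AGENTS.md hunk at `@@ -38,7 +38,7 @@`, the heading `# Autonomous operations` is removed and re-added with no visible difference, so the change is whitespace or encoding only. Every section of this file carries a `Source: github:metyatech/agent-rules@HEAD/...` line, so confirm the change comes from regenerating the file and not from an editor normalising the line, and drop it from the patch otherwise.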
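Review bot: the new `## Autonomous task resolution` section in AGENTS.md (hunk `@@ -48,21 +48,24 @@`) lets an agent run `npm audit fix` and then "commit and push the changes to the PR branch" without bounding what the fix may change. State explicitly that `npm audit fix --force` is excluded, since it can install semver-major updates, and require the resulting lockfile diff to be reported in the PR so that a dependency change made by the agent is reviewed like any other. The section is also inserted above the `Source: ...command-execution.md` line, inside the block sourced from `autonomous-operations.md`; if it does not exist upstream in `agent-rules`, the next regeneration of AGENTS.md will remove it.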
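Review bot: the `Remove-Item -Recurse` replacement under `## Codex-only PowerShell safety` (hunk `@@ -72,16 +75,16 @@`) resets attributes on every entry below `$d` and then calls `[IO.Directory]::Delete($d,$true)`, guarded only by an existence check. Add a requirement that `$d` is non-empty, resolved to a full path and confirmed to lie inside the working tree before the loop runs, and give one sentence on why `Remove-Item` is disallowed so the rule can be re-evaluated later. The hunk also removes the blank lines around `## Post-change deployment`, so the heading now directly follows a list item and is directly followed by one.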
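Review bot: the bullet added in the planning-and-approval section (hunk `@@ -163,6 +166,7 @@`) turns "commit & push" into implied approval for release and publish, which is the least reversible step in the chain, while the same file requires agents to "Make scope/risk/cost/irreversibility decisions explicit". Keep the shortcut but require the plan to name the publish step and target version so the single approval visibly covers it, and define how an agent decides that a package is "user-owned" and that release is "the normal completion path".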
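Review bot: the bullet added in the release-and-publication section (hunk `@@ -204,6 +208,7 @@`) restates the rule added at `@@ -163,6 +166,7 @@` in different words ("include approval for the release/publish chain" versus "treat release/publish as in-scope follow-up by default"). Keep the rule in one section and reference it from the other; two phrasings of the same gate can drift apart, and the file itself asks for redundancy in rules to be fixed.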
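Review bot: in the README.md hunk, "FLAGed" should read "FLAGGED", or simply "receive FLAG" to match the decision names `APPROVE` and `FLAG` used earlier in the README. The two bullets are also sentence fragments that start with a capitalised "That"; "**Good plans**: meet all criteria and are approved" reads more cleanly.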
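Review bot: `tests/README.md` describes a directory named `tests/` that contains only two example documents and nothing executable, and the "How to use" section asks reviewers to compare by eye. Rename the directory to `examples/`, or state plainly that these are reference examples and not automated tests. "AC" in the Thoroughness bullet is never expanded, and "FLAGed" has the same spelling problem as in the top-level README.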
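Review bot: in `tests/examples/bad-plan.md`, the review result under **Thoroughness** says only "Surface-level plan" and never notes that the plan has no Acceptance Criteria section, although `tests/README.md` defines thoroughness as claims being evidence-backed and "AC is binary/testable". Name the missing acceptance criteria there and add it as a third **Concern**, so the example exercises every criterion it is meant to teach.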
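Review bot: in `tests/examples/good-plan.md`, the acceptance criterion is already marked "(PASS)" inside the plan, which mixes the plan with its outcome and shows exactly the evidence-free completion claim that the bad example is flagged for. Remove the "(PASS)" and make step 3 concrete, for example by stating what is checked in `README.md`. Step 2 also writes `npx skills add metyatech/skill-user-proxy` without the `--yes --global` flags that the README's install line uses.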