feat(agent-skills): add transitive link traversal to skill validator #56

Merged: jdutton merged 7 commits into main from feat/audit-link-traversal on Mar 4, 2026



@jdutton jdutton commented Mar 4, 2026

Summary

  • Adds transitive link traversal to vat audit for standalone skills (SKILL.md files not in a VAT project)
  • Follows all local file links from SKILL.md via BFS with cycle detection
  • Reports broken links (LINK_INTEGRITY_BROKEN error), boundary escapes (OUTSIDE_PROJECT_BOUNDARY warning), and unreferenced markdown files (SKILL_UNREFERENCED_FILE info with --warn-unreferenced-files)
  • Excludes CLAUDE.md, README.md, and other navigation files from unreferenced file detection

Test plan

  • 12 test cases covering: valid links, broken links, escaped links, unreferenced files (on/off), circular links, transitive links, navigation file exclusion, non-markdown assets, external URLs, anchor fragments
  • All 14 validation steps pass (lint, typecheck, unit/integration/system tests, duplication check)
  • Manual verification against real standalone skills (cpto-exec-kb, avonrisk-exec-kb)

🤖 Generated with Claude Code
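
Added example, not code from this PR or from VAT: a minimal in-memory model of the traversal the summary describes (BFS from SKILL.md, cycle detection, broken-link and boundary-escape reporting, optional unreferenced-file detection). The names `resolveLink`, `auditSkill`, `Issue` and `sampleSkill` are hypothetical, and the file map is constructed sample data; only the issue codes come from the PR.

```typescript
type Issue = { code: string; file: string; target: string };

// Resolve `link` against the directory of `from`, collapsing "." and "..".
// Returns null for absolute paths or paths that climb above the skill root.
function resolveLink(from: string, link: string): string | null {
  if (link.startsWith("/")) return null;
  const parts = from.split("/").slice(0, -1);
  for (const seg of link.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (parts.length === 0) return null; parts.pop(); }
    else parts.push(seg);
  }
  return parts.join("/");
}

function auditSkill(files: Map<string, string>, entry = "SKILL.md", warnUnreferenced = false): Issue[] {
  const issues: Issue[] = [];
  const visited = new Set<string>([entry]); // doubles as cycle detection
  const queue: string[] = [entry];
  while (queue.length > 0) {
    const file = queue.shift()!;
    for (const m of (files.get(file) ?? "").matchAll(/\[[^\]]*\]\(([^)\s]+)\)/g)) {
      const raw = m[1];
      // External URLs (any scheme) and same-file anchors are not local file links.
      if (/^[a-z][a-z0-9+.-]*:/i.test(raw) || raw.startsWith("#")) continue;
      const target = resolveLink(file, raw.split("#")[0]);
      if (target === null) issues.push({ code: "OUTSIDE_PROJECT_BOUNDARY", file, target: raw });
      else if (!files.has(target)) issues.push({ code: "LINK_INTEGRITY_BROKEN", file, target });
      else if (!visited.has(target)) {
        visited.add(target);
        if (target.endsWith(".md")) queue.push(target); // only markdown is traversed further
      }
    }
  }
  if (warnUnreferenced) {
    const navigation = new Set(["CLAUDE.md", "README.md"]); // excluded, as in the PR
    for (const f of files.keys()) {
      if (f.endsWith(".md") && !visited.has(f) && !navigation.has(f.split("/").pop()!))
        issues.push({ code: "SKILL_UNREFERENCED_FILE", file: f, target: "" });
    }
  }
  return issues;
}

// Constructed sample skill directory; keys are paths relative to the skill root.
const sampleSkill = new Map<string, string>([
  ["SKILL.md", "[a](docs/a.md) [site](https://example.com) [top](#intro) [img](assets/d.png)"],
  ["docs/a.md", "[b](b.md#setup) [back](../SKILL.md) [up](../../secrets.md)"],
  ["docs/b.md", "[gone](missing.md)"],
  ["docs/orphan.md", "never linked"],
  ["README.md", "navigation file"],
  ["assets/d.png", ""],
]);
```

The boundary check here is purely lexical. A validator that reads from disk also has to account for symlinks that point outside the skill directory.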

jdutton and others added 3 commits March 4, 2026 09:01
validateSkill() now performs BFS link graph traversal after frontmatter
validation, checking all local file links for existence and boundary
escapes. Linked markdown files are recursively traversed with cycle
detection. Supports unreferenced file detection via checkUnreferencedFiles
option. Navigation files (README.md, index.md, etc.) and CLAUDE.md are
excluded from unreferenced checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Instead of silently skipping files that exist but fail to parse,
emit a LINK_INTEGRITY_BROKEN warning so users know something went wrong.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

codecov bot commented Mar 4, 2026

Codecov Report

❌ Patch coverage is 92.50936% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.22%. Comparing base (0fb2446) to head (1f25f78).
⚠️ Report is 1 commits behind head on main.

Files with missing lines                                 Patch %   Lines
...ges/agent-skills/src/validators/skill-validator.ts    92.50%    20 Missing ⚠️
Additional details and impacted files

@@            Coverage Diff             @@
##             main      #56      +/-   ##
==========================================
+ Coverage   73.82%   74.22%   +0.40%     
==========================================
  Files         164      164              
  Lines       12049    12315     +266     
  Branches     2112     2173      +61     
==========================================
+ Hits         8895     9141     +246     
- Misses       3154     3174      +20     
Files with missing lines Coverage Δ
...ges/agent-skills/src/validators/skill-validator.ts 94.81% <92.50%> (-5.19%) ⬇️
jdutton and others added 4 commits March 4, 2026 10:01
Add system tests verifying:
- Dist skills audit scans multiple files without errors
- Transitive link following works end-to-end via CLI
- Broken links detected via CLI exit code
- Unreferenced files reported with --warn-unreferenced-files
- CLAUDE.md and README.md never flagged as unreferenced

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Skills are LLM-interpreted, so file references in code blocks and prose
are functionally valid even without formal markdown inline links.
Documents this pattern observed in official Claude Marketplace plugins
(superpowers) and recommends using inline links for auditability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Encourage AI assistants to run vat audit --user as best-effort QA
when changing audit, validation, or link traversal code. Not a hard
gate — agentic guidance to catch regressions in real-world usability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…positive unreferenced file warnings

Adds extractImplicitReferences() that scans BFS-visited files for non-markdown-link
references to companion files (backtick-quoted, bold, DOT graphviz, bare prose, @-prefix).
Files found via implicit reference now get SKILL_IMPLICIT_REFERENCE instead of
SKILL_UNREFERENCED_FILE, eliminating false positives for real-world skill conventions.

Reduces unreferenced file false positives from 18 to 9 when auditing installed plugins.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sonarqubecloud bot commented Mar 4, 2026

@jdutton jdutton merged commit 0e1de12 into main Mar 4, 2026
5 checks passed
@jdutton jdutton deleted the feat/audit-link-traversal branch March 4, 2026 18:11