تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

codacy-audit

Name: Codacy Audit
Author: netdata

// Codacy Cloud workflow for this repository -- run Codacy's analyzers locally before `git push` (mirrors what Codacy CI runs), and fetch/cluster Codacy issues for any PR via the v3 API. Use when the user mentions Codacy, "codacy analysis", `codacy-analysis-cli`, "codacy issues on PR", "fix codacy CI", "codacy markdownlint findings", or any Codacy gate failing on a netdata-org PR. Ships scripts analyze-local.sh (docker/binary runner for codacy-analysis-cli) and pr-issues.sh (paginated v3 issue fetch + group-by tool/pattern/severity/file). Token-safe -- CODACY_TOKEN never reaches assistant-visible stdout. Read-only by design in the current SOW; write actions (mark FP, mark fixed) are deferred.

تشغيل في Manus

$ git log --oneline --stat

stars:٧٨٬٩٢٢

forks:٦٬٤٣٩

updated:٢٣ مايو ٢٠٢٦ في ٠٩:٤٧

مستكشف الملفات

9 ملفات

SKILL.md

readonly

name

codacy-audit

description

Codacy Cloud workflow for this repository -- run Codacy's analyzers locally before `git push` (mirrors what Codacy CI runs), and fetch/cluster Codacy issues for any PR via the v3 API. Use when the user mentions Codacy, "codacy analysis", `codacy-analysis-cli`, "codacy issues on PR", "fix codacy CI", "codacy markdownlint findings", or any Codacy gate failing on a netdata-org PR. Ships scripts analyze-local.sh (docker/binary runner for codacy-analysis-cli) and pr-issues.sh (paginated v3 issue fetch + group-by tool/pattern/severity/file). Token-safe -- CODACY_TOKEN never reaches assistant-visible stdout. Read-only by design in the current SOW; write actions (mark FP, mark fixed) are deferred.

Codacy audit skill

Drives Codacy Cloud for netdata/netdata:

Pre-push prevention -- run the same analyzers Codacy CI runs, locally, before git push. Collapses the "push -> wait minutes -> see findings -> fix -> push again" loop into one push.
Read-only PR triage -- list Codacy issues for any PR, cluster by tool / pattern / severity / file, drop the JSON dump under <repo>/.local/audits/codacy/.

This skill is the fourth in the static-analysis triage family in this repo: coverity-audit/, sonarqube-audit/, graphql-audit/, codacy-audit/. Same shape, same conventions, same artifact directory.

MANDATORY -- keep this skill alive

If you (the assistant) discover a new pattern, gotcha, working flow, correction, or any operational knowledge while running this skill -- update this SKILL.md AND commit it BEFORE proceeding. Knowledge that isn't committed is lost.

Examples worth capturing:

New v3 API endpoint or response-shape detail learned the hard way
Codacy-side rate-limit signals
A pattern Codacy mismodels for this codebase (so the next assistant can add a path exclusion or mark it FP)
A new tool the local CLI gained / lost
Auth-failure surface (e.g. token type mismatch, expired token signs)

MANDATORY -- live how-tos catalog

Each concrete question that requires non-trivial analysis (multiple wrapper calls, jq pipelines, cross-referencing other skills) MUST become a how-to under how-tos/<slug>.md AND get an entry in how-tos/INDEX.md BEFORE the task is reported complete. Skipping this means the next assistant repeats the analysis from scratch.

Scope (current SOW)

In scope:

Local pre-push analysis via codacy-analysis-cli (auto-detects local binary, falls back to docker).
Read-only PR-issue queries against the v3 API.
Token-safe wrappers (sentinel-driven no-leak self-test).

Out of scope (deferred to a future SOW):

Write actions (mark issue as false-positive, mark as fixed, modify ignore-patterns).
Master-backlog triage on the 31,425+ open issues.
Cross-repo aggregation across the netdata org.

Required env keys

Key	Required for
`CODACY_TOKEN`	Account API token, header `api-token: <value>`. Required by `pr-issues.sh` and any wrapper that calls `_codacyaudit_run`. NOT required by `analyze-local.sh` (the CLI runs anonymously).
`CODACY_HOST`	Defaults to `https://api.codacy.com`. Override only if Codacy moves the API host.
`CODACY_PROVIDER`	Defaults to `gh` (GitHub).
`CODACY_ORG`	Defaults to `netdata`.
`CODACY_REPO`	Defaults to `netdata`.

All values live in <repo>/.env (gitignored). See <repo>/.agents/ENV.md for setup (where each value comes from, sample formats, common mistakes).

Scripts (in scripts/)

Script	Purpose
`_lib.sh`	Helpers (`codacyaudit_*` prefix). Token-safe; ships `codacyaudit_selftest_no_token_leak`.
`analyze-local.sh`	Run `codacy-analysis-cli` locally; auto-pick local-binary or docker; write JSON dump under `.local/audits/codacy/`.
`pr-issues.sh`	Fetch all Codacy issues for a PR via the v3 API; cluster summary on stdout; full JSON dump on disk.

Workflow -- pre-push prevention

$ .agents/skills/codacy-audit/scripts/analyze-local.sh
[analyze-local] runner=docker format=json dir=<repo>
[analyze-local] wrote 0 finding(s) to <repo>/.local/audits/codacy/local-<ts>.json

Run this before git push. If it returns 0 findings, the Codacy gate on the PR will be green (modulo Codacy server-side patterns the local CLI doesn't bundle). If it returns findings, fix them locally first.

Operational gotcha: when the Dockerized Codacy CLI fails before a tool can emit results, the output file may have a .json suffix but contain tool-runner logs instead of JSON. Always verify with jq empty <dump> before treating a local dump as finding evidence. If GitHub check-run annotations are empty too, use pr-issues.sh with CODACY_TOKEN; without that token, record the evidence gap and re-check after the next push.

Operational gotcha: the public Codacy v3 analysis endpoint can expose PR issue details even when GitHub check-run annotations are empty and no CODACY_TOKEN is available:

curl -fsS \
  "https://api.codacy.com/api/v3/analysis/organizations/gh/netdata/repositories/netdata/pull-requests/<PR>/issues?limit=100"

Filter for .data[] | select(.deltaType == "Added") to identify the issues that still block the PR. Treat commitInfo fields as sensitive operational metadata; do not copy names or email addresses into committed artifacts.

To restrict to a single tool (matches what Codacy reported on a CI run):

$ .agents/skills/codacy-audit/scripts/analyze-local.sh --tool markdownlint

Workflow -- PR triage

$ .agents/skills/codacy-audit/scripts/pr-issues.sh 22423
[pr-issues] fetching issues for PR #22423 ...
[pr-issues] wrote 0 issue(s) to <repo>/.local/audits/codacy/pr-22423-<ts>.json

No issues on PR #22423.

For a PR with findings, the script emits a clustered TSV summary. Default grouping is --by pattern; switch to --by tool, --by severity, --by file, or --by category for other angles. The JSON dump under .local/audits/codacy/ carries the full issue payload for follow-up jq queries.

Operational note: large Codacy PR issue arrays must be passed to jq via a temporary file and --slurpfile, not --argjson, because shell argument-size limits can fail before jq starts.

Path discipline

This skill follows <repo>/.agents/sow/specs/sensitive-data-discipline.md:

Repo files: repo-relative (<repo>/src/...).
Codacy account / org / repo identifiers: env-keyed.
CODACY_TOKEN: NEVER literal in any committed file; ALWAYS via ${CODACY_TOKEN} and the _lib.sh wrappers.
Audit dumps: gitignored under <repo>/.local/audits/codacy/.

Related skills

.agents/skills/coverity-audit/ -- Coverity Scan (same triage shape).
.agents/skills/sonarqube-audit/ -- SonarCloud (same triage shape).
.agents/skills/graphql-audit/ -- GitHub Code Scanning / CodeQL (same triage shape).

Token-safe self-test

Before trusting wrappers in a long-running session, run the self-test:

$ source .agents/skills/codacy-audit/scripts/_lib.sh
$ codacyaudit_load_env
$ codacyaudit_selftest_no_token_leak
PASS: codacyaudit_selftest_no_token_leak

The self-test sets CODACY_TOKEN to a sentinel UUID, drives every public wrapper, captures stdout, and asserts the sentinel never appears. Run after editing _lib.sh or any wrapper.

related-skills.json

نفس المستودع

integrations-lifecycle.md

from "netdata/netdata"

Authoritative reference for Netdata's integrations pipeline -- how `metadata.yaml` drives per-integration pages, collector `taxonomy.yaml` drives dashboard TOC placement, the `COLLECTORS.md`/`SECRETS.md`/`SERVICE-DISCOVERY.md` umbrellas, the `integrations.js` and `integrations/taxonomy.json` artifacts consumed by downstream systems, and per-integration `.md` files committed to the repo. Use when adding/modifying any integration (collector, exporter, agent or cloud notification, authentication, secretstore, service-discovery, log type, deploy method); editing `metadata.yaml` or `taxonomy.yaml`; checking whether `integrations/*.md` should be hand-edited; reading generator scripts under `integrations/`, schemas under `integrations/schemas/`, taxonomy registries under `integrations/taxonomy/`, templates under `integrations/templates/`, the workflows `generate-integrations.yml` or `check-markdown.yml`; ibm.d modules where `metadata.yaml` is generated from `contexts.yaml`; the collector-consistency rule (metadata.y

2026-05-2378.9k

project-writing-go-modules-framework-v2.md

from "netdata/netdata"

Use when creating or migrating a Go go.d collector to framework V2, touching CollectorV2, metrix.CollectorStore, ChartTemplateYAML/charts.yaml, charttpl/chartengine, V2 host scopes/vnodes, or V2 collector tests. Focuses on concise maintainer-preferred V2 collector patterns.

2026-05-2378.9k

mirror-netdata-repos.md

from "netdata/netdata"

Maintains a local mirror of Netdata-org source repositories at `${NETDATA_REPOS_DIR}` so AI assistants and developers can do cross-repo grep / code review locally without GitHub API round-trips and rate limits. Ships a vendored sync script (`scripts/sync-netdata-repos.sh`) that updates ~150 repos in two phases (resync existing on default branch, discover and clone new). Safety -- skips repos that have staged or modified changes; otherwise switches to the default branch and recursively updates submodules. Reset-to-default is intentional -- it prevents stale-feature-branch "black hole" repos that confuse cross-repo reasoning. Supports `--repo NAME` (repeatable) to scope to specific repos. Independent from any other repo mirrors this workstation may have. Use when the local mirror is out of date, before a cross-repo grep / review session, when adding a new netdata-org repo (auto-discovered), when an assistant needs cross-repo cognition without `gh` API turnaround.

2026-05-2278.9k

project-create-topology.md

from "netdata/netdata"

Developer workflow for creating or updating Netdata topology producers and topology Function payloads using the production netdata.topology.v1 schema. Use when adding or migrating topology:network-connections, topology:streaming, topology:snmp, vSphere topology, correlation rules, graph presentation, drilldowns, direction semantics, telemetry overlays, or Cloud topology aggregation fixtures.

2026-05-2278.9k

project-writing-collectors.md

from "netdata/netdata"

Best practices and orientation for AI assistants authoring or modifying Netdata data-collection plugins or modules in any language. Read before adding a new collector, modifying an existing one, working on logs, topology, NetFlow/sFlow/IPFIX, OTEL ingestion, SNMP profiles, statsd, Prometheus scraping, or interactive Functions. Covers the mental model, framework-agnostic best practices, dashboard-shaping mechanisms (NIDL, SNMP profiles, statsd synthetic_charts, OTEL mappings, Prometheus exposition), production quality criteria, the plugin landscape, per-data-type patterns (metrics, logs, snapshots, topology, enrichment), per-domain common practices, and a pre-PR self-check.

2026-05-2278.9k

query-netdata-agents.md

from "netdata/netdata"

Query Netdata Agents (parents and children) directly via their HTTP API on port 19999. Includes a bearer-token helper that mints, caches, and transparently refreshes a per-agent bearer from a long-lived Netdata Cloud token, and auto-detects bearer-protected agents. Use when the user asks how to call an agent's REST API or Function directly, query an agent's logs/metrics/alerts directly, mint a bearer token from a cloud token, or work around bearer protection.

2026-05-2278.9k

package.json

"author": "netdata"

"repository": "netdata/netdata"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو ضمان جودة البرمجيات والمختبرونمهن الحاسوب والرياضيات15-1253L4

name

codacy-audit

description

Codacy audit skill

Drives Codacy Cloud for netdata/netdata:

Pre-push prevention -- run the same analyzers Codacy CI runs, locally, before git push. Collapses the "push -> wait minutes -> see findings -> fix -> push again" loop into one push.
Read-only PR triage -- list Codacy issues for any PR, cluster by tool / pattern / severity / file, drop the JSON dump under <repo>/.local/audits/codacy/.

MANDATORY -- keep this skill alive

Examples worth capturing:

New v3 API endpoint or response-shape detail learned the hard way
Codacy-side rate-limit signals
A pattern Codacy mismodels for this codebase (so the next assistant can add a path exclusion or mark it FP)
A new tool the local CLI gained / lost
Auth-failure surface (e.g. token type mismatch, expired token signs)

MANDATORY -- live how-tos catalog

Scope (current SOW)

In scope:

Local pre-push analysis via codacy-analysis-cli (auto-detects local binary, falls back to docker).
Read-only PR-issue queries against the v3 API.
Token-safe wrappers (sentinel-driven no-leak self-test).

Out of scope (deferred to a future SOW):

Write actions (mark issue as false-positive, mark as fixed, modify ignore-patterns).
Master-backlog triage on the 31,425+ open issues.
Cross-repo aggregation across the netdata org.

Required env keys

Key	Required for
`CODACY_TOKEN`	Account API token, header `api-token: <value>`. Required by `pr-issues.sh` and any wrapper that calls `_codacyaudit_run`. NOT required by `analyze-local.sh` (the CLI runs anonymously).
`CODACY_HOST`	Defaults to `https://api.codacy.com`. Override only if Codacy moves the API host.
`CODACY_PROVIDER`	Defaults to `gh` (GitHub).
`CODACY_ORG`	Defaults to `netdata`.
`CODACY_REPO`	Defaults to `netdata`.

All values live in <repo>/.env (gitignored). See <repo>/.agents/ENV.md for setup (where each value comes from, sample formats, common mistakes).

Scripts (in scripts/)

Script	Purpose
`_lib.sh`	Helpers (`codacyaudit_*` prefix). Token-safe; ships `codacyaudit_selftest_no_token_leak`.
`analyze-local.sh`	Run `codacy-analysis-cli` locally; auto-pick local-binary or docker; write JSON dump under `.local/audits/codacy/`.
`pr-issues.sh`	Fetch all Codacy issues for a PR via the v3 API; cluster summary on stdout; full JSON dump on disk.

Workflow -- pre-push prevention

$ .agents/skills/codacy-audit/scripts/analyze-local.sh
[analyze-local] runner=docker format=json dir=<repo>
[analyze-local] wrote 0 finding(s) to <repo>/.local/audits/codacy/local-<ts>.json

Operational gotcha: the public Codacy v3 analysis endpoint can expose PR issue details even when GitHub check-run annotations are empty and no CODACY_TOKEN is available:

curl -fsS \
  "https://api.codacy.com/api/v3/analysis/organizations/gh/netdata/repositories/netdata/pull-requests/<PR>/issues?limit=100"

To restrict to a single tool (matches what Codacy reported on a CI run):

$ .agents/skills/codacy-audit/scripts/analyze-local.sh --tool markdownlint

Workflow -- PR triage

$ .agents/skills/codacy-audit/scripts/pr-issues.sh 22423
[pr-issues] fetching issues for PR #22423 ...
[pr-issues] wrote 0 issue(s) to <repo>/.local/audits/codacy/pr-22423-<ts>.json

No issues on PR #22423.

Operational note: large Codacy PR issue arrays must be passed to jq via a temporary file and --slurpfile, not --argjson, because shell argument-size limits can fail before jq starts.

Path discipline

This skill follows <repo>/.agents/sow/specs/sensitive-data-discipline.md:

Repo files: repo-relative (<repo>/src/...).
Codacy account / org / repo identifiers: env-keyed.
CODACY_TOKEN: NEVER literal in any committed file; ALWAYS via ${CODACY_TOKEN} and the _lib.sh wrappers.
Audit dumps: gitignored under <repo>/.local/audits/codacy/.

Related skills

.agents/skills/coverity-audit/ -- Coverity Scan (same triage shape).
.agents/skills/sonarqube-audit/ -- SonarCloud (same triage shape).
.agents/skills/graphql-audit/ -- GitHub Code Scanning / CodeQL (same triage shape).

Token-safe self-test

Before trusting wrappers in a long-running session, run the self-test:

$ source .agents/skills/codacy-audit/scripts/_lib.sh
$ codacyaudit_load_env
$ codacyaudit_selftest_no_token_leak
PASS: codacyaudit_selftest_no_token_leak

The self-test sets CODACY_TOKEN to a sentinel UUID, drives every public wrapper, captures stdout, and asserts the sentinel never appears. Run after editing _lib.sh or any wrapper.

codacy-audit

Codacy audit skill

MANDATORY -- keep this skill alive

MANDATORY -- live how-tos catalog

Scope (current SOW)

Required env keys

Scripts (in scripts/)

Workflow -- pre-push prevention

Workflow -- PR triage

Path discipline

Related skills

Token-safe self-test

المزيد من هذا المستودع

المزيد من هذا المستودع

Codacy audit skill

MANDATORY -- keep this skill alive

MANDATORY -- live how-tos catalog

Scope (current SOW)

Required env keys

Scripts (in scripts/)

Workflow -- pre-push prevention

Workflow -- PR triage

Path discipline

Related skills

Token-safe self-test