Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From project-toolkit
Determines provenance (UPSTREAM, LOCAL, VENDOR, UNKNOWN) of validators, linters, and tool configs by analyzing file headers, package manifests, directories like node_modules/.venv, and docs. Use before modifications.
npx claudepluginhub rjmurillo/ai-agents --plugin project-toolkitHow this skill is triggered — by the user, by Claude, or both
Slash command
/project-toolkit:analysis-provenanceclaude-sonnet-4-6The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Identify code ownership before modifying validators, linters, or tool configurations.
Identifies provenance (UPSTREAM, LOCAL, VENDOR, UNKNOWN) of validators, linters, and tool configs by analyzing file headers, docs, package manifests, and directories. Use before modifications to avoid changing upstream tools.
Aligns local configs to upstream validators like ESLint, markdownlint, PSScriptAnalyzer for unexpected failures, avoiding tool modifications or forks.
Automates format-lint-resolve pipelines for code editing tasks. Discovers linters from pyproject.toml/.pre-commit-config.yaml/package.json, fixes ruff/mypy/bandit issues, ensures quality before completion.
Share bugs, ideas, or general feedback.
Identify code ownership before modifying validators, linters, or tool configurations.
check provenance before modifyingis this file upstream or localwho owns this validatorcheck code ownershipanalyze provenance# Check provenance of a single file
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target .config/markdownlint.json
# Check provenance of a directory
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target .config/
# JSON output for automation
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target PSScriptAnalyzerSettings.psd1 --format json
| Category | Meaning | Action |
|---|---|---|
| UPSTREAM | External dependency (npm, pip, NuGet) | Configure, do not modify |
| LOCAL | Project-owned code | Modify as needed |
| VENDOR | Copied/vendored upstream code | Avoid modification, track upstream |
| UNKNOWN | Cannot determine | Investigate before modifying |
Use this skill before:
graph TD
A[Target file or directory] --> B["1. Target Resolution<br/>Resolve paths, check exists"]
B --> C["2. Directory Analysis<br/>node_modules, .venv, vendor,<br/>.gitmodules"]
C --> D["3. Package Manifest Analysis<br/>package.json, requirements,<br/>lockfiles"]
D --> E["4. File Header Analysis<br/>First 20 lines: generated<br/>markers, copyright notices"]
E --> F["5. Provenance Determination<br/>Weight signals, return<br/>category + evidence"]
F --> G["Decision:<br/>UPSTREAM - configure only<br/>LOCAL - safe to modify<br/>VENDOR - track upstream<br/>UNKNOWN - investigate first"]
Need to modify a validator/linter?
│
├─ Run: python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target <file>
│
├─ Result: UPSTREAM
│ ├─ Do NOT modify the tool/file directly
│ ├─ Adjust local configuration instead
│ ├─ Check for configuration override options
│ └─ If no override exists, document why the rule is suppressed
│
└─ Result: LOCAL
├─ Safe to modify as needed
├─ Follow project coding standards
└─ Test changes before committing
From the repository root, run:
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target <path> [options]
| Parameter | Required | Default | Description |
|---|---|---|---|
--target | Yes | - | File or directory to analyze |
--format | No | text | Output format: text, json |
--verbose | No | false | Include all evidence details |
| Exit Code | Meaning |
|---|---|
| 0 | Provenance determined successfully |
| 1 | Script error (file not found, invalid arguments) |
| Avoid | Why | Instead |
|---|---|---|
| Modifying files in node_modules | Changes lost on npm install | Configure via local config files |
| Editing vendored code | Breaks upstream tracking | Document suppression, fork if needed |
| Skipping provenance check | Accidental upstream modification | Always check before modifying |
| Assuming config is local | May be generated or vendored | Verify with this skill |
After running provenance check:
| Skill | Relationship |
|---|---|
| style-enforcement | Configure vs modify validators |
| programming-advisor | Evaluate external solutions |
| analyze | Broad codebase investigation |
| Signal | Location | Example |
|---|---|---|
| Package manifest entry | package.json | "markdownlint-cli2": "^0.12.1" |
| Node modules path | node_modules/ | Any file under this directory |
| Python site-packages | .venv/, site-packages/ | Any file under these directories |
| NuGet cache | .nuget/, packages/ | Any file under these directories |
| File header comment | First 20 lines | "Generated by", "DO NOT EDIT", copyright notice |
| Git submodule | .gitmodules | Path matches submodule |
| Signal | Location | Example |
|---|---|---|
| Under project root | Outside dependency directories | src/, .config/, scripts/ |
| No external version | Not in lockfiles | Custom script |
| Project copyright | File header | Project-specific copyright |
| Git tracked | .git/ | In project git history |
| Signal | Location | Example |
|---|---|---|
vendor/ directory | Project root | vendor/third-party/ |
| Vendor comment | File header | "Vendored from " |
VENDORED.md reference | Same directory | Documents upstream source |
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target .markdownlint.json
Provenance Check: .markdownlint.json
====================================
Category: LOCAL
Confidence: HIGH
Evidence:
- File is under project root
- File is tracked in git
- No external package reference found
Recommendation: Safe to modify as needed.
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target node_modules/markdownlint-cli2/lib/main.js
Provenance Check: node_modules/markdownlint-cli2/lib/main.js
============================================================
Category: UPSTREAM
Confidence: HIGH
Evidence:
- Located in node_modules directory
- Package: markdownlint-cli2@0.12.1 (package.json)
- npm registry: https://registry.npmjs.org/
Recommendation: Do NOT modify. Configure via .markdownlint.json instead.
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py --target PSScriptAnalyzerSettings.psd1 --format json
{
"target": "PSScriptAnalyzerSettings.psd1",
"category": "LOCAL",
"confidence": "HIGH",
"evidence": [
{"signal": "project_root", "value": true},
{"signal": "git_tracked", "value": true},
{"signal": "external_package", "value": false}
],
"recommendation": "Safe to modify as needed."
}
| Tool | Config Files | Typical Provenance |
|---|---|---|
| markdownlint | .markdownlint.json, .markdownlint-cli2.jsonc | LOCAL |
| PSScriptAnalyzer | PSScriptAnalyzerSettings.psd1 | LOCAL |
| ESLint | .eslintrc.json, eslint.config.js | LOCAL |
| Prettier | .prettierrc, .prettierrc.json | LOCAL |
| StyleCop | .stylecop.json | LOCAL |
| EditorConfig | .editorconfig | LOCAL |
| Tool binaries | node_modules/, .venv/ | UPSTREAM |
# Check provenance FIRST
python3 .claude/skills/analysis-provenance/scripts/check_provenance.py \
--target <validator-file>
# If UPSTREAM: adjust config
# If LOCAL: modify file
# Prevent accidental upstream modifications
- id: provenance-check
name: Provenance Check
entry: python3 .claude/skills/analysis-provenance/scripts/check_provenance.py
args: [--target, node_modules, --exit-on-upstream]
language: python
Dependency management and provenance tracking are fundamental software engineering practices. The upstream vs local distinction applies regardless of package manager or language. Configuration over modification is a timeless pattern for external dependencies.