npx claudepluginhub rune-kit/rune --plugin @rune/analyticsThis skill uses the workspace's default tool permissions.
Catch environment mismatches before they waste debugging time. Validates that the developer's machine has the right runtime versions, tools, ports, and configuration to run the project. Prevents the entire class of "works on my machine" failures that masquerade as code bugs.
Guides setup of dev environments: identifies tools like Node/Python/Go/Docker/Git, provides platform-specific installs for macOS/Linux/Windows, configures env vars/deps, verifies functionality.
Validates integrated build pipelines and running services using health checks and smoke tests. Use when verifying project builds and service health.
Validates .env files against code references, manifests, and examples for missing variables, type mismatches, insecure defaults, and unused entries before deployment.
Share bugs, ideas, or general feedback.
Catch environment mismatches before they waste debugging time. Validates that the developer's machine has the right runtime versions, tools, ports, and configuration to run the project. Prevents the entire class of "works on my machine" failures that masquerade as code bugs.
This is the environment counterpart to sentinel (which checks code security) and preflight (which checks code quality). sentinel-env checks the MACHINE, not the code.
cook Phase 0.5 — before planning, after resume check (first run in a new project only)scaffold — after project bootstrap, verify environment matches generated configonboard — during project onboarding, verify developer can run the project/rune env-check — manual environment validationnpm install, pip install, or similar fails during cookNone — sentinel-env is a pure read-only utility. It checks and reports, never modifies.
cook (L1): Phase 0.5 — first run detection (no .rune/ directory exists)scaffold (L1): post-bootstrap environment validationonboard (L2): developer onboarding verification/rune env-check direct invocationRead project configuration files to determine what environment is needed:
Use Glob to check for project config files:
package.json → Node.js projectpyproject.toml / setup.py / requirements.txt → Python projectCargo.toml → Rust projectgo.mod → Go projectGemfile → Ruby projectdocker-compose.yml / Dockerfile → Docker project.nvmrc / .node-version → specific Node version required.python-version → specific Python version requiredRead each detected config file to extract version constraints:
package.json → engines.node, engines.npm, dependency versionspyproject.toml → requires-python, dependency versionsCargo.toml → rust-versiongo.mod → go directive versionBuild an environment requirements checklist from the detected configs.
For each detected runtime, verify the installed version matches constraints:
# Node.js
node --version # Compare against package.json engines.node or .nvmrc
npm --version # Compare against package.json engines.npm
# or pnpm/yarn/bun depending on lockfile present
# Python
python --version # Compare against pyproject.toml requires-python
pip --version
# Rust
rustc --version # Compare against Cargo.toml rust-version
cargo --version
# Go
go version # Compare against go.mod go directive
# Docker
docker --version
docker compose version
Version comparison logic:
>=18.0.0 and installed is 20.11.1 → PASS>=18.0.0 and installed is 16.20.2 → BLOCK (wrong major version)Detect and verify tools the project depends on:
Package manager: Check which lockfile exists and verify the matching tool is installed
package-lock.json → npmpnpm-lock.yaml → pnpmyarn.lock → yarnbun.lockb → bunpoetry.lock → poetryuv.lock → uvGit: git --version — required for all projects
Docker: Check only if Dockerfile or docker-compose.yml exists
Database tools: Check if prisma, drizzle, alembic, django migrations exist → verify DB client installed
Build tools: Check for turbo.json (turborepo), nx.json (Nx), Makefile, etc.
Hard dependencies — tools the project WRAPS (not just uses as dev dependency): Scan for evidence that the project wraps an external tool:
Grep for shutil.which(, which , command -v → project looks up an executable at runtimeGrep for subprocess.run(, child_process.exec(, Deno.Command( → project invokes external CLIRead README/docs for "requires X installed" or "depends on X"For each detected hard dependency, apply the 9-tier binary detection below — checking only which/where is insufficient and produces the largest category of "works on my machine" false-negatives (user has binary installed but PATH is stale, or installed via a package manager that didn't register it, or installed as a desktop app with a bundled binary).
9-Tier Binary Detection (stop at first hit):
| Tier | Source | Catches |
|---|---|---|
| 1 | Explicit --<tool>-bin <path> flag | CI, automation, manual override |
| 2 | Skill-specific env var <SKILL>_<TOOL>_BIN | Per-project pinning |
| 3 | Tool-family env var <TOOL>_APP_BIN | Ecosystem conventions |
| 4 | Generic tool env var <TOOL>_BIN | Legacy overrides |
| 5 | Platform desktop-app bundle (macOS .app/Contents/Resources, Windows %LOCALAPPDATA%\Programs, Linux /opt) | Desktop app users (~40% of population) |
| 6 | PATH lookup (which/where.exe) | Standard shell users |
| 7 | Package manager global bin (npm config get prefix, pnpm, pipx --list, cargo install --root) | npm-global on Windows (PATH oversight) |
| 8 | Platform common directories (~/.local/bin, ~/.npm-global/bin, Homebrew, %APPDATA%\npm, %LOCALAPPDATA%\Microsoft\WindowsApps, %ProgramFiles%\nodejs) | Manual installers |
| 9 | Platform release archive names (e.g., codex-x86_64-unknown-linux-musl, <tool>-aarch64-apple-darwin) | Release-tarball downloaders |
Verdict:
[ENV-XXX] Required tool '<tool>' not found (9-tier lookup exhausted)
→ Debian/Ubuntu: sudo apt install <tool>
→ macOS: brew install <tool> (or desktop app: <URL>)
→ Windows: winget install <tool> (or choco install <tool>)
→ Any platform: npm install -g <package> (if Node tool)
→ Manual: <download URL>
→ Pin explicitly: export <TOOL>_BIN=/path/to/binary
subprocess.run() silently failsscripts/codex_imagen_bridge.mjs in @rune-pro/media ports this patternDetect which ports the project needs and check if they're available:
Parse port information from:
package.json scripts (look for --port, -p, PORT= patterns).env / .env.example (look for PORT=, DATABASE_URL with port)docker-compose.yml (ports section)Check each port:
# Cross-platform port check
# Windows: netstat -ano | findstr :PORT
# Unix: lsof -i :PORT or ss -tlnp | grep :PORT
If port is in use → WARN with the process name using it
Compare required env vars against actual configuration:
.env.example or .env.template if it exists.env if it exists (DO NOT log values — only check key presence).env.example:
.env → PASS.env → WARN (with the key name, never the expected value).env committed to git (check .gitignore) → BLOCK (security risk)your-api-key-here, changeme, xxx) → WARNQuick system health check:
Disk space: Check available space on the project drive
Platform-specific checks:
git config core.longpaths for node_modules)node-gyp in dependencies)fs.inotify.max_user_watches)Produce a structured environment report:
Verdict logic:
For each finding, include a specific remediation command the developer can copy-paste.
## Environment Check: [project name]
- **Project type**: [Node.js / Python / Rust / Go / Multi]
- **Checks run**: [count]
- **Verdict**: READY | READY WITH WARNINGS | BLOCKED
### BLOCKED
- [ENV-001] Node.js 16.20.2 installed but >=18.0.0 required
→ Fix: `nvm install 18 && nvm use 18`
### WARNINGS
- [ENV-002] Port 3000 in use by process "node" (PID 12345)
→ Fix: `kill 12345` or change PORT in .env
- [ENV-003] Missing env var: DATABASE_URL (required by .env.example)
→ Fix: Copy from .env.example and fill in your database connection string
### PASSED
- [ENV-004] pnpm 9.1.0 ✓ (matches pnpm-lock.yaml)
- [ENV-005] Git 2.44.0 ✓
- [ENV-006] Docker 25.0.3 ✓
- [ENV-007] Disk space: 42 GB available ✓
| Failure Mode | Severity | Mitigation |
|---|---|---|
| False BLOCK on version — semver parsing error | HIGH | Use simple major.minor comparison, not full semver regex |
| Slowness on Windows — netstat/port checks are slower | MEDIUM | Timeout port checks at 3s, skip if slow |
| .env file contains secrets — accidentally logged | CRITICAL | NEVER read .env values, only check key existence via grep for key names |
| Platform detection wrong — WSL vs native Windows | MEDIUM | Check for WSL explicitly (uname -r contains "microsoft") |
| Over-checking — flagging optional tools as required | MEDIUM | Only check tools evidenced by config files, not speculative |
| Missing hard dependency — project wraps external CLI but tool not checked | HIGH | Step 3.6: scan for shutil.which, subprocess.run, child_process.exec → verify tool exists on PATH |
| Hard dep found but wrong version — tool exists but API changed | MEDIUM | Log version for manual review. Version compatibility is project-specific — don't guess |
~500-1000 tokens input, ~500-1000 tokens output. Haiku model — this is fast, cheap, read-only scanning. Runs once per new project (or on manual invoke). Sub-10-second execution target.