
Provenance
Trace an agent artifact back to sessions, sources, and related files when lineage is unclear or stale.
Overview
Provenance is an agent skill most often used in Operate (also Build, Ship) that traces artifact lineage to sources and emits a lineage report.
Install
npx skills add https://github.com/boshu2/agentops --skill provenance
What is this skill?
- Executes /provenance against a named artifact and reads file content for metadata
- Surfaces source references, session IDs, dates, and related artifacts
- Aligns with supply-chain integrity, ADR, and hermetic-build practices in frontmatter
- Produces structured lineage output (result.json contract in skill metadata)
- Background-tier internal AgentOps skill with Read, Grep, Glob, Bash tooling
- Produces result.json per output_contract metadata
- Self-check suite validates SKILL.md frontmatter and lineage/orphan/stale coverage
Adoption & trust: 760 installs on skills.sh; 384 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
An agent-generated file landed in your repo and you cannot tell which session, source, or upstream artifact produced it.
Who is it for?
Builders running boshu2 AgentOps-style pipelines who need explainable outputs and orphan/stale detection on knowledge artifacts.
Skip if: Greenfield UI work, marketing copy, or teams without local agent artifacts to inspect—use a generic code-search workflow instead.
When should I use this skill?
Run /provenance <artifact> when you need to trace a knowledge artifact's lineage to sources, sessions, and related artifacts.
What do I get? / Deliverables
You receive a lineage report (stdout/result.json contract) mapping the artifact to references, sessions, dates, and related artifacts for remediation or ADR updates.
- Lineage report on stdout
- result.json lineage payload per skill contract
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Operate/monitoring is the canonical shelf because provenance answers “where did this output come from?” during production-like agent runs and audits, though it also supports Ship integrity checks. Monitoring fits lineage reports and orphan/stale detection rather than greenfield feature coding.
Where it fits
After a multi-skill run, trace which session produced a conflicting markdown spec in docs/.
Verify an internal result.json chains to approved sources before merging an agent PR.
Periodically scan for stale or orphan artifacts that no longer reference live upstream intel.
How it compares
AgentOps lineage skill for repo artifacts—not a cloud-wide SIEM or dependency SBOM scanner.
Common Questions / FAQ
Who is provenance for?
Solo builders and small teams operating Claude/Codex-style agent workflows who treat generated files as auditable build outputs.
When should I use provenance?
In Build when validating agent-tooling outputs; in Ship when reviewing security/supply-chain integrity; in Operate when monitoring stale or orphan artifacts after automated runs.
Is provenance safe to install?
It uses Read/Grep/Glob/Bash on your workspace—review the Security Audits panel on this Prism page and restrict Bash in untrusted environments.
SKILL.md
```bash
#!/usr/bin/env bash
# Self-check: validates SKILL.md frontmatter and lineage/orphan/stale coverage.
set -euo pipefail
SKILL_DIR="$(cd "$(dirname "$0")/.." && pwd)"
PASS=0; FAIL=0

# check <label> <shell test>: run the test and count the result.
check() { if bash -c "$2"; then echo "PASS: $1"; PASS=$((PASS + 1)); else echo "FAIL: $1"; FAIL=$((FAIL + 1)); fi; }

check "SKILL.md exists" "[ -f '$SKILL_DIR/SKILL.md' ]"
check "SKILL.md has YAML frontmatter" "head -1 '$SKILL_DIR/SKILL.md' | grep -q '^---$'"
check "name is provenance" "grep -q '^name: provenance' '$SKILL_DIR/SKILL.md'"
check "mentions lineage" "grep -qi 'lineage' '$SKILL_DIR/SKILL.md'"
check "mentions orphan or stale" "grep -qiE 'orphan|stale' '$SKILL_DIR/SKILL.md'"

echo ""; echo "Results: $PASS passed, $FAIL failed"
[ $FAIL -eq 0 ] && exit 0 || exit 1
```

---
name: provenance
description: Trace artifact provenance.
practices:
- supply-chain-integrity
- adr
- hermetic-builds
hexagonal_role: driven-adapter
consumes: []
produces:
- result.json
context_rel:
- kind: supplier-to
  with: trace
skill_api_version: 1
allowed-tools: Read, Grep, Glob, Bash
context:
  window: fork
  intent:
    mode: task
  sections:
    exclude:
    - TASK
  intel_scope: full
metadata:
  tier: background
  dependencies: []
  internal: true
output_contract: 'stdout: lineage report'
---

# Provenance Skill

Trace knowledge artifact lineage to sources.

## Execution Steps

Given `/provenance <artifact>`:

### Step 1: Read the Artifact

```
Tool: Read
Parameters:
  file_path: <artifact-path>
```

Look for provenance metadata:
- Source references
- Session IDs
- Dates
- Related artifacts

### Step 2: Trace Source Chain

```bash
# Check for source metadata in the file
grep -i "source\|session\|from\|extracted" <artifact-path>

# Search for related transcripts using ao
ao search "<artifact-name>" 2>/dev/null
```

### Step 3: Search Session Transcripts with CASS

**Use CASS to find when this artifact was discussed:**

```bash
# Extract artifact name for search
artifact_name=$(basename "<artifact-path>" .md)

# Search session transcripts
cass search "$artifact_name" --json --limit 5
```

**Parse CASS results to find:**
- Sessions where artifact was created/discussed
- Timeline of references
- Related sessions by workspace

**CASS JSON output fields:**

```json
{
  "hits": [{
    "title": "...",
    "source_path": "/path/to/session.jsonl",
    "created_at": 1766076237333,
    "score": 18.5,
    "agent": "claude_code"
  }]
}
```

### Step 4: Build Lineage Chain

```
Transcript (source of truth)
    ↓
Forge extraction (candidate)
    ↓
Human review (promotion)
    ↓
Pattern recognition (tier-up)
    ↓
Skill creation (automation)
```

### Step 5: Write Provenance Report

```markdown
# Provenance: <artifact-name>

## Current State
- **Tier:** <0-3>
- **Created:** <date>
- **Citations:** <count>

## Source Chain
1. **Origin:** <transcript or session>
   - Line/context: <where extracted>
   - Extracted: <date>

2. **Promoted:** <tier change>
   - Reason: <why promoted>
   - Date: <when>

## Session References (from CASS)
| Date | Session | Agent | Score |
|------|---------|-------|-------|
| <date> | <session-id> | <agent> | <score> |

## Related Artifacts
- <related artifact 1>
- <related artifact 2>
```

### Step 6: Report to User

Tell the user:
1. Artifact lineage
2. Original source
3. Promotion history
4. Session references (from CASS)
5. Related artifacts

## Finding Orphans

```bash
/provenance --orphans
```

Find artifacts without source tracking:

```bash
# Files without "Source:" or "Session:" metadata
for f in .agents/learnings/*.md; do
  grep -L "Source\|Session" "$f" 2>/dev/null
done
```

## Finding Stale Artifacts

```bash
/provenance --stale
```

Find artifacts where source may have changed:

```bash
# Artifacts not modified for more than 30 days (age heuristic; source timestamps are not compared)
find .agents/ -name "*.md" -mtime +30 2>/dev/null
```

## Key Rules

- **Every insight has a source** - trace it
- **Track promotions** - know why tier changed
- **Find orphans** - clean up untracked knowledge
- **Maintain lineage** - provenance enables trust
- **Use CASS** - find when artifacts were discussed
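
The orphan and stale checks from "Finding Orphans" and "Finding Stale Artifacts", combined into one script as an added example (not part of the skill or the AgentOps repository): rather than flagging by age, it compares each artifact with the source it names. It assumes lineage is recorded on a line starting with `Source: <repo-relative path>` or `Session: <id>`; the function names and report prefixes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not AgentOps code. Assumption: an artifact records lineage
# on a line starting "Source: <repo-relative path>" or "Session: <id>".

# Print artifacts in directory $1 that carry neither metadata line.
find_orphans() {
  local dir="$1"
  local f
  for f in "$dir"/*.md; do
    [ -f "$f" ] || continue                 # glob matched nothing
    grep -qE '^(Source|Session):' "$f" || printf '%s\n' "$f"
  done
}

# Check each artifact in $1 against the source it names, resolved under $2.
find_stale() {
  local dir="$1"
  local root="$2"
  local f src
  for f in "$dir"/*.md; do
    [ -f "$f" ] || continue
    # First "Source:" value, with trailing whitespace (or CR) stripped.
    src=$(sed -n -e 's/[[:space:]]*$//' -e 's/^Source:[[:space:]]*//p' "$f" | head -n 1)
    [ -n "$src" ] || continue               # no path to compare against
    # The path is self-declared by generated content: keep it inside the repo.
    case "$src" in
      /*|*..*) printf 'REJECT %s (source path leaves repo: %s)\n' "$f" "$src"
               continue ;;
    esac
    if [ ! -e "$root/$src" ]; then
      printf 'MISSING %s (source not found: %s)\n' "$f" "$src"
    elif [ "$f" -ot "$root/$src" ]; then
      printf 'STALE %s (source modified later: %s)\n' "$f" "$src"
    fi
  done
}

# Usage: ./lineage-check.sh .agents/learnings [repo-root]
if [ "$#" -ge 1 ]; then
  find_orphans "$1"
  find_stale "$1" "${2:-.}"
fi
```

Modification times reset on a fresh clone, so in CI the comparison is only meaningful where timestamps are preserved or restored from commit history.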