• **First time you open a *plain project on a new machine — before the first

  codeplain <module>.plain

  or

  ./test_scripts/run_unittests*.sh

  invocation. This is the most common case.
• At the start of

  forge-plain

  Phase 3 environment verification —

  forge-plain

  historically did this inline; delegate to this skill instead so the same check runs the same way everywhere.
• After

  add-feature

  — when the new feature brought in a new dependency (a new framework, a new service, a new package manager) the project didn't need before.
• Before a real render — alongside

  plain-healthcheck

  .

  plain-healthcheck

  answers "are the specs renderable?"; this skill answers "can this machine render them?". Both should pass.
• Onboarding — when a teammate (or CI runner, or fresh dev container) is about to start using the project.
• Debugging a confusing failure — when a test script exits with "command not found", "module not found", "could not connect", or similar before any test runs.
• On demand — whenever the user asks "what do I need to install for this project?".

.plain

• It does not install anything. It only suggests install commands and lets the user run them.
• It does not generate scripts, modify

  config.yaml

  , or change project files. Use

  implement-*-testing-script

  ,

  init-config-file

  , etc. for that.
• It does not start services (databases, brokers, Docker daemons). It only checks whether the right binaries and (optionally) running endpoints are reachable.
• It does not validate the specs themselves (syntax, dry-run, complexity). Use

  plain-healthcheck

  for that — the two skills are complementary.
• It does not print secrets. Check whether an env var is set (e.g.

  printenv FOO >/dev/null && echo set || echo missing

  ), never echo its value.

1. Detect the host OS first. Run

   uname -s 2>/dev/null || echo "$OS"

   . Use the result to (a) pick the right script extensions to inspect (

   .sh

   vs

   .ps1

   ) and (b) pick the right install commands later (Homebrew, apt, dnf, pacman, choco, scoop, winget).
2. List every

   .plain

   file in the repo root and in any subdirectory that contains them. Note which are top modules (not

   requires

   -ed by anything) and which are import modules (under

   template/

   ).
3. List every

   config.yaml

   in the repo and read each one. Note the

   *-script

   keys it sets and the values they point at.
4. List every script under

   test_scripts/

   (both

   .sh

   and

   .ps1

   — projects can ship both).
5. List every file under

   resources/

   if the directory exists. Schemas and protocol files there often imply running services (e.g. a Postgres

   .sql

   schema implies a Postgres server).
6. Print a one-line inventory summary, e.g.

   Detected: 2 top modules (backend/api.plain, frontend/web.plain), 2 config.yaml(s), 4 test_scripts, 3 resources. Host: Darwin.

Check only the layers a package manager cannot install. Anything

pip install -r requirements.txt

,

npm ci

,

mvn install

,

cargo fetch

,

go mod download

,

bundle install

,

composer install

, etc. would resolve is out of scope for this skill. It will be installed by the project's own scripts the moment they run. Checking it here is wasted work and creates false-negative reports the moment the manifest changes.

• ❌ Do NOT check individual language packages — not

  torch

  , not

  requests

  , not

  numpy

  , not

  FastAPI

  , not

  express

  , not

  react

  , not a specific JAR in

  pom.xml

  , not a specific gem in

  Gemfile

  , not a specific crate in

  Cargo.toml

  . The language's package manager handles all of it. The same rule applies in every language — Python, Node.js, Java, Go, Rust, Ruby, PHP, .NET, Dart, etc.
• ✅ Do check the layers below the package manager, which fall into four categories. Build the requirement list at runtime by walking through each category and adding only what the project actually needs.

• Signals in

  .plain

  files: phrases like

  should be in Python

  ,

  should be in Java

  ,

  should be in Go

  in

  ***implementation reqs***

  . Find the language; ignore the framework (the framework is a package, not a toolchain).
• Signals in

  test_scripts/

  (more reliable, because scripts are the executable contract): which interpreter / build tool is invoked at the top level.

  python3

  /

  pip

  → Python toolchain.

  node

  /

  npm

  /

  pnpm

  /

  yarn

  → Node.js toolchain.

  mvn

  /

  gradle

  → JDK + Maven/Gradle.

  go

  → Go toolchain.

  cargo

  → Rust toolchain.

  dotnet

  → .NET SDK.

  ruby

  /

  bundle

  → Ruby + Bundler.

  php

  /

  composer

  → PHP + Composer.

  dart

  /

  flutter

  → Dart/Flutter SDK.

• Python →

  python3 --version

  +

  pip --version

  .
• Node.js →

  node --version

  +

  npm --version

  (or

  pnpm

  /

  yarn

  if the scripts use them).
• Java →

  java -version

  +

  javac -version

  +

  mvn -version

  (or

  gradle --version

  ).
• Go →

  go version

  .
• Rust →

  cargo --version

  +

  rustc --version

  .
• .NET →

  dotnet --version

  .
• Ruby →

  ruby --version

  +

  bundle --version

  .
• PHP →

  php --version

  +

  composer --version

  .
• Flutter / Dart →

  flutter --version

  +

  dart --version

  .

python3

pip

pip install -r requirements.txt

torch

numpy

requests

• Signals: a

  .plain

  file names a service the implementation talks to (database, cache, queue, broker, orchestrator). A

  resources/*.sql

  schema implies a database. A

  docker-compose.yml

  (if present) lists services explicitly.
• For each service found, probe both that its CLI is available and — when possible — that the service is reachable. "Binary present but service not running" should report as

  WARN

  , not

  FAIL

  ; the user may want to start it on demand.

pip install

npm install

requirements.txt

• The spec describes OCR → a wrapper like

  pytesseract

  is in

  requirements.txt

  , but the host still needs the

  tesseract

  binary and the language data files.
• The spec describes video/audio processing →

  ffmpeg-python

  is in the manifest, but the

  ffmpeg

  binary itself must be on the host.
• The spec describes PDF extraction → a Python wrapper is in the manifest, but the

  pdftotext

  /

  pdftoppm

  binaries from poppler-utils are still required.
• The spec describes headless-browser e2e testing → the npm package is in

  package.json

  , but the actual browser binaries (Chromium, Firefox, WebKit) must be downloaded onto the host separately.
• The spec describes shelling out to any external CLI from generated code → that CLI must be on the host.

requirements.txt

ffmpeg

psql

docker

tesseract

• Signals: a spec mentions GPU acceleration, local model training/fine-tuning, real-time inference, CUDA, MPS / Apple Silicon, hardware-accelerated video encoding, etc.
• The check is layered, and each layer fails independently. Probe each one and surface each result separately, in order, so the user sees exactly where the chain breaks:
  1. Driver present? (e.g.

     nvidia-smi

     succeeds.)
  2. Device visible? (e.g.

     nvidia-smi -L

     lists ≥ 1 GPU.)
  3. Accelerator SDK installed? (e.g.

     nvcc --version

     for the CUDA toolkit.)
  4. Acceleration libraries discoverable? (e.g. cuDNN via

     ldconfig -p \| grep libcudnn

     on Linux.)
  5. The runtime can actually see the accelerator? (e.g. a one-line Python probe through whatever framework the spec named:

     python -c "import torch; print(torch.cuda.is_available(), torch.version.cuda)"

     .) This particular layer does require the language package, so run it after the test scripts have had a chance to install dependencies — or surface it as "can be verified after

     pip install

     " if dependencies aren't installed yet.
  6. Version compatibility. If the runtime reports a different CUDA major version than the toolkit, surface a

     WARN

     . Driver / toolkit / runtime version mismatches are the most common silent GPU bug.

uname -m

sw_vers

rocminfo

A

.plain

file declares:

:Implementation: should fine-tune :BaseModel: on the user's local hardware using PyTorch. Training should use available GPUs when present.

What the package manager handles (out of scope for this skill):

torch

itself.

pip install -r requirements.txt

will fetch the right wheel.

What this skill must probe (in scope):

1. The Python toolchain (Category 1):

   python3 --version

   ,

   pip --version

   .
2. The NVIDIA driver (Category 4, layer 1):

   nvidia-smi

   .
3. At least one GPU visible (Category 4, layer 2):

   nvidia-smi -L

   lists ≥ 1 device.
4. CUDA toolkit (Category 4, layer 3):

   nvcc --version

   .
5. cuDNN discoverable (Category 4, layer 4):

   ldconfig -p \| grep libcudnn

   on Linux; skip on macOS.
6. PyTorch actually sees the GPU (Category 4, layer 5):

   python -c "import torch; print(torch.cuda.is_available(), torch.version.cuda)"

   — noting this requires

   torch

   to be installed (i.e. requires the test scripts to have run their install step at least once).
7. Version match (Category 4, layer 6): cross-check

   torch.version.cuda

   against

   nvcc --version

   . Mismatch →

   WARN

   .

The skill never asks "is

torch

installed?". That belongs to

pip

.

• codeplain

  CLI on

  PATH

  —

  codeplain --version

  .

• CODEPLAIN_API_KEY

  env var set —

  printenv CODEPLAIN_API_KEY >/dev/null && echo set || echo missing

  (never echo the value).
• A shell matching the testing scripts' extension (Bash for

  .sh

  , PowerShell for

  .ps1

  ).

• git

  (the renderer uses it; almost every plain project tracks itself in git).

terminal

• PASS — present and (where a version was specified) at or above the required version.
• WARN — present but at a version that doesn't match what the project explicitly asks for (e.g. spec says Java 17, host has Java 21), or service binary present but the service itself isn't running, or a Category 4 sub-layer is mismatched against another (e.g. CUDA toolkit version doesn't match what the framework expects).
• FAIL — missing, unreachable, or below the minimum version.

1. Category 1 — Language toolchains. Run the toolchain + package-manager probes listed in Step 2's Category 1 for the languages this project actually uses. Do not probe individual language packages.
2. Category 5 — Codeplain and

   git

   . Always required, independent of the project.

   codeplain --version

   ,

   printenv CODEPLAIN_API_KEY >/dev/null

   ,

   git --version

   . Verify the shell flavor matches the scripts' extension; a

   .sh

   -only project on native Windows is a

   FAIL

   (suggest WSL).
3. Category 2 — External services. For each service identified at runtime, probe the CLI's presence first, then — if the CLI exists — check whether the service itself is reachable. Service binary present but daemon down →

   WARN

   , not

   FAIL

   .
4. Category 3 — System binaries that language packages wrap. For each one identified in Step 2, check the system binary is on

   PATH

   (

   which <bin>

   /

   <bin> --version

   ). The wrapper package itself isn't probed.
5. Category 4 — Hardware, drivers, accelerators. Walk the layered probe from Step 2 in order (driver → device visibility → SDK → acceleration libs → framework-sees-it → version match), reporting each layer's result separately. Never collapse a multi-layer failure into a single "GPU not available" message — each layer has a different fix.
6. Credentials and config holes. For every env var, dotfile, or cloud CLI login state the project implies, probe its presence without printing its value:

   printenv VAR >/dev/null && echo set || echo missing

   ,

   [ -f <path> ] && echo present || echo missing

   ,

   aws sts get-caller-identity

   /

   gcloud auth list

   /

   az account show

   for cloud SDKs.

• PASS

  — every required item is present at an acceptable version. Follow with a one-paragraph summary listing what was checked.

• WARN

  — everything required is present but at least one item triggered a soft warning (version mismatch, service not currently running). Follow with the numbered list of warnings.

• FAIL

  — at least one required item is missing or below minimum version. Follow with a numbered list of every gap.

backend/api.plain

using FastAPI

test_scripts/run_unittests_python.sh

pytest

Re-run check-plain-env after installing missing items to confirm.

• (Hard mistake) Don't probe individual language packages. Anything

  pip install -r requirements.txt

  ,

  npm ci

  ,

  mvn install

  ,

  cargo fetch

  ,

  go mod download

  ,

  bundle install

  ,

  composer install

  , etc. would resolve is out of scope.

  torch

  ,

  requests

  ,

  numpy

  ,

  FastAPI

  ,

  express

  ,

  react

  , JARs, gems, crates — all package-manager territory. Check the toolchain (

  python3

  ,

  pip

  ,

  node

  ,

  npm

  ,

  mvn

  ,

  cargo

  , ...) and stop there. Probing the package itself creates false negatives the moment

  requirements.txt

  changes and duplicates work the test scripts will do anyway.
• Don't stop after the directly named technologies. A spec that says "fine-tune on local hardware using PyTorch" never says "CUDA", but the workflow can't run without CUDA. Always work through Category 3 (system binaries that language packages wrap) and Category 4 (hardware/drivers) — not only the directly named runtimes. These categories are where the workflow's hidden requirements live.
• Don't merge a chain of failures into one generic message. "GPU not available" is not a useful report. The chain is

  driver → device visibility → toolkit → acceleration libs → framework-sees-it → version match

  ; each layer has a different fix. Surface each layer separately.
• Don't work only from

  .plain

  files. Always cross-reference with

  test_scripts/

  — the scripts are the executable contract. If a script invokes a non-language binary the specs never mention, that binary is automatically a Category 3 requirement.
• Don't pre-bake a catalog. Derive the requirement list at runtime from the project in front of you. A hard-coded "things to always check" table becomes wrong the moment any project deviates from the assumed shape — and every project does.
• Don't probe testing framework binaries as if they were independent.

  pytest

  ,

  jest

  ,

  vitest

  ,

  phpunit

  ,

  junit-console

  , etc. are installed by the package manager via

  requirements.txt

  /

  package.json

  /

  pom.xml

  . The toolchain check (Category 1) is enough — the framework binary itself is out of scope.
• Don't probe in silence. Use the

  terminal

  tool and capture the actual command output (version strings, exit codes). Telling the user "looks like Python is installed" without running

  python3 --version

  is guessing.
• Don't print secret values. Check whether

  CODEPLAIN_API_KEY

  ,

  DATABASE_URL

  , etc. are set, not what they contain. Use

  printenv VAR >/dev/null

  not

  printenv VAR

  .
• Don't install anything on the user's behalf. Even when the install command is obvious. The user needs to opt in.
• Don't stop at the first FAIL. Run the full sweep so the report is complete in one pass.
• Don't suggest

  curl | sh

  installs when a package manager works. Reserve the upstream installer fallback for cases where no package-manager option exists (e.g.

  rustup

  , sometimes Go).
• Don't ignore version mismatches. If a spec says Java 17 and the host has Java 21, surface that as a

  WARN

  so the user can decide — don't silently let it pass.
• Don't duplicate this check inline elsewhere. Other skills (

  forge-plain

  ,

  add-feature

  ,

  plain-healthcheck

  ) that need an env check should delegate to

  check-plain-env

  rather than re-implementing the probe themselves. This skill is the single source of truth.

• Host OS detected (

  uname -s

  /

  $OS

  ) before any other action.
• Requirement list derived at runtime from this project's

  .plain

  files,

  test_scripts/

  ,

  config.yaml

  (s), and

  resources/

  — no pre-baked catalog used.
• No individual language packages probed. Only the toolchain + package manager for each detected language.
• Every script under

  test_scripts/

  opened and read; every non-language binary it invokes added to the Category 3 list.
• Every external service named in the specs is in the Category 2 list, with both a binary probe and (when feasible) a reachability probe.
• Every hardware / accelerator signal ("GPU", "fine-tune", "local inference", "CUDA", "MPS", etc.) triggered the layered Category 4 probe.
• Every requirement probed via the

  terminal

  tool with an actual version / availability command (no "looks installed" guesses).
• GPU / accelerator chains probed layer-by-layer (driver → device visibility → toolkit → acceleration libs → framework-sees-it → version match), with each layer reported separately.
• Each result classified as PASS / WARN / FAIL.
• Report has the verdict on the first line.
• Every FAIL and WARN row has all four columns: What / Why / Status / How to install.
• Install suggestions match the detected host OS (no Debian commands on macOS, no

  brew

  on Linux, etc.).
• No secret values were printed at any point.
• Nothing was installed; no project files were modified.