mustflow 2.103.10 → 2.103.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,190 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/repo-deploy-surface-report.schema.json",
4
+ "title": "mustflow repo deploy-surface report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "input",
18
+ "input_hash",
19
+ "has_deploy_surface",
20
+ "summary",
21
+ "surfaces",
22
+ "required_verification",
23
+ "manual_gates",
24
+ "findings",
25
+ "issues"
26
+ ],
27
+ "properties": {
28
+ "schema_version": { "const": "1" },
29
+ "command": { "const": "script-pack" },
30
+ "pack_id": { "const": "repo" },
31
+ "script_id": { "const": "deploy-surface" },
32
+ "script_ref": { "const": "repo/deploy-surface" },
33
+ "action": { "const": "inspect" },
34
+ "status": { "enum": ["passed", "failed", "error"] },
35
+ "ok": { "type": "boolean" },
36
+ "mustflow_root": { "type": "string" },
37
+ "input": {
38
+ "type": "object",
39
+ "additionalProperties": false,
40
+ "required": ["scanned_paths", "max_file_bytes"],
41
+ "properties": {
42
+ "scanned_paths": {
43
+ "type": "array",
44
+ "items": { "type": "string", "minLength": 1 }
45
+ },
46
+ "max_file_bytes": { "type": "integer", "minimum": 1 }
47
+ }
48
+ },
49
+ "input_hash": { "$ref": "#/$defs/sha256" },
50
+ "has_deploy_surface": { "type": "boolean" },
51
+ "summary": { "$ref": "#/$defs/summary" },
52
+ "surfaces": {
53
+ "type": "array",
54
+ "items": { "$ref": "#/$defs/surface" }
55
+ },
56
+ "required_verification": {
57
+ "type": "array",
58
+ "items": { "type": "string", "minLength": 1 }
59
+ },
60
+ "manual_gates": {
61
+ "type": "array",
62
+ "items": { "type": "string", "minLength": 1 }
63
+ },
64
+ "findings": {
65
+ "type": "array",
66
+ "items": { "$ref": "#/$defs/finding" }
67
+ },
68
+ "issues": {
69
+ "type": "array",
70
+ "items": { "type": "string" }
71
+ }
72
+ },
73
+ "$defs": {
74
+ "sha256": {
75
+ "type": "string",
76
+ "pattern": "^sha256:[a-f0-9]{64}$"
77
+ },
78
+ "summary": {
79
+ "type": "object",
80
+ "additionalProperties": false,
81
+ "required": [
82
+ "has_deploy_surface",
83
+ "surface_count",
84
+ "workflow_count",
85
+ "package_script_count",
86
+ "config_file_count",
87
+ "package_metadata_count",
88
+ "manual_gate_count",
89
+ "required_verification_count"
90
+ ],
91
+ "properties": {
92
+ "has_deploy_surface": { "type": "boolean" },
93
+ "surface_count": { "type": "integer", "minimum": 0 },
94
+ "workflow_count": { "type": "integer", "minimum": 0 },
95
+ "package_script_count": { "type": "integer", "minimum": 0 },
96
+ "config_file_count": { "type": "integer", "minimum": 0 },
97
+ "package_metadata_count": { "type": "integer", "minimum": 0 },
98
+ "manual_gate_count": { "type": "integer", "minimum": 0 },
99
+ "required_verification_count": { "type": "integer", "minimum": 0 }
100
+ }
101
+ },
102
+ "surface": {
103
+ "type": "object",
104
+ "additionalProperties": false,
105
+ "required": [
106
+ "id",
107
+ "kind",
108
+ "surface_type",
109
+ "path",
110
+ "line",
111
+ "trigger",
112
+ "confidence",
113
+ "evidence",
114
+ "required_verification",
115
+ "manual_gates"
116
+ ],
117
+ "properties": {
118
+ "id": { "type": "string", "minLength": 1 },
119
+ "kind": {
120
+ "enum": [
121
+ "deploy_config",
122
+ "github_actions_workflow",
123
+ "package_metadata",
124
+ "package_script"
125
+ ]
126
+ },
127
+ "surface_type": {
128
+ "enum": [
129
+ "cloudflare",
130
+ "container",
131
+ "generic_deploy",
132
+ "github_pages",
133
+ "github_release",
134
+ "netlify",
135
+ "npm_publish",
136
+ "package_release",
137
+ "vercel"
138
+ ]
139
+ },
140
+ "path": { "type": "string", "minLength": 1 },
141
+ "line": { "type": ["integer", "null"], "minimum": 1 },
142
+ "trigger": { "type": ["string", "null"] },
143
+ "confidence": { "enum": ["low", "medium", "high"] },
144
+ "evidence": { "$ref": "#/$defs/evidence" },
145
+ "required_verification": {
146
+ "type": "array",
147
+ "items": { "type": "string", "minLength": 1 }
148
+ },
149
+ "manual_gates": {
150
+ "type": "array",
151
+ "items": { "type": "string", "minLength": 1 }
152
+ }
153
+ }
154
+ },
155
+ "evidence": {
156
+ "type": "object",
157
+ "additionalProperties": false,
158
+ "required": ["path", "line", "match"],
159
+ "properties": {
160
+ "path": { "type": "string", "minLength": 1 },
161
+ "line": { "type": ["integer", "null"], "minimum": 1 },
162
+ "match": { "type": "string", "minLength": 1 }
163
+ }
164
+ },
165
+ "finding": {
166
+ "type": "object",
167
+ "additionalProperties": false,
168
+ "required": [
169
+ "code",
170
+ "severity",
171
+ "message",
172
+ "path",
173
+ "json_pointer",
174
+ "metric",
175
+ "actual",
176
+ "expected"
177
+ ],
178
+ "properties": {
179
+ "code": { "const": "deploy_surface_detected" },
180
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
181
+ "message": { "type": "string" },
182
+ "path": { "type": "string", "minLength": 1 },
183
+ "json_pointer": { "type": ["string", "null"] },
184
+ "metric": { "type": ["string", "null"] },
185
+ "actual": { "type": ["number", "null"] },
186
+ "expected": { "type": ["number", "null"] }
187
+ }
188
+ }
189
+ }
190
+ }
@@ -0,0 +1,196 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/security-pattern-scan-report.schema.json",
4
+ "title": "mustflow security-pattern-scan report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "policy",
18
+ "input_hash",
19
+ "targets",
20
+ "summary",
21
+ "truncated",
22
+ "findings",
23
+ "issues"
24
+ ],
25
+ "properties": {
26
+ "schema_version": { "const": "1" },
27
+ "command": { "const": "script-pack" },
28
+ "pack_id": { "const": "repo" },
29
+ "script_id": { "const": "security-pattern-scan" },
30
+ "script_ref": { "const": "repo/security-pattern-scan" },
31
+ "action": { "const": "scan" },
32
+ "status": { "enum": ["passed", "failed", "error"] },
33
+ "ok": { "type": "boolean" },
34
+ "mustflow_root": { "type": "string" },
35
+ "policy": { "$ref": "#/$defs/policy" },
36
+ "input_hash": { "$ref": "#/$defs/sha256" },
37
+ "targets": {
38
+ "type": "array",
39
+ "items": { "$ref": "#/$defs/target" }
40
+ },
41
+ "summary": { "$ref": "#/$defs/summary" },
42
+ "truncated": { "type": "boolean" },
43
+ "findings": {
44
+ "type": "array",
45
+ "items": { "$ref": "#/$defs/finding" }
46
+ },
47
+ "issues": {
48
+ "type": "array",
49
+ "items": { "type": "string" }
50
+ }
51
+ },
52
+ "$defs": {
53
+ "sha256": {
54
+ "type": "string",
55
+ "pattern": "^sha256:[a-f0-9]{64}$"
56
+ },
57
+ "fingerprint": {
58
+ "type": "string",
59
+ "pattern": "^sha256:[a-f0-9]{16}$"
60
+ },
61
+ "stringArray": {
62
+ "type": "array",
63
+ "items": { "type": "string" }
64
+ },
65
+ "policy": {
66
+ "type": "object",
67
+ "additionalProperties": false,
68
+ "required": [
69
+ "max_file_bytes",
70
+ "max_files",
71
+ "max_findings",
72
+ "extensions",
73
+ "ignored_directories",
74
+ "evidence_mode"
75
+ ],
76
+ "properties": {
77
+ "max_file_bytes": { "type": "integer", "minimum": 1 },
78
+ "max_files": { "type": "integer", "minimum": 1 },
79
+ "max_findings": { "type": "integer", "minimum": 1 },
80
+ "extensions": { "$ref": "#/$defs/stringArray" },
81
+ "ignored_directories": { "$ref": "#/$defs/stringArray" },
82
+ "evidence_mode": { "const": "metadata_only" }
83
+ }
84
+ },
85
+ "target": {
86
+ "type": "object",
87
+ "additionalProperties": false,
88
+ "required": ["input", "path", "exists", "kind"],
89
+ "properties": {
90
+ "input": { "type": "string" },
91
+ "path": { "type": "string" },
92
+ "exists": { "type": ["boolean", "null"] },
93
+ "kind": { "enum": ["file", "directory", "missing", "other", "unknown"] }
94
+ }
95
+ },
96
+ "summary": {
97
+ "type": "object",
98
+ "additionalProperties": false,
99
+ "required": [
100
+ "target_count",
101
+ "file_count",
102
+ "finding_count",
103
+ "high_or_critical_count",
104
+ "category_count"
105
+ ],
106
+ "properties": {
107
+ "target_count": { "type": "integer", "minimum": 0 },
108
+ "file_count": { "type": "integer", "minimum": 0 },
109
+ "finding_count": { "type": "integer", "minimum": 0 },
110
+ "high_or_critical_count": { "type": "integer", "minimum": 0 },
111
+ "category_count": { "type": "integer", "minimum": 0 }
112
+ }
113
+ },
114
+ "detector": {
115
+ "enum": [
116
+ "client_controlled_authority",
117
+ "cors_origin_reflection_with_credentials",
118
+ "dynamic_regex",
119
+ "eval_execution",
120
+ "fs_call_non_literal_path",
121
+ "insecure_cookie_options",
122
+ "local_storage_token",
123
+ "mass_assignment",
124
+ "native_deserialization",
125
+ "path_join_user_input",
126
+ "postmessage_missing_origin_check",
127
+ "postmessage_wildcard_target",
128
+ "raw_sensitive_request_logging",
129
+ "server_fetch_user_url",
130
+ "shell_true",
131
+ "sql_template_interpolation",
132
+ "tls_verification_disabled",
133
+ "unsafe_yaml_load"
134
+ ]
135
+ },
136
+ "category": {
137
+ "enum": [
138
+ "access_control",
139
+ "browser",
140
+ "command",
141
+ "crypto_transport",
142
+ "filesystem",
143
+ "injection",
144
+ "logging",
145
+ "parser",
146
+ "token_session"
147
+ ]
148
+ },
149
+ "finding": {
150
+ "type": "object",
151
+ "additionalProperties": false,
152
+ "required": ["code", "severity", "message", "path"],
153
+ "properties": {
154
+ "code": {
155
+ "enum": [
156
+ "security_pattern_client_controlled_authority",
157
+ "security_pattern_cors_origin_reflection_with_credentials",
158
+ "security_pattern_dynamic_regex",
159
+ "security_pattern_eval_execution",
160
+ "security_pattern_file_too_large",
161
+ "security_pattern_fs_call_non_literal_path",
162
+ "security_pattern_insecure_cookie_options",
163
+ "security_pattern_local_storage_token",
164
+ "security_pattern_mass_assignment",
165
+ "security_pattern_max_files_exceeded",
166
+ "security_pattern_max_findings_exceeded",
167
+ "security_pattern_native_deserialization",
168
+ "security_pattern_path_join_user_input",
169
+ "security_pattern_path_outside_root",
170
+ "security_pattern_postmessage_missing_origin_check",
171
+ "security_pattern_postmessage_wildcard_target",
172
+ "security_pattern_raw_sensitive_request_logging",
173
+ "security_pattern_server_fetch_user_url",
174
+ "security_pattern_shell_true",
175
+ "security_pattern_sql_template_interpolation",
176
+ "security_pattern_tls_verification_disabled",
177
+ "security_pattern_unreadable_path",
178
+ "security_pattern_unsafe_yaml_load"
179
+ ]
180
+ },
181
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
182
+ "message": { "type": "string" },
183
+ "path": { "type": "string" },
184
+ "line": { "type": "integer", "minimum": 1 },
185
+ "detector": { "$ref": "#/$defs/detector" },
186
+ "category": { "$ref": "#/$defs/category" },
187
+ "review_focus": { "type": "string" },
188
+ "fingerprint": { "$ref": "#/$defs/fingerprint" },
189
+ "json_pointer": { "type": ["string", "null"] },
190
+ "metric": { "type": ["string", "null"] },
191
+ "actual": { "type": ["number", "null"] },
192
+ "expected": { "type": ["number", "null"] }
193
+ }
194
+ }
195
+ }
196
+ }
@@ -86,7 +86,7 @@ translations = {}
86
86
  [documents."skill.api-contract-change"]
87
87
  source = "locales/en/.mustflow/skills/api-contract-change/SKILL.md"
88
88
  source_locale = "en"
89
- revision = 2
89
+ revision = 3
90
90
  translations = {}
91
91
 
92
92
  [documents."skill.backend-reliability-change"]
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.api-contract-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: api-contract-change
9
- description: Apply this skill when HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, API schemas, generated clients, SDKs, status codes, headers, content negotiation, cache headers, error envelopes, pagination, filtering, sorting, search, or public API examples are created or changed.
9
+ description: Apply this skill when HTTP, REST, HTTP QUERY, Accept-Query, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, API schemas, generated clients, SDKs, status codes, headers, content negotiation, cache headers, error envelopes, pagination, filtering, sorting, search, or public API examples are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -29,7 +29,7 @@ metadata:
29
29
  <!-- mustflow-section: purpose -->
30
30
  ## Purpose
31
31
 
32
- Treat an API change as a contract change, not as a route or controller edit. The contract includes request schema, response schema, status code, headers, content negotiation, cache semantics, error shape, auth and permission behavior, pagination, filtering, sorting, search semantics, generated clients, SDKs, mocks, fixtures, examples, and documentation.
32
+ Treat an API change as a contract change, not as a route or controller edit. The contract includes request method semantics, request schema, response schema, status code, headers, content negotiation, cache semantics, error shape, auth and permission behavior, pagination, filtering, sorting, search semantics, generated clients, SDKs, mocks, fixtures, examples, and documentation.
33
33
 
34
34
  The goal is to keep runtime behavior, type contracts, generated artifacts, callers, tests, and docs aligned.
35
35
 
@@ -37,6 +37,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
37
37
  ## Use When
38
38
 
39
39
  - HTTP, REST, RPC, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, AsyncAPI, webhook, callback, public endpoint, internal endpoint, generated client, SDK, schema, mock, fixture, or API docs behavior changes.
40
+ - HTTP method choices change, including GET, POST, PUT, PATCH, DELETE, safe/idempotent operations, request-body semantics, HTTP QUERY, or Accept-Query support.
40
41
  - Request body, query parameters, path parameters, headers, cookies, response body, content negotiation, content coding, status codes, redirects, caching headers, rate-limit headers, error envelopes, validation errors, auth errors, or permission errors change.
41
42
  - SSE, streaming response, WebTransport handshake, WebSocket fallback, compression negotiation, or delivery headers become part of the API behavior that callers rely on.
42
43
  - Pagination, filtering, sorting, search, includes, field selection, sparse fields, expansions, cursor shape, or total-count semantics change.
@@ -54,7 +55,8 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
54
55
  ## Required Inputs
55
56
 
56
57
  - Changed route, controller, resolver, handler, schema, validator, generated client, SDK, tests, fixtures, mocks, and docs.
57
- - Current request and response schema, status code map, headers, content negotiation, content coding, error envelope, auth and permission behavior, rate-limit behavior, cache behavior, streaming or reconnect behavior, pagination/filter/sort/search contract, and deprecation/versioning policy.
58
+ - Current method semantics, request and response schema, status code map, headers, content negotiation, content coding, error envelope, auth and permission behavior, rate-limit behavior, cache behavior, streaming or reconnect behavior, pagination/filter/sort/search contract, and deprecation/versioning policy.
59
+ - For body-bearing read operations, current GET, POST, and QUERY tradeoffs; request body media type; Accept-Query or Allow discovery; cache-key construction; client, proxy, CDN, browser, and server framework support; fallback behavior; and canonical GET URI strategy when present.
58
60
  - OpenAPI, GraphQL schema, tRPC router, Hono app type, Elysia Eden type surface, protobuf files, generated clients, SDK examples, frontend callers, mobile callers, integration tests, docs examples, and mock servers when present.
59
61
  - Current public consumers, backwards-compatibility expectations, supported client versions, and migration or deprecation policy.
60
62
  - Configured verification intents.
@@ -82,13 +84,13 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
82
84
 
83
85
  1. Name the contract source of truth: OpenAPI, GraphQL schema, route validator, tRPC router, Hono `AppType`, Elysia app/Eden surface, protobuf definition, hand-written SDK type, or docs-backed public contract.
84
86
  2. Build a contract ledger for each changed endpoint or operation:
85
- - method or operation name;
87
+ - method or operation name, including safe, idempotent, cacheable, and request-body semantics;
86
88
  - path or field name;
87
89
  - request path, query, header, cookie, and body shape;
88
90
  - auth and permission requirement;
89
91
  - response success status and body;
90
92
  - error status and body;
91
- - relevant headers, content negotiation, content coding, and cache variance;
93
+ - relevant headers, content negotiation, content coding, cache variance, and request-content cache-key inputs;
92
94
  - pagination, filtering, sorting, and search semantics;
93
95
  - generated clients, SDK functions, mocks, fixtures, examples, and docs.
94
96
  3. Classify each change:
@@ -98,6 +100,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
98
100
  - response field removed, renamed, narrowed, widened, or made nullable;
99
101
  - status code changed;
100
102
  - header added, removed, or changed;
103
+ - method semantics changed, including safe/idempotent behavior or body-bearing read behavior;
101
104
  - content coding, compression negotiation, streaming, reconnect, or cache-variance behavior changed;
102
105
  - error code or envelope changed;
103
106
  - pagination cursor or total semantics changed;
@@ -113,6 +116,9 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
113
116
  ## API Style Policy
114
117
 
115
118
  - REST and HTTP APIs must keep method semantics, status code meanings, headers, content type, content coding, cache behavior, redirects, streaming behavior, and error envelope stable.
119
+ - HTTP QUERY is for safe and idempotent read operations whose query input does not fit the URI cleanly. It is not a default replacement for GET or POST: keep GET for simple, shareable, bookmarkable, and widely cached URLs; avoid GET request bodies as portable API contracts; and call POST-as-search a semantic or compatibility fallback when QUERY support is unavailable.
120
+ - A QUERY contract must define the query request media type with Content-Type, supported query formats with Accept-Query when advertised, Allow or fallback behavior for unsupported clients and intermediaries, CORS preflight expectations for browser callers, and whether Content-Location, Location, or 303 See Other lets callers repeat the operation with GET.
121
+ - QUERY caching must include request content and relevant metadata in the cache key. Any cache-key normalization must match resource semantics; do not normalize the body only for convenience if that can merge distinct queries.
116
122
  - OpenAPI changes must include every status/body/header variant that callers rely on. A schema-only success response is not enough when errors are part of the contract.
117
123
  - GraphQL must not be forced into a REST envelope. Preserve GraphQL `data`, `errors`, `extensions`, partial response, nullability, and resolver error propagation semantics.
118
124
  - GraphQL nullable-to-non-null and non-null-to-null changes are contract changes. Nullability can change whether partial data survives an error.
@@ -131,7 +137,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
131
137
  - Pagination must define cursor opacity, sort stability, page size limits, `next` and `previous` meaning, empty page behavior, total-count semantics, and whether filters affect counts.
132
138
  - Filtering and sorting must define allowed fields, default sort, null ordering, case sensitivity, timezone or locale behavior, invalid filter behavior, and whether unknown fields are rejected or ignored.
133
139
  - Search must define query normalization, tokenization, ranking stability expectations, highlight fields, typo tolerance, permissions, and private-data exclusion.
134
- - Headers such as content-type, content-encoding, vary, cache-control, etag, location, retry-after, rate-limit, pagination links, content-disposition, and deprecation headers are contract surfaces.
140
+ - Headers such as content-type, accept-query, content-encoding, vary, cache-control, etag, location, content-location, retry-after, rate-limit, pagination links, content-disposition, and deprecation headers are contract surfaces.
135
141
 
136
142
  ## Dependent Surface Checklist
137
143
 
@@ -147,6 +153,7 @@ Check every relevant surface before finalizing:
147
153
  - API docs, README snippets, changelog, migration notes, deprecation notices, role matrix, and status-code docs;
148
154
  - auth and permission checks;
149
155
  - rate limits, cache keys, cache headers, search indexes, pagination cursors, and background jobs;
156
+ - QUERY support, Accept-Query discovery, request-body cache-key logic, CORS preflight behavior, unsupported-method fallback, and GET-equivalent Location or Content-Location paths when body-bearing read operations are caller-visible;
150
157
  - streaming delivery, SSE event ids, reconnect behavior, proxy or CDN delivery settings, content-coding variants, and fallback clients when they are caller-visible;
151
158
  - observability dashboards, audit logs, analytics events, and alerting that parse status or error codes.
152
159
 
@@ -157,6 +164,8 @@ Check every relevant surface before finalizing:
157
164
  - Treating TypeScript inference as proof that runtime JSON is compatible.
158
165
  - Changing status codes without updating callers, docs, tests, and audit expectations.
159
166
  - Changing content encoding, streaming flush, reconnect, cache variance, or fallback behavior without updating callers, docs, tests, and delivery verification.
167
+ - Treating GET request bodies as portable API contracts.
168
+ - Switching complex read-only searches to QUERY without client/server/proxy/CDN support evidence, fallback behavior, Content-Type and Accept-Query policy, and request-content cache-key rules.
160
169
  - Treating generated clients as disposable when they are the public API.
161
170
  - Mixing GraphQL partial-response semantics with REST success/error envelopes.
162
171
  - Adding required request fields in a minor-compatible change without a default or compatibility path.
@@ -171,7 +180,7 @@ Check every relevant surface before finalizing:
171
180
  ## Postconditions
172
181
 
173
182
  - The API contract source of truth is known.
174
- - Request, response, status, header, content negotiation, cache, error, auth, permission, pagination, filtering, sorting, and search impacts are classified.
183
+ - Request method semantics, response, status, header, content negotiation, cache, error, auth, permission, pagination, filtering, sorting, and search impacts are classified.
175
184
  - Breaking or compatibility-sensitive changes are named.
176
185
  - Generated clients, mocks, fixtures, tests, docs, and examples are synchronized or explicitly reported as skipped.
177
186
  - Framework-specific protocol semantics are preserved.
@@ -209,7 +218,7 @@ Prefer the narrowest configured checks that exercise the changed contract from a
209
218
  - API style and contract source of truth
210
219
  - Changed operations or endpoints
211
220
  - Compatibility classification
212
- - Request, response, status, header, content negotiation, cache, error, auth, permission, pagination, filter, sort, and search notes
221
+ - Request method semantics, response, status, header, content negotiation, cache, error, auth, permission, pagination, filter, sort, search, and QUERY support notes when relevant
213
222
  - Generated client, SDK, mock, fixture, docs, and caller surfaces synchronized
214
223
  - Files changed
215
224
  - Command intents run
@@ -1,6 +1,6 @@
1
1
  id = "default"
2
2
  name = "default"
3
- version = "2.103.10"
3
+ version = "2.103.12"
4
4
  description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
5
5
  common_root = "common"
6
6
  locales_root = "locales"