mustflow 2.103.14 → 2.103.15
- package/package.json +1 -1
- package/templates/default/i18n.toml +2 -2
- package/templates/default/locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md +15 -6
- package/templates/default/locales/en/.mustflow/skills/shell-code-change/SKILL.md +20 -8
- package/templates/default/manifest.toml +1 -1
package/package.json
CHANGED
|
@@ -535,7 +535,7 @@ translations = {}
|
|
|
535
535
|
[documents."skill.file-path-cross-platform-change"]
|
|
536
536
|
source = "locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md"
|
|
537
537
|
source_locale = "en"
|
|
538
|
-
revision =
|
|
538
|
+
revision = 5
|
|
539
539
|
translations = {}
|
|
540
540
|
|
|
541
541
|
[documents."skill.frontend-render-stability"]
|
|
@@ -697,7 +697,7 @@ translations = {}
|
|
|
697
697
|
[documents."skill.shell-code-change"]
|
|
698
698
|
source = "locales/en/.mustflow/skills/shell-code-change/SKILL.md"
|
|
699
699
|
source_locale = "en"
|
|
700
|
-
revision =
|
|
700
|
+
revision = 2
|
|
701
701
|
translations = {}
|
|
702
702
|
|
|
703
703
|
[documents."skill.structured-config-change"]
|
package/templates/default/locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.file-path-cross-platform-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 5
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: file-path-cross-platform-change
|
|
9
|
-
description: Apply this skill when file path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported.
|
|
9
|
+
description: Apply this skill when file path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, GitHub Actions output or report paths, or package artifact paths are created, changed, reviewed, or reported.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -35,7 +35,7 @@ Treat file paths as security boundaries and operating-system contracts, not as o
|
|
|
35
35
|
## Use When
|
|
36
36
|
|
|
37
37
|
- Code accepts, stores, serializes, validates, normalizes, joins, resolves, compares, scans, extracts, uploads, downloads, writes, deletes, locks, packages, or reports paths.
|
|
38
|
-
- Path behavior appears in CLI arguments, API request or response schemas, config files, snapshots, fixtures, generated output, package artifacts, logs, manifests, caches, temp directories, upload or download flows, archive extraction, repository clone or checkout destinations, project scaffolding, installer output, or scanner output.
|
|
38
|
+
- Path behavior appears in CLI arguments, API request or response schemas, config files, snapshots, fixtures, generated output, package artifacts, GitHub Actions `output`, `report-output`, artifact, or report directory inputs, logs, manifests, caches, temp directories, upload or download flows, archive extraction, repository clone or checkout destinations, project scaffolding, installer output, or scanner output.
|
|
39
39
|
- Code clones or checks out repositories, downloads and extracts templates, scaffolds projects, installs dependency trees, or cleans up partially materialized project folders after a filesystem or toolchain failure.
|
|
40
40
|
- A change claims path traversal safety, base-directory containment, symlink safety, junction or reparse-point safety, archive extraction safety, atomic write behavior, durable write behavior, lock ownership, cleanup safety, deterministic scanning, or Windows/macOS/Linux compatibility.
|
|
41
41
|
- A test or docs example includes paths that must behave consistently across Windows, macOS, Linux, CI, containers, archives, package artifacts, or user machines.
|
|
@@ -51,7 +51,7 @@ Treat file paths as security boundaries and operating-system contracts, not as o
|
|
|
51
51
|
<!-- mustflow-section: required-inputs -->
|
|
52
52
|
## Required Inputs
|
|
53
53
|
|
|
54
|
-
- Every path input and output, including user input, CLI args, API fields, config fields, archive entries, generated files, temp files, cache paths, lock files, uploaded filenames, download filenames, scanner roots, package artifact paths, and logs.
|
|
54
|
+
- Every path input and output, including user input, CLI args, API fields, config fields, CI action inputs, workflow artifact outputs, archive entries, generated files, temp files, cache paths, lock files, uploaded filenames, download filenames, scanner roots, package artifact paths, and logs.
|
|
55
55
|
- The path owner and trust class: user-controlled, repository-owned, generated, temp, cache, archive-contained, package artifact, external file, or unknown.
|
|
56
56
|
- The base directory or allowed root, expected relative/absolute policy, symlink and reparse-point policy, case-sensitivity policy, invalid-name policy, atomic-write policy, lock policy, archive extraction policy, scanner bounds, cleanup policy, and platform expectations.
|
|
57
57
|
- For clone, checkout, scaffold, extract, and install flows: requested source, destination root, final project directory, deepest expected entry when known, path-length budget, component-length budget, byte budget, preflight coverage, partial-output owner, staging directory owner, promotion policy, cleanup policy, and failure classification contract.
|
|
@@ -81,6 +81,15 @@ Treat file paths as security boundaries and operating-system contracts, not as o
|
|
|
81
81
|
2. Classify each path by trust and owner: trusted repository path, user input, generated state, template path, package artifact, temporary file, cache file, archive-contained path, external path, uploaded name, downloaded name, scanner root, or unknown.
|
|
82
82
|
3. Define the allowed root and representation. Decide whether the contract accepts relative paths, absolute paths, URLs, file URLs, archive entry names, package-relative paths, repository-relative paths, or display-only paths.
|
|
83
83
|
4. Reject dangerous path text before filesystem access: null bytes, empty names where not allowed, absolute paths where relative paths are required, dot segments where not allowed, Windows device names, drive-relative paths, UNC roots, namespace prefixes, alternate data streams, trailing dots or spaces, reserved characters, and mixed separator bypasses.
|
|
84
|
+
- For repository-owned output path inputs such as GitHub Action `output`, `report-output`,
|
|
85
|
+
artifact, generated report, or coverage directory paths, default to repository-relative paths
|
|
86
|
+
unless the public contract explicitly supports external destinations.
|
|
87
|
+
- When a repository-relative output path is required, reject POSIX absolute paths, Windows drive
|
|
88
|
+
paths, Windows drive-relative paths such as `C:tmp`, UNC roots, namespace prefixes, and any
|
|
89
|
+
`..` segment after treating both `/` and `\` as separators.
|
|
90
|
+
- Validate parent traversal by path segment, not by a raw substring search. `a/../b` and
|
|
91
|
+
`a\..\b` must fail, while ordinary names containing two dots are handled by the declared
|
|
92
|
+
filename policy.
|
|
84
93
|
5. Treat Windows drive-relative paths such as `C:tmp.txt` as relative to a drive current directory, not as `C:\tmp.txt`.
|
|
85
94
|
6. Treat Windows reserved names as reserved even with extensions. Names such as `CON`, `PRN`, `AUX`, `NUL`, `COM1`, and `LPT1` must not become ordinary user filenames.
|
|
86
95
|
7. For clone, checkout, scaffold, extract, and install flows, use an explicit `preflight -> dangerous operation -> classifier -> safe cleanup` pipeline. Preflight must estimate the effective path budget before materializing files, including the destination root, project directory, generated path segments, archive or repository entry names when known, operating-system path limits, component-name limits, byte limits, and safety headroom.
|
|
@@ -107,14 +116,14 @@ Treat file paths as security boundaries and operating-system contracts, not as o
|
|
|
107
116
|
28. For scanners, set max depth, max file count, max file size, binary-file handling, ignored directories, hidden-file policy, permission-error behavior, symlink traversal policy, loop detection, deterministic ordering, and output path format.
|
|
108
117
|
29. For temp and cache paths, keep them under an owned root, avoid global temp rename into a target location, include cleanup bounds, and avoid leaking user data through predictable names.
|
|
109
118
|
30. For CLI, API, schema, snapshot, docs, and package artifact path changes, update every contract surface together. Path spelling, separators, slash policy, absolute/relative policy, escaping, sorting, and error messages are part of the contract.
|
|
110
|
-
31. Add focused tests for the riskiest path shapes: traversal, absolute input, drive-relative input, UNC-like input, reserved names, trailing dots or spaces, case collision, Unicode collision, long path, overlong filename, byte-limit overflow with multibyte names, symlink escape, archive traversal, duplicate archive entries, scanner loop, large file cap, clone checkout failure classification, and cleanup boundary.
|
|
119
|
+
31. Add focused tests for the riskiest path shapes: traversal, absolute input, drive-relative input, UNC-like input, reserved names, trailing dots or spaces, case collision, Unicode collision, long path, overlong filename, byte-limit overflow with multibyte names, symlink escape, archive traversal, duplicate archive entries, scanner loop, large file cap, clone checkout failure classification, and cleanup boundary. For workflow or action output paths, include representative `../x`, `a/../x`, `/tmp/x`, `C:\tmp\x`, `C:tmp\x`, and `\\server\share\x` cases.
|
|
111
120
|
32. Select verification from the command contract based on risk. Public CLI/API/schema/package artifact changes need broader checks than internal helper-only changes.
|
|
112
121
|
|
|
113
122
|
<!-- mustflow-section: postconditions -->
|
|
114
123
|
## Postconditions
|
|
115
124
|
|
|
116
125
|
- Path trust classes, accepted path representation, invalid-name policy, case policy, root boundary, symlink and reparse-point policy, archive policy, upload/download policy, scanner policy, atomic-write policy, lock policy, temp/cache policy, and cleanup policy are explicit.
|
|
117
|
-
- Path contracts are synchronized across helpers, schemas, CLI/API docs, snapshots, fixtures, generated outputs, package artifacts, tests, and reports.
|
|
126
|
+
- Path contracts are synchronized across helpers, schemas, CLI/API docs, snapshots, fixtures, generated outputs, workflow artifact paths, package artifacts, tests, and reports.
|
|
118
127
|
- Clone, checkout, scaffold, extract, and install flows have explicit preflight, staging, promotion, path-length, collision, platform-failure classification, diagnostic-preservation, and cleanup policies.
|
|
119
128
|
- Any race-safety, atomicity, durability, lock, or cross-platform claim is scoped to what the current runtime and helpers can actually guarantee.
|
|
120
129
|
- Platform behavior that was not tested is reported as remaining risk.
|
|
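Review bot: The representative cases added to step 31 leave out two shapes that the new step 4 sub-bullets say must be rejected: a backslash-separated traversal and a namespace-prefixed path. The backslash case matters most on Linux runners, where `\` is not a native separator, so a validator that splits only on `/` accepts `a\..\x` and every listed test still passes. I would extend the sentence to read `include representative ../x, a/../x, a\..\x, /tmp/x, C:\tmp\x, C:tmp\x, \\server\share\x, and \\?\C:\tmp\x cases`. The new sub-bullets are also purely lexical, so unless a step outside these hunks already covers it, they should state that passing the text check does not prove containment and that the resolved destination must still satisfy the skill's symlink and reparse-point policy before anything is written.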
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.shell-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: shell-code-change
|
|
@@ -46,6 +46,8 @@ runner shell sees it, or a pipeline treats filenames as line-delimited text.
|
|
|
46
46
|
or changed.
|
|
47
47
|
- GitHub Actions, CI, or workflow `run` blocks contain shell code, shell options, environment files,
|
|
48
48
|
heredocs, matrix variables, checkout-dependent shell logic, or context interpolation.
|
|
49
|
+
- GitHub Actions `run` blocks validate or consume action inputs that name generated files,
|
|
50
|
+
reports, coverage directories, package artifacts, or other repository workspace outputs.
|
|
49
51
|
- Code or docs use shell quoting, parameter expansion, command substitution, globbing, word
|
|
50
52
|
splitting, redirection, pipes, traps, `set` options, `test`, `case`, loops, subshells, functions,
|
|
51
53
|
`eval`, `sh -c`, `bash -c`, or sourced files.
|
|
@@ -84,6 +86,9 @@ runner shell sees it, or a pipeline treats filenames as line-delimited text.
|
|
|
84
86
|
- Dynamic input boundaries: user input, paths, URLs, branch names, pull request titles or bodies,
|
|
85
87
|
commit messages, matrix values, environment variables, secrets, file contents, regex patterns, and
|
|
86
88
|
replacement strings.
|
|
89
|
+
- GitHub Actions path-input boundaries: `with` inputs, environment variables derived from inputs,
|
|
90
|
+
`GITHUB_OUTPUT`, artifact paths, report directories, generated output paths, and whether each path
|
|
91
|
+
must stay repository-relative.
|
|
87
92
|
- File and stream boundary: whether filenames are path arguments, globs, line-delimited streams,
|
|
88
93
|
NUL-delimited streams, stdin, temp files, generated files, or destructive targets.
|
|
89
94
|
- Failure and cleanup expectations: required commands, exit-status meaning, pipeline status,
|
|
@@ -196,18 +201,23 @@ runner shell sees it, or a pipeline treats filenames as line-delimited text.
|
|
|
196
201
|
27. For GitHub Actions environment and output files, account for step lifetime, multiline delimiter
|
|
197
202
|
collisions, reserved variables, and echo portability. Do not assume values written for later
|
|
198
203
|
steps are available in the current shell.
|
|
199
|
-
28. For GitHub Actions
|
|
204
|
+
28. For GitHub Actions `run` blocks that accept paths for generated outputs, reports, coverage, or
|
|
205
|
+
artifacts, do not stop at "non-empty" validation. If the path is meant to stay in the caller
|
|
206
|
+
repository, validate it as repository-relative: reject POSIX absolute paths, Windows drive and
|
|
207
|
+
drive-relative paths, UNC roots, namespace prefixes, and `..` segments after treating `/` and
|
|
208
|
+
`\` as separators. Use `file-path-cross-platform-change` for the path contract and tests.
|
|
209
|
+
29. For GitHub Actions runner behavior, check shell defaults, job containers, checkout depth, fork
|
|
200
210
|
and Dependabot permissions, secrets availability, runner image drift, and platform-specific
|
|
201
211
|
userland before changing shell code.
|
|
202
|
-
|
|
212
|
+
30. Keep secrets out of trace output, logs, process arguments, environment dumps, temp files, and
|
|
203
213
|
diagnostic artifacts. Disable tracing around sensitive commands and redact only as a backup.
|
|
204
|
-
|
|
214
|
+
31. Treat `eval`, dynamic `source`, dynamic `.` loading, `sh -c`, remote shell strings, and workflow
|
|
205
215
|
expression injection as command-injection risks unless the command text is fully trusted and
|
|
206
216
|
bounded.
|
|
207
|
-
|
|
217
|
+
32. If the shell code becomes complex enough to need structured data parsing, concurrency,
|
|
208
218
|
rollback, JSON mutation, long-lived state, or rich error recovery, consider moving the logic to
|
|
209
219
|
a project-supported runtime and leaving shell as a thin launcher.
|
|
210
|
-
|
|
220
|
+
33. Verify with behavior evidence, not only spelling. Useful evidence includes shell lint, format,
|
|
211
221
|
cross-shell execution, Bats or similar tests, CI dry-run or provider evidence, path-shape
|
|
212
222
|
fixtures, line-ending checks, docs validation, package checks, and configured release checks.
|
|
213
223
|
|
|
@@ -218,6 +228,8 @@ runner shell sees it, or a pipeline treats filenames as line-delimited text.
|
|
|
218
228
|
- Parser and expansion boundaries are separated from downstream regex, sed, awk, find, xargs, and
|
|
219
229
|
GitHub Actions expression boundaries.
|
|
220
230
|
- Dynamic values remain data-bound and are not reinterpreted as shell code.
|
|
231
|
+
- Repository output, report, coverage, and artifact path inputs are either explicitly external or
|
|
232
|
+
validated as repository-relative path contracts.
|
|
221
233
|
- Filename handling survives spaces, newlines, leading dashes, glob characters, and empty matches or
|
|
222
234
|
the unsupported cases are stated.
|
|
223
235
|
- Exit-status, pipeline, cleanup, temp-file, destructive-action, logging, and secret-handling
|
|
@@ -240,8 +252,8 @@ Use configured oneshot command intents when available:
|
|
|
240
252
|
- `line_endings_check`
|
|
241
253
|
|
|
242
254
|
Report missing ShellCheck, shfmt, Bats, cross-shell, POSIX sh, Bash-version, GNU/BSD/BusyBox,
|
|
243
|
-
GitHub Actions, fork-PR, checkout-depth, secret-redaction, path-shape,
|
|
244
|
-
line-ending verification when those surfaces change.
|
|
255
|
+
GitHub Actions, fork-PR, checkout-depth, secret-redaction, path-shape, action output-path,
|
|
256
|
+
destructive-dry-run, or line-ending verification when those surfaces change.
|
|
245
257
|
|
|
246
258
|
<!-- mustflow-section: failure-handling -->
|
|
247
259
|
## Failure Handling
|