mustflow 2.103.16 → 2.103.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -0
- package/dist/cli/commands/run/args.js +83 -0
- package/dist/cli/commands/run/execution.js +334 -0
- package/dist/cli/commands/run/preview.js +29 -0
- package/dist/cli/commands/run/profile.js +6 -0
- package/dist/cli/commands/run.js +19 -425
- package/dist/cli/commands/script-pack.js +1 -0
- package/dist/cli/commands/verify.js +15 -18
- package/dist/cli/i18n/en.js +27 -0
- package/dist/cli/i18n/es.js +27 -0
- package/dist/cli/i18n/fr.js +27 -0
- package/dist/cli/i18n/hi.js +27 -0
- package/dist/cli/i18n/ko.js +27 -0
- package/dist/cli/i18n/zh.js +27 -0
- package/dist/cli/lib/command-registry.js +92 -0
- package/dist/cli/lib/script-pack-registry.js +39 -0
- package/dist/cli/script-packs/code-module-boundary.js +210 -0
- package/dist/core/module-boundary.js +523 -0
- package/dist/core/public-json-contracts.js +50 -0
- package/dist/core/script-pack-suggestions.js +5 -0
- package/package.json +1 -1
- package/schemas/README.md +12 -0
- package/schemas/check-report.schema.json +52 -0
- package/schemas/index-report.schema.json +103 -0
- package/schemas/module-boundary-report.schema.json +210 -0
- package/schemas/search-report.schema.json +102 -0
- package/schemas/status-report.schema.json +50 -0
- package/templates/default/i18n.toml +3 -3
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +16 -2
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +12 -1
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +17 -10
- package/templates/default/manifest.toml +1 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.payment-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: payment-integrity-review
|
|
9
|
-
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
9
|
+
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -36,7 +36,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
36
36
|
## Use When
|
|
37
37
|
|
|
38
38
|
- Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, receipt, entitlement, fulfillment, subscription, invoice, trial, grace period, coupon, promotion, or inventory reservation logic is created, changed, reviewed, or reported.
|
|
39
|
-
- Provider webhook handling, provider callback handling, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
|
|
39
|
+
- Provider webhook handling, provider callback handling, payment outbox records, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
|
|
40
40
|
- Client-supplied amount, currency, quantity, product, discount, shipping, tax, order, subscription, refund, or customer identifiers can influence a payment action.
|
|
41
41
|
- Manual admin payment operations, payment logs, audit trails, or payment-related tests need review.
|
|
42
42
|
|
|
@@ -59,9 +59,12 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
59
59
|
- State-transition ledger: internal states, provider states, allowed transitions, terminal states,
|
|
60
60
|
retry states, async states, hold states, kill-switch states, and transition owners.
|
|
61
61
|
- Event log ledger: request submission, provider response, redirect, webhook receipt, webhook
|
|
62
|
-
application, state transition, queue handoff, reconciliation decision, fulfillment,
|
|
63
|
-
dispute, admin override, and correction events with ordering, actor, reason,
|
|
64
|
-
evidence.
|
|
62
|
+
application, state transition, outbox event, queue handoff, reconciliation decision, fulfillment,
|
|
63
|
+
refund, dispute, admin override, and correction events with ordering, actor, reason, event type,
|
|
64
|
+
and immutable evidence.
|
|
65
|
+
- Outbox event-type ledger: allowed internal event type vocabulary, enum or constant registry,
|
|
66
|
+
parser or validator, database constraint when available, and the rejection path for unknown,
|
|
67
|
+
stale, misspelled, or provider-shaped event types.
|
|
65
68
|
- Idempotency and uniqueness ledger: logical operation IDs, provider idempotency keys, database uniqueness constraints, webhook event dedupe keys, fulfillment dedupe keys, and retry behavior.
|
|
66
69
|
- Amount and currency ledger: product/cart snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, and settlement amount.
|
|
67
70
|
- Ownership ledger: user, tenant, account, order, payment session, refund, subscription, invoice, entitlement, admin actor, and provider customer ownership checks.
|
|
@@ -81,7 +84,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
81
84
|
<!-- mustflow-section: allowed-edits -->
|
|
82
85
|
## Allowed Edits
|
|
83
86
|
|
|
84
|
-
- Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
87
|
+
- Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
85
88
|
- Do not replace a focused payment-integrity fix with a broad payment platform rewrite unless the current code cannot preserve money correctness with a smaller boundary.
|
|
86
89
|
- Do not add live payment secrets, real card data, real refunds, real charges, or live-provider side effects.
|
|
87
90
|
|
|
@@ -96,6 +99,10 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
96
99
|
3. Keep an immutable event trail. Store request submission, provider response, redirect, webhook,
|
|
97
100
|
state transition, queue handoff, reconciliation, fulfillment, refund, dispute, and admin override
|
|
98
101
|
events with actor, reason, timestamp, provider reference, and before/after state when relevant.
|
|
102
|
+
- For internal outbox rows, validate `event_type` against the owned payment event vocabulary
|
|
103
|
+
before deriving idempotency keys, publishing, or persisting follow-up work. Do not let free-form
|
|
104
|
+
strings, provider event names, stale constants, or user-controlled values become trusted outbox
|
|
105
|
+
operation types.
|
|
99
106
|
4. Calculate amount on the server. Treat client-supplied amount, currency, quantity, discount, coupon, tax, shipping, product ID, plan ID, or cart totals as input claims only; rebuild the payable total from trusted product, cart, account, and policy snapshots.
|
|
100
107
|
5. Bind every payment object to its owner. Verify user, tenant, order, payment session, refund, subscription, invoice, provider customer, and admin actor ownership before read, write, refund, cancel, fulfillment, or entitlement changes.
|
|
101
108
|
6. Compare every amount ledger. Trace order amount, provider request amount, provider response amount, internal money ledger, receipt, settlement, fee, refund, and entitlement amount. Flag any path where one amount can drift without reconciliation.
|
|
@@ -136,8 +143,8 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
136
143
|
|
|
137
144
|
- The payment surface has a money-event map, provider interaction map, identifier map,
|
|
138
145
|
state-transition map, immutable event log, idempotency and uniqueness map, amount and currency map,
|
|
139
|
-
ownership map, fulfillment and entitlement map, webhook/retry map,
|
|
140
|
-
map, and audit/sensitive-data map.
|
|
146
|
+
ownership map, fulfillment and entitlement map, webhook/retry map, outbox event-type validation
|
|
147
|
+
map, reconciliation and hold-state map, and audit/sensitive-data map.
|
|
141
148
|
- Any false success, duplicate money movement, duplicate fulfillment, wrong-owner action, wrong amount, wrong currency, stale event overwrite, timeout misclassification, or missing reconciliation is fixed or reported with evidence.
|
|
142
149
|
- Tests or explicit verification cover the highest-risk nightmare paths available in the current scope.
|
|
143
150
|
|
|
@@ -172,7 +179,7 @@ Prefer focused tests for duplicate operations, webhook replay, out-of-order even
|
|
|
172
179
|
## Output Format
|
|
173
180
|
|
|
174
181
|
- Payment surface and provider boundary reviewed
|
|
175
|
-
- Money-event, provider, identifier, state, event-log, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
182
|
+
- Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
176
183
|
- Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, reconciliation, and audit risks
|
|
177
184
|
- Nightmare-path tests or evidence added, run, skipped, or still missing
|
|
178
185
|
- Command intents run
|