mustflow 2.103.16 → 2.103.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/README.md +2 -0
  2. package/dist/cli/commands/run/args.js +83 -0
  3. package/dist/cli/commands/run/execution.js +334 -0
  4. package/dist/cli/commands/run/preview.js +29 -0
  5. package/dist/cli/commands/run/profile.js +6 -0
  6. package/dist/cli/commands/run.js +19 -425
  7. package/dist/cli/commands/script-pack.js +1 -0
  8. package/dist/cli/commands/verify.js +15 -18
  9. package/dist/cli/i18n/en.js +27 -0
  10. package/dist/cli/i18n/es.js +27 -0
  11. package/dist/cli/i18n/fr.js +27 -0
  12. package/dist/cli/i18n/hi.js +27 -0
  13. package/dist/cli/i18n/ko.js +27 -0
  14. package/dist/cli/i18n/zh.js +27 -0
  15. package/dist/cli/lib/command-registry.js +92 -0
  16. package/dist/cli/lib/option-parser.js +26 -0
  17. package/dist/cli/lib/script-pack-registry.js +39 -0
  18. package/dist/cli/script-packs/code-module-boundary.js +210 -0
  19. package/dist/cli/script-packs/repo-env-contract.js +4 -17
  20. package/dist/cli/script-packs/repo-secret-risk-scan.js +4 -17
  21. package/dist/cli/script-packs/repo-security-pattern-scan.js +4 -17
  22. package/dist/core/module-boundary.js +523 -0
  23. package/dist/core/public-json-contracts.js +50 -0
  24. package/dist/core/script-pack-suggestions.js +5 -0
  25. package/package.json +1 -1
  26. package/schemas/README.md +12 -0
  27. package/schemas/check-report.schema.json +52 -0
  28. package/schemas/index-report.schema.json +103 -0
  29. package/schemas/module-boundary-report.schema.json +210 -0
  30. package/schemas/search-report.schema.json +102 -0
  31. package/schemas/status-report.schema.json +50 -0
  32. package/templates/default/i18n.toml +10 -4
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -1
  34. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +16 -2
  35. package/templates/default/locales/en/.mustflow/skills/http-api-semantics-review/SKILL.md +286 -0
  36. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +12 -1
  37. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +17 -10
  38. package/templates/default/locales/en/.mustflow/skills/routes.toml +6 -0
  39. package/templates/default/manifest.toml +8 -1
@@ -0,0 +1,52 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/check-report.schema.json",
4
+ "title": "mustflow check report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "ok",
9
+ "strict",
10
+ "issueCount",
11
+ "issues",
12
+ "warningCount",
13
+ "warnings",
14
+ "issueDetails"
15
+ ],
16
+ "properties": {
17
+ "ok": { "type": "boolean" },
18
+ "strict": { "type": "boolean" },
19
+ "issueCount": { "type": "integer", "minimum": 0 },
20
+ "issues": {
21
+ "type": "array",
22
+ "items": { "type": "string" }
23
+ },
24
+ "warningCount": { "type": "integer", "minimum": 0 },
25
+ "warnings": {
26
+ "type": "array",
27
+ "items": { "type": "string" }
28
+ },
29
+ "issueDetails": {
30
+ "type": "array",
31
+ "items": { "$ref": "#/$defs/issueDetail" }
32
+ }
33
+ },
34
+ "$defs": {
35
+ "issueDetail": {
36
+ "type": "object",
37
+ "additionalProperties": false,
38
+ "required": ["id", "severity", "mode", "message"],
39
+ "properties": {
40
+ "id": {
41
+ "anyOf": [
42
+ { "type": "string" },
43
+ { "type": "null" }
44
+ ]
45
+ },
46
+ "severity": { "enum": ["error", "warning"] },
47
+ "mode": { "enum": ["base", "strict"] },
48
+ "message": { "type": "string" }
49
+ }
50
+ }
51
+ }
52
+ }
@@ -0,0 +1,103 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/index-report.schema.json",
4
+ "title": "mustflow local index report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "ok",
11
+ "mustflow_root",
12
+ "database_path",
13
+ "dry_run",
14
+ "wrote_files",
15
+ "index_mode",
16
+ "reused_existing",
17
+ "rebuild_reason",
18
+ "document_count",
19
+ "skill_count",
20
+ "skill_route_count",
21
+ "command_intent_count",
22
+ "command_effect_count",
23
+ "verification_evidence_summary_count",
24
+ "verification_plan_count",
25
+ "acceptance_criteria_count",
26
+ "criterion_coverage_count",
27
+ "verification_receipt_summary_count",
28
+ "command_receipt_summary_count",
29
+ "verification_coverage_state_count",
30
+ "verification_risk_signal_count",
31
+ "validation_ratchet_signal_count",
32
+ "completion_verdict_summary_count",
33
+ "repro_route_count",
34
+ "repro_observation_count",
35
+ "failure_fingerprint_count",
36
+ "source_index_enabled",
37
+ "source_anchor_count",
38
+ "source_anchor_risk_signal_count",
39
+ "search_backend",
40
+ "search_fts5_available",
41
+ "content_mode",
42
+ "store_full_content",
43
+ "max_snippet_bytes_per_document",
44
+ "excluded_raw_data_kinds",
45
+ "indexed_file_count",
46
+ "indexed_paths"
47
+ ],
48
+ "properties": {
49
+ "schema_version": { "type": "string", "pattern": "^[0-9]+$" },
50
+ "command": { "const": "index" },
51
+ "ok": { "type": "boolean" },
52
+ "mustflow_root": { "type": "string" },
53
+ "database_path": { "type": "string" },
54
+ "dry_run": { "type": "boolean" },
55
+ "wrote_files": { "type": "boolean" },
56
+ "index_mode": { "enum": ["full", "incremental"] },
57
+ "reused_existing": { "type": "boolean" },
58
+ "rebuild_reason": {
59
+ "anyOf": [
60
+ { "type": "string" },
61
+ { "type": "null" }
62
+ ]
63
+ },
64
+ "document_count": { "$ref": "#/$defs/count" },
65
+ "skill_count": { "$ref": "#/$defs/count" },
66
+ "skill_route_count": { "$ref": "#/$defs/count" },
67
+ "command_intent_count": { "$ref": "#/$defs/count" },
68
+ "command_effect_count": { "$ref": "#/$defs/count" },
69
+ "verification_evidence_summary_count": { "$ref": "#/$defs/count" },
70
+ "verification_plan_count": { "$ref": "#/$defs/count" },
71
+ "acceptance_criteria_count": { "$ref": "#/$defs/count" },
72
+ "criterion_coverage_count": { "$ref": "#/$defs/count" },
73
+ "verification_receipt_summary_count": { "$ref": "#/$defs/count" },
74
+ "command_receipt_summary_count": { "$ref": "#/$defs/count" },
75
+ "verification_coverage_state_count": { "$ref": "#/$defs/count" },
76
+ "verification_risk_signal_count": { "$ref": "#/$defs/count" },
77
+ "validation_ratchet_signal_count": { "$ref": "#/$defs/count" },
78
+ "completion_verdict_summary_count": { "$ref": "#/$defs/count" },
79
+ "repro_route_count": { "$ref": "#/$defs/count" },
80
+ "repro_observation_count": { "$ref": "#/$defs/count" },
81
+ "failure_fingerprint_count": { "$ref": "#/$defs/count" },
82
+ "source_index_enabled": { "type": "boolean" },
83
+ "source_anchor_count": { "$ref": "#/$defs/count" },
84
+ "source_anchor_risk_signal_count": { "$ref": "#/$defs/count" },
85
+ "search_backend": { "enum": ["fts5", "table_scan"] },
86
+ "search_fts5_available": { "type": "boolean" },
87
+ "content_mode": { "const": "metadata_and_snippets" },
88
+ "store_full_content": { "const": false },
89
+ "max_snippet_bytes_per_document": { "type": "integer", "minimum": 0 },
90
+ "excluded_raw_data_kinds": {
91
+ "type": "array",
92
+ "items": { "type": "string" }
93
+ },
94
+ "indexed_file_count": { "$ref": "#/$defs/count" },
95
+ "indexed_paths": {
96
+ "type": "array",
97
+ "items": { "type": "string" }
98
+ }
99
+ },
100
+ "$defs": {
101
+ "count": { "type": "integer", "minimum": 0 }
102
+ }
103
+ }
@@ -0,0 +1,210 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/module-boundary-report.schema.json",
4
+ "title": "mustflow module-boundary report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "pack_id",
11
+ "script_id",
12
+ "script_ref",
13
+ "action",
14
+ "status",
15
+ "ok",
16
+ "mustflow_root",
17
+ "policy",
18
+ "input_hash",
19
+ "config",
20
+ "targets",
21
+ "graph",
22
+ "rules",
23
+ "cycles",
24
+ "shared_metrics",
25
+ "truncated",
26
+ "findings",
27
+ "issues"
28
+ ],
29
+ "properties": {
30
+ "schema_version": { "const": "1" },
31
+ "command": { "const": "script-pack" },
32
+ "pack_id": { "const": "code" },
33
+ "script_id": { "const": "module-boundary" },
34
+ "script_ref": { "const": "code/module-boundary" },
35
+ "action": { "const": "check" },
36
+ "status": { "enum": ["passed", "failed", "error"] },
37
+ "ok": { "type": "boolean" },
38
+ "mustflow_root": { "type": "string" },
39
+ "policy": { "$ref": "#/$defs/policy" },
40
+ "input_hash": { "$ref": "#/$defs/sha256" },
41
+ "config": { "$ref": "#/$defs/config" },
42
+ "targets": { "type": "array", "items": { "$ref": "#/$defs/target" } },
43
+ "graph": { "$ref": "#/$defs/graph" },
44
+ "rules": { "type": "array", "items": { "$ref": "#/$defs/rule" } },
45
+ "cycles": { "type": "array", "items": { "$ref": "#/$defs/cycle" } },
46
+ "shared_metrics": { "type": "array", "items": { "$ref": "#/$defs/sharedMetric" } },
47
+ "truncated": { "type": "boolean" },
48
+ "findings": { "type": "array", "items": { "$ref": "#/$defs/finding" } },
49
+ "issues": { "type": "array", "items": { "type": "string" } }
50
+ },
51
+ "$defs": {
52
+ "sha256": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" },
53
+ "stringArray": { "type": "array", "items": { "type": "string" } },
54
+ "language": {
55
+ "enum": [
56
+ "typescript",
57
+ "tsx",
58
+ "javascript",
59
+ "jsx",
60
+ "javascript-module",
61
+ "javascript-commonjs",
62
+ "json",
63
+ "other"
64
+ ]
65
+ },
66
+ "targetKind": { "enum": ["file", "directory", "missing", "other", "unknown"] },
67
+ "edgeKind": { "enum": ["static_import", "static_export", "dynamic_import", "require"] },
68
+ "configStatus": { "enum": ["found", "missing", "invalid"] },
69
+ "ruleKind": {
70
+ "enum": ["layer_deny", "public_entrypoint", "feature_direct_import", "shared_budget", "import_cycle"]
71
+ },
72
+ "policy": {
73
+ "type": "object",
74
+ "additionalProperties": false,
75
+ "required": [
76
+ "max_file_bytes",
77
+ "max_files",
78
+ "max_depth",
79
+ "max_nodes",
80
+ "max_edges",
81
+ "extensions",
82
+ "ignored_directories",
83
+ "config_path",
84
+ "max_cycles",
85
+ "max_shared_files"
86
+ ],
87
+ "properties": {
88
+ "max_file_bytes": { "type": "integer", "minimum": 1 },
89
+ "max_files": { "type": "integer", "minimum": 1 },
90
+ "max_depth": { "type": "integer", "minimum": 1 },
91
+ "max_nodes": { "type": "integer", "minimum": 1 },
92
+ "max_edges": { "type": "integer", "minimum": 1 },
93
+ "extensions": { "$ref": "#/$defs/stringArray" },
94
+ "ignored_directories": { "$ref": "#/$defs/stringArray" },
95
+ "config_path": { "type": "string" },
96
+ "max_cycles": { "type": "integer", "minimum": 1 },
97
+ "max_shared_files": { "type": "integer", "minimum": 1 }
98
+ }
99
+ },
100
+ "config": {
101
+ "type": "object",
102
+ "additionalProperties": false,
103
+ "required": [
104
+ "path",
105
+ "status",
106
+ "layer_rule_count",
107
+ "public_entrypoint_rule_count",
108
+ "feature_group_rule_count",
109
+ "shared_budget_rule_count"
110
+ ],
111
+ "properties": {
112
+ "path": { "type": "string" },
113
+ "status": { "$ref": "#/$defs/configStatus" },
114
+ "layer_rule_count": { "type": "integer", "minimum": 0 },
115
+ "public_entrypoint_rule_count": { "type": "integer", "minimum": 0 },
116
+ "feature_group_rule_count": { "type": "integer", "minimum": 0 },
117
+ "shared_budget_rule_count": { "type": "integer", "minimum": 0 }
118
+ }
119
+ },
120
+ "target": {
121
+ "type": "object",
122
+ "additionalProperties": false,
123
+ "required": ["input", "path", "exists", "kind", "language"],
124
+ "properties": {
125
+ "input": { "type": "string" },
126
+ "path": { "type": "string" },
127
+ "exists": { "type": ["boolean", "null"] },
128
+ "kind": { "$ref": "#/$defs/targetKind" },
129
+ "language": { "$ref": "#/$defs/language" }
130
+ }
131
+ },
132
+ "graph": {
133
+ "type": "object",
134
+ "additionalProperties": false,
135
+ "required": ["script_ref", "status", "node_count", "edge_count", "cycle_hint_count", "truncated"],
136
+ "properties": {
137
+ "script_ref": { "const": "code/dependency-graph" },
138
+ "status": { "enum": ["passed", "failed", "error"] },
139
+ "node_count": { "type": "integer", "minimum": 0 },
140
+ "edge_count": { "type": "integer", "minimum": 0 },
141
+ "cycle_hint_count": { "type": "integer", "minimum": 0 },
142
+ "truncated": { "type": "boolean" }
143
+ }
144
+ },
145
+ "rule": {
146
+ "type": "object",
147
+ "additionalProperties": false,
148
+ "required": ["rule_id", "kind", "finding_count"],
149
+ "properties": {
150
+ "rule_id": { "type": "string" },
151
+ "kind": { "$ref": "#/$defs/ruleKind" },
152
+ "finding_count": { "type": "integer", "minimum": 0 }
153
+ }
154
+ },
155
+ "cycle": {
156
+ "type": "object",
157
+ "additionalProperties": false,
158
+ "required": ["cycle_id", "path_count", "paths"],
159
+ "properties": {
160
+ "cycle_id": { "type": "string", "pattern": "^cycle:[a-f0-9]{12}$" },
161
+ "path_count": { "type": "integer", "minimum": 0 },
162
+ "paths": { "$ref": "#/$defs/stringArray" }
163
+ }
164
+ },
165
+ "sharedMetric": {
166
+ "type": "object",
167
+ "additionalProperties": false,
168
+ "required": ["rule_id", "path", "file_count", "export_count", "max_files", "max_exports"],
169
+ "properties": {
170
+ "rule_id": { "type": "string" },
171
+ "path": { "type": "string" },
172
+ "file_count": { "type": "integer", "minimum": 0 },
173
+ "export_count": { "type": "integer", "minimum": 0 },
174
+ "max_files": { "type": ["integer", "null"], "minimum": 0 },
175
+ "max_exports": { "type": ["integer", "null"], "minimum": 0 }
176
+ }
177
+ },
178
+ "finding": {
179
+ "type": "object",
180
+ "additionalProperties": false,
181
+ "required": ["code", "severity", "message", "path"],
182
+ "properties": {
183
+ "code": {
184
+ "enum": [
185
+ "dependency_graph_path_outside_root",
186
+ "dependency_graph_unreadable_path",
187
+ "dependency_graph_max_files_exceeded",
188
+ "dependency_graph_max_nodes_exceeded",
189
+ "dependency_graph_max_edges_exceeded",
190
+ "module_boundary_config_missing",
191
+ "module_boundary_invalid_config",
192
+ "module_boundary_forbidden_import",
193
+ "module_boundary_public_entry_violation",
194
+ "module_boundary_feature_direct_import",
195
+ "module_boundary_shared_budget_exceeded",
196
+ "module_boundary_import_cycle_detected"
197
+ ]
198
+ },
199
+ "severity": { "enum": ["low", "medium", "high", "critical"] },
200
+ "message": { "type": "string" },
201
+ "path": { "type": "string" },
202
+ "rule_id": { "type": "string" },
203
+ "source_path": { "type": "string" },
204
+ "target_path": { "type": "string" },
205
+ "line": { "type": "integer", "minimum": 1 },
206
+ "cycle_id": { "type": "string", "pattern": "^cycle:[a-f0-9]{12}$" }
207
+ }
208
+ }
209
+ }
210
+ }
@@ -0,0 +1,102 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/search-report.schema.json",
4
+ "title": "mustflow local search report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "schema_version",
9
+ "command",
10
+ "ok",
11
+ "mustflow_root",
12
+ "database_path",
13
+ "query",
14
+ "limit",
15
+ "scope",
16
+ "index_fresh",
17
+ "stale_paths",
18
+ "search_backend",
19
+ "search_fts5_available",
20
+ "result_count",
21
+ "results"
22
+ ],
23
+ "properties": {
24
+ "schema_version": { "type": "string", "pattern": "^[0-9]+$" },
25
+ "command": { "const": "search" },
26
+ "ok": { "type": "boolean" },
27
+ "mustflow_root": { "type": "string" },
28
+ "database_path": { "type": "string" },
29
+ "query": { "type": "string" },
30
+ "limit": { "type": "integer", "minimum": 1, "maximum": 50 },
31
+ "scope": { "enum": ["workflow", "source", "all"] },
32
+ "index_fresh": { "type": "boolean" },
33
+ "stale_paths": {
34
+ "type": "array",
35
+ "items": { "type": "string" }
36
+ },
37
+ "search_backend": { "enum": ["fts5", "table_scan"] },
38
+ "search_fts5_available": { "type": "boolean" },
39
+ "result_count": { "type": "integer", "minimum": 0 },
40
+ "results": {
41
+ "type": "array",
42
+ "items": { "$ref": "#/$defs/searchItem" }
43
+ }
44
+ },
45
+ "$defs": {
46
+ "searchItem": {
47
+ "type": "object",
48
+ "additionalProperties": false,
49
+ "required": [
50
+ "kind",
51
+ "cache_layer",
52
+ "volatile",
53
+ "authority_rank",
54
+ "authority_label",
55
+ "source_scope",
56
+ "navigation_only",
57
+ "can_instruct_agent",
58
+ "match",
59
+ "score"
60
+ ],
61
+ "properties": {
62
+ "kind": { "enum": ["document", "skill", "skill_route", "command_intent", "source_anchor"] },
63
+ "path": { "type": "string" },
64
+ "name": { "type": "string" },
65
+ "title": { "type": "string" },
66
+ "document_type": { "type": "string" },
67
+ "anchor_id": { "type": "string" },
68
+ "line_start": { "type": "integer", "minimum": 1 },
69
+ "risk": { "type": "string" },
70
+ "cache_layer": { "enum": ["stable", "task", "volatile"] },
71
+ "volatile": { "type": "boolean" },
72
+ "authority_rank": { "type": "integer", "minimum": 0 },
73
+ "authority_label": { "type": "string" },
74
+ "source_scope": { "enum": ["workflow", "source"] },
75
+ "navigation_only": { "type": "boolean" },
76
+ "can_instruct_agent": { "type": "boolean" },
77
+ "stale_status": { "type": "string" },
78
+ "stale_confidence": { "type": "number" },
79
+ "effect_locks": {
80
+ "type": "array",
81
+ "items": { "type": "string" }
82
+ },
83
+ "effect_paths": {
84
+ "type": "array",
85
+ "items": { "type": "string" }
86
+ },
87
+ "effect_modes": {
88
+ "type": "array",
89
+ "items": { "type": "string" }
90
+ },
91
+ "route_trigger": { "type": "string" },
92
+ "route_risk": { "type": "string" },
93
+ "verification_intents": {
94
+ "type": "array",
95
+ "items": { "type": "string" }
96
+ },
97
+ "match": { "type": "string" },
98
+ "score": { "type": "number" }
99
+ }
100
+ }
101
+ }
102
+ }
@@ -0,0 +1,50 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
3
+ "$id": "https://mustflow.github.io/schemas/status-report.schema.json",
4
+ "title": "mustflow status report",
5
+ "type": "object",
6
+ "additionalProperties": false,
7
+ "required": [
8
+ "installed",
9
+ "manifestLock",
10
+ "trackedFiles",
11
+ "changedFiles",
12
+ "missingFiles",
13
+ "issues",
14
+ "template"
15
+ ],
16
+ "properties": {
17
+ "installed": { "type": "boolean" },
18
+ "manifestLock": { "enum": ["missing", "invalid", "present"] },
19
+ "trackedFiles": { "type": "integer", "minimum": 0 },
20
+ "changedFiles": {
21
+ "type": "array",
22
+ "items": { "type": "string" }
23
+ },
24
+ "missingFiles": {
25
+ "type": "array",
26
+ "items": { "type": "string" }
27
+ },
28
+ "issues": {
29
+ "type": "array",
30
+ "items": { "type": "string" }
31
+ },
32
+ "template": {
33
+ "anyOf": [
34
+ { "$ref": "#/$defs/template" },
35
+ { "type": "null" }
36
+ ]
37
+ }
38
+ },
39
+ "$defs": {
40
+ "template": {
41
+ "type": "object",
42
+ "additionalProperties": false,
43
+ "required": ["id", "version"],
44
+ "properties": {
45
+ "id": { "type": "string" },
46
+ "version": { "type": "string" }
47
+ }
48
+ }
49
+ }
50
+ }
@@ -62,7 +62,7 @@ translations = {}
62
62
  [documents."skills.index"]
63
63
  source = "locales/en/.mustflow/skills/INDEX.md"
64
64
  source_locale = "en"
65
- revision = 188
65
+ revision = 189
66
66
  translations = {}
67
67
 
68
68
  [documents."skill.adapter-boundary"]
@@ -89,6 +89,12 @@ source_locale = "en"
89
89
  revision = 3
90
90
  translations = {}
91
91
 
92
+ [documents."skill.http-api-semantics-review"]
93
+ source = "locales/en/.mustflow/skills/http-api-semantics-review/SKILL.md"
94
+ source_locale = "en"
95
+ revision = 1
96
+ translations = {}
97
+
92
98
  [documents."skill.backend-reliability-change"]
93
99
  source = "locales/en/.mustflow/skills/backend-reliability-change/SKILL.md"
94
100
  source_locale = "en"
@@ -128,7 +134,7 @@ translations = {}
128
134
  [documents."skill.module-boundary-review"]
129
135
  source = "locales/en/.mustflow/skills/module-boundary-review/SKILL.md"
130
136
  source_locale = "en"
131
- revision = 1
137
+ revision = 2
132
138
  translations = {}
133
139
 
134
140
  [documents."skill.change-blast-radius-review"]
@@ -146,7 +152,7 @@ translations = {}
146
152
  [documents."skill.payment-integrity-review"]
147
153
  source = "locales/en/.mustflow/skills/payment-integrity-review/SKILL.md"
148
154
  source_locale = "en"
149
- revision = 2
155
+ revision = 3
150
156
  translations = {}
151
157
 
152
158
  [documents."skill.credit-ledger-integrity-review"]
@@ -446,7 +452,7 @@ translations = {}
446
452
  [documents."skill.database-migration-change"]
447
453
  source = "locales/en/.mustflow/skills/database-migration-change/SKILL.md"
448
454
  source_locale = "en"
449
- revision = 2
455
+ revision = 3
450
456
  translations = {}
451
457
 
452
458
  [documents."skill.database-query-bottleneck-review"]
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 188
5
+ revision: 189
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -106,6 +106,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
106
106
  shapes, response shapes, pagination, idempotency, async jobs, versioning, deprecation, rate
107
107
  limits, retry rules, observability, or caller-facing docs need caller-ergonomics and misuse-risk
108
108
  review rather than only schema compatibility.
109
+ - Use `http-api-semantics-review` as an adjunct when HTTP method choices, safe/idempotent/cacheable
110
+ claims, GET/HEAD bodies, OPTIONS or Allow discovery, HTTP QUERY, POST versus PUT URI ownership,
111
+ PUT replacement, PATCH document formats, DELETE behavior, conditional requests, status codes,
112
+ cache headers, CORS method discovery, retry behavior, or intermediary compatibility need HTTP
113
+ semantics review rather than only schema compatibility.
109
114
  - Use `api-access-control-review` as an adjunct when API security review needs BOLA or IDOR,
110
115
  object, property, or function authorization, tenant isolation, request-supplied identity,
111
116
  mass assignment, signed URLs, queue revalidation, webhook ownership, token/session hardening,
@@ -471,6 +476,7 @@ routes. Event routes stay inactive until their event occurs.
471
476
  | Product, app, service, CLI, API, SDK, library, desktop app, automation tool, or developer tool work needs a decision about which user, developer, operator, automation, integration, recovery, upgrade, documentation, or observability surfaces are supported now, deferred, explicitly unsupported, or internal-only | `.mustflow/skills/support-surface-advisor/SKILL.md` | Product stage, primary actors, main usage path, integration need, maintenance capacity, public-contract willingness, explicit non-goals, recovery and observability expectations, and current repository evidence | Support-surface plan, selected implementation boundaries, docs, tests, route metadata, core-engine boundary, and directly synchronized templates when installed | support-contract bloat, accidental public API, UI/CLI/API duplicate core logic, hidden integration promise, unsupported automation route, unowned recovery path, stale compatibility promise, or implementation explanation leaking into user-facing UI copy | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Product stage, actors, recommended surfaces, deferred and unsupported surfaces, blocking questions, maintenance and compatibility risks, core engine versus shell boundary, staged plan, verification, and remaining support-surface risk |
472
477
  | A task chooses, migrates, rewrites, or justifies a primary language, runtime, framework, compile target, or execution environment | `.mustflow/skills/runtime-target-selection/SKILL.md` | Current runtime surfaces, target options, product or system need, environment constraints, migration boundary, smoke targets, and performance or reliability claims | Decision records, skill procedures, route metadata, migration plans, command-contract proposals, tests, fixtures, docs, and smallest selected migration scaffold | language-preference rewrite, unsupported runtime target, unusable build loop, cache or artifact blowup, missing smoke target, deployment drift, or false performance claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_related`, `test_release`, `mustflow_check` | Decision boundary, candidate targets, environment and build-loop evidence, smoke targets, migration boundary, calibrated claims, verification, and remaining runtime-target risk |
473
478
  | Non-trivial code work needs early structure decisions around domain rules, public contracts, external I/O, operational safety, failure handling, concurrency, data flow, or future change cost | `.mustflow/skills/structure-first-engineering/SKILL.md` | User request, target files, project context, core boundary, data flow, expected failures, public contracts, I/O surfaces, and verification contract | Risk block, focused boundaries, DTOs, adapters, pure functions, error models, tests, and directly synchronized docs or contracts | under-designed hard boundary, speculative abstraction, vague service layer, mixed I/O and domain rules, hidden partial failure, or untestable behavior | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Work risk, structure decision, data flow, failure model, I/O and concurrency boundaries, tests, verification, and remaining structure risk |
479
+ | HTTP API method semantics, safe/idempotent/cacheable claims, GET or HEAD request-body assumptions, OPTIONS capability discovery, HTTP QUERY, POST versus PUT URI ownership, PUT replacement, PATCH document formats, DELETE behavior, conditional requests, status-code recovery, cache headers, CORS method discovery, retry behavior, or intermediary compatibility are created, changed, reviewed, or reported | `.mustflow/skills/http-api-semantics-review/SKILL.md` | Endpoint method ledger, method contract, concurrency contract, PATCH media type and atomicity, GET/QUERY/POST search contract, cache and capability headers, caller and intermediary support evidence, and configured command intents | Route handlers, method choices, validators, OpenAPI or docs, SDK examples, gateway rules, CORS rules, cache headers, conditional request handling, status-code maps, focused tests, and directly synchronized templates | hidden GET mutation, non-portable GET or HEAD body, PUT partial merge, ambiguous PATCH JSON, PATCH partial success, DELETE body dependency, duplicate DELETE side effect, POST search semantic blur, QUERY without media type or body-aware cache key, stale-client field loss, missing If-Match, confused Allow versus CORS methods, `no-cache` treated as `no-store`, collapsed status-code recovery, or proxy/CDN/client incompatibility | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | HTTP API semantics reviewed, endpoint method ledger, safe/idempotent/cache/header/status/conditional request findings, fixes or recommendations, synchronized API surfaces, verification, and remaining HTTP semantics risk |
474
480
  | HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, request/response schema, status code, header, content negotiation, cache header, error envelope, pagination, filtering, sorting, search, generated client, SDK, mock, fixture, or API docs contract is created or changed | `.mustflow/skills/api-contract-change/SKILL.md` | API style, contract source of truth, changed operations, request and response schemas, status and headers, content negotiation, error envelope, auth and permission behavior, pagination/filter/sort/search semantics, generated clients, SDKs, mocks, fixtures, callers, docs, and command contract entries | Routes, handlers, resolvers, validators, schemas, generated clients, SDKs, mocks, fixtures, docs, tests, and directly synchronized examples | route-only change, schema drift, generated-client breakage, hidden breaking change, status or error drift, pagination/search semantic drift, auth/permission drift, cache/header drift, or stale docs examples | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API contract source, changed operations, compatibility classification, synchronized client/schema/docs/tests surfaces, verification, and remaining API contract risk |
475
481
  | Backend APIs, workers, jobs, queues, caches, database write paths, external service calls, health checks, observability, feature flags, idempotency, retries, outbox/inbox processing, or operational failure handling are created, changed, reviewed, or reported | `.mustflow/skills/backend-reliability-change/SKILL.md` | Backend surface, trigger shape, idempotency boundary, external-call deadline and retry policy, persistence and transaction boundary, queue/cache behavior, observability fields, rollout gate, and command contract entries | Handlers, services, workers, retry policy, timeout policy, idempotency storage, outbox/inbox code, cache boundaries, health endpoints, observability fields, flags, tests, docs, and directly synchronized templates | duplicate side effects, retry storm, unbounded wait, DB uniqueness race, cache stampede, stale cache authority, poison message loop, missing outbox/inbox, raw ORM response, object-level authorization bypass, high-cardinality telemetry, secret or personal-data log leak, broken liveness/readiness, or missing kill switch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Backend surface, idempotency and retry/timeout decisions, queue/cache/database notes, health-probe split, observability and auth/DTO notes, rollout gate, verification, and remaining backend reliability risk |
476
482
  | HTTP delivery, content coding, compression negotiation, CDN or proxy cache behavior, streaming responses, SSE, EventSource, WebTransport, WebSocket fallback, HTTP/2 or HTTP/3 transport behavior, browser transport clients, reverse-proxy buffering, reconnect behavior, or delivery observability is created, changed, reviewed, or reported | `.mustflow/skills/http-delivery-streaming/SKILL.md` | Delivery surface, routes or assets, headers, cache and proxy/CDN path, browser/API clients, fallback behavior, streaming lifecycle, compression or dictionary choice, and observability fields | Route handlers, response headers, CDN/proxy config, browser transport code, streaming adapters, fallback clients, docs, tests, and directly synchronized templates | wrong content decoding, cache poisoning, private data cached publicly, proxy buffering, lost events, reconnect gaps, unsupported transport, unreliable datagram misuse, false compression win, or fallback failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Delivery ledger, negotiated encodings, cache/proxy behavior, stream/reconnect/fallback behavior, verification, and remaining delivery risk |