mustflow 2.103.16 → 2.103.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -0
- package/dist/cli/commands/run/args.js +83 -0
- package/dist/cli/commands/run/execution.js +334 -0
- package/dist/cli/commands/run/preview.js +29 -0
- package/dist/cli/commands/run/profile.js +6 -0
- package/dist/cli/commands/run.js +19 -425
- package/dist/cli/commands/script-pack.js +1 -0
- package/dist/cli/commands/verify.js +15 -18
- package/dist/cli/i18n/en.js +27 -0
- package/dist/cli/i18n/es.js +27 -0
- package/dist/cli/i18n/fr.js +27 -0
- package/dist/cli/i18n/hi.js +27 -0
- package/dist/cli/i18n/ko.js +27 -0
- package/dist/cli/i18n/zh.js +27 -0
- package/dist/cli/lib/command-registry.js +92 -0
- package/dist/cli/lib/option-parser.js +26 -0
- package/dist/cli/lib/script-pack-registry.js +39 -0
- package/dist/cli/script-packs/code-module-boundary.js +210 -0
- package/dist/cli/script-packs/repo-env-contract.js +4 -17
- package/dist/cli/script-packs/repo-secret-risk-scan.js +4 -17
- package/dist/cli/script-packs/repo-security-pattern-scan.js +4 -17
- package/dist/core/module-boundary.js +523 -0
- package/dist/core/public-json-contracts.js +50 -0
- package/dist/core/script-pack-suggestions.js +5 -0
- package/package.json +1 -1
- package/schemas/README.md +12 -0
- package/schemas/check-report.schema.json +52 -0
- package/schemas/index-report.schema.json +103 -0
- package/schemas/module-boundary-report.schema.json +210 -0
- package/schemas/search-report.schema.json +102 -0
- package/schemas/status-report.schema.json +50 -0
- package/templates/default/i18n.toml +10 -4
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +7 -1
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +16 -2
- package/templates/default/locales/en/.mustflow/skills/http-api-semantics-review/SKILL.md +286 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +12 -1
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +17 -10
- package/templates/default/locales/en/.mustflow/skills/routes.toml +6 -0
- package/templates/default/manifest.toml +8 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.database-migration-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: database-migration-change
|
|
9
|
-
description: Apply this skill when database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, online DDL, large indexes, constraints, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback or roll-forward claims, cut-over plans, lock or timeout policy, replication lag risk, migration observability, or production database migration procedures are created, changed, reviewed, or reported.
|
|
9
|
+
description: Apply this skill when database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, online DDL, large indexes, constraints, state-dependent CHECK constraints, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback or roll-forward claims, cut-over plans, lock or timeout policy, replication lag risk, migration observability, or production database migration procedures are created, changed, reviewed, or reported.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -58,6 +58,9 @@ Migration incidents usually happen in the interval where old code, new code, old
|
|
|
58
58
|
- Deployment shape: single-step deploy, rolling deploy, blue-green, multiple app versions, background workers, read replicas, multiple services, serverless functions, mobile clients, or external integrations.
|
|
59
59
|
- Database engine and operational surface: PostgreSQL, MySQL, SQLite, SQL Server, managed database, migration lock behavior, DDL transaction behavior, online DDL options, table size, write load, long-running transactions, replication or CDC topology, expected lock time, statement timeout, lock timeout, and restore capability when known.
|
|
60
60
|
- Data preservation needs, compatibility window, backfill size, batch strategy, cursor or checkpoint marker, validation query, observability query, rollback or roll-forward type, cut-over control, and whether old code can run after the new schema lands.
|
|
61
|
+
- State and timestamp invariant matrix when a migration introduces lifecycle statuses, terminal
|
|
62
|
+
timestamps, retry or dead-letter states, delivery states, soft-delete states, approval states, or
|
|
63
|
+
other columns whose valid nullability depends on status.
|
|
61
64
|
- Relevant command-intent entries for build, generated-output checks, tests, docs, release, and mustflow validation.
|
|
62
65
|
|
|
63
66
|
<!-- mustflow-section: preconditions -->
|
|
@@ -114,6 +117,14 @@ Migration incidents usually happen in the interval where old code, new code, old
|
|
|
114
117
|
11. For constraints and foreign keys, use staged validation when the database supports it.
|
|
115
118
|
- PostgreSQL `NOT VALID` constraints and later `VALIDATE CONSTRAINT` can avoid validating old rows during the first lock-sensitive change while still protecting new writes.
|
|
116
119
|
- Foreign keys on large or hot tables need separate add, repair/backfill, validate, and fallback planning rather than one heroic migration.
|
|
120
|
+
- CHECK constraints must reject impossible domain states, not only prove column types. For
|
|
121
|
+
lifecycle tables, build a status matrix before writing the constraint: each status should name
|
|
122
|
+
which timestamps or reason fields are required, forbidden, or still pending. For example,
|
|
123
|
+
a delivered row should not also have a dead-letter timestamp, and a dead-lettered row should
|
|
124
|
+
not also look delivered unless the domain explicitly has a separate correction state.
|
|
125
|
+
- When existing rows may already violate the new matrix, split the change into repair, add
|
|
126
|
+
unvalidated constraint where supported, validate, and then rely on the constraint as the last
|
|
127
|
+
gate. Do not let application comments or happy-path tests stand in for the database invariant.
|
|
117
128
|
12. For indexes, check table size, write load, lock behavior, concurrent or online index support, uniqueness validation, existing duplicates, and whether generated ORM queries will use the index.
|
|
118
129
|
- PostgreSQL `CREATE INDEX CONCURRENTLY` avoids blocking ordinary writes but still scans more than once, waits for old transactions, consumes I/O, and cannot run inside a transaction block.
|
|
119
130
|
- MySQL online DDL and `ALGORITHM=INSTANT` have version, row-format, index, row-size, and operation limits; specify `ALGORITHM=INSTANT` or `LOCK=NONE` only when unsupported fallback should fail instead of silently rebuilding a table.
|
|
@@ -170,6 +181,8 @@ Migration incidents usually happen in the interval where old code, new code, old
|
|
|
170
181
|
- Expand, backfill, switch, and contract phases are separated or explicitly proven unnecessary.
|
|
171
182
|
- Old-code/new-schema and new-code/expanded-schema compatibility is classified.
|
|
172
183
|
- Backfill and validation behavior is cursor-based or otherwise bounded, restartable, idempotent, observable, and checkable where relevant.
|
|
184
|
+
- State-dependent CHECK constraints, terminal timestamp exclusivity, and valid nullability matrices
|
|
185
|
+
are explicit where status columns can otherwise contradict timestamp or reason columns.
|
|
173
186
|
- Lock levels, online DDL support, long-running transaction waits, replication lag, cut-over control, timeout policy, and observability queries are explicit where production data may be affected.
|
|
174
187
|
- Rollback claims distinguish schema rollback, data rollback, app rollback, roll-forward, forward-fix, and restore-required cases.
|
|
175
188
|
- Destructive changes and production lock risks are either deferred, measured, guarded, or reported as remaining risk.
|
|
@@ -212,6 +225,7 @@ Prefer configured migration dry-run, generated-output, schema-diff, or database
|
|
|
212
225
|
- Old-code/new-schema and new-code/expanded-schema compatibility
|
|
213
226
|
- Expand/backfill/switch/contract plan and destructive cleanup timing
|
|
214
227
|
- Backfill cursor, idempotency, throttle, pause/resume, validation, lock, timeout, replication, cut-over, and observability classification
|
|
228
|
+
- Status, timestamp, CHECK constraint, and existing-row validation matrix where relevant
|
|
215
229
|
- Rollback, app rollback, roll-forward, forward-fix, and restore-required classification
|
|
216
230
|
- ORM/generated client/schema dump/snapshot surfaces synchronized
|
|
217
231
|
- Dependent surfaces checked
|
|
@@ -0,0 +1,286 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.http-api-semantics-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: http-api-semantics-review
|
|
9
|
+
description: Apply this skill when HTTP API method semantics, safe or idempotent behavior, GET or HEAD request-body assumptions, OPTIONS or Allow discovery, HTTP QUERY, POST versus PUT URI ownership, PUT replacement, PATCH document formats, DELETE behavior, conditional requests, status codes, cache headers, CORS method discovery, retry behavior, or intermediary compatibility need review.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.http-api-semantics-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# HTTP API Semantics Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review HTTP APIs as method, status, header, cache, retry, and intermediary contracts, not as CRUD
|
|
33
|
+
labels or controller naming preferences.
|
|
34
|
+
|
|
35
|
+
The review question is not "does this route work in the current framework?" It is "will browsers,
|
|
36
|
+
crawlers, caches, gateways, SDKs, retries, stale clients, and concurrent callers interpret this
|
|
37
|
+
request the same way the server does?"
|
|
38
|
+
|
|
39
|
+
<!-- mustflow-section: use-when -->
|
|
40
|
+
## Use When
|
|
41
|
+
|
|
42
|
+
- HTTP or REST routes, handlers, OpenAPI documents, API docs, SDKs, gateways, middleware, CORS
|
|
43
|
+
policy, cache policy, status-code maps, or request/response headers are created, changed,
|
|
44
|
+
reviewed, or reported.
|
|
45
|
+
- A change chooses or changes GET, HEAD, OPTIONS, POST, PUT, PATCH, DELETE, QUERY, or fallback
|
|
46
|
+
behavior.
|
|
47
|
+
- A review claims that an endpoint is safe, idempotent, cacheable, retry-safe, crawler-safe,
|
|
48
|
+
prefetch-safe, proxy-safe, CDN-compatible, or portable across HTTP clients.
|
|
49
|
+
- The task involves PUT full replacement, PATCH document semantics, DELETE bodies, POST search,
|
|
50
|
+
GET or HEAD request bodies, HTTP QUERY, Accept-Patch, Accept-Query, Allow, ETag, If-Match,
|
|
51
|
+
If-None-Match, Cache-Control, Vary, Location, Content-Location, Retry-After, or CORS method
|
|
52
|
+
discovery.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
55
|
+
## Do Not Use When
|
|
56
|
+
|
|
57
|
+
- The main work is broad API source-of-truth synchronization, generated clients, schema drift, or
|
|
58
|
+
compatibility classification; use `api-contract-change` first and this skill only for HTTP
|
|
59
|
+
method semantics.
|
|
60
|
+
- The main work is caller ergonomics, ambiguous DTOs, hidden operation modes, or SDK usability; use
|
|
61
|
+
`api-misuse-resistance-review`.
|
|
62
|
+
- The main work is duplicate business side effects or retry delivery; use
|
|
63
|
+
`idempotency-integrity-review`.
|
|
64
|
+
- The main work is cache key truth, stale data, invalidation, Redis, or cache outage behavior; use
|
|
65
|
+
`cache-integrity-review`.
|
|
66
|
+
- The main work is response streaming, compression, proxy buffering, SSE, WebTransport, or delivery
|
|
67
|
+
transport behavior; use `http-delivery-streaming`.
|
|
68
|
+
- The API is not HTTP-facing and no HTTP method, status, header, cache, CORS, retry, or
|
|
69
|
+
intermediary behavior is part of the contract.
|
|
70
|
+
|
|
71
|
+
<!-- mustflow-section: required-inputs -->
|
|
72
|
+
## Required Inputs
|
|
73
|
+
|
|
74
|
+
- Endpoint ledger: method, path, request body meaning, success statuses, error statuses, headers,
|
|
75
|
+
auth and permission requirement, cacheability, caller types, and fallback paths.
|
|
76
|
+
- Method contract: whether the caller requests a safe operation, an idempotent operation, a full
|
|
77
|
+
representation replacement, a patch document application, a server-selected creation, a
|
|
78
|
+
client-selected target URI, a delete/unlink operation, or a safe body-bearing query.
|
|
79
|
+
- Concurrency contract: ETag or version source, conditional request requirements, lost-update
|
|
80
|
+
behavior, conflict behavior, and retry behavior after unknown outcomes.
|
|
81
|
+
- Patch contract when PATCH is used: media type, patch grammar, null and omission semantics,
|
|
82
|
+
atomicity boundary, validation timing, Accept-Patch discovery, and status-code recovery map.
|
|
83
|
+
- Query contract when GET, QUERY, or POST search is used: canonical GET strategy, query body media
|
|
84
|
+
type, Accept-Query or Allow discovery, fallback behavior, cache-key inputs, canonicalization,
|
|
85
|
+
Location or Content-Location behavior, and sensitive-data handling.
|
|
86
|
+
- Cache and capability contract: Cache-Control, Vary, ETag, Last-Modified, Location,
|
|
87
|
+
Content-Location, Allow, Access-Control-Allow-Methods, Accept-Patch, Accept-Query, Retry-After,
|
|
88
|
+
and RateLimit header behavior when relevant.
|
|
89
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
90
|
+
validation.
|
|
91
|
+
|
|
92
|
+
<!-- mustflow-section: preconditions -->
|
|
93
|
+
## Preconditions
|
|
94
|
+
|
|
95
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
96
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
97
|
+
current scope.
|
|
98
|
+
- The current contract source of truth is known, such as OpenAPI, route validators, handler tests,
|
|
99
|
+
API docs, gateway config, or SDK examples.
|
|
100
|
+
- If HTTP semantics changes affect request or response shapes, generated clients, auth, permission,
|
|
101
|
+
cache correctness, duplicate side effects, or streaming delivery, also apply the narrower matching
|
|
102
|
+
skill before finalizing that part.
|
|
103
|
+
|
|
104
|
+
<!-- mustflow-section: allowed-edits -->
|
|
105
|
+
## Allowed Edits
|
|
106
|
+
|
|
107
|
+
- Update route handlers, method choices, validators, OpenAPI or API docs, SDK examples, gateway
|
|
108
|
+
rules, CORS rules, cache headers, conditional request handling, status-code maps, and focused
|
|
109
|
+
tests tied to the changed HTTP contract.
|
|
110
|
+
- Add explicit support or rejection for GET or HEAD bodies, DELETE bodies, unsupported methods,
|
|
111
|
+
unsupported patch media types, missing preconditions, and body-bearing safe queries.
|
|
112
|
+
- Add capability discovery through Allow, Accept-Patch, Accept-Query, and documented fallback
|
|
113
|
+
behavior when the API exposes those capabilities.
|
|
114
|
+
- Do not silently convert PUT into partial merge, PATCH into ambiguous JSON merge, GET into a
|
|
115
|
+
command, POST search into a safe operation without naming fallback semantics, or cache policy into
|
|
116
|
+
prose-only behavior.
|
|
117
|
+
|
|
118
|
+
<!-- mustflow-section: procedure -->
|
|
119
|
+
## Procedure
|
|
120
|
+
|
|
121
|
+
1. Build a method semantics ledger for every endpoint under review:
|
|
122
|
+
- method;
|
|
123
|
+
- target URI ownership;
|
|
124
|
+
- whether the method is safe, idempotent, and cacheable for this operation;
|
|
125
|
+
- request body meaning;
|
|
126
|
+
- expected automatic retry behavior;
|
|
127
|
+
- success, conflict, validation, unsupported-media, precondition, rate-limit, and overload
|
|
128
|
+
statuses.
|
|
129
|
+
2. Check safe methods first.
|
|
130
|
+
- GET, HEAD, and OPTIONS must not request business mutations.
|
|
131
|
+
- Safe does not mean unauthenticated, cheap, unmetered, or cache-public.
|
|
132
|
+
- Crawlers, link previews, browser prefetch, health checks, and monitoring can trigger safe
|
|
133
|
+
methods.
|
|
134
|
+
3. Reject public GET and HEAD request-body semantics unless the API intentionally documents a
|
|
135
|
+
non-portable private contract.
|
|
136
|
+
- Prefer GET query parameters for small, shareable, cacheable, non-sensitive reads.
|
|
137
|
+
- Prefer QUERY for safe, idempotent, body-bearing queries when clients, gateways, servers, and
|
|
138
|
+
docs can support it.
|
|
139
|
+
- Use POST as a compatibility fallback or state-changing processing request, not as an unnamed
|
|
140
|
+
safe query.
|
|
141
|
+
4. Review OPTIONS as capability discovery.
|
|
142
|
+
- OPTIONS is not only a CORS preflight shortcut.
|
|
143
|
+
- Keep `Allow` for HTTP method support separate from `Access-Control-Allow-Methods` for CORS.
|
|
144
|
+
- Ensure 405 responses include an accurate `Allow` header.
|
|
145
|
+
5. Review POST versus PUT URI ownership.
|
|
146
|
+
- Use POST when the server chooses the new resource URI or processes a resource-specific command.
|
|
147
|
+
- Use PUT when the client knows the target URI and wants that target representation created or
|
|
148
|
+
replaced.
|
|
149
|
+
- Do not let PUT write to a different URI without redirect or explicit contract.
|
|
150
|
+
6. Review PUT as replacement.
|
|
151
|
+
- A PUT body is the new representation for the target URI, not a partial DTO by default.
|
|
152
|
+
- Reject incomplete replacement bodies, require full client-owned representations, or choose
|
|
153
|
+
PATCH or a command resource instead.
|
|
154
|
+
- For create-only PUT, require `If-None-Match: *` where concurrent creation matters.
|
|
155
|
+
- For update-only PUT, require `If-Match` or another version precondition where lost updates
|
|
156
|
+
matter.
|
|
157
|
+
7. Review PATCH as patch document application.
|
|
158
|
+
- Pick and document the patch media type, such as `application/merge-patch+json`,
|
|
159
|
+
`application/json-patch+json`, or a domain-specific media type.
|
|
160
|
+
- Do not use bare `application/json` when null, omission, delete, array, and command semantics
|
|
161
|
+
are ambiguous.
|
|
162
|
+
- Advertise supported patch formats with `Accept-Patch` where capability discovery matters.
|
|
163
|
+
- Apply the whole patch atomically. Partial patch success is a contract failure.
|
|
164
|
+
- Validate the resulting resource, not only the patch document syntax.
|
|
165
|
+
8. Review DELETE as target-resource unlinking, not necessarily physical storage deletion.
|
|
166
|
+
- Do not require identical repeat response statuses for idempotency; require identical intended
|
|
167
|
+
effect and duplicate-safe side effects.
|
|
168
|
+
- Avoid DELETE request bodies for portable bulk or filtered deletes. Prefer item DELETE calls or
|
|
169
|
+
POST command resources such as deletion jobs.
|
|
170
|
+
- Document soft-delete, tombstone, retention, restore, and audit behavior when callers rely on
|
|
171
|
+
lifecycle outcomes.
|
|
172
|
+
9. Review conditional requests and lost-update protection.
|
|
173
|
+
- Use strong ETags or equivalent version tokens when concurrent writers can overwrite one
|
|
174
|
+
another.
|
|
175
|
+
- Use `If-Match` for update preconditions and `If-None-Match: *` for create-if-absent.
|
|
176
|
+
- Return `412 Precondition Failed` for failed preconditions and `428 Precondition Required` when
|
|
177
|
+
the API refuses unsafe writes without preconditions.
|
|
178
|
+
10. Review QUERY and search design.
|
|
179
|
+
- Keep simple, bookmarkable, shareable, cacheable searches on GET where possible.
|
|
180
|
+
- Use QUERY for safe, idempotent, body-bearing queries whose inputs do not belong cleanly in the
|
|
181
|
+
URI.
|
|
182
|
+
- Define the request media type and reject missing or inconsistent Content-Type.
|
|
183
|
+
- Expose support through `Allow` and supported query formats through `Accept-Query` when
|
|
184
|
+
clients need discovery.
|
|
185
|
+
- Build cache keys from request content plus relevant metadata, and canonicalize only
|
|
186
|
+
semantically insignificant differences.
|
|
187
|
+
- Decide whether `Content-Location`, `Location`, or `303 See Other` gives callers a GET-able
|
|
188
|
+
result, equivalent query, or stored job/resource.
|
|
189
|
+
- Use POST fallback only as a compatibility shell over the same internal query model.
|
|
190
|
+
11. Review status codes as recovery instructions.
|
|
191
|
+
- Use `201` plus `Location` and preferably `ETag` when a resource is created.
|
|
192
|
+
- Use `202` plus a status resource when work is accepted but unfinished.
|
|
193
|
+
- Use `204` for successful no-body responses, `206` for partial content, and `304` for
|
|
194
|
+
conditional cache validation.
|
|
195
|
+
- Separate malformed input (`400`), unsupported media (`415`), current-state conflict (`409`),
|
|
196
|
+
failed precondition (`412`), missing precondition (`428`), valid-but-unprocessable content
|
|
197
|
+
(`422`), method unsupported for the resource (`405` with `Allow`), method unknown (`501`),
|
|
198
|
+
rate limit (`429` with `Retry-After` where useful), and overload (`503` with `Retry-After`
|
|
199
|
+
where useful).
|
|
200
|
+
12. Review HTTP cache semantics.
|
|
201
|
+
- `no-cache` means revalidate before reuse. `no-store` means do not store.
|
|
202
|
+
- Use `private`, `public`, `s-maxage`, validators, and `Vary` according to viewer, auth,
|
|
203
|
+
language, encoding, content negotiation, and tenant dimensions.
|
|
204
|
+
- Do not assume a successful unsafe method invalidates every list, search, feed, recommendation,
|
|
205
|
+
CDN tag, or read model that can include the changed resource.
|
|
206
|
+
13. Check synchronized surfaces before finalizing.
|
|
207
|
+
- Route code, validators, OpenAPI or docs, generated clients, SDK examples, gateway and CORS
|
|
208
|
+
config, cache config, status-code fixtures, retry docs, tests, monitoring, and release notes
|
|
209
|
+
should agree with the HTTP method contract.
|
|
210
|
+
- If deterministic proxy, CDN, browser, or gateway evidence is unavailable, report that gap
|
|
211
|
+
instead of claiming portability.
|
|
212
|
+
|
|
213
|
+
## Strongly Forbidden Patterns
|
|
214
|
+
|
|
215
|
+
- GET, HEAD, or OPTIONS hidden business mutations.
|
|
216
|
+
- Public GET or HEAD request bodies as if they were portable HTTP contracts.
|
|
217
|
+
- PUT partial update merge without an explicit non-PUT contract.
|
|
218
|
+
- PATCH with ambiguous `application/json` semantics.
|
|
219
|
+
- PATCH partial success.
|
|
220
|
+
- DELETE request bodies for portable bulk or filtered operations.
|
|
221
|
+
- Treating DELETE idempotency as identical status codes while duplicate side effects replay.
|
|
222
|
+
- Treating `no-cache` as `no-store`.
|
|
223
|
+
- Mixing `Allow` with `Access-Control-Allow-Methods`.
|
|
224
|
+
- POST search without naming safe-query fallback and cache behavior.
|
|
225
|
+
- QUERY without media type, support discovery, body-aware cache key, and intermediary support plan.
|
|
226
|
+
- Collapsing status codes so clients cannot tell whether to fix input, refresh state, retry later,
|
|
227
|
+
update ETags, or change media type.
|
|
228
|
+
|
|
229
|
+
<!-- mustflow-section: postconditions -->
|
|
230
|
+
## Postconditions
|
|
231
|
+
|
|
232
|
+
- Method semantics, request body meaning, URI ownership, retry expectations, status-code recovery,
|
|
233
|
+
conditional requests, capability discovery, cache semantics, and intermediary assumptions are
|
|
234
|
+
explicit or reported as missing.
|
|
235
|
+
- PUT, PATCH, DELETE, GET, HEAD, OPTIONS, POST, and QUERY behavior is either aligned with HTTP
|
|
236
|
+
semantics or intentionally documented as a narrow non-portable contract.
|
|
237
|
+
- API docs, tests, SDKs, generated clients, gateways, CORS rules, cache headers, and observability
|
|
238
|
+
agree with the chosen HTTP contract where relevant.
|
|
239
|
+
|
|
240
|
+
<!-- mustflow-section: verification -->
|
|
241
|
+
## Verification
|
|
242
|
+
|
|
243
|
+
Use configured oneshot command intents when available:
|
|
244
|
+
|
|
245
|
+
- `changes_status`
|
|
246
|
+
- `changes_diff_summary`
|
|
247
|
+
- `lint`
|
|
248
|
+
- `build`
|
|
249
|
+
- `test_related`
|
|
250
|
+
- `test`
|
|
251
|
+
- `docs_validate_fast`
|
|
252
|
+
- `test_release`
|
|
253
|
+
- `mustflow_check`
|
|
254
|
+
|
|
255
|
+
Prefer the narrowest configured tests or docs checks that exercise the HTTP method, status, header,
|
|
256
|
+
cache, conditional request, QUERY, fallback, or generated-client contract from a caller's
|
|
257
|
+
perspective. Do not infer raw browser, proxy, CDN, gateway, load-test, or live-network commands
|
|
258
|
+
outside the command contract.
|
|
259
|
+
|
|
260
|
+
<!-- mustflow-section: failure-handling -->
|
|
261
|
+
## Failure Handling
|
|
262
|
+
|
|
263
|
+
- If the contract source of truth is unclear, stop and report the competing route, schema, gateway,
|
|
264
|
+
docs, and SDK sources instead of editing only one surface.
|
|
265
|
+
- If a method choice conflicts with existing callers, classify the compatibility risk and use
|
|
266
|
+
`api-contract-change` before changing public behavior.
|
|
267
|
+
- If duplicate side effects, cache sharing, security, or streaming delivery risks are found, switch
|
|
268
|
+
to the narrower matching skill before finalizing that part.
|
|
269
|
+
- If deterministic HTTP interoperability proof requires browser, gateway, CDN, proxy, or production
|
|
270
|
+
telemetry not configured in `.mustflow/config/commands.toml`, complete available local checks and
|
|
271
|
+
report the manual evidence gap.
|
|
272
|
+
|
|
273
|
+
<!-- mustflow-section: output-format -->
|
|
274
|
+
## Output Format
|
|
275
|
+
|
|
276
|
+
- HTTP API semantics reviewed
|
|
277
|
+
- Endpoint method ledger
|
|
278
|
+
- Safe, idempotent, cacheable, request-body, URI-ownership, PUT, PATCH, DELETE, QUERY, conditional
|
|
279
|
+
request, status-code, header discovery, CORS, cache, retry, and intermediary findings
|
|
280
|
+
- Fixes made or recommendations
|
|
281
|
+
- Synchronized docs, tests, SDK, generated client, gateway, and cache surfaces
|
|
282
|
+
- Evidence level: configured-test evidence, docs evidence, static review risk, manual-only,
|
|
283
|
+
missing, or not applicable
|
|
284
|
+
- Command intents run
|
|
285
|
+
- Skipped HTTP interoperability checks and reasons
|
|
286
|
+
- Remaining HTTP semantics risk
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.module-boundary-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: module-boundary-review
|
|
@@ -76,6 +76,9 @@ who must change, who owns the data, who owns the failure, and who should not nee
|
|
|
76
76
|
history showing files that usually move together.
|
|
77
77
|
- Module graph evidence: imports, exports, public APIs, call sites, dependency direction, cycles,
|
|
78
78
|
shared helpers, DTO flow, and configuration reads.
|
|
79
|
+
- Configured guardrail evidence when available: `code/module-boundary` results for
|
|
80
|
+
`.mustflow/config/module-boundaries.toml` layer deny rules, public entrypoints, feature imports,
|
|
81
|
+
shared budgets, and import cycles.
|
|
79
82
|
- Ownership evidence: source of truth for data, owner of policy decisions, owner of failure handling,
|
|
80
83
|
owner of cache invalidation, owner of time and config interpretation, and owner of authorization.
|
|
81
84
|
- Test evidence: number and kind of mocks, pure-domain tests, integration tests, worker or batch
|
|
@@ -131,6 +134,9 @@ who must change, who owns the data, who owns the failure, and who should not nee
|
|
|
131
134
|
- If A imports B and B imports A, identify the missing concept, ownership decision, event, port, or
|
|
132
135
|
data-flow direction.
|
|
133
136
|
- Do not accept "they need each other" without naming the invariant that forces the cycle.
|
|
137
|
+
- When the repository declares `.mustflow/config/module-boundaries.toml`, use the read-only
|
|
138
|
+
`code/module-boundary` script-pack report as executable evidence before relying on prose-only
|
|
139
|
+
boundary claims.
|
|
134
140
|
5. Trace DTO infection.
|
|
135
141
|
- API response DTOs, request DTOs, ORM rows, provider payloads, and UI view models should not
|
|
136
142
|
become domain, repository, batch, worker, or event models by default.
|
|
@@ -250,6 +256,11 @@ Prefer the narrowest configured test, build, docs, release, or mustflow intent t
|
|
|
250
256
|
module boundary. Use release or docs checks when templates, public docs, package metadata, public APIs,
|
|
251
257
|
schemas, generated clients, or install surfaces change.
|
|
252
258
|
|
|
259
|
+
When the command contract and script-pack metadata expose it, `code/module-boundary` may provide
|
|
260
|
+
read-only evidence for configured import-boundary rules. A missing module-boundary config is
|
|
261
|
+
non-blocking evidence that no executable boundary rules were enforced, not proof that the module
|
|
262
|
+
design is clean.
|
|
263
|
+
|
|
253
264
|
<!-- mustflow-section: failure-handling -->
|
|
254
265
|
## Failure Handling
|
|
255
266
|
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.payment-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: payment-integrity-review
|
|
9
|
-
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
9
|
+
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -36,7 +36,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
36
36
|
## Use When
|
|
37
37
|
|
|
38
38
|
- Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, receipt, entitlement, fulfillment, subscription, invoice, trial, grace period, coupon, promotion, or inventory reservation logic is created, changed, reviewed, or reported.
|
|
39
|
-
- Provider webhook handling, provider callback handling, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
|
|
39
|
+
- Provider webhook handling, provider callback handling, payment outbox records, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
|
|
40
40
|
- Client-supplied amount, currency, quantity, product, discount, shipping, tax, order, subscription, refund, or customer identifiers can influence a payment action.
|
|
41
41
|
- Manual admin payment operations, payment logs, audit trails, or payment-related tests need review.
|
|
42
42
|
|
|
@@ -59,9 +59,12 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
59
59
|
- State-transition ledger: internal states, provider states, allowed transitions, terminal states,
|
|
60
60
|
retry states, async states, hold states, kill-switch states, and transition owners.
|
|
61
61
|
- Event log ledger: request submission, provider response, redirect, webhook receipt, webhook
|
|
62
|
-
application, state transition, queue handoff, reconciliation decision, fulfillment,
|
|
63
|
-
dispute, admin override, and correction events with ordering, actor, reason,
|
|
64
|
-
evidence.
|
|
62
|
+
application, state transition, outbox event, queue handoff, reconciliation decision, fulfillment,
|
|
63
|
+
refund, dispute, admin override, and correction events with ordering, actor, reason, event type,
|
|
64
|
+
and immutable evidence.
|
|
65
|
+
- Outbox event-type ledger: allowed internal event type vocabulary, enum or constant registry,
|
|
66
|
+
parser or validator, database constraint when available, and the rejection path for unknown,
|
|
67
|
+
stale, misspelled, or provider-shaped event types.
|
|
65
68
|
- Idempotency and uniqueness ledger: logical operation IDs, provider idempotency keys, database uniqueness constraints, webhook event dedupe keys, fulfillment dedupe keys, and retry behavior.
|
|
66
69
|
- Amount and currency ledger: product/cart snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, and settlement amount.
|
|
67
70
|
- Ownership ledger: user, tenant, account, order, payment session, refund, subscription, invoice, entitlement, admin actor, and provider customer ownership checks.
|
|
@@ -81,7 +84,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
81
84
|
<!-- mustflow-section: allowed-edits -->
|
|
82
85
|
## Allowed Edits
|
|
83
86
|
|
|
84
|
-
- Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
87
|
+
- Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
85
88
|
- Do not replace a focused payment-integrity fix with a broad payment platform rewrite unless the current code cannot preserve money correctness with a smaller boundary.
|
|
86
89
|
- Do not add live payment secrets, real card data, real refunds, real charges, or live-provider side effects.
|
|
87
90
|
|
|
@@ -96,6 +99,10 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
96
99
|
3. Keep an immutable event trail. Store request submission, provider response, redirect, webhook,
|
|
97
100
|
state transition, queue handoff, reconciliation, fulfillment, refund, dispute, and admin override
|
|
98
101
|
events with actor, reason, timestamp, provider reference, and before/after state when relevant.
|
|
102
|
+
- For internal outbox rows, validate `event_type` against the owned payment event vocabulary
|
|
103
|
+
before deriving idempotency keys, publishing, or persisting follow-up work. Do not let free-form
|
|
104
|
+
strings, provider event names, stale constants, or user-controlled values become trusted outbox
|
|
105
|
+
operation types.
|
|
99
106
|
4. Calculate amount on the server. Treat client-supplied amount, currency, quantity, discount, coupon, tax, shipping, product ID, plan ID, or cart totals as input claims only; rebuild the payable total from trusted product, cart, account, and policy snapshots.
|
|
100
107
|
5. Bind every payment object to its owner. Verify user, tenant, order, payment session, refund, subscription, invoice, provider customer, and admin actor ownership before read, write, refund, cancel, fulfillment, or entitlement changes.
|
|
101
108
|
6. Compare every amount ledger. Trace order amount, provider request amount, provider response amount, internal money ledger, receipt, settlement, fee, refund, and entitlement amount. Flag any path where one amount can drift without reconciliation.
|
|
@@ -136,8 +143,8 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
136
143
|
|
|
137
144
|
- The payment surface has a money-event map, provider interaction map, identifier map,
|
|
138
145
|
state-transition map, immutable event log, idempotency and uniqueness map, amount and currency map,
|
|
139
|
-
ownership map, fulfillment and entitlement map, webhook/retry map,
|
|
140
|
-
map, and audit/sensitive-data map.
|
|
146
|
+
ownership map, fulfillment and entitlement map, webhook/retry map, outbox event-type validation
|
|
147
|
+
map, reconciliation and hold-state map, and audit/sensitive-data map.
|
|
141
148
|
- Any false success, duplicate money movement, duplicate fulfillment, wrong-owner action, wrong amount, wrong currency, stale event overwrite, timeout misclassification, or missing reconciliation is fixed or reported with evidence.
|
|
142
149
|
- Tests or explicit verification cover the highest-risk nightmare paths available in the current scope.
|
|
143
150
|
|
|
@@ -172,7 +179,7 @@ Prefer focused tests for duplicate operations, webhook replay, out-of-order even
|
|
|
172
179
|
## Output Format
|
|
173
180
|
|
|
174
181
|
- Payment surface and provider boundary reviewed
|
|
175
|
-
- Money-event, provider, identifier, state, event-log, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
182
|
+
- Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
176
183
|
- Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, reconciliation, and audit risks
|
|
177
184
|
- Nightmare-path tests or evidence added, run, skipped, or still missing
|
|
178
185
|
- Command intents run
|
|
@@ -216,6 +216,12 @@ route_type = "adjunct"
|
|
|
216
216
|
priority = 69
|
|
217
217
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change"]
|
|
218
218
|
|
|
219
|
+
[routes."http-api-semantics-review"]
|
|
220
|
+
category = "general_code"
|
|
221
|
+
route_type = "adjunct"
|
|
222
|
+
priority = 81
|
|
223
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "data_change", "package_metadata_change", "release_risk"]
|
|
224
|
+
|
|
219
225
|
[routes."error-message-integrity-review"]
|
|
220
226
|
category = "general_code"
|
|
221
227
|
route_type = "adjunct"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
id = "default"
|
|
2
2
|
name = "default"
|
|
3
|
-
version = "2.103.
|
|
3
|
+
version = "2.103.21"
|
|
4
4
|
description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
|
|
5
5
|
common_root = "common"
|
|
6
6
|
locales_root = "locales"
|
|
@@ -14,6 +14,7 @@ creates = [
|
|
|
14
14
|
".mustflow/skills/routes.toml",
|
|
15
15
|
".mustflow/skills/adapter-boundary/SKILL.md",
|
|
16
16
|
".mustflow/skills/api-contract-change/SKILL.md",
|
|
17
|
+
".mustflow/skills/http-api-semantics-review/SKILL.md",
|
|
17
18
|
".mustflow/skills/backend-reliability-change/SKILL.md",
|
|
18
19
|
".mustflow/skills/http-delivery-streaming/SKILL.md",
|
|
19
20
|
".mustflow/skills/artifact-integrity-check/SKILL.md",
|
|
@@ -226,6 +227,7 @@ available = ["minimal", "patterns", "oss", "team", "product", "library"]
|
|
|
226
227
|
minimal = [
|
|
227
228
|
"adapter-boundary",
|
|
228
229
|
"api-contract-change",
|
|
230
|
+
"http-api-semantics-review",
|
|
229
231
|
"backend-reliability-change",
|
|
230
232
|
"http-delivery-streaming",
|
|
231
233
|
"auth-permission-change",
|
|
@@ -373,6 +375,7 @@ patterns = [
|
|
|
373
375
|
"architecture-deepening-review",
|
|
374
376
|
"service-boundary-architecture",
|
|
375
377
|
"api-contract-change",
|
|
378
|
+
"http-api-semantics-review",
|
|
376
379
|
"backend-reliability-change",
|
|
377
380
|
"http-delivery-streaming",
|
|
378
381
|
"auth-permission-change",
|
|
@@ -528,6 +531,7 @@ patterns = [
|
|
|
528
531
|
oss = [
|
|
529
532
|
"adapter-boundary",
|
|
530
533
|
"api-contract-change",
|
|
534
|
+
"http-api-semantics-review",
|
|
531
535
|
"backend-reliability-change",
|
|
532
536
|
"http-delivery-streaming",
|
|
533
537
|
"artifact-integrity-check",
|
|
@@ -705,6 +709,7 @@ team = [
|
|
|
705
709
|
"architecture-deepening-review",
|
|
706
710
|
"service-boundary-architecture",
|
|
707
711
|
"api-contract-change",
|
|
712
|
+
"http-api-semantics-review",
|
|
708
713
|
"backend-reliability-change",
|
|
709
714
|
"http-delivery-streaming",
|
|
710
715
|
"auth-permission-change",
|
|
@@ -864,6 +869,7 @@ team = [
|
|
|
864
869
|
product = [
|
|
865
870
|
"adapter-boundary",
|
|
866
871
|
"api-contract-change",
|
|
872
|
+
"http-api-semantics-review",
|
|
867
873
|
"backend-reliability-change",
|
|
868
874
|
"http-delivery-streaming",
|
|
869
875
|
"service-boundary-architecture",
|
|
@@ -1028,6 +1034,7 @@ product = [
|
|
|
1028
1034
|
library = [
|
|
1029
1035
|
"adapter-boundary",
|
|
1030
1036
|
"api-contract-change",
|
|
1037
|
+
"http-api-semantics-review",
|
|
1031
1038
|
"backend-reliability-change",
|
|
1032
1039
|
"http-delivery-streaming",
|
|
1033
1040
|
"artifact-integrity-check",
|