mustflow 2.103.3 → 2.103.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50)
  1. package/dist/cli/commands/run.js +11 -0
  2. package/dist/cli/commands/script-pack.js +2 -0
  3. package/dist/cli/i18n/en.js +35 -0
  4. package/dist/cli/i18n/es.js +35 -0
  5. package/dist/cli/i18n/fr.js +35 -0
  6. package/dist/cli/i18n/hi.js +35 -0
  7. package/dist/cli/i18n/ko.js +35 -0
  8. package/dist/cli/i18n/zh.js +35 -0
  9. package/dist/cli/lib/external-skill-import.js +78 -14
  10. package/dist/cli/lib/local-index/sql.js +9 -1
  11. package/dist/cli/lib/run-plan.js +37 -0
  12. package/dist/cli/lib/script-pack-registry.js +57 -0
  13. package/dist/cli/script-packs/repo-deploy-surface.js +98 -0
  14. package/dist/cli/script-packs/repo-security-pattern-scan.js +150 -0
  15. package/dist/core/change-impact.js +16 -0
  16. package/dist/core/code-outline.js +3 -13
  17. package/dist/core/command-env.js +26 -8
  18. package/dist/core/config-chain.js +3 -13
  19. package/dist/core/dependency-graph.js +3 -13
  20. package/dist/core/docs-link-integrity.js +23 -4
  21. package/dist/core/env-contract.js +3 -13
  22. package/dist/core/export-diff.js +3 -3
  23. package/dist/core/ignored-directories.js +40 -0
  24. package/dist/core/public-json-contracts.js +18 -0
  25. package/dist/core/reference-drift.js +4 -2
  26. package/dist/core/related-files.js +3 -13
  27. package/dist/core/repo-deploy-surface.js +428 -0
  28. package/dist/core/repo-merge-conflict-scan.js +3 -9
  29. package/dist/core/route-outline.js +3 -13
  30. package/dist/core/script-pack-suggestions.js +52 -14
  31. package/dist/core/secret-risk-scan.js +3 -13
  32. package/dist/core/security-pattern-scan.js +518 -0
  33. package/dist/core/skill-route-resolution.js +21 -1
  34. package/package.json +2 -2
  35. package/schemas/README.md +7 -0
  36. package/schemas/link-integrity-report.schema.json +1 -0
  37. package/schemas/reference-drift-report.schema.json +1 -0
  38. package/schemas/repo-deploy-surface-report.schema.json +190 -0
  39. package/schemas/security-pattern-scan-report.schema.json +196 -0
  40. package/templates/default/i18n.toml +20 -8
  41. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +30 -7
  42. package/templates/default/locales/en/.mustflow/skills/api-contract-change/SKILL.md +18 -9
  43. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +12 -6
  44. package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +20 -9
  45. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +20 -15
  46. package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +22 -7
  47. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +21 -19
  48. package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +54 -8
  49. package/templates/default/locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md +22 -8
  50. package/templates/default/manifest.toml +1 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.react-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: react-code-change
9
- description: Apply this skill when React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded.
9
+ description: Apply this skill when React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, render performance, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -75,6 +75,10 @@ expect current React guidance and small, compatible changes.
75
75
  - State and mutation evidence: local state owner, derived values, external
76
76
  stores, context providers, forms, Actions, optimistic updates, and rollback
77
77
  behavior.
78
+ - Render performance evidence: React DevTools Profiler or `<Profiler>` data when
79
+ available, render count, render duration, prop identity changes, context update
80
+ scope, list size, DOM node count, key stability, layout effect use, first-load
81
+ bundle ownership, and offscreen DOM cost.
78
82
  - Configured verification intents for lint, build, tests, docs, package, and
79
83
  mustflow checks.
80
84
 
@@ -186,14 +190,49 @@ expect current React guidance and small, compatible changes.
186
190
  errors, resets, progressive enhancement, and rollback.
187
191
  - Keep explicit error handling, authorization, validation, idempotency, and
188
192
  rollback behavior. Do not hide server failures behind optimistic UI.
189
- 10. **Respect React 19.2 rendering and performance APIs.**
193
+ 10. **Review React render hot paths with evidence.**
194
+ - Use React DevTools Profiler, `<Profiler>`, framework traces, or existing
195
+ render-count evidence before claiming a render-performance fix. If none is
196
+ configured, report static render risk instead of measured speedup.
197
+ - Check whether state is owned too high in the tree. Search inputs, tabs,
198
+ modal flags, hover state, and local drafts should not rerender a whole page
199
+ unless that page truly owns the state.
200
+ - Check `memo` failures from unstable props. Inline objects, arrays, functions,
201
+ and selector results can make `React.memo` ineffective; prefer primitive
202
+ props, stable callbacks, or moving object creation behind a real dependency.
203
+ - Move expensive render-time `filter`, `sort`, `map`, grouping, and lookup work
204
+ behind `useMemo`, server-side pagination, route loaders, or pre-indexed data
205
+ when input size can grow.
206
+ - Large lists need pagination, infinite query boundaries, virtualization, or a
207
+ documented hard cap. Do not render thousands of rows because the sample data
208
+ has twenty.
209
+ - Reject unstable keys such as array index for reorderable data and
210
+ `Math.random()` for any list. Use stable item identity so React preserves
211
+ row state and avoids forced remounts.
212
+ - Split oversized context values by change frequency and ownership. `memo`
213
+ does not stop rerenders caused by a fresh context value.
214
+ - Do not use `useEffect` plus `setState` for values derived from current props
215
+ or state. Compute during render or memoize the calculation to avoid the
216
+ extra render pass.
217
+ - For search and filtering, keep the controlled input urgent and move heavy
218
+ result updates behind `useDeferredValue`, `useTransition`, server filtering,
219
+ or pagination when the supported React version and UX allow it.
220
+ - Use `useLayoutEffect` only when pre-paint measurement is required. Avoid
221
+ DOM read/write interleaving that causes layout thrashing.
222
+ - Lazy-load heavy charts, editors, maps, markdown renderers, syntax
223
+ highlighters, and modal-only widgets when they are not needed for the first
224
+ interaction path.
225
+ - For large offscreen sections, consider `content-visibility` plus
226
+ `contain-intrinsic-size`, framework lazy boundaries, or route splitting when
227
+ browser support and layout stability are acceptable.
228
+ 11. **Respect React 19.2 rendering and performance APIs.**
190
229
  - Treat `<Activity>` as hidden UI with preserved state, unmounted effects,
191
230
  and lower-priority hidden updates, not as `display: none` or ordinary
192
231
  conditional rendering.
193
232
  - Use React Performance Tracks, React DevTools, or existing profiler evidence
194
233
  when claiming render, effect, Scheduler, transition, or component
195
234
  performance improvements.
196
- 11. **Keep server rendering and RSC boundaries exact.**
235
+ 12. **Keep server rendering and RSC boundaries exact.**
197
236
  - Distinguish Server Components from Server Actions. `"use server"` marks
198
237
  server functions or modules for actions; it is not a Server Component tag.
199
238
  - Keep browser APIs, client state, and event handlers out of Server
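Review bot: The first bullet of new step 10 ("Use React DevTools Profiler, `<Profiler>`, framework traces, or existing render-count evidence before claiming a render-performance fix") restates the evidence rule that renumbered step 11 still carries ("Use React Performance Tracks, React DevTools, or existing profiler evidence when claiming render, effect, Scheduler, transition, or component performance improvements"), and the two bullets name different tool lists. Keep the rule in one step and have the other refer to it, so a later edit cannot leave them disagreeing about which evidence counts. The insertion also shifts the old steps 10 to 13 to 11 to 14, so any reference to those steps by number needs the same shift.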
@@ -206,13 +245,13 @@ expect current React guidance and small, compatible changes.
206
245
  - In Node environments, do not assume Web Streams are faster than Node
207
246
  streams; preserve the existing SSR stream API unless the task proves the
208
247
  runtime benefit and compression behavior.
209
- 12. **Use React DOM document and resource APIs close to the owner.**
248
+ 13. **Use React DOM document and resource APIs close to the owner.**
210
249
  - Metadata, stylesheets with `precedence`, async scripts, `preinit`,
211
250
  `preload`, `preconnect`, and `prefetchDNS` may belong near the component
212
251
  that needs them when React and the framework support that behavior.
213
252
  - Avoid duplicate head managers, resource hint spam, and hints for assets
214
253
  whose timing or priority is unproven.
215
- 13. **Verify through the repository contract.**
254
+ 14. **Verify through the repository contract.**
216
255
  - Run the smallest configured checks that cover changed React code, package
217
256
  metadata, build output, docs, and tests.
218
257
  - Report missing browser, hydration, SSR, RSC, compiler, profiler, or
@@ -225,12 +264,16 @@ expect current React guidance and small, compatible changes.
225
264
  status are known or explicitly reported as unknown.
226
265
  - Effects, state, memoization, context, refs, forms, Suspense, and async
227
266
  boundaries follow React's current model for the supported version.
267
+ - Render performance claims are backed by profiler or render-count evidence, or
268
+ static risks such as state too high, unstable props, render-time transforms,
269
+ huge lists, unstable keys, oversized context, derived-state effects, layout
270
+ thrashing, eager heavy widgets, and offscreen DOM cost are reported honestly.
228
271
  - React 19 and React 19.2 APIs are not introduced into code that still promises
229
272
  older React compatibility.
230
273
  - SSR, RSC, Server Action, browser-only, and resource-hint boundaries are
231
274
  preserved.
232
- - Performance claims have profiler or benchmark evidence, or are reported as
233
- unverified.
275
+ - Performance claims have profiler, benchmark, render-count, or configured
276
+ evidence, or are reported as unverified.
234
277
 
235
278
  <!-- mustflow-section: verification -->
236
279
  ## Verification
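Review bot: The two postconditions touched in this hunk now overlap and give different fallbacks: the added bullet says static risks "are reported honestly", while the edited bullet says claims without evidence "are reported as unverified". Merge them or settle on one fallback wording. The edited bullet also accepts "configured evidence" without saying what that covers; as written, any configured check could be read as satisfying it, so name the kinds of configured evidence that qualify.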
@@ -271,6 +314,9 @@ surfaces changed.
271
314
  - React surface and supported version checked
272
315
  - Compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR,
273
316
  RSC, and resource-boundary notes
317
+ - Render performance notes: profiler evidence, state ownership, prop identity,
318
+ render-time work, list size, key stability, context scope, derived state,
319
+ layout effects, lazy loading, and offscreen DOM
274
320
  - Freshness-sensitive React claims checked or left conservative
275
321
  - Files changed
276
322
  - Command intents run
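Review bot: The added "Render performance notes" line has no entry for the search and filtering bullet of procedure step 10 (keep the controlled input urgent, defer heavy results with `useDeferredValue`, `useTransition`, server filtering, or pagination), although every other step 10 bullet maps to an item here. The new postcondition's static-risk list omits it as well. Add an entry such as "deferred updates" to both lists, or drop the bullet from the procedure, so the procedure, postconditions, and output format cover the same checks.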
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.vertical-slice-tdd
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: vertical-slice-tdd
@@ -30,7 +30,7 @@ metadata:
30
30
 
31
31
  Support explicit test-driven development without making test-first work mandatory for every mustflow task.
32
32
 
33
- This skill keeps TDD work in narrow vertical behavior slices: one observable contract, one focused test change, the smallest implementation that proves it, and only then a local refactor inside the covered slice.
33
+ This skill keeps TDD work in one vertical behavior slice at a time: choose the next test by risk and evidence value, prove one observable contract, attack the test for false-green weakness, implement only enough behavior to pass, and only then refactor inside the covered slice.
34
34
 
35
35
  <!-- mustflow-section: use-when -->
36
36
  ## Use When
@@ -54,6 +54,7 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
54
54
 
55
55
  - User request or issue evidence that makes TDD or slice-by-slice work appropriate.
56
56
  - The observable behavior contract for the first slice.
57
+ - A short test list or risk list, ordered by which test would expose the most important uncertainty next.
57
58
  - Existing tests, fixtures, and helpers near that behavior.
58
59
  - The expected RED category and baseline status before implementation.
59
60
  - Relevant command-intent contract entries for the narrowest verification path.
@@ -78,9 +79,11 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
78
79
  <!-- mustflow-section: procedure -->
79
80
  ## Procedure
80
81
 
81
- 1. Select one vertical behavior slice.
82
+ 1. Select the next evidence-bearing slice.
82
83
  - Name the user-visible or public behavior.
83
84
  - Define the smallest input, action, and observable output that prove the slice.
85
+ - Prefer the test that would reveal the riskiest unknown, boundary, integration contract, or regression path, not merely the easiest happy path.
86
+ - Treat Red-Green-Refactor as the inner loop, not the whole method. Do not start adding tests before choosing why this test is the next useful evidence.
84
87
  - Keep cross-cutting infrastructure, broad refactors, and speculative future cases outside the slice.
85
88
  2. Find existing coverage.
86
89
  - Prefer extending a nearby existing test when it already owns the behavior surface.
@@ -90,30 +93,39 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
90
93
  - Use `test-design-guard` to select the test shape and assertion.
91
94
  - Assert observable behavior such as a return value, exit code, output, file effect, state transition, schema result, or error shape.
92
95
  - Keep mocks supportive rather than the only behavior evidence, unless the interaction itself is the public contract.
93
- 4. Classify the RED result before implementation.
96
+ 4. Attack the test before trusting it.
97
+ - Ask what bug could still pass this test. Strengthen the assertion when the answer is concrete and in scope.
98
+ - Prefer property, contract, approval, integration, or mutation-style evidence only when `test-design-guard` shows that shape fits the contract and stays bounded.
99
+ - For legacy code, use characterization or approval-style evidence to freeze current behavior before refactoring when the intended behavior is not yet trusted.
100
+ - For API or service boundaries, prefer consumer, schema, or contract evidence over mocks of the provider's imagined behavior.
101
+ - If implementation was AI-assisted, check that generated code did not outrun the selected test by adding untested branches, features, or public behavior.
102
+ 5. Classify the RED result before implementation.
94
103
  - `behavior_red` is the only valid behavior RED.
95
104
  - `api_scaffold_red` may be reported only for an explicitly new public API scaffold and must not be counted as behavior coverage.
96
105
  - `invalid_red` includes setup failures, wrong imports, missing unrelated symbols, runner failures, fixture failures, syntax or type errors, bad mocks, missing awaits, environment failures, and unrelated baseline failures.
97
106
  - If RED is invalid, fix the test setup or report the invalid evidence before changing implementation behavior.
98
- 5. Implement the smallest behavior change.
107
+ 6. Implement the smallest behavior change.
99
108
  - Change only the code needed for the current observable contract.
100
109
  - Preserve existing public behavior outside the slice.
101
110
  - Avoid introducing abstractions unless they directly reduce complexity in the current slice.
102
- 6. Verify GREEN with the narrowest configured command intent.
111
+ - Do not accept a broad AI-generated implementation just because the narrow test turned green; trim or defer unproven behavior.
112
+ 7. Verify GREEN with the narrowest configured command intent.
103
113
  - Start with the intent that covers the changed test and implementation surface.
104
114
  - Escalate only when the slice crosses public surfaces, package or template contracts, or the related selector cannot cover the changed files.
105
115
  - Keep command evidence separate from RED evidence and implementation notes.
106
- 7. Refactor only after GREEN.
116
+ 8. Refactor only after GREEN.
107
117
  - Limit refactoring to code covered by the slice.
108
118
  - Re-run the same configured verification intent after behavior-preserving cleanup when the refactor is non-trivial.
109
- 8. Decide whether to continue.
119
+ 9. Decide whether to continue.
110
120
  - Repeat only when the next slice is clearly in scope.
121
+ - Reorder the remaining test list when new evidence changes the highest-risk unknown.
111
122
  - Stop and report deferred slices when the remaining work is broader than the user request or needs a new decision.
112
123
 
113
124
  <!-- mustflow-section: postconditions -->
114
125
  ## Postconditions
115
126
 
116
127
  - Each completed slice has a named behavior contract, RED category, implementation summary, and GREEN verification evidence.
128
+ - Each completed slice records why that test was chosen next and how false-green risk was checked.
117
129
  - Invalid RED and scaffold-only RED are not reported as behavior coverage.
118
130
  - Deferred slices, rejected speculative cases, skipped checks, and remaining risks are explicit.
119
131
  - No command execution claim relies on anything outside the configured command intents.
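Review bot: In new step 4, the last bullet ("If implementation was AI-assisted, check that generated code did not outrun the selected test") asks for a review of implementation code, but step 4 runs before RED classification (step 5) and before implementation (step 6), so there is nothing to check at that point. Move it beside the step 6 bullet "Do not accept a broad AI-generated implementation just because the narrow test turned green", or into the GREEN verification step, and keep step 4 limited to test strength. The added postcondition ("how false-green risk was checked") would then map cleanly onto step 4 alone.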
@@ -145,10 +157,12 @@ Prefer the narrowest configured intent that proves the current slice. Escalate o
145
157
  ## Output Format
146
158
 
147
159
  - TDD trigger and slice scope
160
+ - Next-test selection rationale
148
161
  - Existing coverage reused
149
162
  - Slices completed
150
163
  - Slices deferred
151
164
  - Cases rejected as duplicate or speculative
165
+ - False-green checks and test-strength limits
152
166
  - RED Evidence:
153
167
  - category: `behavior_red`, `api_scaffold_red`, `invalid_red`, or `not_applicable`
154
168
  - command intent
@@ -1,6 +1,6 @@
1
1
  id = "default"
2
2
  name = "default"
3
- version = "2.103.3"
3
+ version = "2.103.12"
4
4
  description = "Minimal workflow for LLM agents to read, edit, and verify their work in a repository."
5
5
  common_root = "common"
6
6
  locales_root = "locales"