mustflow 2.103.3 → 2.103.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/run.js +11 -0
- package/dist/cli/commands/script-pack.js +2 -0
- package/dist/cli/i18n/en.js +35 -0
- package/dist/cli/i18n/es.js +35 -0
- package/dist/cli/i18n/fr.js +35 -0
- package/dist/cli/i18n/hi.js +35 -0
- package/dist/cli/i18n/ko.js +35 -0
- package/dist/cli/i18n/zh.js +35 -0
- package/dist/cli/lib/external-skill-import.js +78 -14
- package/dist/cli/lib/local-index/sql.js +9 -1
- package/dist/cli/lib/run-plan.js +37 -0
- package/dist/cli/lib/script-pack-registry.js +57 -0
- package/dist/cli/script-packs/repo-deploy-surface.js +98 -0
- package/dist/cli/script-packs/repo-security-pattern-scan.js +150 -0
- package/dist/core/change-impact.js +16 -0
- package/dist/core/code-outline.js +3 -13
- package/dist/core/command-env.js +26 -8
- package/dist/core/config-chain.js +3 -13
- package/dist/core/dependency-graph.js +3 -13
- package/dist/core/docs-link-integrity.js +23 -4
- package/dist/core/env-contract.js +3 -13
- package/dist/core/export-diff.js +3 -3
- package/dist/core/ignored-directories.js +40 -0
- package/dist/core/public-json-contracts.js +18 -0
- package/dist/core/reference-drift.js +4 -2
- package/dist/core/related-files.js +3 -13
- package/dist/core/repo-deploy-surface.js +428 -0
- package/dist/core/repo-merge-conflict-scan.js +3 -9
- package/dist/core/route-outline.js +3 -13
- package/dist/core/script-pack-suggestions.js +52 -14
- package/dist/core/secret-risk-scan.js +3 -13
- package/dist/core/security-pattern-scan.js +518 -0
- package/dist/core/skill-route-resolution.js +21 -1
- package/package.json +2 -2
- package/schemas/README.md +7 -0
- package/schemas/link-integrity-report.schema.json +1 -0
- package/schemas/reference-drift-report.schema.json +1 -0
- package/schemas/repo-deploy-surface-report.schema.json +190 -0
- package/schemas/security-pattern-scan-report.schema.json +196 -0
- package/templates/default/i18n.toml +20 -8
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +30 -7
- package/templates/default/locales/en/.mustflow/skills/api-contract-change/SKILL.md +18 -9
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +12 -6
- package/templates/default/locales/en/.mustflow/skills/completion-evidence-gate/SKILL.md +20 -9
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +20 -15
- package/templates/default/locales/en/.mustflow/skills/next-action-menu/SKILL.md +22 -7
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +21 -19
- package/templates/default/locales/en/.mustflow/skills/react-code-change/SKILL.md +54 -8
- package/templates/default/locales/en/.mustflow/skills/vertical-slice-tdd/SKILL.md +22 -8
- package/templates/default/manifest.toml +1 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.react-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: react-code-change
|
|
9
|
-
description: Apply this skill when React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded.
|
|
9
|
+
description: Apply this skill when React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, render performance, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -75,6 +75,10 @@ expect current React guidance and small, compatible changes.
|
|
|
75
75
|
- State and mutation evidence: local state owner, derived values, external
|
|
76
76
|
stores, context providers, forms, Actions, optimistic updates, and rollback
|
|
77
77
|
behavior.
|
|
78
|
+
- Render performance evidence: React DevTools Profiler or `<Profiler>` data when
|
|
79
|
+
available, render count, render duration, prop identity changes, context update
|
|
80
|
+
scope, list size, DOM node count, key stability, layout effect use, first-load
|
|
81
|
+
bundle ownership, and offscreen DOM cost.
|
|
78
82
|
- Configured verification intents for lint, build, tests, docs, package, and
|
|
79
83
|
mustflow checks.
|
|
80
84
|
|
|
@@ -186,14 +190,49 @@ expect current React guidance and small, compatible changes.
|
|
|
186
190
|
errors, resets, progressive enhancement, and rollback.
|
|
187
191
|
- Keep explicit error handling, authorization, validation, idempotency, and
|
|
188
192
|
rollback behavior. Do not hide server failures behind optimistic UI.
|
|
189
|
-
10. **
|
|
193
|
+
10. **Review React render hot paths with evidence.**
|
|
194
|
+
- Use React DevTools Profiler, `<Profiler>`, framework traces, or existing
|
|
195
|
+
render-count evidence before claiming a render-performance fix. If none is
|
|
196
|
+
configured, report static render risk instead of measured speedup.
|
|
197
|
+
- Check whether state is owned too high in the tree. Search inputs, tabs,
|
|
198
|
+
modal flags, hover state, and local drafts should not rerender a whole page
|
|
199
|
+
unless that page truly owns the state.
|
|
200
|
+
- Check `memo` failures from unstable props. Inline objects, arrays, functions,
|
|
201
|
+
and selector results can make `React.memo` ineffective; prefer primitive
|
|
202
|
+
props, stable callbacks, or moving object creation behind a real dependency.
|
|
203
|
+
- Move expensive render-time `filter`, `sort`, `map`, grouping, and lookup work
|
|
204
|
+
behind `useMemo`, server-side pagination, route loaders, or pre-indexed data
|
|
205
|
+
when input size can grow.
|
|
206
|
+
- Large lists need pagination, infinite query boundaries, virtualization, or a
|
|
207
|
+
documented hard cap. Do not render thousands of rows because the sample data
|
|
208
|
+
has twenty.
|
|
209
|
+
- Reject unstable keys such as array index for reorderable data and
|
|
210
|
+
`Math.random()` for any list. Use stable item identity so React preserves
|
|
211
|
+
row state and avoids forced remounts.
|
|
212
|
+
- Split oversized context values by change frequency and ownership. `memo`
|
|
213
|
+
does not stop rerenders caused by a fresh context value.
|
|
214
|
+
- Do not use `useEffect` plus `setState` for values derived from current props
|
|
215
|
+
or state. Compute during render or memoize the calculation to avoid the
|
|
216
|
+
extra render pass.
|
|
217
|
+
- For search and filtering, keep the controlled input urgent and move heavy
|
|
218
|
+
result updates behind `useDeferredValue`, `useTransition`, server filtering,
|
|
219
|
+
or pagination when the supported React version and UX allow it.
|
|
220
|
+
- Use `useLayoutEffect` only when pre-paint measurement is required. Avoid
|
|
221
|
+
DOM read/write interleaving that causes layout thrashing.
|
|
222
|
+
- Lazy-load heavy charts, editors, maps, markdown renderers, syntax
|
|
223
|
+
highlighters, and modal-only widgets when they are not needed for the first
|
|
224
|
+
interaction path.
|
|
225
|
+
- For large offscreen sections, consider `content-visibility` plus
|
|
226
|
+
`contain-intrinsic-size`, framework lazy boundaries, or route splitting when
|
|
227
|
+
browser support and layout stability are acceptable.
|
|
228
|
+
11. **Respect React 19.2 rendering and performance APIs.**
|
|
190
229
|
- Treat `<Activity>` as hidden UI with preserved state, unmounted effects,
|
|
191
230
|
and lower-priority hidden updates, not as `display: none` or ordinary
|
|
192
231
|
conditional rendering.
|
|
193
232
|
- Use React Performance Tracks, React DevTools, or existing profiler evidence
|
|
194
233
|
when claiming render, effect, Scheduler, transition, or component
|
|
195
234
|
performance improvements.
|
|
196
|
-
|
|
235
|
+
12. **Keep server rendering and RSC boundaries exact.**
|
|
197
236
|
- Distinguish Server Components from Server Actions. `"use server"` marks
|
|
198
237
|
server functions or modules for actions; it is not a Server Component tag.
|
|
199
238
|
- Keep browser APIs, client state, and event handlers out of Server
|
|
@@ -206,13 +245,13 @@ expect current React guidance and small, compatible changes.
|
|
|
206
245
|
- In Node environments, do not assume Web Streams are faster than Node
|
|
207
246
|
streams; preserve the existing SSR stream API unless the task proves the
|
|
208
247
|
runtime benefit and compression behavior.
|
|
209
|
-
|
|
248
|
+
13. **Use React DOM document and resource APIs close to the owner.**
|
|
210
249
|
- Metadata, stylesheets with `precedence`, async scripts, `preinit`,
|
|
211
250
|
`preload`, `preconnect`, and `prefetchDNS` may belong near the component
|
|
212
251
|
that needs them when React and the framework support that behavior.
|
|
213
252
|
- Avoid duplicate head managers, resource hint spam, and hints for assets
|
|
214
253
|
whose timing or priority is unproven.
|
|
215
|
-
|
|
254
|
+
14. **Verify through the repository contract.**
|
|
216
255
|
- Run the smallest configured checks that cover changed React code, package
|
|
217
256
|
metadata, build output, docs, and tests.
|
|
218
257
|
- Report missing browser, hydration, SSR, RSC, compiler, profiler, or
|
|
@@ -225,12 +264,16 @@ expect current React guidance and small, compatible changes.
|
|
|
225
264
|
status are known or explicitly reported as unknown.
|
|
226
265
|
- Effects, state, memoization, context, refs, forms, Suspense, and async
|
|
227
266
|
boundaries follow React's current model for the supported version.
|
|
267
|
+
- Render performance claims are backed by profiler or render-count evidence, or
|
|
268
|
+
static risks such as state too high, unstable props, render-time transforms,
|
|
269
|
+
huge lists, unstable keys, oversized context, derived-state effects, layout
|
|
270
|
+
thrashing, eager heavy widgets, and offscreen DOM cost are reported honestly.
|
|
228
271
|
- React 19 and React 19.2 APIs are not introduced into code that still promises
|
|
229
272
|
older React compatibility.
|
|
230
273
|
- SSR, RSC, Server Action, browser-only, and resource-hint boundaries are
|
|
231
274
|
preserved.
|
|
232
|
-
- Performance claims have profiler
|
|
233
|
-
unverified.
|
|
275
|
+
- Performance claims have profiler, benchmark, render-count, or configured
|
|
276
|
+
evidence, or are reported as unverified.
|
|
234
277
|
|
|
235
278
|
<!-- mustflow-section: verification -->
|
|
236
279
|
## Verification
|
|
@@ -271,6 +314,9 @@ surfaces changed.
|
|
|
271
314
|
- React surface and supported version checked
|
|
272
315
|
- Compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR,
|
|
273
316
|
RSC, and resource-boundary notes
|
|
317
|
+
- Render performance notes: profiler evidence, state ownership, prop identity,
|
|
318
|
+
render-time work, list size, key stability, context scope, derived state,
|
|
319
|
+
layout effects, lazy loading, and offscreen DOM
|
|
274
320
|
- Freshness-sensitive React claims checked or left conservative
|
|
275
321
|
- Files changed
|
|
276
322
|
- Command intents run
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.vertical-slice-tdd
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: vertical-slice-tdd
|
|
@@ -30,7 +30,7 @@ metadata:
|
|
|
30
30
|
|
|
31
31
|
Support explicit test-driven development without making test-first work mandatory for every mustflow task.
|
|
32
32
|
|
|
33
|
-
This skill keeps TDD work in
|
|
33
|
+
This skill keeps TDD work in one vertical behavior slice at a time: choose the next test by risk and evidence value, prove one observable contract, attack the test for false-green weakness, implement only enough behavior to pass, and only then refactor inside the covered slice.
|
|
34
34
|
|
|
35
35
|
<!-- mustflow-section: use-when -->
|
|
36
36
|
## Use When
|
|
@@ -54,6 +54,7 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
|
|
|
54
54
|
|
|
55
55
|
- User request or issue evidence that makes TDD or slice-by-slice work appropriate.
|
|
56
56
|
- The observable behavior contract for the first slice.
|
|
57
|
+
- A short test list or risk list, ordered by which test would expose the most important uncertainty next.
|
|
57
58
|
- Existing tests, fixtures, and helpers near that behavior.
|
|
58
59
|
- The expected RED category and baseline status before implementation.
|
|
59
60
|
- Relevant command-intent contract entries for the narrowest verification path.
|
|
@@ -78,9 +79,11 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
|
|
|
78
79
|
<!-- mustflow-section: procedure -->
|
|
79
80
|
## Procedure
|
|
80
81
|
|
|
81
|
-
1. Select
|
|
82
|
+
1. Select the next evidence-bearing slice.
|
|
82
83
|
- Name the user-visible or public behavior.
|
|
83
84
|
- Define the smallest input, action, and observable output that prove the slice.
|
|
85
|
+
- Prefer the test that would reveal the riskiest unknown, boundary, integration contract, or regression path, not merely the easiest happy path.
|
|
86
|
+
- Treat Red-Green-Refactor as the inner loop, not the whole method. Do not start adding tests before choosing why this test is the next useful evidence.
|
|
84
87
|
- Keep cross-cutting infrastructure, broad refactors, and speculative future cases outside the slice.
|
|
85
88
|
2. Find existing coverage.
|
|
86
89
|
- Prefer extending a nearby existing test when it already owns the behavior surface.
|
|
@@ -90,30 +93,39 @@ This skill keeps TDD work in narrow vertical behavior slices: one observable con
|
|
|
90
93
|
- Use `test-design-guard` to select the test shape and assertion.
|
|
91
94
|
- Assert observable behavior such as a return value, exit code, output, file effect, state transition, schema result, or error shape.
|
|
92
95
|
- Keep mocks supportive rather than the only behavior evidence, unless the interaction itself is the public contract.
|
|
93
|
-
4.
|
|
96
|
+
4. Attack the test before trusting it.
|
|
97
|
+
- Ask what bug could still pass this test. Strengthen the assertion when the answer is concrete and in scope.
|
|
98
|
+
- Prefer property, contract, approval, integration, or mutation-style evidence only when `test-design-guard` shows that shape fits the contract and stays bounded.
|
|
99
|
+
- For legacy code, use characterization or approval-style evidence to freeze current behavior before refactoring when the intended behavior is not yet trusted.
|
|
100
|
+
- For API or service boundaries, prefer consumer, schema, or contract evidence over mocks of the provider's imagined behavior.
|
|
101
|
+
- If implementation was AI-assisted, check that generated code did not outrun the selected test by adding untested branches, features, or public behavior.
|
|
102
|
+
5. Classify the RED result before implementation.
|
|
94
103
|
- `behavior_red` is the only valid behavior RED.
|
|
95
104
|
- `api_scaffold_red` may be reported only for an explicitly new public API scaffold and must not be counted as behavior coverage.
|
|
96
105
|
- `invalid_red` includes setup failures, wrong imports, missing unrelated symbols, runner failures, fixture failures, syntax or type errors, bad mocks, missing awaits, environment failures, and unrelated baseline failures.
|
|
97
106
|
- If RED is invalid, fix the test setup or report the invalid evidence before changing implementation behavior.
|
|
98
|
-
|
|
107
|
+
6. Implement the smallest behavior change.
|
|
99
108
|
- Change only the code needed for the current observable contract.
|
|
100
109
|
- Preserve existing public behavior outside the slice.
|
|
101
110
|
- Avoid introducing abstractions unless they directly reduce complexity in the current slice.
|
|
102
|
-
|
|
111
|
+
- Do not accept a broad AI-generated implementation just because the narrow test turned green; trim or defer unproven behavior.
|
|
112
|
+
7. Verify GREEN with the narrowest configured command intent.
|
|
103
113
|
- Start with the intent that covers the changed test and implementation surface.
|
|
104
114
|
- Escalate only when the slice crosses public surfaces, package or template contracts, or the related selector cannot cover the changed files.
|
|
105
115
|
- Keep command evidence separate from RED evidence and implementation notes.
|
|
106
|
-
|
|
116
|
+
8. Refactor only after GREEN.
|
|
107
117
|
- Limit refactoring to code covered by the slice.
|
|
108
118
|
- Re-run the same configured verification intent after behavior-preserving cleanup when the refactor is non-trivial.
|
|
109
|
-
|
|
119
|
+
9. Decide whether to continue.
|
|
110
120
|
- Repeat only when the next slice is clearly in scope.
|
|
121
|
+
- Reorder the remaining test list when new evidence changes the highest-risk unknown.
|
|
111
122
|
- Stop and report deferred slices when the remaining work is broader than the user request or needs a new decision.
|
|
112
123
|
|
|
113
124
|
<!-- mustflow-section: postconditions -->
|
|
114
125
|
## Postconditions
|
|
115
126
|
|
|
116
127
|
- Each completed slice has a named behavior contract, RED category, implementation summary, and GREEN verification evidence.
|
|
128
|
+
- Each completed slice records why that test was chosen next and how false-green risk was checked.
|
|
117
129
|
- Invalid RED and scaffold-only RED are not reported as behavior coverage.
|
|
118
130
|
- Deferred slices, rejected speculative cases, skipped checks, and remaining risks are explicit.
|
|
119
131
|
- No command execution claim relies on anything outside the configured command intents.
|
|
@@ -145,10 +157,12 @@ Prefer the narrowest configured intent that proves the current slice. Escalate o
|
|
|
145
157
|
## Output Format
|
|
146
158
|
|
|
147
159
|
- TDD trigger and slice scope
|
|
160
|
+
- Next-test selection rationale
|
|
148
161
|
- Existing coverage reused
|
|
149
162
|
- Slices completed
|
|
150
163
|
- Slices deferred
|
|
151
164
|
- Cases rejected as duplicate or speculative
|
|
165
|
+
- False-green checks and test-strength limits
|
|
152
166
|
- RED Evidence:
|
|
153
167
|
- category: `behavior_red`, `api_scaffold_red`, `invalid_red`, or `not_applicable`
|
|
154
168
|
- command intent
|