mustflow 2.103.35 → 2.106.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3,6 +3,7 @@ import { t } from '../../lib/i18n.js';
3
3
  import { getParsedCliStringOption, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../../lib/option-parser.js';
4
4
  import { ALLOW_UNTRUSTED_ROOT_OPTION } from '../../lib/run-root-trust.js';
5
5
  const DEFAULT_ACTIVE_LOCK_WAIT_TIMEOUT_SECONDS = 300;
6
+ const SUPPORTED_RUN_APPROVAL_ACTIONS = new Set(['network_access', 'destructive_command']);
6
7
  const RUN_OPTIONS = [
7
8
  { name: '--json', kind: 'boolean' },
8
9
  { name: '--dry-run', kind: 'boolean' },
@@ -10,13 +11,28 @@ const RUN_OPTIONS = [
10
11
  { name: '--wait', kind: 'boolean' },
11
12
  { name: ALLOW_UNTRUSTED_ROOT_OPTION, kind: 'boolean' },
12
13
  { name: '--wait-timeout', kind: 'string' },
14
+ { name: '--allow-approval', kind: 'string' },
13
15
  ];
14
16
  export function hasRunHelpOption(args) {
15
17
  return hasCliOptionToken(args, '--help', ['-h']);
16
18
  }
19
+ export function getSupportedRunApprovalActions() {
20
+ return [...SUPPORTED_RUN_APPROVAL_ACTIONS].sort((left, right) => left.localeCompare(right));
21
+ }
22
+ function getAllowApprovalValues(parsed) {
23
+ const values = parsed.occurrences
24
+ .filter((occurrence) => occurrence.name === '--allow-approval')
25
+ .map((occurrence) => occurrence.value)
26
+ .filter((value) => typeof value === 'string');
27
+ return [...new Set(values)];
28
+ }
29
+ function findInvalidApprovalAction(values) {
30
+ return values.find((value) => !SUPPORTED_RUN_APPROVAL_ACTIONS.has(value)) ?? null;
31
+ }
17
32
  export function parseRunArguments(args) {
18
33
  const parsed = parseCliOptions(args, RUN_OPTIONS, { allowPositionals: true });
19
34
  let waitTimeoutSeconds = DEFAULT_ACTIVE_LOCK_WAIT_TIMEOUT_SECONDS;
35
+ const allowApprovals = getAllowApprovalValues(parsed);
20
36
  if (parsed.error) {
21
37
  const [intentName, ...extra] = parsed.positionals;
22
38
  return {
@@ -24,16 +40,22 @@ export function parseRunArguments(args) {
24
40
  dryRun: hasParsedCliOption(parsed, '--dry-run'),
25
41
  planOnly: hasParsedCliOption(parsed, '--plan-only'),
26
42
  allowUntrustedRoot: hasParsedCliOption(parsed, ALLOW_UNTRUSTED_ROOT_OPTION),
43
+ allowApprovals,
27
44
  wait: hasParsedCliOption(parsed, '--wait'),
28
45
  waitTimeoutSeconds,
29
46
  intentName: intentName ?? null,
30
47
  extra,
48
+ invalidApprovalAction: null,
31
49
  error: parsed.error,
32
50
  };
33
51
  }
52
+ const invalidApprovalAction = findInvalidApprovalAction(allowApprovals);
34
53
  const waitTimeoutValue = getParsedCliStringOption(parsed, '--wait-timeout');
35
54
  let error = null;
36
- if (waitTimeoutValue !== null) {
55
+ if (invalidApprovalAction) {
56
+ error = 'invalid_approval_action';
57
+ }
58
+ else if (waitTimeoutValue !== null) {
37
59
  const parsedWaitTimeout = Number(waitTimeoutValue);
38
60
  if (!Number.isInteger(parsedWaitTimeout) || parsedWaitTimeout <= 0) {
39
61
  error = 'invalid_wait_timeout';
@@ -48,10 +70,12 @@ export function parseRunArguments(args) {
48
70
  dryRun: hasParsedCliOption(parsed, '--dry-run'),
49
71
  planOnly: hasParsedCliOption(parsed, '--plan-only'),
50
72
  allowUntrustedRoot: hasParsedCliOption(parsed, ALLOW_UNTRUSTED_ROOT_OPTION),
73
+ allowApprovals,
51
74
  wait: hasParsedCliOption(parsed, '--wait'),
52
75
  waitTimeoutSeconds,
53
76
  intentName: intentName ?? null,
54
77
  extra,
78
+ invalidApprovalAction,
55
79
  error,
56
80
  };
57
81
  }
@@ -65,10 +89,11 @@ export function getRunHelp(lang = 'en') {
65
89
  { label: '--json', description: t(lang, 'run.help.option.json') },
66
90
  { label: '--wait', description: t(lang, 'run.help.option.wait') },
67
91
  { label: '--wait-timeout <seconds>', description: t(lang, 'run.help.option.waitTimeout') },
92
+ { label: '--allow-approval <action>', description: t(lang, 'run.help.option.allowApproval') },
68
93
  { label: ALLOW_UNTRUSTED_ROOT_OPTION, description: t(lang, 'run.help.option.allowUntrustedRoot') },
69
94
  { label: '-h, --help', description: t(lang, 'cli.option.help') },
70
95
  ],
71
- examples: ['mf run test', 'mf run lint --json', 'mf run mustflow_check --dry-run --json'],
96
+ examples: ['mf run test', 'mf run lint --json', 'mf run release_npm_version_available --allow-approval network_access --json'],
72
97
  exitCodes: [
73
98
  {
74
99
  label: '0',
@@ -188,7 +188,10 @@ export async function executeRunCommand(request, reporter, lang = 'en', options
188
188
  return { exitCode: 1, receipt: null };
189
189
  }
190
190
  const contract = profiler.measure('command_contract', () => readCommandContract(projectRoot));
191
- const plan = profiler.measure('plan_creation', () => createRunPlan(projectRoot, contract, request.intentName, { testTargets: options.testTargets }));
191
+ const plan = profiler.measure('plan_creation', () => createRunPlan(projectRoot, contract, request.intentName, {
192
+ testTargets: options.testTargets,
193
+ approvedActions: request.allowApprovals,
194
+ }));
192
195
  if (!plan.ok) {
193
196
  if (request.outputMode === 'json') {
194
197
  reporter.stdout(JSON.stringify(createRunPreview(plan, 'plan-only'), null, 2));
@@ -1,7 +1,7 @@
1
1
  import { printUsageError } from '../lib/cli-output.js';
2
2
  import { t } from '../lib/i18n.js';
3
3
  import { formatCliOptionParseError } from '../lib/option-parser.js';
4
- import { getRunHelp, hasRunHelpOption, parseRunArguments } from './run/args.js';
4
+ import { getRunHelp, getSupportedRunApprovalActions, hasRunHelpOption, parseRunArguments } from './run/args.js';
5
5
  import { executeRunCommand } from './run/execution.js';
6
6
  import { executeRunPreviewCommand, getRunPreviewMode } from './run/preview.js';
7
7
  export { getRunHelp } from './run/args.js';
@@ -19,7 +19,18 @@ export async function runRun(args, reporter, lang = 'en', options = {}) {
19
19
  return 0;
20
20
  }
21
21
  const parsedArgs = parseRunArguments(args);
22
- if (parsedArgs.error && parsedArgs.error !== 'invalid_wait_timeout') {
22
+ if (parsedArgs.error === 'invalid_wait_timeout') {
23
+ printUsageError(reporter, t(lang, 'run.error.invalidWaitTimeout'), 'mf run --help', getRunHelp(lang), lang);
24
+ return 1;
25
+ }
26
+ if (parsedArgs.error === 'invalid_approval_action') {
27
+ printUsageError(reporter, t(lang, 'run.error.invalidApprovalAction', {
28
+ action: parsedArgs.invalidApprovalAction ?? 'unknown',
29
+ allowed: getSupportedRunApprovalActions().join(', '),
30
+ }), 'mf run --help', getRunHelp(lang), lang);
31
+ return 1;
32
+ }
33
+ if (parsedArgs.error) {
23
34
  if (parsedArgs.error.kind === 'missing_value' && parsedArgs.error.option === '--wait-timeout') {
24
35
  printUsageError(reporter, t(lang, 'run.error.invalidWaitTimeout'), 'mf run --help', getRunHelp(lang), lang);
25
36
  return 1;
@@ -27,10 +38,6 @@ export async function runRun(args, reporter, lang = 'en', options = {}) {
27
38
  printUsageError(reporter, formatCliOptionParseError(parsedArgs.error, lang), 'mf run --help', getRunHelp(lang), lang);
28
39
  return 1;
29
40
  }
30
- if (parsedArgs.error === 'invalid_wait_timeout') {
31
- printUsageError(reporter, t(lang, 'run.error.invalidWaitTimeout'), 'mf run --help', getRunHelp(lang), lang);
32
- return 1;
33
- }
34
41
  const json = parsedArgs.json;
35
42
  const dryRun = parsedArgs.dryRun;
36
43
  const planOnly = parsedArgs.planOnly;
@@ -59,6 +66,7 @@ export async function runRun(args, reporter, lang = 'en', options = {}) {
59
66
  intentName,
60
67
  outputMode: json ? 'json' : 'text',
61
68
  allowUntrustedRoot,
69
+ allowApprovals: parsedArgs.allowApprovals,
62
70
  wait: parsedArgs.wait,
63
71
  waitTimeoutSeconds: parsedArgs.waitTimeoutSeconds,
64
72
  }, reporter, lang, options);
@@ -161,6 +161,7 @@ async function runVerificationIntent(intent, lang, verificationPlanId, correlati
161
161
  intentName: intent,
162
162
  outputMode: 'silent',
163
163
  allowUntrustedRoot: false,
164
+ allowApprovals: [],
164
165
  wait: false,
165
166
  waitTimeoutSeconds: 1,
166
167
  }, output.reporter, lang, {
@@ -1287,6 +1287,7 @@ Read these files before working:
1287
1287
  "run.help.option.json": "Print the run record or command plan as JSON",
1288
1288
  "run.help.option.wait": "Wait for conflicting active run locks before executing",
1289
1289
  "run.help.option.waitTimeout": "Maximum seconds to wait for active run locks. Default: 300",
1290
+ "run.help.option.allowApproval": "Allow this execution to satisfy one approval-gated action such as network_access",
1290
1291
  "run.help.option.allowUntrustedRoot": "Allow one execution from a root with a missing or invalid manifest lock after manual review",
1291
1292
  "run.help.exit.ok": "The command completed with an allowed exit code",
1292
1293
  "run.help.exit.fail": "The command was invalid, refused, timed out, or failed",
@@ -1319,6 +1320,7 @@ Read these files before working:
1319
1320
  "run.error.maxOutputBytesDetail": "The output limit must stay within the allowed maximum.",
1320
1321
  "run.error.conflictingPreviewModes": "Use either --dry-run or --plan-only, not both",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout must be a positive integer",
1323
+ "run.error.invalidApprovalAction": 'Unsupported approval action "{action}". Supported actions: {allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait can only be used when executing a command, not with --dry-run or --plan-only",
1323
1325
  "run.error.untrustedRootMissing": "Refused to execute commands because {path} is missing. Run mf init/update to install the workflow, or pass --allow-untrusted-root after reviewing AGENTS.md and .mustflow/config/commands.toml.",
1324
1326
  "run.error.untrustedRootInvalid": "Refused to execute commands because the manifest lock is invalid: {detail}. Restore or regenerate it, or pass --allow-untrusted-root after reviewing AGENTS.md and .mustflow/config/commands.toml.",
@@ -1287,6 +1287,7 @@ Lee estos archivos antes de trabajar:
1287
1287
  "run.help.option.json": "Imprime el registro de ejecución o el plan de comando como JSON",
1288
1288
  "run.help.option.wait": "Espera bloqueos activos en conflicto antes de ejecutar",
1289
1289
  "run.help.option.waitTimeout": "Segundos máximos para esperar bloqueos activos. Predeterminado: 300",
1290
+ "run.help.option.allowApproval": "Permite que esta ejecución satisfaga una acción con aprobación como network_access",
1290
1291
  "run.help.option.allowUntrustedRoot": "Permite una ejecución desde una raíz con bloqueo de manifiesto ausente o inválido tras revisión manual",
1291
1292
  "run.help.exit.ok": "El comando se completo con un codigo de salida permitido",
1292
1293
  "run.help.exit.fail": "El comando no era válido, fue rechazado, agotó el tiempo o falló",
@@ -1319,6 +1320,7 @@ Lee estos archivos antes de trabajar:
1319
1320
  "run.error.maxOutputBytesDetail": "El límite de salida debe permanecer dentro del máximo permitido.",
1320
1321
  "run.error.conflictingPreviewModes": "Usa --dry-run o --plan-only, no ambos",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout debe ser un entero positivo",
1323
+ "run.error.invalidApprovalAction": 'Acción de aprobación no admitida "{action}". Acciones admitidas: {allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait solo se puede usar al ejecutar un comando, no con --dry-run o --plan-only",
1323
1325
  "run.error.untrustedRootMissing": "Se rechazó ejecutar comandos porque falta {path}. Ejecuta mf init/update para instalar el flujo, o usa --allow-untrusted-root tras revisar AGENTS.md y .mustflow/config/commands.toml.",
1324
1326
  "run.error.untrustedRootInvalid": "Se rechazó ejecutar comandos porque el bloqueo de manifiesto no es válido: {detail}. Restáuralo o regenéralo, o usa --allow-untrusted-root tras revisar AGENTS.md y .mustflow/config/commands.toml.",
@@ -1287,6 +1287,7 @@ Lisez ces fichiers avant de travailler :
1287
1287
  "run.help.option.json": "Imprime l'enregistrement d'exécution ou le plan de commande en JSON",
1288
1288
  "run.help.option.wait": "Attend les verrous actifs en conflit avant d'exécuter",
1289
1289
  "run.help.option.waitTimeout": "Nombre maximal de secondes d'attente des verrous actifs. Par défaut : 300",
1290
+ "run.help.option.allowApproval": "Autorise cette exécution à satisfaire une action soumise à approbation comme network_access",
1290
1291
  "run.help.option.allowUntrustedRoot": "Autorise une seule exécution depuis une racine sans verrou de manifeste valide après revue manuelle",
1291
1292
  "run.help.exit.ok": "La commande s'est terminée avec un code de sortie autorisé",
1292
1293
  "run.help.exit.fail": "La commande était non valide, refusée, expirée ou a échoué",
@@ -1319,6 +1320,7 @@ Lisez ces fichiers avant de travailler :
1319
1320
  "run.error.maxOutputBytesDetail": "La limite de sortie doit rester dans le maximum autorisé.",
1320
1321
  "run.error.conflictingPreviewModes": "Utilisez --dry-run ou --plan-only, pas les deux",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout doit être un entier positif",
1323
+ "run.error.invalidApprovalAction": 'Action d’approbation non prise en charge "{action}". Actions prises en charge : {allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait ne peut être utilisé que lors de l'exécution d'une commande, pas avec --dry-run ou --plan-only",
1323
1325
  "run.error.untrustedRootMissing": "Exécution refusée car {path} est absent. Lancez mf init/update pour installer le workflow, ou ajoutez --allow-untrusted-root après avoir relu AGENTS.md et .mustflow/config/commands.toml.",
1324
1326
  "run.error.untrustedRootInvalid": "Exécution refusée car le verrou de manifeste est invalide : {detail}. Restaurez-le ou régénérez-le, ou ajoutez --allow-untrusted-root après avoir relu AGENTS.md et .mustflow/config/commands.toml.",
@@ -1287,6 +1287,7 @@ export const hiMessages = {
1287
1287
  "run.help.option.json": "Run record या command plan को JSON के रूप में प्रिंट करें",
1288
1288
  "run.help.option.wait": "चलाने से पहले conflicting active run locks के लिए wait करें",
1289
1289
  "run.help.option.waitTimeout": "active run locks के लिए wait करने की maximum seconds. Default: 300",
1290
+ "run.help.option.allowApproval": "इस execution को network_access जैसे approval-gated action को satisfy करने दें",
1290
1291
  "run.help.option.allowUntrustedRoot": "Manual review के बाद missing या invalid manifest lock वाली root से एक execution allow करें",
1291
1292
  "run.help.exit.ok": "कमांड अनुमत exit code के साथ पूरी हुई",
1292
1293
  "run.help.exit.fail": "कमांड अमान्य थी, अस्वीकार हुई, timed out हुई या विफल हुई",
@@ -1319,6 +1320,7 @@ export const hiMessages = {
1319
1320
  "run.error.maxOutputBytesDetail": "Output limit अनुमत maximum के अंदर रहनी चाहिए।",
1320
1321
  "run.error.conflictingPreviewModes": "--dry-run या --plan-only में से एक इस्तेमाल करें, दोनों नहीं",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout positive integer होना चाहिए",
1323
+ "run.error.invalidApprovalAction": 'Unsupported approval action "{action}". Supported actions: {allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait केवल command execute करते समय इस्तेमाल हो सकता है, --dry-run या --plan-only के साथ नहीं",
1323
1325
  "run.error.untrustedRootMissing": "{path} missing है, इसलिए commands execute करने से मना किया गया। Workflow install करने के लिए mf init/update चलाएँ, या AGENTS.md और .mustflow/config/commands.toml review करने के बाद --allow-untrusted-root पास करें।",
1324
1326
  "run.error.untrustedRootInvalid": "Manifest lock invalid है, इसलिए commands execute करने से मना किया गया: {detail}. इसे restore या regenerate करें, या AGENTS.md और .mustflow/config/commands.toml review करने के बाद --allow-untrusted-root पास करें।",
@@ -1287,6 +1287,7 @@ export const koMessages = {
1287
1287
  "run.help.option.json": "실행 결과 또는 명령 계획을 JSON으로 출력합니다",
1288
1288
  "run.help.option.wait": "충돌하는 활성 실행 잠금이 풀릴 때까지 기다린 뒤 실행합니다",
1289
1289
  "run.help.option.waitTimeout": "활성 실행 잠금을 기다릴 최대 초입니다. 기본값: 300",
1290
+ "run.help.option.allowApproval": "이번 실행에서 network_access 같은 승인 게이트 action 하나를 허용합니다",
1290
1291
  "run.help.option.allowUntrustedRoot": "잠금 파일이 없거나 올바르지 않은 루트에서 수동 검토 후 이번 실행만 허용합니다",
1291
1292
  "run.help.exit.ok": "명령이 허용된 종료 코드로 완료되었습니다",
1292
1293
  "run.help.exit.fail": "명령이 잘못되었거나, 거부되었거나, 시간 초과되었거나, 실패했습니다",
@@ -1319,6 +1320,7 @@ export const koMessages = {
1319
1320
  "run.error.maxOutputBytesDetail": "출력 상한은 허용된 최댓값 안에 있어야 합니다.",
1320
1321
  "run.error.conflictingPreviewModes": "--dry-run과 --plan-only 중 하나만 사용하세요",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout은 양의 정수여야 합니다",
1323
+ "run.error.invalidApprovalAction": '지원하지 않는 승인 action입니다: "{action}". 지원 action: {allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait는 --dry-run 또는 --plan-only가 아닌 실제 명령 실행에만 사용할 수 있습니다",
1323
1325
  "run.error.untrustedRootMissing": "{path}이 없어 명령 실행을 거부했습니다. mf init/update로 워크플로우를 설치하거나, AGENTS.md와 .mustflow/config/commands.toml을 검토한 뒤 --allow-untrusted-root를 붙이세요.",
1324
1326
  "run.error.untrustedRootInvalid": "잠금 파일이 올바르지 않아 명령 실행을 거부했습니다: {detail}. 파일을 복구하거나 다시 생성하거나, AGENTS.md와 .mustflow/config/commands.toml을 검토한 뒤 --allow-untrusted-root를 붙이세요.",
@@ -1287,6 +1287,7 @@ export const zhMessages = {
1287
1287
  "run.help.option.json": "将运行记录或命令计划输出为 JSON",
1288
1288
  "run.help.option.wait": "执行前等待冲突的活动运行锁释放",
1289
1289
  "run.help.option.waitTimeout": "等待活动运行锁的最大秒数。默认值:300",
1290
+ "run.help.option.allowApproval": "允许本次执行满足一个需要审批的动作,例如 network_access",
1290
1291
  "run.help.option.allowUntrustedRoot": "人工复核后,允许从缺失或无效清单锁的根目录执行一次命令",
1291
1292
  "run.help.exit.ok": "命令已以允许的退出码完成",
1292
1293
  "run.help.exit.fail": "命令无效、被拒绝、超时或失败",
@@ -1319,6 +1320,7 @@ export const zhMessages = {
1319
1320
  "run.error.maxOutputBytesDetail": "输出限制必须保持在允许的最大值内。",
1320
1321
  "run.error.conflictingPreviewModes": "只能使用 --dry-run 或 --plan-only,不能同时使用",
1321
1322
  "run.error.invalidWaitTimeout": "--wait-timeout 必须是正整数",
1323
+ "run.error.invalidApprovalAction": '不支持的审批动作 "{action}"。支持的动作:{allowed}',
1322
1324
  "run.error.waitRequiresExecution": "--wait 只能用于实际执行命令,不能与 --dry-run 或 --plan-only 一起使用",
1323
1325
  "run.error.untrustedRootMissing": "已拒绝执行命令,因为缺少 {path}。请运行 mf init/update 安装工作流,或在检查 AGENTS.md 和 .mustflow/config/commands.toml 后传入 --allow-untrusted-root。",
1324
1326
  "run.error.untrustedRootInvalid": "已拒绝执行命令,因为清单锁无效:{detail}。请恢复或重新生成它,或在检查 AGENTS.md 和 .mustflow/config/commands.toml 后传入 --allow-untrusted-root。",
@@ -51,6 +51,9 @@ function commandAcceptsTestTargets(intent) {
51
51
  function isResolvedWindowsCommandScript(executablePath) {
52
52
  return process.platform === 'win32' && isWindowsCommandScriptPath(executablePath);
53
53
  }
54
+ function createApprovedActionSet(actions) {
55
+ return new Set((actions ?? []).map((action) => action.trim()).filter((action) => action.length > 0));
56
+ }
54
57
  export function isMustflowBuiltinIntent(intent) {
55
58
  return readString(intent, 'kind') === 'mustflow_builtin';
56
59
  }
@@ -129,7 +132,7 @@ function readRunIntentMetadata(contract, intent) {
129
132
  relatedOneshotChecks: readStringArray(intent, 'related_oneshot_checks') ?? [],
130
133
  };
131
134
  }
132
- function createApprovalBlock(projectRoot, metadata) {
135
+ function createApprovalBlock(projectRoot, metadata, approvedActions) {
133
136
  const actionTypes = [];
134
137
  if (metadata.network === true) {
135
138
  actionTypes.push('network_access');
@@ -150,15 +153,16 @@ function createApprovalBlock(projectRoot, metadata) {
150
153
  const requiredActions = approvalReport.decisions
151
154
  .filter((decision) => decision.approval_required)
152
155
  .map((decision) => decision.action_type);
153
- if (requiredActions.length === 0) {
156
+ const missingActions = requiredActions.filter((action) => !approvedActions.has(action));
157
+ if (missingActions.length === 0) {
154
158
  return null;
155
159
  }
156
- const reasonCode = requiredActions.includes('destructive_command')
160
+ const reasonCode = missingActions.includes('destructive_command')
157
161
  ? 'destructive_requires_approval'
158
162
  : 'network_requires_approval';
159
163
  return {
160
164
  reasonCode,
161
- detail: `Action ${requiredActions.map((action) => JSON.stringify(action)).join(', ')} requires explicit approval before mf run can execute this intent.`,
165
+ detail: `Action ${missingActions.map((action) => JSON.stringify(action)).join(', ')} requires explicit approval before mf run can execute this intent.`,
162
166
  };
163
167
  }
164
168
  function createBlockedRunPlan(contract, intentName, intent, eligibility, reasonCode, detail, preconditions = []) {
@@ -214,7 +218,7 @@ export function createRunPlan(projectRoot, contract, intentName, options = {}) {
214
218
  return createBlockedRunPlan(contract, intentName, rawIntent, eligibility, eligibility.code, eligibility.detail, preconditions);
215
219
  }
216
220
  const metadata = readRunIntentMetadata(contract, rawIntent);
217
- const approvalBlock = createApprovalBlock(projectRoot, metadata);
221
+ const approvalBlock = createApprovalBlock(projectRoot, metadata, createApprovedActionSet(options.approvedActions));
218
222
  if (approvalBlock) {
219
223
  return createBlockedRunPlan(contract, intentName, rawIntent, eligibility, approvalBlock.reasonCode, approvalBlock.detail, preconditions);
220
224
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mustflow",
3
- "version": "2.103.35",
3
+ "version": "2.106.1",
4
4
  "description": "Agent workflow documents and CLI for mustflow repository roots.",
5
5
  "type": "module",
6
6
  "license": "MIT-0",
@@ -62,7 +62,7 @@ translations = {}
62
62
  [documents."skills.index"]
63
63
  source = "locales/en/.mustflow/skills/INDEX.md"
64
64
  source_locale = "en"
65
- revision = 197
65
+ revision = 200
66
66
  translations = {}
67
67
 
68
68
  [documents."skill.adapter-boundary"]
@@ -347,6 +347,12 @@ source_locale = "en"
347
347
  revision = 1
348
348
  translations = {}
349
349
 
350
+ [documents."skill.async-timing-boundary-review"]
351
+ source = "locales/en/.mustflow/skills/async-timing-boundary-review/SKILL.md"
352
+ source_locale = "en"
353
+ revision = 1
354
+ translations = {}
355
+
350
356
  [documents."skill.concurrency-invariant-review"]
351
357
  source = "locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md"
352
358
  source_locale = "en"
@@ -712,6 +718,12 @@ source_locale = "en"
712
718
  revision = 1
713
719
  translations = {}
714
720
 
721
+ [documents."skill.vite-code-change"]
722
+ source = "locales/en/.mustflow/skills/vite-code-change/SKILL.md"
723
+ source_locale = "en"
724
+ revision = 1
725
+ translations = {}
726
+
715
727
  [documents."skill.python-code-change"]
716
728
  source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
717
729
  source_locale = "en"
@@ -778,6 +790,12 @@ source_locale = "en"
778
790
  revision = 3
779
791
  translations = {}
780
792
 
793
+ [documents."skill.wails-code-change"]
794
+ source = "locales/en/.mustflow/skills/wails-code-change/SKILL.md"
795
+ source_locale = "en"
796
+ revision = 1
797
+ translations = {}
798
+
781
799
  [documents."skill.typescript-code-change"]
782
800
  source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
783
801
  source_locale = "en"
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 197
5
+ revision: 200
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -234,6 +234,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
234
234
  - Use `vue-code-change` as a primary route when Vue, Nuxt, Pinia, Vue Router, Vue SFCs,
235
235
  Composition API, reactivity, props, emits, slots, `v-model`, SSR, hydration, lazy hydration,
236
236
  Vite/Vue toolchain, or Vue-related tests are created, changed, reviewed, or upgraded.
237
+ - Use `vite-code-change` as a primary route when Vite config, plugins, Rolldown or Rollup
238
+ compatibility, dependency optimization, dev server or HMR behavior, SSR, library mode, workers,
239
+ Environment API usage, package exports, TypeScript transpilation, browser targets, assets, CSS,
240
+ sourcemaps, package-manager scripts, CI, Docker, preview, or Vite-related tests are created,
241
+ changed, reviewed, migrated, or upgraded.
237
242
  - Use `babylon-code-change` as a primary route when Babylon.js, WebGPU or WebGL engine setup,
238
243
  Scene lifecycle, cameras, lights, meshes, materials, textures, shaders, glTF or GLB loading,
239
244
  Havok or Physics V2, LOD, instancing, thin instances, picking, render loops, Inspector
@@ -242,6 +247,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
242
247
  server load, actions, endpoints, hooks, runes, snippets, bindings, SSR, hydration, streaming,
243
248
  invalidation, adapters, Vite, TypeScript, packaging, or Svelte-related tests are created,
244
249
  changed, reviewed, or upgraded.
250
+ - Use `wails-code-change` as a primary route when Wails v3 apps, Go services, generated bindings,
251
+ TypeScript runtime calls, windows, menus, system tray, dialogs, events, WebView platform
252
+ behavior, Taskfile or build config, signing, packaging, custom protocols, file associations,
253
+ server builds, or Wails-related tests are created, changed, reviewed, or upgraded.
245
254
  - Use `axum-code-change` as a primary route when Axum routers, handlers, extractors, state,
246
255
  extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, Tokio tasks or locks,
247
256
  SQLx pools, rejections, error responses, body limits, WebSockets, or Rust HTTP API tests are
@@ -285,6 +294,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
285
294
  - Use `race-condition-review` as an adjunct when shared state can be read, yielded, locked,
286
295
  retried, published, queued, cancelled, closed, reused, or observed across interleaving execution
287
296
  flows.
297
+ - Use `async-timing-boundary-review` as an adjunct when arbitrary sleeps, fixed delays, timer
298
+ waits, event-loop yields, render-frame waits, readiness polling, CI waits, Promise completion
299
+ claims, async one-time side effects, or eventual-consistency waits need a real completion signal
300
+ instead of a tuned millisecond value.
288
301
  - Use `concurrency-invariant-review` as an adjunct when a review needs to prove shared-state
289
302
  ownership, whole-invariant protection, lock and condition-variable discipline, memory visibility,
290
303
  duplicated execution, shutdown, thread-local context, async interleavings, or deterministic
@@ -478,6 +491,7 @@ routes. Event routes stay inactive until their event occurs.
478
491
  | Code review or implementation specifically needs to catch hidden O(N^2), pairwise work, repeated membership checks, map/filter/find/includes chains, code joins by ID, duplicate removal with index search, sorted-array linear search, repeated sort, reducer spread, string concatenation, JSON comparison, helper-hidden full-list scans, ORM lazy loading, GraphQL resolver fan-out, render-time lookup, tree or graph parent-child scans, event-history scans, interval all-pairs checks, or incremental updates that recompute whole state | `.mustflow/skills/quadratic-scan-review/SKILL.md` | Outer work, inner work, data shape, join or membership key, semantic contract, evidence level, and configured command intents | Set or Map lookup, grouping maps, parent-to-children maps, composite keys, sorted merge, single-pass aggregation, database-side joins, focused behavior tests, and bounded complexity notes tied to the repeated scan | disguised nested loop, same collection rescanned per item, array membership over growing data, ID join without index, duplicate-removal O(N^2), sorted linear search, sort inside loop, copy accumulation, JSON stringify comparison, helper-body scan, ORM N+1, resolver fan-out, render jank, graph traversal slowdown, event-history rescan, interval all-pairs leak, or small-list excuse without a hard cap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Repeated path, outer and inner counts, data-growth classification, hidden scan findings, chosen index or intentional all-pairs decision, semantics preserved, evidence level, verification, and remaining quadratic-scan risk |
479
492
  | Code review or implementation needs type modeling to make impossible states unrepresentable, including branded IDs, unit and currency types, boolean flag clusters, broad string statuses, nullable state fields, raw external data, partial update inputs, DTO/domain/response mixing, broad maps, `any`, casts, non-null assertions, Result error variants, non-empty collections, permission capabilities, lifecycle timestamps, or exhaustiveness | `.mustflow/skills/type-state-modeling-review/SKILL.md` | Domain invariant, current type surface, construction path, boundary map, exhaustiveness surface, and configured command intents | Branded types, newtypes, wrappers, literal unions, sealed or discriminated variants, parsers, constructors, validators, DTO boundary splits, focused tests, and directly synchronized docs or templates | swapped IDs, unit or currency confusion, contradictory boolean flags, status drift, optional-field invalid state, raw DTO leakage, unsafe `Partial<T>`, domain/API/DB coupling, broad `Record<string, unknown>`, `any` spread, cast cover-up, non-null assertion crash, untyped Result errors, empty collection invariant leak, permission boolean drift, lifecycle timestamp contradiction, or missed exhaustive case | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Type surface reviewed, impossible states found or ruled out, boundary and construction path tightened, exhaustiveness and tests checked, verification, and remaining impossible-state risk |
480
493
  | Code review or implementation needs race-condition triage for shared state observed across interleaving execution flows, including check-then-act, read-modify-write, stale reads after `await`, I/O, callbacks or events, lock scope or global lock order, `tryLock`, timeout, retry, cache miss fill, lazy initialization, double-checked locking, atomics, memory ordering, DB transaction isolation, conditional updates, unique constraints, distributed locks, idempotency, filesystem exists/open, atomic create or rename, outbox ordering, queue duplicates or reordering, concurrent same-user work, shutdown, cancellation, timers, close/send races, shared collections, iterator snapshots, object reuse, fake immutability, sleep-based race tests, log ordering, or status values without transitions | `.mustflow/skills/race-condition-review/SKILL.md` | Shared state surface, invariant, interleaving points, synchronization or transaction boundary, retry and idempotency policy, event, queue, timer, cancellation and shutdown paths, collection or object ownership, evidence level, and configured command intents | Atomic conditional update, atomic create, compare-and-swap, lock scope or lock-order fix, unique constraint, row lock, idempotency guard, singleflight, outbox or inbox guard, state transition guard, snapshot iteration, ownership split, focused concurrency tests, and directly synchronized docs or templates | check-then-act, lost update, stale read after await, torn invariant, callback under lock, deadlock, retry duplication, cache stampede, double init, unsafe atomic assumption, isolation mismatch, app-only uniqueness, broken distributed lock, duplicate side effect, event/state split brain, queue duplicate or out-of-order damage, shutdown drop, cancellation completion race, old timer update, double close, send after close, shared collection mutation, pooled object corruption, fake immutable mutation, sleep-test false confidence, log-order lie, or state value race | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Shared state and invariant reviewed, interleaving ledger, atomicity and synchronization findings, stale-read and ordering checks, tests or evidence level, verification, and remaining race-condition risk |
494
+ | Code, tests, docs, or reports add, change, review, justify, or debug arbitrary sleeps, fixed delays, `setTimeout`, timer waits, event-loop yields, microtask or next-tick waits, render-frame or after-paint waits, CI waits, readiness polling, startup waits, file flush waits, worker readiness, Promise completion claims, async one-time side effects, or eventual-consistency waits | `.mustflow/skills/async-timing-boundary-review/SKILL.md` | Wait surface, intended condition, boundary class, available completion signal, caller ownership, test evidence, and command contract entries | Timing helpers, async flow, lifecycle waits, readiness probes, bounded polling, fake-time tests, stream/filesystem/process/worker/server/database/queue/index/device waits, and directly synchronized docs or templates | tuned millisecond threshold, sleep as readiness, Promise that only schedules work, one-time side-effect scope drift, render-before-layout measurement, stream or file durability lie, process or server ready guess, replica/search/queue visibility race, unbounded polling, timeout layering bug, CI-only flake, or sleep-based proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Waits classified, completion signal chosen or missing, fixed waits removed or bounded, Promise/once/render/I/O/external checks, verification, skipped timing diagnostics, and remaining async timing risk |
481
495
  | Code review or implementation needs concurrency-invariant triage for shared ownership and primitive discipline when correctness depends on time-order changes, including hidden writes in getters, lazy initialization, check-then-act, read-modify-write, exact lock identity, lock scope, lock order, callbacks under lock, condition-variable `while` predicates, lost notifications, atomics mixed with ordinary state, CAS ABA, double-checked locking, object publication before construction completes, fake immutability, concurrent collection iteration, cache stampede, application-only uniqueness, transaction isolation, distributed lock lease expiry, fencing tokens, idempotency keys, duplicate queue delivery, explicit state-machine transitions, scheduler overlap, shutdown drain, resource release after acquire, thread-local leakage, async `await` interleavings, or sleep-based concurrency tests | `.mustflow/skills/concurrency-invariant-review/SKILL.md` | Shared state inventory, owner decision, invariant, time-order table, lock identity and order, condition predicate, atomic and memory-visibility story, transaction and distributed lease boundary, duplicate execution rule, shutdown and thread-local context, test evidence, and configured command intents | Single-writer ownership, immutable snapshot, scoped lock, global lock order, condition predicate loop, atomic conditional write, transaction or row lock, unique constraint, idempotency record, fencing token, queue dedupe, state transition guard, scheduler ownership, shutdown drain, context cleanup, deterministic interleaving test, and directly synchronized docs or templates | ownerless shared state, read-only helper hidden write, torn invariant, different locks guarding one fact, too-narrow lock, too-wide lock, deadlock order, callback under lock, lost notification, spurious wakeup, atomic-only cover-up, ABA, unsafe publication, half-constructed object, fake immutable mutation, collection mutation during iteration, cache stampede, duplicate insert across service instances, isolation mismatch, expired distributed lock owner, duplicate side effect, queue redelivery damage, status backtracking, scheduler double-run, dropped in-flight work, leaked permit, thread-local tenant leak, stale value after await, or sleep-test false confidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Shared inventory and owners reviewed, invariant and time-order table, primitive-discipline findings, fixes or recommendations, deterministic evidence level, verification, and remaining concurrency-invariant risk |
482
496
  | Code review or implementation needs failure-integrity triage for exception or failure handling that can produce false success, swallowed exceptions, log-and-continue paths, ambiguous `null`, `false`, or empty defaults, `finally` masking, transaction commit after caught failure, external side-effect ordering bugs, retry without idempotency, missing timeouts, cancellation swallowing, unobserved async failures, queue ack/nack mistakes, lost causes, leaked internal errors, mixed business and system failures, partial state, lock or resource leaks on failure paths, unsafe parsing defaults, fail-open authorization, unsafe cache or fallback defaults, unstable public error messages, or missing failure-path observability | `.mustflow/skills/failure-integrity-review/SKILL.md` | Failure surface, truth surface, state-change ledger, error classification, transaction and side-effect boundary, retry, timeout, cancellation, queue, cleanup, public error, redaction, observability, and configured command intents | Failure propagation, typed error value, rollback or compensation, idempotency guard, timeout and retry budget, cancellation propagation, ack/nack and dead-letter policy, cause preservation, stable public error code, safe logging or metrics, fail-closed behavior, resource cleanup, focused failure-path tests, and directly synchronized docs or templates | broad catch, swallowed exception, false success, false empty data, cleanup masking original error, partial commit, unknown provider outcome, duplicate side effect, retry storm, hung dependency, ignored cancellation, unobserved background failure, dropped queue message, poison message loop, lost stack cause, internal error leak, client string-branching, business/system failure confusion, stuck processing state, unreleased lock, unclosed handle, dangerous default value, fail-open permission, unsafe fallback, invisible compensation failure, or no operator signal | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Failure surface and lie reviewed, state-change and truth ledger, swallowed or false-success findings, rollback/retry/fallback/observability decisions, tests or evidence level, verification, and remaining failure-integrity risk |
483
497
  | Code review or implementation needs backend-log-evidence triage for backend request, worker, scheduler, webhook, migration, script, service, repository, or external adapter logs that must explain why a request, job, or data change reached its final state, including event names, schema versions, start and finish logs, trace/span/request IDs, correlation and causation IDs, outcome and reason fields, error causes and stacks, external API before and after logs, DB affected rows, transaction begin/commit/rollback, state transitions, silent early returns, retries, timeouts, queue enqueue and consume, async context propagation, batch summaries, audit events, auth or validation failures, cache hits or misses, lock acquisition, idempotency outcomes, feature flags, release/config startup summaries, migration dry-run and apply logs, log pipeline canaries, generated/accepted/sent/stored/searchable counts, timestamp versus observed timestamp, parser or mapping failures, severity levels, duplicate logs, structured fields, safe identifiers, sampling, cardinality, log-injection safety, or redaction | `.mustflow/skills/backend-log-evidence-review/SKILL.md` | Backend path, event contract, correlation and causation model, request lifecycle evidence, error evidence, decision evidence, side-effect evidence, pipeline integrity evidence, sampling and safety constraints, local logger conventions, tests or fixtures, and configured command intents | Structured log events, stable event names, schema versions, safe identifiers, trace/span/request/correlation/causation IDs, request start and finish summaries, result type, outcome, reason code, duration, deployment/resource attributes, error object logging, cause preservation, dependency request IDs, affected-row counts, transition fields, retry attempts, timeout classes, queue and batch IDs, audit fields, auth and validation reason codes, cache and lock result fields, idempotency classifications, feature flag variants, release and config summaries, log canary and pipeline survival checks, cardinality controls, redaction guards, focused tests, and directly synchronized docs or templates | route-only start log, no finish log, missing duration, message-based dashboard, missing schema version, missing trace or span id, missing causation id, string-only error, lost cause or stack, external API logged only after failure, raw provider body log, missing affected-row count, invisible transaction boundary, status assignment without from/to state, silent guard return, attempt-free retry log, timeout without actual duration, enqueue without consume evidence, broken async request id, batch started/finished only, audit event mixed with debug log, missing auth reason, validation 400 with no safe field summary, cache blind spot, lock wait hidden, idempotency ambiguity, feature flag opacity, release or config opacity, secret-bearing config log, migration `done`, swallowed background error, all-info severity, duplicate error spam, prose-only log, high-cardinality indexed field, log pipeline silently dropping evidence, log injection exposure, unsafe sampling, missing domain identifier, or sink-side-only masking | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Backend log boundary reviewed, reconstruction question, event/lifecycle/correlation/causation/error/side-effect/decision/pipeline/cardinality/sampling/redaction findings, evidence level, verification, and remaining backend-log-evidence risk |
@@ -582,6 +596,7 @@ routes. Event routes stay inactive until their event occurs.
582
596
  | Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, TypeScript compiler-track references, Rust release or MSRV references, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, TypeScript compiler track or Rust MSRV/toolchain track when relevant, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, TypeScript RC/nightly/API-track confusion, Rust stable/nightly/MSRV confusion, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, TypeScript stable/RC/nightly/API-track and Rust stable/nightly/MSRV split when relevant, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
583
597
  | External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or volatile component implementations cross the core boundary or need stable port/adapter translation, change isolation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, change-isolation ledger, preserved consumer contract, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, caller churn from adapter-only changes, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, change-isolation ledger, preserved consumer contract, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
584
598
  | Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, or WebView/native boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, and native boundary checked, verification, and remaining Tauri risk |
599
+ | Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch, or packaging/signing drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Wails version/app/service/bridge/binding/window/event/menu/tray/dialog/platform packaging notes, verification, and remaining Wails risk |
585
600
  | File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
586
601
  | File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, clone or checkout materialization, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, clone/checkout/scaffold/install/extract path budget, app-owned staging boundary, platform expectations, failure taxonomy, and command contract entries | Path validation, file helpers, copy/update/delete code, clone/scaffold/archive cleanup code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, path-length or filename-length misclassification, watcher/resource misclassification, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, preflight and staging boundaries, clone/scaffold/extract classification, platform assumptions, verification, and remaining filesystem risk |
587
602
  | Child processes, shell or argv execution, built-in command reruns, Git/package-manager/scaffolder failures, timeouts, process trees, output limits, streaming, environment policy, command eligibility, failure classification, command-line length limits, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, argv and shell command-length budget, environment, cwd, process tree behavior, failure taxonomy, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, failure classifiers, receipts, tests, and docs | runaway process, unbounded output, leaked environment, argv-too-long failure, shell-command-too-long failure, inconsistent JSON/text execution, false cleanup claim, Git checkout path failure misreported as network or auth, blind retry, diagnostic loss, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, argv and shell length handling, failure classification, diagnostic preservation, receipt consistency, tests, verification, and remaining process risk |
@@ -615,6 +630,7 @@ routes. Event routes stay inactive until their event occurs.
615
630
  | Astro config, package metadata, pages, layouts, components, client islands, server islands, hydration directives, content or live collections, routes, endpoints, actions, adapters, request pipeline, `src/fetch.*`, route cache, MDX, Markdoc, Markdown processing, Shiki, images, `ClientRouter`, migration, or Astro build behavior are created or changed | `.mustflow/skills/astro-code-change/SKILL.md` | Astro config, current and target Astro version when migrating, route tree, request pipeline, cache rules, Markdown/MDX/Markdoc/Shiki processor, layouts, content schema, components, adapter runtime, server island boundary, changed files, and command contract entries | Astro pages, layouts, client and server islands, content and live collections, adapters, endpoints, actions, request pipeline, route cache, Markdown, Markdoc, Shiki, tests, and docs examples | unnecessary hydration, server island first-HTML drift, build/runtime data mix, stale `output: "hybrid"` migration, route URL drift, request pipeline omission, cache data exposure, Markdown or MDX drift, unsafe Markdoc HTML, content schema drift, loader validation miss, adapter runtime mismatch, or target-preview gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Build/runtime, route, endpoint/action, request pipeline, cache, Markdown/MDX/Markdoc/Shiki, content, hydration, server island, ClientRouter, and adapter boundary checked, verification, and remaining Astro risk |
616
631
  | React, React DOM, React Server Components, Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent rendering, SSR streaming, resource hints, package metadata, or React-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/react-code-change/SKILL.md` | React package evidence, effective React support range, compiler and lint evidence, rendering boundary, state and mutation evidence, changed files, and command contract entries | React source, tests, package metadata, framework config, SSR or RSC boundaries, docs examples, and directly synchronized compatibility surfaces | stale React version claim, CRA reintroduction, React 19 API in React 18-compatible package, effect dependency suppression, memoization folklore, compiler mismatch, context rerender drift, ref compatibility break, Suspense misuse, Action rollback gap, RSC or Server Action boundary confusion, unsafe resource hints, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | React version, compiler, lint, effect, state, memoization, context, ref, form, Suspense, SSR/RSC, resource, verification, and compatibility risks checked |
617
632
  | Vue, Nuxt, Pinia, Vue Router, Vue SFCs, Composition API, reactivity, props, emits, slots, `v-model`, SSR, hydration, lazy hydration, Vite/Vue toolchain, or Vue-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/vue-code-change/SKILL.md` | Vue/Nuxt package evidence, effective Vue support range, Vite/vue-tsc/toolchain evidence, component API evidence, reactivity and watcher evidence, SSR/hydration evidence, Pinia/Router ownership evidence, changed files, and command contract entries | Vue SFCs, composables, Pinia stores, Router routes and guards, Nuxt pages/layouts/components/plugins, Vite/Nuxt config, tests, docs examples, package metadata, and directly synchronized compatibility surfaces | stale Vue or Nuxt version claim, missing SFC typecheck, wide reactive subscription, deep watch bomb, unstable computed identity, raw/proxy identity hazard, nested prop mutation, `defineModel` default desync, undeclared emit fallthrough, slot API drift, Pinia destructuring break, broad route watch, SSR request-state leak, hydration mismatch, ClientOnly misuse, lazy hydration on immediate interaction, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Vue version, toolchain, SFC typecheck, reactivity, computed, watcher, component API, composable, Pinia, Router, SSR, hydration, lazy-hydration, performance, verification, and compatibility risks checked |
633
+ | Vite config, plugins, Rolldown or Rollup compatibility, dependency optimization, dev server or HMR behavior, SSR, library mode, workers, Environment API usage, package exports, TypeScript transpilation, browser targets, assets, CSS, sourcemaps, package-manager scripts, CI, Docker, preview, or Vite-related tests are created, changed, reviewed, migrated, or upgraded | `.mustflow/skills/vite-code-change/SKILL.md` | Vite package evidence, installed and target Vite major, framework plugin evidence, package manager and Node policy, Vite config, plugin ledger, optimizer ledger, runtime ledger, package export ledger, asset/output ledger, changed files, and command contract entries | Vite config, plugins, package metadata, TypeScript config, CSS config, dependency optimizer settings, dev server and HMR settings, SSR and worker entries, library build config, assets, sourcemaps, preview, CI, Docker, tests, docs, and directly synchronized template surfaces | stale Vite version claim, old Rollup/esbuild option drift, ignored compatibility layer, missing typecheck, optimizer rediscovery loop, HMR boundary hidden behind wrappers, plugin ordering myth, lost import query, virtual module id drift, global plugin cache across environments, CJS default import trap, package exports condition drift, SSR manifest confusion, worker build plugin gap, library-mode asset inline surprise, public sourcemap exposure, base path asset 404, package-manager lock drift, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Vite version, Rolldown/Rollup/Oxc/CSS, TypeScript, optimizer, HMR, plugin, package-resolution, SSR, worker, library, asset, sourcemap, package-manager, CI, Docker, preview, verification, and compatibility risks checked |
618
634
  | Babylon.js, WebGPU or WebGL engine setup, Scene lifecycle, cameras, lights, meshes, materials, textures, shaders, glTF or GLB loading, AssetContainer usage, loaders, Havok or Physics V2, LOD, instancing, thin instances, picking, render loops, Inspector debugging, or Babylon-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/babylon-code-change/SKILL.md` | Babylon package evidence, engine and fallback ledger, Scene and render loop owners, asset and decoder ledger, material and shader ledger, LOD/instancing/culling ledger, physics ledger, performance counters, changed files, and command contract entries | Babylon engine setup, Scene lifecycle, loaders, assets, materials, shaders, textures, cameras, lights, shadows, render targets, render loops, observers, LOD, culling, instances, thin instances, picking, Physics V2, Havok, tests, docs, and package metadata | stale Babylon version claim, WebGPU async init race, missing WebGL fallback, WebGPU bundle churn, loader or side-effect import drift, `__root__` mesh confusion, decoder hosting gap, material dirty or shader compile stutter, texture VRAM waste, thin-instance bounding failure, picking CPU tax, observer leak, incomplete disposal, overbroad mesh physics, collision callback overload, or unverified performance claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Babylon version, engine/fallback, render loop, Scene lifecycle, asset loading, materials, shaders, textures, LOD/culling/instancing, picking, physics, performance, verification, and remaining Babylon risk |
619
635
  | Svelte or SvelteKit components, route files, universal or server load functions, form actions, endpoints, hooks, stores, context, runes, props, snippets, bindings, SSR, hydration, streaming, preload, invalidation, server-only imports, env boundaries, adapters, Vite, TypeScript, packaging, accessibility warnings, or tests are created or changed | `.mustflow/skills/svelte-code-change/SKILL.md` | Svelte config, route segment files, route matchers, stores/runes/context, hooks, app types, adapter config, Vite and TypeScript config, package export metadata, changed files, and command contract entries | Svelte components, route files, load/actions, endpoints, stores/runes/context, SSR/client boundaries, adapter and package surfaces, tests, and docs examples | SSR/client leakage, server-only import leak, browser global crash, hydration marker drift, preload side effect, invalidation miss, streaming header/auth bug, request-state leak, state owner drift, effect-as-derived loop, form degradation, adapter output drift, package export break, or ignored accessibility warning | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | SSR, server/client, route/load/action/invalidation/streaming, state/runes/props/snippets/bindings, adapter/toolchain/package, form, and accessibility boundary checked, verification, and remaining Svelte risk |
620
636
  | Web image assets are added, converted, resized, or replaced | `.mustflow/skills/web-asset-optimization/SKILL.md` | Image asset request and target path | Web image assets | asset quality and size | `asset_optimize`, `build` | Optimized asset notes |