mustflow 2.107.3 → 2.107.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -324,6 +324,13 @@ function gapForRequirement(requirement, candidates) {
324
324
  detail: `No runnable command intents cover required_after = "${requirement.reason}".`,
325
325
  };
326
326
  }
327
+ /**
328
+ * mf:anchor core.verification.change-report
329
+ * purpose: Turn changed-file classification into verification requirements, candidates, gaps, and a scheduled intent plan.
330
+ * search: verification report, required_after, selected intents, gaps, test selection
331
+ * invariant: Selected verification intents must come from configured command-contract coverage and declared test selection.
332
+ * risk: config, data_consistency
333
+ */
327
334
  export function createChangeVerificationReport(classificationReport, commandContract, projectRoot) {
328
335
  const testSelectionPlan = createProjectTestSelectionPlan(projectRoot, classificationReport, commandContract);
329
336
  const requirements = classificationReport.summary.validationReasons.map((reason) => createVerificationRequirement(classificationReport, reason));
@@ -137,6 +137,13 @@ function addEntryToBatches(batches, batchEntries, entry) {
137
137
  locks: entry.locks,
138
138
  });
139
139
  }
140
+ /**
141
+ * mf:anchor core.verification.schedule-locks
142
+ * purpose: Order selected verification intents by command-effect locks and undeclared-write risk.
143
+ * search: verification schedule, command effects, locks, parallel eligible, undeclared writes
144
+ * invariant: Intents without explicit compatible effects or with recent undeclared writes stay serial-only.
145
+ * risk: config, state
146
+ */
140
147
  export function createVerificationSchedule(projectRoot, commandContract, candidates) {
141
148
  const latestUndeclaredWriteIntents = readLatestUndeclaredWriteIntents(projectRoot);
142
149
  const runnableIntents = uniqueSorted(candidates
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "mustflow",
3
- "version": "2.107.3",
3
+ "version": "2.107.9",
4
4
  "description": "Agent workflow documents and CLI for mustflow repository roots.",
5
5
  "type": "module",
6
6
  "license": "MIT-0",
package/schemas/README.md CHANGED
@@ -39,9 +39,9 @@ Current schemas:
39
39
  - `evidence-report.schema.json`: output of `mf evidence --changed --json`, containing verification
40
40
  requirements, risk-priced evidence assessment, latest bounded evidence, failure replay capsules,
41
41
  conflict ledgers, receipts, remaining risks, and gaps without running commands
42
- - `workspace-status.schema.json`: output of `mf workspace status --json`, containing configured
43
- workspace roots, discovered nested repositories, and per-root command-contract readiness without
44
- granting command authority
42
+ - `workspace-status.schema.json`: output of `mf workspace status --json` and
43
+ `mf workspace scan --json`, containing configured or ad hoc workspace roots, discovered nested
44
+ repositories, and per-root command-contract readiness without granting command authority
45
45
  - `workspace-command-catalog.schema.json`: output of `mf workspace command-catalog --json`,
46
46
  containing per-root command intent availability, safe `mf run` entrypoints, and no raw command
47
47
  strings
@@ -16,7 +16,7 @@
16
16
  ],
17
17
  "properties": {
18
18
  "schema_version": { "const": "1" },
19
- "command": { "const": "workspace status" },
19
+ "command": { "enum": ["workspace status", "workspace scan"] },
20
20
  "mustflow_root": { "type": "string" },
21
21
  "workspace": {
22
22
  "type": "object",
@@ -65,7 +65,9 @@
65
65
  "type": "array",
66
66
  "items": { "$ref": "#/$defs/repository" }
67
67
  },
68
- "issues": { "$ref": "#/$defs/stringArray" }
68
+ "issues": { "$ref": "#/$defs/stringArray" },
69
+ "projects_dir": { "type": "string" },
70
+ "next_actions": { "$ref": "#/$defs/stringArray" }
69
71
  },
70
72
  "$defs": {
71
73
  "stringArray": {
@@ -34,7 +34,7 @@ project_context = ".mustflow/context/PROJECT.md"
34
34
  output = "REPO_MAP.md"
35
35
  mode = "anchors_only"
36
36
  privacy = "minimal"
37
- include_nested = false
37
+ include_nested = true
38
38
  anchor_files = [
39
39
  "AGENTS.md",
40
40
  "REPO_MAP.md",
@@ -94,8 +94,8 @@ anchor_files = [
94
94
  ]
95
95
 
96
96
  [workspace]
97
- enabled = false
98
- roots = []
97
+ enabled = true
98
+ roots = ["projects"]
99
99
  max_depth = 4
100
100
  max_repositories = 50
101
101
  follow_symlinks = false
@@ -167,6 +167,12 @@ source_locale = "en"
167
167
  revision = 1
168
168
  translations = {}
169
169
 
170
+ [documents."skill.third-party-api-integration-review"]
171
+ source = "locales/en/.mustflow/skills/third-party-api-integration-review/SKILL.md"
172
+ source_locale = "en"
173
+ revision = 1
174
+ translations = {}
175
+
170
176
  [documents."skill.api-access-control-review"]
171
177
  source = "locales/en/.mustflow/skills/api-access-control-review/SKILL.md"
172
178
  source_locale = "en"
@@ -323,6 +329,12 @@ source_locale = "en"
323
329
  revision = 1
324
330
  translations = {}
325
331
 
332
+ [documents."skill.website-task-friction-review"]
333
+ source = "locales/en/.mustflow/skills/website-task-friction-review/SKILL.md"
334
+ source_locale = "en"
335
+ revision = 1
336
+ translations = {}
337
+
326
338
  [documents."skill.cache-integrity-review"]
327
339
  source = "locales/en/.mustflow/skills/cache-integrity-review/SKILL.md"
328
340
  source_locale = "en"
@@ -814,6 +826,12 @@ source_locale = "en"
814
826
  revision = 2
815
827
  translations = {}
816
828
 
829
+ [documents."skill.cli-option-contract-review"]
830
+ source = "locales/en/.mustflow/skills/cli-option-contract-review/SKILL.md"
831
+ source_locale = "en"
832
+ revision = 1
833
+ translations = {}
834
+
817
835
  [documents."skill.cli-output-contract-review"]
818
836
  source = "locales/en/.mustflow/skills/cli-output-contract-review/SKILL.md"
819
837
  source_locale = "en"
@@ -106,6 +106,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
106
106
  shapes, response shapes, pagination, idempotency, async jobs, versioning, deprecation, rate
107
107
  limits, retry rules, observability, or caller-facing docs need caller-ergonomics and misuse-risk
108
108
  review rather than only schema compatibility.
109
+ - Use `third-party-api-integration-review` as an adjunct when a third-party SDK or external API
110
+ integration needs production-readiness review for auth scopes, sandbox/production separation,
111
+ timeouts, retries, rate limits, idempotency, pagination, webhooks, provider error mapping,
112
+ SDK/API version drift, changelogs, migration guides, observability, or failure-path tests.
109
113
  - Use `http-api-semantics-review` as an adjunct when HTTP method choices, safe/idempotent/cacheable
110
114
  claims, GET/HEAD bodies, OPTIONS or Allow discovery, HTTP QUERY, POST versus PUT URI ownership,
111
115
  PUT replacement, PATCH document formats, DELETE behavior, conditional requests, status codes,
@@ -227,6 +231,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
227
231
  sort, Unicode normalization, grapheme-safe truncation, RTL or bidi text, font fallback, pseudo
228
232
  localization, SSR locale, fallback, backend error-code mapping, rich text, export, share, or
229
233
  notification surface review instead of a visible JSX text scan.
234
+ - Use `website-task-friction-review` as an adjunct when a public website, landing page, signup,
235
+ checkout, account, support, navigation, search, form, pricing, consent, or mobile web flow needs
236
+ review for user complaints such as slowness, popups, forced signup, confusing navigation,
237
+ hidden costs, vague errors, dark patterns, weak trust, or missing recovery paths.
230
238
  - Use `react-code-change` as a primary route when React, React DOM, React Server Components,
231
239
  Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent
232
240
  rendering, SSR streaming, resource hints, package metadata, or React-related tests are created,
@@ -595,6 +603,7 @@ routes. Event routes stay inactive until their event occurs.
595
603
  | Dependency, package, runtime, framework, tool, command, plugin, service, platform capability, supported-version policy, security patch path, ecosystem maturity claim, maintainer-risk assumption, runtime portability claim, edge or serverless compatibility claim, critical-path library choice, package script, lifecycle hook, binary download, lockfile, audit result, or supply-chain-sensitive dependency surface is assumed, added, removed, imported, invoked, installed, audited, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Assumed dependency or capability, declaration files, version or feature expectation, role criticality, supported-version or end-of-life evidence, patchability expectation, runtime compatibility boundary, maintainer and ecosystem evidence when available, lockfile entry, package script or lifecycle hook, audit or provenance evidence, and relevant command intents | Package metadata, lockfiles, imports, scripts, command contracts, docs, tests, runtime policy notes, portability notes, and reports | unavailable dependency, hallucinated or lookalike package, fragile single-maintainer core dependency, experimental technology in a survival path, unsupported runtime, unclear security patch path, runtime-specific API leakage into core logic, stale version claim, lifecycle script risk, audit suppression, lockfile drift, or install guidance mismatch | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency checked, ecosystem and maintainer-risk boundary reviewed, supported-version, patchability, and runtime-portability boundary reviewed, supply-chain surface reviewed, declarations synchronized, verification, and remaining dependency risk |
596
604
  | Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, TypeScript compiler-track references, Rust release or MSRV references, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, TypeScript compiler track or Rust MSRV/toolchain track when relevant, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, TypeScript RC/nightly/API-track confusion, Rust stable/nightly/MSRV confusion, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, TypeScript stable/RC/nightly/API-track and Rust stable/nightly/MSRV split when relevant, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
597
605
  | External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or volatile component implementations cross the core boundary or need stable port/adapter translation, change isolation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, change-isolation ledger, preserved consumer contract, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, caller churn from adapter-only changes, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, change-isolation ledger, preserved consumer contract, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
606
+ | Third-party SDK or external API integration, review, debugging, upgrade, webhook handling, auth scope change, sandbox or production setup, provider SDK version change, API version migration, rate-limit handling, retry policy, idempotency key usage, pagination, provider error mapping, request id logging, changelog review, deprecation response, or provider operational-readiness test needs production integration review | `.mustflow/skills/third-party-api-integration-review/SKILL.md` | Provider and SDK/API ledger, source-of-truth docs, auth and scope ledger, operation and side-effect ledger, webhook ledger, error and observability ledger, changelog or migration evidence, existing fakes or sandbox tests, and configured command intents | Provider adapters, wrappers, typed request and response models, error mappers, timeout and retry policies, rate-limit handling, idempotency key handling, pagination handling, webhook signature verification and dedupe, redacted observability, sandbox tests, fixtures, runbooks, migration notes, and directly synchronized docs or templates | demo-only integration, stale provider docs, SDK/API drift, sandbox-production mixup, hardcoded secret, overbroad scope, token refresh gap, missing timeout, infinite retry, retrying permanent errors, mutating retry without idempotency, per-attempt idempotency key, 429 retry storm, ignored Retry-After, offset pagination assumption, raw provider error leak, string-only provider error, missing request id, trusted webhook payload, JSON-parsed signature breakage, duplicate webhook side effect, event-order assumption, success redirect as proof, unhandled unknown provider outcome, dashboard-only setting, untested SDK upgrade, or happy-path-only sandbox test | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Third-party integration reviewed, provider source-of-truth and SDK/API version evidence, auth/environment/scope decisions, timeout/retry/rate-limit/idempotency/pagination decisions, webhook delivery and dedupe checks, error and observability mapping, tests or missing evidence, verification, and remaining provider operational risk |
598
607
  | Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, or WebView/native boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, and native boundary checked, verification, and remaining Tauri risk |
599
608
  | Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch, or packaging/signing drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Wails version/app/service/bridge/binding/window/event/menu/tray/dialog/platform packaging notes, verification, and remaining Wails risk |
600
609
  | File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
@@ -620,6 +629,7 @@ routes. Event routes stay inactive until their event occurs.
620
629
  | Frontend UI, design system component, dashboard, form, card, list, table, chart, media slot, modal, drawer, toast, bottom CTA, portal, or responsive surface needs stress-layout review against hostile content, narrow parent containers, async media, skeletons, empty or error states, permission variants, scrollbars, mobile viewport and keyboard behavior, safe areas, line clamps, i18n or RTL, touch input, reduced motion, observer loops, portal edge placement, z-index layers, browser zoom, cascade layers, or reproducible break conditions | `.mustflow/skills/frontend-stress-layout-review/SKILL.md` | User goal, current diff or target files, framework and styling signals, stress fixture ledger, parent container ledger, geometry contract ledger, interaction and state ledger, evidence level, and configured command intents | Stress fixtures, stories, tests, parent-container-aware constraints, container queries, `min-width: 0`, `minmax(0, 1fr)`, `overflow-wrap: anywhere`, reserved media dimensions, `aspect-ratio`, skeleton geometry, empty and error states, permission variants, stable scroll containers, `scrollbar-gutter: stable`, mobile viewport and keyboard constraints, `safe-area-inset-*`, explicit `line-height`, logical properties, touch-accessible affordances, `prefers-reduced-motion`, observer scope, portal placement, z-index tokens, table and chart stress handling, zoom-safe geometry, cascade layer fixes, and directly synchronized docs or templates | happy-path fixture blindness, parent-width overflow, flex or grid min-content blowout, unbroken text overflow, async media or font layout shift, skeleton mismatch, collapsed empty state, error-state overlap, permission action wrapping, late `display: none` layout jump, scrollbar width wrap, fragile `100vh`, keyboard-covered CTA, unsafe-area overlap, line-clamp/action collision, localization or RTL breakage, hover-only control, layout-affecting hover or animation, ResizeObserver loop, clipped portal, z-index arms race, unusable wide table, chart zero-width mount, browser zoom clipping, CSS specificity loss, or vague non-reproducible visual complaint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend stress layout reviewed, stress fixture and parent-container ledgers, reproducible break conditions, fixes or recommendation, evidence level, verification, and remaining stress-layout risk |
621
630
  | Frontend UI, design-system component, form, dialog, menu, tab, combobox, custom select, table, card, media, icon button, image, toast, live update, drag interaction, focus style, keyboard handler, `onClick`, `role`, `tabIndex`, `aria-*`, `alt`, hidden content, visually hidden text, or automated accessibility claim needs accessibility-tree review for native semantics, accessible names, visible label consistency, keyboard navigation, focus order and return, forms, errors, status messages, ARIA references, icon or image alternatives, custom widget contracts, non-text contrast, target size, drag alternatives, or a11y evidence limits | `.mustflow/skills/frontend-accessibility-tree-review/SKILL.md` | User goal, current diff or target files, framework and component-library signals, semantic ledger, keyboard ledger, assistive-technology ledger, form ledger, interaction ledger, evidence level, and configured command intents | Native HTML element selection, button/link semantics, `href` cleanup, keyboard parity, tabindex cleanup, focus-visible styling, obscured focus fixes, dialog focus management, icon-only accessible names, visible-label-aligned names, `aria-labelledby` and `aria-describedby` id references, `aria-hidden` cleanup, SVG icon defaults, image `alt`, label and fieldset wiring, `aria-invalid`, error descriptions, submit-failure focus, live regions, ARIA pattern keyboard behavior, custom select constraints, non-text contrast, target-size fixes, drag alternatives, focused tests, accessibility snapshots, and directly synchronized docs or templates | ARIA costume over broken semantics, clickable div, fake link, `href="#"`, missing Enter or Space behavior, tabIndex sprawl, positive tabindex, invisible focus, focus hidden behind sticky layers, modal focus leak, unnamed icon button, visible text fighting `aria-label`, broken `aria-labelledby`, interactive child hidden by `aria-hidden`, duplicate SVG announcement, useless image alt, placeholder-only field, missing legend, color-only error, disconnected error text, submit failure silence, unannounced async status, menu or combobox keyboard mismatch, unnecessary custom select, offscreen focus trap, non-text contrast failure, tiny pointer target, drag-only operation, axe-only proof, or accessibility-tree evidence gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend accessibility tree reviewed, semantic/keyboard/focus/name/form/status/widget evidence, findings, fixes or recommendation, automated-evidence limits, verification, and remaining accessibility-tree risk |
622
631
  | Frontend UI, product copy, forms, validation messages, empty states, toasts, dialogs, metadata, SEO or Open Graph text, charts, canvas, SVG text, emails, push notifications, share text, exports, downloads, PDFs, CSVs, calendar invites, translation keys, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, browser `confirm`, date/time/relative-time formatting, numbers, currency, units, search, sort, collation, Unicode normalization, grapheme truncation, RTL, bidirectional text, font fallback, pseudo localization, SSR locale, hydration, fallback, backend error-code mapping, or localized rich text needs localization review beyond visible JSX text | `.mustflow/skills/frontend-localization-review/SKILL.md` | User goal, current diff or target files, framework and i18n library signals, supported locale policy, string exposure ledger, message-shape ledger, format ledger, text-processing ledger, direction and layout ledger, runtime locale ledger, evidence level, and configured command intents | Message catalog wiring, full-sentence keys, named interpolation, context-specific messages, plural and zero handling, grammar-safe dynamic values, tone consistency, locale-aware formatters, display/storage value split, collation and search normalization, grapheme-safe truncation, RTL and `dir="auto"` handling, logical direction fixes, icon mirroring decisions, font fallback checks, pseudo-localization fixtures, SSR locale agreement, missing-key handling, backend error-code mapping, component interpolation for rich text, export and notification text coverage, focused tests, and directly synchronized docs or templates | visible-JSX-only scan, hardcoded placeholder or metadata, concatenated translation fragments, reused dictionary key, `Delete {item}` grammar trap, English-only plural, missing zero state, broken Korean particle or inflection, mixed tone, manual date string, time-zone shifted deadline, hydration relative-time mismatch, comma-only number format, locale-agnostic input parse, language/region/currency conflation, default `sort()`, unsafe lowercasing, accent or Unicode normalization miss, emoji-splitting `.length`, wrong ellipsis owner, RTL afterthought, missing `dir="auto"`, blanket icon mirroring, fixed-width translated button, missing glyph fallback, no pseudo localization, single-locale screenshot proof, server/client locale mismatch, silent English fallback, raw HTML in translations, raw backend prose, untranslated export, or static-only localization claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend localization reviewed, string exposure and message-shape ledgers, formatting/search/sort/RTL/SSR/export checks, fixes or recommendation, evidence level, verification, and remaining localization risk |
632
+ | Public website, landing page, marketing page, ecommerce page, signup flow, checkout flow, account page, support surface, navigation, search, form, cookie or consent surface, pricing page, mobile web surface, or conversion path is planned, edited, reviewed, or reported and common visitor complaints need website-task friction review | `.mustflow/skills/website-task-friction-review/SKILL.md` | Primary visitor task, target audience, entry point, completion point, changed route or surface, product constraints, pricing/account/support/privacy facts, likely devices, complaint evidence, and configured command intents | Website copy, navigation labels, page order, form fields, validation, error states, mobile layout, support links, trust disclosures, pricing visibility, consent behavior, recovery paths, focused tests, docs, templates, and reports | popup blocking first task, forced signup, hidden cost, confusing navigation, invisible search, mobile hover dependency, tiny target, vague error, lost form data, inaccessible task path, slow first interaction, weak trust, hard-to-find support, dark pattern, invented policy claim, or unverified conversion-ready claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Website task reviewed, entry and completion path, friction findings by severity, likely user complaint, cause, fix, acceptance test, focused checks, narrower skills used or recommended, verification, and remaining website task risk |
623
633
  | Frontend navigation flicker, theme flash, FOUC, hydration flash, blank first render, unstable loading shell, route transition jank, state loss across navigation, or first-paint instability is reported, created, edited, reviewed, or verified | `.mustflow/skills/frontend-render-stability/SKILL.md` | Symptom, affected routes, framework and version signals, root shell, links/router, theme init, root CSS, font/media loading, data-loading owner, and configured verification entries | Root HTML, layouts, router links/config, early theme scripts, root CSS, theme tokens, skeletons, hydration boundaries, route data loaders, directly tied tests, docs, and templates | masked full document reload, late theme application, hydration mismatch, client-only first data, loading layout shift, duplicate view-transition names, reduced-motion regression, or false visual proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `mustflow_check` | Symptom phase, evidence inspected, instability layer found or ruled out, framework-specific skills used, files changed, verification, skipped visual checks, and remaining render-stability risk |
624
634
  | User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, visual geometry, interaction flow, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, content stress cases, geometry-sensitive component facts, and command contract entries | UI controls, labels, states, layout constraints, geometry contracts, accessibility attributes, localization hooks, task-flow recovery, docs, templates, and reports | decorative UI drift, inaccessible controls, icon/text misalignment, overflow or layout breakage, missing empty/error/permission recovery, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, geometry/layout/accessibility/localization/recovery notes, skipped visual checks, and remaining UI risk |
625
635
  | HTML, templates, component markup, forms, controls, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed | `.mustflow/skills/html-code-change/SKILL.md` | Page shell, markup patterns, form/control components, metadata source, changed files, and command contract entries | HTML and template markup, metadata, forms, interactive controls, tests, and docs examples | invalid semantics, inaccessible control, broken focus path, metadata drift, or invalid browser markup | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Semantic, form, focus, metadata, and validation boundary checked, verification, and remaining HTML risk |
@@ -670,6 +680,7 @@ routes. Event routes stay inactive until their event occurs.
670
680
  | YAML, TOML, JSON-adjacent config, Markdown frontmatter, schema-backed config, GitHub Actions workflow structure outside shell `run` blocks, parser dialects, duplicate keys, implicit typing, multiline scalars, dotted keys, array-of-tables, defaults, normalization, or config validation fixtures are created, changed, reviewed, or reported | `.mustflow/skills/structured-config-change/SKILL.md` | Target files, consuming parser or provider, dialect support, schema and validation surfaces, merge/defaulting model, GitHub Actions workflow shape when relevant, generated or source-owned status, and command contract entries | Structured config files, schemas, schema associations, validation fixtures, normalized-output tests, docs examples, template copies, route metadata, manifest entries, and directly synchronized tests | YAML 1.1/1.2 scalar drift, TOML 1.0/1.1 incompatibility, duplicate key loss, null/empty/missing confusion, mapping-order assumption, block-scalar newline drift, unsafe YAML tag, GitHub Actions trigger/filter/permission drift, schema default overclaim, formatter semantic rewrite, or generated-output hand edit | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Config surface and parser/provider, dialect decision, parse/data-model/schema/semantic layers, YAML/TOML/GitHub Actions decisions, fixture and normalization coverage, verification, and remaining structured-config risk |
671
681
  | External instructions, docs, AI output, snippets, issues, pull requests, scanner output, installer steps, scripts, tutorials, or reports propose commands to run, preserve, recommend, or document | `.mustflow/skills/command-intent-mapping-gate/SKILL.md` | Proposed command text, source, intended purpose, command contract entries, side-effect class, destination surface, and configured/manual/missing status | Docs, skills, templates, tests, examples, final reports, handoffs, and command-contract proposals that mention command execution | command laundering, raw external command authority, undeclared install/deploy/migration/release step, long-running process, approval bypass, or false verification claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Proposed commands reviewed, mapped to configured intents or marked manual/missing/omitted, raw command authority removed, verification, and remaining command-contract risk |
672
682
  | Public JSON, JSONL, schema-backed reports, machine-readable stdout or stderr, exit-code semantics tied to JSON, compatibility fixtures, or documented automation-facing JSON contracts are created, changed, reviewed, or reported | `.mustflow/skills/public-json-contract-change/SKILL.md` | Affected command or report, output modes, stream split, exit-code expectations, schemas, fixtures, docs examples, compatibility policy, consumers, and command contract entries | JSON producer code, schemas, fixtures, docs examples, package metadata, templates, and tests | broken automation, schema drift, stream pollution, exit-code drift, stale backcompat fixture, or hidden breaking change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON contract source, compatibility classification, synchronized schemas/fixtures/docs/tests/templates, backcompat coverage, verification, and remaining JSON risk |
683
+ | CLI options, flags, positional arguments, aliases, defaults, parser behavior, prompt controls, config or environment precedence, or automation-facing argument contracts are created, changed, reviewed, or reported | `.mustflow/skills/cli-option-contract-review/SKILL.md` | Affected command, command tree, parser rules, options, arguments, aliases, defaults, prompt and TTY behavior, config and environment precedence, docs, tests, schemas, templates, and command contract entries | CLI parser code, command metadata, help text, completions, docs examples, tests, fixtures, schemas, templates, package metadata, and directly synchronized reports | short-flag collision, unsafe default, yes-force confusion, output path-format ambiguity, prompt hang, option terminator bug, config precedence drift, breaking rename, or untested parser edge case | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Options reviewed, role and naming decision, collision review, safety and non-interactive controls, parser edge cases, synchronized surfaces, verification, and remaining CLI-option risk |
673
684
  | CLI text output, JSON output, exit codes, error messages, warnings, deprecations, help text, command aliases, schema-backed reports, or automation-facing command behavior are created, changed, reviewed, or reported | `.mustflow/skills/cli-output-contract-review/SKILL.md` | Affected command, output modes, exit-code expectations, docs examples, schemas, fixtures, consumers, and command contract entries | CLI output code, schemas, fixtures, docs, README examples, package tests, templates, and reports | broken automation, misleading success, schema drift, undocumented deprecation, stale example, or incompatible output change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Output surfaces reviewed, status and exit-code semantics, synchronized schemas/docs/tests/templates, verification, and remaining CLI-output risk |
674
685
  | mustflow template install surfaces, template manifests, skill profiles, locale source files, init or update behavior, managed file lists, package inclusion, template command contracts, or source-to-template workflow copies are created, changed, reviewed, or reported | `.mustflow/skills/template-install-surface-sync/SKILL.md` | Changed files, intended installed behavior, source file, template copy, manifest entries, profile impact, locale policy, init/update tests, and intentional divergence rules | Source workflow files, canonical template copies, route metadata, manifest creates/profiles, locale metadata, init/update tests, package tests, and docs examples | source/template drift, blind command-contract copy, missing installed file, profile bloat, stale locale policy, broken update preview, or package omission | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Installed surface, must-match sync, intentional divergences, manifest/profile updates, locale/init/update/package checks, verification, and remaining template drift risk |
675
686
  | Dates, versions, counts, durations, limits, metrics, benchmarks, prices, percentages, or other numeric facts are created, edited, or reported | `.mustflow/skills/date-number-audit/SKILL.md` | Date or numeric fact, source of truth, dependent surfaces, precision expectation, and command contract entries | Numeric statements, metadata, tests, docs, templates, and reports | invented, stale, or mismatched numeric claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Audited values, source of truth, synchronized surfaces, skipped checks, and remaining numeric risk |
@@ -0,0 +1,147 @@
1
+ ---
2
+ mustflow_doc: skill.cli-option-contract-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: cli-option-contract-review
9
+ description: Apply this skill when CLI options, flags, positional arguments, aliases, defaults, parser behavior, prompt controls, config or environment precedence, or automation-facing argument contracts are created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.cli-option-contract-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - test_related
19
+ - docs_validate_fast
20
+ - test_release
21
+ - mustflow_check
22
+ ---
23
+
24
+ # CLI Option Contract Review
25
+
26
+ <!-- mustflow-section: purpose -->
27
+ ## Purpose
28
+
29
+ Preserve the contract between CLI syntax and the humans, scripts, CI jobs, shells, terminals, config files, and docs that depend on it.
30
+
31
+ CLI options are public API. A convenient flag can still be unsafe if it collides with existing shorthand, hides destructive behavior behind a vague name, prompts in CI, writes to stdout when scripts expect JSON, or turns a path, format, selector, or environment into an ambiguous value.
32
+
33
+ <!-- mustflow-section: use-when -->
34
+ ## Use When
35
+
36
+ - A command adds, removes, renames, aliases, deprecates, validates, or changes a flag, option, positional argument, variadic argument, default value, inherited global flag, or option parser rule.
37
+ - A task designs or reviews standard CLI controls such as dry-run, check, plan, diff, yes, force, confirm, no-input, interactive, verbose, quiet, debug, format, output, color, pager, progress, config, profile, env, timeout, retry, jobs, cache, stdin, token, endpoint, region, project, pagination, target, prune, rollback, or AI-agent permission flags.
38
+ - A command changes prompt behavior, TTY behavior, non-interactive behavior, CI behavior, option terminator support, repeated flags, boolean negation, duration or size parsing, path handling, glob handling, stdin handling, or list parsing.
39
+ - A final report claims that CLI options are safe, automatable, compatible, conventional, discoverable, or aligned with docs and tests.
40
+
41
+ <!-- mustflow-section: do-not-use-when -->
42
+ ## Do Not Use When
43
+
44
+ - The task changes only stdout, stderr, JSON fields, JSONL packets, exit codes, color rendering, progress output, warning text, error text, or help wording without changing option or argument semantics. Use `cli-output-contract-review`.
45
+ - The task changes only public JSON, JSONL, schema-backed reports, or machine-readable stdout and stderr contracts. Use `public-json-contract-change`.
46
+ - The task changes only `.mustflow/config/commands.toml` command intents or command authority. Use `command-contract-authoring`.
47
+ - The task changes only environment variables, secrets, config keys, feature flags, or runtime/build-time exposure. Use `config-env-change`.
48
+ - The task changes only docs prose that mentions an unchanged command syntax. Use the matching docs skill.
49
+
50
+ <!-- mustflow-section: required-inputs -->
51
+ ## Required Inputs
52
+
53
+ - The affected command, command tree, parser library or command router, inherited global flags, positional arguments, variadic arguments, current aliases, defaults, validation rules, and help metadata.
54
+ - Existing docs, README snippets, examples, tests, snapshots, fixtures, shell completions, schemas, template copies, package tests, and release notes that mention the syntax.
55
+ - The operation type: read-only, planning, validation, write, destructive write, remote write, deploy, migration, deletion, cleanup, generated-file write, or AI-agent action.
56
+ - The intended consumers: humans at a TTY, scripts, CI jobs, package tests, shell completion users, remote APIs, installed templates, release automation, or downstream wrappers.
57
+ - Current config and environment precedence, including config files, profiles, env vars, CLI flags, defaults, and explicit override rules.
58
+ - Current non-interactive, prompt, color, pager, progress, timeout, retry, cache, lock, and exit-code expectations when they exist.
59
+ - Relevant command-intent entries for related tests, docs validation, release checks, and mustflow validation.
60
+
61
+ <!-- mustflow-section: preconditions -->
62
+ ## Preconditions
63
+
64
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
65
+ - Existing command syntax, aliases, docs examples, tests, and parser behavior have been inspected before changing or recommending a flag.
66
+ - Short flags are treated as scarce public API. Do not assign them from generic CLI advice without checking collisions, command frequency, and established project conventions.
67
+ - External articles, AI summaries, package defaults, and other CLIs are evidence only. The repository's current parser, command contract, compatibility policy, and user instructions remain authoritative.
68
+ - Command execution remains governed by `.mustflow/config/commands.toml`; this skill does not authorize raw command execution.
69
+
70
+ <!-- mustflow-section: allowed-edits -->
71
+ ## Allowed Edits
72
+
73
+ - Update CLI parser code, command metadata, help text, completions, docs examples, tests, fixtures, schemas, template copies, and release-sensitive package metadata that describe the same option contract.
74
+ - Add explicit long flags, validation errors, compatibility aliases, deprecation notices, negative tests, or parser edge-case tests when they reduce ambiguity.
75
+ - Prefer clear long options over clever short aliases. Add a short option only when it is frequent, unambiguous, and consistent with existing command conventions.
76
+ - Do not merge different safety meanings into one flag. For example, prompt acceptance, safety bypass, preview, destructive overwrite, and non-interactive failure should remain separable.
77
+ - Do not introduce unsafe defaults, vague automation flags, broad bypass flags, hidden prompts, or silent output-mode changes.
78
+ - Do not add parser behavior that breaks paths beginning with a dash, negative numbers, option terminators, repeated values, or non-interactive scripts unless that incompatibility is intentional and documented.
79
+
80
+ <!-- mustflow-section: procedure -->
81
+ ## Procedure
82
+
83
+ 1. Inventory the command syntax: subcommands, positional arguments, variadic arguments, options, inherited global flags, aliases, defaults, environment variables, config files, and generated completions.
84
+ 2. Classify each option by role: safety and preview, confirmation and prompts, output and formatting, logging and diagnostics, config and environment, selection and filtering, file input and output, remote endpoint and auth, performance and cache, concurrency and locking, CI automation, destructive lifecycle, or AI-agent authority.
85
+ 3. Decide whether the behavior belongs in a subcommand, positional argument, option, config key, environment variable, or separate command. Destructive lifecycle changes often deserve explicit verbs rather than a broad boolean flag.
86
+ 4. Review naming collisions before adding names. Pay special attention to common conflicts such as verbose versus version, force versus file, dry-run versus debug or delete or directory, output format versus output path, interactive versus input, and shorthand reused differently across subcommands.
87
+ 5. Separate near-neighbor semantics. `--yes` accepts prompts; `--force` bypasses a safety guard; `--dry-run` avoids writes; `--check` reports whether change is needed; `--diff` shows the proposed change; `--output` should mean a destination only if format uses another name such as `--format`.
88
+ 6. Prefer explicit paired controls for risky workflows: dry-run, plan, diff, check, validate, no-input, confirm, yes, force, no-clobber, overwrite, backup, rollback, atomic, lock-timeout, fail-fast, and continue-on-error.
89
+ 7. Check non-interactive behavior. Prompts should be TTY-only; `--no-input` should fail instead of waiting; CI-oriented paths should be compatible with quiet, JSON, no-color, no-progress, no-pager, timeout, wait, and detailed exit-code behavior when the repository supports those controls.
90
+ 8. Check human and machine output interaction. If an option changes output format, route machine-readable results and diagnostics consistently, and use `cli-output-contract-review` or `public-json-contract-change` for the output contract details.
91
+ 9. Define config and environment precedence. Document and test whether CLI flags override environment variables, profiles, config files, defaults, and inline `--set` style overrides.
92
+ 10. Review parser edge cases: `--` option terminator, paths beginning with `-`, negative numbers, repeated flags, comma-separated lists versus repeated values, boolean negation with `--no-*`, optional values, duration and size units, shell quoting, globs, symlinks, hidden files, recursive flags, and stdin markers.
93
+ 11. Check file and generation behavior. Separate input path, output path, output directory, create-dirs, overwrite, no-clobber, backup, atomic write, recursive traversal, hidden files, symlink following, ignore files, and validation-only modes.
94
+ 12. Check remote and SaaS behavior when relevant. Separate endpoint URL, region, account, project, token source, token stdin, CA or proxy settings, connect timeout, read timeout, pagination, query filters, and retries.
95
+ 13. Check infra or deploy behavior when relevant. Separate plan, apply, refresh, target, replace, prune, rollback, lock, lock-timeout, wait, parallelism, and detailed-exit-code semantics.
96
+ 14. Check AI-agent behavior when relevant. Separate model, prompt source, context include or exclude, max files, max bytes, write permissions, command permissions, network permissions, approval policy, checkpoint, dry-run, diff, and apply.
97
+ 15. Preserve compatibility. For renamed or split flags, consider aliases, deprecation warnings, migration help, and tests before removing old syntax. Treat breaking option removals, changed defaults, changed prompt behavior, and changed parser grammar as public API changes.
98
+ 16. Synchronize every surface that teaches or consumes the syntax: parser code, help text, completions, docs, README, examples, tests, fixtures, schemas, templates, package metadata, and release notes when applicable.
99
+ 17. Verify with the narrowest configured related tests first, then docs, release, template, and mustflow checks when syntax, docs, profiles, templates, or package metadata changed.
100
+
101
+ <!-- mustflow-section: postconditions -->
102
+ ## Postconditions
103
+
104
+ - Option names, aliases, defaults, parser behavior, config precedence, prompt behavior, and non-interactive behavior are explicit and synchronized.
105
+ - Short flags have a documented reason or are omitted in favor of clear long flags.
106
+ - Destructive, write, preview, confirmation, force, and non-interactive controls are not conflated.
107
+ - Automation-facing use has stable output-mode, no-prompt, no-color, no-progress, no-pager, timeout, retry, and exit-code behavior when relevant.
108
+ - Parser edge cases are covered by tests or reported as remaining risk.
109
+
110
+ <!-- mustflow-section: verification -->
111
+ ## Verification
112
+
113
+ Use configured oneshot command intents when available:
114
+
115
+ - `changes_status`
116
+ - `changes_diff_summary`
117
+ - `test_related`
118
+ - `docs_validate_fast`
119
+ - `test_release`
120
+ - `mustflow_check`
121
+
122
+ Use broader configured tests when option parsing is cross-cutting or no narrower related test covers the syntax.
123
+
124
+ <!-- mustflow-section: failure-handling -->
125
+ ## Failure Handling
126
+
127
+ - If an option name conflicts with existing syntax, keep the old contract and choose a clearer long option unless a breaking change is intentionally routed through compatibility and versioning.
128
+ - If a parser edge case cannot be verified directly, add focused coverage or report the missing coverage before claiming safety.
129
+ - If docs, help text, completions, or templates cannot be synchronized in the same change, avoid claiming the option contract is installed or documented.
130
+ - If non-interactive behavior is unclear, default to failing safely rather than prompting, writing, deleting, or assuming consent.
131
+ - If an external recommendation conflicts with repository conventions, document the rejected recommendation and the repository-specific reason.
132
+ - If a breaking option change is intentional, route the version impact through the repository versioning policy and report affected consumers.
133
+
134
+ <!-- mustflow-section: output-format -->
135
+ ## Output Format
136
+
137
+ - CLI command and options reviewed
138
+ - Option role classification and naming decision
139
+ - Short and long flag collision review
140
+ - Safety, preview, destructive, prompt, and non-interactive controls
141
+ - Parser edge cases checked or reported missing
142
+ - Config and environment precedence
143
+ - Human, machine, CI, color, pager, progress, timeout, retry, and exit-code interaction
144
+ - Docs, help, completions, tests, schemas, templates, and package metadata synchronized
145
+ - Command intents run
146
+ - Skipped checks and reasons
147
+ - Remaining CLI-option contract risk
@@ -60,6 +60,12 @@ route_type = "primary"
60
60
  priority = 68
61
61
  applies_to_reasons = ["docs_change", "mustflow_docs_change", "mustflow_config_change", "package_metadata_change", "security_change", "release_risk", "unknown_change"]
62
62
 
63
+ [routes."cli-option-contract-review"]
64
+ category = "workflow_contracts"
65
+ route_type = "primary"
66
+ priority = 66
67
+ applies_to_reasons = ["public_api_change", "behavior_change", "docs_change", "test_change", "package_metadata_change", "release_risk"]
68
+
63
69
  [routes."cli-output-contract-review"]
64
70
  category = "workflow_contracts"
65
71
  route_type = "adjunct"
@@ -216,6 +222,12 @@ route_type = "adjunct"
216
222
  priority = 69
217
223
  applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change"]
218
224
 
225
+ [routes."third-party-api-integration-review"]
226
+ category = "data_external"
227
+ route_type = "adjunct"
228
+ priority = 82
229
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
230
+
219
231
  [routes."http-api-semantics-review"]
220
232
  category = "general_code"
221
233
  route_type = "adjunct"
@@ -966,6 +978,12 @@ route_type = "adjunct"
966
978
  priority = 84
967
979
  applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "i18n_change", "web_asset_change"]
968
980
 
981
+ [routes."website-task-friction-review"]
982
+ category = "ui_assets"
983
+ route_type = "adjunct"
984
+ priority = 83
985
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "performance_change", "security_change", "privacy_change", "public_api_change", "web_asset_change", "release_risk"]
986
+
969
987
  [routes."frontend-render-stability"]
970
988
  category = "ui_assets"
971
989
  route_type = "primary"
@@ -0,0 +1,188 @@
1
+ ---
2
+ mustflow_doc: skill.third-party-api-integration-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: third-party-api-integration-review
9
+ description: Apply this skill when integrating, reviewing, debugging, or upgrading a third-party SDK or external API service, including authentication, scopes, sandbox versus production behavior, request timeouts, retries, rate limits, idempotency, pagination, webhooks, SDK/API drift, provider error mapping, changelogs, deprecations, migration guides, observability, or production-readiness tests.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.third-party-api-integration-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - test_audit
23
+ - docs_validate_fast
24
+ - test_release
25
+ - mustflow_check
26
+ ---
27
+
28
+ # Third-Party API Integration Review
29
+
30
+ <!-- mustflow-section: purpose -->
31
+ ## Purpose
32
+
33
+ Make third-party SDK and API integrations production-safe instead of merely making the first demo call succeed.
34
+
35
+ Developers usually suffer when provider complexity is pushed into the consuming product: unclear auth scopes, stale docs, SDK/API mismatch, opaque errors, rate limits, unsafe retries, duplicate webhooks, undocumented version drift, and missing recovery evidence. This skill turns those failure paths into explicit design and test requirements.
36
+
37
+ <!-- mustflow-section: use-when -->
38
+ ## Use When
39
+
40
+ - A product calls, wraps, replaces, upgrades, or removes a third-party SDK, external REST/GraphQL/RPC API, hosted auth provider, payment provider, messaging provider, storage provider, analytics provider, AI provider, search provider, CRM, email/SMS/push provider, geocoding provider, or SaaS integration.
41
+ - Code handles provider authentication, authorization scopes, refresh tokens, tenant or organization ids, sandbox/production environments, API keys, service accounts, or webhook signing secrets.
42
+ - Code implements or reviews provider request timeouts, retry policy, rate-limit handling, pagination, idempotency keys, webhook event handling, provider error mapping, request ids, logs, metrics, traces, or dead-letter/replay behavior.
43
+ - A provider SDK version, API version, changelog, migration guide, deprecation notice, webhook payload, response shape, error shape, pagination model, or rate-limit policy changes.
44
+ - Integration tests, fakes, fixtures, docs, runbooks, or recovery tools must prove the integration handles unhappy paths.
45
+
46
+ <!-- mustflow-section: do-not-use-when -->
47
+ ## Do Not Use When
48
+
49
+ - The API is owned by the same repository or organization and the task is primarily public contract design; use `api-contract-change`, `api-misuse-resistance-review`, or `http-api-semantics-review`.
50
+ - The only question is where to place the provider boundary or how to hide provider types from core logic; use `adapter-boundary` first, then return here for provider operational behavior.
51
+ - The task is only a rate-limit implementation, retry loop, idempotency mechanism, queue consumer, or payment ledger change with no third-party provider integration; use the narrower integrity skill.
52
+ - The task is a one-off local script that is not production, repeated, automated, or connected to customer, money, entitlement, privacy, or operational state.
53
+
54
+ <!-- mustflow-section: required-inputs -->
55
+ ## Required Inputs
56
+
57
+ - Provider name, SDK package and version, API version, environment, endpoint or event names, and whether the integration is inbound, outbound, or both.
58
+ - Source-of-truth ledger: provider reference docs, OpenAPI or schema files, SDK docs, changelog, migration guide, status page or incident notes when relevant, and local wrapper or adapter patterns.
59
+ - Auth ledger: credential source, secret storage boundary, auth flow, token lifetime, refresh behavior, scopes, tenant or organization binding, sandbox/production separation, and failure behavior for 401 versus 403.
60
+ - Operation ledger: reads, writes, mutating operations, money or entitlement effects, external side effects, pagination model, idempotency support, rate limits, retryability, unknown-outcome recovery, and rollback or reconciliation path.
61
+ - Webhook ledger when inbound events exist: signature verification, raw-body requirement, event id, duplicate policy, ordering assumptions, retry behavior, ack timing, async processing, replay tooling, and retention.
62
+ - Error and observability ledger: provider error codes, HTTP statuses, request id, retry-after or reset headers, local error taxonomy, redaction policy, logs, metrics, traces, alerts, and support diagnostics.
63
+ - Existing tests, fakes, sandbox credentials policy, fixtures, runbooks, and command-intent entries for verification.
64
+
65
+ <!-- mustflow-section: preconditions -->
66
+ ## Preconditions
67
+
68
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
69
+ - Secrets, credentials, tokens, webhook secrets, customer payloads, and provider console output are treated as sensitive. Do not copy them into code, fixtures, docs, logs, test output, or final reports.
70
+ - If provider docs and SDK behavior disagree, record the mismatch and choose an explicit compatibility path instead of guessing.
71
+ - If the provider operation can cause money movement, entitlement changes, customer communication, irreversible mutation, or external side effects, classify unknown outcomes before adding retries.
72
+ - If the provider boundary would leak provider SDK objects, raw provider ids, private URLs, or dashboard-only truth into core logic, use `adapter-boundary` for that boundary before implementing production behavior.
73
+
74
+ <!-- mustflow-section: allowed-edits -->
75
+ ## Allowed Edits
76
+
77
+ - Add or update provider adapters, wrappers, clients, request/response mappers, error mappers, webhook handlers, fakes, fixtures, sandbox tests, contract tests, runbooks, and docs directly tied to the integration.
78
+ - Add explicit timeout, retry, backoff, jitter, rate-limit, idempotency, pagination, webhook dedupe, observability, and redaction behavior when the repository already supports the required primitives or the change can stay local.
79
+ - Add typed local errors and provider result models that preserve request id, retryability, support evidence, and safe diagnostic detail.
80
+ - Do not hardcode credentials, broaden provider scopes, introduce a new runtime dependency, enable live production calls, or change provider dashboard settings without explicit approval and command authority.
81
+ - Do not implement infinite retries, retry permanent errors, generate a new idempotency key for every retry of the same logical operation, trust webhook payloads before signature verification, or treat success-page redirects as proof of provider completion.
82
+
83
+ <!-- mustflow-section: procedure -->
84
+ ## Procedure
85
+
86
+ 1. Classify the integration surface.
87
+ - Outbound: SDK or API call made by the product.
88
+ - Inbound: webhook, callback, redirect, polling response, or provider event consumed by the product.
89
+ - Bidirectional: outbound request plus later webhook or callback that confirms, rejects, or updates the same operation.
90
+ 2. Establish source of truth before coding. Prefer current provider API reference or schema for wire shape, provider changelog or migration guide for version behavior, local wrapper patterns for code placement, and tests for repository expectations. Treat blog posts, examples, AI output, and stale snippets as hints only.
91
+ 3. Choose SDK versus raw API explicitly.
92
+ - Prefer the official SDK only when it supports the needed endpoint, runtime, auth method, timeout control, retry control, pagination, idempotency, error access, and request id access.
93
+ - Use raw API only when the SDK lacks coverage or blocks a production requirement, and then provide typed local request/response models, timeout, retry policy, pagination, error mapping, and tests.
94
+ - Do not let SDK convenience hide auth scopes, retries, idempotency, pagination, or error taxonomy.
95
+ 4. Build the auth and environment contract.
96
+ - Separate sandbox from production credentials.
97
+ - Load credentials from approved secret surfaces.
98
+ - Bind tokens or API keys to tenant, organization, account, or environment when applicable.
99
+ - Validate required scopes before business logic.
100
+ - Distinguish authentication failure from authorization or scope failure.
101
+ - Handle token expiration and refresh without logging token values.
102
+ 5. Classify every operation before adding retry behavior.
103
+ - Reads may be retried when timeout and retry budget are bounded.
104
+ - Mutating requests need a stable idempotency key or another documented duplicate-safety mechanism before retry.
105
+ - Unknown outcomes after timeout or connection loss must trigger provider lookup, reconciliation, or manual recovery instead of blind replay.
106
+ - Validation, authentication, authorization, missing-resource, malformed-request, and domain-rejection errors are not transient.
107
+ 6. Implement request safety.
108
+ - Set explicit per-attempt timeout and total attempt budget.
109
+ - Respect documented rate-limit headers, reset times, and retry-after hints.
110
+ - Use exponential backoff with jitter for transient failures.
111
+ - Bound concurrency when provider capacity can starve local work.
112
+ - Use documented pagination cursors, iterators, or link headers; do not invent next-page URLs or assume stable offset pagination unless the provider promises it.
113
+ 7. Implement provider error mapping.
114
+ - Map provider status, code, message, field errors, request id, retryability, and endpoint into local typed errors.
115
+ - Preserve enough detail for support without logging secrets, full customer payloads, raw tokens, or payment data.
116
+ - Make rate-limit, auth, validation, provider outage, timeout, and unknown-outcome errors distinguishable to callers.
117
+ - Keep provider error classes and SDK response objects out of core logic.
118
+ 8. Implement webhook and callback safety when events exist.
119
+ - Verify signature using the raw body when the provider requires it.
120
+ - Acknowledge quickly and move expensive work to an internal queue or use case when possible.
121
+ - Store event id or delivery id before side effects.
122
+ - Deduplicate repeated events and return safe success for already-processed duplicates.
123
+ - Do not assume events arrive once, in order, immediately, or only after the user-facing redirect.
124
+ - Make handlers idempotent and add replay or dead-letter handling when failures need recovery.
125
+ 9. Handle SDK/API version drift.
126
+ - Check changelog and migration guide before SDK or API version upgrades.
127
+ - Identify breaking changes in auth, endpoint paths, request fields, response fields, error shape, pagination, rate limits, idempotency, webhook payloads, and retry behavior.
128
+ - Keep old and new behavior side by side when migration risk is high.
129
+ - Add compatibility tests before replacing production behavior.
130
+ 10. Add observability that helps support without leaking data.
131
+ - Record local operation id, provider request id, endpoint or event name, retry attempt count, final provider status category, retry-after timing, idempotency key hash or local operation id, and redacted error code.
132
+ - Add metrics or logs for rate-limit hits, retries exhausted, webhook duplicates, invalid signatures, unknown outcomes, SDK version, and migration path when local patterns support them.
133
+ - Avoid raw provider payload dumps in logs and fixtures.
134
+ 11. Test failure paths, not only the first successful call.
135
+ - Cover auth failure, scope failure, validation failure, timeout, transient 5xx, rate limit, retry exhaustion, idempotent duplicate request, pagination continuation, SDK error mapping, webhook invalid signature, webhook duplicate event, webhook out-of-order event when relevant, and version-upgrade fixture compatibility.
136
+ - Prefer fakes or sandbox tests unless the repository has explicit live-provider test authority.
137
+ - Do not mark the integration complete when only the happy path is tested.
138
+ 12. Report provider ambiguity honestly. Name undocumented behavior, doc/SDK mismatch, skipped live checks, missing sandbox evidence, manual console steps, missing idempotency support, missing webhook replay tooling, and remaining operational risk.
139
+
140
+ <!-- mustflow-section: postconditions -->
141
+ ## Postconditions
142
+
143
+ - The integration has explicit auth, environment, timeout, retry, rate-limit, idempotency, pagination, webhook, error, observability, version, and test decisions.
144
+ - Provider-specific behavior is contained at the integration boundary or explicitly classified as a public contract.
145
+ - Failure paths and recovery states are tested, faked, documented, or reported as missing evidence.
146
+ - Secrets and sensitive provider data are not copied into code, fixtures, logs, docs, or reports.
147
+
148
+ <!-- mustflow-section: verification -->
149
+ ## Verification
150
+
151
+ Use configured oneshot command intents when available:
152
+
153
+ - `changes_status`
154
+ - `changes_diff_summary`
155
+ - `lint`
156
+ - `build`
157
+ - `test_related`
158
+ - `test`
159
+ - `test_audit`
160
+ - `docs_validate_fast`
161
+ - `test_release`
162
+ - `mustflow_check`
163
+
164
+ Use the narrowest configured tests that cover the changed provider adapter, webhook handler, error mapping, retry behavior, idempotency behavior, SDK version migration, and docs or template surfaces touched.
165
+
166
+ <!-- mustflow-section: failure-handling -->
167
+ ## Failure Handling
168
+
169
+ - If provider docs are missing or contradictory, stop relying on inferred behavior and report the mismatch with the safest local fallback.
170
+ - If mutating operations lack idempotency support, avoid automatic retry and require reconciliation or manual recovery for unknown outcomes.
171
+ - If webhook signatures cannot be verified with current framework parsing, fix the raw-body handling before trusting the event.
172
+ - If tests would require live production credentials, skip them and report the missing configured sandbox or fake instead of using real credentials.
173
+ - If SDK retry behavior is implicit or unconfigurable, wrap or disable it when local retry budgets must be enforced.
174
+ - If a provider dashboard setting is required, document it as manual or config-owned evidence; do not claim code alone enforces it.
175
+
176
+ <!-- mustflow-section: output-format -->
177
+ ## Output Format
178
+
179
+ - Third-party provider and SDK/API surface reviewed
180
+ - Source-of-truth docs, SDK version, changelog, and migration evidence checked
181
+ - Auth, environment, scope, and secret boundary decisions
182
+ - Timeout, retry, rate-limit, idempotency, pagination, and unknown-outcome decisions
183
+ - Webhook or callback delivery, signature, dedupe, ordering, and replay decisions
184
+ - Error mapping, observability, redaction, and support diagnostics
185
+ - Tests added, reused, skipped, or missing for happy and unhappy paths
186
+ - Command intents run
187
+ - Skipped checks and reasons
188
+ - Remaining provider, SDK drift, documentation, sandbox, or operational risk