mustflow 2.107.3 → 2.108.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/README.md +1 -0
  2. package/dist/cli/commands/init.js +49 -1
  3. package/dist/cli/commands/run/execution.js +7 -0
  4. package/dist/cli/commands/run/executor.js +7 -0
  5. package/dist/cli/commands/verify.js +14 -0
  6. package/dist/cli/commands/workspace.js +106 -16
  7. package/dist/cli/i18n/en.js +6 -1
  8. package/dist/cli/i18n/es.js +6 -1
  9. package/dist/cli/i18n/fr.js +6 -1
  10. package/dist/cli/i18n/hi.js +6 -1
  11. package/dist/cli/i18n/ko.js +6 -1
  12. package/dist/cli/i18n/zh.js +6 -1
  13. package/dist/cli/index.js +8 -0
  14. package/dist/cli/lib/agent-context.js +7 -0
  15. package/dist/cli/lib/repo-map.js +14 -0
  16. package/dist/cli/lib/run-plan.js +7 -0
  17. package/dist/core/change-verification.js +7 -0
  18. package/dist/core/verification-scheduler.js +7 -0
  19. package/package.json +1 -1
  20. package/schemas/README.md +3 -3
  21. package/schemas/workspace-status.schema.json +4 -2
  22. package/templates/default/common/.mustflow/config/mustflow.toml +3 -3
  23. package/templates/default/i18n.toml +61 -7
  24. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
  25. package/templates/default/locales/en/.mustflow/skills/INDEX.md +51 -5
  26. package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
  27. package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
  28. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
  29. package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
  30. package/templates/default/locales/en/.mustflow/skills/cli-option-contract-review/SKILL.md +147 -0
  31. package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
  32. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
  33. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
  34. package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
  35. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
  36. package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
  37. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
  38. package/templates/default/locales/en/.mustflow/skills/routes.toml +54 -0
  39. package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
  40. package/templates/default/locales/en/.mustflow/skills/third-party-api-integration-review/SKILL.md +188 -0
  41. package/templates/default/locales/en/.mustflow/skills/website-task-friction-review/SKILL.md +139 -0
  42. package/templates/default/manifest.toml +60 -1
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skills.index
3
3
  locale: en
4
4
  canonical: true
5
- revision: 200
5
+ revision: 206
6
6
  authority: router
7
7
  lifecycle: mustflow-owned
8
8
  ---
@@ -57,6 +57,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
57
57
  broad code changes need a repository-evidence pass for symptom-only fixes, pinpoint
58
58
  hardcoding, same-defect-class siblings, duplicate helpers or shapes, hidden coupling,
59
59
  public-surface drift, swallowed errors, excessive complexity, and weak tests.
60
+ - Use `ai-product-readiness-review` as a primary route when an AI product feature, AI Gateway,
61
+ provider/model integration, prompt/RAG/tool path, AI cache, fallback path, streaming path,
62
+ eval gate, user-data flow, model registry, observability surface, or model portability plan
63
+ needs end-to-end product readiness review before narrower prompt, cost, latency, agent,
64
+ privacy, cache, or UX skills take over.
60
65
  - Use `prompt-contract-quality-review` as a primary route when prompts, prompt builders,
61
66
  RAG assembly, structured outputs, tool-use instructions, model settings, eval fixtures,
62
67
  refusal states, or agent completion definitions need prompt-as-function review for
@@ -76,6 +81,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
76
81
  agents, agentic workflows, planners, executors, verifiers, tool contracts, tool-call gates,
77
82
  approval or interrupt flows, durable agent state, handoffs, guardrails, loop budgets, retry
78
83
  classification, trace evaluation, or outcome metrics need execution-control review.
84
+ - Use `browser-automation-reliability-review` as a primary route when browser automation,
85
+ UI automation, Playwright, Selenium, Puppeteer, WebDriver, browser-driving agents, flaky
86
+ selectors, page readiness, auth state, CAPTCHA or anti-bot handling, rate limits, screenshot
87
+ verification, retry, timeout, human approval, or browser automation observability needs
88
+ reliability review before narrower agent, auth, API, frontend, or test-suite skills take over.
79
89
  - Use `agent-eval-integrity-review` as a primary route when agent evaluation loops, trace or
80
90
  trajectory grading, LLM judges, outcome scoring, eval datasets, golden or dirty sets, pass@k or
81
91
  pass^k metrics, shadow environments, production-monitoring-to-eval feedback, or agent regression
@@ -91,6 +101,11 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
91
101
  settlement, discount, inventory, notification, subscription, visibility, eligibility, report, or
92
102
  tenant rules may be enforced in only one UI, controller, query, mapper, batch, webhook, cache,
93
103
  admin tool, support path, or report instead of a shared rule owner.
104
+ - Use `small-service-platform-architecture-review` as a primary route when a multi-product
105
+ platform, app factory, shared account portal, Product Registry, entitlement and credit platform,
106
+ deployment factory, analytics spine, common UI, template system, or operations automation must
107
+ support many small product apps before specialist auth, payment, admin, notification,
108
+ localization, deployment, AI, file, queue, or service-boundary skills take over.
94
109
  - Use `payment-integrity-review` as an adjunct when payment, checkout, authorization, capture,
95
110
  refund, subscription, provider webhook, fulfillment, entitlement, ledger, coupon, inventory,
96
111
  settlement, dispute, chargeback, or payment-provider integration code needs money-event integrity
@@ -102,10 +117,19 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
102
117
  reconciliation jobs need ledger integrity review for idempotency, atomic balance changes,
103
118
  concurrency, ordering, ownership, amount precision, policy snapshots, expiry lots, audit, or
104
119
  reconciliation risk.
120
+ - Use `notification-delivery-integrity-review` as an adjunct when notification generation, email,
121
+ push, SMS, in-app inboxes, unsubscribe, suppression, digest, quiet hours, timezone scheduling,
122
+ provider webhooks, delivery attempts, templates, or notification audit logs need delivery
123
+ lifecycle review across source events, intents, schedules, channels, provider outcomes, consent,
124
+ dedupe, retry, and explainability.
105
125
  - Use `api-misuse-resistance-review` as an adjunct when APIs, SDKs, service methods, DTOs, request
106
126
  shapes, response shapes, pagination, idempotency, async jobs, versioning, deprecation, rate
107
127
  limits, retry rules, observability, or caller-facing docs need caller-ergonomics and misuse-risk
108
128
  review rather than only schema compatibility.
129
+ - Use `third-party-api-integration-review` as an adjunct when a third-party SDK or external API
130
+ integration needs production-readiness review for auth scopes, sandbox/production separation,
131
+ timeouts, retries, rate limits, idempotency, pagination, webhooks, provider error mapping,
132
+ SDK/API version drift, changelogs, migration guides, observability, or failure-path tests.
109
133
  - Use `http-api-semantics-review` as an adjunct when HTTP method choices, safe/idempotent/cacheable
110
134
  claims, GET/HEAD bodies, OPTIONS or Allow discovery, HTTP QUERY, POST versus PUT URI ownership,
111
135
  PUT replacement, PATCH document formats, DELETE behavior, conditional requests, status codes,
@@ -115,6 +139,10 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
115
139
  object, property, or function authorization, tenant isolation, request-supplied identity,
116
140
  mass assignment, signed URLs, queue revalidation, webhook ownership, token/session hardening,
117
141
  account enumeration, automation defense, or denial-case coverage.
142
+ - Use `admin-control-plane-safety-review` as an adjunct when admin panels, backoffice tools,
143
+ support consoles, operator dashboards, staff APIs, audit logs, change history, impersonation,
144
+ dangerous actions, approvals, exports, imports, bulk operations, admin search or filters,
145
+ production guardrails, PII masking, admin sessions, or MFA need control-plane safety review.
118
146
  - Use `file-upload-security-review` as an adjunct when file uploads, imports, attachments,
119
147
  direct-to-storage uploads, remote file fetches, archive extraction, previews, thumbnails,
120
148
  conversions, scanner gates, storage keys, signed URLs, downloads, browser headers, or uploaded
@@ -221,12 +249,21 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
221
249
  focus order or return, dialog, form, error, live region, ARIA, hidden content, icon, image alt,
222
250
  custom widget, non-text contrast, target size, drag alternative, or automated a11y evidence
223
251
  review instead of an "ARIA attributes exist" checklist.
252
+ - Use `frontend-component-library-review` as an adjunct when a frontend component library, design
253
+ system package, UI kit, token system, primitive layer, variant API, theming surface, package
254
+ exports, Storybook or docs contract, visual regression suite, codemod, SemVer policy, or
255
+ breaking-change plan needs public API platform review before narrower accessibility, state,
256
+ layout, localization, bundle, or framework skills take over.
224
257
  - Use `frontend-localization-review` as an adjunct when frontend localization needs all
225
258
  user-visible strings, message catalogs, full-sentence translation units, interpolation, plural
226
259
  and zero cases, grammar or particles, tone, date/time/number/currency/unit formatting, search,
227
260
  sort, Unicode normalization, grapheme-safe truncation, RTL or bidi text, font fallback, pseudo
228
261
  localization, SSR locale, fallback, backend error-code mapping, rich text, export, share, or
229
262
  notification surface review instead of a visible JSX text scan.
263
+ - Use `website-task-friction-review` as an adjunct when a public website, landing page, signup,
264
+ checkout, account, support, navigation, search, form, pricing, consent, or mobile web flow needs
265
+ review for user complaints such as slowness, popups, forced signup, confusing navigation,
266
+ hidden costs, vague errors, dark patterns, weak trust, or missing recovery paths.
230
267
  - Use `react-code-change` as a primary route when React, React DOM, React Server Components,
231
268
  Server Actions, React Compiler, Hooks, Suspense, Actions, forms, refs, context, concurrent
232
269
  rendering, SSR streaming, resource hints, package metadata, or React-related tests are created,
@@ -469,18 +506,21 @@ routes. Event routes stay inactive until their event occurs.
469
506
  | Large-scope code, docs, tests, content, log, data, or refactor work needs cheap-signal candidate selection before reading or editing many files | `.mustflow/skills/heuristic-candidate-selection/SKILL.md` | User goal, target scope, file-role boundaries, cheap signals, exclusions, scoring factors, batch limit, and verification contract | Candidate discovery, scoring, read plan, bounded batch edits, and directly synchronized surfaces | token waste, false positives, generated-file noise, unimportant cleanup, hallucinated source content, oversized diff, or missed high-impact file | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Selection goal, excluded surfaces, cheap signals, scored candidates, selected batch, skipped/deferred files, verification, and remaining selection risk |
470
507
  | Assistant-authored, AI-generated, vibe-coded, copied, or broad code changes need a hardening pass for symptom-only fixes, pinpoint hardcoding, exact-value branches, same-defect-class sibling inputs or callers, duplicate helpers, duplicate types or shapes, hidden coupling, circular dependencies, re-export discipline, swallowed errors, excessive nesting, god functions or files, edge cases, and behavior-focused tests | `.mustflow/skills/ai-generated-code-hardening/SKILL.md` | User goal, current diff or target files, reported symptom or failing fixture, existing helpers/types/shapes, sibling inputs or callers, import and export paths, public entrypoints or barrels, error-handling conventions, edge/failure cases, tests, and configured command intents | Small hardening fixes, defect-class rule repair, deduplication into existing single source of truth, boundary notes, focused tests, and directly synchronized docs or contracts | symptom-only patch, pinpoint hardcode, exact literal fixture fix, uninspected sibling input, duplicate abstraction, hidden coupling, circular dependency, accidental public API, string-only tests, over-mocking, fallback sprawl, silent error handling, fan-in/fan-out concentration, or broad rewrite | `changes_status`, `changes_diff_summary`, `test_related`, `test_audit`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sources of truth reused or extended, symptom patch and same-class sibling findings, duplicate/coupling/export/error/complexity/test findings, fixes made, deferred enforcement, verification, and remaining hardening risk |
471
508
  | Quality metrics, line-count limits, complexity budgets, lint/type/test gates, or assistant-authored changes may be gamed through long-line stuffing, multiple statements per line, new suppressions, test bypass markers, type escapes, placeholder implementations, generated/vendor logic, giant config blobs, dispatch maps, or helper/util/manager/common containers | `.mustflow/skills/quality-gaming-guard/SKILL.md` | User goal, intended quality outcome behind the metric, current diff, quality gates, formatter/lint/type/test rules, generated/vendor policy, helper naming conventions, suppression baseline, and command contract entries | Real responsibility split, removal of gaming patterns, focused tests or quality-gate evidence, bounded `quality_gaming_check` command contract, and directly synchronized docs or templates | cosmetic metric compliance, line stuffing, validation suppression, test bypass, broad type escape, placeholder success, generated/vendor hiding, junk-drawer helper extraction, or legacy baseline confused with new regression | `quality_gaming_check`, `changes_status`, `changes_diff_summary`, `test_related`, `lint`, `build`, `mustflow_check` | Quality goal, gaming patterns inspected, patterns removed or intentionally left, baseline versus new-regression decision, verification, and remaining quality-gaming risk |
509
+ | AI product features, AI Gateways, provider/model integrations, prompt/RAG/tool paths, AI caches, fallback paths, streaming paths, evaluation gates, user-data flows, model registries, AI observability, incident runbooks, or model portability plans are created, changed, reviewed, or reported before the risk is narrow enough for one specialist LLM skill | `.mustflow/skills/ai-product-readiness-review/SKILL.md` | Product role ledger, harm model, gateway ledger, authority and action ledger, data ledger, cost and cache ledger, eval ledger, fallback and streaming ledger, model portability ledger, observability ledger, changed files, and command contract entries | AI Gateway boundaries, provider adapters, model registries, prompt registries, policy engines, tool proposal gates, quota guards, token budgets, cache keys, redaction, retry and fallback states, streaming validators, eval fixtures, observability fields, incident runbooks, tests, docs, route metadata, and directly synchronized templates | model-as-product shortcut, automatic high-risk decision, direct client provider call, prompt-only security, RAG permission leak, unvalidated model output, missing policy engine, cost budget gap, app cache tenant leak, eval theater, fallback-as-second-model, partial streaming disclosure, raw AI log retention, scattered model names, stale provider assumption, or missing kill switch | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `prompt_cache_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | AI product-readiness surface reviewed, AI role and harm model, gateway and policy boundaries, prompt-injection/data/output/permission/side-effect controls, cost/cache/eval/fallback/streaming/observability/model-portability decisions, specialist skills applied or deferred, verification, and remaining AI product-readiness risk |
472
510
  | Prompts, prompt builders, system or developer messages, RAG prompt assembly, few-shot examples, structured outputs, tool-use instructions, model selection, reasoning-effort settings, eval sets, refusal or fallback handling, prompt versioning, or AI feature completion criteria are created, changed, reviewed, or reported | `.mustflow/skills/prompt-contract-quality-review/SKILL.md` | Prompt contract ledger, input ledger, authority ledger, output schema, tool policy, model/runtime ledger, RAG evidence ledger, eval ledger, changed files, and command contract entries | Prompt builders, prompt templates, schemas, validators, eval fixtures, boundary examples, tool policies, fallback states, completion definitions, docs, tests, and directly synchronized templates | prompt-as-function gap, user input treated as authority, buried RAG evidence, happy-path-only examples, JSON-parse theater, unpinned production model, hidden prompt storage, raw chain-of-thought request, guessed tool parameters, missing failure state, unbounded reasoning/token cost, or vibe-based prompt improvement claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Prompt contract reviewed, function boundary, authority and source separation, eval and semantic validation status, model/runtime policy, RAG/tool/failure/completion states, verification, and remaining prompt-contract risk |
473
511
  | LLM answers, RAG responses, citations, source grounding, claim extraction, evidence IDs, answerability states, abstain behavior, retrieval thresholds, tool-backed facts, output validators, LLM judges, or hallucination-control metrics are created, changed, reviewed, or reported | `.mustflow/skills/llm-hallucination-control-review/SKILL.md` | Answer contract ledger, evidence ledger, claim ledger, tool ledger, validator ledger, eval ledger, observability ledger, changed files, and command contract entries | Answerability states, abstain states, missing-information states, source-coverage gates, claim maps, evidence-ID requirements, citation validators, retrieval thresholds, chunk metadata, tool-parameter ownership, deterministic calculators, domain validators, eval fixtures, tests, docs, route metadata, and directly synchronized templates | unsupported factual claim, fabricated citation, source ID invention, weak retrieval gate, noisy semantic-only retrieval, chunk context loss, summary-on-summary hallucination, guessed tool parameter, model arithmetic, source-priority conflict, LLM judge overtrust, low-temperature theater, missing abstain path, missing dirty eval, false citation metric gap, or unobservable grounding drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Hallucination-control surface reviewed, answerability and abstain states, evidence IDs, claim map, citations, source coverage, validators, retrieval thresholds, tool ownership, evals, metrics, verification, and remaining hallucination-control risk |
474
512
  | RAG, knowledge-base answer, grounded chat, citation answer, retrieval-augmented support bot, or document QA flow is wrong, stale, unsupported, slow, leaking data, over-refusing, or not yet localized to ingestion, parsing, chunking, retrieval, filtering, reranking, context assembly, prompt construction, generation, citation validation, or answerability boundaries | `.mustflow/skills/rag-pipeline-triage/SKILL.md` | Symptom classification, trace ledger, source ledger, comparison ledger, eval ledger, privacy ledger, changed files, and command contract entries | End-to-end trace preservation, source availability and parsed-text checks, chunk metadata, duplicate and stale source checks, no-retrieval/current-context/gold-context comparison, keyword/vector/hybrid/retriever/reranker/context/prompt/generation/citation/answerability localization, safe synthetic fixtures, metrics, docs, and directly synchronized templates | model scapegoating, tuning top-k before source proof, original-document theater while parsed text is broken, stale source mixing, filter blamed as vector failure, reranker candidate starvation, critical evidence truncated or buried, retrieved text treated as instruction, citation decoration, answerability missing state, private corpus dump, access filter bypass, or single satisfaction score hiding layer failure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | RAG pipeline triaged, localized boundary, trace/source/comparison/eval/metric/privacy ledgers, layer findings, fix or recommendation, evidence level, verification, and remaining RAG pipeline risk |
475
513
  | LLM API calls, prompt assembly, chat history, RAG context, tool schemas, structured output schemas, model routing, reasoning settings, token budgets, provider prompt caching, app-level response caching, retries, batch or flex processing, predicted outputs, image or file inputs, or LLM cost metrics are created, changed, reviewed, or reported | `.mustflow/skills/llm-token-cost-control-review/SKILL.md` | Cost surface ledger, request ledger, cache ledger, context ledger, output ledger, routing ledger, observability ledger, changed files, and command contract entries | Request builders, prompt prefix ordering, canonical serialization, prompt hashes, cache keys, token counters, budget guards, model routers, context trimming, RAG packing, tool and schema payloads, output patch formats, retry repair paths, metrics, logs, tests, docs, route metadata, and directly synchronized templates | prompt-cache prefix drift, volatile field before stable prefix, unmeasured token count, full transcript replay, RAG chunk bloat, oversized tool or JSON schema payload, expensive model default, unbounded reasoning, no visible output after token cap, full-output regeneration, full-context retry replay, app cache key leak, predicted-output cost confusion, image or file token surprise, or per-call cost hiding cost-per-success regression | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `prompt_cache_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM token-cost surface reviewed, cost unit and measurement source, stable prefix and cache behavior, app cache/history/RAG/tool/schema/input choices, routing/reasoning/output/retry/Batch/Flex/prediction choices, observability, verification, and remaining token-cost risk |
476
514
  | LLM response latency, time to first token, first useful output, streaming, output length, LLM round trips, tool-call wait, prompt-cache latency, model routing, speculative or parallel execution, realtime continuation, priority tiers, predicted outputs, or user-perceived AI speed are created, changed, reviewed, or reported | `.mustflow/skills/llm-response-latency-review/SKILL.md` | Latency target ledger, request timeline ledger, call graph ledger, output ledger, cache ledger, routing ledger, observability ledger, changed files, and command contract entries | Streaming paths, first-useful-output contracts, request timeline metrics, call graph simplification, parallel or speculative work, model routers, fallback cascades, output caps, schema shortening, prompt-cache prefix ordering, cache keys, realtime continuation, priority-tier routing, timeout and cancellation behavior, tests, docs, route metadata, and directly synchronized templates | slow first token, useless streamed preamble, extra sequential LLM round trip, tool wait blocking first output, cache-prefix drift, unmeasured cache miss, verbose output drift, long JSON key or enum overhead, RAG chunk bloat, router escalation loop, prediction-token mismatch, priority-tier misuse, unsafe speculative work, missing cancellation, or raw prompt telemetry leak | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | LLM response-latency surface reviewed, latency unit and request timeline, round trips, parallel/tool/stream/cancel behavior, output/schema/cache/history/RAG/routing/fallback/prediction/realtime/priority choices, observability, verification, and remaining response-latency risk |
477
515
  | Autonomous or semi-autonomous LLM agents, agentic workflows, planners, executors, verifiers, tool contracts, tool-call gates, human approval or interrupt flows, durable agent state, handoffs, guardrails, loop budgets, retry policies, trace evaluation, or agent outcome metrics are created, changed, reviewed, or reported | `.mustflow/skills/agent-execution-control-review/SKILL.md` | Autonomy ledger, stage gate ledger, role separation ledger, tool contract ledger, effect ledger, state and resume ledger, memory and context ledger, handoff and guardrail ledger, loop, retry, and budget ledger, trace and eval outcome ledger, changed files, and command contract entries | Workflow-versus-agent routing, stage gates, planner/executor/verifier boundaries, tool contracts, tool argument ownership, draft/execute separation, idempotency keys, approval records, durable checkpoints, state schema versions, memory partitions, handoff filters, guardrails, loop budgets, retry classification, trace spans, eval fixtures, tests, docs, route metadata, and directly synchronized templates | unnecessary autonomous agent, one model self-certifying success, ungated bad plan, ambiguous tool contract, guessed tool argument, relative-path trap, external effect before approval, missing idempotency key, interrupt replay side effect, stale state schema, over-shared handoff, misplaced guardrail, repeated tool loop, blind retry, final-answer-only eval, or unsafe trace data | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Agent execution-control surface reviewed, workflow-versus-agent decision, autonomy envelope, stage gates, role separation, tool contracts, approval and side-effect replay safety, state/resume/memory/handoff/guardrail/loop/retry/trace/eval checks, verification, and remaining agent execution-control risk |
516
+ | Browser automation, UI automation, Playwright, Selenium, Puppeteer, WebDriver, computer-use or browser-driving agents, visual browser verification, flaky selectors, page readiness, authentication state, CAPTCHA or anti-bot handling, rate limits, screenshot checks, retry, timeout, human approval, or browser automation observability is created, changed, reviewed, triaged, or reported | `.mustflow/skills/browser-automation-reliability-review/SKILL.md` | Automation intent ledger, state ledger, readiness ledger, selector and action ledger, auth and identity ledger, external pressure ledger, verification ledger, agent and approval ledger, changed files, and command contract entries | Browser automation state machines, locator contracts, test IDs, accessible names, readiness assertions, frame and popup handlers, input verification, auth fixtures, per-worker account isolation, retry classification, timeout hierarchy, idempotency checks, rate-limit handling, approval gates, manual fallback states, traces, screenshots, redaction, cleanup, tests, docs, route metadata, and directly synchronized templates | sleep-as-readiness, `networkidle` faith, flaky selector string patch, hidden duplicate DOM, skeleton-as-content, stale element handle, force-click default, shared mutable account, CAPTCHA bypass, anti-bot evasion, retry storm, non-idempotent replay, timeout layer mismatch, screenshot-as-business-proof, unredacted trace data, page prompt injection, stale approval resume, coordinate click drift, or unverified browser success claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Browser automation surface reviewed, browser-versus-API boundary, automation owner, state/readiness/locator/actionability/auth/rate-limit/retry/timeout/idempotency decisions, screenshot and business-success evidence, agent page-content trust, approval and resume checks, verification, and remaining browser automation reliability risk |
478
517
  | Agent evaluation loops, trace or trajectory grading, LLM judges, verifier agents, outcome scoring, tool-call prechecks or postchecks, eval datasets, golden or dirty sets, pass@k or pass^k metrics, shadow environments, production-monitoring-to-eval pipelines, or agent regression gates are created, changed, reviewed, or reported | `.mustflow/skills/agent-eval-integrity-review/SKILL.md` | Outcome ledger, trace ledger, oracle ledger, tool-boundary ledger, dataset ledger, metric ledger, environment ledger, monitoring ledger, privacy ledger, changed files, and command contract entries | Outcome oracles, trace schemas, trajectory graders, deterministic checkers, model-judge rubrics, human-review sampling, tool prechecks and postchecks, tool-result evidence packets, eval fixtures, golden and dirty sets, shadow-environment adapters, monitoring-to-eval candidate flows, tests, docs, route metadata, and directly synchronized templates | final-answer-only scoring, LLM judge as sole oracle, reasoning claim treated as evidence, self-reflection certifying success, missing final environment state, ungraded unsafe trajectory, missing tool precheck or postcheck, brittle exact tool-order assertion, uncalibrated judge drift, pass@k masking unreliable pass^k, dirty set gating flakiness, raw trace data leak, or production failure not entering evals | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Agent eval-integrity surface reviewed, outcome oracle, final-state and trajectory checks, deterministic/model/human oracle split, tool boundary evidence, golden/dirty/capability/regression metrics, shadow environment, monitoring-to-eval loop, trace privacy, verification, and remaining agent eval-integrity risk |
479
518
  | Code review or implementation needs module-boundary triage for change spread, co-change clusters, data ownership, policy ownership, failure ownership, import direction, circular dependencies, DTO leakage, shared/common/utils growth, mock-heavy tests, repeated policy conditions, enum interpretation, repository business logic, anemic domain, domain-to-I/O leakage, transaction boundary mismatch, technical event names, public module API bloat, caller sequencing, premature common helpers, bug/fix distance, config ownership, log responsibility, exception translation, cache invalidation ownership, repeated authorization checks, frontend/backend policy leakage, time policy, batch or worker bypass, or temporary-code accumulation | `.mustflow/skills/module-boundary-review/SKILL.md` | Change reason, changed-file spread, co-change evidence, module graph evidence, ownership evidence, test evidence, and configured command intents | Policy ownership, DTO boundaries, mapper boundaries, module public APIs, import direction, config injection, exception translation, cache invalidation ownership, authorization checks, event facts, worker entrypoints, focused tests, and directly synchronized docs or templates | layer-name theater, role-sliced files that always change together, lower-level modules knowing high-level policy, circular dependency, DTO infection, ownerless shared helper, broad noun module, mock-heavy rule tests, copied policy condition, enum rule scatter, repository-owned business rule, service-only domain, domain I/O coupling, cross-owner transaction, table-change event, exposed internals, caller order dependency, unsafe reuse, repeated temporary branch, bug/fix distance, config chaos, misleading logs, leaked provider or DB errors, stale cache owner drift, copied auth checks, frontend reconstructing backend policy, inconsistent time rules, worker bypass, or random capability loss when a module is removed | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Module boundary reviewed, change-spread and co-change evidence, owner and import findings, boundary fixes or recommendation, evidence level, verification, and remaining module-boundary risk |
480
519
  | Code review or implementation needs change-blast-radius triage for maintainability risk from unpredictable next-change spread, historical co-change spread, one change reason scattered across files, multiple change reasons in one file, controller workflow leakage, junk-drawer service names, boolean mode flags, trash-can option objects, scattered domain rules, scattered authorization, hidden state transitions, direct time or randomness, unclear transaction boundaries, external API and DB coupling, retry without idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branches in the core path, DTO/entity/view model mixing, ambiguous nullable values, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstractions, premature DRY, hidden ordering dependency, invisible event contracts, migration/runtime compatibility, or hard-to-delete features | `.mustflow/skills/change-blast-radius-review/SKILL.md` | User goal, current diff or target files, change-reason ledger, historical co-change ledger, blast-radius ledger, ownership ledger, deleteability ledger, test and operations evidence, and configured command intents | Policy ownership, workflow boundaries, explicit modes, option-object narrowing, authorization owner, state-transition owner, transaction and retry/idempotency boundaries, cache truth boundary, config and tenant variation isolation, legacy adapters, DTO mapping ownership, result types, traceable logs, behavior-focused tests, event contracts, migration compatibility notes, and directly synchronized docs or templates | clean-code theater, unpredictable edit spread, repeated cross-repo co-change, unrelated reasons in one file, controller as boss, junk-drawer service, boolean maze, option combinatorics, copied policy, copied auth, scattered status writes, hidden time or random, partial data after failure, duplicate side effect, stale cache authority, untested flag product, hardcoded customer branch, legacy core pollution, object-language mixing, nullable ambiguity, false success, useless logs, brittle process tests, five-mock class, decorative interface, wrong DRY, order-sensitive line shuffle, ghost event coupling, deploy gamble, or feature that cannot be deleted cleanly | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Change blast radius reviewed, next likely change and owner, historical co-change evidence, spread and deletion path, maintainability findings, fixes or recommendation, verification, and remaining change-spread risk |
481
520
  | Code review or implementation needs business-rule-leakage triage for money, permission, ownership, state, settlement, discount, coupon, refund, inventory, notification, subscription, visibility, eligibility, expiry, price, tax, fee, points, reports, tenant scope, UI-only guards, controller eligibility checks, direct status assignment, query predicates as policy, list/detail scope mismatch, admin path bypass, batch hidden policy, tests at the wrong layer, duplicated business constants, date or timezone policy drift, ambiguous `isActive` or `canUse`, authentication/authorization/eligibility mixing, ownership boundary drift, broad update DTOs, PATCH null semantics, mapper logic, default-value drift, misleading error messages, swallowed business failures, transaction/action mismatch, event timing, duplicate requests, webhook trust, out-of-order events, cache-as-rule, search index drift, report or settlement SQL, public text drift, or other bypass entrances | `.mustflow/skills/business-rule-leakage-review/SKILL.md` | User goal, current diff or target files, rule ledger, entrypoint ledger, enforcement ledger, consistency ledger, state/transaction/event/idempotency/default/error evidence, and configured command intents | Shared policy/domain/application/database rule owner, server-side enforcement, reusable query scopes, list/detail consistency, update field restrictions, PATCH intent models, mechanical mappers, default ownership, visible failures, transaction and event boundaries, idempotency, webhook verification, search/detail rechecks, report calculation owners, focused tests, and directly synchronized docs or templates | clean code with leaked money rule, client-only rule, controller judge, scattered status assignment, missing query predicate, URL detail bypass, admin bypass, batch bypass, misplaced test, magic policy number, timezone cutoff drift, vague helper meaning, auth/eligibility blur, user-vs-tenant ownership hole, mass update, PATCH null corruption, mapper policy, default mismatch, error-text lie, false success, half-committed business action, pre-commit event, duplicate refund or coupon use, trusted webhook, stale event transition, wrong cache viewer, dead search result, settlement query drift, support macro drift, or uninspected entrypoint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Business rule leakage reviewed, source of truth and entrypoints, enforcement and bypass findings, consistency notes, fixes or recommendation, verification, and remaining rule-leakage risk |
482
- | Payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment session, payment link, payment-provider integration, admin manual payment change, payment log, PCI-sensitive data handling, or payment-related test needs payment-integrity triage for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, idempotency, ledger, reconciliation, or audit risk | `.mustflow/skills/payment-integrity-review/SKILL.md` | User goal, current diff or target files, money-event ledger, provider interaction ledger, state-transition ledger, idempotency and uniqueness ledger, amount and currency ledger, ownership ledger, fulfillment and entitlement ledger, webhook and retry ledger, audit and sensitive-data ledger, existing tests, and configured command intents | Payment state machines, server-side amount calculation, minor-unit money handling, object ownership checks, idempotency keys, provider ID uniqueness, webhook raw-body signature verification, webhook event dedupe, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinctions, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and payment-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates | paid-boolean shortcut, client-trusted amount, wrong-owner order/payment/refund/subscription ID, amount drift, float money math, missing idempotency, per-retry UUID idempotency, missing provider uniqueness, duplicate webhook, out-of-order webhook, JSON-parsed webhook signature breakage, disabled webhook signature, success-page-as-proof, double fulfillment, async payment premature fulfillment, authorized-treated-as-captured, double refund, missing dispute handling, subscription period-only active check, inventory oversell, coupon double spend or lost coupon, timeout-treated-as-failure, blind retry, mutable ledger, card data logging, test/live secret mix, unaudited admin override, stale payment API, or happy-path-only payment tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Payment integrity reviewed, money-event/provider/state/idempotency/amount/ownership/fulfillment/webhook/audit map, findings, fixes or recommendation, nightmare-path evidence, verification, and remaining payment-integrity risk |
521
+ | Payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, credit note, receipt, tax document, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, payout, chargeback, dispute, fraud review, card testing, provider webhook, payment session, payment link, payment-provider integration, admin manual payment change, payment log, PCI-sensitive data handling, or payment-related test needs payment-integrity triage for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, idempotency, ledger, reconciliation, or audit risk | `.mustflow/skills/payment-integrity-review/SKILL.md` | User goal, current diff or target files, money-event ledger, provider interaction ledger, state-transition ledger, idempotency and uniqueness ledger, amount and currency ledger, invoice/receipt/tax ledger, dispute and fraud ledger, ownership ledger, fulfillment and entitlement ledger, webhook and retry ledger, audit and sensitive-data ledger, existing tests, and configured command intents | Payment state machines, server-side amount calculation, invoice and line-item snapshots, minor-unit money handling, tax snapshots and reversals, receipt delivery tracking, object ownership checks, idempotency keys, provider ID uniqueness, webhook raw-body signature verification, webhook event dedupe, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinctions, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, payout reconciliation, append-only ledgers, secret and payment-data redaction, fraud and card-testing defenses, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates | paid-boolean shortcut, client-trusted amount, wrong-owner order/payment/refund/subscription ID, amount drift, float money math, missing idempotency, per-retry UUID idempotency, missing provider uniqueness, duplicate webhook, out-of-order webhook, JSON-parsed webhook signature breakage, disabled webhook signature, success-page-as-proof, double fulfillment, async payment premature fulfillment, authorized-treated-as-captured, double refund, missing refund-dispute collision policy, missing tax reversal, receipt delivery gap, chargeback evidence gap, subscription period-only active check, inventory oversell, coupon double spend or lost coupon, timeout-treated-as-failure, blind retry, mutable ledger, payout-as-revenue confusion, card testing exposure, card data logging, test/live secret mix, unaudited admin override, stale payment API, or happy-path-only payment tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Payment integrity reviewed, money-event/provider/state/idempotency/amount/invoice/receipt/tax/ownership/fulfillment/webhook/dispute/fraud/payout/audit map, findings, fixes or recommendation, nightmare-path evidence, verification, and remaining payment-integrity risk |
483
522
  | Credit, point, wallet balance, reward point, prepaid credit, usage credit, bonus credit, loyalty point, stored-value balance, balance deduction, accrual, refund, reversal, expiration, reservation, capture, release, admin adjustment, transfer, ledger table, balance cache, reconciliation job, settlement report, or credit-related test needs credit-ledger-integrity triage for ledger identity, idempotency, atomic balance changes, concurrency, ordering, ownership, amount precision, rounding, policy snapshots, expiry lots, reservation state, failure recovery, audit evidence, or reconciliation risk | `.mustflow/skills/credit-ledger-integrity-review/SKILL.md` | User goal, current diff or target files, balance surface ledger, ledger-entry ledger, source identity ledger, atomicity ledger, amount and unit ledger, ownership ledger, expiry and lot ledger, reservation ledger, queue and cache ledger, audit and reconciliation ledger, existing tests, and configured command intents | Ledger-entry models, source identifiers, idempotency comparison, conditional balance updates, database constraints, transaction boundaries, row-lock targets, optimistic-lock retry classification, amount validation, rounding policy, non-negative invariants, refund and reversal modeling, partial-use handling, expiry lot allocation, reservation/capture/release transitions, queue idempotency and ordering, cache invalidation, replica-read routing, admin adjustment audit trails, reconciliation checks, evidence logs, focused concurrency and failure tests, and directly synchronized docs or templates | mutable-balance-only path, missing source key, weak idempotency comparison, read-then-update subtraction, unchecked affected rows, split transaction, wrong lock target, optimistic retry double-spend, float credit math, hidden rounding rule, negative or zero amount abuse, app-only non-negative promise, missing unique ledger key, generic balance increase refund, partial refund blind spot, expiry lot loss, expiry batch race, missing reservation state, arbitrary status update, queue reorder damage, duplicate consumer delivery, cache-trusted deduction, replica stale balance, unaudited admin adjustment, request-body wallet ownership, current-price recalculation, missing policy snapshot, no failure injection, no balance-vs-ledger reconciliation, vague deduction log, or happy-path-only credit tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Credit ledger integrity reviewed, balance/ledger/source/atomicity/amount/ownership/expiry/reservation/queue/cache/audit/reconciliation map, findings, fixes or recommendation, nightmare-path evidence, verification, and remaining credit-ledger integrity risk |
523
+ | Notification generation, email, push, SMS, in-app inbox, digest, reminder, campaign, announcement, marketing message, transactional message, security alert, receipt, legal notice, notification preference, unsubscribe, suppression, quiet hours, timezone schedule, provider webhook, delivery attempt, notification template, or notification audit work needs notification-delivery triage for duplicate, late, suppressed, unsubscribed, wrong-channel, quiet-hours, timezone, retry, provider-webhook, hard-bounce, complaint, invalid-token, fallback, or audit risk | `.mustflow/skills/notification-delivery-integrity-review/SKILL.md` | User goal, current diff or target files, notification event ledger, notification intent ledger, recipient/channel/category ledger, preference and legal policy ledger, suppression ledger, schedule/timezone/quiet-hours/digest ledger, delivery job and attempt ledger, provider event ledger, in-app inbox ledger, audit/security/privacy/operations ledger, existing tests, and configured command intents | Source event and outbox records, notification intent records, preference snapshots, final pre-send rechecks, suppression records, schedule records, timezone-safe recurring intent, quiet-hours behavior, digest records, delivery jobs, delivery attempts, provider event receipts, provider webhook signature and dedupe handling, in-app inbox state, semantic dedupe keys, queue priority, retry classification, template snapshots, redacted audit logs, campaign dry run/sample/canary/ramp-up/kill-switch controls, focused hostile-path tests, and directly synchronized docs or templates | sendNotification shortcut, global opt-out, marketing consent bypass, provider acceptance treated as delivery, missing outbox, stale recipient scope, hard bounce ignored, complaint ignored, one-click unsubscribe missing, link-scanner mutation, stale push token, logout token leak, collapse key misuse, lockscreen data leak, in-app inbox count drift, mark_all_read_before race, semantic dedupe key missing, aggregation hidden as dedupe, digest window drift, quiet-hours delayed blast, timezone DST bug, provider limit starvation, unknown provider outcome blind retry, poison notification loop, provider webhook signature or dedupe gap, template render-time leak, account deletion pending-send leak, fallback spam, dry-run/sample/canary gap, no why-sent or why-suppressed audit, or happy-path-only notification tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Notification delivery reviewed, source-event/intent/recipient/preference/suppression/schedule/digest/delivery/provider/inbox/audit map, findings, fixes or recommendation, hostile-path evidence, verification, and remaining notification-delivery risk |
484
524
  | Code review or implementation needs api-misuse-resistance triage for APIs, SDKs, function boundaries, service methods, endpoints, command methods, DTOs, request shapes, response shapes, operation names, call ordering, lifecycle setup, boolean parameters, option bags, null or empty semantics, internal table leakage, string-only errors, success-only failure models, idempotency, pagination, sorting, filtering, authorization shape, status mutation, PATCH command buses, time formats, money amounts, open enums, async jobs, bulk partial failures, cacheability, response size, overfragmented calls, internal/external API mixing, version policy, deprecation telemetry, rate limits, retry hints, observability, SDK ergonomics, or caller contract tests | `.mustflow/skills/api-misuse-resistance-review/SKILL.md` | User goal, current diff or target files, caller ledger, operation ledger, shape ledger, compatibility evidence, existing style, and configured command intents | Operation-centered names, explicit lifecycle or builder boundaries, named options or split operations, narrowed option bags, explicit absence and PATCH semantics, public DTO mapping, stable errors, idempotency metadata, cursor stability, auth-specific operations, command-shaped state changes, time and money units, unknown enum handling, job resources, item-level bulk results, cache and rate-limit hints, observability fields, SDK examples, focused tests, and directly synchronized docs or templates | implementation-leaking name, hidden state machine, boolean riddle, trash-can options, null folklore, DB schema frozen as API, string-only error, success-only design, duplicate side effect, moving-list pagination, random default order, hidden permission mode, illegal status transition, PATCH-as-command bus, timezone ambiguity, floating money, closed external enum, fake synchronous completion, erased partial failure, uncacheable expensive read, all-in-one payload bloat, frontend-as-backend call graph, internal/external contract blur, decorative version number, unmeasured deprecation, retry-hostile rate limit, untraceable operation, awkward SDK, happy-path-only contract test, or first-time caller trap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | API misuse resistance reviewed, caller and operation ledgers, shape and contract findings, fixes or recommendation, compatibility notes, verification, and remaining caller-misuse risk |
485
525
  | Code review or implementation needs error-message-integrity triage for error text, error codes, validation messages, parse failures, API or CLI error envelopes, public user messages, internal logs, structured diagnostics, exception wrapping, provider errors, retryable flags, idempotency errors, queue or batch failures, partial failures, permission errors, conflict errors, impossible-state errors, support IDs, redaction, stable machine fields, monitoring fields, or troubleshooting text | `.mustflow/skills/error-message-integrity-review/SKILL.md` | User goal, current diff or target files, error audience ledger, error contract ledger, disclosure ledger, recovery ledger, and configured command intents | Stable error codes, expected/actual fields, failed-operation context, reasons, safe identifiers, public/internal message split, redaction, retryability, idempotency metadata, provider metadata, parse positions, range bounds, conflict facts, partial-failure summaries, structured log fields, focused tests, and directly synchronized docs or templates | empty failed label, invalid-value fog, missing action, result repeated as cause, no work context, public/internal message mixing, sensitive value leak, missing safe identifier, retry ambiguity, try-again-later dodge, unstable string-only code, overbroad error bucket, validation info leak, parse location missing, range without bounds, timezone ambiguity, provider evidence loss, cause destruction, brittle message concatenation, prose-only logs, internal jargon in user text, permission existence leak, should-never-happen message, vague conflict, idempotency uncertainty, missing attempt count, partial failure erased, untested error contract, no 30-second next action, or call-site-specific taxonomy drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Error message integrity reviewed, surfaces and audiences, code/message contract, evidence and redaction findings, fixes or recommendation, verification, and remaining error-message risk |
486
526
  | Object lifetime, retained references, cleanup symmetry, event listeners, timers, subscriptions, goroutines, threads, workers, streams, native handles, caches, queues, registries, closures, or memory/resource leak risk is created, changed, reviewed, or reported | `.mustflow/skills/memory-lifetime-review/SKILL.md` | Lifetime surface, setup sites, cleanup sites, retainer graph, repetition path, success and error paths, and configured command intents | Teardown, cancellation, ownership, weak-reference, eviction, queue-bound, stream-close, worker-shutdown, lifecycle-symmetry code, focused tests, and directly synchronized docs or templates | long-lived owner retaining short-lived object, setup without cleanup, unstable listener identity, timeout without cancellation, unbounded cache or queue, debug/log retention, leaked goroutine/thread/worker, native handle leak, finalizer-only cleanup, weak-reference cover-up, or missing repeated-lifecycle proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Lifetime boundary, setup and cleanup owners, retainer paths, long-lived owners and short-lived objects, repeated-lifecycle proof, verification, and remaining lifetime risk |
@@ -567,8 +607,9 @@ routes. Event routes stay inactive until their event occurs.
567
607
  | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
568
608
  | --- | --- | --- | --- | --- | --- | --- |
569
609
  | Environment variables, config keys, secrets, public env prefixes, build-time or runtime config, config schemas or parsers, feature flags, deployment variables, CI secrets, Docker or Compose env, Kubernetes ConfigMaps or Secrets, Cloudflare bindings, Vite, Next.js, Astro, SvelteKit, Tauri, Node, Bun, generated env types, `.env` examples, config docs, or config validation behavior are created, changed, reviewed, or reported | `.mustflow/skills/config-env-change/SKILL.md` | Key name, value meaning, sensitivity, visibility, timing, required environments, owner, default, validation shape, config source of truth, read-first surfaces, platform timing, deployment surfaces, generated types, docs, tests, and command contract entries | Config schemas, parser code, runtime loader wiring, generated type expectations, fake-value env examples, deployment docs, tests, CI or deployment variable names, feature flag defaults, redacted validation errors, and deprecation notes | secret leak, public-prefix misuse, build-time/runtime confusion, stale deploy config, missing `.env.example`, unchecked raw env read, boolean truthiness bug, unredacted error, stale feature flag, production fallback from local/test, or missing restart/rebuild/rollout note | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Keys or flags changed, sensitivity, visibility, timing, required action after value change, source of truth, synchronized surfaces, public/private boundary, redaction notes, build/runtime classification, feature flag behavior, verification, and remaining config/env risk |
570
- | Authentication, authorization, permission, effective-permission decision, role, tenant, session, JWT, OAuth/OIDC, API key, route guard, admin, impersonation, database policy, object-level access control, or permission cache behavior is created or changed | `.mustflow/skills/auth-permission-change/SKILL.md` | Actors, principals, permission decision tuple, effective permissions, tenants, resources, actions, context, auth middleware, sessions, tokens, API keys, route guards, server policy, DB policy, role matrix, audit, and tests | Auth middleware, policy functions, controllers, services, jobs, webhooks, database queries, RLS, UI guards, audit logs, docs, migrations, and tests | authentication treated as authorization, role column mistaken for effective permission, unexplained allow or deny, client guard trusted as security, object-level authorization bypass, cross-tenant leak, stale token or cache permission, over-broad admin/API-key scope, or missing denial tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth/authz boundary, principal/tenant/resource/action/context, effective permission, policy version, decision explanation, revocation window, policy source of truth, server/database enforcement, client UX-only guards, denial coverage, verification, and remaining permission risk |
610
+ | Authentication, authorization, permission, effective-permission decision, role, RBAC/ABAC policy, tenant, organization or team membership, session, cookie, JWT, refresh token, OAuth/OIDC, MFA, passkey, account recovery, API key, route guard, admin, impersonation, database policy, object-level access control, or permission cache behavior is created or changed | `.mustflow/skills/auth-permission-change/SKILL.md` | Actors, principals, permission decision tuple, effective permissions, tenants, organizations, teams, resources, actions, context, auth middleware, sessions, cookies, tokens, refresh-token store, OAuth/OIDC, MFA/passkeys, API keys, route guards, server policy, DB policy, role matrix, audit, and tests | Auth middleware, policy functions, controllers, services, jobs, webhooks, database queries, RLS, UI guards, audit logs, docs, migrations, and tests | authentication treated as authorization, role column mistaken for effective permission, unexplained allow or deny, client guard trusted as security, object-level authorization bypass, cross-tenant leak, stale token or cache permission, refresh-token reuse gap, account-recovery privilege escalation, over-broad admin/API-key scope, or missing denial tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth/authz boundary, principal/tenant/resource/action/context, effective permission, policy version, decision explanation, revocation window, policy source of truth, server/database enforcement, client UX-only guards, account-takeover response, denial coverage, verification, and remaining permission risk |
571
611
  | API security review needs api-access-control triage for BOLA or IDOR, effective permission decisions, broken authentication, object-level authorization, object-property authorization, function-level authorization, request-supplied user, tenant, role, or owner identifiers, tenant isolation, scoped admin, list/detail mismatch, write permissions, mass assignment, DTO exposure, client-only admin, temporary public holes, router order, GraphQL resolvers, batch APIs, exports, downloads, previews, signed storage URLs, cache keys, async job revalidation, webhook ownership mapping, OAuth or OIDC confusion, JWT verification, stale token claims, session rotation, cookie flags, reauthentication, reset tokens, account enumeration, automation defense, internal identity planes, or denial-case matrices | `.mustflow/skills/api-access-control-review/SKILL.md` | User goal, current diff or target files, subject-object-action-context ledger, decision explanation ledger, object authorization ledger, property authorization ledger, function authorization ledger, authentication proof ledger, denial evidence, and configured command intents | Server-side object checks, tenant-scoped lookups, relationship checks, function-level checks, property allowlists, DTO mappers, signed URL scoping, cache-key dimensions, worker revalidation, webhook ownership mapping, token/session/cookie hardening, reauthentication gates, enumeration-safe responses, rate limits, audit logs, focused denial tests, and directly synchronized docs or templates | login-as-authorization, request-owned identity trust, findById before owner check, role-only admin, unexplainable allow/deny decision, list/detail authorization drift, read/write permission confusion, mass assignment, entity DTO leak, client-only admin, permitAll leak, route shadowing, resolver bypass, batch item bypass, export/download bypass, signed URL bypass, tenantless query or cache, stale queue permission, webhook ownership confusion, OAuth/OIDC token confusion, decoded-but-unverified JWT, stale token claim, session fixation, weak cookie, missing reauth, reusable reset token, account enumeration, automation abuse, internal account exposure, or happy-path-only auth tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | API access control reviewed, subject/object/action/field/tenant map, effective permission and decision-explanation findings, object/property/function/auth findings, fixes or recommendation, denial evidence, verification, and remaining API access-control risk |
612
+ | Admin panel, backoffice tool, support console, operator dashboard, staff API, internal dashboard, admin RBAC or ABAC, scoped operator role, audit log, object change history, impersonation, dangerous action, approval flow, export, import, bulk operation, admin search or filter, production guardrail, PII masking, admin session, MFA, or operational-evidence work needs admin-control-plane safety triage | `.mustflow/skills/admin-control-plane-safety-review/SKILL.md` | User goal, current diff or target files, admin actor and session ledger, permission ledger, resource and field ledger, dangerous action ledger, audit and change-history ledger, impersonation ledger, search/filter/export/import/bulk ledger, role matrix, admin docs, runbooks, existing tests, and configured command intents | Scoped admin permission checks, trusted-layer enforcement, server-side field allowlists, tenant-scoped lookups, step-up authentication, dangerous-action previews and confirmations, approval gates, audit records, change-history records, impersonation controls, export/import controls, bulk dry-run and job controls, search and filter limits, production guardrails, focused hostile-path tests, and directly synchronized docs or templates | single `is_admin` shortcut, UI-only admin gate, hidden button trusted as security, support bypass, role-only operator permission, missing explicit deny, missing admin MFA or step-up, audit log confused with change history, editable audit trail, impersonation without actor and subject, export-as-harmless-read, unlimited PII CSV, import mass assignment, bulk click without dry run, preview payload trusted at execution, missing idempotency, no cancel or partial-failure report, production/staging confusion, unmasked sensitive search, unaudited PII read, or happy-path-only admin tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Admin control plane reviewed, operator persona and environment scope, effective permission and trusted enforcement findings, admin session and production guardrails, audit versus change-history findings, impersonation/dangerous-action/export/import/bulk/search/filter findings, hostile-path evidence, verification, and remaining admin-control-plane risk |
572
613
  | File upload, import, attachment, direct-to-storage upload, remote file fetch, archive extraction, thumbnail, preview, image resize, OCR, media transcode, document conversion, antivirus scan, CDR, file metadata, storage key, public file URL, signed upload URL, signed download URL, CDN delivery, file download, uploaded filename display, or file lifecycle test needs file-upload-security triage across validation, storage, processing, serving, and cleanup | `.mustflow/skills/file-upload-security-review/SKILL.md` | User goal, current diff or target files, upload entrypoint ledger, file identity ledger, validation ledger, processing ledger, serving ledger, existing tests or abuse cases, storage policy evidence, and configured command intents | Server-side type allowlists, decoded and normalized filename checks, generated storage keys, path containment checks, overwrite protection, upload size and count limits, quota checks, quarantine states, scanner gates, parser sandboxing, archive extraction guards, CSV formula neutralization, metadata stripping, image rewriting, signed URL constraints, download authorization, response headers, filename encoding, audit logs, cleanup rules, focused denial tests, and directly synchronized docs or templates | client-only file restriction, trusted MIME label, extension check before normalization, blocklist-only type policy, original-name-only validation, user-controlled storage key, path traversal, long-name exception leak, overwrite or key guessing, executable web-root storage, web-server handler execution, magic-byte theater, polyglot file, metadata payload, active SVG or HTML, unsafe PDF or Office preview, Zip Slip, decompression bomb, CSV formula injection, remote fetch SSRF, scan-after-publication gap, unsandboxed parser, weak presigned URL policy, direct-to-storage pre-scan publication, tenant key collision, missing download authorization, unsafe response header, filename XSS or header injection, chunk assembly bypass, quota bypass, orphan file leak, or happy-path-only upload tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | File upload security reviewed, upload/file identity/storage/validation/processing/serving/cleanup map, findings, fixes or recommendation, denial evidence, verification, and remaining file-upload security risk |
573
614
  | Code review or implementation needs security-flow triage by tracing values from source to sink across authorization, object ownership, tenant scoping, IDOR or BOLA risk, list/detail/export scope, state-changing permissions, mass assignment, admin-only surfaces, cache keys, sort/filter/field injection inputs, ORM raw paths, shell wrappers, SSRF, file upload and extraction, path traversal, XSS, CSRF, OAuth, reset tokens, JWTs, cookies, cryptography, logs, fail-open error handling, queued work, race conditions, or supply-chain and CI/CD paths | `.mustflow/skills/security-flow-review/SKILL.md` | User goal, current diff or target files, security claim, source-to-sink map, actor and resource map, read and write surfaces, framework escape hatches, existing tests or scanner findings, and configured command intents | Server-side ownership checks, tenant-scoped queries, allowlisted updates, cache-key dimensions, URL and path validation, parser or renderer boundaries, upload and extraction limits, token validation, cookie flags, fail-closed error handling, queue revalidation, idempotency, focused tests, and directly synchronized docs or templates | dangerous-keyword theater, authentication treated as authorization, UUID-as-lock assumption, list/detail scope drift, export over-disclosure, state change via raw body status, mass assignment, frontend-only admin gate, cache viewer leak, ORDER BY injection, ORM raw escape hatch, shell wrapper injection, SSRF, unsafe upload preview, Zip Slip, decompression bomb, path traversal, XSS, CSRF, weak OAuth state, reset-token reuse, stale JWT claims, broad cookie domain, custom crypto, token or PII logging, missing security logs, fail-open permission, stale queued permission, duplicate money or entitlement effect, postinstall or CI secret exposure | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Security flow reviewed, source/sink/actor/resource/tenant map, authorization and ownership notes, input/file/network/browser/token/cookie/crypto/log/fail-open/async/race/cache/supply-chain findings, fixes or recommendation, tests or invariant evidence, verification, and remaining security-flow risk |
574
615
  | Code, configuration, docs, templates, logs, telemetry, traces, baggage, behavior analytics, credentials, data flows, data residency policy, region or processing-location claims, AI-generated code, authentication, authorization, client-only permission checks, admin operations, audit logs, cache policy, cache-as-authority decisions, claim or policy data, comparison or affiliate data, user-generated content, sessions, tokens, uploads, downloads, signed URLs, API responses, webhooks, job queues, external API call records, external requests, third-party data-use terms, runtime security patch policy, deployment settings, dependencies, cryptography, secure transport, scanner gates, security invariants, or agent configuration affect secrets, personal data, retention, access control, vendor disclosure, or external disclosure | `.mustflow/skills/security-privacy-review/SKILL.md` | Changed files, sensitive surfaces, actor and resource owner, data-owner boundary, data residency and processing-location boundary, runtime patch boundary, AI gateway or budget boundary, server-side authorization rule, file upload/download boundary, API response field boundary, behavior analytics surface, trace or baggage surface, webhook or external-call record surface, admin operation surface, audit-log surface, cache visibility and authority policy, claim or affiliate policy surface, session or token surface, external target, dependency source, third-party data-use or terms surface, cryptography or transport surface, scanner evidence, agent-tool permission, deployment setting, project secret and privacy rules, public or packaged surfaces, and command contract entries | Sensitive data handling, authorization, admin operations, data residency, runtime patchability, AI budget records, behavior analytics, observability identifiers, webhook receipts, external-call records, dead-letter records, audit logs, shared-cache behavior, cache-authority behavior, claim and affiliate disclosure, sessions, tokens, inputs, files, signed URLs, API responses, logs, receipts, generated state, docs, templates, package metadata, deployment settings, and reports | secret leak, personal-data exposure, access-control bypass, client-trusted role or owner value, unsafe admin action, private file exposure, over-broad API response, shared-cache leak, unsafe cache authority, unprovable data location, unpatchable runtime, privacy-heavy telemetry, unsafe baggage propagation, unsafe webhook payload retention, unsafe external request, supply-chain drift, weak cryptography, insecure transport, over-privileged agent, risky third-party terms, or misleading privacy claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Sensitive surfaces reviewed, data residency, runtime patchability, AI hard-limit, behavior analytics, observability, and audit boundaries, webhook, external-call, and dead-letter boundaries, cache authority and disclosure boundaries, assumptions checked, disclosure and retention paths, authorization, file, API response, third-party terms, and external-boundary notes, verification, and remaining security or privacy risk |
@@ -582,7 +623,7 @@ routes. Event routes stay inactive until their event occurs.
582
623
  | Trigger | Skill Document | Required Input | Edit Scope | Risk | Verification Intents | Expected Output |
583
624
  | --- | --- | --- | --- | --- | --- | --- |
584
625
  | Database schema, database engine choice, managed database extension or provider feature, SQLite or PostgreSQL suitability, query, transaction, ORM model, repository/store, index, cache-backed read model, read/write model, content metadata, content blocks, content graph, lifecycle states, versioned records, ledgers, job tables, outbox events, inbox events, idempotency records, processed webhook records, external API call records, provider intent records, manual recovery records, taxonomy, filter URL policies, SEO landing records, claim or fact registries, comparison methodologies, affiliate links, source provenance, verification state, behavior analytics events, core event stores, search document metadata, queue recovery metadata, semantic export/import data, provider id mappings, app-owned identity records, public URL records, data residency records, AI budget or policy records, external-service truth ownership, operational versus analytics data boundaries, cache-as-store decisions, API response projections, public identifiers, data ownership boundaries, admin audit logs, cache invalidation data, user activity state, aggregate cache, hybrid file/database storage, file metadata records, data retention, pagination, concurrency, idempotency, audit log, or persistence boundary is introduced, changed, reviewed, or reported | `.mustflow/skills/database-change-safety/SKILL.md` | Data role, database operating model, managed database dependency model, event role, affected tables or stores, storage split, identity and provider-id mapping model, public URL and file-object model, data location model, AI budget and feature-policy model, block/graph/lifecycle/version/ledger/job/outbox/inbox/webhook/provider-call/taxonomy/filter/claim/source/admin/cache/user-state model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics data model, operational versus analytics boundary, API projection boundary, file metadata and object-storage boundary, public id rule, read/write path, transaction boundary, migration or rollback expectations, local DB or ORM patterns, changed files, and command contract entries | Schema, migrations, repositories, stores, queries, transactions, indexes, read models, ledgers, job records, outbox records, inbox records, processed webhook records, external call records, provider intent records, manual recovery records, content metadata, block records, claim records, source records, comparison records, affiliate records, behavior event records, core event records, search source records, projection records, export/import records, provider mapping records, app identity records, public URL records, data residency records, AI budget or feature-policy records, admin audit records, file metadata records, cache records, user-state records, fixtures, tests, docs, and directly synchronized templates | data loss, incomplete export, provider-id lock-in, provider-auth-function lock-in, raw storage URL lock-in, unprovable data location, SaaS-only core fact, stale cache, authorization leak, transaction bug, duplicate side effect, unknown provider outcome, retry drift, missing manual replay record, slow query, N+1 query growth, write-contention blind spot, operational DB reporting overload, file/database drift, provenance drift, search or queue reconstruction gap, aggregate drift, API/DB coupling, cache-invalidation drift, provider-budget-only AI enforcement, or unverified migration claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Data role, database operating model, source-of-truth split, managed database dependency, app-owned identity, public URL, data residency, AI budget and policy records, schema/query/transaction review, delete lifecycle, versioning, ledger, job/outbox/inbox/webhook/provider-call/manual-recovery model, export/import and provider-id mapping model, external-service truth model, search/queue/log/analytics ownership, read/write model, behavior/audit event boundary, API projection boundary, file metadata boundary, block/graph/lifecycle/taxonomy/filter/claim/source/admin/cache/user-state checks, migration and rollback status, index/performance notes, security/retention checks, tests, verification, and remaining database risk |
585
- | Database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, online DDL, indexes, constraints, backfills, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback or roll-forward claims, cut-over plans, lock or timeout policy, replication lag risk, migration observability, or production database migration procedures are created, changed, reviewed, or reported | `.mustflow/skills/database-migration-change/SKILL.md` | Source schema, target schema, migration files, migration history, generated clients, schema dumps, SQL snapshots, affected queries, deployment shape, database engine, table size, lock and online-DDL assumptions, backfill cursor, rollback or roll-forward type, validation and observability queries, and command contract entries | Migration files, ORM schemas, generated clients, schema dumps, SQL snapshots, backfill code, validation checks, observability notes, seeds, fixtures, compatibility code, docs, tests, and directly synchronized examples | data loss, drop-plus-add rename, old/new app incompatibility, unsafe rolling deploy, unbounded or offset backfill, production lock, silent online-DDL table rewrite, replication lag, uncontrolled cut-over, generated-client drift, migration-history drift, false rollback claim, ORM autogenerate mistake, or destructive contract mixed with expand phase | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration phase, old/new schema compatibility, expand/backfill/switch/contract plan, backfill and validation plan, lock/timeout/replication/cut-over/observability classification, rollback or roll-forward classification, ORM/generated/schema dump surfaces, dependent surfaces, verification, and remaining database-migration risk |
626
+ | Database migration files, schema migration history, ORM schema migrations, generated clients, schema dumps, SQL snapshots, online DDL, indexes, constraints, background-job backfills, zero-downtime migration claims, rolling deploy compatibility, expand-and-contract changes, destructive database changes, migration rollback or roll-forward claims, cut-over plans, feature-flagged read/write switches, lock or timeout policy, replication lag risk, migration observability, or production database migration procedures are created, changed, reviewed, or reported | `.mustflow/skills/database-migration-change/SKILL.md` | Source schema, target schema, migration files, migration history, generated clients, schema dumps, SQL snapshots, affected queries, deployment shape, database engine, table size, lock and online-DDL assumptions, backfill cursor, read/write transition controls, rollback or roll-forward type, validation and observability queries, runbook stop thresholds, and command contract entries | Migration files, ORM schemas, generated clients, schema dumps, SQL snapshots, backfill code, validation checks, observability notes, runbook notes, seeds, fixtures, compatibility code, docs, tests, and directly synchronized examples | data loss, drop-plus-add rename, old/new app incompatibility, unsafe rolling deploy, deploy-time long-running data rewrite, unbounded or offset backfill, production lock, silent online-DDL table rewrite, replication lag, uncontrolled cut-over, backup-only rollback claim, generated-client drift, migration-history drift, false zero-downtime claim, ORM autogenerate mistake, or destructive contract mixed with expand phase | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Migration phase, old/new schema compatibility, expand/backfill/switch/contract plan, read/write transition controls, backfill and validation plan, lock/timeout/replication/cut-over/runbook/observability classification, rollback or roll-forward classification, ORM/generated/schema dump surfaces, dependent surfaces, verification, and remaining database-migration risk |
586
627
  | Database query review needs to catch bottlenecks visible in the diff, including join fan-out, N+1 calls, over-eager loading, `SELECT *`, unstable `LIMIT`, large `OFFSET`, composite index mismatch, range predicate order, functions or casts on indexed columns, parameter type mismatch, wildcard search, cross-column `OR`, large `IN`, `COUNT(*) > 0`, `NOT IN` with NULL, `LEFT JOIN` filters, aggregation after fan-out, latest-row subqueries, wide sort/group/distinct, JSON filters, missing tenant or soft-delete scope, plan/statistics skew, missing-index advice, or long transactions | `.mustflow/skills/database-query-bottleneck-review/SKILL.md` | Query surface, cardinality shape, repetition shape, index and plan evidence, database and ORM context, correctness boundaries, and configured command intents | Projection narrowing, stable ordering, keyset pagination, batching, explicit loading, database-side joins or aggregation, transaction narrowing, focused tests, and engine-specific index or statistics changes only through matching engine skills | cardinality explosion, ORM N+1, eager-load overfetch, covering-index defeat, nondeterministic page, linear offset scan, composite index stop point missed, function-wrapped column scan, implicit cast, wildcard table scan, OR plan instability, huge IN planning cost, wasted count, NULL logic bug, accidental inner join, DISTINCT hiding fan-out, per-parent latest query, temp sort on wide rows, JSON path scan, tenant-wide scan, stale statistics, bad cached plan, index write-amplification, plan-forcing theater, or lock wait from long transaction | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Query path reviewed, cardinality and repetition ledger, projection/pagination/index/plan/transaction findings, evidence level, verification, and remaining database bottleneck risk |
587
628
  | Database JSON, `jsonb`, `json`, metadata, extra, options, settings, attributes, properties, payload, raw payload, event context, dynamic fields, JSON path filters or sorts, generated columns, computed columns, expression indexes, GIN indexes, `jsonb_path_ops`, JSON search indexes, `JSON_VALUE`, `JSON_EXTRACT`, `ISJSON`, schemaVersion, JSON key registries, raw provider payloads, arrays of objects, unbounded maps, or JSON-to-column promotion decisions are introduced, changed, reviewed, or reported | `.mustflow/skills/database-json-modeling-review/SKILL.md` | JSON column role, database engine, key inventory, query and behavior paths, raw-versus-operational split, cardinality and shape, migration compatibility expectations, tests, fixtures, docs, and configured command intents | JSON field contracts, promoted typed columns, child tables, generated/computed columns, check constraints, expression/JSON indexes, key registries, schema versions, repositories, migrations, tests, fixtures, docs, and directly synchronized templates | business state hidden in metadata, status or permission key buried in JSON, tenant or retention key not enforceable, raw payload mistaken for truth, JSON path scan, unbounded object arrays, mutable/static evidence mixed, cross-domain blob, unknown key drift, malformed value drift, engine-specific JSON index overclaim, generated-column migration surprise, old/new writer incompatibility, or missing promotion criteria | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON surface reviewed, role and key inventory, promotion decisions, raw payload versus operational truth split, engine-specific validation/index notes, migration/backfill/compatibility status, evidence level, verification, and remaining JSON modeling risk |
588
629
  | Data deletion, soft delete, hard delete, purge, restore, undelete, account deletion, tenant deletion, retention, legal hold, erasure, anonymization, pseudonymization, tombstones, backup residue, PITR, WAL, binlog, transaction logs, object storage cleanup, search or cache deletion, analytics or warehouse deletion, downstream deletion events, bulk delete jobs, partition drops, admin dry runs, or deletion audit behavior is introduced, changed, reviewed, or reported | `.mustflow/skills/deletion-lifecycle-review/SKILL.md` | Deletion class, entity and dependency graph, state model, query and uniqueness model, recovery model, purge and retention model, privacy and audit model, downstream systems, backup/log residue assumptions, and configured command intents | Deletion states, lifecycle columns, constraints, partial indexes, scopes, tombstone tables, purge and restore jobs, downstream deletion records, idempotent workers, audit records, fixtures, tests, docs, and directly synchronized templates | deleted data leaking through queries, `is_deleted` theater, soft-deleted row blocking active uniqueness, unsafe cascade, lost restore scope, id reuse security bug, missing tombstone, legal hold bypass, audit evidence purged, personal data copied into audit logs, backup erasure overclaim, stuck downstream deletion, unbounded bulk delete, tenant offboarding outage, partition-retention drift, or false irreversible-delete claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Deletion surface reviewed, deletion class and state model, dependency and downstream graph, visibility/uniqueness/identity/cascade/legal/audit/restore/purge/backup decisions, evidence level, verification, and remaining deletion lifecycle risk |
@@ -595,6 +636,7 @@ routes. Event routes stay inactive until their event occurs.
595
636
  | Dependency, package, runtime, framework, tool, command, plugin, service, platform capability, supported-version policy, security patch path, ecosystem maturity claim, maintainer-risk assumption, runtime portability claim, edge or serverless compatibility claim, critical-path library choice, package script, lifecycle hook, binary download, lockfile, audit result, or supply-chain-sensitive dependency surface is assumed, added, removed, imported, invoked, installed, audited, or documented | `.mustflow/skills/dependency-reality-check/SKILL.md` | Assumed dependency or capability, declaration files, version or feature expectation, role criticality, supported-version or end-of-life evidence, patchability expectation, runtime compatibility boundary, maintainer and ecosystem evidence when available, lockfile entry, package script or lifecycle hook, audit or provenance evidence, and relevant command intents | Package metadata, lockfiles, imports, scripts, command contracts, docs, tests, runtime policy notes, portability notes, and reports | unavailable dependency, hallucinated or lookalike package, fragile single-maintainer core dependency, experimental technology in a survival path, unsupported runtime, unclear security patch path, runtime-specific API leakage into core logic, stale version claim, lifecycle script risk, audit suppression, lockfile drift, or install guidance mismatch | `changes_status`, `changes_diff_summary`, `build`, `test_release`, `mustflow_check` | Dependency checked, ecosystem and maintainer-risk boundary reviewed, supported-version, patchability, and runtime-portability boundary reviewed, supply-chain surface reviewed, declarations synchronized, verification, and remaining dependency risk |
596
637
  | Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, TypeScript compiler-track references, Rust release or MSRV references, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, TypeScript compiler track or Rust MSRV/toolchain track when relevant, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, TypeScript RC/nightly/API-track confusion, Rust stable/nightly/MSRV confusion, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, TypeScript stable/RC/nightly/API-track and Rust stable/nightly/MSRV split when relevant, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
597
638
  | External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or volatile component implementations cross the core boundary or need stable port/adapter translation, change isolation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, change-isolation ledger, preserved consumer contract, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, caller churn from adapter-only changes, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, change-isolation ledger, preserved consumer contract, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
639
+ | Third-party SDK or external API integration, review, debugging, upgrade, webhook handling, auth scope change, sandbox or production setup, provider SDK version change, API version migration, rate-limit handling, retry policy, idempotency key usage, pagination, provider error mapping, request id logging, changelog review, deprecation response, or provider operational-readiness test needs production integration review | `.mustflow/skills/third-party-api-integration-review/SKILL.md` | Provider and SDK/API ledger, source-of-truth docs, auth and scope ledger, operation and side-effect ledger, webhook ledger, error and observability ledger, changelog or migration evidence, existing fakes or sandbox tests, and configured command intents | Provider adapters, wrappers, typed request and response models, error mappers, timeout and retry policies, rate-limit handling, idempotency key handling, pagination handling, webhook signature verification and dedupe, redacted observability, sandbox tests, fixtures, runbooks, migration notes, and directly synchronized docs or templates | demo-only integration, stale provider docs, SDK/API drift, sandbox-production mixup, hardcoded secret, overbroad scope, token refresh gap, missing timeout, infinite retry, retrying permanent errors, mutating retry without idempotency, per-attempt idempotency key, 429 retry storm, ignored Retry-After, offset pagination assumption, raw provider error leak, string-only provider error, missing request id, trusted webhook payload, JSON-parsed signature breakage, duplicate webhook side effect, event-order assumption, success redirect as proof, unhandled unknown provider outcome, dashboard-only setting, untested SDK upgrade, or happy-path-only sandbox test | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Third-party integration reviewed, provider source-of-truth and SDK/API version evidence, auth/environment/scope decisions, timeout/retry/rate-limit/idempotency/pagination decisions, webhook delivery and dedupe checks, error and observability mapping, tests or missing evidence, verification, and remaining provider operational risk |
598
640
  | Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, or WebView/native boundary drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, and native boundary checked, verification, and remaining Tauri risk |
599
641
  | Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch, or packaging/signing drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Wails version/app/service/bridge/binding/window/event/menu/tray/dialog/platform packaging notes, verification, and remaining Wails risk |
600
642
  | File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
@@ -619,7 +661,9 @@ routes. Event routes stay inactive until their event occurs.
619
661
  | Frontend component, route, store, query, form, router state, context provider, persisted store, external subscription, optimistic mutation, search/filter/pagination interaction, selected item, list key, or hydration path can duplicate, derive, overwrite, or race the same value across props, local state, server cache, URL params, form drafts, global app context, selectors, storage, or external stores | `.mustflow/skills/frontend-state-ownership-review/SKILL.md` | User goal, current diff or target files, framework and state-library signals, state owner ledger, state class map, synchronization surfaces, identity and collection surfaces, evidence level, and configured command intents | State owner cleanup, derived selectors, nearest-owner move, status or mode union, grouped action, selected ID lookup, query key dimensions, invalidation scope, request cancellation, optimistic rollback, URL-state routing, form draft reset, context split or memoization, persisted-state versioning, reset keys, external subscription wrapper, focused tests, and directly synchronized docs or templates | props-to-state drift, duplicated derived state, effect-derived one-render lag, contradictory booleans, partial grouped-state tear, selected object staleness, server data copied into global store, URL state fork, form draft overwrite, optimistic update without rollback, stale request overwrite, incomplete query key, broad invalidation, index-key local-state swap, raw setter sprawl, context value rerender storm, state too high or too low, non-serializable persisted store, hydration mismatch, unsafe external subscription snapshot, or unverified state owner | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend state surface reviewed, owner ledger and state class map, duplicate or derived state findings, query/URL/form/optimistic/race/context/persistence decisions, tests or evidence level, verification, and remaining state-ownership risk |
620
662
  | Frontend UI, design system component, dashboard, form, card, list, table, chart, media slot, modal, drawer, toast, bottom CTA, portal, or responsive surface needs stress-layout review against hostile content, narrow parent containers, async media, skeletons, empty or error states, permission variants, scrollbars, mobile viewport and keyboard behavior, safe areas, line clamps, i18n or RTL, touch input, reduced motion, observer loops, portal edge placement, z-index layers, browser zoom, cascade layers, or reproducible break conditions | `.mustflow/skills/frontend-stress-layout-review/SKILL.md` | User goal, current diff or target files, framework and styling signals, stress fixture ledger, parent container ledger, geometry contract ledger, interaction and state ledger, evidence level, and configured command intents | Stress fixtures, stories, tests, parent-container-aware constraints, container queries, `min-width: 0`, `minmax(0, 1fr)`, `overflow-wrap: anywhere`, reserved media dimensions, `aspect-ratio`, skeleton geometry, empty and error states, permission variants, stable scroll containers, `scrollbar-gutter: stable`, mobile viewport and keyboard constraints, `safe-area-inset-*`, explicit `line-height`, logical properties, touch-accessible affordances, `prefers-reduced-motion`, observer scope, portal placement, z-index tokens, table and chart stress handling, zoom-safe geometry, cascade layer fixes, and directly synchronized docs or templates | happy-path fixture blindness, parent-width overflow, flex or grid min-content blowout, unbroken text overflow, async media or font layout shift, skeleton mismatch, collapsed empty state, error-state overlap, permission action wrapping, late `display: none` layout jump, scrollbar width wrap, fragile `100vh`, keyboard-covered CTA, unsafe-area overlap, line-clamp/action collision, localization or RTL breakage, hover-only control, layout-affecting hover or animation, ResizeObserver loop, clipped portal, z-index arms race, unusable wide table, chart zero-width mount, browser zoom clipping, CSS specificity loss, or vague non-reproducible visual complaint | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend stress layout reviewed, stress fixture and parent-container ledgers, reproducible break conditions, fixes or recommendation, evidence level, verification, and remaining stress-layout risk |
621
663
  | Frontend UI, design-system component, form, dialog, menu, tab, combobox, custom select, table, card, media, icon button, image, toast, live update, drag interaction, focus style, keyboard handler, `onClick`, `role`, `tabIndex`, `aria-*`, `alt`, hidden content, visually hidden text, or automated accessibility claim needs accessibility-tree review for native semantics, accessible names, visible label consistency, keyboard navigation, focus order and return, forms, errors, status messages, ARIA references, icon or image alternatives, custom widget contracts, non-text contrast, target size, drag alternatives, or a11y evidence limits | `.mustflow/skills/frontend-accessibility-tree-review/SKILL.md` | User goal, current diff or target files, framework and component-library signals, semantic ledger, keyboard ledger, assistive-technology ledger, form ledger, interaction ledger, evidence level, and configured command intents | Native HTML element selection, button/link semantics, `href` cleanup, keyboard parity, tabindex cleanup, focus-visible styling, obscured focus fixes, dialog focus management, icon-only accessible names, visible-label-aligned names, `aria-labelledby` and `aria-describedby` id references, `aria-hidden` cleanup, SVG icon defaults, image `alt`, label and fieldset wiring, `aria-invalid`, error descriptions, submit-failure focus, live regions, ARIA pattern keyboard behavior, custom select constraints, non-text contrast, target-size fixes, drag alternatives, focused tests, accessibility snapshots, and directly synchronized docs or templates | ARIA costume over broken semantics, clickable div, fake link, `href="#"`, missing Enter or Space behavior, tabIndex sprawl, positive tabindex, invisible focus, focus hidden behind sticky layers, modal focus leak, unnamed icon button, visible text fighting `aria-label`, broken `aria-labelledby`, interactive child hidden by `aria-hidden`, duplicate SVG announcement, useless image alt, placeholder-only field, missing legend, color-only error, disconnected error text, submit failure silence, unannounced async status, menu or combobox keyboard mismatch, unnecessary custom select, offscreen focus trap, non-text contrast failure, tiny pointer target, drag-only operation, axe-only proof, or accessibility-tree evidence gap | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend accessibility tree reviewed, semantic/keyboard/focus/name/form/status/widget evidence, findings, fixes or recommendation, automated-evidence limits, verification, and remaining accessibility-tree risk |
622
- | Frontend UI, product copy, forms, validation messages, empty states, toasts, dialogs, metadata, SEO or Open Graph text, charts, canvas, SVG text, emails, push notifications, share text, exports, downloads, PDFs, CSVs, calendar invites, translation keys, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, browser `confirm`, date/time/relative-time formatting, numbers, currency, units, search, sort, collation, Unicode normalization, grapheme truncation, RTL, bidirectional text, font fallback, pseudo localization, SSR locale, hydration, fallback, backend error-code mapping, or localized rich text needs localization review beyond visible JSX text | `.mustflow/skills/frontend-localization-review/SKILL.md` | User goal, current diff or target files, framework and i18n library signals, supported locale policy, string exposure ledger, message-shape ledger, format ledger, text-processing ledger, direction and layout ledger, runtime locale ledger, evidence level, and configured command intents | Message catalog wiring, full-sentence keys, named interpolation, context-specific messages, plural and zero handling, grammar-safe dynamic values, tone consistency, locale-aware formatters, display/storage value split, collation and search normalization, grapheme-safe truncation, RTL and `dir="auto"` handling, logical direction fixes, icon mirroring decisions, font fallback checks, pseudo-localization fixtures, SSR locale agreement, missing-key handling, backend error-code mapping, component interpolation for rich text, export and notification text coverage, focused tests, and directly synchronized docs or templates | visible-JSX-only scan, hardcoded placeholder or metadata, concatenated translation fragments, reused dictionary key, `Delete {item}` grammar trap, English-only plural, missing zero state, broken Korean particle or inflection, mixed tone, manual date string, time-zone shifted deadline, hydration relative-time mismatch, comma-only number format, locale-agnostic input parse, language/region/currency conflation, default `sort()`, unsafe lowercasing, accent or Unicode normalization miss, emoji-splitting `.length`, wrong ellipsis owner, RTL afterthought, missing `dir="auto"`, blanket icon mirroring, fixed-width translated button, missing glyph fallback, no pseudo localization, single-locale screenshot proof, server/client locale mismatch, silent English fallback, raw HTML in translations, raw backend prose, untranslated export, or static-only localization claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend localization reviewed, string exposure and message-shape ledgers, formatting/search/sort/RTL/SSR/export checks, fixes or recommendation, evidence level, verification, and remaining localization risk |
664
+ | Frontend component library, design system package, UI kit, shared component package, token system, primitive layer, compound component, variant API, theming surface, Storybook or docs contract, package export, public CSS variable, data attribute, slot, ref target, controlled or uncontrolled component API, visual regression suite, codemod, SemVer policy, or breaking-change plan is created, changed, reviewed, or reported | `.mustflow/skills/frontend-component-library-review/SKILL.md` | User goal, target package or library, framework signals, consumer audience, current diff or target files, package API ledger, token ledger, primitive behavior ledger, component contract ledger, state contract ledger, variant and theming ledger, docs and test ledger, release ledger, and configured command intents | Package exports and deep-import policy, peer dependencies, side-effect CSS, token source and generated CSS variables or types, primitive focus and keyboard contracts, component props and slots, stable data attributes, CSS variable hooks, controlled and uncontrolled state pairs, semantic variant axes, impossible-combination guards, theme-axis separation, documented DOM ownership, Storybook stories as executable specs, type/export tests, role/name behavior tests, accessibility evidence, representative visual regression matrix, SSR and hydration checks, bundle checks, deprecation warnings, migration docs, codemods, changelog, route metadata, and directly synchronized templates | pretty-button pile, Figma-copy repo, raw hex or raw Figma token leak, token source and generated output drift, semantic token bypass, theme logic spread across components, primitive behavior gap, ARIA costume, app store or router coupling, mixed controlled and uncontrolled ownership, prop-list dump, impossible variant combo, unsafe `as` or `asChild`, `className` escape hatch as system policy, incidental DOM selector contract, undocumented deep import reliance, docs-as-gallery, props-table-only docs, snapshot-only tests, axe-only proof, visual matrix explosion, tree-shaking drag, missing codemod, SemVer underclassification, or unverified reusable-library claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend component library reviewed, package API/token/primitive/component/state/variant/theme/docs/test/release ledgers, findings, fixes or recommendation, breaking-change and migration classification, evidence level, narrower skills used or deferred, verification, and remaining component-library contract risk |
665
+ | Frontend UI, product copy, forms, validation messages, empty states, toasts, dialogs, metadata, SEO or Open Graph text, `hreflang`, canonical links, localized routes, locale sitemaps, charts, canvas, SVG text, emails, push notifications, share text, exports, downloads, PDFs, CSVs, calendar invites, translation keys, key lifecycle, message catalogs, TMS or XLIFF workflow, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, browser `confirm`, date/time/relative-time formatting, numbers, currency, units, search, sort, collation, Unicode normalization, grapheme truncation, RTL, bidirectional text, font fallback, pseudo localization, SSR locale, hydration, fallback, missing-key telemetry, backend error-code mapping, or localized rich text needs localization review beyond visible JSX text | `.mustflow/skills/frontend-localization-review/SKILL.md` | User goal, current diff or target files, framework and i18n library signals, supported locale policy, locale model ledger, string exposure ledger, translation-key ledger, message-shape ledger, format ledger, text-processing ledger, direction and layout ledger, runtime locale ledger, SEO and routing ledger, translation workflow ledger, operations ledger, evidence level, and configured command intents | Message catalog wiring, stable contextual keys, key lifecycle checks, full-sentence keys, named interpolation, placeholder metadata, context-specific messages, plural/select/zero handling, grammar-safe dynamic values, tone consistency, locale-aware formatters, display/storage value split, collation and search normalization, grapheme-safe truncation, global name/address/phone assumptions, RTL and `dir="auto"` handling, logical direction fixes, icon mirroring decisions, font fallback checks, pseudo-localization fixtures, locale route priority, SSR locale agreement, missing-key and fallback telemetry, SEO `hreflang`/canonical/sitemap checks, backend error-code mapping, component interpolation for rich text, translation workflow gates, export and notification text coverage, focused tests, and directly synchronized docs or templates | visible-JSX-only scan, hardcoded placeholder or metadata, concatenated translation fragments, reused dictionary key, source-prose-as-key churn, orphan or missing key, placeholder mismatch, `Delete {item}` grammar trap, English-only plural, missing select or zero state, broken Korean particle or inflection, mixed tone, manual date string, naive recurring timezone, comma-only number format, `toFixed(2)` currency assumption, language/region/currency/time-zone conflation, default `sort()`, unsafe lowercasing, accent or Unicode normalization miss, first-name/last-name or numeric postal-code assumption, emoji-splitting `.length`, wrong ellipsis owner, RTL afterthought, missing `dir="auto"`, blanket icon mirroring, fixed-width translated button, missing glyph fallback, no pseudo localization, single-locale screenshot proof, server/client locale mismatch, silent English fallback, wrong localized canonical, missing reciprocal `hreflang`, forced locale redirect, raw HTML in translations, raw backend prose, text baked into images, untranslated export, unreviewed machine translation, or static-only localization claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Frontend localization reviewed, locale model/string/key/message-shape ledgers, formatting/search/sort/RTL/SSR/SEO/workflow/export checks, fixes or recommendation, evidence level, verification, and remaining localization risk |
666
+ | Public website, landing page, marketing page, ecommerce page, signup flow, checkout flow, account page, support surface, navigation, search, form, cookie or consent surface, pricing page, mobile web surface, or conversion path is planned, edited, reviewed, or reported and common visitor complaints need website-task friction review | `.mustflow/skills/website-task-friction-review/SKILL.md` | Primary visitor task, target audience, entry point, completion point, changed route or surface, product constraints, pricing/account/support/privacy facts, likely devices, complaint evidence, and configured command intents | Website copy, navigation labels, page order, form fields, validation, error states, mobile layout, support links, trust disclosures, pricing visibility, consent behavior, recovery paths, focused tests, docs, templates, and reports | popup blocking first task, forced signup, hidden cost, confusing navigation, invisible search, mobile hover dependency, tiny target, vague error, lost form data, inaccessible task path, slow first interaction, weak trust, hard-to-find support, dark pattern, invented policy claim, or unverified conversion-ready claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Website task reviewed, entry and completion path, friction findings by severity, likely user complaint, cause, fix, acceptance test, focused checks, narrower skills used or recommended, verification, and remaining website task risk |
623
667
  | Frontend navigation flicker, theme flash, FOUC, hydration flash, blank first render, unstable loading shell, route transition jank, state loss across navigation, or first-paint instability is reported, created, edited, reviewed, or verified | `.mustflow/skills/frontend-render-stability/SKILL.md` | Symptom, affected routes, framework and version signals, root shell, links/router, theme init, root CSS, font/media loading, data-loading owner, and configured verification entries | Root HTML, layouts, router links/config, early theme scripts, root CSS, theme tokens, skeletons, hydration boundaries, route data loaders, directly tied tests, docs, and templates | masked full document reload, late theme application, hydration mismatch, client-only first data, loading layout shift, duplicate view-transition names, reduced-motion regression, or false visual proof | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `mustflow_check` | Symptom phase, evidence inspected, instability layer found or ruled out, framework-specific skills used, files changed, verification, skipped visual checks, and remaining render-stability risk |
624
668
  | User-facing UI, dashboard, settings, navigation, form, copy, responsive layout, accessibility, visual geometry, interaction flow, or visual state changes are planned, edited, reviewed, or reported | `.mustflow/skills/ui-quality-gate/SKILL.md` | Changed UI surface, user task, interaction path, existing patterns, state combinations, localization rules, content stress cases, geometry-sensitive component facts, and command contract entries | UI controls, labels, states, layout constraints, geometry contracts, accessibility attributes, localization hooks, task-flow recovery, docs, templates, and reports | decorative UI drift, inaccessible controls, icon/text misalignment, overflow or layout breakage, missing empty/error/permission recovery, or unverified visual claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | UI surface reviewed, states checked, geometry/layout/accessibility/localization/recovery notes, skipped visual checks, and remaining UI risk |
625
669
  | HTML, templates, component markup, forms, controls, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed | `.mustflow/skills/html-code-change/SKILL.md` | Page shell, markup patterns, form/control components, metadata source, changed files, and command contract entries | HTML and template markup, metadata, forms, interactive controls, tests, and docs examples | invalid semantics, inaccessible control, broken focus path, metadata drift, or invalid browser markup | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Semantic, form, focus, metadata, and validation boundary checked, verification, and remaining HTML risk |
@@ -641,6 +685,7 @@ routes. Event routes stay inactive until their event occurs.
641
685
  | --- | --- | --- | --- | --- | --- | --- |
642
686
  | Architecture, module boundaries, codebase structure, structural improvement, codebase deepening, or testability needs review before choosing a refactor or abstraction | `.mustflow/skills/architecture-deepening-review/SKILL.md` | Target area, structural pain, local patterns, behavior evidence, current changed files, and command contract entries | Review notes, ranked structure candidates, and at most one scoped structural follow-up when requested | speculative abstraction, broad rewrite, pattern-first design, hidden behavior change, or unverified structure claim | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Review target, evidence, candidate scores, selected next action, narrower skill choice, verification, and remaining architecture risk |
643
687
  | Service boundaries, modular-monolith boundaries, bounded contexts, team ownership, data ownership, source-of-truth maps, event or queue boundaries, multi-tenant isolation, failure flows, independent deployment, operational recovery, disaster recovery, cost, toil, or large-scale architecture split decisions are designed, reviewed, or changed | `.mustflow/skills/service-boundary-architecture/SKILL.md` | Candidate domains, owners, data truth map, communication paths, shared database or cache coupling, failure flows, boundary proof ledger, idempotency, queue/retry/dead-letter behavior, cache consistency, tenant/auth/audit boundaries, observability, deployment, migration, retention, operations tools, and command contract entries | Architecture docs, decision records, context files, boundary source, API/event/queue/cache/read-model contracts, operational runbooks, tests, and directly synchronized docs or templates | noun-first service split, shared database coupling, unknown data owner, repeated cross-team co-change, independent-deploy theater, dependency cycle, happy-path-only design, retry storm, queue backlog with no owner, cache as accidental authority, tenant leak, command-like events, missing observability, unsafe migration, weak health probe, untested graceful shutdown, version incompatibility, untested restore or DR, or manual recovery without audit | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary checked, data owners, co-change/deploy/dependency proof, failure/idempotency/queue/cache/event notes, tenant/auth/retention/observability/deployment/health/recovery/cost/toil notes, verification, and remaining service-boundary risk |
688
+ | Multi-product platform, app factory, many-small-services architecture, shared account portal, Product Registry, shared auth, billing, credits, entitlements, admin console, deployment factory, analytics spine, logging, i18n, common UI, templates, or operations automation must support many product apps without per-service copy-paste | `.mustflow/skills/small-service-platform-architecture-review/SKILL.md` | User goal, target product count, product types, Product Registry ledger, identity ledger, money and access ledger, operations ledger, app factory ledger, observability and analytics ledger, shared product surface ledger, current diff or target files, and configured command intents | Product Registry, shared account portal, identity and organization model, billing catalog, entitlement service, credit ledger, usage meters, admin and support console, app generator, thin app shells, shared packages, CI/CD, deployment templates, analytics event schema, logging/tracing, notification, i18n, legal, consent, shared UI, file/job/integration services, feature flags, AI Gateway, license service, runbooks, tests, docs, route metadata, and directly synchronized templates | per-service auth or billing copy, Stripe or provider dashboard as only authority, missing Product Registry, plan-string feature gates, balance-only credits, no reservation lifecycle, direct database support surgery, template copy drift, no account portal, no first-value-created event, logs without app or tenant identity, missing webhook replay, missing backup or restore proof, product-specific privacy facts hidden in code, operations by memory, or unverified 100-service readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Platform surface reviewed, Product Registry/identity/billing/credit/entitlement/admin/app-factory/deployment/analytics/observability/shared-surface/security/privacy/operations/phase ledgers, shared versus app-specific ownership decisions, specialist skills applied or deferred, evidence level, verification, and remaining small-service platform architecture risk |
644
689
  | Code is being refactored, reorganized, renamed, deduplicated, simplified, or structurally improved while existing behavior should be preserved | `.mustflow/skills/behavior-preserving-refactor/SKILL.md` | Refactoring goal, target area, behavior evidence, local patterns, current changed files, and command contract entries | Small behavior-preserving refactor steps, related tests, and directly synchronized docs or contracts | hidden behavior change, broad cleanup, misleading abstraction, unsafe deduplication, or unverified legacy change | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Goal, behavior evidence, structural risks, refactoring ladder, changes made, excluded behavior changes, verification, and remaining risks |
645
690
  | Class inheritance, base classes, abstract classes, template methods, protected state, mixins, framework subclasses, or subtype hierarchies are introduced, reviewed, or refactored, especially for behavior reuse or feature variants | `.mustflow/skills/composition-over-inheritance/SKILL.md` | Inheritance surface, reuse goal, change dimensions, local composition patterns, compatibility constraints, current changed files, and command contract entries | Classes, functions, role interfaces, policies, strategies, adapters, decorators, state machines, tests, wrappers, and directly synchronized docs or templates | fragile parent-child coupling, subclass explosion, broken substitutability, hidden protected state, over-composition, or untested behavior-preserving refactor | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Inheritance review, keep-or-replace decision, change dimensions, composition pattern, tests, verification, and remaining hierarchy risk |
646
691
  | Multiple interchangeable algorithms, policies, calculations, scoring methods, sorting methods, recommendation methods, pricing rules, discount rules, shipping methods, payment methods, notification methods, permission policies, provider choices, feature-flag variants, or repeated branches choose how to do the same kind of work | `.mustflow/skills/strategy-pattern/SKILL.md` | Stable workflow, variants and shared purpose, current branch locations, common input and output shape, selection criteria, local Result, dependency injection, decorator, registry, and test patterns, current changed files, and command contract entries | Strategy function types, interfaces, concrete strategies, selectors, resolvers, registries, decorators, context wiring, tests, and directly synchronized docs or templates | over-abstracted small branch, wrong use-case grouping, context knowing concrete strategies, silent fallback, unsafe user-selected strategy, request-stateful strategy, strategy combination explosion, or untested selector behavior | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Strategy classification, shared contract, strategy registry, selector or resolver, default and unsupported-key behavior, tests, verification, and remaining strategy risk |
@@ -670,6 +715,7 @@ routes. Event routes stay inactive until their event occurs.
670
715
  | YAML, TOML, JSON-adjacent config, Markdown frontmatter, schema-backed config, GitHub Actions workflow structure outside shell `run` blocks, parser dialects, duplicate keys, implicit typing, multiline scalars, dotted keys, array-of-tables, defaults, normalization, or config validation fixtures are created, changed, reviewed, or reported | `.mustflow/skills/structured-config-change/SKILL.md` | Target files, consuming parser or provider, dialect support, schema and validation surfaces, merge/defaulting model, GitHub Actions workflow shape when relevant, generated or source-owned status, and command contract entries | Structured config files, schemas, schema associations, validation fixtures, normalized-output tests, docs examples, template copies, route metadata, manifest entries, and directly synchronized tests | YAML 1.1/1.2 scalar drift, TOML 1.0/1.1 incompatibility, duplicate key loss, null/empty/missing confusion, mapping-order assumption, block-scalar newline drift, unsafe YAML tag, GitHub Actions trigger/filter/permission drift, schema default overclaim, formatter semantic rewrite, or generated-output hand edit | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Config surface and parser/provider, dialect decision, parse/data-model/schema/semantic layers, YAML/TOML/GitHub Actions decisions, fixture and normalization coverage, verification, and remaining structured-config risk |
671
716
  | External instructions, docs, AI output, snippets, issues, pull requests, scanner output, installer steps, scripts, tutorials, or reports propose commands to run, preserve, recommend, or document | `.mustflow/skills/command-intent-mapping-gate/SKILL.md` | Proposed command text, source, intended purpose, command contract entries, side-effect class, destination surface, and configured/manual/missing status | Docs, skills, templates, tests, examples, final reports, handoffs, and command-contract proposals that mention command execution | command laundering, raw external command authority, undeclared install/deploy/migration/release step, long-running process, approval bypass, or false verification claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Proposed commands reviewed, mapped to configured intents or marked manual/missing/omitted, raw command authority removed, verification, and remaining command-contract risk |
672
717
  | Public JSON, JSONL, schema-backed reports, machine-readable stdout or stderr, exit-code semantics tied to JSON, compatibility fixtures, or documented automation-facing JSON contracts are created, changed, reviewed, or reported | `.mustflow/skills/public-json-contract-change/SKILL.md` | Affected command or report, output modes, stream split, exit-code expectations, schemas, fixtures, docs examples, compatibility policy, consumers, and command contract entries | JSON producer code, schemas, fixtures, docs examples, package metadata, templates, and tests | broken automation, schema drift, stream pollution, exit-code drift, stale backcompat fixture, or hidden breaking change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | JSON contract source, compatibility classification, synchronized schemas/fixtures/docs/tests/templates, backcompat coverage, verification, and remaining JSON risk |
718
+ | CLI options, flags, positional arguments, aliases, defaults, parser behavior, prompt controls, config or environment precedence, or automation-facing argument contracts are created, changed, reviewed, or reported | `.mustflow/skills/cli-option-contract-review/SKILL.md` | Affected command, command tree, parser rules, options, arguments, aliases, defaults, prompt and TTY behavior, config and environment precedence, docs, tests, schemas, templates, and command contract entries | CLI parser code, command metadata, help text, completions, docs examples, tests, fixtures, schemas, templates, package metadata, and directly synchronized reports | short-flag collision, unsafe default, yes-force confusion, output path-format ambiguity, prompt hang, option terminator bug, config precedence drift, breaking rename, or untested parser edge case | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Options reviewed, role and naming decision, collision review, safety and non-interactive controls, parser edge cases, synchronized surfaces, verification, and remaining CLI-option risk |
673
719
  | CLI text output, JSON output, exit codes, error messages, warnings, deprecations, help text, command aliases, schema-backed reports, or automation-facing command behavior are created, changed, reviewed, or reported | `.mustflow/skills/cli-output-contract-review/SKILL.md` | Affected command, output modes, exit-code expectations, docs examples, schemas, fixtures, consumers, and command contract entries | CLI output code, schemas, fixtures, docs, README examples, package tests, templates, and reports | broken automation, misleading success, schema drift, undocumented deprecation, stale example, or incompatible output change | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Output surfaces reviewed, status and exit-code semantics, synchronized schemas/docs/tests/templates, verification, and remaining CLI-output risk |
674
720
  | mustflow template install surfaces, template manifests, skill profiles, locale source files, init or update behavior, managed file lists, package inclusion, template command contracts, or source-to-template workflow copies are created, changed, reviewed, or reported | `.mustflow/skills/template-install-surface-sync/SKILL.md` | Changed files, intended installed behavior, source file, template copy, manifest entries, profile impact, locale policy, init/update tests, and intentional divergence rules | Source workflow files, canonical template copies, route metadata, manifest creates/profiles, locale metadata, init/update tests, package tests, and docs examples | source/template drift, blind command-contract copy, missing installed file, profile bloat, stale locale policy, broken update preview, or package omission | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Installed surface, must-match sync, intentional divergences, manifest/profile updates, locale/init/update/package checks, verification, and remaining template drift risk |
675
721
  | Dates, versions, counts, durations, limits, metrics, benchmarks, prices, percentages, or other numeric facts are created, edited, or reported | `.mustflow/skills/date-number-audit/SKILL.md` | Date or numeric fact, source of truth, dependent surfaces, precision expectation, and command contract entries | Numeric statements, metadata, tests, docs, templates, and reports | invented, stale, or mismatched numeric claim | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Audited values, source of truth, synchronized surfaces, skipped checks, and remaining numeric risk |