mustflow 2.107.9 → 2.108.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/templates/default/i18n.toml +44 -8
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +40 -5
- package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
- package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
- package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
- package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
- package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
- package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
- package/templates/default/manifest.toml +43 -1
package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md
ADDED
|
@@ -0,0 +1,200 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.admin-control-plane-safety-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: admin-control-plane-safety-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and admin panels, backoffice tools, operator consoles, support tools, internal dashboards, staff APIs, admin RBAC or ABAC, scoped operator roles, audit logs, change history, impersonation, dangerous action confirmation, approval flows, exports, imports, bulk operations, admin search and filters, production guardrails, PII masking, admin sessions, MFA, or operational evidence need review as a high-risk control plane rather than a convenience UI.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.admin-control-plane-safety-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# Admin Control Plane Safety Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review administrator and operator surfaces as production control planes.
|
|
34
|
+
|
|
35
|
+
An admin page is not just a place where staff edits rows faster. It is where one mistaken click, stale permission, unscoped search, silent export, or confused impersonation session can delete customer data, leak private information, grant privilege, break billing, or make incident reconstruction impossible.
|
|
36
|
+
|
|
37
|
+
<!-- mustflow-section: use-when -->
|
|
38
|
+
## Use When
|
|
39
|
+
|
|
40
|
+
- Admin panels, backoffice tools, support consoles, operator dashboards, staff APIs, internal routes, admin GraphQL or RPC procedures, moderation queues, billing consoles, tenant management tools, feature-flag consoles, data repair tools, or emergency-access tools are created, changed, reviewed, or reported.
|
|
41
|
+
- Work touches scoped admin roles, RBAC or ABAC for operators, support permissions, organization or tenant admin scope, role assignment, privilege factories, approval flows, impersonation, break-glass access, or admin session boundaries.
|
|
42
|
+
- Work touches admin audit logs, object change history, before/after snapshots, security event logs, denied admin attempts, read access to sensitive data, export logs, import logs, bulk-operation logs, or operational evidence.
|
|
43
|
+
- Work touches dangerous actions such as delete, restore, refund, charge, ban, unban, transfer ownership, change roles, reset MFA, invalidate sessions, purge cache, reindex search, run migration-like repair, edit production config, or bulk update.
|
|
44
|
+
- Work touches admin search, filtering, sorting, pagination, saved views, exports, imports, bulk actions, CSV or spreadsheet output, PII masking, tenant isolation, production versus staging indicators, or environment guardrails.
|
|
45
|
+
|
|
46
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
47
|
+
## Do Not Use When
|
|
48
|
+
|
|
49
|
+
- The task changes the core authentication, authorization, session, token, RBAC, ABAC, tenant, or permission engine. Use `auth-permission-change` first, then this skill for the admin control-plane surface around it.
|
|
50
|
+
- The task needs API-specific BOLA, IDOR, object, property, or function authorization review. Use `api-access-control-review` for the API proof and this skill for admin workflow controls, auditability, and operator safety.
|
|
51
|
+
- The task is a broad sensitive-data, retention, logging, dependency, or privacy review with no admin surface. Use `security-privacy-review`.
|
|
52
|
+
- The task primarily changes a domain workflow such as payment, notification, credit ledger, deletion, deployment, or database migration. Use that domain skill for domain correctness and this skill only for the admin operation that exposes or overrides it.
|
|
53
|
+
- The task only changes public website UI copy or layout with no staff-only action, permission, audit, export, or operational evidence surface.
|
|
54
|
+
|
|
55
|
+
<!-- mustflow-section: required-inputs -->
|
|
56
|
+
## Required Inputs
|
|
57
|
+
|
|
58
|
+
- User goal, current diff or target files, affected admin surfaces, operator personas, protected resources, tenant or organization scopes, and environments.
|
|
59
|
+
- Admin actor and session ledger: staff identity, authentication method, MFA or passkey status, session lifetime, reauthentication points, device or network constraints, support account status, and revocation behavior.
|
|
60
|
+
- Permission ledger: role, capability, scope, tenant, resource, field, condition, explicit deny, policy version, assignment path, approval path, and why the operator may perform the action now.
|
|
61
|
+
- Resource and field ledger: object type, tenant, owner, lifecycle state, sensitive fields, masked fields, read-only fields, mutable fields, derived fields, and privileged field update policy.
|
|
62
|
+
- Dangerous action ledger: action type, impact, target count, preview, confirmation, reauthentication, approval, idempotency key, queued job, cancel or stop behavior, rollback or compensation path, and final server-side recomputation.
|
|
63
|
+
- Audit and change-history ledger: actor, subject, target, action, reason, ticket, before and after values, redaction, denied attempts, read/export events, retention, immutability, correlation id, and reviewer or SIEM handoff when relevant.
|
|
64
|
+
- Impersonation ledger: who acts, who is viewed or acted as, purpose, ticket or reason, TTL, visible banner, prohibited actions, notification policy, exit path, and separate actor plus subject logging.
|
|
65
|
+
- Search, filter, export, import, and bulk ledger: query dimensions, tenant constraints, row limits, pagination, PII masking, field allowlist, file lifetime, watermarking, download audit, dry run, per-item authorization, and partial-failure policy.
|
|
66
|
+
- Existing tests, role matrix, admin docs, runbooks, support procedures, incident expectations, and configured command intents.
|
|
67
|
+
|
|
68
|
+
<!-- mustflow-section: preconditions -->
|
|
69
|
+
## Preconditions
|
|
70
|
+
|
|
71
|
+
- Treat admin access as an elevated security boundary, not a feature flag or hidden route.
|
|
72
|
+
- Treat UI hiding, disabled buttons, menu filtering, and route redirects as operator UX only. Server, service, policy, or database checks must own permission.
|
|
73
|
+
- Treat one `is_admin` flag as insufficient unless the product truly has one global superuser role and has accepted the audit and blast-radius risk.
|
|
74
|
+
- Identify whether the surface is production, staging, preview, local, or sandbox. Production-like tools need visible environment identity and stronger action friction.
|
|
75
|
+
- Separate audit log from object change history before claiming traceability. Audit explains who did what and why; change history explains how the object changed over time.
|
|
76
|
+
- Do not let support tooling bypass tenant, field, export, payment, deletion, notification, or privacy policy merely because staff can see the UI.
|
|
77
|
+
|
|
78
|
+
<!-- mustflow-section: allowed-edits -->
|
|
79
|
+
## Allowed Edits
|
|
80
|
+
|
|
81
|
+
- Add or tighten admin permission checks, scoped role checks, server-side field allowlists, tenant-scoped lookups, step-up authentication, dangerous-action confirmations, approval gates, audit logs, change-history records, export controls, bulk-operation controls, tests, docs, and role matrices.
|
|
82
|
+
- Add explicit operator safety states such as dry-run, preview, pending approval, queued, running, partially failed, cancelled, completed, compensated, or blocked.
|
|
83
|
+
- Add masking, redaction, purpose capture, ticket capture, download expiry, and operational evidence fields when the changed admin surface justifies them.
|
|
84
|
+
- Keep edits scoped to the admin control plane and directly synchronized domain surfaces. Do not redesign the entire auth model or domain workflow under this skill alone.
|
|
85
|
+
|
|
86
|
+
<!-- mustflow-section: procedure -->
|
|
87
|
+
## Procedure
|
|
88
|
+
|
|
89
|
+
1. Classify the admin surface.
|
|
90
|
+
- Identify whether it is read-only support, customer support mutation, content moderation, billing, security, tenant management, feature/config operation, data repair, incident response, or emergency access.
|
|
91
|
+
- Name the operator persona, tenant scope, environment, target resource, and blast radius.
|
|
92
|
+
2. Write the control-plane question before editing.
|
|
93
|
+
- Ask whether this operator can do this action on this tenant, object, field, and environment right now, and whether the system can explain it after an incident.
|
|
94
|
+
3. Replace role labels with effective capability evidence.
|
|
95
|
+
- `admin`, `staff`, `support`, and `owner` are labels. The decision needs scoped capability, resource relationship, tenant boundary, explicit deny behavior, and policy version.
|
|
96
|
+
4. Enforce permissions at the trusted layer.
|
|
97
|
+
- Check server routes, service methods, jobs, database policies, queue workers, export generators, and storage signers.
|
|
98
|
+
- UI guards may make the console easier to use, but they do not authorize anything.
|
|
99
|
+
5. Separate admin role types.
|
|
100
|
+
- Global admin, tenant admin, billing admin, security admin, content moderator, support viewer, support mutator, impersonating operator, and break-glass operator are different roles.
|
|
101
|
+
- Role assignment, API-key issuance, MFA reset, session invalidation, ownership transfer, impersonation, export approval, and emergency access are privilege factories.
|
|
102
|
+
6. Review admin sessions.
|
|
103
|
+
- Require MFA or passkeys for elevated admin access when product risk justifies it.
|
|
104
|
+
- Use idle timeout, absolute timeout, session revocation, CSRF protection for browser admin tools, and step-up reauthentication for sensitive actions.
|
|
105
|
+
- Keep customer and staff identity planes separate unless the product intentionally models and audits the shared path.
|
|
106
|
+
7. Build an audit record for every meaningful operator action.
|
|
107
|
+
- Log actor, target, tenant, action, result, reason or ticket when useful, source IP or safe session id, request id, correlation id, before and after values when safe, and denial reason for rejected attempts.
|
|
108
|
+
- Audit reads of sensitive PII, exports, impersonation start and stop, role changes, approval decisions, failed dangerous confirmations, and bulk jobs.
|
|
109
|
+
- Do not log secrets, tokens, full payment data, raw private documents, or excessive PII just to make the audit feel complete.
|
|
110
|
+
8. Keep audit logs durable and tamper-resistant enough for the product risk.
|
|
111
|
+
- Append-only storage, restricted delete access, retention policy, clock source, hash chaining, WORM storage, SIEM export, or reviewer workflow may be needed for high-impact products.
|
|
112
|
+
- If the log can be edited by the same operator whose actions it records, report audit-integrity risk.
|
|
113
|
+
9. Keep object change history separate.
|
|
114
|
+
- Change history should show field-level before and after values, who or what changed them, effective time, source action, and restore or comparison behavior when useful.
|
|
115
|
+
- Redact or omit sensitive values. Prefer value hashes, labels, or structured diffs when full before/after snapshots would leak data.
|
|
116
|
+
10. Harden impersonation.
|
|
117
|
+
- Require explicit capability, reason or ticket, reauthentication, TTL, visible banner, easy exit, and actor plus subject logs.
|
|
118
|
+
- Prohibit or step-up high-risk actions during impersonation: password or MFA changes, payment method changes, role changes, exports, destructive actions, and irreversible account actions unless policy explicitly allows them.
|
|
119
|
+
- Consider user notification or post-action review for sensitive impersonation.
|
|
120
|
+
11. Add friction to dangerous actions.
|
|
121
|
+
- Show an impact preview, target identity, tenant, count, irreversible consequences, related resources, and recovery path before the action.
|
|
122
|
+
- Use typed confirmation, step-up authentication, approval, or delay for destructive or broad actions.
|
|
123
|
+
- Recompute target counts and permission server-side at execution time; do not trust the preview payload.
|
|
124
|
+
12. Treat bulk operations as jobs, not giant button clicks.
|
|
125
|
+
- Require dry run, sample rows, target count, per-item authorization, idempotency, concurrency control, progress state, cancel behavior, partial-failure report, and audit trail.
|
|
126
|
+
- Define whether one denied item fails the whole job or produces per-item failures.
|
|
127
|
+
13. Govern exports.
|
|
128
|
+
- Use field allowlists, masking, row limits, async jobs for large exports, purpose or ticket capture, approval for sensitive data, file expiry, watermarking when useful, download audit, and tenant-scoped storage.
|
|
129
|
+
- Do not treat CSV generation as a harmless read. A local spreadsheet can become the real data breach.
|
|
130
|
+
14. Govern imports.
|
|
131
|
+
- Use preview, validation report, schema version, row limits, duplicate policy, dry run, idempotency key, rollback or compensation plan, and per-row error reporting.
|
|
132
|
+
- Never let import files mass-assign privileged fields such as role, tenant, owner, balance, entitlement, deletion state, or verified status without explicit policy.
|
|
133
|
+
15. Review admin search and filters.
|
|
134
|
+
- Enforce tenant and field scopes in the query, not only in rendered rows.
|
|
135
|
+
- Use cursor pagination or bounded result windows for scale, stable sorting, query limits, and PII masking.
|
|
136
|
+
- Audit sensitive lookups such as email, phone, account id, payment id, VIP user, security event, or cross-tenant search when product risk requires it.
|
|
137
|
+
16. Protect production from environment confusion.
|
|
138
|
+
- Display the environment, tenant, and target resource clearly.
|
|
139
|
+
- Require stronger confirmation for production than staging, block production-only dangerous actions from preview environments, and avoid shared cookies or staff sessions across environments when risk justifies it.
|
|
140
|
+
17. Review observability and incident reconstruction.
|
|
141
|
+
- Admin jobs need progress, result, failure reason, retry state, initiator, target count, affected item ids or safe references, and correlation ids.
|
|
142
|
+
- Security-relevant admin events should be alertable: role grant, break-glass access, export, mass deletion, impersonation, MFA reset, ownership transfer, and repeated denied attempts.
|
|
143
|
+
18. Align admin docs and role matrices.
|
|
144
|
+
- Update role matrices, support runbooks, approval policy, escalation notes, and user-facing support commitments when behavior changes.
|
|
145
|
+
19. Add hostile-path tests when the project has a usable test surface.
|
|
146
|
+
- Cover direct API calls with hidden buttons bypassed, wrong tenant, wrong admin scope, denied field update, role assignment by low privilege actor, impersonation prohibited action, export field masking, export expiry, audit event creation, bulk dry-run versus execution consistency, partial failures, reauthorization at execution time, and production guardrails where relevant.
|
|
147
|
+
20. Report every admin surface that remains only "trusted because staff will be careful" as a risk.
|
|
148
|
+
|
|
149
|
+
<!-- mustflow-section: postconditions -->
|
|
150
|
+
## Postconditions
|
|
151
|
+
|
|
152
|
+
- Admin actions are authorized at a trusted layer with scoped roles, resource relationships, tenant boundaries, and default-deny behavior.
|
|
153
|
+
- Audit logs and object change history are distinct, durable enough for the risk, and redacted where needed.
|
|
154
|
+
- Impersonation, dangerous actions, export, import, bulk operations, search, filters, production guardrails, admin sessions, and approval paths are checked or explicitly scoped out.
|
|
155
|
+
- Server-side recomputation, idempotency, job evidence, cancellation, partial-failure, and recovery or compensation are explicit for broad or irreversible actions.
|
|
156
|
+
- Tests, docs, role matrices, runbooks, and release notes are synchronized when the admin behavior is public, packaged, or operationally promised.
|
|
157
|
+
|
|
158
|
+
<!-- mustflow-section: verification -->
|
|
159
|
+
## Verification
|
|
160
|
+
|
|
161
|
+
Use configured oneshot command intents when available:
|
|
162
|
+
|
|
163
|
+
- `changes_status`
|
|
164
|
+
- `changes_diff_summary`
|
|
165
|
+
- `lint`
|
|
166
|
+
- `build`
|
|
167
|
+
- `test_related`
|
|
168
|
+
- `test`
|
|
169
|
+
- `test_audit`
|
|
170
|
+
- `docs_validate_fast`
|
|
171
|
+
- `test_release`
|
|
172
|
+
- `mustflow_check`
|
|
173
|
+
|
|
174
|
+
Prefer the narrowest configured tests that prove denial behavior, audit completeness, export masking or expiry, impersonation limits, bulk dry-run consistency, and dangerous-action server-side recomputation. Use release and docs checks when installed skills, templates, public docs, role matrices, or package metadata change.
|
|
175
|
+
|
|
176
|
+
<!-- mustflow-section: failure-handling -->
|
|
177
|
+
## Failure Handling
|
|
178
|
+
|
|
179
|
+
- If operator scope, tenant boundary, target resource, field policy, or decision source of truth is unclear, report the missing ledger instead of adding another broad admin condition.
|
|
180
|
+
- If audit evidence is missing, do not claim the action is traceable. Add the audit event or report the traceability gap.
|
|
181
|
+
- If the UI hides a dangerous action but the API still permits it, treat the control as incomplete.
|
|
182
|
+
- If a dangerous action cannot be rolled back, require stronger preview, approval, delay, or compensation evidence before treating the workflow as safe.
|
|
183
|
+
- If tests cannot be added in the current task, name the exact untested admin actor, tenant, action, field, export, impersonation, or bulk-job case.
|
|
184
|
+
- If sensitive data appears in logs, exports, fixtures, screenshots, or command output, stop repeating it and use `secret-exposure-response` or `security-privacy-review` as appropriate.
|
|
185
|
+
|
|
186
|
+
<!-- mustflow-section: output-format -->
|
|
187
|
+
## Output Format
|
|
188
|
+
|
|
189
|
+
- Admin control plane reviewed
|
|
190
|
+
- Operator persona, tenant, resource, action, field, and environment scope
|
|
191
|
+
- Effective permission, explicit deny, policy version, and trusted enforcement findings
|
|
192
|
+
- Admin session, MFA or step-up, CSRF, revocation, and environment guardrail findings
|
|
193
|
+
- Audit log versus change-history findings
|
|
194
|
+
- Impersonation, dangerous action, approval, export, import, bulk, search, and filter findings
|
|
195
|
+
- Job, idempotency, recomputation, cancellation, rollback, compensation, and incident evidence
|
|
196
|
+
- Tests or hostile cases covered
|
|
197
|
+
- Files changed
|
|
198
|
+
- Command intents run
|
|
199
|
+
- Skipped checks and reasons
|
|
200
|
+
- Remaining admin-control-plane risk
|
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.ai-product-readiness-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: ai-product-readiness-review
|
|
9
|
+
description: Apply this skill when an AI product feature, AI Gateway, model or provider integration, prompt/RAG/tool path, AI cache, fallback path, streaming path, evaluation gate, user-data flow, model registry, AI observability surface, or model portability plan is created, changed, reviewed, or reported and the risk is end-to-end product readiness rather than one narrow prompt, cost, latency, or agent concern.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.ai-product-readiness-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- prompt_cache_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# AI Product Readiness Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review AI features as product and operating systems, not as model calls. A production AI path should make the AI role modest, route every request through a controlled gateway, separate instructions from untrusted data, cap cost, isolate caches, evaluate regressions, expose fallback states, protect user data, stream safely, observe without raw-content leakage, and allow model replacement.
|
|
34
|
+
|
|
35
|
+
<!-- mustflow-section: use-when -->
|
|
36
|
+
## Use When
|
|
37
|
+
|
|
38
|
+
- A change adds, edits, reviews, or reports an AI feature, AI Gateway, LLM provider adapter, model router, prompt registry, RAG path, tool proposal flow, AI cache, fallback path, streaming path, eval gate, user-data flow, model registry, AI observability surface, AI incident runbook, or model migration plan.
|
|
39
|
+
- A task asks whether an AI feature is launch-ready, production-ready, safe to automate, cost-bounded, prompt-injection-resistant, privacy-safe, eval-ready, fallback-ready, cache-safe, streaming-safe, or provider/model-portable.
|
|
40
|
+
- The feature sends user input, documents, conversation history, files, images, retrieved content, tool observations, logs, or business records to a model.
|
|
41
|
+
- The AI can influence money, permissions, account state, external messages, deletion, workflow status, support outcomes, generated code, compliance claims, or customer-visible answers.
|
|
42
|
+
- Multiple narrower AI skills could apply and the first question is whether the product boundary itself is sound.
|
|
43
|
+
|
|
44
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
45
|
+
## Do Not Use When
|
|
46
|
+
|
|
47
|
+
- The whole task is one narrow prompt-contract, hallucination, token-cost, response-latency, agent-execution, agent-eval, UX, prompt-injection, privacy, cache, adapter, rate-limit, idempotency, or cloud-cost concern. Use the narrower skill directly.
|
|
48
|
+
- The task only changes ordinary non-AI code with no model, prompt, retrieval, tool, generated output, or AI telemetry path.
|
|
49
|
+
- The task only chooses between model vendors or current model versions. Use `source-freshness-check` or the provider-specific workflow before making stale-sensitive claims.
|
|
50
|
+
- The task only edits marketing copy that says a feature uses AI but does not change product behavior, documentation contract, or release claims.
|
|
51
|
+
|
|
52
|
+
<!-- mustflow-section: required-inputs -->
|
|
53
|
+
## Required Inputs
|
|
54
|
+
|
|
55
|
+
- Product role ledger: feature goal, user, AI role, human-review boundary, harm if wrong, non-AI fallback, and whether the AI drafts, suggests, classifies, searches, executes, or decides.
|
|
56
|
+
- Gateway ledger: request entrypoint, auth, quota, rate limit, request shaping, prompt version, model routing, redaction, cache, retry, fallback, logging, eval hooks, and kill switch.
|
|
57
|
+
- Authority and action ledger: system/developer instructions, user input, retrieved data, tool results, allowed tool proposals, server-side policy engine, side-effect execution, approval state, idempotency key, and audit trail.
|
|
58
|
+
- Data ledger: data classes, tenant and permission scope, uploaded files, RAG corpus, vector store, provider region or endpoint, retention, logs, analytics, crash reports, staff access, and deletion path.
|
|
59
|
+
- Cost and cache ledger: request volume, user/org/feature budget, input/output/reasoning token caps, retry caps, model tiers, provider prompt-cache boundary, app cache keys, TTL, invalidation, and cache redaction.
|
|
60
|
+
- Eval ledger: golden set, adversarial set, regression set, cost and latency set, privacy leak set, prompt injection set, refusal set, locale set, pass criteria, owner, and CI or release gate.
|
|
61
|
+
- Fallback and streaming ledger: provider failure, rate-limit failure, quality fallback, safety fallback, partial-output policy, cancellation, final validation, and recovery UX.
|
|
62
|
+
- Model portability ledger: model registry, provider adapters, capability map, prompt and schema versions, migration evals, rollout plan, rollback plan, and deprecation monitoring owner.
|
|
63
|
+
- Observability ledger: request ID, user or tenant hash, feature, prompt version, provider, model, tokens, cached tokens, latency breakdown, retrieval IDs, retries, fallback, refusal, validation failures, tool calls, user feedback, cost, and redaction.
|
|
64
|
+
|
|
65
|
+
<!-- mustflow-section: preconditions -->
|
|
66
|
+
## Preconditions
|
|
67
|
+
|
|
68
|
+
- The task matches the Use When conditions and does not match the exclusions.
|
|
69
|
+
- Current repository instructions, command contract, AI service code, prompt files, retrieval paths, provider adapters, telemetry, tests, and docs in scope have been inspected before editing.
|
|
70
|
+
- External AI-safety guidance, model documentation, vendor deprecation schedules, pricing, rate limits, retention promises, cache behavior, and legal requirements are stale-sensitive. Do not embed exact claims unless refreshed through an authorized source path.
|
|
71
|
+
- Command execution remains governed by `.mustflow/config/commands.toml`; this skill does not authorize raw model calls, vendor dashboard checks, network requests, eval harness runs, migrations, releases, or billing commands.
|
|
72
|
+
|
|
73
|
+
<!-- mustflow-section: allowed-edits -->
|
|
74
|
+
## Allowed Edits
|
|
75
|
+
|
|
76
|
+
- Add or refine AI Gateway boundaries, provider adapters, model registries, prompt registries, policy engines, tool proposal gates, quota guards, token budgets, cache keys, redaction, retry and fallback state machines, streaming validators, eval fixtures, observability fields, incident runbooks, tests, docs, route metadata, and directly synchronized templates.
|
|
77
|
+
- Add launch-readiness docs, risk ledgers, model migration notes, privacy-safe telemetry contracts, and release notes tied to implemented behavior.
|
|
78
|
+
- Route narrow subproblems to specialist skills instead of duplicating deep prompt, RAG, latency, cost, eval, agent-control, cache, privacy, or UX guidance inside this skill.
|
|
79
|
+
- Do not approve fully automated high-risk decisions without a server-side policy gate, human review path, audit trail, and rollback or appeal path.
|
|
80
|
+
- Do not let clients call model providers directly when product auth, quota, redaction, logging, eval, or policy enforcement must be controlled server-side.
|
|
81
|
+
- Do not log raw prompts, raw responses, retrieved documents, uploaded files, secrets, tokens, private identifiers, or personal data by default while adding AI observability.
|
|
82
|
+
- Do not treat streaming, a second provider, a stronger model, or a longer prompt as proof of safety, quality, privacy, or cost control.
|
|
83
|
+
|
|
84
|
+
<!-- mustflow-section: procedure -->
|
|
85
|
+
## Procedure
|
|
86
|
+
|
|
87
|
+
1. Classify the AI role. Prefer draft, suggestion, search, classification, extraction, summarization, or proposal roles. Flag automatic decisions about money, permissions, legal, medical, hiring, credit, account status, external sending, deletion, or production execution as high-risk and require human review or a non-AI decision owner.
|
|
88
|
+
2. Name the harm model. Write the failure case in product terms: wrong answer, leaked data, unauthorized action, cost spike, stale source, over-refusal, unsafe advice, duplicate side effect, unsupported citation, broken locale, or missing fallback.
|
|
89
|
+
3. Require an AI Gateway boundary. The client should call the product backend, and the gateway should own auth, quota, request shaping, prompt version, model routing, redaction, cache, retry, fallback, logging, eval hooks, and kill switches.
|
|
90
|
+
4. Separate model speech from product authority. Treat model output as a proposal or draft until server code validates schema, business rules, permission, ownership, rate limits, action risk, confirmation state, idempotency, and audit requirements.
|
|
91
|
+
5. Treat external text as data. Retrieved documents, webpages, emails, tickets, Slack messages, GitHub issues, uploads, logs, tool results, and RAG chunks must not become instructions. Use `external-prompt-injection-defense` when untrusted text can override scope, tools, secrets, or policy.
|
|
92
|
+
6. Check permission and tenant narrowing before retrieval or tool use. The model should receive only data the authenticated user may access. Vector search, document search, and tool calls must enforce tenant, workspace, object, field, and role boundaries outside the prompt.
|
|
93
|
+
7. Validate output before use. Use structured schemas, semantic validators, business-rule checks, HTML or Markdown sanitization, URL allowlists, path sandboxing, SQL parameterization, command allowlists, and refusal or failure envelopes where relevant.
|
|
94
|
+
8. Put cost controls at the product layer. Add user, tenant, org, and feature budgets; request input and output caps; retry caps; model tiering; queue or batch separation; dedupe; cancellation accounting; budget breach events; and an operator kill switch.
|
|
95
|
+
9. Design cache keys as security boundaries. Include tenant, permission scope, feature, prompt version, model, provider, source corpus version, locale, policy version, and TTL when they affect correctness. Never use raw personal data, secrets, tokens, uploaded-file bodies, or sensitive text as cache keys.
|
|
96
|
+
10. Separate cache layers. Review provider prompt-cache prefix stability, app response cache safety, retrieval-result cache invalidation, and RAG corpus versioning separately. Use `llm-token-cost-control-review` or `cache-integrity-review` when cache shape is the main risk.
|
|
97
|
+
11. Build evals before launch claims. Require golden, adversarial, regression, privacy leak, prompt injection, refusal, cost, latency, and locale cases appropriate to the feature. Treat manual spot checks as exploration, not readiness evidence.
|
|
98
|
+
12. Make fallback a product state machine. Distinguish provider outage, rate limit, quality failure, safety failure, validation failure, no evidence, and human-review fallback. Do not make fallback only "try another model".
|
|
99
|
+
13. Guard side effects against retry. Tool actions that send messages, charge or refund money, delete data, change permissions, update records, execute code, or call external APIs need idempotency keys, approval state, request IDs, resource IDs, policy checks, and audit logs.
|
|
100
|
+
14. Review streaming by risk. Low-risk text can stream if cancellation and partial-output policy are clear. High-risk answers, tool arguments, external actions, private data, generated code execution, and compliance-sensitive output should be validated before display or execution.
|
|
101
|
+
15. Protect data beyond provider training policy. Check redaction before model calls, retention in provider state, product DB, vector DB, logs, analytics, crash reports, eval traces, staff tools, exports, backups, and deletion workflows.
|
|
102
|
+
16. Make model portability explicit. Use a task-level model registry or router instead of scattering provider model names through code. Keep a capability map for structured output, tool use, streaming, caching, context limits, refusal behavior, token accounting, regions, and retention.
|
|
103
|
+
17. Plan model changes as migrations. Compare accuracy, hallucination, citation behavior, JSON validity, refusal rate, tool precision, latency, cost, prompt-injection robustness, locale quality, tone, and long-context behavior before rollout. Keep rollback possible.
|
|
104
|
+
18. Instrument without raw-content leakage. Log IDs, hashes, versions, counts, sizes, reason codes, validation status, retrieval IDs, token counts, cached-token counts, latency, retries, fallback, tool outcomes, user feedback, and cost. Store raw content only under explicit debug approval, masking, retention, and deletion policy.
|
|
105
|
+
19. Check UX expectation boundaries. The interface should show when AI is involved, what evidence was used, what was not seen, when manual approval is needed, how to report bad output, and how to recover. Use `llm-service-ux-review` when UI state is the main risk.
|
|
106
|
+
20. Route the sharp edges. Apply specialist skills for prompt contracts, hallucination/RAG grounding, token cost, latency, agent execution, agent evals, prompt injection, privacy, cache integrity, adapter boundaries, rate limits, idempotency, and cloud cost when one of those owns the remaining work.
|
|
107
|
+
21. Verify with the narrowest configured tests, fixture runs, docs validation, release checks, prompt-cache audit, and mustflow validation that cover the changed AI product surface.
|
|
108
|
+
|
|
109
|
+
<!-- mustflow-section: postconditions -->
|
|
110
|
+
## Postconditions
|
|
111
|
+
|
|
112
|
+
- The AI role, harm model, human-review boundary, and non-AI or degraded fallback are explicit.
|
|
113
|
+
- AI calls pass through a controlled gateway or the absence of a gateway is reported as residual risk.
|
|
114
|
+
- Prompt injection, output validation, tool side effects, tenant permissions, privacy, cost, cache, eval, fallback, streaming, observability, and model-portability surfaces are each accepted, fixed, or routed to a narrower skill.
|
|
115
|
+
- Launch or readiness claims are backed by implemented controls, tests, eval evidence, docs, or explicit remaining risks.
|
|
116
|
+
|
|
117
|
+
<!-- mustflow-section: verification -->
|
|
118
|
+
## Verification
|
|
119
|
+
|
|
120
|
+
Use configured oneshot command intents when available:
|
|
121
|
+
|
|
122
|
+
- `changes_status`
|
|
123
|
+
- `changes_diff_summary`
|
|
124
|
+
- `lint`
|
|
125
|
+
- `build`
|
|
126
|
+
- `test_related`
|
|
127
|
+
- `test`
|
|
128
|
+
- `prompt_cache_audit`
|
|
129
|
+
- `docs_validate_fast`
|
|
130
|
+
- `test_release`
|
|
131
|
+
- `mustflow_check`
|
|
132
|
+
|
|
133
|
+
Use the narrowest configured fixture, eval, schema, integration, docs, package, release, or mustflow check that proves the changed AI product-readiness contract. Do not infer raw provider, billing, eval, migration, or dashboard commands.
|
|
134
|
+
|
|
135
|
+
<!-- mustflow-section: failure-handling -->
|
|
136
|
+
## Failure Handling
|
|
137
|
+
|
|
138
|
+
- If the AI role or harm model is unknown, do not claim readiness. Record the missing product decision and keep automation conservative.
|
|
139
|
+
- If no gateway exists, report which controls are missing and avoid spreading partial controls across clients, prompts, and provider dashboards.
|
|
140
|
+
- If evals are missing, classify the change as static risk reduction or draft readiness rather than proven quality improvement.
|
|
141
|
+
- If cost, privacy, retention, or provider behavior depends on current vendor facts, route exact claims through `source-freshness-check` before embedding them in docs or release notes.
|
|
142
|
+
- If fallback can duplicate side effects, stop and route through `idempotency-integrity-review` before retry or provider-fallback changes.
|
|
143
|
+
- If streaming reveals unvalidated private, unsafe, or irreversible content, switch to buffered validation or report the missing safe state.
|
|
144
|
+
- If model portability conflicts with a provider-specific capability, keep the capability map explicit instead of hiding differences behind a leaky abstraction.
|
|
145
|
+
|
|
146
|
+
<!-- mustflow-section: output-format -->
|
|
147
|
+
## Output Format
|
|
148
|
+
|
|
149
|
+
- AI product surface reviewed
|
|
150
|
+
- AI role, harm model, human-review boundary, and fallback state
|
|
151
|
+
- AI Gateway, provider adapter, policy engine, tool execution, and kill-switch status
|
|
152
|
+
- Prompt injection, data protection, output validation, tenant permission, and side-effect boundaries checked
|
|
153
|
+
- Cost budget, cache key, eval gate, streaming, observability, and model portability checked
|
|
154
|
+
- Specialist skills applied or intentionally deferred
|
|
155
|
+
- Files changed
|
|
156
|
+
- Command intents run
|
|
157
|
+
- Skipped checks and reasons
|
|
158
|
+
- Remaining AI product-readiness risk
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.auth-permission-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: auth-permission-change
|
|
9
|
-
description: Apply this skill when authentication, authorization, permissions, roles,
|
|
9
|
+
description: Apply this skill when authentication, authorization, permissions, roles, RBAC or ABAC policy decisions, tenants, organization or team memberships, sessions, cookies, JWTs, refresh tokens, OAuth or OIDC, passkeys, MFA, account recovery, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, private cache behavior, or account-takeover response paths are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -36,7 +36,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
36
36
|
<!-- mustflow-section: use-when -->
|
|
37
37
|
## Use When
|
|
38
38
|
|
|
39
|
-
- Authentication, authorization, role, permission, capability, policy, tenant, workspace, organization, session, JWT, OAuth, OIDC, API key, invite, reset token, route guard, admin, impersonation, audit, or database policy behavior changes.
|
|
39
|
+
- Authentication, authorization, role, permission, capability, RBAC, ABAC, policy, tenant, workspace, organization, team, session, cookie, JWT, refresh token, OAuth, OIDC, passkey, MFA, API key, invite, reset token, email change, account recovery, route guard, admin, impersonation, audit, or database policy behavior changes.
|
|
40
40
|
- A route, resolver, controller, service, command handler, job, webhook, API client, generated SDK, UI guard, or database query starts relying on user, tenant, role, ownership, membership, or resource identity.
|
|
41
41
|
- A change affects object-level access control, multi-tenant isolation, shared resources, signed URLs, exports, search, autocomplete, background jobs, webhooks, or admin/support tooling.
|
|
42
42
|
- A change affects credentialed EventSource/SSE streams, WebTransport sessions, WebSocket fallback, signed delivery URLs, private file delivery, CDN/proxy cache keys, CORS credentials, cookies, or auth tokens embedded in delivery URLs.
|
|
@@ -53,21 +53,29 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
53
53
|
<!-- mustflow-section: required-inputs -->
|
|
54
54
|
## Required Inputs
|
|
55
55
|
|
|
56
|
-
- Changed files, user goal, affected actors, protected resources, actions, tenants, roles, and status-code expectations.
|
|
56
|
+
- Changed files, user goal, affected actors, protected resources, actions, tenants, organizations, teams, roles, and status-code expectations.
|
|
57
57
|
- Permission decision tuple for each changed protected action: subject, action, object, tenant or
|
|
58
58
|
organization, relationship path, request environment, policy version, data revision, token issue
|
|
59
59
|
time, and final allow or deny reason.
|
|
60
60
|
- Effective-permission evidence, not only role names: computed capabilities, inherited
|
|
61
61
|
relationships, explicit denies, wildcard policies, policy-combination rules, and default-deny
|
|
62
62
|
behavior.
|
|
63
|
-
-
|
|
63
|
+
- Attribute and relationship evidence for ABAC or relationship-based policy: attribute source of
|
|
64
|
+
truth, freshness, trust boundary, failure behavior, policy version, and explainable deny reason.
|
|
65
|
+
- Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier,
|
|
66
|
+
refresh-token store, OAuth/OIDC callback, MFA or passkey verifier, API key verifier, and logout
|
|
67
|
+
or revocation code when relevant.
|
|
64
68
|
- Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
|
|
65
|
-
- Tenant, organization, workspace, project, membership, invite, suspension, ownership,
|
|
69
|
+
- Tenant, organization, workspace, project, team, membership, invite, suspension, ownership,
|
|
70
|
+
last-owner, sharing, account-recovery, and admin-support data models.
|
|
66
71
|
- Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
|
|
67
72
|
- Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
|
|
68
73
|
- Revocation and cache evidence: token claim freshness, session lifetime, permission-cache key and
|
|
69
74
|
TTL, policy replication delay, search-index or export lag, stale queue payloads, and rollback or
|
|
70
75
|
shadow-evaluation behavior when policy changes.
|
|
76
|
+
- Account-takeover and recovery evidence: login throttling, credential-stuffing controls, password
|
|
77
|
+
reset, magic-link, MFA reset, email change, trusted-device, session-kill, notification, and
|
|
78
|
+
high-risk-action hold behavior.
|
|
71
79
|
- Configured verification intents.
|
|
72
80
|
|
|
73
81
|
<!-- mustflow-section: preconditions -->
|
|
@@ -76,6 +84,9 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
76
84
|
- Classify the change as authentication, authorization, or both before editing.
|
|
77
85
|
- Identify principal, tenant, resource, action, and context for each protected operation.
|
|
78
86
|
- Treat client-provided `userId`, `tenantId`, `workspaceId`, `role`, `isAdmin`, object id, API key label, token claim, and local storage value as untrusted.
|
|
87
|
+
- For browser web apps, identify whether auth state is server-held, BFF-mediated, or token-held by
|
|
88
|
+
browser code. Treat local storage, session storage, URL tokens, and JavaScript-readable long-lived
|
|
89
|
+
tokens as exposure risks, not neutral implementation details.
|
|
79
90
|
- Find the current policy source of truth. If authorization is scattered across routes, do not add another scattered condition without first considering a central policy function.
|
|
80
91
|
- Know whether the product intentionally hides resource existence with 404 or exposes permission denial with 403.
|
|
81
92
|
- If SSE, WebTransport, WebSocket fallback, signed URL, CORS, cookie, CDN cache, proxy cache, or streaming delivery behavior changes, use `http-delivery-streaming` for the transport contract while this skill checks access control.
|
|
@@ -92,12 +103,16 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
92
103
|
## Procedure
|
|
93
104
|
|
|
94
105
|
1. Classify the boundary:
|
|
95
|
-
- authentication: verifies a principal from a session,
|
|
106
|
+
- authentication: verifies a principal from a session, cookie, JWT, refresh token, OAuth/OIDC
|
|
107
|
+
account, passkey, MFA event, API key, service account, reset token, magic link, or anonymous
|
|
108
|
+
state;
|
|
96
109
|
- authorization: decides whether that principal can perform an action on a resource within a tenant and context.
|
|
97
110
|
2. Read the mandatory surfaces that apply:
|
|
98
|
-
- auth middleware, hooks, gateway, session store, cookies, JWT, OAuth/OIDC,
|
|
111
|
+
- auth middleware, hooks, gateway, session store, cookies, JWT, refresh tokens, OAuth/OIDC,
|
|
112
|
+
passkeys, MFA, API key verification, logout, revocation, and token rotation;
|
|
99
113
|
- route guards, client redirects, server controllers, resolvers, services, command handlers, policy calls, and admin tools;
|
|
100
|
-
- tenant resolver, membership schema, role assignment, invite flow, suspension, ownership,
|
|
114
|
+
- tenant resolver, membership schema, role assignment, invite flow, suspension, ownership,
|
|
115
|
+
last-owner, sharing, account-recovery, and impersonation model;
|
|
101
116
|
- database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
|
|
102
117
|
- background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
|
|
103
118
|
3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
|
|
@@ -118,41 +133,75 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
118
133
|
9. Define policy-combination semantics. Check whether multiple policies combine by union,
|
|
119
134
|
intersection, priority, explicit deny, boundary policy, or tenant override; write tests for
|
|
120
135
|
allow-plus-deny and no-match cases.
|
|
121
|
-
10.
|
|
122
|
-
|
|
136
|
+
10. Check ABAC and relationship-policy inputs.
|
|
137
|
+
- Subject attributes, object attributes, device posture, employment status, department,
|
|
138
|
+
resource classification, IP or region, and time windows are only useful when their source of
|
|
139
|
+
truth, freshness, tamper resistance, and unknown-value behavior are explicit.
|
|
140
|
+
- Attribute fetch failure, policy-store timeout, stale policy bundle, or missing relationship
|
|
141
|
+
data should deny or degrade to a documented low-risk mode, not silently allow.
|
|
142
|
+
11. Validate every request. Do not rely on login-time checks, client guards, disabled buttons, hidden menus, generated types, OpenAPI docs, or mobile local checks.
|
|
143
|
+
12. Load resources safely before final authorization:
|
|
123
144
|
- include tenant, membership, owner, sharing, and soft-delete constraints in the resource lookup when possible;
|
|
124
145
|
- when existence must be hidden, keep wrong-tenant and missing-resource behavior consistent with the project's 404 policy.
|
|
125
|
-
|
|
146
|
+
13. Check multi-tenant and organization/team risks:
|
|
126
147
|
- body, query, header, path, JWT claim, or local storage tenant ids must not become trusted tenant context;
|
|
127
148
|
- tenant-scoped queries must include tenant or membership constraints;
|
|
128
149
|
- pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
|
|
150
|
+
- user-level roles must not stand in for organization, team, project, billing, security, or
|
|
151
|
+
support scope;
|
|
152
|
+
- invitations need target email, target organization, target role, single-use, expiration, and
|
|
153
|
+
accepter-identity binding;
|
|
154
|
+
- owner transfer, owner removal, organization deletion, and account deletion must preserve a
|
|
155
|
+
last-owner or break-glass policy with audit and time bounds.
|
|
129
156
|
- shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
|
|
130
157
|
- event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
|
|
131
|
-
|
|
132
|
-
|
|
158
|
+
14. Check session, browser-token, JWT, refresh-token, OAuth/OIDC, MFA, recovery, and API-key
|
|
159
|
+
contracts when touched:
|
|
160
|
+
- browser web apps should prefer server sessions or BFF-mediated tokens with `HttpOnly`,
|
|
161
|
+
`Secure`, appropriately scoped `SameSite`, and preferably host-only cookies; broad domain
|
|
162
|
+
cookies and JavaScript-readable long-lived tokens need an explicit risk decision.
|
|
163
|
+
- sessions need idle expiry, absolute expiry, renewal, session-id rotation, logout, all-device
|
|
164
|
+
revocation, server-side invalidation, cookie flags, and CSRF posture;
|
|
165
|
+
- refresh tokens need hash storage, family or device binding, rotation, reuse detection,
|
|
166
|
+
single-flight or short grace handling for multi-tab and retry races, and revocation triggers;
|
|
133
167
|
- JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
|
|
134
168
|
- OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
|
|
169
|
+
- password reset, magic-link, email change, and account recovery tokens need purpose binding,
|
|
170
|
+
single use, short expiry, safe storage, enumeration-safe responses, and post-success session
|
|
171
|
+
invalidation;
|
|
172
|
+
- MFA and passkey flows need step-up policy, recovery-code storage, reset policy, phishing
|
|
173
|
+
resistance expectations, trusted-device boundaries, and failure notifications;
|
|
135
174
|
- API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
|
|
136
|
-
|
|
175
|
+
15. Check permission creators more strictly than ordinary permissions.
|
|
137
176
|
- Role creation, role assignment, invitation, service-account issuance, API-key creation,
|
|
138
|
-
impersonation, support access,
|
|
177
|
+
impersonation, support access, MFA reset, account recovery, email change, ownership transfer,
|
|
178
|
+
and token minting are privilege factories.
|
|
139
179
|
- A low-privilege actor that can attach a high privilege to itself collapses the whole model.
|
|
140
|
-
|
|
180
|
+
16. Check revocation time.
|
|
141
181
|
- Demotion, removal, suspension, role deletion, membership expiry, subscription cancellation,
|
|
142
|
-
|
|
143
|
-
|
|
182
|
+
ownership transfer, password change, MFA change, email change, account recovery, refresh-token
|
|
183
|
+
reuse, suspected account takeover, and support access expiry should say how long old sessions,
|
|
184
|
+
refresh tokens, JWT claims, caches, search indexes, queued jobs, signed URLs, and replicas can
|
|
185
|
+
keep authorizing the old state.
|
|
144
186
|
- Sensitive actions need server-side recheck, short-lived tokens, revocation lists, or policy
|
|
145
187
|
version gates when stale tokens would be harmful.
|
|
146
|
-
|
|
188
|
+
17. Check account-takeover response paths.
|
|
189
|
+
- Login, signup, password reset, magic link, OTP, MFA, invite acceptance, email verification,
|
|
190
|
+
API-key creation, and support impersonation need rate limits, account/IP/device dimensions,
|
|
191
|
+
enumeration-safe responses, audit events, and notification policy.
|
|
192
|
+
- High-risk sequences such as new-device login followed by MFA reset, email change, API-key
|
|
193
|
+
creation, organization invite, export, billing change, or ownership transfer should trigger
|
|
194
|
+
step-up, hold, read-only quarantine, or session revocation according to product risk.
|
|
195
|
+
18. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
|
|
147
196
|
- For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
|
|
148
|
-
|
|
149
|
-
|
|
197
|
+
19. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong team, wrong owner, suspended or removed member, stale token, refresh-token reuse, stale cache, unknown role, unknown action, wildcard policy, explicit deny, shared-link, read-only API key, org admin, team admin, billing admin, global admin, support user, and impersonating admin cases as applicable.
|
|
198
|
+
20. When changing policies, consider shadow evaluation.
|
|
150
199
|
- Compute old and new decisions side by side for representative requests before flipping broad
|
|
151
200
|
policy changes when the product has the infrastructure to do so.
|
|
152
201
|
- Log policy version and data revision for both decisions without exposing secrets or sensitive
|
|
153
202
|
object contents.
|
|
154
|
-
|
|
155
|
-
|
|
203
|
+
21. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
|
|
204
|
+
22. Report the policy source of truth, effective-permission evidence, decision explanation, server/database enforcement, client UX-only guards, revocation window, account-takeover response, test coverage, skipped checks, and remaining permission risk.
|
|
156
205
|
|
|
157
206
|
## Boundary Rules
|
|
158
207
|
|
|
@@ -161,8 +210,15 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
161
210
|
- Database RLS, tenant-scoped queries, views, and stored procedures are defense-in-depth and may be the strongest final boundary, but they do not excuse unclear application policy.
|
|
162
211
|
- Background jobs, webhooks, imports, exports, and cron paths need actor or service-principal context. User-request paths are not the only permission paths.
|
|
163
212
|
- Admin is scoped. Global admin, org admin, project admin, billing admin, support, and impersonating admin are different roles and need different audit and action rules.
|
|
213
|
+
- Organization and team membership are authorization relationships, not user attributes. A user can
|
|
214
|
+
be owner in one organization, viewer in another, removed from a team, and still retain a direct
|
|
215
|
+
resource grant unless the policy says otherwise.
|
|
164
216
|
- Owner is not a wildcard permission. Owners may still lack delete, export, invite, transfer, billing, or admin powers.
|
|
165
217
|
- API keys are principals with scopes and owners, not user sessions with unlimited power.
|
|
218
|
+
- ABAC inputs are security dependencies. Unknown, stale, or client-controlled attributes should not
|
|
219
|
+
become allow decisions.
|
|
220
|
+
- Account recovery, MFA reset, email change, and invite acceptance are login-equivalent or
|
|
221
|
+
privilege-factory flows.
|
|
166
222
|
- Wildcard permissions are future permissions. Adding a new action under an old wildcard should be
|
|
167
223
|
treated as a permission expansion and reviewed accordingly.
|
|
168
224
|
- Unknown roles, unknown actions, malformed identifiers, and missing relationship data deny by
|
|
@@ -177,8 +233,15 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
177
233
|
- Treating membership row existence as active membership without checking status.
|
|
178
234
|
- Treating OAuth provider scopes as internal app permissions.
|
|
179
235
|
- Treating JWT role claims as fresh authorization after role changes.
|
|
236
|
+
- Storing long-lived browser auth tokens in local storage or URLs without an explicit browser-threat
|
|
237
|
+
model and revocation plan.
|
|
238
|
+
- Treating refresh tokens as harmless because access tokens are short-lived.
|
|
239
|
+
- Accepting OAuth account links by email alone instead of provider issuer and subject plus
|
|
240
|
+
reauthentication.
|
|
180
241
|
- Treating API keys as normal user sessions.
|
|
181
242
|
- Mixing org admin, global admin, support admin, and impersonation into one `admin` check.
|
|
243
|
+
- Treating team membership, invitation, account recovery, or last-owner handling as UI workflow
|
|
244
|
+
only.
|
|
182
245
|
- Changing 403 to 404, or 404 to 403, without naming the information-disclosure policy.
|
|
183
246
|
- Relaxing permissions without denial-case tests or a written migration and audit plan.
|
|
184
247
|
- Letting role changes ship without permission-cache or token-staleness handling.
|
|
@@ -195,11 +258,11 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
195
258
|
|
|
196
259
|
- Authentication and authorization are separated in code and report language.
|
|
197
260
|
- Every changed protected action has a server-side or database-side permission boundary.
|
|
198
|
-
- Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
|
|
261
|
+
- Tenant isolation, organization or team membership, resource ownership, sharing, admin scope, and status-code behavior are explicit.
|
|
199
262
|
- Effective permissions, policy-combination rules, decision explanation, policy version, data
|
|
200
263
|
revision, and revocation window are explicit when relevant.
|
|
201
264
|
- Client guards are described as UX only.
|
|
202
|
-
- Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
|
|
265
|
+
- Session, cookie, browser-token, refresh-token, OAuth/OIDC, MFA, passkey, recovery, API key, cache, audit, docs, migration, and tests are synchronized when touched.
|
|
203
266
|
- Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
|
|
204
267
|
|
|
205
268
|
<!-- mustflow-section: verification -->
|
|
@@ -217,7 +280,7 @@ Use configured oneshot command intents when available:
|
|
|
217
280
|
- `test_release`
|
|
218
281
|
- `mustflow_check`
|
|
219
282
|
|
|
220
|
-
Prefer the narrowest configured test intent that covers the changed protected actions and denial cases. Report missing auth-specific policy tests, tenant-isolation tests, token/session tests, API-key tests, cache-staleness tests, audit-log checks, docs validation, or database-policy verification when relevant.
|
|
283
|
+
Prefer the narrowest configured test intent that covers the changed protected actions and denial cases. Report missing auth-specific policy tests, tenant-isolation tests, organization/team permission tests, token/session/refresh-token tests, account-recovery tests, API-key tests, cache-staleness tests, audit-log checks, docs validation, or database-policy verification when relevant.
|
|
221
284
|
|
|
222
285
|
<!-- mustflow-section: failure-handling -->
|
|
223
286
|
## Failure Handling
|
|
@@ -238,7 +301,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
|
|
|
238
301
|
- Effective permission, policy version, data revision, decision explanation, and revocation window
|
|
239
302
|
- Server/database enforcement notes
|
|
240
303
|
- Client guard UX-only notes
|
|
241
|
-
- Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
|
|
304
|
+
- Tenant, organization/team, ownership, sharing, admin, token/session/refresh-token/MFA/API-key, account-recovery, cache, and audit notes
|
|
242
305
|
- Event stream, WebTransport, WebSocket fallback, signed URL, CORS, cookie, and CDN/proxy cache notes when relevant
|
|
243
306
|
- Tests or denial cases covered
|
|
244
307
|
- Files changed
|