mustflow 2.107.9 → 2.108.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/templates/default/i18n.toml +44 -8
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +40 -5
- package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
- package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
- package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
- package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
- package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
- package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
- package/templates/default/manifest.toml +43 -1
package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md
CHANGED
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.deployment-rollout-safety-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: deployment-rollout-safety-review
|
|
9
|
-
description: Apply this skill when server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless,
|
|
9
|
+
description: Apply this skill when CI/CD pipeline gates, required checks, preview deploys, migration checks, server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless, IaC, config, secret handling, feature-flag, cache, canary, rollback, release envelope, image digest, deployment history, traffic rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior is created, changed, reviewed, or reported and the risk is whether a deployment can be rolled out, stopped, observed, or rolled back safely.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -29,13 +29,15 @@ metadata:
|
|
|
29
29
|
<!-- mustflow-section: purpose -->
|
|
30
30
|
## Purpose
|
|
31
31
|
|
|
32
|
-
Review a server deployment as a runtime state transition, not as "the build passed"
|
|
32
|
+
Review a server deployment as a runtime state transition, not as "the build passed" or
|
|
33
|
+
"CI is green".
|
|
33
34
|
|
|
34
35
|
Deployment failures usually come from changed ordering, config, data, cache, queues, rollback shape,
|
|
35
|
-
permissions,
|
|
36
|
-
release surviving today's data, config, cache,
|
|
37
|
-
|
|
38
|
-
|
|
36
|
+
permissions, secrets, infrastructure policy, human approvals, and observability. Rollback is not
|
|
37
|
+
just restarting an older container. It is the older release surviving today's data, config, cache,
|
|
38
|
+
queue messages, external side effects, secret versions, and traffic state. This skill makes the
|
|
39
|
+
agent prove that a wrong deploy has small blast radius, is detected quickly, can be stopped quickly,
|
|
40
|
+
and can be rolled back or safely rolled forward without inventing a recovery plan during the
|
|
39
41
|
incident.
|
|
40
42
|
|
|
41
43
|
<!-- mustflow-section: use-when -->
|
|
@@ -43,10 +45,12 @@ incident.
|
|
|
43
45
|
|
|
44
46
|
- A change touches server deployment, backend runtime behavior, workers, schedulers, cron, queue
|
|
45
47
|
consumers, containers, VMs, serverless functions, Kubernetes manifests, process managers,
|
|
46
|
-
deployment pipelines, release gates, canaries, release
|
|
48
|
+
CI/CD workflows, preview environments, deployment pipelines, release gates, canaries, release
|
|
49
|
+
envelopes, or rollback procedures.
|
|
47
50
|
- A change touches DB migration order, config or env vars, feature flags, cache keys, queue or topic
|
|
48
51
|
message formats, external API dependencies, storage paths, startup probes, readiness probes,
|
|
49
|
-
liveness probes, graceful shutdown, worker drain, deployment locks,
|
|
52
|
+
liveness probes, graceful shutdown, worker drain, deployment locks, secret scope, IaC policy, or
|
|
53
|
+
post-deploy smoke checks.
|
|
50
54
|
- A review needs to decide whether code, config, database, cache, queue, and scheduler changes can
|
|
51
55
|
coexist across old and new versions while traffic is still moving.
|
|
52
56
|
|
|
@@ -77,11 +81,26 @@ incident.
|
|
|
77
81
|
- Deployment model: environment order, artifact promotion path, rolling/blue-green/canary strategy,
|
|
78
82
|
traffic rollback path, old-version retention, deployment history retention, deployment
|
|
79
83
|
concurrency, and deployment lock owner.
|
|
84
|
+
- Pipeline gate model: required status checks, branch protection or merge gate, reviewer or
|
|
85
|
+
CODEOWNER gate, fast-fail ordering, clean CI environment, test data setup, flaky-test quarantine
|
|
86
|
+
owner, artifact retention, and security scan coverage.
|
|
87
|
+
- Preview model: preview URL, isolated namespace or schema, ephemeral database or seeded data,
|
|
88
|
+
teardown policy, cost guardrail, deployment protection, and proof that production secrets and
|
|
89
|
+
production PII are not exposed.
|
|
90
|
+
- Migration check model: dry-run or shadow database evidence, destructive-change detection,
|
|
91
|
+
lock or table-rewrite risk, online DDL assumptions, backfill separation, N-1 app compatibility,
|
|
92
|
+
and rollback or roll-forward boundary.
|
|
93
|
+
- Secret and approval model: environment-scoped secrets, production approval gate, OIDC or
|
|
94
|
+
short-lived credential path, log masking, rotation or revocation path, external secret store or
|
|
95
|
+
encryption-at-rest boundary, and least-privilege deploy job permissions.
|
|
80
96
|
- Compatibility model: old code with old data, old code with new data, new code with old data, new
|
|
81
97
|
code with new data, N-1 message compatibility, cache key version, and rollback survivability.
|
|
82
98
|
- Runtime control model: startup/liveness/readiness probes, graceful shutdown behavior, load
|
|
83
99
|
balancer connection draining, worker drain, cron duplicate guard, kill switch, safe flag defaults,
|
|
84
100
|
automatic stop conditions, synthetic transactions, and post-deploy observation window.
|
|
101
|
+
- Infrastructure and observability model: rendered manifests or plan output, policy checks, image
|
|
102
|
+
digest pinning, resource requests and limits, probe presence, privileged or hostPath use,
|
|
103
|
+
plaintext-secret checks, release-labeled logs, metrics, traces, alerts, and dashboard slices.
|
|
85
104
|
|
|
86
105
|
<!-- mustflow-section: preconditions -->
|
|
87
106
|
## Preconditions
|
|
@@ -99,6 +118,9 @@ incident.
|
|
|
99
118
|
- Add or update deploy runbooks, release checklists, pipeline metadata, smoke tests, probe tests,
|
|
100
119
|
config validation, feature-flag defaults, rollback notes, canary gates, and deployment safety
|
|
101
120
|
tests when they match the repository style.
|
|
121
|
+
- Add or update preview-deploy guardrails, migration preflight notes, manifest or IaC validation
|
|
122
|
+
fixtures, secret-scope checks, required-check documentation, and release evidence templates when
|
|
123
|
+
they are already within the task scope.
|
|
102
124
|
- Add local code guards for startup config validation, readiness separation, shutdown handling,
|
|
103
125
|
worker drain, cache-key versioning, and deployment attribution when the task scope includes the
|
|
104
126
|
affected runtime code.
|
|
@@ -115,131 +137,171 @@ incident.
|
|
|
115
137
|
external APIs, permissions, config, and feature flags. If the ledger is unknown, report that the
|
|
116
138
|
deployment blast radius is unknown instead of guessing.
|
|
117
139
|
|
|
118
|
-
2.
|
|
140
|
+
2. Check the merge and CI gate before the deploy gate.
|
|
141
|
+
Required status checks, protected branches, review or CODEOWNER gates, and stale-review handling
|
|
142
|
+
should stop unreviewed or partially verified production changes. Order checks so cheap failures
|
|
143
|
+
happen before slow checks: format, lint, typecheck, unit tests, build, security scans,
|
|
144
|
+
integration or contract tests, then focused end-to-end smoke. Require a clean reproducible CI
|
|
145
|
+
environment, explicit test database setup, seeded data, dependency and container scan coverage,
|
|
146
|
+
IaC or configuration scans when those files changed, secret scanning, and a named owner or SLA for
|
|
147
|
+
flaky-test quarantine. A flaky test silently bypassed by the merge gate is a deployment-safety
|
|
148
|
+
risk, not a testing nuisance.
|
|
149
|
+
|
|
150
|
+
3. Build the release envelope.
|
|
119
151
|
Rollback needs more than an image tag. Bind image digest, chart or manifest revision, values
|
|
120
152
|
file hash, ConfigMap name or version, Secret version, migration range, feature flag snapshot,
|
|
121
153
|
ingress or router weight, deployer, and deployment time under one `release_id` when the platform
|
|
122
154
|
exposes those facts. If only a mutable tag such as `latest` identifies production, report that
|
|
123
155
|
rollback identity is not reproducible.
|
|
124
156
|
|
|
125
|
-
|
|
157
|
+
4. Make preview deployment a rehearsal, not just a link.
|
|
158
|
+
Preview deploys should use an isolated namespace, schema, or ephemeral database with explicit
|
|
159
|
+
seed data and teardown. Do not allow production secrets, production OAuth callbacks, production
|
|
160
|
+
webhooks, or production PII in preview. Name deployment protection, access control, teardown
|
|
161
|
+
failure alerts, and cost cleanup. Run or identify the preview checks that matter for the changed
|
|
162
|
+
flow: smoke, selected E2E, API compatibility, accessibility, visual regression, and thin DAST or
|
|
163
|
+
security probes where the repository owns them.
|
|
164
|
+
|
|
165
|
+
5. Separate artifact promotion from environment rebuilds.
|
|
126
166
|
Verify whether staging and production receive the same artifact identity. Prefer promoting one
|
|
127
|
-
built artifact over rebuilding per environment. If per-environment rebuild is
|
|
128
|
-
the drift risk and require commit SHA, dependency lock,
|
|
129
|
-
|
|
167
|
+
built immutable artifact over rebuilding per environment. If per-environment rebuild is
|
|
168
|
+
unavoidable, name the drift risk and require commit SHA, dependency lock, build run, SBOM or
|
|
169
|
+
package inventory when available, image digest, and build input evidence. Treat image tags as
|
|
170
|
+
human labels and image digests as the rollback proof.
|
|
130
171
|
|
|
131
|
-
|
|
172
|
+
6. Preserve rollback history and warm capacity.
|
|
132
173
|
For platform-managed rollbacks, check whether old revisions, ReplicaSets, Helm release history,
|
|
133
174
|
blue/green environments, or rollout controller history are retained long enough to be useful.
|
|
134
175
|
Do not treat a rollback path as safe if the old version is immediately scaled to zero, cold, or
|
|
135
176
|
deleted. Prefer traffic rollback to an already-warm old version before rebuilding or pulling a
|
|
136
177
|
replacement during an incident.
|
|
137
178
|
|
|
138
|
-
|
|
179
|
+
7. Split deploy order from migration order.
|
|
139
180
|
For DB changes, check expand/migrate/read-write/switch/contract sequencing. New code must tolerate
|
|
140
181
|
old data, old code must tolerate expanded schema or new data, and contraction must wait until old
|
|
141
182
|
code is impossible. Check migration lock timeout, batch size, retryability, partial progress
|
|
142
183
|
markers, rollback preview evidence, point-in-time recovery practice, database config backup, and
|
|
143
|
-
rollback limits.
|
|
184
|
+
rollback limits. Require dry-run or shadow database evidence when the repository has a migration
|
|
185
|
+
surface. Treat destructive rollback SQL as a data-loss risk, not a recovery guarantee.
|
|
144
186
|
|
|
145
|
-
|
|
187
|
+
8. Treat config and IaC changes as code changes.
|
|
146
188
|
Diff config and environment variables. Require startup validation for missing, misspelled, empty,
|
|
147
189
|
malformed, or incompatible values. A service should fail fast before accepting traffic when a
|
|
148
190
|
required setting is unsafe. Prefer versioned or immutable config names over in-place config
|
|
149
191
|
mutation, and name whether env-var, mounted-file, or subpath-style config updates require pod or
|
|
150
|
-
process restart.
|
|
151
|
-
|
|
152
|
-
|
|
192
|
+
process restart. For infrastructure files, review rendered manifests or plans rather than only
|
|
193
|
+
source snippets. Check resource requests and limits, probes, privileged mode, hostPath mounts,
|
|
194
|
+
plaintext secrets, IAM or service account scope, image digest pinning, and policy validation
|
|
195
|
+
coverage.
|
|
196
|
+
|
|
197
|
+
9. Keep secrets out of the wrong stage.
|
|
198
|
+
Test, preview, staging, and production jobs should use environment-scoped secrets with the
|
|
199
|
+
smallest permission set that can complete that job. Prefer OIDC or short-lived credentials over
|
|
200
|
+
long-lived cloud keys in CI. Production secrets should require the production environment gate,
|
|
201
|
+
and preview jobs should not be able to read them. Check secret masking, rotation or revocation
|
|
202
|
+
notes, external secret store or encryption-at-rest boundary, and whether platform-native secrets
|
|
203
|
+
also need RBAC, namespace, and audit controls.
|
|
204
|
+
|
|
205
|
+
10. Separate startup, liveness, and readiness.
|
|
153
206
|
Startup should protect slow boots, liveness should detect stuck processes, and readiness should
|
|
154
207
|
gate whether the instance can serve real dependencies. Do not count "process is running" as
|
|
155
208
|
deployment readiness. Keep liveness conservative enough that overload or long GC pauses do not
|
|
156
209
|
turn a recoverable incident into a restart loop.
|
|
157
210
|
|
|
158
|
-
|
|
211
|
+
11. Check graceful shutdown before rolling traffic.
|
|
159
212
|
Verify SIGTERM or platform shutdown handling for in-flight requests, DB transactions, uploads,
|
|
160
213
|
payment or webhook callbacks, and streaming responses. The app shutdown timeout must be shorter
|
|
161
214
|
than load balancer connection draining.
|
|
162
215
|
|
|
163
|
-
|
|
216
|
+
12. Drain workers deliberately.
|
|
164
217
|
Queue workers need a stop-accepting-new-work phase, a current-work completion or checkpoint phase,
|
|
165
218
|
and an idempotent retry path for interrupted work. Ack, delete, offset commit, and visibility
|
|
166
219
|
timeout behavior must match the shutdown path. Rollback should name consumer pause, in-flight
|
|
167
220
|
work completion, idempotency-key checks, and dead-letter or quarantine inspection for worker and
|
|
168
221
|
scheduler surfaces.
|
|
169
222
|
|
|
170
|
-
|
|
223
|
+
13. Prove message compatibility.
|
|
171
224
|
Producers and consumers are rarely deployed at the exact same instant. Message format changes need
|
|
172
225
|
N-1 message compatibility, tolerant readers, versioned fields, defaults for missing data, and a
|
|
173
226
|
plan for queued old messages. Unknown event types should not crash old consumers; require
|
|
174
227
|
quarantine, dead-letter, or ignore policy that preserves investigation evidence.
|
|
175
228
|
|
|
176
|
-
|
|
229
|
+
14. Design external side effects as compensation.
|
|
177
230
|
Emails, payment authorizations, third-party webhooks, provider state, and object-storage writes
|
|
178
231
|
do not disappear when code rolls back. Require outbox, idempotency key, state machine,
|
|
179
232
|
reconciliation, or compensation notes for side effects that cannot be undone by reverting code.
|
|
180
233
|
|
|
181
|
-
|
|
234
|
+
15. Keep API compatibility wider than the deploy window.
|
|
182
235
|
Server versions and clients do not change at the same instant. Check N-1 and N+1 compatibility
|
|
183
236
|
for request fields, response fields, enum values, error codes, API versions, and mobile or SDK
|
|
184
237
|
clients. Removing fields, narrowing enums, or adding required inputs can make rollback fail even
|
|
185
238
|
when the old container starts.
|
|
186
239
|
|
|
187
|
-
|
|
240
|
+
16. Add a kill switch, not just a flag.
|
|
188
241
|
Feature flags that only select a new path are not enough. Require a fast disable path, a safe
|
|
189
|
-
default when flag lookup fails,
|
|
190
|
-
|
|
191
|
-
|
|
242
|
+
default when flag lookup fails, an owner who can flip it during the observation window, rollout
|
|
243
|
+
percentages or cohorts, and an expiry or removal plan so release flags do not become permanent
|
|
244
|
+
hidden branches.
|
|
245
|
+
|
|
246
|
+
17. Run production preflight before touching traffic.
|
|
247
|
+
Preflight should name the active incident status, deployment window, error budget or SLO burn,
|
|
248
|
+
DB replication lag, queue depth, cache health, dependency health, cloud quota, feature flag
|
|
249
|
+
defaults, rollback target digest, migration compatibility, alert mute state, and on-call owner.
|
|
250
|
+
If the system is already degraded, default to blocking or narrowing the deploy rather than adding
|
|
251
|
+
another variable to an incident.
|
|
252
|
+
|
|
253
|
+
18. Define the canary cohort.
|
|
192
254
|
Percent-only canaries can hide the exact risky traffic. Name which users, tenants, regions,
|
|
193
255
|
routes, worker partitions, queues, payment methods, or dependency paths receive the new version.
|
|
194
256
|
Prefer a cohort that exercises the changed behavior without making the blast radius vague.
|
|
195
257
|
|
|
196
|
-
|
|
258
|
+
19. Measure canaries by version and by user harm.
|
|
197
259
|
A small canary can disappear in global averages. Require metrics split by service version,
|
|
198
260
|
release id, route, cohort, or worker partition where safe. Prefer user-impact signals such as
|
|
199
261
|
5xx, p95 or p99 latency, login failure, payment failure, order failure, queue backlog, or retry
|
|
200
262
|
explosion over CPU-only rollback triggers.
|
|
201
263
|
|
|
202
|
-
|
|
264
|
+
20. Make automatic stop conditions numeric.
|
|
203
265
|
Before rollout, define stop or rollback thresholds for error rate, p95 or p99 latency, login or
|
|
204
266
|
payment failure, queue backlog, retry rate, dependency timeout, and saturation. "Watch it" is not
|
|
205
267
|
a stop condition.
|
|
206
268
|
|
|
207
|
-
|
|
269
|
+
21. Verify read and write paths separately.
|
|
208
270
|
A read-only health check can pass while writes are broken. Add or identify smoke checks and
|
|
209
271
|
synthetic transactions that cover the changed read path, changed write path, and visible business
|
|
210
272
|
result without corrupting production data.
|
|
211
273
|
|
|
212
|
-
|
|
274
|
+
22. Preserve release attribution in logs and telemetry.
|
|
213
275
|
Deployment logs and runtime logs should expose commit SHA, image tag or digest, config version,
|
|
214
276
|
chart or manifest revision, config version, migration version, feature flag state, deployment
|
|
215
277
|
environment, deployment id, service version, and instance. Log format changes must not silently
|
|
216
278
|
break alerts, dashboards, or search queries.
|
|
217
279
|
|
|
218
|
-
|
|
280
|
+
23. Version cache keys and narrow invalidation.
|
|
219
281
|
Cache changes need cache key versioning or compatibility. Avoid blanket flushes unless the cold
|
|
220
282
|
DB load has been budgeted. Prefer narrow, gradual invalidation with fallback behavior named.
|
|
221
283
|
Old code must not deserialize new cache payloads without a compatibility plan.
|
|
222
284
|
|
|
223
|
-
|
|
285
|
+
24. Guard scheduler duplication.
|
|
224
286
|
Cron and scheduled jobs can overlap during rolling deploys. Check singleton locks, leader
|
|
225
287
|
election, idempotency keys, deployment locks, and duplicate execution behavior for old and new
|
|
226
288
|
versions.
|
|
227
289
|
|
|
228
|
-
|
|
290
|
+
25. Treat CRDs and operators as schema rollouts.
|
|
229
291
|
Custom resources, operators, storage versions, conversion strategies, and controller downgrade
|
|
230
292
|
behavior can block rollback even when application pods are healthy. When those surfaces change,
|
|
231
293
|
require stored-object migration, old-client compatibility, and operator downgrade notes.
|
|
232
294
|
|
|
233
|
-
|
|
295
|
+
26. Use deployment locks per service and environment.
|
|
234
296
|
Two deploys, migrations, or production commands against the same service/environment need an
|
|
235
297
|
explicit conflict rule. Name the lock scope and the operator-visible owner.
|
|
236
298
|
|
|
237
|
-
|
|
299
|
+
27. Make production commands boring.
|
|
238
300
|
Any production command touched by the change should have dry-run output, bounded target scope,
|
|
239
301
|
explicit confirmation or ticket reference, and refusal behavior for ambiguous environment,
|
|
240
302
|
tenant, region, or time range.
|
|
241
303
|
|
|
242
|
-
|
|
304
|
+
28. Reserve post-deploy observation time.
|
|
243
305
|
Deployment is not done when traffic flips. Require a post-deploy observation window with owners
|
|
244
306
|
available, synthetic transaction results, dashboards, logs, queue backlog, dependency health, and
|
|
245
307
|
stop-condition status checked.
|
|
@@ -257,13 +319,22 @@ incident.
|
|
|
257
319
|
## Review Checklist
|
|
258
320
|
|
|
259
321
|
- Deployment resource ledger is complete enough to name the blast radius.
|
|
322
|
+
- Merge and CI gates include required checks, branch protection or equivalent merge policy,
|
|
323
|
+
fast-fail ordering, clean test data, flaky-test ownership, and security scan coverage.
|
|
260
324
|
- Release envelope binds image digest, config, Secret, migration, flag, traffic, deployer, and time
|
|
261
325
|
under a stable release identity where those platform concepts exist.
|
|
326
|
+
- Preview deploys are isolated, seeded, protected, cleaned up, and kept away from production secrets
|
|
327
|
+
and production PII.
|
|
262
328
|
- Same artifact is promoted across environments or rebuild drift is explicitly controlled.
|
|
263
329
|
- Rollback history is retained, the old version can stay warm when needed, and traffic rollback is
|
|
264
330
|
separated from rebuilding or repulling code.
|
|
265
|
-
- DB migration, code deploy, data backfill, cache, queue, and
|
|
266
|
-
|
|
331
|
+
- DB migration, migration dry-run or shadow evidence, code deploy, data backfill, cache, queue, and
|
|
332
|
+
rollback order are separated.
|
|
333
|
+
- Required config is validated at startup, deployment config diff is inspectable, and rendered
|
|
334
|
+
manifests or IaC plans are policy-checked for resources, probes, privileges, secrets, and digest
|
|
335
|
+
pinning.
|
|
336
|
+
- Secrets are environment-scoped, production-gated, least-privilege, short-lived where possible,
|
|
337
|
+
masked in logs, and rotatable.
|
|
267
338
|
- Startup, liveness, and readiness probes answer different questions.
|
|
268
339
|
- Graceful shutdown, load balancer connection draining, worker drain, and interrupted work retry are
|
|
269
340
|
compatible.
|
|
@@ -272,6 +343,8 @@ incident.
|
|
|
272
343
|
- External side effects have idempotency, reconciliation, or compensation instead of rollback
|
|
273
344
|
overclaim.
|
|
274
345
|
- Feature flag lookup failure chooses the safe default and a kill switch can stop the change.
|
|
346
|
+
- Production preflight checks active incidents, error budget, queue depth, DB lag, dependency
|
|
347
|
+
health, quota, rollback target, feature defaults, alert mute state, and owner availability.
|
|
275
348
|
- Canary cohort, version-split telemetry, and automatic stop condition are concrete, numeric, and
|
|
276
349
|
tied to the changed flow.
|
|
277
350
|
- Read smoke, write smoke, synthetic transaction, deployment logs, and post-deploy metrics are
|
|
@@ -315,7 +388,8 @@ When reporting a review or change, include:
|
|
|
315
388
|
- Skills used.
|
|
316
389
|
- Deployment resources touched.
|
|
317
390
|
- Rollout and rollback risks found or guarded.
|
|
318
|
-
-
|
|
391
|
+
- CI, preview, artifact promotion, config, secret, migration, IaC, cache, queue, probe, shutdown,
|
|
392
|
+
canary, rollback, and observation decisions.
|
|
319
393
|
- Verification commands run and their result.
|
|
320
394
|
- Remaining manual deployment checks, especially production-only smoke, canary, and observation
|
|
321
395
|
steps that cannot be executed locally.
|
package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md
ADDED
|
@@ -0,0 +1,299 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.frontend-component-library-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: frontend-component-library-review
|
|
9
|
+
description: Apply this skill when a frontend component library, design system package, UI kit, shared component package, token system, primitive layer, variant API, theming surface, Storybook or docs site, package exports, public CSS or data attributes, accessibility behavior, controlled or uncontrolled component contract, visual regression suite, codemod, SemVer policy, or breaking-change plan is created, changed, reviewed, or reported.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.frontend-component-library-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Frontend Component Library Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review frontend component libraries as public API platforms, not collections of pretty
|
|
33
|
+
components copied from a design file.
|
|
34
|
+
|
|
35
|
+
The core question is: "Can multiple product teams upgrade this package without guessing which
|
|
36
|
+
tokens, props, slots, DOM shape, CSS variables, keyboard behavior, exports, docs examples, and
|
|
37
|
+
release notes are contractual?" If the answer is unclear, the library is a shared copy-paste
|
|
38
|
+
folder wearing a package name.
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- A design system, component library, UI kit, shared React, Vue, Svelte, Web Component, CSS, or
|
|
44
|
+
framework-agnostic component package is created, changed, reviewed, or reported.
|
|
45
|
+
- Code or docs touch design tokens, CSS variables, theme modes, brand themes, density, contrast,
|
|
46
|
+
motion settings, primitive components, compound components, slots, variant props, polymorphic
|
|
47
|
+
`as` or `asChild`, public data attributes, `className` escape hatches, or package exports.
|
|
48
|
+
- Button, Link, TextField, Dialog, Popover, Menu, Select, Combobox, Tabs, Tooltip, Toast, Table,
|
|
49
|
+
Data Grid, Icon, Badge, Card, Alert, or similar reusable components gain public behavior.
|
|
50
|
+
- Storybook, docs, examples, props tables, visual regression stories, interaction tests,
|
|
51
|
+
accessibility tests, type tests, SSR or hydration checks, bundle-size checks, changelog entries,
|
|
52
|
+
migration guides, deprecation warnings, or codemods define consumer-facing behavior.
|
|
53
|
+
- A review or final report claims a component library is reusable, accessible, themeable,
|
|
54
|
+
design-system-ready, stable, backward compatible, SemVer-safe, or ready for external teams.
|
|
55
|
+
|
|
56
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
57
|
+
## Do Not Use When
|
|
58
|
+
|
|
59
|
+
- The task is ordinary app UI with no reusable package, public component API, token contract, or
|
|
60
|
+
cross-team consumer surface. Use the framework, UI quality, layout, or accessibility skill.
|
|
61
|
+
- The task only checks accessibility-tree semantics, keyboard behavior, labels, forms, dialogs, or
|
|
62
|
+
ARIA for a specific UI. Use `frontend-accessibility-tree-review` first.
|
|
63
|
+
- The task only checks frontend state drift in an application. Use `frontend-state-ownership-review`
|
|
64
|
+
first.
|
|
65
|
+
- The task only checks localization, RTL text behavior, translated layout stress, or locale SEO.
|
|
66
|
+
Use `frontend-localization-review` or `frontend-stress-layout-review` first.
|
|
67
|
+
- The task only changes package metadata or exports without component-library contracts. Use the
|
|
68
|
+
matching package, public API, or CLI contract skill.
|
|
69
|
+
- Verification would require unconfigured Storybook, browser, screenshot, visual-regression, or
|
|
70
|
+
package-manager commands. Report the missing evidence instead of inventing commands.
|
|
71
|
+
|
|
72
|
+
<!-- mustflow-section: required-inputs -->
|
|
73
|
+
## Required Inputs
|
|
74
|
+
|
|
75
|
+
- User goal, target package or library, framework signals, consumer audience, current diff or
|
|
76
|
+
target files, package manager and build signals, and configured command intents.
|
|
77
|
+
- Package API ledger: public entrypoints, `package.json` exports, documented imports, deep-import
|
|
78
|
+
policy, peer dependencies, side-effect CSS, generated styles, tree-shaking claims, SSR support,
|
|
79
|
+
and bundle boundaries.
|
|
80
|
+
- Token ledger: primitive tokens, semantic tokens, component tokens, aliases, generated outputs,
|
|
81
|
+
CSS variables, TypeScript types, platform exports, descriptions, deprecations, owners, contrast
|
|
82
|
+
checks, and source-of-truth files.
|
|
83
|
+
- Primitive behavior ledger: dialog, popover, menu, select, combobox, tabs, tooltip, toast, focus
|
|
84
|
+
scope, portal, scroll lock, typeahead, roving focus, escape behavior, outside interaction, and
|
|
85
|
+
restore-focus contracts.
|
|
86
|
+
- Component contract ledger: props, slots, compound parts, refs, events, DOM ownership, data
|
|
87
|
+
attributes, CSS variable hooks, `className` or style overrides, polymorphic behavior, default
|
|
88
|
+
element, form participation, and documented examples.
|
|
89
|
+
- State contract ledger: controlled and uncontrolled pairs such as `value`, `defaultValue`,
|
|
90
|
+
`onValueChange`, `open`, `defaultOpen`, `onOpenChange`, reset rules, disabled behavior, loading
|
|
91
|
+
behavior, and duplicate-submit policy.
|
|
92
|
+
- Variant and theming ledger: semantic variant axes, impossible combinations, required accessible
|
|
93
|
+
names, brand, light and dark mode, density, contrast, reduced motion, forced colors, responsive
|
|
94
|
+
behavior, and theme-resolution order.
|
|
95
|
+
- Docs and test ledger: Storybook stories, anatomy docs, do and do-not guidance, accessibility and
|
|
96
|
+
keyboard docs, controlled examples, theme-token docs, migration docs, type tests, behavior tests,
|
|
97
|
+
visual regression matrix, accessibility automation, manual evidence, SSR, hydration, and bundle
|
|
98
|
+
checks.
|
|
99
|
+
- Release ledger: SemVer classification, public API definition, deprecation warnings, migration
|
|
100
|
+
guide, codemods, changelog, consumer upgrade path, and known breaking-change inventory.
|
|
101
|
+
|
|
102
|
+
<!-- mustflow-section: preconditions -->
|
|
103
|
+
## Preconditions
|
|
104
|
+
|
|
105
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
106
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
107
|
+
current scope.
|
|
108
|
+
- Existing local patterns for tokens, primitives, variant helpers, styling, package exports, docs,
|
|
109
|
+
tests, and release notes have been searched before inventing a new component-library pattern.
|
|
110
|
+
- If the change touches app data, auth, payments, notifications, deployment, database, or security
|
|
111
|
+
behavior, also apply the narrower matching skill for that boundary.
|
|
112
|
+
|
|
113
|
+
<!-- mustflow-section: allowed-edits -->
|
|
114
|
+
## Allowed Edits
|
|
115
|
+
|
|
116
|
+
- Create or refine component-library skill, docs, tests, route metadata, package metadata, template
|
|
117
|
+
copies, token docs, story contracts, migration notes, or release notes directly tied to the
|
|
118
|
+
changed component-library surface.
|
|
119
|
+
- Tighten public API boundaries by documenting exports, removing undocumented example deep imports,
|
|
120
|
+
making internal paths private, or marking such changes as breaking when consumers may rely on
|
|
121
|
+
them.
|
|
122
|
+
- Add focused tests for exports, types, roles and names, keyboard behavior, controlled and
|
|
123
|
+
uncontrolled state, variant constraints, token output, visual regression stories, SSR, hydration,
|
|
124
|
+
and bundle boundaries when existing project patterns support them.
|
|
125
|
+
- Do not migrate the library to a new framework, styling engine, primitive library, package manager,
|
|
126
|
+
Storybook setup, or token compiler unless the current task explicitly requires that migration.
|
|
127
|
+
- Do not treat `className`, raw `style`, hex-color props, arbitrary DOM selectors, or undocumented
|
|
128
|
+
internal files as harmless flexibility when they become consumer contracts.
|
|
129
|
+
|
|
130
|
+
<!-- mustflow-section: procedure -->
|
|
131
|
+
## Procedure
|
|
132
|
+
|
|
133
|
+
1. Decide whether this is a component library or ordinary app UI.
|
|
134
|
+
- A library has downstream consumers, public imports, reusable components, upgrade risk, docs
|
|
135
|
+
examples, and package or workspace boundaries.
|
|
136
|
+
- If it is just one screen, route to the narrower app UI skill and report that this skill does
|
|
137
|
+
not apply.
|
|
138
|
+
2. Build the public API ledger first.
|
|
139
|
+
- List public exports, documented imports, package entrypoints, peer dependencies, CSS side
|
|
140
|
+
effects, token exports, generated files, and documented slot or DOM hooks.
|
|
141
|
+
- Treat docs examples as public API. Consumers copy them.
|
|
142
|
+
- Flag undocumented deep imports such as `dist/internal/*`, helper hooks, generated class files,
|
|
143
|
+
or internal token maps. Blocking existing deep imports can be breaking.
|
|
144
|
+
3. Separate top-level library layers.
|
|
145
|
+
- Prefer clear boundaries for tokens, primitives, components, icons, utilities, docs, testing,
|
|
146
|
+
and codemods.
|
|
147
|
+
- Reject a structure where every reusable concern lands in `components/*` and the Button prop
|
|
148
|
+
list becomes the escape hatch for the whole system.
|
|
149
|
+
4. Review token architecture.
|
|
150
|
+
- Separate primitive tokens such as raw colors and spacing, semantic tokens such as
|
|
151
|
+
action-background and text-primary, and component tokens only when component-specific tuning
|
|
152
|
+
is truly needed.
|
|
153
|
+
- Product components should usually consume semantic tokens, not Figma variable names, raw hex
|
|
154
|
+
values, or one-off pixel literals.
|
|
155
|
+
- Token source, generated CSS variables, generated TypeScript types, docs tables, platform
|
|
156
|
+
outputs, deprecations, and contrast checks must agree.
|
|
157
|
+
5. Review theming as value substitution, not logic spread.
|
|
158
|
+
- Prefer root attributes, classes, or scopes that swap CSS variable values.
|
|
159
|
+
- Keep brand, mode, density, contrast, and motion as independent axes unless the product has a
|
|
160
|
+
documented reason to bundle them.
|
|
161
|
+
- Flag per-component `theme.mode === ...` branches, theme-object reads on every component, and
|
|
162
|
+
theme names that encode every axis into one untestable mega-theme.
|
|
163
|
+
6. Review primitives before styled components.
|
|
164
|
+
- Dialog, Popover, Menu, Select, Combobox, Tabs, Tooltip, Toast, and similar primitives own
|
|
165
|
+
accessibility behavior, focus, keyboard, portal, layering, scroll, and dismissal policy.
|
|
166
|
+
- Styled components should wrap or compose primitive behavior without weakening it.
|
|
167
|
+
- If the project hand-rolls a primitive, require the same behavior ledger a proven primitive
|
|
168
|
+
library would have supplied.
|
|
169
|
+
7. Treat accessibility as public API.
|
|
170
|
+
- Native elements, accessible names, labels, keyboard behavior, focus management, form
|
|
171
|
+
participation, disabled behavior, live regions, and high contrast behavior are contractual.
|
|
172
|
+
- `role`, `aria-*`, and data attributes imply behavior promises. Attributes without keyboard
|
|
173
|
+
and focus behavior are not accessibility.
|
|
174
|
+
- Route detailed accessibility fixes to `frontend-accessibility-tree-review`.
|
|
175
|
+
8. Review component state contracts.
|
|
176
|
+
- Controlled and uncontrolled modes need consistent pairs: `value` with `onValueChange`,
|
|
177
|
+
`defaultValue` for initial internal state, `open` with `onOpenChange`, and `defaultOpen`.
|
|
178
|
+
- Do not mix controlled and uncontrolled ownership silently.
|
|
179
|
+
- Components should not couple to app stores, routers, data-fetching libraries, or form
|
|
180
|
+
libraries except through explicit adapters.
|
|
181
|
+
9. Review variant API shape.
|
|
182
|
+
- Keep axes semantic and small, such as tone, emphasis, size, loading, icon-only, and disabled.
|
|
183
|
+
- Prevent impossible combinations with types, runtime guards, docs, or component split.
|
|
184
|
+
- Require an accessible name for icon-only controls, block duplicate submit when loading, and
|
|
185
|
+
review polymorphic `as` or `asChild` combinations for semantic breakage.
|
|
186
|
+
10. Review styling contracts.
|
|
187
|
+
- Stable slots, data attributes, CSS variables, and documented class hooks are safer than
|
|
188
|
+
consumers styling incidental DOM shape.
|
|
189
|
+
- Decide which DOM parts are public and which are internal.
|
|
190
|
+
- If internal DOM, class names, or data attributes appear in docs, tests, examples, or consumer
|
|
191
|
+
code, changing them may be breaking.
|
|
192
|
+
11. Review component-specific traps.
|
|
193
|
+
- Button: native button behavior, `type`, loading duplicate-submit policy, icon-only names,
|
|
194
|
+
disabled versus `aria-disabled`, and focus-visible styling.
|
|
195
|
+
- TextField: durable label, description, error wiring, `aria-invalid`, required, readOnly,
|
|
196
|
+
disabled, prefix and suffix, clear button, password reveal, and form reset behavior.
|
|
197
|
+
- Dialog: name, initial focus, focus containment, restore focus, Escape, outside interaction,
|
|
198
|
+
background inertness, scroll lock, nested overlays, and portal container.
|
|
199
|
+
- Select and Combobox: do not conflate them. Review typeahead, search, highlighted option,
|
|
200
|
+
selected option, groups, disabled items, mobile fallback, IME, scroll, and form behavior.
|
|
201
|
+
- Table and Data Grid: separate semantic table from product-grade grid behavior such as
|
|
202
|
+
sorting, pagination, virtualization, editing, export, and fetching.
|
|
203
|
+
- Icon: `currentColor`, tree-shaking, viewBox consistency, decorative `aria-hidden`, and
|
|
204
|
+
meaningful label strategy.
|
|
205
|
+
12. Review docs as executable specs.
|
|
206
|
+
- Storybook or docs should show anatomy, when to use, when not to use, variants, controlled and
|
|
207
|
+
uncontrolled examples, accessibility names, keyboard behavior, theme tokens, form behavior,
|
|
208
|
+
migration notes, and do-not patterns.
|
|
209
|
+
- Props tables are not enough.
|
|
210
|
+
- Happy-path-only stories are weak contracts; important states need stories that tests can
|
|
211
|
+
target.
|
|
212
|
+
13. Review test layers.
|
|
213
|
+
- Type and export tests catch public API drift.
|
|
214
|
+
- Behavior tests should use roles, names, keyboard events, state changes, and form behavior
|
|
215
|
+
instead of brittle internal selectors.
|
|
216
|
+
- Accessibility automation is a floor, not proof. Manual keyboard, focus, screen-reader smoke,
|
|
217
|
+
forced-colors, reduced-motion, and target-size evidence may still be needed.
|
|
218
|
+
- Visual regression should cover a representative matrix, not every combinatorial explosion.
|
|
219
|
+
Keep failures diagnosable.
|
|
220
|
+
- SSR, hydration, bundle size, tree-shaking, and CSS side-effect checks matter when the package
|
|
221
|
+
claims app-framework or library-mode support.
|
|
222
|
+
14. Classify breaking changes broadly.
|
|
223
|
+
- Public API includes exports, props, prop meaning, defaults, event timing, refs, CSS variables,
|
|
224
|
+
token names, slot names, data attributes, documented DOM hooks, keyboard behavior, form
|
|
225
|
+
behavior, theme resolution order, peer dependency ranges, generated files, and docs examples.
|
|
226
|
+
- Removing, renaming, narrowing, changing defaults, changing ref targets, changing event order,
|
|
227
|
+
blocking deep imports, deleting CSS variables, or changing documented data attributes may be
|
|
228
|
+
major-version work.
|
|
229
|
+
15. Plan migrations before removals.
|
|
230
|
+
- Prefer deprecation warnings and docs in a compatible release before removal.
|
|
231
|
+
- Provide migration notes and codemods for broad prop, import, token, or slot renames.
|
|
232
|
+
- Keep examples, changelog, tests, and generated docs aligned with the migration path.
|
|
233
|
+
16. Report the evidence level honestly.
|
|
234
|
+
- Separate static package inspection, docs inspection, type-test evidence, behavior-test
|
|
235
|
+
evidence, visual-regression evidence, accessibility evidence, browser evidence, and
|
|
236
|
+
consumer-upgrade evidence.
|
|
237
|
+
- If an evidence path is unconfigured, name the missing configured intent or manual review
|
|
238
|
+
instead of claiming readiness.
|
|
239
|
+
|
|
240
|
+
<!-- mustflow-section: postconditions -->
|
|
241
|
+
## Postconditions
|
|
242
|
+
|
|
243
|
+
- Public API, token, primitive behavior, component contract, state contract, variant, theming,
|
|
244
|
+
styling, docs, test, and release ledgers are fixed, ruled out, or reported.
|
|
245
|
+
- Component-library consumers can tell what is safe to import, style, theme, override, test, and
|
|
246
|
+
rely on across upgrades.
|
|
247
|
+
- Breaking-change risk is classified across code, tokens, CSS, docs, tests, package exports, and
|
|
248
|
+
runtime behavior.
|
|
249
|
+
- Missing Storybook, browser, visual, accessibility, package, or consumer-upgrade evidence is named
|
|
250
|
+
instead of hidden.
|
|
251
|
+
|
|
252
|
+
<!-- mustflow-section: verification -->
|
|
253
|
+
## Verification
|
|
254
|
+
|
|
255
|
+
Use configured oneshot command intents when available:
|
|
256
|
+
|
|
257
|
+
- `changes_status`
|
|
258
|
+
- `changes_diff_summary`
|
|
259
|
+
- `lint`
|
|
260
|
+
- `build`
|
|
261
|
+
- `test_related`
|
|
262
|
+
- `test`
|
|
263
|
+
- `docs_validate_fast`
|
|
264
|
+
- `test_release`
|
|
265
|
+
- `mustflow_check`
|
|
266
|
+
|
|
267
|
+
Use the narrowest configured unit, component, docs, release, build, package, visual, accessibility,
|
|
268
|
+
or mustflow intent that covers the changed component-library contract. Do not infer raw Storybook,
|
|
269
|
+
browser, package-manager, visual-regression, or dev-server commands outside the command contract.
|
|
270
|
+
|
|
271
|
+
<!-- mustflow-section: failure-handling -->
|
|
272
|
+
## Failure Handling
|
|
273
|
+
|
|
274
|
+
- If the public API ledger cannot be built, stop treating the change as SemVer-safe and report the
|
|
275
|
+
missing source of truth.
|
|
276
|
+
- If token source, generated CSS variables, generated types, and docs disagree, fix the source and
|
|
277
|
+
generated-surface contract before changing individual components.
|
|
278
|
+
- If a component requires custom primitive behavior but keyboard and focus behavior are unknown,
|
|
279
|
+
route to `frontend-accessibility-tree-review` or report the missing evidence.
|
|
280
|
+
- If a variant or theming change creates impossible combinations, narrow the API, split the
|
|
281
|
+
component, or report the product decision needed.
|
|
282
|
+
- If tests fail, preserve the configured intent name and failure evidence, then fix the contract
|
|
283
|
+
surface rather than weakening tests.
|
|
284
|
+
- If release impact is unclear, apply `date-number-audit` before editing versions or release notes.
|
|
285
|
+
|
|
286
|
+
<!-- mustflow-section: output-format -->
|
|
287
|
+
## Output Format
|
|
288
|
+
|
|
289
|
+
- Component-library surface reviewed
|
|
290
|
+
- Package API, token, primitive, component, state, variant, theming, styling, docs, test, and release
|
|
291
|
+
ledgers
|
|
292
|
+
- Findings, fixes, or recommendations
|
|
293
|
+
- Breaking-change and migration classification
|
|
294
|
+
- Evidence level by docs, types, behavior, accessibility, visual, package, browser, and consumer
|
|
295
|
+
upgrade surface
|
|
296
|
+
- Narrower skills used or deferred
|
|
297
|
+
- Command intents run
|
|
298
|
+
- Skipped component-library checks and reasons
|
|
299
|
+
- Remaining component-library contract risk
|