mustflow 2.107.9 → 2.108.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/cli/commands/api/serve.js +73 -10
  2. package/dist/core/run-receipt-state.js +23 -2
  3. package/dist/core/secret-redaction.js +6 -1
  4. package/package.json +1 -1
  5. package/schemas/api-serve-response.schema.json +1 -0
  6. package/templates/default/i18n.toml +48 -12
  7. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
  8. package/templates/default/locales/en/.mustflow/skills/INDEX.md +52 -14
  9. package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
  10. package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
  11. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
  12. package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
  13. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
  14. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
  15. package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
  16. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
  17. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
  18. package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
  19. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
  20. package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
  21. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
  22. package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
  23. package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
  24. package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
  25. package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
  26. package/templates/default/manifest.toml +43 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.deployment-rollout-safety-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 2
5
+ revision: 3
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: deployment-rollout-safety-review
9
- description: Apply this skill when server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless, migration, config, feature-flag, cache, deployment pipeline, canary, rollback, release envelope, image digest, deployment history, traffic rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior is created, changed, reviewed, or reported and the risk is whether a deployment can be rolled out, stopped, observed, or rolled back safely.
9
+ description: Apply this skill when CI/CD pipeline gates, required checks, preview deploys, migration checks, server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless, IaC, config, secret handling, feature-flag, cache, canary, rollback, release envelope, image digest, deployment history, traffic rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior is created, changed, reviewed, or reported and the risk is whether a deployment can be rolled out, stopped, observed, or rolled back safely.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -29,13 +29,15 @@ metadata:
29
29
  <!-- mustflow-section: purpose -->
30
30
  ## Purpose
31
31
 
32
- Review a server deployment as a runtime state transition, not as "the build passed".
32
+ Review a server deployment as a runtime state transition, not as "the build passed" or
33
+ "CI is green".
33
34
 
34
35
  Deployment failures usually come from changed ordering, config, data, cache, queues, rollback shape,
35
- permissions, and observability. Rollback is not just restarting an older container. It is the older
36
- release surviving today's data, config, cache, queue messages, external side effects, and traffic
37
- state. This skill makes the agent prove that a wrong deploy has small blast radius, is detected
38
- quickly, can be stopped quickly, and can be rolled back without inventing a recovery plan during the
36
+ permissions, secrets, infrastructure policy, human approvals, and observability. Rollback is not
37
+ just restarting an older container. It is the older release surviving today's data, config, cache,
38
+ queue messages, external side effects, secret versions, and traffic state. This skill makes the
39
+ agent prove that a wrong deploy has small blast radius, is detected quickly, can be stopped quickly,
40
+ and can be rolled back or safely rolled forward without inventing a recovery plan during the
39
41
  incident.
40
42
 
41
43
  <!-- mustflow-section: use-when -->
@@ -43,10 +45,12 @@ incident.
43
45
 
44
46
  - A change touches server deployment, backend runtime behavior, workers, schedulers, cron, queue
45
47
  consumers, containers, VMs, serverless functions, Kubernetes manifests, process managers,
46
- deployment pipelines, release gates, canaries, release envelopes, or rollback procedures.
48
+ CI/CD workflows, preview environments, deployment pipelines, release gates, canaries, release
49
+ envelopes, or rollback procedures.
47
50
  - A change touches DB migration order, config or env vars, feature flags, cache keys, queue or topic
48
51
  message formats, external API dependencies, storage paths, startup probes, readiness probes,
49
- liveness probes, graceful shutdown, worker drain, deployment locks, or post-deploy smoke checks.
52
+ liveness probes, graceful shutdown, worker drain, deployment locks, secret scope, IaC policy, or
53
+ post-deploy smoke checks.
50
54
  - A review needs to decide whether code, config, database, cache, queue, and scheduler changes can
51
55
  coexist across old and new versions while traffic is still moving.
52
56
 
@@ -77,11 +81,26 @@ incident.
77
81
  - Deployment model: environment order, artifact promotion path, rolling/blue-green/canary strategy,
78
82
  traffic rollback path, old-version retention, deployment history retention, deployment
79
83
  concurrency, and deployment lock owner.
84
+ - Pipeline gate model: required status checks, branch protection or merge gate, reviewer or
85
+ CODEOWNER gate, fast-fail ordering, clean CI environment, test data setup, flaky-test quarantine
86
+ owner, artifact retention, and security scan coverage.
87
+ - Preview model: preview URL, isolated namespace or schema, ephemeral database or seeded data,
88
+ teardown policy, cost guardrail, deployment protection, and proof that production secrets and
89
+ production PII are not exposed.
90
+ - Migration check model: dry-run or shadow database evidence, destructive-change detection,
91
+ lock or table-rewrite risk, online DDL assumptions, backfill separation, N-1 app compatibility,
92
+ and rollback or roll-forward boundary.
93
+ - Secret and approval model: environment-scoped secrets, production approval gate, OIDC or
94
+ short-lived credential path, log masking, rotation or revocation path, external secret store or
95
+ encryption-at-rest boundary, and least-privilege deploy job permissions.
80
96
  - Compatibility model: old code with old data, old code with new data, new code with old data, new
81
97
  code with new data, N-1 message compatibility, cache key version, and rollback survivability.
82
98
  - Runtime control model: startup/liveness/readiness probes, graceful shutdown behavior, load
83
99
  balancer connection draining, worker drain, cron duplicate guard, kill switch, safe flag defaults,
84
100
  automatic stop conditions, synthetic transactions, and post-deploy observation window.
101
+ - Infrastructure and observability model: rendered manifests or plan output, policy checks, image
102
+ digest pinning, resource requests and limits, probe presence, privileged or hostPath use,
103
+ plaintext-secret checks, release-labeled logs, metrics, traces, alerts, and dashboard slices.
85
104
 
86
105
  <!-- mustflow-section: preconditions -->
87
106
  ## Preconditions
@@ -99,6 +118,9 @@ incident.
99
118
  - Add or update deploy runbooks, release checklists, pipeline metadata, smoke tests, probe tests,
100
119
  config validation, feature-flag defaults, rollback notes, canary gates, and deployment safety
101
120
  tests when they match the repository style.
121
+ - Add or update preview-deploy guardrails, migration preflight notes, manifest or IaC validation
122
+ fixtures, secret-scope checks, required-check documentation, and release evidence templates when
123
+ they are already within the task scope.
102
124
  - Add local code guards for startup config validation, readiness separation, shutdown handling,
103
125
  worker drain, cache-key versioning, and deployment attribution when the task scope includes the
104
126
  affected runtime code.
@@ -115,131 +137,171 @@ incident.
115
137
  external APIs, permissions, config, and feature flags. If the ledger is unknown, report that the
116
138
  deployment blast radius is unknown instead of guessing.
117
139
 
118
- 2. Build the release envelope.
140
+ 2. Check the merge and CI gate before the deploy gate.
141
+ Required status checks, protected branches, review or CODEOWNER gates, and stale-review handling
142
+ should stop unreviewed or partially verified production changes. Order checks so cheap failures
143
+ happen before slow checks: format, lint, typecheck, unit tests, build, security scans,
144
+ integration or contract tests, then focused end-to-end smoke. Require a clean reproducible CI
145
+ environment, explicit test database setup, seeded data, dependency and container scan coverage,
146
+ IaC or configuration scans when those files changed, secret scanning, and a named owner or SLA for
147
+ flaky-test quarantine. A flaky test silently bypassed by the merge gate is a deployment-safety
148
+ risk, not a testing nuisance.
149
+
150
+ 3. Build the release envelope.
119
151
  Rollback needs more than an image tag. Bind image digest, chart or manifest revision, values
120
152
  file hash, ConfigMap name or version, Secret version, migration range, feature flag snapshot,
121
153
  ingress or router weight, deployer, and deployment time under one `release_id` when the platform
122
154
  exposes those facts. If only a mutable tag such as `latest` identifies production, report that
123
155
  rollback identity is not reproducible.
124
156
 
125
- 3. Separate artifact promotion from environment rebuilds.
157
+ 4. Make preview deployment a rehearsal, not just a link.
158
+ Preview deploys should use an isolated namespace, schema, or ephemeral database with explicit
159
+ seed data and teardown. Do not allow production secrets, production OAuth callbacks, production
160
+ webhooks, or production PII in preview. Name deployment protection, access control, teardown
161
+ failure alerts, and cost cleanup. Run or identify the preview checks that matter for the changed
162
+ flow: smoke, selected E2E, API compatibility, accessibility, visual regression, and thin DAST or
163
+ security probes where the repository owns them.
164
+
165
+ 5. Separate artifact promotion from environment rebuilds.
126
166
  Verify whether staging and production receive the same artifact identity. Prefer promoting one
127
- built artifact over rebuilding per environment. If per-environment rebuild is unavoidable, name
128
- the drift risk and require commit SHA, dependency lock, image digest, and build input evidence.
129
- Treat image tags as human labels and image digests as the rollback proof.
167
+ built immutable artifact over rebuilding per environment. If per-environment rebuild is
168
+ unavoidable, name the drift risk and require commit SHA, dependency lock, build run, SBOM or
169
+ package inventory when available, image digest, and build input evidence. Treat image tags as
170
+ human labels and image digests as the rollback proof.
130
171
 
131
- 4. Preserve rollback history and warm capacity.
172
+ 6. Preserve rollback history and warm capacity.
132
173
  For platform-managed rollbacks, check whether old revisions, ReplicaSets, Helm release history,
133
174
  blue/green environments, or rollout controller history are retained long enough to be useful.
134
175
  Do not treat a rollback path as safe if the old version is immediately scaled to zero, cold, or
135
176
  deleted. Prefer traffic rollback to an already-warm old version before rebuilding or pulling a
136
177
  replacement during an incident.
137
178
 
138
- 5. Split deploy order from migration order.
179
+ 7. Split deploy order from migration order.
139
180
  For DB changes, check expand/migrate/read-write/switch/contract sequencing. New code must tolerate
140
181
  old data, old code must tolerate expanded schema or new data, and contraction must wait until old
141
182
  code is impossible. Check migration lock timeout, batch size, retryability, partial progress
142
183
  markers, rollback preview evidence, point-in-time recovery practice, database config backup, and
143
- rollback limits. Treat destructive rollback SQL as a data-loss risk, not a recovery guarantee.
184
+ rollback limits. Require dry-run or shadow database evidence when the repository has a migration
185
+ surface. Treat destructive rollback SQL as a data-loss risk, not a recovery guarantee.
144
186
 
145
- 6. Treat config changes as code changes.
187
+ 8. Treat config and IaC changes as code changes.
146
188
  Diff config and environment variables. Require startup validation for missing, misspelled, empty,
147
189
  malformed, or incompatible values. A service should fail fast before accepting traffic when a
148
190
  required setting is unsafe. Prefer versioned or immutable config names over in-place config
149
191
  mutation, and name whether env-var, mounted-file, or subpath-style config updates require pod or
150
- process restart.
151
-
152
- 7. Separate startup, liveness, and readiness.
192
+ process restart. For infrastructure files, review rendered manifests or plans rather than only
193
+ source snippets. Check resource requests and limits, probes, privileged mode, hostPath mounts,
194
+ plaintext secrets, IAM or service account scope, image digest pinning, and policy validation
195
+ coverage.
196
+
197
+ 9. Keep secrets out of the wrong stage.
198
+ Test, preview, staging, and production jobs should use environment-scoped secrets with the
199
+ smallest permission set that can complete that job. Prefer OIDC or short-lived credentials over
200
+ long-lived cloud keys in CI. Production secrets should require the production environment gate,
201
+ and preview jobs should not be able to read them. Check secret masking, rotation or revocation
202
+ notes, external secret store or encryption-at-rest boundary, and whether platform-native secrets
203
+ also need RBAC, namespace, and audit controls.
204
+
205
+ 10. Separate startup, liveness, and readiness.
153
206
  Startup should protect slow boots, liveness should detect stuck processes, and readiness should
154
207
  gate whether the instance can serve real dependencies. Do not count "process is running" as
155
208
  deployment readiness. Keep liveness conservative enough that overload or long GC pauses do not
156
209
  turn a recoverable incident into a restart loop.
157
210
 
158
- 8. Check graceful shutdown before rolling traffic.
211
+ 11. Check graceful shutdown before rolling traffic.
159
212
  Verify SIGTERM or platform shutdown handling for in-flight requests, DB transactions, uploads,
160
213
  payment or webhook callbacks, and streaming responses. The app shutdown timeout must be shorter
161
214
  than load balancer connection draining.
162
215
 
163
- 9. Drain workers deliberately.
216
+ 12. Drain workers deliberately.
164
217
  Queue workers need a stop-accepting-new-work phase, a current-work completion or checkpoint phase,
165
218
  and an idempotent retry path for interrupted work. Ack, delete, offset commit, and visibility
166
219
  timeout behavior must match the shutdown path. Rollback should name consumer pause, in-flight
167
220
  work completion, idempotency-key checks, and dead-letter or quarantine inspection for worker and
168
221
  scheduler surfaces.
169
222
 
170
- 10. Prove message compatibility.
223
+ 13. Prove message compatibility.
171
224
  Producers and consumers are rarely deployed at the exact same instant. Message format changes need
172
225
  N-1 message compatibility, tolerant readers, versioned fields, defaults for missing data, and a
173
226
  plan for queued old messages. Unknown event types should not crash old consumers; require
174
227
  quarantine, dead-letter, or ignore policy that preserves investigation evidence.
175
228
 
176
- 11. Design external side effects as compensation.
229
+ 14. Design external side effects as compensation.
177
230
  Emails, payment authorizations, third-party webhooks, provider state, and object-storage writes
178
231
  do not disappear when code rolls back. Require outbox, idempotency key, state machine,
179
232
  reconciliation, or compensation notes for side effects that cannot be undone by reverting code.
180
233
 
181
- 12. Keep API compatibility wider than the deploy window.
234
+ 15. Keep API compatibility wider than the deploy window.
182
235
  Server versions and clients do not change at the same instant. Check N-1 and N+1 compatibility
183
236
  for request fields, response fields, enum values, error codes, API versions, and mobile or SDK
184
237
  clients. Removing fields, narrowing enums, or adding required inputs can make rollback fail even
185
238
  when the old container starts.
186
239
 
187
- 13. Add a kill switch, not just a flag.
240
+ 16. Add a kill switch, not just a flag.
188
241
  Feature flags that only select a new path are not enough. Require a fast disable path, a safe
189
- default when flag lookup fails, and an owner who can flip it during the observation window.
190
-
191
- 14. Define the canary cohort.
242
+ default when flag lookup fails, an owner who can flip it during the observation window, rollout
243
+ percentages or cohorts, and an expiry or removal plan so release flags do not become permanent
244
+ hidden branches.
245
+
246
+ 17. Run production preflight before touching traffic.
247
+ Preflight should name the active incident status, deployment window, error budget or SLO burn,
248
+ DB replication lag, queue depth, cache health, dependency health, cloud quota, feature flag
249
+ defaults, rollback target digest, migration compatibility, alert mute state, and on-call owner.
250
+ If the system is already degraded, default to blocking or narrowing the deploy rather than adding
251
+ another variable to an incident.
252
+
253
+ 18. Define the canary cohort.
192
254
  Percent-only canaries can hide the exact risky traffic. Name which users, tenants, regions,
193
255
  routes, worker partitions, queues, payment methods, or dependency paths receive the new version.
194
256
  Prefer a cohort that exercises the changed behavior without making the blast radius vague.
195
257
 
196
- 15. Measure canaries by version and by user harm.
258
+ 19. Measure canaries by version and by user harm.
197
259
  A small canary can disappear in global averages. Require metrics split by service version,
198
260
  release id, route, cohort, or worker partition where safe. Prefer user-impact signals such as
199
261
  5xx, p95 or p99 latency, login failure, payment failure, order failure, queue backlog, or retry
200
262
  explosion over CPU-only rollback triggers.
201
263
 
202
- 16. Make automatic stop conditions numeric.
264
+ 20. Make automatic stop conditions numeric.
203
265
  Before rollout, define stop or rollback thresholds for error rate, p95 or p99 latency, login or
204
266
  payment failure, queue backlog, retry rate, dependency timeout, and saturation. "Watch it" is not
205
267
  a stop condition.
206
268
 
207
- 17. Verify read and write paths separately.
269
+ 21. Verify read and write paths separately.
208
270
  A read-only health check can pass while writes are broken. Add or identify smoke checks and
209
271
  synthetic transactions that cover the changed read path, changed write path, and visible business
210
272
  result without corrupting production data.
211
273
 
212
- 18. Preserve release attribution in logs and telemetry.
274
+ 22. Preserve release attribution in logs and telemetry.
213
275
  Deployment logs and runtime logs should expose commit SHA, image tag or digest, config version,
214
276
  chart or manifest revision, config version, migration version, feature flag state, deployment
215
277
  environment, deployment id, service version, and instance. Log format changes must not silently
216
278
  break alerts, dashboards, or search queries.
217
279
 
218
- 19. Version cache keys and narrow invalidation.
280
+ 23. Version cache keys and narrow invalidation.
219
281
  Cache changes need cache key versioning or compatibility. Avoid blanket flushes unless the cold
220
282
  DB load has been budgeted. Prefer narrow, gradual invalidation with fallback behavior named.
221
283
  Old code must not deserialize new cache payloads without a compatibility plan.
222
284
 
223
- 20. Guard scheduler duplication.
285
+ 24. Guard scheduler duplication.
224
286
  Cron and scheduled jobs can overlap during rolling deploys. Check singleton locks, leader
225
287
  election, idempotency keys, deployment locks, and duplicate execution behavior for old and new
226
288
  versions.
227
289
 
228
- 21. Treat CRDs and operators as schema rollouts.
290
+ 25. Treat CRDs and operators as schema rollouts.
229
291
  Custom resources, operators, storage versions, conversion strategies, and controller downgrade
230
292
  behavior can block rollback even when application pods are healthy. When those surfaces change,
231
293
  require stored-object migration, old-client compatibility, and operator downgrade notes.
232
294
 
233
- 22. Use deployment locks per service and environment.
295
+ 26. Use deployment locks per service and environment.
234
296
  Two deploys, migrations, or production commands against the same service/environment need an
235
297
  explicit conflict rule. Name the lock scope and the operator-visible owner.
236
298
 
237
- 23. Make production commands boring.
299
+ 27. Make production commands boring.
238
300
  Any production command touched by the change should have dry-run output, bounded target scope,
239
301
  explicit confirmation or ticket reference, and refusal behavior for ambiguous environment,
240
302
  tenant, region, or time range.
241
303
 
242
- 24. Reserve post-deploy observation time.
304
+ 28. Reserve post-deploy observation time.
243
305
  Deployment is not done when traffic flips. Require a post-deploy observation window with owners
244
306
  available, synthetic transaction results, dashboards, logs, queue backlog, dependency health, and
245
307
  stop-condition status checked.
@@ -257,13 +319,22 @@ incident.
257
319
  ## Review Checklist
258
320
 
259
321
  - Deployment resource ledger is complete enough to name the blast radius.
322
+ - Merge and CI gates include required checks, branch protection or equivalent merge policy,
323
+ fast-fail ordering, clean test data, flaky-test ownership, and security scan coverage.
260
324
  - Release envelope binds image digest, config, Secret, migration, flag, traffic, deployer, and time
261
325
  under a stable release identity where those platform concepts exist.
326
+ - Preview deploys are isolated, seeded, protected, cleaned up, and kept away from production secrets
327
+ and production PII.
262
328
  - Same artifact is promoted across environments or rebuild drift is explicitly controlled.
263
329
  - Rollback history is retained, the old version can stay warm when needed, and traffic rollback is
264
330
  separated from rebuilding or repulling code.
265
- - DB migration, code deploy, data backfill, cache, queue, and rollback order are separated.
266
- - Required config is validated at startup and deployment config diff is inspectable.
331
+ - DB migration, migration dry-run or shadow evidence, code deploy, data backfill, cache, queue, and
332
+ rollback order are separated.
333
+ - Required config is validated at startup, deployment config diff is inspectable, and rendered
334
+ manifests or IaC plans are policy-checked for resources, probes, privileges, secrets, and digest
335
+ pinning.
336
+ - Secrets are environment-scoped, production-gated, least-privilege, short-lived where possible,
337
+ masked in logs, and rotatable.
267
338
  - Startup, liveness, and readiness probes answer different questions.
268
339
  - Graceful shutdown, load balancer connection draining, worker drain, and interrupted work retry are
269
340
  compatible.
@@ -272,6 +343,8 @@ incident.
272
343
  - External side effects have idempotency, reconciliation, or compensation instead of rollback
273
344
  overclaim.
274
345
  - Feature flag lookup failure chooses the safe default and a kill switch can stop the change.
346
+ - Production preflight checks active incidents, error budget, queue depth, DB lag, dependency
347
+ health, quota, rollback target, feature defaults, alert mute state, and owner availability.
275
348
  - Canary cohort, version-split telemetry, and automatic stop condition are concrete, numeric, and
276
349
  tied to the changed flow.
277
350
  - Read smoke, write smoke, synthetic transaction, deployment logs, and post-deploy metrics are
@@ -315,7 +388,8 @@ When reporting a review or change, include:
315
388
  - Skills used.
316
389
  - Deployment resources touched.
317
390
  - Rollout and rollback risks found or guarded.
318
- - Config, migration, cache, queue, probe, shutdown, canary, and observation decisions.
391
+ - CI, preview, artifact promotion, config, secret, migration, IaC, cache, queue, probe, shutdown,
392
+ canary, rollback, and observation decisions.
319
393
  - Verification commands run and their result.
320
394
  - Remaining manual deployment checks, especially production-only smoke, canary, and observation
321
395
  steps that cannot be executed locally.
@@ -0,0 +1,299 @@
1
+ ---
2
+ mustflow_doc: skill.frontend-component-library-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: frontend-component-library-review
9
+ description: Apply this skill when a frontend component library, design system package, UI kit, shared component package, token system, primitive layer, variant API, theming surface, Storybook or docs site, package exports, public CSS or data attributes, accessibility behavior, controlled or uncontrolled component contract, visual regression suite, codemod, SemVer policy, or breaking-change plan is created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.frontend-component-library-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Frontend Component Library Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review frontend component libraries as public API platforms, not collections of pretty
33
+ components copied from a design file.
34
+
35
+ The core question is: "Can multiple product teams upgrade this package without guessing which
36
+ tokens, props, slots, DOM shape, CSS variables, keyboard behavior, exports, docs examples, and
37
+ release notes are contractual?" If the answer is unclear, the library is a shared copy-paste
38
+ folder wearing a package name.
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - A design system, component library, UI kit, shared React, Vue, Svelte, Web Component, CSS, or
44
+ framework-agnostic component package is created, changed, reviewed, or reported.
45
+ - Code or docs touch design tokens, CSS variables, theme modes, brand themes, density, contrast,
46
+ motion settings, primitive components, compound components, slots, variant props, polymorphic
47
+ `as` or `asChild`, public data attributes, `className` escape hatches, or package exports.
48
+ - Button, Link, TextField, Dialog, Popover, Menu, Select, Combobox, Tabs, Tooltip, Toast, Table,
49
+ Data Grid, Icon, Badge, Card, Alert, or similar reusable components gain public behavior.
50
+ - Storybook, docs, examples, props tables, visual regression stories, interaction tests,
51
+ accessibility tests, type tests, SSR or hydration checks, bundle-size checks, changelog entries,
52
+ migration guides, deprecation warnings, or codemods define consumer-facing behavior.
53
+ - A review or final report claims a component library is reusable, accessible, themeable,
54
+ design-system-ready, stable, backward compatible, SemVer-safe, or ready for external teams.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The task is ordinary app UI with no reusable package, public component API, token contract, or
60
+ cross-team consumer surface. Use the framework, UI quality, layout, or accessibility skill.
61
+ - The task only checks accessibility-tree semantics, keyboard behavior, labels, forms, dialogs, or
62
+ ARIA for a specific UI. Use `frontend-accessibility-tree-review` first.
63
+ - The task only checks frontend state drift in an application. Use `frontend-state-ownership-review`
64
+ first.
65
+ - The task only checks localization, RTL text behavior, translated layout stress, or locale SEO.
66
+ Use `frontend-localization-review` or `frontend-stress-layout-review` first.
67
+ - The task only changes package metadata or exports without component-library contracts. Use the
68
+ matching package, public API, or CLI contract skill.
69
+ - Verification would require unconfigured Storybook, browser, screenshot, visual-regression, or
70
+ package-manager commands. Report the missing evidence instead of inventing commands.
71
+
72
+ <!-- mustflow-section: required-inputs -->
73
+ ## Required Inputs
74
+
75
+ - User goal, target package or library, framework signals, consumer audience, current diff or
76
+ target files, package manager and build signals, and configured command intents.
77
+ - Package API ledger: public entrypoints, `package.json` exports, documented imports, deep-import
78
+ policy, peer dependencies, side-effect CSS, generated styles, tree-shaking claims, SSR support,
79
+ and bundle boundaries.
80
+ - Token ledger: primitive tokens, semantic tokens, component tokens, aliases, generated outputs,
81
+ CSS variables, TypeScript types, platform exports, descriptions, deprecations, owners, contrast
82
+ checks, and source-of-truth files.
83
+ - Primitive behavior ledger: dialog, popover, menu, select, combobox, tabs, tooltip, toast, focus
84
+ scope, portal, scroll lock, typeahead, roving focus, escape behavior, outside interaction, and
85
+ restore-focus contracts.
86
+ - Component contract ledger: props, slots, compound parts, refs, events, DOM ownership, data
87
+ attributes, CSS variable hooks, `className` or style overrides, polymorphic behavior, default
88
+ element, form participation, and documented examples.
89
+ - State contract ledger: controlled and uncontrolled pairs such as `value`, `defaultValue`,
90
+ `onValueChange`, `open`, `defaultOpen`, `onOpenChange`, reset rules, disabled behavior, loading
91
+ behavior, and duplicate-submit policy.
92
+ - Variant and theming ledger: semantic variant axes, impossible combinations, required accessible
93
+ names, brand, light and dark mode, density, contrast, reduced motion, forced colors, responsive
94
+ behavior, and theme-resolution order.
95
+ - Docs and test ledger: Storybook stories, anatomy docs, do and do-not guidance, accessibility and
96
+ keyboard docs, controlled examples, theme-token docs, migration docs, type tests, behavior tests,
97
+ visual regression matrix, accessibility automation, manual evidence, SSR, hydration, and bundle
98
+ checks.
99
+ - Release ledger: SemVer classification, public API definition, deprecation warnings, migration
100
+ guide, codemods, changelog, consumer upgrade path, and known breaking-change inventory.
101
+
102
+ <!-- mustflow-section: preconditions -->
103
+ ## Preconditions
104
+
105
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
106
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
107
+ current scope.
108
+ - Existing local patterns for tokens, primitives, variant helpers, styling, package exports, docs,
109
+ tests, and release notes have been searched before inventing a new component-library pattern.
110
+ - If the change touches app data, auth, payments, notifications, deployment, database, or security
111
+ behavior, also apply the narrower matching skill for that boundary.
112
+
113
+ <!-- mustflow-section: allowed-edits -->
114
+ ## Allowed Edits
115
+
116
+ - Create or refine component-library skill, docs, tests, route metadata, package metadata, template
117
+ copies, token docs, story contracts, migration notes, or release notes directly tied to the
118
+ changed component-library surface.
119
+ - Tighten public API boundaries by documenting exports, removing undocumented example deep imports,
120
+ making internal paths private, or marking such changes as breaking when consumers may rely on
121
+ them.
122
+ - Add focused tests for exports, types, roles and names, keyboard behavior, controlled and
123
+ uncontrolled state, variant constraints, token output, visual regression stories, SSR, hydration,
124
+ and bundle boundaries when existing project patterns support them.
125
+ - Do not migrate the library to a new framework, styling engine, primitive library, package manager,
126
+ Storybook setup, or token compiler unless the current task explicitly requires that migration.
127
+ - Do not treat `className`, raw `style`, hex-color props, arbitrary DOM selectors, or undocumented
128
+ internal files as harmless flexibility when they become consumer contracts.
129
+
130
+ <!-- mustflow-section: procedure -->
131
+ ## Procedure
132
+
133
+ 1. Decide whether this is a component library or ordinary app UI.
134
+ - A library has downstream consumers, public imports, reusable components, upgrade risk, docs
135
+ examples, and package or workspace boundaries.
136
+ - If it is just one screen, route to the narrower app UI skill and report that this skill does
137
+ not apply.
138
+ 2. Build the public API ledger first.
139
+ - List public exports, documented imports, package entrypoints, peer dependencies, CSS side
140
+ effects, token exports, generated files, and documented slot or DOM hooks.
141
+ - Treat docs examples as public API. Consumers copy them.
142
+ - Flag undocumented deep imports such as `dist/internal/*`, helper hooks, generated class files,
143
+ or internal token maps. Blocking existing deep imports can be breaking.
144
+ 3. Separate top-level library layers.
145
+ - Prefer clear boundaries for tokens, primitives, components, icons, utilities, docs, testing,
146
+ and codemods.
147
+ - Reject a structure where every reusable concern lands in `components/*` and the Button prop
148
+ list becomes the escape hatch for the whole system.
149
+ 4. Review token architecture.
150
+ - Separate primitive tokens such as raw colors and spacing, semantic tokens such as
151
+ action-background and text-primary, and component tokens only when component-specific tuning
152
+ is truly needed.
153
+ - Product components should usually consume semantic tokens, not Figma variable names, raw hex
154
+ values, or one-off pixel literals.
155
+ - Token source, generated CSS variables, generated TypeScript types, docs tables, platform
156
+ outputs, deprecations, and contrast checks must agree.
157
+ 5. Review theming as value substitution, not logic spread.
158
+ - Prefer root attributes, classes, or scopes that swap CSS variable values.
159
+ - Keep brand, mode, density, contrast, and motion as independent axes unless the product has a
160
+ documented reason to bundle them.
161
+ - Flag per-component `theme.mode === ...` branches, theme-object reads on every component, and
162
+ theme names that encode every axis into one untestable mega-theme.
163
+ 6. Review primitives before styled components.
164
+ - Dialog, Popover, Menu, Select, Combobox, Tabs, Tooltip, Toast, and similar primitives own
165
+ accessibility behavior, focus, keyboard, portal, layering, scroll, and dismissal policy.
166
+ - Styled components should wrap or compose primitive behavior without weakening it.
167
+ - If the project hand-rolls a primitive, require the same behavior ledger a proven primitive
168
+ library would have supplied.
169
+ 7. Treat accessibility as public API.
170
+ - Native elements, accessible names, labels, keyboard behavior, focus management, form
171
+ participation, disabled behavior, live regions, and high contrast behavior are contractual.
172
+ - `role`, `aria-*`, and data attributes imply behavior promises. Attributes without keyboard
173
+ and focus behavior are not accessibility.
174
+ - Route detailed accessibility fixes to `frontend-accessibility-tree-review`.
175
+ 8. Review component state contracts.
176
+ - Controlled and uncontrolled modes need consistent pairs: `value` with `onValueChange`,
177
+ `defaultValue` for initial internal state, `open` with `onOpenChange`, and `defaultOpen`.
178
+ - Do not mix controlled and uncontrolled ownership silently.
179
+ - Components should not couple to app stores, routers, data-fetching libraries, or form
180
+ libraries except through explicit adapters.
181
+ 9. Review variant API shape.
182
+ - Keep axes semantic and small, such as tone, emphasis, size, loading, icon-only, and disabled.
183
+ - Prevent impossible combinations with types, runtime guards, docs, or component split.
184
+ - Require an accessible name for icon-only controls, block duplicate submit when loading, and
185
+ review polymorphic `as` or `asChild` combinations for semantic breakage.
186
+ 10. Review styling contracts.
187
+ - Stable slots, data attributes, CSS variables, and documented class hooks are safer than
188
+ consumers styling incidental DOM shape.
189
+ - Decide which DOM parts are public and which are internal.
190
+ - If internal DOM, class names, or data attributes appear in docs, tests, examples, or consumer
191
+ code, changing them may be breaking.
192
+ 11. Review component-specific traps.
193
+ - Button: native button behavior, `type`, loading duplicate-submit policy, icon-only names,
194
+ disabled versus `aria-disabled`, and focus-visible styling.
195
+ - TextField: durable label, description, error wiring, `aria-invalid`, required, readOnly,
196
+ disabled, prefix and suffix, clear button, password reveal, and form reset behavior.
197
+ - Dialog: name, initial focus, focus containment, restore focus, Escape, outside interaction,
198
+ background inertness, scroll lock, nested overlays, and portal container.
199
+ - Select and Combobox: do not conflate them. Review typeahead, search, highlighted option,
200
+ selected option, groups, disabled items, mobile fallback, IME, scroll, and form behavior.
201
+ - Table and Data Grid: separate semantic table from product-grade grid behavior such as
202
+ sorting, pagination, virtualization, editing, export, and fetching.
203
+ - Icon: `currentColor`, tree-shaking, viewBox consistency, decorative `aria-hidden`, and
204
+ meaningful label strategy.
205
+ 12. Review docs as executable specs.
206
+ - Storybook or docs should show anatomy, when to use, when not to use, variants, controlled and
207
+ uncontrolled examples, accessibility names, keyboard behavior, theme tokens, form behavior,
208
+ migration notes, and do-not patterns.
209
+ - Props tables are not enough.
210
+ - Happy-path-only stories are weak contracts; important states need stories that tests can
211
+ target.
212
+ 13. Review test layers.
213
+ - Type and export tests catch public API drift.
214
+ - Behavior tests should use roles, names, keyboard events, state changes, and form behavior
215
+ instead of brittle internal selectors.
216
+ - Accessibility automation is a floor, not proof. Manual keyboard, focus, screen-reader smoke,
217
+ forced-colors, reduced-motion, and target-size evidence may still be needed.
218
+ - Visual regression should cover a representative matrix, not every combinatorial explosion.
219
+ Keep failures diagnosable.
220
+ - SSR, hydration, bundle size, tree-shaking, and CSS side-effect checks matter when the package
221
+ claims app-framework or library-mode support.
222
+ 14. Classify breaking changes broadly.
223
+ - Public API includes exports, props, prop meaning, defaults, event timing, refs, CSS variables,
224
+ token names, slot names, data attributes, documented DOM hooks, keyboard behavior, form
225
+ behavior, theme resolution order, peer dependency ranges, generated files, and docs examples.
226
+ - Removing, renaming, narrowing, changing defaults, changing ref targets, changing event order,
227
+ blocking deep imports, deleting CSS variables, or changing documented data attributes may be
228
+ major-version work.
229
+ 15. Plan migrations before removals.
230
+ - Prefer deprecation warnings and docs in a compatible release before removal.
231
+ - Provide migration notes and codemods for broad prop, import, token, or slot renames.
232
+ - Keep examples, changelog, tests, and generated docs aligned with the migration path.
233
+ 16. Report the evidence level honestly.
234
+ - Separate static package inspection, docs inspection, type-test evidence, behavior-test
235
+ evidence, visual-regression evidence, accessibility evidence, browser evidence, and
236
+ consumer-upgrade evidence.
237
+ - If an evidence path is unconfigured, name the missing configured intent or manual review
238
+ instead of claiming readiness.
239
+
240
+ <!-- mustflow-section: postconditions -->
241
+ ## Postconditions
242
+
243
+ - Public API, token, primitive behavior, component contract, state contract, variant, theming,
244
+ styling, docs, test, and release ledgers are fixed, ruled out, or reported.
245
+ - Component-library consumers can tell what is safe to import, style, theme, override, test, and
246
+ rely on across upgrades.
247
+ - Breaking-change risk is classified across code, tokens, CSS, docs, tests, package exports, and
248
+ runtime behavior.
249
+ - Missing Storybook, browser, visual, accessibility, package, or consumer-upgrade evidence is named
250
+ instead of hidden.
251
+
252
+ <!-- mustflow-section: verification -->
253
+ ## Verification
254
+
255
+ Use configured oneshot command intents when available:
256
+
257
+ - `changes_status`
258
+ - `changes_diff_summary`
259
+ - `lint`
260
+ - `build`
261
+ - `test_related`
262
+ - `test`
263
+ - `docs_validate_fast`
264
+ - `test_release`
265
+ - `mustflow_check`
266
+
267
+ Use the narrowest configured unit, component, docs, release, build, package, visual, accessibility,
268
+ or mustflow intent that covers the changed component-library contract. Do not infer raw Storybook,
269
+ browser, package-manager, visual-regression, or dev-server commands outside the command contract.
270
+
271
+ <!-- mustflow-section: failure-handling -->
272
+ ## Failure Handling
273
+
274
+ - If the public API ledger cannot be built, stop treating the change as SemVer-safe and report the
275
+ missing source of truth.
276
+ - If token source, generated CSS variables, generated types, and docs disagree, fix the source and
277
+ generated-surface contract before changing individual components.
278
+ - If a component requires custom primitive behavior but keyboard and focus behavior are unknown,
279
+ route to `frontend-accessibility-tree-review` or report the missing evidence.
280
+ - If a variant or theming change creates impossible combinations, narrow the API, split the
281
+ component, or report the product decision needed.
282
+ - If tests fail, preserve the configured intent name and failure evidence, then fix the contract
283
+ surface rather than weakening tests.
284
+ - If release impact is unclear, apply `date-number-audit` before editing versions or release notes.
285
+
286
+ <!-- mustflow-section: output-format -->
287
+ ## Output Format
288
+
289
+ - Component-library surface reviewed
290
+ - Package API, token, primitive, component, state, variant, theming, styling, docs, test, and release
291
+ ledgers
292
+ - Findings, fixes, or recommendations
293
+ - Breaking-change and migration classification
294
+ - Evidence level by docs, types, behavior, accessibility, visual, package, browser, and consumer
295
+ upgrade surface
296
+ - Narrower skills used or deferred
297
+ - Command intents run
298
+ - Skipped component-library checks and reasons
299
+ - Remaining component-library contract risk