mustflow 2.107.9 → 2.108.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/cli/commands/api/serve.js +73 -10
  2. package/dist/core/run-receipt-state.js +23 -2
  3. package/dist/core/secret-redaction.js +6 -1
  4. package/package.json +1 -1
  5. package/schemas/api-serve-response.schema.json +1 -0
  6. package/templates/default/i18n.toml +48 -12
  7. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
  8. package/templates/default/locales/en/.mustflow/skills/INDEX.md +52 -14
  9. package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
  10. package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
  11. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
  12. package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
  13. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
  14. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
  15. package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
  16. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
  17. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
  18. package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
  19. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
  20. package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
  21. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
  22. package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
  23. package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
  24. package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
  25. package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
  26. package/templates/default/manifest.toml +43 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.frontend-localization-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 1
5
+ revision: 2
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: frontend-localization-review
9
- description: Apply this skill when frontend UI, product copy, messages, metadata, notifications, exports, locale handling, formatting, sorting, search, SSR hydration, RTL behavior, or i18n tests are created, changed, reviewed, or reported and localization correctness must be checked beyond visible JSX text.
9
+ description: Apply this skill when frontend UI, product copy, messages, translation keys, message catalogs, metadata, SEO or hreflang, localized routes, notifications, exports, locale handling, fallback, translation workflow, formatting, sorting, search, SSR hydration, RTL behavior, or i18n tests are created, changed, reviewed, or reported and localization correctness must be checked beyond visible JSX text.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -29,18 +29,20 @@ metadata:
29
29
  <!-- mustflow-section: purpose -->
30
30
  ## Purpose
31
31
 
32
- Review frontend localization by tracing every user-visible string, locale-sensitive value, direction-sensitive layout choice, and exported text surface instead of only scanning visible JSX text.
32
+ Review frontend localization by tracing every user-visible string, locale-sensitive value, locale route, direction-sensitive layout choice, translation workflow, and exported text surface instead of only scanning visible JSX text.
33
33
 
34
- The core question is: "Can the product say the right thing, in the right grammar, format, direction, tone, and channel for this user's language, region, currency, unit, and time zone?" A translated screen is not localized if placeholders, validation errors, file names, emails, metadata, numbers, dates, sort order, or fallback behavior still leak the source locale.
34
+ The core question is: "Can the product say the right thing, in the right grammar, format, direction, tone, URL, search result, and channel for this user's language, region, currency, unit, and time zone?" A translated screen is not localized if placeholders, validation errors, file names, emails, metadata, numbers, dates, sort order, URL structure, or fallback behavior still leak the source locale.
35
35
 
36
36
  <!-- mustflow-section: use-when -->
37
37
  ## Use When
38
38
 
39
39
  - Frontend UI, product copy, forms, validation, error messages, empty states, toasts, dialogs, emails, push notifications, share text, exports, downloads, PDFs, CSVs, calendar invites, charts, canvas, SVG text, document titles, metadata, Open Graph, or SEO text are created, changed, reviewed, or reported.
40
- - Code adds or changes translation keys, message catalogs, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, `meta` tags, Open Graph text, browser `confirm` text, chart labels, file names, copy-to-clipboard text, or backend error-code mapping.
40
+ - Code adds or changes translation keys, key naming, stale or missing key behavior, message catalogs, `t(...)`, ICU messages, placeholders, `aria-label`, `title`, `alt`, `meta` tags, Open Graph text, browser `confirm` text, chart labels, file names, copy-to-clipboard text, or backend error-code mapping.
41
41
  - Code adds or changes date, time, relative-time, number, currency, percent, unit, plural, list, case, collation, search normalization, truncation, string length, or user-input parsing logic.
42
- - UI needs to support long translated labels, pseudo localization, RTL or bidirectional text, locale-specific font fallback, language switching, server rendering, hydration, or client/server locale agreement.
43
- - A review or final report claims a surface is translated, localization-safe, i18n-ready, RTL-ready, locale-aware, or global-ready.
42
+ - UI needs to support long translated labels, pseudo localization, RTL or bidirectional text, locale-specific font fallback, language switching, locale-specific routes, server rendering, hydration, or client/server locale agreement.
43
+ - International SEO changes involve language-specific URLs, canonical links, `hreflang`, `x-default`, locale sitemaps, localized title or meta description, Open Graph, structured data, or automatic locale redirects.
44
+ - Translation workflow, TMS sync, string freeze, glossary, translation memory, screenshot context, placeholder metadata, locale launch readiness, missing-key telemetry, or fallback monitoring is created, changed, reviewed, or reported.
45
+ - A review or final report claims a surface is translated, localization-safe, i18n-ready, l10n-ready, RTL-ready, locale-aware, SEO-localized, or global-ready.
44
46
 
45
47
  <!-- mustflow-section: do-not-use-when -->
46
48
  ## Do Not Use When
@@ -48,6 +50,7 @@ The core question is: "Can the product say the right thing, in the right grammar
48
50
  - The task is only hostile layout resilience from long translated text or RTL layout without translation, formatting, or locale-state risk; use `frontend-stress-layout-review` first and this skill only for localization semantics.
49
51
  - The task is only accessibility names, labels, ARIA, keyboard, focus, or assistive-technology behavior; use `frontend-accessibility-tree-review` first and this skill only when translated names or visible-label consistency are involved.
50
52
  - The task is only copy tone in one language with no locale, formatting, fallback, or translation-key surface.
53
+ - The task is only generic SEO unrelated to locale-specific URLs, metadata, hreflang, translated content, or locale routing.
51
54
  - No user-visible text, locale-sensitive value, user-entered text, exported text, metadata, search, sort, SSR locale, or direction-sensitive behavior is affected.
52
55
  - Verification would require an unconfigured pseudo-localization, screenshot, browser, or translation-management workflow. Report the missing localization evidence instead of inventing raw commands.
53
56
 
@@ -55,12 +58,27 @@ The core question is: "Can the product say the right thing, in the right grammar
55
58
  ## Required Inputs
56
59
 
57
60
  - User goal, changed UI or text surface, current diff or target files, framework and i18n library signals, supported locale policy, and configured command intents.
61
+ - Locale model ledger: language, script, region, calendar, numbering system, time zone, currency,
62
+ measurement unit, explicit user preference, URL locale, cookie or account locale, browser hint,
63
+ and fallback order.
58
64
  - String exposure ledger: visible text, placeholders, labels, `aria-label`, `title`, `alt`, document title, metadata, Open Graph, toasts, validation, errors, empty states, confirm prompts, chart labels, SVG text, canvas text, clipboard text, download file names, emails, push notifications, exports, PDFs, CSV headers, and calendar invites.
59
- - Message-shape ledger: full sentence keys, interpolation values, grammatical context, plural categories, zero case, Korean particles or other inflection needs, tone or formality, reusable key risks, and HTML or component interpolation.
65
+ - Translation-key ledger: key naming policy, domain or screen namespace, context, source text,
66
+ translator notes, key reuse, key lifecycle, stale keys, missing keys, fallback behavior, and
67
+ source-of-truth catalog.
68
+ - Message-shape ledger: full sentence keys, interpolation values, placeholder names and examples, grammatical context, plural categories, select cases, zero case, Korean particles or other inflection needs, tone or formality, reusable key risks, and HTML or component interpolation.
60
69
  - Format ledger: dates, times, relative times, time zones, calendars, numbers, currency, percent, units, measurement systems, list formatting, input parsing, and display versus storage values.
61
70
  - Text-processing ledger: case conversion, search, sort, collation, accent handling, Unicode normalization, grapheme segmentation, truncation, ellipsis policy, and file or user name handling.
62
71
  - Direction and layout ledger: RTL, bidirectional user content, `dir="auto"`, logical CSS properties, direction-sensitive icons, font fallback, line height, long translated labels, pseudo localization, and locale-specific screenshot coverage.
63
72
  - Runtime locale ledger: language versus region versus currency versus time zone versus unit settings, fallback behavior, missing-key handling, server-rendered locale, client hydration locale, and backend error-code mapping.
73
+ - SEO and routing ledger: localized URL shape, route locale priority, automatic redirects, canonical
74
+ links, `hreflang`, `x-default`, locale sitemap, translated metadata, Open Graph, structured data,
75
+ and crawler-visible content.
76
+ - Translation workflow ledger: key extraction, static validation, TMS or XLIFF sync, glossary,
77
+ translation memory, screenshot context, string freeze, human review requirements, AI translation
78
+ limits, locale launch threshold, and release blocking rules.
79
+ - Operations ledger: missing-key rate, fallback rate, bundle load failures, per-locale error rate,
80
+ conversion or task metrics, locale-specific support tickets, and safe logging fields such as
81
+ requested locale, resolved locale, fallback chain, time zone, and currency.
64
82
  - Evidence level: static string inventory, catalog diff, pseudo-localization evidence, locale snapshot evidence, configured tests, SSR hydration evidence, or missing evidence.
65
83
 
66
84
  <!-- mustflow-section: preconditions -->
@@ -69,6 +87,8 @@ The core question is: "Can the product say the right thing, in the right grammar
69
87
  - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
70
88
  - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
71
89
  - Existing local patterns for message catalogs, ICU syntax, locale routing, formatters, error-code mapping, pseudo localization, RTL support, and exported text have been searched before adding a new pattern.
90
+ - Locale decisions are treated as product state, not only presentation. Do not assume language,
91
+ country, currency, time zone, and measurement unit are the same setting.
72
92
  - If localization changes affect layout, accessibility, payment, business rules, security, or API contracts, also apply the narrower matching skill for that boundary.
73
93
 
74
94
  <!-- mustflow-section: allowed-edits -->
@@ -79,7 +99,9 @@ The core question is: "Can the product say the right thing, in the right grammar
79
99
  - Add or correct plural, zero, context-specific, tone-specific, Korean particle, or inflection-safe messages when the project pattern supports them.
80
100
  - Replace ad hoc date, time, number, currency, unit, list, sort, search, and segmentation logic with locale-aware helpers or existing project formatters.
81
101
  - Add or refine RTL, `dir="auto"`, logical CSS property, pseudo-localization, locale screenshot, missing-key, backend error-code mapping, and export-text coverage where existing project patterns support them.
82
- - Do not invent a translation-management system, rewrite all catalogs, install i18n packages, machine-translate production copy, or broaden product language policy beyond the changed surface.
102
+ - Add or refine localized route metadata, `hreflang`, canonical, locale sitemap, fallback telemetry,
103
+ or key lifecycle checks where existing project patterns support them.
104
+ - Do not invent a translation-management system, rewrite all catalogs, install i18n packages, machine-translate production copy, change legal or pricing copy semantics, or broaden product language policy beyond the changed surface.
83
105
 
84
106
  <!-- mustflow-section: procedure -->
85
107
  ## Procedure
@@ -93,74 +115,144 @@ The core question is: "Can the product say the right thing, in the right grammar
93
115
  3. Check context-specific wording.
94
116
  - Do not reuse a generic key when the same source word means different things, such as file open, business open, and public status.
95
117
  - Prefer keys that name the product context, user action, and destination surface rather than a short dictionary word.
96
- 4. Check destructive and action labels as complete phrases.
118
+ 4. Check translation-key lifecycle.
119
+ - Do not use raw source prose as a stable key when ordinary copy editing would invalidate all
120
+ translations.
121
+ - Do not use dictionary keys such as `ok`, `title`, `description`, or `submit` when the key
122
+ lacks product context.
123
+ - Check added, renamed, unused, orphaned, and missing keys, including keys that exist only in
124
+ default-language catalogs or only in the translation platform.
125
+ - Missing keys and fallback usage should be visible in development, CI, staging, or production
126
+ diagnostics according to project policy.
127
+ 5. Check destructive and action labels as complete phrases.
97
128
  - Do not build labels like `Delete {item}` from separate translated parts when languages need different order, case, or particles.
98
129
  - Use context-specific messages such as delete project, delete file, or delete account.
99
- 5. Check plural and zero cases.
130
+ 6. Check plural, select, and zero cases.
100
131
  - Do not model plural as only `count === 1`.
101
- - Use ICU plural or the project's plural system for all supported locale categories.
132
+ - Use ICU plural, select, or the project's message system for all supported locale categories and
133
+ state or gender variants.
102
134
  - Give zero-result states their own UX wording when "0 items" would be awkward or misleading.
103
- 6. Check language-specific grammar traps.
135
+ - Keep complex plural or select branches as complete sentences so translators can move words,
136
+ variables, and clauses safely.
137
+ 7. Check language-specific grammar traps.
104
138
  - For Korean, review particles such as eun/neun, i/ga, eul/reul, and wa/gwa or avoid the particle with a safer sentence shape.
105
139
  - For other languages, check case, gender, noun class, politeness, or inflection needs when dynamic values are inserted into prose.
106
- 7. Check tone and formality inside one flow.
140
+ - Prefer neutral rewrites over collecting sensitive profile attributes such as gender only to
141
+ satisfy grammar in one message.
142
+ 8. Check placeholder and rich-context metadata.
143
+ - Named placeholders should explain whether the value is a person, organization, URL, amount,
144
+ count, product name, untranslated brand term, or user-provided text.
145
+ - Translators need screenshots, character limits, tone, glossary terms, and examples for
146
+ ambiguous words such as free, open, archive, owner, and plan.
147
+ 9. Check tone and formality inside one flow.
107
148
  - Compare adjacent labels, confirmations, validation messages, empty states, and recovery actions.
108
149
  - A flow that mixes formal and casual voice should be fixed or reported as product-language drift.
109
- 8. Check date, time, and relative-time formatting.
150
+ 10. Check date, time, calendar, and relative-time formatting.
110
151
  - Reject manual assembly such as `year + '.' + month + '.' + day`.
111
152
  - Use locale-aware formatters and confirm whether the user's time zone, server time zone, and stored instant can shift deadlines, bookings, billing dates, or "yesterday" labels.
153
+ - Store instants and local event time-zone identifiers intentionally. Recurring local-time events
154
+ should not become naive UTC repeats when daylight-saving or civil-time rules matter.
112
155
  - Treat `new Date()` in render paths, server-rendered relative time, and client hydration time as mismatch risks.
113
- 9. Check numbers, currency, percent, and units.
156
+ 11. Check numbers, currency, percent, and units.
114
157
  - Do not rely on comma insertion, fixed decimal assumptions, or locale-agnostic `Number(input)` parsing.
115
158
  - Separate display format from canonical stored value.
116
159
  - Keep language, region, currency, time zone, and measurement unit as separate settings unless the product has an explicit rule tying them together.
117
- 10. Check collation, search, and normalization.
160
+ - For prices, invoices, receipts, taxes, and billing text, distinguish display currency,
161
+ settlement or charge currency, tax inclusion, rounding, exchange-rate snapshot, and legal
162
+ document requirements.
163
+ 12. Check collation, search, and normalization.
118
164
  - Do not trust default `sort()`, raw `localeCompare` without locale intent, or plain `toLowerCase()` for user-facing search and sort.
119
165
  - Use locale-aware collation where order matters.
120
166
  - Normalize Unicode when comparing user names, filenames, tags, search queries, accents, combining characters, or Hangul variants.
121
- 11. Check grapheme-safe length, truncation, and ellipsis.
167
+ - Align client filtering, database collation, and search-engine analyzers so search results do
168
+ not differ by layer.
169
+ 13. Check names, addresses, phone numbers, and user data.
170
+ - Do not force global users into first-name/last-name, state/ZIP-only addresses, numeric phone
171
+ numbers, numeric postal codes, ASCII-only names, or fixed short field limits.
172
+ - Treat names, phone numbers, postal codes, and identifiers as display strings unless the domain
173
+ has a validated canonical structure.
174
+ 14. Check grapheme-safe length, truncation, and ellipsis.
122
175
  - Do not use `.length` and `slice(0, n)` when user-visible text may contain emoji, flags, skin tones, combining marks, or complex scripts.
123
176
  - Use grapheme-aware segmentation or existing utilities.
124
177
  - Choose ellipsis by content meaning: paths may need middle truncation, names may need enough disambiguating text, and amounts should not be truncated.
125
- 12. Check RTL and bidirectional text.
178
+ 15. Check RTL and bidirectional text.
126
179
  - Replace physical `left` and `right` assumptions with logical `start`, `end`, `inline-start`, and `inline-end` where direction depends on language.
127
180
  - Use `dir="auto"` for user-generated names, comments, reviews, addresses, chat, and profile text when direction may differ from the UI locale.
181
+ - Ensure document or route shells set compatible `lang` and `dir` values, not only leaf text.
128
182
  - Do not mirror all icons blindly. Back, next, drawer, and carousel direction may flip; play, download, clock, and brand icons usually should not.
129
- 13. Check translated layout resilience.
183
+ 16. Check translated layout resilience.
130
184
  - Long German, French, Vietnamese, Arabic, pseudo-localized, and compact CJK labels need real fixtures.
131
185
  - Fixed-width buttons, tabs, table headers, modal titles, `white-space: nowrap`, and fixed-height rows should be routed to `frontend-stress-layout-review` when geometry changes are needed.
132
- 14. Check font fallback.
186
+ 17. Check font fallback.
133
187
  - CJK, Thai, Arabic, Hindi, and emoji may need safe fallback fonts, line-height tolerance, and real glyph coverage.
134
188
  - Watch icon fonts, fake bold, missing weights, and square tofu glyphs.
135
- 15. Check pseudo localization and locale snapshots.
189
+ 18. Check pseudo localization and locale snapshots.
136
190
  - Prefer pseudo localization for hardcoded strings, missing keys, broken interpolation, glyph support, and expansion stress before real translations arrive.
137
191
  - For high-trust flows, compare at least a long-language locale, an RTL locale, and a dense CJK or Japanese-style locale when the project has such coverage.
138
- 16. Check SSR and hydration locale agreement.
192
+ 19. Check locale routing and preference priority.
193
+ - Prefer explicit user or URL locale over `Accept-Language` or browser hints. Browser hints
194
+ should not overwrite a user's saved or URL-selected language.
195
+ - Define priority across URL locale, account preference, cookie, browser hint, and default
196
+ locale so server and client choose the same locale.
197
+ - Avoid one URL serving many languages unless cache, SEO, and `Vary` behavior are explicitly
198
+ designed.
199
+ 20. Check SSR and hydration locale agreement.
139
200
  - Server and client must receive compatible locale, time zone, messages, and formatter inputs.
140
201
  - Default-language server output followed by client language switching can cause flicker, hydration mismatch, SEO drift, and different date or number text on first render.
141
- 17. Check fallback and missing-key behavior.
202
+ 21. Check fallback and missing-key behavior.
142
203
  - In development, missing keys should be loud enough to catch.
143
204
  - In production, fallback should protect the user while logs, metrics, or diagnostics make the missing translation visible to maintainers.
144
205
  - Do not treat silent English fallback as a successful localization state.
145
- 18. Check HTML and rich text in translations.
206
+ - Separate locale fallback, namespace fallback, key fallback, runtime bundle-load fallback, and
207
+ SEO fallback. They solve different failures and need different evidence.
208
+ 22. Check international SEO.
209
+ - Locale variants should have crawler-visible, stable URLs when SEO matters.
210
+ - Check `lang`, localized title and meta description, Open Graph, canonical URL,
211
+ self-referencing and reciprocal `hreflang`, `x-default`, locale sitemap, and structured data
212
+ when those surfaces exist.
213
+ - Do not canonical every translated page to the source-language URL unless the product intends
214
+ those localized pages not to be indexed.
215
+ - Avoid forced automatic redirects that prevent users or crawlers from reaching other locale
216
+ versions.
217
+ 23. Check HTML and rich text in translations.
146
218
  - Do not let translators edit raw HTML when component interpolation can preserve link, emphasis, and accessibility structure safely.
147
219
  - Links and emphasis inside a sentence must be movable by locale without exposing XSS, broken tags, or fixed English word order.
148
- 19. Check backend error message boundaries.
220
+ 24. Check backend error message boundaries.
149
221
  - Do not show raw backend prose such as "Invalid password" directly in localized UI.
150
222
  - Prefer stable error codes mapped to localized frontend messages, with safe fallback for unknown codes.
151
- 20. Check export, share, and notification surfaces.
223
+ 25. Check image, media, and culturally loaded assets.
224
+ - Text embedded in images, screenshots, app-store assets, email headers, PDFs, videos, and
225
+ onboarding media bypasses normal translation pipelines unless assets are locale-keyed.
226
+ - Review flags-as-language selectors, culturally loaded symbols, gestures, holidays, maps,
227
+ colors, and people imagery when the surface is public or high-trust.
228
+ 26. Check export, share, and notification surfaces.
152
229
  - Confirm CSV headers, PDF receipts, downloaded file names, email subjects, email bodies, push notifications, share text, clipboard output, printed output, and calendar invites follow the same language and formatting policy as the screen.
153
- 21. Report evidence by surface.
230
+ 27. Check translation workflow and release gates.
231
+ - Key extraction, catalog validation, placeholder parity, ICU syntax, unused-key cleanup,
232
+ missing-key blocking, TMS or XLIFF sync, glossary, translation memory, screenshot context,
233
+ string freeze, human review, and locale launch thresholds should be named when the task claims
234
+ production localization readiness.
235
+ - AI or machine translation may be a draft input, but legal, billing, privacy, security,
236
+ medical, tax, refund, and marketing claims need the review path required by the product.
237
+ 28. Check operations and telemetry.
238
+ - Per-locale missing-key rate, fallback rate, bundle load failure, error rate, conversion,
239
+ support tickets, search traffic, refund or billing contacts, and localized-route crawl health
240
+ should be observable for launched locales when the project has such telemetry.
241
+ - Logs may include requested locale, resolved locale, fallback chain, time zone, currency, and
242
+ route locale, but should not become user fingerprinting or leak sensitive content.
243
+ 29. Report evidence by surface.
154
244
  - Separate string-inventory evidence, catalog evidence, formatter evidence, pseudo-localization evidence, screenshot evidence, SSR evidence, and export or notification evidence.
155
- - If a claim is static-only, say which runtime locale, time zone, RTL, pseudo-localization, or export proof is missing.
245
+ - If a claim is static-only, say which runtime locale, time zone, RTL, pseudo-localization, SEO,
246
+ translation workflow, or export proof is missing.
156
247
 
157
248
  <!-- mustflow-section: postconditions -->
158
249
  ## Postconditions
159
250
 
160
251
  - User-visible strings across screen, metadata, notifications, exports, downloads, and assistive labels are either localized, intentionally excluded, or reported.
161
- - Messages use full translation units, named interpolation, contextual keys, plural and zero handling, tone consistency, and grammar-safe dynamic values where relevant.
162
- - Dates, times, numbers, currencies, units, search, sort, case conversion, Unicode normalization, grapheme length, truncation, RTL, bidi text, font fallback, SSR locale, fallback, backend errors, and rich text are fixed, ruled out, or reported where relevant.
163
- - Localization readiness claims distinguish static catalog evidence from pseudo-localization, locale snapshot, SSR, runtime formatter, and export evidence.
252
+ - Messages use full translation units, named interpolation, contextual keys, plural, select, zero handling, tone consistency, and grammar-safe dynamic values where relevant.
253
+ - Translation keys, locale routes, fallback behavior, SEO metadata, `hreflang`, canonical behavior, translation workflow, and missing-key telemetry are fixed, ruled out, or reported where relevant.
254
+ - Dates, times, numbers, currencies, units, names, addresses, search, sort, case conversion, Unicode normalization, grapheme length, truncation, RTL, bidi text, font fallback, SSR locale, fallback, backend errors, and rich text are fixed, ruled out, or reported where relevant.
255
+ - Localization readiness claims distinguish static catalog evidence from pseudo-localization, locale snapshot, SSR, runtime formatter, SEO, translation workflow, operations telemetry, and export evidence.
164
256
 
165
257
  <!-- mustflow-section: verification -->
166
258
  ## Verification
@@ -183,9 +275,9 @@ Use the narrowest configured unit, component, i18n, screenshot, build, docs, rel
183
275
  ## Failure Handling
184
276
 
185
277
  - If a string surface cannot be enumerated, report the missing exposure ledger before claiming localization coverage.
186
- - If the project has no plural, formatter, collation, segmentation, pseudo-localization, or missing-key pattern, preserve existing behavior and report the missing project contract instead of inventing a broad framework.
278
+ - If the project has no plural, formatter, collation, segmentation, localized-route, SEO, pseudo-localization, translation-workflow, or missing-key pattern, preserve existing behavior and report the missing project contract instead of inventing a broad framework.
187
279
  - If language, region, currency, time zone, or unit settings are conflated, avoid patching one locale branch only; report the model issue or make the smallest local split required by the changed surface.
188
- - If translation changes alter accessibility names, focus recovery, layout geometry, payment meaning, legal copy, or security-sensitive messaging, apply the matching skill before continuing that part.
280
+ - If translation changes alter accessibility names, focus recovery, layout geometry, payment meaning, legal copy, SEO indexing, privacy disclosures, or security-sensitive messaging, apply the matching skill before continuing that part.
189
281
  - If a configured test or build fails after a localization change, preserve the failing intent and output tail, then use `failure-triage` before broadening the fix.
190
282
  - If verification requires unconfigured browser, pseudo-localization, screenshot, SSR, export, or translation-management tooling, stop at that boundary and report the skipped check.
191
283
 
@@ -194,9 +286,9 @@ Use the narrowest configured unit, component, i18n, screenshot, build, docs, rel
194
286
 
195
287
  - Frontend localization surface reviewed
196
288
  - String exposure ledger
197
- - Message-shape, plural, zero, grammar, tone, formatter, search, sort, normalization, segmentation, RTL, bidi, font, SSR, fallback, backend-error, rich-text, export, share, and notification checks where relevant
289
+ - Locale model, translation-key, message-shape, plural, select, zero, grammar, tone, formatter, search, sort, normalization, segmentation, RTL, bidi, font, locale routing, SEO, SSR, fallback, backend-error, rich-text, workflow, operations, export, share, and notification checks where relevant
198
290
  - Localization fixes or recommendations
199
- - Evidence level: static inventory, catalog, configured test, pseudo-localization, screenshot, SSR, export, manual-only, missing, or not applicable
291
+ - Evidence level: static inventory, catalog, configured test, pseudo-localization, screenshot, SEO, SSR, translation workflow, operations telemetry, export, manual-only, missing, or not applicable
200
292
  - Command intents run
201
293
  - Skipped localization checks and reasons
202
294
  - Remaining localization risk
@@ -0,0 +1,226 @@
1
+ ---
2
+ mustflow_doc: skill.notification-delivery-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: notification-delivery-integrity-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and notification systems, email, push, in-app notifications, SMS, notification preferences, unsubscribe, suppression, digest, quiet hours, timezone scheduling, rate limits, deduplication, retries, provider webhooks, delivery attempts, templates, notification inboxes, notification audit logs, or notification provider integrations need review for delivery integrity, user consent, duplicate prevention, channel policy, and explainability.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.notification-delivery-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Notification Delivery Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review notification systems as event, policy, schedule, delivery, provider, suppression, inbox, and audit flows rather than as a single send call.
33
+
34
+ The review question is not "did the code send a notification?" It is "can the system explain which source event created which notification intent, why each recipient and channel was allowed or suppressed, when delivery was attempted, what the provider accepted or rejected, and how retries, duplicates, preferences, timezone, digest, and user safety were handled?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Code creates, changes, reviews, or reports notification generation, recipient selection, email, push, SMS, in-app notification, digest, reminder, campaign, announcement, marketing message, transactional message, security alert, receipt, legal notice, or product activity alert behavior.
40
+ - Code touches notification preferences, unsubscribe links, preference centers, one-click unsubscribe headers, suppression lists, bounce handling, spam complaints, invalid push tokens, quiet hours, timezone scheduling, rate limits, duplicate prevention, aggregation windows, retry policy, queue workers, provider adapters, provider webhooks, or delivery audit logs.
41
+ - Code adds or changes notification templates, localization, subject lines, push payloads, in-app cards, deep links, sensitive preview text, provider message IDs, message tags, campaign IDs, or operator tools that answer why a notification was sent or suppressed.
42
+ - A review or final report claims notification delivery is idempotent, retry-safe, unsubscribe-safe, digest-safe, timezone-safe, zero-downtime, provider-ready, inbox-ready, privacy-safe, or explainable to support and operators.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task is only a generic external provider boundary with no notification lifecycle, preference, or user-message semantics; use `adapter-boundary`.
48
+ - The task is only generic rate-limit mechanics, retry policy, queue settlement, or idempotency outside notifications; use the narrower integrity skill first.
49
+ - The task is only visible frontend copy, translation keys, date or number formatting, RTL, SEO, or export localization; use `frontend-localization-review` first and this skill only for notification channel semantics.
50
+ - The task is primarily payment, credit, authentication, security, file, or deployment integrity; use the narrower domain skill first and this skill for notification-specific delivery and preference behavior.
51
+ - The operation is local-only logging, analytics, or telemetry that no user receives and no operator treats as a notification.
52
+
53
+ <!-- mustflow-section: required-inputs -->
54
+ ## Required Inputs
55
+
56
+ - Notification event ledger: source event, producer, causation ID, event schema version, outbox record, replay or backfill source, and whether the event is a fact, request, or best-effort signal.
57
+ - Notification intent ledger: notification type, recipient, tenant or scope, category, priority, semantic dedupe key, template or semantic version, policy snapshot, and intended user-visible outcome.
58
+ - Recipient, channel, and category ledger: security, transactional, receipt, legal, product activity, social, marketing, recommendation, reminder, or digest classification; channel eligibility; fallback policy; and mandatory versus optional delivery rules.
59
+ - Preference and legal policy ledger: user, email address, device, tenant, workspace, channel, category, scope, consent source, unsubscribe state, legal override, and final pre-send preference recheck.
60
+ - Suppression ledger: hard bounce, soft bounce, complaint, unsubscribe, invalid push token, inactive device, deleted account, privacy deletion, operator block, provider suppression, and whether suppression overrides user preferences.
61
+ - Schedule, timezone, quiet hours, and digest ledger: user, device, workspace, or tenant timezone; recurring local intent; next UTC run; daylight-saving behavior; quiet hours; aggregation window; digest window; digest ID; and delayed or canceled delivery rules.
62
+ - Delivery job and attempt ledger: queue, priority, channel, provider, provider account or domain, idempotency key, next attempt time, attempt count, retry class, request hash, provider message ID, outcome, latency, and dead-letter state.
63
+ - Provider event ledger: provider webhook signature, provider event ID, message ID, bounce, complaint, delivered or accepted event, open or click event, token invalidation, duplicate event, out-of-order event, and reconciliation path.
64
+ - In-app inbox ledger: inbox item snapshot, read or unread state, archive, delete, expiry, unread count, pagination, mark-all-read boundary, resource deletion fallback, and permission-lost behavior.
65
+ - Audit, security, privacy, and operations ledger: why sent, why suppressed, who or what triggered it, sensitive body retention, redaction, account deletion behavior, operator resend rules, dry run, sample, canary, ramp-up, kill switch, campaign cancel, and cost or volume estimate.
66
+ - Relevant command-intent contract entries for tests, builds, docs, release metadata, and mustflow validation.
67
+
68
+ <!-- mustflow-section: preconditions -->
69
+ ## Preconditions
70
+
71
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
72
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
73
+ - Existing local notification, outbox, queue, idempotency, preference, provider adapter, template, localization, audit, and operator patterns have been searched before adding new shapes.
74
+ - Missing source event, preference, suppression, provider webhook, or audit evidence can be reported without guessing.
75
+ - If repeated attempts move money, permissions, personal data, security alerts, legal notices, or durable business state, also apply the matching payment, security, idempotency, queue, retry, rate-limit, transaction, or localization skill.
76
+
77
+ <!-- mustflow-section: allowed-edits -->
78
+ ## Allowed Edits
79
+
80
+ - Add or tighten notification event, notification intent, schedule, delivery job, delivery attempt, provider event, suppression, preference snapshot, in-app inbox, audit, and operator evidence records.
81
+ - Split one `sendNotification`-style path into source event, intent, schedule, delivery attempt, provider event, inbox, and audit boundaries when local architecture supports it.
82
+ - Add or tighten semantic dedupe keys, unique constraints, aggregation windows, digest state, pre-send preference rechecks, bounce and complaint suppression, provider webhook verification, retry classification, DLQ handling, quiet-hour handling, timezone-safe scheduling, and focused tests.
83
+ - Add or tighten template snapshot, sensitive-content redaction, lockscreen-safe push payload, deep-link permission recheck, account deletion cancellation, and support-facing why sent or why suppressed evidence.
84
+ - Do not add live provider calls, mass sends, campaigns, local servers, worker daemons, browser sessions, provider dashboard changes, load tests, or raw production replay outside the configured command contract.
85
+ - Do not treat provider API success, push acceptance, email open, frontend disabling, in-memory dedupe, or a log line as proof of actual user delivery or delivery integrity.
86
+
87
+ <!-- mustflow-section: procedure -->
88
+ ## Procedure
89
+
90
+ 1. Split the lifecycle before judging correctness.
91
+ - Name the source event, notification intent, schedule or delivery plan, delivery attempt, provider event, suppression decision, in-app inbox item, and audit record.
92
+ - A source event such as comment created, payment failed, password changed, or terms updated should not directly become an email API call unless the system intentionally accepts the missing replay and audit boundary.
93
+ - If source event, notification intent, schedule, delivery attempt, and provider event are collapsed into one row or function, report which duplicate, retry, suppression, or explainability risk that hides.
94
+ 2. Classify the notification type.
95
+ - Security alerts, transactional messages, receipts, legal notices, product activity, social updates, marketing, recommendations, reminders, and digests have different consent, urgency, content, and retry rules.
96
+ - Do not use one global opt-out to decide every category.
97
+ - Do not use a product notification label to bypass marketing consent.
98
+ 3. Keep source events durable.
99
+ - Prefer an outbox or equivalent durable record when a business transaction should produce notifications after commit.
100
+ - Backfill and replay should be able to regenerate missing intents while excluding already-sent or intentionally suppressed notifications.
101
+ - Record causation and event schema version so later operators can explain why the intent exists.
102
+ 4. Review recipient and scope selection.
103
+ - Bind recipients to tenant, workspace, organization, team, project, resource, role, and permission at intent creation time.
104
+ - Recheck permission before send and again on click when the target resource may have been deleted, hidden, or permission-revoked.
105
+ - B2B notifications should not let one tenant's preference or suppression silence another tenant's legally or operationally distinct message.
106
+ 5. Review preference and legal policy as data.
107
+ - Store preference decisions by user, address or device, channel, category, and scope where the product needs those dimensions.
108
+ - Snapshot the policy used for an intent, then re-evaluate the latest preference, permission, and suppression before delivery.
109
+ - Record "why suppressed" with enough detail for support without logging sensitive content.
110
+ 6. Review email as provider acceptance, not inbox truth.
111
+ - API success usually means the provider accepted the request, not that the message reached an inbox.
112
+ - Check sender domain separation, SPF, DKIM, DMARC, reverse DNS, TLS, From alignment, Message-ID, tracking-domain reputation, and provider account or IP pool boundaries where the repository owns them.
113
+ - Separate transactional or relationship mail from commercial or marketing mail.
114
+ - Implement one-click unsubscribe where the channel and jurisdiction require it, and keep preference-page GET links from mutating state under link scanners.
115
+ - Treat hard bounce and complaint as suppression events. Soft bounces need counted policy, not infinite retry. Suppression should override a user's "send me mail" preference when the address is not deliverable or has complained.
116
+ 7. Review push as a wake-up signal, not guaranteed display.
117
+ - FCM, APNs, or another push provider accepting a message does not prove the user saw it.
118
+ - Store push token records per device, app installation, account, tenant, platform, permission status, locale, timezone, app version, last seen, last success, and invalidated time where those dimensions matter.
119
+ - Logout and account switching must detach or fence old push tokens so one account's private notification cannot appear on another account's device.
120
+ - Use a collapse key only for replaceable messages. Do not collapse chat, security, payment, or audit-significant events that users must receive individually.
121
+ - Keep lockscreen push text safe for the most sensitive supported tenant and account setting.
122
+ 8. Review the in-app inbox as a product record.
123
+ - In-app inbox entries need stable snapshots, read or unread state, archive, delete, expiry, pagination, unread count, and multi-device sync semantics.
124
+ - Use a mark_all_read_before boundary or equivalent when mark-all-read races with newly created notifications.
125
+ - Decide whether opening a push, visiting the target resource, explicit read, or mark-all-read changes inbox state.
126
+ - Handle deleted resources and permission-lost targets with safe fallback text instead of leaking or dead-ending.
127
+ 9. Separate dedupe from aggregation.
128
+ - Exactly-once delivery is not a realistic assumption. Make duplicate handling durable and observable.
129
+ - Use a semantic dedupe key such as source event, notification type, recipient, scope, channel, and template or semantic version.
130
+ - Keep notification intent dedupe separate from delivery-attempt dedupe. One intent may create email, push, and in-app channel attempts.
131
+ - Aggregation windows intentionally merge related events; dedupe prevents the same event from being applied twice. Do not hide aggregation as "already sent."
132
+ 10. Review digest as a separate product.
133
+ - Define the digest window, timezone, quiet hours, priority, maximum items, ordering, inclusion rule, retry policy, failure policy, and whether entries are event bundles or current-state snapshots.
134
+ - Persist digest_id, digested_at, included item identities, and excluded item reasons.
135
+ - Decide whether failed digest delivery returns items to a later digest, retries the same digest, or marks them intentionally missed.
136
+ 11. Review scheduling and civil time.
137
+ - Identify whether profile timezone, device timezone, browser timezone, workspace timezone, billing timezone, or tenant timezone owns the schedule.
138
+ - Store recurring local intent plus next UTC run when a user asks for local-time delivery.
139
+ - Handle daylight-saving transitions, nonexistent local times, duplicated local times, missing timezone, user travel, and workspace changes.
140
+ - Scheduled workers need claim, lease, visibility, and reaper behavior so multiple workers do not send the same due notification.
141
+ 12. Review rate limits by purpose.
142
+ - Separate user-experience limits, system overload limits, provider limits, tenant fairness limits, channel limits, category limits, and sender-domain or provider-account limits.
143
+ - A marketing campaign should not starve password resets, receipts, or security alerts.
144
+ - Burn enqueue quota before creating expensive fanout work when the producer can overload queues or providers.
145
+ 13. Review retries and queues by outcome uncertainty.
146
+ - Use exponential backoff with jitter and bounded attempts.
147
+ - Classify retryable failures, permanent failures, and unknown provider outcome separately.
148
+ - Do not retry malformed templates, unsubscribed recipients, hard-bounced addresses, invalid push tokens, permission-denied targets, or deleted accounts as transient failures.
149
+ - Separate critical, transactional, normal, bulk, and digest queues or concurrency budgets where one class can starve another.
150
+ - Poison messages need DLQ reason, safe payload summary, replay eligibility, and ownership.
151
+ 14. Review provider webhooks as untrusted and replayable.
152
+ - Verify provider webhook signatures before accepting bounce, complaint, delivery, open, click, token invalidation, or provider status events.
153
+ - Store provider event IDs or normalized message ID plus event type to make handlers idempotent.
154
+ - Tolerate duplicate and out-of-order webhook events. Provider delivered, bounced, complaint, open, and click events may not arrive in useful order.
155
+ - Keep provider receipt separate from follow-up actions such as suppression, token invalidation, inbox update, or campaign metrics.
156
+ 15. Review templates and rendering time.
157
+ - Decide whether subject, body, push text, in-app card, deep link, and fallback text are snapshotted at intent creation or rendered at delivery.
158
+ - Snapshot legal, receipt, payment, and security content that must reflect the facts at send time.
159
+ - Re-render product activity content only when deleted resources, missing permissions, localization, and fallback states are safe.
160
+ - Escape variables for each channel separately: HTML email, plaintext email, push payload, in-app UI, URL, log, and provider metadata are different output domains.
161
+ 16. Review security, privacy, and deletion.
162
+ - Do not put sensitive customer, payment, document, health, legal, or security details in lockscreen push text, email subject lines, logs, provider tags, analytics, or provider metadata unless the product policy explicitly allows it.
163
+ - Account deletion, tenant deletion, and privacy erasure should cancel pending deliveries and mask retained notification bodies while preserving legally required records separately.
164
+ - Unsubscribe tokens should be scoped, opaque or HMAC-protected, non-enumerable, and unable to expose account settings beyond the intended preference action.
165
+ 17. Review channel fallback deliberately.
166
+ - In-app can be the durable product record, push can be immediacy, email can be long-form asynchronous delivery, digest can be low-frequency summary, and SMS can be high-cost exceptional delivery.
167
+ - Do not automatically email because push timed out unless the notification category explicitly allows that user experience and duplicate risk.
168
+ - Record fallback decisions so support can distinguish "not sent by policy" from "sent on another channel."
169
+ 18. Review fanout, campaigns, and operations.
170
+ - Large announcements need target-count preview, dry run, sample, canary, ramp-up, rate control, campaign cancel, kill switch, expected cost, suppression count, and actual send count.
171
+ - Queue jobs should check campaign cancel or kill-switch state immediately before send.
172
+ - Tenant quotas should prevent one customer's automation or campaign from delaying other tenants' critical messages.
173
+ 19. Review observability and operator tools.
174
+ - Operators need to answer why sent, why suppressed, when scheduled, which attempt ran, which provider response arrived, what webhook updated state, and what preference or suppression state applied.
175
+ - Logs and metrics should use bounded labels and safe IDs, not full message bodies, email bodies, private resource names, raw prompts, or direct personal data.
176
+ - Re-send tools must define whether they reuse the old intent, create a new intent, respect current preferences, or preserve the original policy snapshot.
177
+ 20. Test the hostile paths.
178
+ - Cover duplicate source events, concurrent intents, provider timeout after request send, retry after unknown provider outcome, hard bounce, complaint, invalid push token, unsubscribe, link scanner, quiet hours, DST, missing timezone, digest failure, mark_all_read_before race, deleted resource, permission loss, account deletion, provider webhook duplicate, provider webhook out of order, DLQ replay, campaign cancel, and backfill exclusion of already-sent notifications.
179
+ - If deterministic provider, timezone, push, email, webhook, queue, or browser evidence is not configured, report static risk and missing manual or integration proof instead of claiming production delivery safety.
180
+
181
+ <!-- mustflow-section: postconditions -->
182
+ ## Postconditions
183
+
184
+ - Source event, notification intent, schedule, delivery attempt, provider event, suppression, preference, in-app inbox, and audit boundaries are explicit or the missing boundary is reported.
185
+ - Channel classification, consent, unsubscribe, suppression, legal override, final pre-send recheck, and fallback behavior are explicit.
186
+ - Email, push, in-app, digest, timezone, quiet hours, rate-limit, retry, queue, provider webhook, template, security, privacy, deletion, campaign, and operator-tool risks are fixed or reported.
187
+ - Notification-delivery claims distinguish provider acceptance, delivery attempt, user-visible inbox record, provider webhook event, open or click telemetry, and actual user action.
188
+ - Tests or evidence cover duplicate, retry, suppression, digest, timezone, webhook, permission, deletion, and operations paths according to scope.
189
+
190
+ <!-- mustflow-section: verification -->
191
+ ## Verification
192
+
193
+ Use configured oneshot command intents when available:
194
+
195
+ - `changes_status`
196
+ - `changes_diff_summary`
197
+ - `lint`
198
+ - `build`
199
+ - `test_related`
200
+ - `test`
201
+ - `docs_validate_fast`
202
+ - `test_release`
203
+ - `mustflow_check`
204
+
205
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers changed notification behavior and synchronized template surfaces. Do not infer raw email sends, push sends, live provider calls, provider dashboard actions, local servers, queue workers, webhook tunnels, load tests, browser sessions, or campaign dry runs outside the command contract.
206
+
207
+ <!-- mustflow-section: failure-handling -->
208
+ ## Failure Handling
209
+
210
+ - If the source event or notification intent cannot be named, report that the notification path is not reviewable for delivery integrity yet.
211
+ - If duplicate prevention depends only on frontend disabling, memory, provider acceptance, or a log line, report the missing durable gate.
212
+ - If preference, suppression, legal override, or permission evidence is missing, fail closed for optional notifications and report mandatory-notification policy gaps.
213
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and the notification invariant it exercised before editing again.
214
+ - If safe repair requires schema migration, provider configuration, DNS or sender-domain setup, live deliverability testing, push entitlement setup, legal review, production traffic replay, or operator dashboard work outside the current scope, complete local verification and report the missing boundary.
215
+
216
+ <!-- mustflow-section: output-format -->
217
+ ## Output Format
218
+
219
+ - Notification delivery boundary reviewed
220
+ - Source event, notification intent, recipient/channel/category, preference/legal policy, suppression, schedule/timezone/quiet-hours/digest, delivery job and attempt, provider event, in-app inbox, audit, security, privacy, fanout, and operations ledgers checked
221
+ - Email, push, in-app, digest, dedupe, rate-limit, retry, queue, provider webhook, template, deletion, and fallback findings
222
+ - Notification-delivery fixes made or recommended
223
+ - Evidence level: configured-test evidence, schema evidence, provider or framework evidence, static review risk, manual-only, missing, or not applicable
224
+ - Command intents run
225
+ - Skipped notification diagnostics and reasons
226
+ - Remaining notification-delivery risk