mustflow 2.107.9 → 2.108.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/dist/cli/commands/api/serve.js +73 -10
  2. package/dist/core/run-receipt-state.js +23 -2
  3. package/dist/core/secret-redaction.js +6 -1
  4. package/package.json +1 -1
  5. package/schemas/api-serve-response.schema.json +1 -0
  6. package/templates/default/i18n.toml +48 -12
  7. package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
  8. package/templates/default/locales/en/.mustflow/skills/INDEX.md +52 -14
  9. package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
  10. package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
  11. package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
  12. package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
  13. package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
  14. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
  15. package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
  16. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
  17. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
  18. package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
  19. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
  20. package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
  21. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
  22. package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
  23. package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
  24. package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
  25. package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
  26. package/templates/default/manifest.toml +43 -1
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.payment-integrity-review
3
3
  locale: en
4
4
  canonical: true
5
- revision: 3
5
+ revision: 4
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: payment-integrity-review
9
- description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
9
+ description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, credit note, receipt, tax document, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, payout, chargeback, dispute, fraud review, card testing, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -35,7 +35,7 @@ Review payment code as money-event integrity, not provider API success. The core
35
35
  <!-- mustflow-section: use-when -->
36
36
  ## Use When
37
37
 
38
- - Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, receipt, entitlement, fulfillment, subscription, invoice, trial, grace period, coupon, promotion, or inventory reservation logic is created, changed, reviewed, or reported.
38
+ - Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, payout, receipt, invoice, credit note, tax document, entitlement, fulfillment, subscription, trial, grace period, coupon, promotion, fraud review, card testing, or inventory reservation logic is created, changed, reviewed, or reported.
39
39
  - Provider webhook handling, provider callback handling, payment outbox records, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
40
40
  - Client-supplied amount, currency, quantity, product, discount, shipping, tax, order, subscription, refund, or customer identifiers can influence a payment action.
41
41
  - Manual admin payment operations, payment logs, audit trails, or payment-related tests need review.
@@ -52,7 +52,7 @@ Review payment code as money-event integrity, not provider API success. The core
52
52
  <!-- mustflow-section: required-inputs -->
53
53
  ## Required Inputs
54
54
 
55
- - Money-event ledger: every create, authorize, capture, fulfill, refund, dispute, chargeback, settlement, adjustment, cancellation, expiration, and entitlement event that can move money or access.
55
+ - Money-event ledger: every create, authorize, capture, fulfill, refund, partial refund, tax reversal, credit note, receipt, dispute, chargeback, settlement, payout, adjustment, cancellation, expiration, and entitlement event that can move money, evidence, or access.
56
56
  - Provider interaction ledger: payment provider calls, webhook event types, redirect handlers,
57
57
  polling, reconciliation jobs, SDK clients, idempotency keys, internal order IDs, internal payment
58
58
  IDs, attempt IDs, provider object IDs, provider reference IDs, and provider environment selection.
@@ -66,7 +66,9 @@ Review payment code as money-event integrity, not provider API success. The core
66
66
  parser or validator, database constraint when available, and the rejection path for unknown,
67
67
  stale, misspelled, or provider-shaped event types.
68
68
  - Idempotency and uniqueness ledger: logical operation IDs, provider idempotency keys, database uniqueness constraints, webhook event dedupe keys, fulfillment dedupe keys, and retry behavior.
69
- - Amount and currency ledger: product/cart snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, and settlement amount.
69
+ - Amount and currency ledger: product/cart snapshot, invoice and line-item snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, refund amount, dispute amount, payout amount, and settlement amount.
70
+ - Invoice, receipt, and tax ledger: invoice status, invoice line items, credit notes, receipt generation, receipt delivery, receipt lookup identifiers, tax behavior, tax jurisdiction, tax-exemption evidence, tax-rate snapshots, tax reversals, and tax-document issuance state.
71
+ - Dispute and fraud ledger: dispute reason, evidence deadline, evidence packet inputs, refund-dispute collision policy, fraud review state, card-testing defenses, risk holds, descriptor or customer-communication evidence, and network-monitoring exposure when available.
70
72
  - Ownership ledger: user, tenant, account, order, payment session, refund, subscription, invoice, entitlement, admin actor, and provider customer ownership checks.
71
73
  - Fulfillment and entitlement ledger: when access, inventory, shipment, credits, licenses, notifications, or downstream side effects are granted or revoked.
72
74
  - Webhook and retry ledger: signature verification, raw-body handling, event storage, queue handoff, duplicate and out-of-order handling, timeout classification, backoff, and dead-letter behavior.
@@ -84,7 +86,7 @@ Review payment code as money-event integrity, not provider API success. The core
84
86
  <!-- mustflow-section: allowed-edits -->
85
87
  ## Allowed Edits
86
88
 
87
- - Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
89
+ - Tighten payment state machines, server-side amount calculation, invoice and line-item snapshots, minor-unit money handling, tax snapshots and reversals, receipt delivery tracking, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, payout reconciliation, append-only ledgers, secret and card-data redaction, fraud and card-testing defenses, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
88
90
  - Do not replace a focused payment-integrity fix with a broad payment platform rewrite unless the current code cannot preserve money correctness with a smaller boundary.
89
91
  - Do not add live payment secrets, real card data, real refunds, real charges, or live-provider side effects.
90
92
 
@@ -104,8 +106,11 @@ Review payment code as money-event integrity, not provider API success. The core
104
106
  strings, provider event names, stale constants, or user-controlled values become trusted outbox
105
107
  operation types.
106
108
  4. Calculate amount on the server. Treat client-supplied amount, currency, quantity, discount, coupon, tax, shipping, product ID, plan ID, or cart totals as input claims only; rebuild the payable total from trusted product, cart, account, and policy snapshots.
109
+ - Freeze the cart, order, invoice, subscription period, product, price, discount, shipping, tax behavior, tax rate, exchange rate, and entitlement snapshot used for the payment. Do not recalculate paid orders, refunds, chargebacks, receipts, or tax documents from current product tables.
110
+ - For partial refunds, calculate from line items and tax lines, not only from a manual total. Preserve refunded quantity, refunded subtotal, tax reversal, discount allocation, shipping decision, credit note link, and refund reason.
107
111
  5. Bind every payment object to its owner. Verify user, tenant, order, payment session, refund, subscription, invoice, provider customer, and admin actor ownership before read, write, refund, cancel, fulfillment, or entitlement changes.
108
112
  6. Compare every amount ledger. Trace order amount, provider request amount, provider response amount, internal money ledger, receipt, settlement, fee, refund, and entitlement amount. Flag any path where one amount can drift without reconciliation.
113
+ - Distinguish gross charge, captured amount, processor fee, application or platform fee, tax collected, tax liability, refund, tax reversal, dispute withdrawal, dispute fee, dispute reinstatement, payout, payout failure, reserve, and negative provider balance. Provider dashboard totals and bank deposits are not the same fact as revenue.
109
114
  7. Use integer minor units. Reject float, double, string-concatenated, rounded-late, locale-formatted, or JavaScript-number money math when it can cross currency or precision boundaries.
110
115
  8. Make payment creation idempotent. Use a stable key for one logical payment attempt, not a fresh UUID per retry. Include operation identity such as order or attempt ID, but do not include secrets or raw personal data.
111
116
  9. Use database uniqueness as the last gate. Add or verify unique constraints for provider payment IDs, provider session IDs, provider event IDs, provider refund IDs, internal ledger IDs, and fulfillment records where duplicates would move money or access twice.
@@ -115,11 +120,18 @@ Review payment code as money-event integrity, not provider API success. The core
115
120
  13. Return from webhook endpoints quickly. Persist the event, enqueue durable work, and return a provider-acceptable response without doing slow fulfillment, network fan-out, file work, or long transactions in the webhook request.
116
121
  14. Never use success redirects as proof. Treat checkout success pages, return URLs, frontend callbacks, and local storage flags as user navigation only; fulfillment must depend on verified provider state or signed server-side evidence.
117
122
  15. Run fulfillment exactly once. Guard entitlement grants, shipments, credit issuance, license creation, invoice finalization, emails with money meaning, and inventory release with unique records or state transitions.
123
+ - Keep internal entitlement state separate from provider subscription state. `past_due`, `unpaid`, grace period, restricted access, revocation, reactivation, and manual invoice-paid events should map through product policy rather than a direct provider-status copy.
118
124
  16. Handle asynchronous payment methods. Do not fulfill on checkout completion when the provider can still move through pending, requires_action, processing, delayed success, delayed failure, or expiry states.
119
125
  17. Separate authorization from capture. Do not treat an authorization hold as captured money. Review capture windows, partial captures, expired authorizations, cancellations, orphan authorized-but-not-captured operations, and post-authorization amount changes.
120
126
  18. Review refunds as money-out events. Check requested, pending, completed, failed, cancelled, and partial refund states; double refunds; refund failures; refund idempotency; refund ownership; refund amount/currency; ledger reversal; entitlement revocation; and receipt updates.
127
+ - Treat refund requests and provider refunds as separate records when provider outcomes can be pending, require customer action, fail, cancel, or arrive through provider dashboards. Use refund-request idempotency keys, not a fresh key per click and not the whole order ID when multiple partial refunds are valid.
128
+ - Lock or reserve refundable balance while a refund is pending when concurrent operators, jobs, or customer flows can otherwise exceed the captured amount.
121
129
  19. Handle disputes and chargebacks. Ensure dispute events affect access, account risk, support workflow, ledger entries, settlement reports, and customer-visible state without pretending the original capture still stands unchanged.
122
- 20. Review subscriptions as state machines. Separate trialing, active, past_due, grace, unpaid, cancelled, pending cancellation, retrying, upgraded, downgraded, invoice-open, invoice-paid, and invoice-failed states.
130
+ - Define the refund-dispute collision policy. A pending or completed refund can collide with a dispute; avoid double compensation, preserve refund IDs and receipt evidence, and decide whether to accept, contest, or block new refunds while a dispute is open.
131
+ - Track evidence deadlines, reason categories, evidence packet fields, customer communications, receipt and invoice links, refund history, shipping or delivery proof, usage logs, login or download evidence, cancellation evidence, and support decisions. Winning a dispute does not erase the operational need to prevent future dispute-rate or fraud-rate exposure.
132
+ 20. Review subscriptions as state machines. Separate trialing, active, incomplete, incomplete_expired, past_due, grace, unpaid, cancelled, pending cancellation, retrying, upgraded, downgraded, invoice-open, invoice-paid, and invoice-failed states.
133
+ - Model dunning and entitlement policy explicitly: first-payment failure, off-session authentication required, hard decline, soft decline, retry schedule, payment-method update link, reminder sequence, grace period, restriction, revocation, reactivation, and manual invoice resolution.
134
+ - Review plan changes as money and entitlement events. Upgrades, downgrades, seat-count changes, proration, coupon changes, tax changes, account credits, and mid-cycle cancellations must update invoice, entitlement, credit, and refund ledgers consistently.
123
135
  21. Reserve inventory before confirming it. Check that payment, inventory, cancellation, expiration, refund, and fulfillment cannot oversell, lose stock, or keep stock reserved after an abandoned payment.
124
136
  22. Reserve coupons before consuming them. Under concurrent attempts, a coupon should not be spent twice or lost forever after a failed or expired payment. Review reservation, consumption, release, and expiry paths.
125
137
  23. Treat timeouts as unknown outcomes. A provider timeout after request submission is not a failure proof. Verify by idempotency key, provider object lookup, webhook, or reconciliation before retrying or cancelling.
@@ -127,24 +139,31 @@ Review payment code as money-event integrity, not provider API success. The core
127
139
  25. Segment the payment path. When diagnosing approval rate or decline spikes, separate frontend validation, backend request creation, provider gateway, acquirer, card network, issuer, bank, 3DS or additional authentication, and settlement evidence instead of reading one blended failure count.
128
140
  26. Keep an append-only money ledger. Prefer immutable entries for payment, capture, refund, fee, settlement, chargeback, adjustment, and correction. Flag mutable balance-only code with no event history.
129
141
  27. Reconcile provider and internal state. Check scheduled or manual reconciliation for missed webhooks, stale internal states, provider-side refunds, settlement fees, disputes, orphan authorizations, and permanently unknown operations.
142
+ - Reconcile payouts separately from sales. A payout is movement from provider balance to a bank account, not revenue. Check payout failure, negative provider balance, reserves, platform or connected-account liability, refunded-after-payout flows, and dispute-after-payout recovery.
143
+ - Reconcile provider-dashboard manual actions back into local state. Provider-side refunds, subscription cancellations, invoice voids, paid invoice overrides, dispute decisions, and tax document changes need webhook ingestion, reconciliation jobs, or explicit manual import evidence.
130
144
  28. Redact payment-sensitive data. Never log card numbers, CVV, track data, PINs, raw payment credentials, webhook secrets, bearer tokens, provider secret keys, or full provider payloads containing sensitive fields.
145
+ - Keep PCI scope intentionally small. Hosted checkout, tokenized payment methods, mandates, and provider components are preferable when they keep raw card data away from application servers. Never store CVC/CVV after authorization, even for recurring payments.
131
146
  29. Separate test and live payment planes. Verify API keys, webhook secrets, product IDs, price IDs, environment flags, provider account IDs, and fixtures cannot cross between test and live modes.
132
147
  30. Audit manual payment operations. Require role, reason, target object, before/after values, approver or policy evidence, operator identity, timestamp, and rollback or correction path for admin overrides.
148
+ - Separate admin abilities for refund, credit, invoice void, tax document reissue, dispute evidence access, subscription cancellation, entitlement override, and provider-dashboard action reconciliation. Money operations need least privilege and audit evidence, not one broad support-admin flag.
133
149
  31. Add a payment hold or kill-switch path for unsafe flows. Risky provider migrations, webhook
134
150
  regressions, reconciliation uncertainty, fraud spikes, or duplicate-money incidents need a way
135
151
  to hold fulfillment, stop captures, pause refunds, or disable a provider path without corrupting
136
152
  ledger state.
153
+ - Treat fraud review and card testing as payment integrity risks. High failure velocity, repeated card fingerprints, bot-like checkout attempts, high-risk score, mismatched geography, descriptor confusion, unusually fast disputes, and chargeback-rate monitoring need hold, review, rate-limit, or provider-rule evidence before fulfillment.
137
154
  32. Search for stale payment endpoints. Review old checkout paths, hidden callback URLs, deprecated provider versions, old mobile endpoints, webhook v1 handlers, and manual scripts that still mutate money state.
138
- 33. Check public errors and support evidence. Payment failures must not lie about success, leak sensitive payment facts, or leave support with no safe correlation ID, provider object ID, or internal event ID.
139
- 34. Test the nightmare paths. Include repeated pay-button clicks, replayed webhooks, out-of-order webhooks, success redirect plus database failure, database success plus provider timeout, amount or currency tampering, wrong order ID, concurrent double refund, pay then cancel, expired-session completion, subscription retry, provider missed webhook, orphan authorization cleanup, provider kill switch or hold state, and admin override rollback.
155
+ 33. Check invoice, receipt, and tax-document delivery. Payment success is separate from receipt generation, receipt email delivery, invoice finalization, credit note issuance, refund receipt delivery, and tax document issuance. Support should be able to find records by order ID, payment ID, invoice number, receipt number, provider object, safe customer identifier, and correlation ID.
156
+ 34. Check public errors and support evidence. Payment failures must not lie about success, leak sensitive payment facts, or leave support with no safe correlation ID, provider object ID, receipt or invoice ID, dispute ID, refund ID, or internal event ID.
157
+ 35. Test the nightmare paths. Include repeated pay-button clicks, replayed webhooks, out-of-order webhooks, success redirect plus database failure, database success plus provider timeout, amount or currency tampering, wrong order ID, concurrent double refund, pay then cancel, expired-session completion, partial refund tax reversal, refund failure, refund then dispute, dispute then refund attempt, subscription retry and dunning, provider-side manual refund, receipt delivery failure, tax-document gap, payout failure, card-testing spike, orphan authorization cleanup, provider kill switch or hold state, and admin override rollback.
140
158
 
141
159
  <!-- mustflow-section: postconditions -->
142
160
  ## Postconditions
143
161
 
144
162
  - The payment surface has a money-event map, provider interaction map, identifier map,
145
163
  state-transition map, immutable event log, idempotency and uniqueness map, amount and currency map,
146
- ownership map, fulfillment and entitlement map, webhook/retry map, outbox event-type validation
147
- map, reconciliation and hold-state map, and audit/sensitive-data map.
164
+ invoice/receipt/tax map, ownership map, fulfillment and entitlement map, webhook/retry map,
165
+ outbox event-type validation map, reconciliation and hold-state map, dispute/fraud map, payout
166
+ map, and audit/sensitive-data map.
148
167
  - Any false success, duplicate money movement, duplicate fulfillment, wrong-owner action, wrong amount, wrong currency, stale event overwrite, timeout misclassification, or missing reconciliation is fixed or reported with evidence.
149
168
  - Tests or explicit verification cover the highest-risk nightmare paths available in the current scope.
150
169
 
@@ -164,7 +183,7 @@ Use configured oneshot command intents when available:
164
183
  - `test_release`
165
184
  - `mustflow_check`
166
185
 
167
- Prefer focused tests for duplicate operations, webhook replay, out-of-order events, ownership denial, amount tampering, timeout unknowns, and one-time fulfillment. Use broader checks when payment integrity touches shared state machines, provider adapters, database migrations, or template surfaces.
186
+ Prefer focused tests for duplicate operations, webhook replay, out-of-order events, ownership denial, amount tampering, timeout unknowns, one-time fulfillment, partial refunds, failed refunds, refund-dispute collisions, subscription retry and dunning, receipt delivery failure, tax reversal, payout reconciliation, fraud holds, and card-testing controls. Use broader checks when payment integrity touches shared state machines, provider adapters, database migrations, or template surfaces.
168
187
 
169
188
  <!-- mustflow-section: failure-handling -->
170
189
  ## Failure Handling
@@ -173,14 +192,15 @@ Prefer focused tests for duplicate operations, webhook replay, out-of-order even
173
192
  - If a provider outcome is unknown, do not mark it failed or paid without reconciliation evidence.
174
193
  - If webhook signature verification cannot be proven because middleware hides the raw body, report that as a blocking integrity risk.
175
194
  - If duplicate prevention relies only on in-memory flags, frontend disabling, or sequential UI behavior, report the missing durable idempotency gate.
195
+ - If invoice, receipt, tax, dispute, payout, or provider-dashboard manual-action evidence is missing, report the missing operational ledger instead of treating provider success as complete payment evidence.
176
196
  - If tests cannot hit live-provider behavior, use provider fixtures, signed webhook fixtures, fake adapters, or state-machine tests and report remaining live integration risk.
177
197
 
178
198
  <!-- mustflow-section: output-format -->
179
199
  ## Output Format
180
200
 
181
201
  - Payment surface and provider boundary reviewed
182
- - Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
183
- - Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, reconciliation, and audit risks
202
+ - Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, invoice, receipt, tax, ownership, fulfillment, webhook, retry, dispute, fraud, payout, reconciliation, hold-state, audit, and sensitive-data ledgers
203
+ - Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, refund, subscription, tax, receipt, chargeback, fraud, payout, reconciliation, and audit risks
184
204
  - Nightmare-path tests or evidence added, run, skipped, or still missing
185
205
  - Command intents run
186
206
  - Remaining payment-integrity risk
@@ -18,6 +18,12 @@ route_type = "primary"
18
18
  priority = 82
19
19
  applies_to_reasons = ["code_change", "behavior_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "public_api_change"]
20
20
 
21
+ [routes."small-service-platform-architecture-review"]
22
+ category = "architecture_patterns"
23
+ route_type = "primary"
24
+ priority = 84
25
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
26
+
21
27
  [routes."code-review"]
22
28
  category = "general_code"
23
29
  route_type = "primary"
@@ -216,6 +222,12 @@ route_type = "adjunct"
216
222
  priority = 81
217
223
  applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
218
224
 
225
+ [routes."notification-delivery-integrity-review"]
226
+ category = "general_code"
227
+ route_type = "adjunct"
228
+ priority = 82
229
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
230
+
219
231
  [routes."api-misuse-resistance-review"]
220
232
  category = "general_code"
221
233
  route_type = "adjunct"
@@ -600,6 +612,12 @@ route_type = "primary"
600
612
  priority = 65
601
613
  applies_to_reasons = ["ui_change", "product_change"]
602
614
 
615
+ [routes."ai-product-readiness-review"]
616
+ category = "general_code"
617
+ route_type = "primary"
618
+ priority = 64
619
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
620
+
603
621
  [routes."prompt-contract-quality-review"]
604
622
  category = "general_code"
605
623
  route_type = "primary"
@@ -636,6 +654,12 @@ route_type = "primary"
636
654
  priority = 70
637
655
  applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
638
656
 
657
+ [routes."browser-automation-reliability-review"]
658
+ category = "general_code"
659
+ route_type = "primary"
660
+ priority = 73
661
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
662
+
639
663
  [routes."agent-eval-integrity-review"]
640
664
  category = "general_code"
641
665
  route_type = "primary"
@@ -858,6 +882,12 @@ route_type = "adjunct"
858
882
  priority = 77
859
883
  applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
860
884
 
885
+ [routes."admin-control-plane-safety-review"]
886
+ category = "security_privacy"
887
+ route_type = "adjunct"
888
+ priority = 79
889
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
890
+
861
891
  [routes."file-upload-security-review"]
862
892
  category = "security_privacy"
863
893
  route_type = "adjunct"
@@ -972,6 +1002,12 @@ route_type = "adjunct"
972
1002
  priority = 82
973
1003
  applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "web_asset_change"]
974
1004
 
1005
+ [routes."frontend-component-library-review"]
1006
+ category = "ui_assets"
1007
+ route_type = "adjunct"
1008
+ priority = 84
1009
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "public_api_change", "package_metadata_change", "performance_change", "security_change", "privacy_change", "web_asset_change", "release_risk"]
1010
+
975
1011
  [routes."frontend-localization-review"]
976
1012
  category = "ui_assets"
977
1013
  route_type = "adjunct"
@@ -0,0 +1,273 @@
1
+ ---
2
+ mustflow_doc: skill.small-service-platform-architecture-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: small-service-platform-architecture-review
9
+ description: Apply this skill when a multi-product platform, app factory, solo-developer portfolio platform, many-small-services architecture, shared account portal, Product Registry, shared auth, billing, credits, entitlements, admin console, deployment factory, analytics, logging, i18n, common UI, templates, or operations automation for multiple product apps is created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.small-service-platform-architecture-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Small Service Platform Architecture Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review a shared platform for many small products as an app factory, not as many copied services.
33
+
34
+ The core question is: "Can a new product be added mostly by declaring product facts, while auth,
35
+ billing, credits, entitlements, admin, analytics, observability, legal, deployment, and operations
36
+ stay shared and explainable?" If not, the portfolio is just copy-paste debt with domains attached.
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - A repository, architecture plan, template, generator, or product platform is intended to support
42
+ many small apps, micro-SaaS products, SEO tools, AI tools, API products, downloads, extensions,
43
+ or similar product shells.
44
+ - Code, docs, schemas, templates, or reviews touch a Product Registry, app catalog, shared account
45
+ portal, shared identity, organization, billing, credit ledger, usage meter, entitlement, admin,
46
+ analytics, logging, notification, i18n, legal, feature flag, app template, deployment factory,
47
+ file service, job queue, integration service, outbound webhook, AI Gateway, or license service.
48
+ - A review or final report claims that creating another service is easy, the platform is reusable,
49
+ templates are shared, billing or credits are common, apps are tenant-safe, or operations can scale
50
+ beyond a few products.
51
+ - A solo developer or small team wants to avoid reimplementing account, payment, admin, deploy,
52
+ telemetry, localization, support, and incident workflows for each product.
53
+
54
+ <!-- mustflow-section: do-not-use-when -->
55
+ ## Do Not Use When
56
+
57
+ - The task concerns one standalone app with no multi-product platform, app factory, shared package,
58
+ or cross-product operational surface.
59
+ - The task only changes a single auth flow, OAuth callback, session, token, or permission rule. Use
60
+ `auth-permission-change`, `auth-flow-triage`, or `api-access-control-review`.
61
+ - The task only changes one payment, subscription, refund, webhook, credit, or usage path. Use
62
+ `payment-integrity-review` or `credit-ledger-integrity-review`.
63
+ - The task only changes an admin screen, notification path, i18n path, deployment pipeline,
64
+ component library, AI feature, file upload, queue, or service boundary. Use the matching
65
+ specialist skill first.
66
+ - The task is an organization-scale microservice split decision rather than a product-app factory.
67
+ Use `service-boundary-architecture` first.
68
+
69
+ <!-- mustflow-section: required-inputs -->
70
+ ## Required Inputs
71
+
72
+ - User goal, target product count, product types, expected shared versus app-specific behavior,
73
+ repository layout, current diff or target files, and configured command intents.
74
+ - Product Registry ledger: `app_id`, domains, environments, product names, auth modes, plan and
75
+ price mapping, entitlement keys, usage meters, credit costs, analytics namespace, admin panels,
76
+ i18n namespace, email templates, legal and consent versions, data categories, and deploy config.
77
+ - Identity ledger: users, identities, sessions, organizations, workspaces, memberships, roles,
78
+ permissions, invitations, API keys, service accounts, account linking, and account portal scope.
79
+ - Money and access ledger: customers, provider customers, subscriptions, invoices, tax profiles,
80
+ webhook events, refunds, disputes, wallets, credit grants, credit transactions, usage events,
81
+ reservations, quotas, limits, grace periods, and local entitlement state.
82
+ - Operations ledger: support view, admin action log, resource change history, impersonation,
83
+ refunds, manual credits, feature overrides, account merge or delete, job logs, webhook logs,
84
+ email logs, runbooks, alerts, backups, and restore tests.
85
+ - App factory ledger: app templates, `create-product` or equivalent generator, shared packages,
86
+ thin app shells, CI/CD, preview, staging, production, migration policy, smoke tests, rollback,
87
+ secrets, environment variables, DNS, TLS, CDN, storage, cache, queue, cron, and workers.
88
+ - Observability and analytics ledger: event schema, first-value-created event, revenue metrics,
89
+ usage rollups, structured logs, traces, request IDs, app IDs, tenant IDs, alerts, status pages,
90
+ and cost monitors.
91
+ - Shared product surface ledger: i18n, legal, consent, notifications, file service, job service,
92
+ integrations, outbound webhooks, SEO, marketing pages, shared UI, feature flags, remote config,
93
+ AI Gateway, license service, and developer portal where relevant.
94
+
95
+ <!-- mustflow-section: preconditions -->
96
+ ## Preconditions
97
+
98
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
99
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
100
+ current scope.
101
+ - Existing local platform, template, package, registry, billing, auth, admin, analytics, deploy,
102
+ and operations patterns have been searched before proposing a new platform layer.
103
+ - If the change touches money, auth, privacy, admin, deployment, AI, localization, files, queues, or
104
+ notifications, also apply the narrower matching skill for that boundary.
105
+
106
+ <!-- mustflow-section: allowed-edits -->
107
+ ## Allowed Edits
108
+
109
+ - Create or refine platform architecture docs, skill procedures, route metadata, templates, tests,
110
+ registry schemas, app factory contracts, shared package boundaries, operational runbooks, and
111
+ directly synchronized template copies tied to the multi-product platform surface.
112
+ - Tighten platform boundaries by moving copied product logic into shared packages, registries,
113
+ policy services, ledgers, generators, runbooks, or explicit app-specific extension points.
114
+ - Add focused tests for registry validation, entitlement resolution, credit ledger behavior,
115
+ webhook idempotency, template generation, app profile installation, admin permissions,
116
+ analytics event shape, i18n key coverage, smoke checks, and operation runbooks when existing
117
+ project patterns support them.
118
+ - Do not migrate to a new cloud, framework, auth provider, billing provider, queue, database,
119
+ analytics tool, or orchestration platform unless the current task explicitly requires that
120
+ migration.
121
+ - Do not turn every possible future product feature into mandatory platform scope. Separate the
122
+ phase-one spine from phase-two and phase-three extensions.
123
+
124
+ <!-- mustflow-section: procedure -->
125
+ ## Procedure
126
+
127
+ 1. Decide whether this is a platform factory or a single product.
128
+ - A platform factory has several product shells, shared packages, shared ledgers, common
129
+ operations, and a path for adding a product through declaration plus thin app code.
130
+ - If the surface is one app, route to the narrower product or framework skill and report that
131
+ this skill does not apply.
132
+ 2. Build the Product Registry ledger first.
133
+ - Require one source of truth for app identity, domains, environments, auth policy, billing
134
+ catalog mapping, entitlement keys, usage meters, credit costs, analytics namespace, admin
135
+ panels, i18n namespace, email templates, legal versions, data categories, and deploy config.
136
+ - Flag product facts scattered across routes, Stripe dashboards, environment variables,
137
+ seed scripts, marketing pages, and app-specific constants.
138
+ 3. Review identity as a shared account operating system.
139
+ - Separate `User` from `Identity` so email, OAuth, passkeys, and account linking can evolve.
140
+ - Require common organization, workspace, membership, invitation, role, permission, API key,
141
+ service account, session management, device session, forced logout, and account portal paths.
142
+ - Keep billing, security, data export, data deletion, and login methods anchored in the account
143
+ portal even when product apps have their own settings.
144
+ 4. Review billing, entitlements, credits, and usage as local ledgers.
145
+ - Treat the payment provider as an event source, not as the application's only authority.
146
+ - Require provider webhooks to be stored, signature-checked, idempotent, replayable, and mapped
147
+ into local customer, subscription, invoice, refund, dispute, tax, and entitlement state.
148
+ - Reject feature gates such as `plan === "pro"`; require entitlement and limit checks.
149
+ - Reject balance-only credits; require append-only credit transactions, grants, usage events,
150
+ reservations, capture, release, partial capture, expiry, reconciliation, and audit evidence.
151
+ 5. Review admin and support as production control planes.
152
+ - Require a support view that connects user, organization, apps used, plan, payment state,
153
+ credit ledger, usage, recent errors, jobs, webhooks, notifications, experiments, and blocks.
154
+ - Separate audit logs from resource change history.
155
+ - Require scoped operator permissions, impersonation controls, dangerous-action confirmation,
156
+ reason capture, step-up authentication where needed, production guardrails, and PII masking.
157
+ 6. Review the app factory.
158
+ - Prefer a generator that registers a product and creates thin app shell files over a large
159
+ template copy that drifts.
160
+ - Keep shared auth, billing, credits, entitlements, analytics, logging, i18n, UI, email, jobs,
161
+ files, deployment, and support behavior in packages or services that remain upgradeable.
162
+ - Require templates for common product shapes only when they still depend on shared packages.
163
+ 7. Review deployment and database rollout.
164
+ - Require preview, staging, and production separation, environment-scoped secrets, provider
165
+ sandbox separation, migration checks, expand-migrate-contract sequencing, smoke tests,
166
+ rollback or rollback-forward runbooks, and post-deploy observation.
167
+ - Treat manual DNS, TLS, storage, queue, cron, backup, or monitoring setup as product launch
168
+ debt unless it is captured in a reproducible checklist or generator.
169
+ 8. Review analytics, logging, and operations before product count grows.
170
+ - Standardize event names, `app_id`, anonymous and authenticated user identity, tenant identity,
171
+ locale, country, campaign, plan, experiment, and request or trace identifiers.
172
+ - Require each product to declare its first-value-created event.
173
+ - Require structured logs, traces, alerts, dashboards, runbooks, backup checks, restore tests,
174
+ cost spike alerts, domain and certificate expiry alerts, job dead-letter handling, and webhook
175
+ replay.
176
+ 9. Review shared product surfaces.
177
+ - Keep notification categories, transactional versus marketing consent, i18n namespaces,
178
+ fallback behavior, legal and consent versions, shared UI layouts, file ownership, job
179
+ idempotency, integration tokens, outbound webhook signing, SEO templates, feature flags,
180
+ remote config, AI Gateway calls, and license keys common unless product-specific behavior is
181
+ deliberately declared.
182
+ 10. Review privacy and security as cross-product invariants.
183
+ - Require `app_id`, `tenant_id`, `user_id`, `request_id`, and `trace_id` on records where they
184
+ explain ownership, access, audit, or support.
185
+ - Require PII redaction, retention policy, consent records, cookie and marketing preferences,
186
+ data export, delete, anonymize, backup encryption, dependency scanning, abuse detection,
187
+ card-testing detection, and admin read audit for sensitive data.
188
+ 11. Phase the platform spine.
189
+ - Phase one should cover Product Registry, identity and organization, billing basics, credit
190
+ ledger, entitlement, basic admin, analytics events, structured logging, app template or
191
+ generator, CI/CD, and basic transactional email.
192
+ - Phase two should cover account portal depth, webhook replay, usage rollups, feature flags,
193
+ file service, job queue, support view, i18n, legal and consent, SEO templates, monitoring,
194
+ backups, and restore checks.
195
+ - Phase three should cover AI Gateway, affiliate or referral, license service, outbound
196
+ webhooks, developer portal, advanced experiments, advanced RBAC, warehouse, churn automation,
197
+ abuse detection, and cost optimization.
198
+ 12. Route specialist risks deliberately.
199
+ - Apply `payment-integrity-review`, `credit-ledger-integrity-review`,
200
+ `admin-control-plane-safety-review`, `notification-delivery-integrity-review`,
201
+ `frontend-localization-review`, `frontend-component-library-review`,
202
+ `deployment-rollout-safety-review`, `ai-product-readiness-review`,
203
+ `file-upload-security-review`, `queue-processing-integrity-review`, or
204
+ `service-boundary-architecture` when the platform review exposes a narrower implementation
205
+ risk.
206
+ 13. Report evidence level honestly.
207
+ - Separate architecture inspection, schema or registry evidence, package boundary evidence,
208
+ generated template evidence, test evidence, operational runbook evidence, provider webhook
209
+ fixture evidence, and real production-readiness evidence.
210
+ - Name missing configured intents or manual review for provider dashboards, cloud consoles,
211
+ browser smoke tests, visual review, or deployment checks instead of claiming readiness.
212
+
213
+ <!-- mustflow-section: postconditions -->
214
+ ## Postconditions
215
+
216
+ - Product Registry, identity, billing, credit, entitlement, admin, app factory, deployment,
217
+ analytics, logging, shared product surface, security, privacy, operations, and phased rollout
218
+ ledgers are fixed, ruled out, or reported.
219
+ - New product creation depends more on declared product facts and thin app code than on duplicated
220
+ auth, payment, admin, analytics, i18n, deployment, and operations code.
221
+ - Product-specific behavior is declared as product-specific, and shared behavior has a clear owner.
222
+ - Missing provider, deployment, telemetry, security, privacy, localization, or operational evidence
223
+ is named instead of hidden.
224
+
225
+ <!-- mustflow-section: verification -->
226
+ ## Verification
227
+
228
+ Use configured oneshot command intents when available:
229
+
230
+ - `changes_status`
231
+ - `changes_diff_summary`
232
+ - `lint`
233
+ - `build`
234
+ - `test_related`
235
+ - `test`
236
+ - `docs_validate_fast`
237
+ - `test_release`
238
+ - `mustflow_check`
239
+
240
+ Use the narrowest configured unit, template, registry, docs, release, package, build, or mustflow
241
+ intent that covers the changed platform contract. Do not infer provider dashboard, cloud console,
242
+ deployment, browser, visual-regression, package-manager, or dev-server commands outside the command
243
+ contract.
244
+
245
+ <!-- mustflow-section: failure-handling -->
246
+ ## Failure Handling
247
+
248
+ - If no Product Registry or equivalent source of truth exists, stop treating the platform as
249
+ reusable and report the missing product authority.
250
+ - If payment, credit, entitlement, or usage facts are split between provider dashboards and app
251
+ constants, apply the money and ledger specialist skills before claiming platform readiness.
252
+ - If templates are copied but shared packages cannot be upgraded across product shells, report
253
+ template drift risk instead of calling the generator complete.
254
+ - If admin or support paths require direct database edits, apply `admin-control-plane-safety-review`
255
+ and report the operational safety gap.
256
+ - If verification fails, preserve the configured intent name and failure evidence, then fix the
257
+ platform contract surface rather than weakening tests or removing installed files.
258
+ - If release impact is unclear, apply `date-number-audit` before editing versions or release notes.
259
+
260
+ <!-- mustflow-section: output-format -->
261
+ ## Output Format
262
+
263
+ - Platform surface reviewed
264
+ - Product Registry, identity, billing, credit, entitlement, admin, app factory, deployment,
265
+ analytics, observability, shared surface, security, privacy, operations, and phase ledgers
266
+ - Findings, fixes, or recommendations
267
+ - Shared versus product-specific ownership decisions
268
+ - Specialist skills used or deferred
269
+ - Evidence level by registry, schema, package, template, tests, provider, deployment, telemetry,
270
+ and runbook surface
271
+ - Command intents run
272
+ - Skipped platform-readiness checks and reasons
273
+ - Remaining small-service platform architecture risk
@@ -2,11 +2,11 @@
2
2
  mustflow_doc: skill.tauri-code-change
3
3
  locale: en
4
4
  canonical: true
5
- revision: 3
5
+ revision: 4
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: tauri-code-change
9
- description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, or mobile native permissions are created or changed.
9
+ description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, mobile native permissions, Tauri bundling targets, release package formats, or native desktop CI build matrices are created or changed.
10
10
  metadata:
11
11
  mustflow_schema: "1"
12
12
  mustflow_kind: procedure
@@ -38,6 +38,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
38
38
  - `src-tauri`, `tauri.conf.*`, `Cargo.toml`, `#[tauri::command]`, `invoke`, Tauri JavaScript APIs, plugin config, capabilities, permissions, scopes, CSP, WebView bootstrap HTML, fs, dialog, shell, opener, updater, sidecar, mobile manifests, or native permissions change.
39
39
  - A frontend button, menu, or workflow calls native resources through Tauri.
40
40
  - A packaged Tauri app shows a blank or black WebView after release and browser console or built HTML may point to Content Security Policy blocking the frontend bootstrap.
41
+ - Tauri release packaging, `bundle.targets`, platform target triples, updater artifacts, signing,
42
+ or CI matrix behavior changes.
41
43
 
42
44
  <!-- mustflow-section: do-not-use-when -->
43
45
  ## Do Not Use When
@@ -49,6 +51,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
49
51
  ## Required Inputs
50
52
 
51
53
  - Frontend package metadata, static build output or generated entry HTML, Tauri config, Rust manifests, main/lib command modules, command registration, capability and permission files, plugin config, updater config, sidecar config, mobile permissions, and tests.
54
+ - Build and release evidence when packaging is in scope: CI workflow or task definitions, runner
55
+ OS matrix, package formats, `bundle.targets`, Rust and frontend cache strategy, signing or
56
+ notarization gates, updater artifacts, artifact retention, and release asset upload path.
52
57
  - Map of frontend calls to Rust commands or plugin APIs, permission scopes, exact window labels, exact webview labels, CSP directives, remote origins, WebView custom protocols or IPC origins, and actual OS resources.
53
58
  - Permission diff: previous permissions, new permissions, newly reachable windows/webviews, new scopes, and native operations enabled.
54
59
  - Configured verification intents.
@@ -69,6 +74,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
69
74
  - Prefer app-owned directories and stable app IDs over broad filesystem paths.
70
75
  - Keep shell, opener, sidecar, and updater behavior narrowly scoped.
71
76
  - Prefer Rust commands that map small enums or ids to fixed native operations over exposing broad plugin APIs directly to the frontend.
77
+ - Keep package target lists explicit. Do not rely on broad "all targets" behavior when the product
78
+ only ships a small set of installers or archives.
72
79
 
73
80
  <!-- mustflow-section: procedure -->
74
81
  ## Procedure
@@ -81,7 +88,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
81
88
  6. Apply the CSP and WebView bootstrap policy below before tightening `script-src`, `connect-src`, `style-src`, `worker-src`, `img-src`, `font-src`, or remote-origin policy.
82
89
  7. Apply the command input policy below before adding or changing `#[tauri::command]` handlers or `invoke` wrappers.
83
90
  8. Apply the filesystem, dialog, shell, opener, updater, and sidecar policies below when those plugins or native operations are touched.
84
- 9. Choose configured verification intents that cover Rust, frontend, Tauri build, permission/capability drift, CSP behavior, and security-sensitive behavior when available.
91
+ 9. Apply the build and release matrix policy below when `tauri.conf.*`, release scripts, CI
92
+ workflows, updater artifacts, signing, or bundle targets change.
93
+ 10. Choose configured verification intents that cover Rust, frontend, Tauri build, permission/capability drift, CSP behavior, and security-sensitive behavior when available.
85
94
 
86
95
  ## Capability And Permission Policy
87
96
 
@@ -138,6 +147,28 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
138
147
  - Frontend update input may select only a closed channel enum when needed. Rust or static config must map that enum to hard-coded HTTPS endpoints and configured public keys.
139
148
  - Do not enable insecure updater transport in production unless the user explicitly accepts the supply-chain boundary change and the repository records why.
140
149
 
150
+ ## Build And Release Matrix Policy
151
+
152
+ - Treat Tauri release builds as Rust release builds plus frontend build plus bundling. Cold Cargo
153
+ builds can dominate CI time, so check Rust cache, Node or package-manager cache, lockfile keys,
154
+ and target-specific cache dimensions before blaming frontend code.
155
+ - Do not run full native bundles for every pull request by default. Prefer PR checks that prove the
156
+ frontend build, Rust compile or checks, command contracts, and permission files on the cheapest
157
+ adequate runner. Reserve full Windows, Linux, macOS, signing, notarization, updater, and installer
158
+ matrices for release tags, release branches, or protected manual gates unless the repository
159
+ explicitly requires more.
160
+ - Keep `bundle.targets` or equivalent packaging configuration to the formats actually shipped. Do
161
+ not leave broad all-format packaging enabled when the release only needs, for example, one Windows
162
+ installer, one macOS disk image or app bundle, and one Linux package format.
163
+ - For macOS distribution, prefer one deliberate universal or architecture-specific strategy rather
164
+ than accidental duplicate jobs. Name signing and notarization boundaries separately from compile
165
+ time.
166
+ - Keep test artifacts short-lived and promote durable distributables through the release or package
167
+ channel. Do not use long-retention CI artifacts as the canonical release surface.
168
+ - If a cost comparison between Tauri and another desktop stack is requested, route the CI billing,
169
+ runner-minute, artifact-storage, and matrix-shape analysis through `ci-pipeline-triage`; use this
170
+ skill for Tauri-specific bundle targets, Cargo cache, updater, signing, and packaging behavior.
171
+
141
172
  ## Review Rejection Criteria
142
173
 
143
174
  Reject or revise a change when:
@@ -163,6 +194,8 @@ Reject or revise a change when:
163
194
  - Permission and capability changes have a clear diff and native-operation justification.
164
195
  - CSP changes have been checked against the generated frontend entry HTML and required Tauri IPC or custom protocol origins.
165
196
  - Missing Tauri-specific verification is reported.
197
+ - Tauri package targets, release matrix, cache strategy, and artifact retention are explicit when
198
+ packaging is touched.
166
199
 
167
200
  <!-- mustflow-section: verification -->
168
201
  ## Verification
@@ -188,6 +221,9 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
188
221
  - If a CSP change breaks packaged app startup, inspect generated HTML and console CSP violations before widening policy; prefer nonce, hash, or externalized bootstrap before accepting `unsafe-inline`.
189
222
  - If a command accepts broad input, replace it with a typed request and Rust-side validation before exposing it to the frontend.
190
223
  - If updater, shell, opener, sidecar, or filesystem access cannot be narrowed, report the security boundary change instead of hiding it as a normal feature fix.
224
+ - If packaging cost or duration grows unexpectedly, check `bundle.targets`, release-only matrix
225
+ gating, Rust cache, frontend cache, macOS job count, signing and notarization split, and artifact
226
+ retention before changing unrelated app code.
191
227
 
192
228
  <!-- mustflow-section: output-format -->
193
229
  ## Output Format
@@ -196,6 +232,8 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
196
232
  - IPC, command input, CSP, permission, capability, window/webview, and scope notes
197
233
  - Permission diff: old permissions, new permissions, newly reachable windows/webviews, new scopes, and native operation justification
198
234
  - Filesystem, dialog, shell, opener, updater, sidecar, or mobile risk
235
+ - Build matrix, bundle target, signing or notarization, cache, artifact retention, and release asset
236
+ notes when packaging is touched
199
237
  - Files changed
200
238
  - Command intents run
201
239
  - Skipped checks and reasons