mustflow 2.107.9 → 2.108.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/api/serve.js +73 -10
- package/dist/core/run-receipt-state.js +23 -2
- package/dist/core/secret-redaction.js +6 -1
- package/package.json +1 -1
- package/schemas/api-serve-response.schema.json +1 -0
- package/templates/default/i18n.toml +48 -12
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +24 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +52 -14
- package/templates/default/locales/en/.mustflow/skills/admin-control-plane-safety-review/SKILL.md +200 -0
- package/templates/default/locales/en/.mustflow/skills/ai-product-readiness-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +91 -28
- package/templates/default/locales/en/.mustflow/skills/browser-automation-reliability-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/database-change-safety/SKILL.md +21 -2
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +25 -7
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +117 -43
- package/templates/default/locales/en/.mustflow/skills/frontend-component-library-review/SKILL.md +299 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +128 -36
- package/templates/default/locales/en/.mustflow/skills/notification-delivery-integrity-review/SKILL.md +226 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +34 -14
- package/templates/default/locales/en/.mustflow/skills/routes.toml +36 -0
- package/templates/default/locales/en/.mustflow/skills/small-service-platform-architecture-review/SKILL.md +273 -0
- package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
- package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
- package/templates/default/manifest.toml +43 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.payment-integrity-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: payment-integrity-review
|
|
9
|
-
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, chargeback, dispute, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
9
|
+
description: Apply this skill when payment, checkout, authorization, capture, refund, partial refund, subscription, invoice, credit note, receipt, tax document, trial, grace period, coupon, promotion, inventory reservation, fulfillment, entitlement, settlement, fee, payout, chargeback, dispute, fraud review, card testing, provider webhook, payment outbox, payment session, payment link, payment-provider integration, admin manual payment operation, payment logs, PCI-sensitive data handling, or payment-related tests need review for money-event integrity, idempotency, ordering, ownership, amount, currency, retry, reconciliation, ledger, or audit risk.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -35,7 +35,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
35
35
|
<!-- mustflow-section: use-when -->
|
|
36
36
|
## Use When
|
|
37
37
|
|
|
38
|
-
- Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, receipt, entitlement, fulfillment, subscription,
|
|
38
|
+
- Payment, checkout, payment-session, payment-link, authorization, capture, refund, partial refund, dispute, chargeback, settlement, fee, payout, receipt, invoice, credit note, tax document, entitlement, fulfillment, subscription, trial, grace period, coupon, promotion, fraud review, card testing, or inventory reservation logic is created, changed, reviewed, or reported.
|
|
39
39
|
- Provider webhook handling, provider callback handling, payment outbox records, payment retry handling, timeout handling, provider reconciliation, or async payment method handling can change internal money state.
|
|
40
40
|
- Client-supplied amount, currency, quantity, product, discount, shipping, tax, order, subscription, refund, or customer identifiers can influence a payment action.
|
|
41
41
|
- Manual admin payment operations, payment logs, audit trails, or payment-related tests need review.
|
|
@@ -52,7 +52,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
52
52
|
<!-- mustflow-section: required-inputs -->
|
|
53
53
|
## Required Inputs
|
|
54
54
|
|
|
55
|
-
- Money-event ledger: every create, authorize, capture, fulfill, refund, dispute, chargeback, settlement, adjustment, cancellation, expiration, and entitlement event that can move money or access.
|
|
55
|
+
- Money-event ledger: every create, authorize, capture, fulfill, refund, partial refund, tax reversal, credit note, receipt, dispute, chargeback, settlement, payout, adjustment, cancellation, expiration, and entitlement event that can move money, evidence, or access.
|
|
56
56
|
- Provider interaction ledger: payment provider calls, webhook event types, redirect handlers,
|
|
57
57
|
polling, reconciliation jobs, SDK clients, idempotency keys, internal order IDs, internal payment
|
|
58
58
|
IDs, attempt IDs, provider object IDs, provider reference IDs, and provider environment selection.
|
|
@@ -66,7 +66,9 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
66
66
|
parser or validator, database constraint when available, and the rejection path for unknown,
|
|
67
67
|
stale, misspelled, or provider-shaped event types.
|
|
68
68
|
- Idempotency and uniqueness ledger: logical operation IDs, provider idempotency keys, database uniqueness constraints, webhook event dedupe keys, fulfillment dedupe keys, and retry behavior.
|
|
69
|
-
- Amount and currency ledger: product/cart snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, and settlement amount.
|
|
69
|
+
- Amount and currency ledger: product/cart snapshot, invoice and line-item snapshot, server-side calculation path, quantity, discounts, coupons, tax, shipping, minor-unit representation, currency, provider amount, internal ledger amount, receipt amount, refund amount, dispute amount, payout amount, and settlement amount.
|
|
70
|
+
- Invoice, receipt, and tax ledger: invoice status, invoice line items, credit notes, receipt generation, receipt delivery, receipt lookup identifiers, tax behavior, tax jurisdiction, tax-exemption evidence, tax-rate snapshots, tax reversals, and tax-document issuance state.
|
|
71
|
+
- Dispute and fraud ledger: dispute reason, evidence deadline, evidence packet inputs, refund-dispute collision policy, fraud review state, card-testing defenses, risk holds, descriptor or customer-communication evidence, and network-monitoring exposure when available.
|
|
70
72
|
- Ownership ledger: user, tenant, account, order, payment session, refund, subscription, invoice, entitlement, admin actor, and provider customer ownership checks.
|
|
71
73
|
- Fulfillment and entitlement ledger: when access, inventory, shipment, credits, licenses, notifications, or downstream side effects are granted or revoked.
|
|
72
74
|
- Webhook and retry ledger: signature verification, raw-body handling, event storage, queue handoff, duplicate and out-of-order handling, timeout classification, backoff, and dead-letter behavior.
|
|
@@ -84,7 +86,7 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
84
86
|
<!-- mustflow-section: allowed-edits -->
|
|
85
87
|
## Allowed Edits
|
|
86
88
|
|
|
87
|
-
- Tighten payment state machines, server-side amount calculation, minor-unit money handling, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, append-only ledgers, secret and card-data redaction, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
89
|
+
- Tighten payment state machines, server-side amount calculation, invoice and line-item snapshots, minor-unit money handling, tax snapshots and reversals, receipt delivery tracking, ownership checks, idempotency keys, provider-ID uniqueness, webhook signature verification, webhook dedupe, outbox event-type validation, queue handoff, one-time fulfillment, async payment handling, authorization/capture distinction, refund/dispute/subscription transitions, inventory and coupon reservation, timeout and retry classification, payout reconciliation, append-only ledgers, secret and card-data redaction, fraud and card-testing defenses, admin audit trails, stale payment endpoint cleanup notes, focused nightmare-path tests, and directly synchronized docs or templates.
|
|
88
90
|
- Do not replace a focused payment-integrity fix with a broad payment platform rewrite unless the current code cannot preserve money correctness with a smaller boundary.
|
|
89
91
|
- Do not add live payment secrets, real card data, real refunds, real charges, or live-provider side effects.
|
|
90
92
|
|
|
@@ -104,8 +106,11 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
104
106
|
strings, provider event names, stale constants, or user-controlled values become trusted outbox
|
|
105
107
|
operation types.
|
|
106
108
|
4. Calculate amount on the server. Treat client-supplied amount, currency, quantity, discount, coupon, tax, shipping, product ID, plan ID, or cart totals as input claims only; rebuild the payable total from trusted product, cart, account, and policy snapshots.
|
|
109
|
+
- Freeze the cart, order, invoice, subscription period, product, price, discount, shipping, tax behavior, tax rate, exchange rate, and entitlement snapshot used for the payment. Do not recalculate paid orders, refunds, chargebacks, receipts, or tax documents from current product tables.
|
|
110
|
+
- For partial refunds, calculate from line items and tax lines, not only from a manual total. Preserve refunded quantity, refunded subtotal, tax reversal, discount allocation, shipping decision, credit note link, and refund reason.
|
|
107
111
|
5. Bind every payment object to its owner. Verify user, tenant, order, payment session, refund, subscription, invoice, provider customer, and admin actor ownership before read, write, refund, cancel, fulfillment, or entitlement changes.
|
|
108
112
|
6. Compare every amount ledger. Trace order amount, provider request amount, provider response amount, internal money ledger, receipt, settlement, fee, refund, and entitlement amount. Flag any path where one amount can drift without reconciliation.
|
|
113
|
+
- Distinguish gross charge, captured amount, processor fee, application or platform fee, tax collected, tax liability, refund, tax reversal, dispute withdrawal, dispute fee, dispute reinstatement, payout, payout failure, reserve, and negative provider balance. Provider dashboard totals and bank deposits are not the same fact as revenue.
|
|
109
114
|
7. Use integer minor units. Reject float, double, string-concatenated, rounded-late, locale-formatted, or JavaScript-number money math when it can cross currency or precision boundaries.
|
|
110
115
|
8. Make payment creation idempotent. Use a stable key for one logical payment attempt, not a fresh UUID per retry. Include operation identity such as order or attempt ID, but do not include secrets or raw personal data.
|
|
111
116
|
9. Use database uniqueness as the last gate. Add or verify unique constraints for provider payment IDs, provider session IDs, provider event IDs, provider refund IDs, internal ledger IDs, and fulfillment records where duplicates would move money or access twice.
|
|
@@ -115,11 +120,18 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
115
120
|
13. Return from webhook endpoints quickly. Persist the event, enqueue durable work, and return a provider-acceptable response without doing slow fulfillment, network fan-out, file work, or long transactions in the webhook request.
|
|
116
121
|
14. Never use success redirects as proof. Treat checkout success pages, return URLs, frontend callbacks, and local storage flags as user navigation only; fulfillment must depend on verified provider state or signed server-side evidence.
|
|
117
122
|
15. Run fulfillment exactly once. Guard entitlement grants, shipments, credit issuance, license creation, invoice finalization, emails with money meaning, and inventory release with unique records or state transitions.
|
|
123
|
+
- Keep internal entitlement state separate from provider subscription state. `past_due`, `unpaid`, grace period, restricted access, revocation, reactivation, and manual invoice-paid events should map through product policy rather than a direct provider-status copy.
|
|
118
124
|
16. Handle asynchronous payment methods. Do not fulfill on checkout completion when the provider can still move through pending, requires_action, processing, delayed success, delayed failure, or expiry states.
|
|
119
125
|
17. Separate authorization from capture. Do not treat an authorization hold as captured money. Review capture windows, partial captures, expired authorizations, cancellations, orphan authorized-but-not-captured operations, and post-authorization amount changes.
|
|
120
126
|
18. Review refunds as money-out events. Check requested, pending, completed, failed, cancelled, and partial refund states; double refunds; refund failures; refund idempotency; refund ownership; refund amount/currency; ledger reversal; entitlement revocation; and receipt updates.
|
|
127
|
+
- Treat refund requests and provider refunds as separate records when provider outcomes can be pending, require customer action, fail, cancel, or arrive through provider dashboards. Use refund-request idempotency keys, not a fresh key per click and not the whole order ID when multiple partial refunds are valid.
|
|
128
|
+
- Lock or reserve refundable balance while a refund is pending when concurrent operators, jobs, or customer flows can otherwise exceed the captured amount.
|
|
121
129
|
19. Handle disputes and chargebacks. Ensure dispute events affect access, account risk, support workflow, ledger entries, settlement reports, and customer-visible state without pretending the original capture still stands unchanged.
|
|
122
|
-
|
|
130
|
+
- Define the refund-dispute collision policy. A pending or completed refund can collide with a dispute; avoid double compensation, preserve refund IDs and receipt evidence, and decide whether to accept, contest, or block new refunds while a dispute is open.
|
|
131
|
+
- Track evidence deadlines, reason categories, evidence packet fields, customer communications, receipt and invoice links, refund history, shipping or delivery proof, usage logs, login or download evidence, cancellation evidence, and support decisions. Winning a dispute does not erase the operational need to prevent future dispute-rate or fraud-rate exposure.
|
|
132
|
+
20. Review subscriptions as state machines. Separate trialing, active, incomplete, incomplete_expired, past_due, grace, unpaid, cancelled, pending cancellation, retrying, upgraded, downgraded, invoice-open, invoice-paid, and invoice-failed states.
|
|
133
|
+
- Model dunning and entitlement policy explicitly: first-payment failure, off-session authentication required, hard decline, soft decline, retry schedule, payment-method update link, reminder sequence, grace period, restriction, revocation, reactivation, and manual invoice resolution.
|
|
134
|
+
- Review plan changes as money and entitlement events. Upgrades, downgrades, seat-count changes, proration, coupon changes, tax changes, account credits, and mid-cycle cancellations must update invoice, entitlement, credit, and refund ledgers consistently.
|
|
123
135
|
21. Reserve inventory before confirming it. Check that payment, inventory, cancellation, expiration, refund, and fulfillment cannot oversell, lose stock, or keep stock reserved after an abandoned payment.
|
|
124
136
|
22. Reserve coupons before consuming them. Under concurrent attempts, a coupon should not be spent twice or lost forever after a failed or expired payment. Review reservation, consumption, release, and expiry paths.
|
|
125
137
|
23. Treat timeouts as unknown outcomes. A provider timeout after request submission is not a failure proof. Verify by idempotency key, provider object lookup, webhook, or reconciliation before retrying or cancelling.
|
|
@@ -127,24 +139,31 @@ Review payment code as money-event integrity, not provider API success. The core
|
|
|
127
139
|
25. Segment the payment path. When diagnosing approval rate or decline spikes, separate frontend validation, backend request creation, provider gateway, acquirer, card network, issuer, bank, 3DS or additional authentication, and settlement evidence instead of reading one blended failure count.
|
|
128
140
|
26. Keep an append-only money ledger. Prefer immutable entries for payment, capture, refund, fee, settlement, chargeback, adjustment, and correction. Flag mutable balance-only code with no event history.
|
|
129
141
|
27. Reconcile provider and internal state. Check scheduled or manual reconciliation for missed webhooks, stale internal states, provider-side refunds, settlement fees, disputes, orphan authorizations, and permanently unknown operations.
|
|
142
|
+
- Reconcile payouts separately from sales. A payout is movement from provider balance to a bank account, not revenue. Check payout failure, negative provider balance, reserves, platform or connected-account liability, refunded-after-payout flows, and dispute-after-payout recovery.
|
|
143
|
+
- Reconcile provider-dashboard manual actions back into local state. Provider-side refunds, subscription cancellations, invoice voids, paid invoice overrides, dispute decisions, and tax document changes need webhook ingestion, reconciliation jobs, or explicit manual import evidence.
|
|
130
144
|
28. Redact payment-sensitive data. Never log card numbers, CVV, track data, PINs, raw payment credentials, webhook secrets, bearer tokens, provider secret keys, or full provider payloads containing sensitive fields.
|
|
145
|
+
- Keep PCI scope intentionally small. Hosted checkout, tokenized payment methods, mandates, and provider components are preferable when they keep raw card data away from application servers. Never store CVC/CVV after authorization, even for recurring payments.
|
|
131
146
|
29. Separate test and live payment planes. Verify API keys, webhook secrets, product IDs, price IDs, environment flags, provider account IDs, and fixtures cannot cross between test and live modes.
|
|
132
147
|
30. Audit manual payment operations. Require role, reason, target object, before/after values, approver or policy evidence, operator identity, timestamp, and rollback or correction path for admin overrides.
|
|
148
|
+
- Separate admin abilities for refund, credit, invoice void, tax document reissue, dispute evidence access, subscription cancellation, entitlement override, and provider-dashboard action reconciliation. Money operations need least privilege and audit evidence, not one broad support-admin flag.
|
|
133
149
|
31. Add a payment hold or kill-switch path for unsafe flows. Risky provider migrations, webhook
|
|
134
150
|
regressions, reconciliation uncertainty, fraud spikes, or duplicate-money incidents need a way
|
|
135
151
|
to hold fulfillment, stop captures, pause refunds, or disable a provider path without corrupting
|
|
136
152
|
ledger state.
|
|
153
|
+
- Treat fraud review and card testing as payment integrity risks. High failure velocity, repeated card fingerprints, bot-like checkout attempts, high-risk score, mismatched geography, descriptor confusion, unusually fast disputes, and chargeback-rate monitoring need hold, review, rate-limit, or provider-rule evidence before fulfillment.
|
|
137
154
|
32. Search for stale payment endpoints. Review old checkout paths, hidden callback URLs, deprecated provider versions, old mobile endpoints, webhook v1 handlers, and manual scripts that still mutate money state.
|
|
138
|
-
33. Check
|
|
139
|
-
34.
|
|
155
|
+
33. Check invoice, receipt, and tax-document delivery. Payment success is separate from receipt generation, receipt email delivery, invoice finalization, credit note issuance, refund receipt delivery, and tax document issuance. Support should be able to find records by order ID, payment ID, invoice number, receipt number, provider object, safe customer identifier, and correlation ID.
|
|
156
|
+
34. Check public errors and support evidence. Payment failures must not lie about success, leak sensitive payment facts, or leave support with no safe correlation ID, provider object ID, receipt or invoice ID, dispute ID, refund ID, or internal event ID.
|
|
157
|
+
35. Test the nightmare paths. Include repeated pay-button clicks, replayed webhooks, out-of-order webhooks, success redirect plus database failure, database success plus provider timeout, amount or currency tampering, wrong order ID, concurrent double refund, pay then cancel, expired-session completion, partial refund tax reversal, refund failure, refund then dispute, dispute then refund attempt, subscription retry and dunning, provider-side manual refund, receipt delivery failure, tax-document gap, payout failure, card-testing spike, orphan authorization cleanup, provider kill switch or hold state, and admin override rollback.
|
|
140
158
|
|
|
141
159
|
<!-- mustflow-section: postconditions -->
|
|
142
160
|
## Postconditions
|
|
143
161
|
|
|
144
162
|
- The payment surface has a money-event map, provider interaction map, identifier map,
|
|
145
163
|
state-transition map, immutable event log, idempotency and uniqueness map, amount and currency map,
|
|
146
|
-
ownership map, fulfillment and entitlement map, webhook/retry map,
|
|
147
|
-
map, reconciliation and hold-state map,
|
|
164
|
+
invoice/receipt/tax map, ownership map, fulfillment and entitlement map, webhook/retry map,
|
|
165
|
+
outbox event-type validation map, reconciliation and hold-state map, dispute/fraud map, payout
|
|
166
|
+
map, and audit/sensitive-data map.
|
|
148
167
|
- Any false success, duplicate money movement, duplicate fulfillment, wrong-owner action, wrong amount, wrong currency, stale event overwrite, timeout misclassification, or missing reconciliation is fixed or reported with evidence.
|
|
149
168
|
- Tests or explicit verification cover the highest-risk nightmare paths available in the current scope.
|
|
150
169
|
|
|
@@ -164,7 +183,7 @@ Use configured oneshot command intents when available:
|
|
|
164
183
|
- `test_release`
|
|
165
184
|
- `mustflow_check`
|
|
166
185
|
|
|
167
|
-
Prefer focused tests for duplicate operations, webhook replay, out-of-order events, ownership denial, amount tampering, timeout unknowns,
|
|
186
|
+
Prefer focused tests for duplicate operations, webhook replay, out-of-order events, ownership denial, amount tampering, timeout unknowns, one-time fulfillment, partial refunds, failed refunds, refund-dispute collisions, subscription retry and dunning, receipt delivery failure, tax reversal, payout reconciliation, fraud holds, and card-testing controls. Use broader checks when payment integrity touches shared state machines, provider adapters, database migrations, or template surfaces.
|
|
168
187
|
|
|
169
188
|
<!-- mustflow-section: failure-handling -->
|
|
170
189
|
## Failure Handling
|
|
@@ -173,14 +192,15 @@ Prefer focused tests for duplicate operations, webhook replay, out-of-order even
|
|
|
173
192
|
- If a provider outcome is unknown, do not mark it failed or paid without reconciliation evidence.
|
|
174
193
|
- If webhook signature verification cannot be proven because middleware hides the raw body, report that as a blocking integrity risk.
|
|
175
194
|
- If duplicate prevention relies only on in-memory flags, frontend disabling, or sequential UI behavior, report the missing durable idempotency gate.
|
|
195
|
+
- If invoice, receipt, tax, dispute, payout, or provider-dashboard manual-action evidence is missing, report the missing operational ledger instead of treating provider success as complete payment evidence.
|
|
176
196
|
- If tests cannot hit live-provider behavior, use provider fixtures, signed webhook fixtures, fake adapters, or state-machine tests and report remaining live integration risk.
|
|
177
197
|
|
|
178
198
|
<!-- mustflow-section: output-format -->
|
|
179
199
|
## Output Format
|
|
180
200
|
|
|
181
201
|
- Payment surface and provider boundary reviewed
|
|
182
|
-
- Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, ownership, fulfillment, webhook, retry, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
183
|
-
- Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, reconciliation, and audit risks
|
|
202
|
+
- Money-event, provider, identifier, state, event-log, outbox event-type, idempotency, amount, invoice, receipt, tax, ownership, fulfillment, webhook, retry, dispute, fraud, payout, reconciliation, hold-state, audit, and sensitive-data ledgers
|
|
203
|
+
- Findings or fixes for duplicate, late, out-of-order, wrong-actor, wrong-amount, wrong-currency, timeout, retry, refund, subscription, tax, receipt, chargeback, fraud, payout, reconciliation, and audit risks
|
|
184
204
|
- Nightmare-path tests or evidence added, run, skipped, or still missing
|
|
185
205
|
- Command intents run
|
|
186
206
|
- Remaining payment-integrity risk
|
|
@@ -18,6 +18,12 @@ route_type = "primary"
|
|
|
18
18
|
priority = 82
|
|
19
19
|
applies_to_reasons = ["code_change", "behavior_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "public_api_change"]
|
|
20
20
|
|
|
21
|
+
[routes."small-service-platform-architecture-review"]
|
|
22
|
+
category = "architecture_patterns"
|
|
23
|
+
route_type = "primary"
|
|
24
|
+
priority = 84
|
|
25
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "migration_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
|
|
26
|
+
|
|
21
27
|
[routes."code-review"]
|
|
22
28
|
category = "general_code"
|
|
23
29
|
route_type = "primary"
|
|
@@ -216,6 +222,12 @@ route_type = "adjunct"
|
|
|
216
222
|
priority = 81
|
|
217
223
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
218
224
|
|
|
225
|
+
[routes."notification-delivery-integrity-review"]
|
|
226
|
+
category = "general_code"
|
|
227
|
+
route_type = "adjunct"
|
|
228
|
+
priority = 82
|
|
229
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
230
|
+
|
|
219
231
|
[routes."api-misuse-resistance-review"]
|
|
220
232
|
category = "general_code"
|
|
221
233
|
route_type = "adjunct"
|
|
@@ -600,6 +612,12 @@ route_type = "primary"
|
|
|
600
612
|
priority = 65
|
|
601
613
|
applies_to_reasons = ["ui_change", "product_change"]
|
|
602
614
|
|
|
615
|
+
[routes."ai-product-readiness-review"]
|
|
616
|
+
category = "general_code"
|
|
617
|
+
route_type = "primary"
|
|
618
|
+
priority = 64
|
|
619
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
|
|
620
|
+
|
|
603
621
|
[routes."prompt-contract-quality-review"]
|
|
604
622
|
category = "general_code"
|
|
605
623
|
route_type = "primary"
|
|
@@ -636,6 +654,12 @@ route_type = "primary"
|
|
|
636
654
|
priority = 70
|
|
637
655
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
638
656
|
|
|
657
|
+
[routes."browser-automation-reliability-review"]
|
|
658
|
+
category = "general_code"
|
|
659
|
+
route_type = "primary"
|
|
660
|
+
priority = 73
|
|
661
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "ui_change", "product_change", "package_metadata_change", "release_risk"]
|
|
662
|
+
|
|
639
663
|
[routes."agent-eval-integrity-review"]
|
|
640
664
|
category = "general_code"
|
|
641
665
|
route_type = "primary"
|
|
@@ -858,6 +882,12 @@ route_type = "adjunct"
|
|
|
858
882
|
priority = 77
|
|
859
883
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
860
884
|
|
|
885
|
+
[routes."admin-control-plane-safety-review"]
|
|
886
|
+
category = "security_privacy"
|
|
887
|
+
route_type = "adjunct"
|
|
888
|
+
priority = 79
|
|
889
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
890
|
+
|
|
861
891
|
[routes."file-upload-security-review"]
|
|
862
892
|
category = "security_privacy"
|
|
863
893
|
route_type = "adjunct"
|
|
@@ -972,6 +1002,12 @@ route_type = "adjunct"
|
|
|
972
1002
|
priority = 82
|
|
973
1003
|
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "web_asset_change"]
|
|
974
1004
|
|
|
1005
|
+
[routes."frontend-component-library-review"]
|
|
1006
|
+
category = "ui_assets"
|
|
1007
|
+
route_type = "adjunct"
|
|
1008
|
+
priority = 84
|
|
1009
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "public_api_change", "package_metadata_change", "performance_change", "security_change", "privacy_change", "web_asset_change", "release_risk"]
|
|
1010
|
+
|
|
975
1011
|
[routes."frontend-localization-review"]
|
|
976
1012
|
category = "ui_assets"
|
|
977
1013
|
route_type = "adjunct"
|
|
@@ -0,0 +1,273 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.small-service-platform-architecture-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: small-service-platform-architecture-review
|
|
9
|
+
description: Apply this skill when a multi-product platform, app factory, solo-developer portfolio platform, many-small-services architecture, shared account portal, Product Registry, shared auth, billing, credits, entitlements, admin console, deployment factory, analytics, logging, i18n, common UI, templates, or operations automation for multiple product apps is created, changed, reviewed, or reported.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.small-service-platform-architecture-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Small Service Platform Architecture Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review a shared platform for many small products as an app factory, not as many copied services.
|
|
33
|
+
|
|
34
|
+
The core question is: "Can a new product be added mostly by declaring product facts, while auth,
|
|
35
|
+
billing, credits, entitlements, admin, analytics, observability, legal, deployment, and operations
|
|
36
|
+
stay shared and explainable?" If not, the portfolio is just copy-paste debt with domains attached.
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- A repository, architecture plan, template, generator, or product platform is intended to support
|
|
42
|
+
many small apps, micro-SaaS products, SEO tools, AI tools, API products, downloads, extensions,
|
|
43
|
+
or similar product shells.
|
|
44
|
+
- Code, docs, schemas, templates, or reviews touch a Product Registry, app catalog, shared account
|
|
45
|
+
portal, shared identity, organization, billing, credit ledger, usage meter, entitlement, admin,
|
|
46
|
+
analytics, logging, notification, i18n, legal, feature flag, app template, deployment factory,
|
|
47
|
+
file service, job queue, integration service, outbound webhook, AI Gateway, or license service.
|
|
48
|
+
- A review or final report claims that creating another service is easy, the platform is reusable,
|
|
49
|
+
templates are shared, billing or credits are common, apps are tenant-safe, or operations can scale
|
|
50
|
+
beyond a few products.
|
|
51
|
+
- A solo developer or small team wants to avoid reimplementing account, payment, admin, deploy,
|
|
52
|
+
telemetry, localization, support, and incident workflows for each product.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
55
|
+
## Do Not Use When
|
|
56
|
+
|
|
57
|
+
- The task concerns one standalone app with no multi-product platform, app factory, shared package,
|
|
58
|
+
or cross-product operational surface.
|
|
59
|
+
- The task only changes a single auth flow, OAuth callback, session, token, or permission rule. Use
|
|
60
|
+
`auth-permission-change`, `auth-flow-triage`, or `api-access-control-review`.
|
|
61
|
+
- The task only changes one payment, subscription, refund, webhook, credit, or usage path. Use
|
|
62
|
+
`payment-integrity-review` or `credit-ledger-integrity-review`.
|
|
63
|
+
- The task only changes an admin screen, notification path, i18n path, deployment pipeline,
|
|
64
|
+
component library, AI feature, file upload, queue, or service boundary. Use the matching
|
|
65
|
+
specialist skill first.
|
|
66
|
+
- The task is an organization-scale microservice split decision rather than a product-app factory.
|
|
67
|
+
Use `service-boundary-architecture` first.
|
|
68
|
+
|
|
69
|
+
<!-- mustflow-section: required-inputs -->
|
|
70
|
+
## Required Inputs
|
|
71
|
+
|
|
72
|
+
- User goal, target product count, product types, expected shared versus app-specific behavior,
|
|
73
|
+
repository layout, current diff or target files, and configured command intents.
|
|
74
|
+
- Product Registry ledger: `app_id`, domains, environments, product names, auth modes, plan and
|
|
75
|
+
price mapping, entitlement keys, usage meters, credit costs, analytics namespace, admin panels,
|
|
76
|
+
i18n namespace, email templates, legal and consent versions, data categories, and deploy config.
|
|
77
|
+
- Identity ledger: users, identities, sessions, organizations, workspaces, memberships, roles,
|
|
78
|
+
permissions, invitations, API keys, service accounts, account linking, and account portal scope.
|
|
79
|
+
- Money and access ledger: customers, provider customers, subscriptions, invoices, tax profiles,
|
|
80
|
+
webhook events, refunds, disputes, wallets, credit grants, credit transactions, usage events,
|
|
81
|
+
reservations, quotas, limits, grace periods, and local entitlement state.
|
|
82
|
+
- Operations ledger: support view, admin action log, resource change history, impersonation,
|
|
83
|
+
refunds, manual credits, feature overrides, account merge or delete, job logs, webhook logs,
|
|
84
|
+
email logs, runbooks, alerts, backups, and restore tests.
|
|
85
|
+
- App factory ledger: app templates, `create-product` or equivalent generator, shared packages,
|
|
86
|
+
thin app shells, CI/CD, preview, staging, production, migration policy, smoke tests, rollback,
|
|
87
|
+
secrets, environment variables, DNS, TLS, CDN, storage, cache, queue, cron, and workers.
|
|
88
|
+
- Observability and analytics ledger: event schema, first-value-created event, revenue metrics,
|
|
89
|
+
usage rollups, structured logs, traces, request IDs, app IDs, tenant IDs, alerts, status pages,
|
|
90
|
+
and cost monitors.
|
|
91
|
+
- Shared product surface ledger: i18n, legal, consent, notifications, file service, job service,
|
|
92
|
+
integrations, outbound webhooks, SEO, marketing pages, shared UI, feature flags, remote config,
|
|
93
|
+
AI Gateway, license service, and developer portal where relevant.
|
|
94
|
+
|
|
95
|
+
<!-- mustflow-section: preconditions -->
|
|
96
|
+
## Preconditions
|
|
97
|
+
|
|
98
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
99
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
100
|
+
current scope.
|
|
101
|
+
- Existing local platform, template, package, registry, billing, auth, admin, analytics, deploy,
|
|
102
|
+
and operations patterns have been searched before proposing a new platform layer.
|
|
103
|
+
- If the change touches money, auth, privacy, admin, deployment, AI, localization, files, queues, or
|
|
104
|
+
notifications, also apply the narrower matching skill for that boundary.
|
|
105
|
+
|
|
106
|
+
<!-- mustflow-section: allowed-edits -->
|
|
107
|
+
## Allowed Edits
|
|
108
|
+
|
|
109
|
+
- Create or refine platform architecture docs, skill procedures, route metadata, templates, tests,
|
|
110
|
+
registry schemas, app factory contracts, shared package boundaries, operational runbooks, and
|
|
111
|
+
directly synchronized template copies tied to the multi-product platform surface.
|
|
112
|
+
- Tighten platform boundaries by moving copied product logic into shared packages, registries,
|
|
113
|
+
policy services, ledgers, generators, runbooks, or explicit app-specific extension points.
|
|
114
|
+
- Add focused tests for registry validation, entitlement resolution, credit ledger behavior,
|
|
115
|
+
webhook idempotency, template generation, app profile installation, admin permissions,
|
|
116
|
+
analytics event shape, i18n key coverage, smoke checks, and operation runbooks when existing
|
|
117
|
+
project patterns support them.
|
|
118
|
+
- Do not migrate to a new cloud, framework, auth provider, billing provider, queue, database,
|
|
119
|
+
analytics tool, or orchestration platform unless the current task explicitly requires that
|
|
120
|
+
migration.
|
|
121
|
+
- Do not turn every possible future product feature into mandatory platform scope. Separate the
|
|
122
|
+
phase-one spine from phase-two and phase-three extensions.
|
|
123
|
+
|
|
124
|
+
<!-- mustflow-section: procedure -->
|
|
125
|
+
## Procedure
|
|
126
|
+
|
|
127
|
+
1. Decide whether this is a platform factory or a single product.
|
|
128
|
+
- A platform factory has several product shells, shared packages, shared ledgers, common
|
|
129
|
+
operations, and a path for adding a product through declaration plus thin app code.
|
|
130
|
+
- If the surface is one app, route to the narrower product or framework skill and report that
|
|
131
|
+
this skill does not apply.
|
|
132
|
+
2. Build the Product Registry ledger first.
|
|
133
|
+
- Require one source of truth for app identity, domains, environments, auth policy, billing
|
|
134
|
+
catalog mapping, entitlement keys, usage meters, credit costs, analytics namespace, admin
|
|
135
|
+
panels, i18n namespace, email templates, legal versions, data categories, and deploy config.
|
|
136
|
+
- Flag product facts scattered across routes, Stripe dashboards, environment variables,
|
|
137
|
+
seed scripts, marketing pages, and app-specific constants.
|
|
138
|
+
3. Review identity as a shared account operating system.
|
|
139
|
+
- Separate `User` from `Identity` so email, OAuth, passkeys, and account linking can evolve.
|
|
140
|
+
- Require common organization, workspace, membership, invitation, role, permission, API key,
|
|
141
|
+
service account, session management, device session, forced logout, and account portal paths.
|
|
142
|
+
- Keep billing, security, data export, data deletion, and login methods anchored in the account
|
|
143
|
+
portal even when product apps have their own settings.
|
|
144
|
+
4. Review billing, entitlements, credits, and usage as local ledgers.
|
|
145
|
+
- Treat the payment provider as an event source, not as the application's only authority.
|
|
146
|
+
- Require provider webhooks to be stored, signature-checked, idempotent, replayable, and mapped
|
|
147
|
+
into local customer, subscription, invoice, refund, dispute, tax, and entitlement state.
|
|
148
|
+
- Reject feature gates such as `plan === "pro"`; require entitlement and limit checks.
|
|
149
|
+
- Reject balance-only credits; require append-only credit transactions, grants, usage events,
|
|
150
|
+
reservations, capture, release, partial capture, expiry, reconciliation, and audit evidence.
|
|
151
|
+
5. Review admin and support as production control planes.
|
|
152
|
+
- Require a support view that connects user, organization, apps used, plan, payment state,
|
|
153
|
+
credit ledger, usage, recent errors, jobs, webhooks, notifications, experiments, and blocks.
|
|
154
|
+
- Separate audit logs from resource change history.
|
|
155
|
+
- Require scoped operator permissions, impersonation controls, dangerous-action confirmation,
|
|
156
|
+
reason capture, step-up authentication where needed, production guardrails, and PII masking.
|
|
157
|
+
6. Review the app factory.
|
|
158
|
+
- Prefer a generator that registers a product and creates thin app shell files over a large
|
|
159
|
+
template copy that drifts.
|
|
160
|
+
- Keep shared auth, billing, credits, entitlements, analytics, logging, i18n, UI, email, jobs,
|
|
161
|
+
files, deployment, and support behavior in packages or services that remain upgradeable.
|
|
162
|
+
- Require templates for common product shapes only when they still depend on shared packages.
|
|
163
|
+
7. Review deployment and database rollout.
|
|
164
|
+
- Require preview, staging, and production separation, environment-scoped secrets, provider
|
|
165
|
+
sandbox separation, migration checks, expand-migrate-contract sequencing, smoke tests,
|
|
166
|
+
rollback or rollback-forward runbooks, and post-deploy observation.
|
|
167
|
+
- Treat manual DNS, TLS, storage, queue, cron, backup, or monitoring setup as product launch
|
|
168
|
+
debt unless it is captured in a reproducible checklist or generator.
|
|
169
|
+
8. Review analytics, logging, and operations before product count grows.
|
|
170
|
+
- Standardize event names, `app_id`, anonymous and authenticated user identity, tenant identity,
|
|
171
|
+
locale, country, campaign, plan, experiment, and request or trace identifiers.
|
|
172
|
+
- Require each product to declare its first-value-created event.
|
|
173
|
+
- Require structured logs, traces, alerts, dashboards, runbooks, backup checks, restore tests,
|
|
174
|
+
cost spike alerts, domain and certificate expiry alerts, job dead-letter handling, and webhook
|
|
175
|
+
replay.
|
|
176
|
+
9. Review shared product surfaces.
|
|
177
|
+
- Keep notification categories, transactional versus marketing consent, i18n namespaces,
|
|
178
|
+
fallback behavior, legal and consent versions, shared UI layouts, file ownership, job
|
|
179
|
+
idempotency, integration tokens, outbound webhook signing, SEO templates, feature flags,
|
|
180
|
+
remote config, AI Gateway calls, and license keys common unless product-specific behavior is
|
|
181
|
+
deliberately declared.
|
|
182
|
+
10. Review privacy and security as cross-product invariants.
|
|
183
|
+
- Require `app_id`, `tenant_id`, `user_id`, `request_id`, and `trace_id` on records where they
|
|
184
|
+
explain ownership, access, audit, or support.
|
|
185
|
+
- Require PII redaction, retention policy, consent records, cookie and marketing preferences,
|
|
186
|
+
data export, delete, anonymize, backup encryption, dependency scanning, abuse detection,
|
|
187
|
+
card-testing detection, and admin read audit for sensitive data.
|
|
188
|
+
11. Phase the platform spine.
|
|
189
|
+
- Phase one should cover Product Registry, identity and organization, billing basics, credit
|
|
190
|
+
ledger, entitlement, basic admin, analytics events, structured logging, app template or
|
|
191
|
+
generator, CI/CD, and basic transactional email.
|
|
192
|
+
- Phase two should cover account portal depth, webhook replay, usage rollups, feature flags,
|
|
193
|
+
file service, job queue, support view, i18n, legal and consent, SEO templates, monitoring,
|
|
194
|
+
backups, and restore checks.
|
|
195
|
+
- Phase three should cover AI Gateway, affiliate or referral, license service, outbound
|
|
196
|
+
webhooks, developer portal, advanced experiments, advanced RBAC, warehouse, churn automation,
|
|
197
|
+
abuse detection, and cost optimization.
|
|
198
|
+
12. Route specialist risks deliberately.
|
|
199
|
+
- Apply `payment-integrity-review`, `credit-ledger-integrity-review`,
|
|
200
|
+
`admin-control-plane-safety-review`, `notification-delivery-integrity-review`,
|
|
201
|
+
`frontend-localization-review`, `frontend-component-library-review`,
|
|
202
|
+
`deployment-rollout-safety-review`, `ai-product-readiness-review`,
|
|
203
|
+
`file-upload-security-review`, `queue-processing-integrity-review`, or
|
|
204
|
+
`service-boundary-architecture` when the platform review exposes a narrower implementation
|
|
205
|
+
risk.
|
|
206
|
+
13. Report evidence level honestly.
|
|
207
|
+
- Separate architecture inspection, schema or registry evidence, package boundary evidence,
|
|
208
|
+
generated template evidence, test evidence, operational runbook evidence, provider webhook
|
|
209
|
+
fixture evidence, and real production-readiness evidence.
|
|
210
|
+
- Name missing configured intents or manual review for provider dashboards, cloud consoles,
|
|
211
|
+
browser smoke tests, visual review, or deployment checks instead of claiming readiness.
|
|
212
|
+
|
|
213
|
+
<!-- mustflow-section: postconditions -->
|
|
214
|
+
## Postconditions
|
|
215
|
+
|
|
216
|
+
- Product Registry, identity, billing, credit, entitlement, admin, app factory, deployment,
|
|
217
|
+
analytics, logging, shared product surface, security, privacy, operations, and phased rollout
|
|
218
|
+
ledgers are fixed, ruled out, or reported.
|
|
219
|
+
- New product creation depends more on declared product facts and thin app code than on duplicated
|
|
220
|
+
auth, payment, admin, analytics, i18n, deployment, and operations code.
|
|
221
|
+
- Product-specific behavior is declared as product-specific, and shared behavior has a clear owner.
|
|
222
|
+
- Missing provider, deployment, telemetry, security, privacy, localization, or operational evidence
|
|
223
|
+
is named instead of hidden.
|
|
224
|
+
|
|
225
|
+
<!-- mustflow-section: verification -->
|
|
226
|
+
## Verification
|
|
227
|
+
|
|
228
|
+
Use configured oneshot command intents when available:
|
|
229
|
+
|
|
230
|
+
- `changes_status`
|
|
231
|
+
- `changes_diff_summary`
|
|
232
|
+
- `lint`
|
|
233
|
+
- `build`
|
|
234
|
+
- `test_related`
|
|
235
|
+
- `test`
|
|
236
|
+
- `docs_validate_fast`
|
|
237
|
+
- `test_release`
|
|
238
|
+
- `mustflow_check`
|
|
239
|
+
|
|
240
|
+
Use the narrowest configured unit, template, registry, docs, release, package, build, or mustflow
|
|
241
|
+
intent that covers the changed platform contract. Do not infer provider dashboard, cloud console,
|
|
242
|
+
deployment, browser, visual-regression, package-manager, or dev-server commands outside the command
|
|
243
|
+
contract.
|
|
244
|
+
|
|
245
|
+
<!-- mustflow-section: failure-handling -->
|
|
246
|
+
## Failure Handling
|
|
247
|
+
|
|
248
|
+
- If no Product Registry or equivalent source of truth exists, stop treating the platform as
|
|
249
|
+
reusable and report the missing product authority.
|
|
250
|
+
- If payment, credit, entitlement, or usage facts are split between provider dashboards and app
|
|
251
|
+
constants, apply the money and ledger specialist skills before claiming platform readiness.
|
|
252
|
+
- If templates are copied but shared packages cannot be upgraded across product shells, report
|
|
253
|
+
template drift risk instead of calling the generator complete.
|
|
254
|
+
- If admin or support paths require direct database edits, apply `admin-control-plane-safety-review`
|
|
255
|
+
and report the operational safety gap.
|
|
256
|
+
- If verification fails, preserve the configured intent name and failure evidence, then fix the
|
|
257
|
+
platform contract surface rather than weakening tests or removing installed files.
|
|
258
|
+
- If release impact is unclear, apply `date-number-audit` before editing versions or release notes.
|
|
259
|
+
|
|
260
|
+
<!-- mustflow-section: output-format -->
|
|
261
|
+
## Output Format
|
|
262
|
+
|
|
263
|
+
- Platform surface reviewed
|
|
264
|
+
- Product Registry, identity, billing, credit, entitlement, admin, app factory, deployment,
|
|
265
|
+
analytics, observability, shared surface, security, privacy, operations, and phase ledgers
|
|
266
|
+
- Findings, fixes, or recommendations
|
|
267
|
+
- Shared versus product-specific ownership decisions
|
|
268
|
+
- Specialist skills used or deferred
|
|
269
|
+
- Evidence level by registry, schema, package, template, tests, provider, deployment, telemetry,
|
|
270
|
+
and runbook surface
|
|
271
|
+
- Command intents run
|
|
272
|
+
- Skipped platform-readiness checks and reasons
|
|
273
|
+
- Remaining small-service platform architecture risk
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.tauri-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: tauri-code-change
|
|
9
|
-
description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar,
|
|
9
|
+
description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, mobile native permissions, Tauri bundling targets, release package formats, or native desktop CI build matrices are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -38,6 +38,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
38
38
|
- `src-tauri`, `tauri.conf.*`, `Cargo.toml`, `#[tauri::command]`, `invoke`, Tauri JavaScript APIs, plugin config, capabilities, permissions, scopes, CSP, WebView bootstrap HTML, fs, dialog, shell, opener, updater, sidecar, mobile manifests, or native permissions change.
|
|
39
39
|
- A frontend button, menu, or workflow calls native resources through Tauri.
|
|
40
40
|
- A packaged Tauri app shows a blank or black WebView after release and browser console or built HTML may point to Content Security Policy blocking the frontend bootstrap.
|
|
41
|
+
- Tauri release packaging, `bundle.targets`, platform target triples, updater artifacts, signing,
|
|
42
|
+
or CI matrix behavior changes.
|
|
41
43
|
|
|
42
44
|
<!-- mustflow-section: do-not-use-when -->
|
|
43
45
|
## Do Not Use When
|
|
@@ -49,6 +51,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
49
51
|
## Required Inputs
|
|
50
52
|
|
|
51
53
|
- Frontend package metadata, static build output or generated entry HTML, Tauri config, Rust manifests, main/lib command modules, command registration, capability and permission files, plugin config, updater config, sidecar config, mobile permissions, and tests.
|
|
54
|
+
- Build and release evidence when packaging is in scope: CI workflow or task definitions, runner
|
|
55
|
+
OS matrix, package formats, `bundle.targets`, Rust and frontend cache strategy, signing or
|
|
56
|
+
notarization gates, updater artifacts, artifact retention, and release asset upload path.
|
|
52
57
|
- Map of frontend calls to Rust commands or plugin APIs, permission scopes, exact window labels, exact webview labels, CSP directives, remote origins, WebView custom protocols or IPC origins, and actual OS resources.
|
|
53
58
|
- Permission diff: previous permissions, new permissions, newly reachable windows/webviews, new scopes, and native operations enabled.
|
|
54
59
|
- Configured verification intents.
|
|
@@ -69,6 +74,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
69
74
|
- Prefer app-owned directories and stable app IDs over broad filesystem paths.
|
|
70
75
|
- Keep shell, opener, sidecar, and updater behavior narrowly scoped.
|
|
71
76
|
- Prefer Rust commands that map small enums or ids to fixed native operations over exposing broad plugin APIs directly to the frontend.
|
|
77
|
+
- Keep package target lists explicit. Do not rely on broad "all targets" behavior when the product
|
|
78
|
+
only ships a small set of installers or archives.
|
|
72
79
|
|
|
73
80
|
<!-- mustflow-section: procedure -->
|
|
74
81
|
## Procedure
|
|
@@ -81,7 +88,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
81
88
|
6. Apply the CSP and WebView bootstrap policy below before tightening `script-src`, `connect-src`, `style-src`, `worker-src`, `img-src`, `font-src`, or remote-origin policy.
|
|
82
89
|
7. Apply the command input policy below before adding or changing `#[tauri::command]` handlers or `invoke` wrappers.
|
|
83
90
|
8. Apply the filesystem, dialog, shell, opener, updater, and sidecar policies below when those plugins or native operations are touched.
|
|
84
|
-
9.
|
|
91
|
+
9. Apply the build and release matrix policy below when `tauri.conf.*`, release scripts, CI
|
|
92
|
+
workflows, updater artifacts, signing, or bundle targets change.
|
|
93
|
+
10. Choose configured verification intents that cover Rust, frontend, Tauri build, permission/capability drift, CSP behavior, and security-sensitive behavior when available.
|
|
85
94
|
|
|
86
95
|
## Capability And Permission Policy
|
|
87
96
|
|
|
@@ -138,6 +147,28 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
138
147
|
- Frontend update input may select only a closed channel enum when needed. Rust or static config must map that enum to hard-coded HTTPS endpoints and configured public keys.
|
|
139
148
|
- Do not enable insecure updater transport in production unless the user explicitly accepts the supply-chain boundary change and the repository records why.
|
|
140
149
|
|
|
150
|
+
## Build And Release Matrix Policy
|
|
151
|
+
|
|
152
|
+
- Treat Tauri release builds as Rust release builds plus frontend build plus bundling. Cold Cargo
|
|
153
|
+
builds can dominate CI time, so check Rust cache, Node or package-manager cache, lockfile keys,
|
|
154
|
+
and target-specific cache dimensions before blaming frontend code.
|
|
155
|
+
- Do not run full native bundles for every pull request by default. Prefer PR checks that prove the
|
|
156
|
+
frontend build, Rust compile or checks, command contracts, and permission files on the cheapest
|
|
157
|
+
adequate runner. Reserve full Windows, Linux, macOS, signing, notarization, updater, and installer
|
|
158
|
+
matrices for release tags, release branches, or protected manual gates unless the repository
|
|
159
|
+
explicitly requires more.
|
|
160
|
+
- Keep `bundle.targets` or equivalent packaging configuration to the formats actually shipped. Do
|
|
161
|
+
not leave broad all-format packaging enabled when the release only needs, for example, one Windows
|
|
162
|
+
installer, one macOS disk image or app bundle, and one Linux package format.
|
|
163
|
+
- For macOS distribution, prefer one deliberate universal or architecture-specific strategy rather
|
|
164
|
+
than accidental duplicate jobs. Name signing and notarization boundaries separately from compile
|
|
165
|
+
time.
|
|
166
|
+
- Keep test artifacts short-lived and promote durable distributables through the release or package
|
|
167
|
+
channel. Do not use long-retention CI artifacts as the canonical release surface.
|
|
168
|
+
- If a cost comparison between Tauri and another desktop stack is requested, route the CI billing,
|
|
169
|
+
runner-minute, artifact-storage, and matrix-shape analysis through `ci-pipeline-triage`; use this
|
|
170
|
+
skill for Tauri-specific bundle targets, Cargo cache, updater, signing, and packaging behavior.
|
|
171
|
+
|
|
141
172
|
## Review Rejection Criteria
|
|
142
173
|
|
|
143
174
|
Reject or revise a change when:
|
|
@@ -163,6 +194,8 @@ Reject or revise a change when:
|
|
|
163
194
|
- Permission and capability changes have a clear diff and native-operation justification.
|
|
164
195
|
- CSP changes have been checked against the generated frontend entry HTML and required Tauri IPC or custom protocol origins.
|
|
165
196
|
- Missing Tauri-specific verification is reported.
|
|
197
|
+
- Tauri package targets, release matrix, cache strategy, and artifact retention are explicit when
|
|
198
|
+
packaging is touched.
|
|
166
199
|
|
|
167
200
|
<!-- mustflow-section: verification -->
|
|
168
201
|
## Verification
|
|
@@ -188,6 +221,9 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
|
|
|
188
221
|
- If a CSP change breaks packaged app startup, inspect generated HTML and console CSP violations before widening policy; prefer nonce, hash, or externalized bootstrap before accepting `unsafe-inline`.
|
|
189
222
|
- If a command accepts broad input, replace it with a typed request and Rust-side validation before exposing it to the frontend.
|
|
190
223
|
- If updater, shell, opener, sidecar, or filesystem access cannot be narrowed, report the security boundary change instead of hiding it as a normal feature fix.
|
|
224
|
+
- If packaging cost or duration grows unexpectedly, check `bundle.targets`, release-only matrix
|
|
225
|
+
gating, Rust cache, frontend cache, macOS job count, signing and notarization split, and artifact
|
|
226
|
+
retention before changing unrelated app code.
|
|
191
227
|
|
|
192
228
|
<!-- mustflow-section: output-format -->
|
|
193
229
|
## Output Format
|
|
@@ -196,6 +232,8 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
|
|
|
196
232
|
- IPC, command input, CSP, permission, capability, window/webview, and scope notes
|
|
197
233
|
- Permission diff: old permissions, new permissions, newly reachable windows/webviews, new scopes, and native operation justification
|
|
198
234
|
- Filesystem, dialog, shell, opener, updater, sidecar, or mobile risk
|
|
235
|
+
- Build matrix, bundle target, signing or notarization, cache, artifact retention, and release asset
|
|
236
|
+
notes when packaging is touched
|
|
199
237
|
- Files changed
|
|
200
238
|
- Command intents run
|
|
201
239
|
- Skipped checks and reasons
|