mustflow 2.108.0 → 2.108.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/api/serve.js +73 -10
- package/dist/core/run-receipt-state.js +23 -2
- package/dist/core/secret-redaction.js +6 -1
- package/package.json +1 -1
- package/schemas/api-serve-response.schema.json +1 -0
- package/templates/default/i18n.toml +5 -5
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +13 -10
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
- package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
- package/templates/default/manifest.toml +1 -1
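--- a/package/dist/cli/commands/api/serve.js
+++ b/package/dist/cli/commands/api/serve.js
@@ -1,10 +1,10 @@
-import { createInterface } from 'node:readline';
 import { apiReportActionSpec, isApiReportAction } from './actions.js';
 import { printUsageError } from '../../lib/cli-output.js';
 import { formatCliOptionParseError, hasParsedCliOption, parseCliOptions, } from '../../lib/option-parser.js';
 import { isRecord } from '../../lib/command-contract.js';
 import { t } from '../../lib/i18n.js';
 const API_SERVE_SCHEMA_VERSION = '1';
+const API_SERVE_MAX_LINE_CHARS = 1024 * 1024;
 const API_SERVE_OPTIONS = [
 { name: '--stdio', kind: 'boolean' },
 { name: '--help', kind: 'boolean', aliases: ['-h'] },
@@ -53,6 +53,15 @@ function readApiServeId(request) {
 }
 return null;
 }
+function readApiServeChanged(request, id) {
+if (!Object.hasOwn(request, 'changed')) {
+return undefined;
+}
+if (typeof request.changed === 'boolean') {
+return request.changed;
+}
+return createApiServeError(id, 'invalid_request', 'Request field "changed" must be a boolean when provided.');
+}
 function parseApiServeRequestLine(line) {
 let parsed;
 try {
@@ -72,11 +81,18 @@ function parseApiServeRequestLine(line) {
 error: createApiServeError(id, 'invalid_request', 'Request must be a JSON object.'),
 };
 }
+const changed = readApiServeChanged(parsed, id);
+if (typeof changed !== 'boolean' && changed !== undefined) {
+return {
+request: null,
+error: changed,
+};
+}
 return {
 request: {
 id,
 action: parsed.action,
-changed
+changed,
 },
 error: null,
 };
@@ -99,8 +115,8 @@ function createApiServeResponse(request, runtime) {
 try {
 return createApiServeSuccess(id, runtime.createReport(request.action));
 }
-catch
-return createApiServeError(id, 'report_unavailable',
+catch {
+return createApiServeError(id, 'report_unavailable', 'Report is unavailable for this action.');
 }
 }
 function writeApiServeResponse(response, reporter) {
@@ -111,6 +127,53 @@ function writeApiServeResponse(response, reporter) {
 }
 reporter.stdout(line.trimEnd());
 }
+async function* readApiServeInputLines(input) {
+input.setEncoding('utf8');
+let buffer = '';
+let discardingOversizedLine = false;
+for await (const chunk of input) {
+const text = typeof chunk === 'string' ? chunk : String(chunk);
+let start = 0;
+while (start < text.length) {
+const newlineIndex = text.indexOf('\n', start);
+const segmentEnd = newlineIndex === -1 ? text.length : newlineIndex;
+const segment = text.slice(start, segmentEnd);
+if (discardingOversizedLine) {
+if (newlineIndex !== -1) {
+yield { oversized: true };
+discardingOversizedLine = false;
+}
+}
+else if (buffer.length + segment.length > API_SERVE_MAX_LINE_CHARS) {
+buffer = '';
+if (newlineIndex === -1) {
+discardingOversizedLine = true;
+}
+else {
+yield { oversized: true };
+}
+}
+else {
+buffer += segment;
+if (newlineIndex !== -1) {
+yield { line: buffer.endsWith('\r') ? buffer.slice(0, -1) : buffer };
+buffer = '';
+}
+}
+if (newlineIndex === -1) {
+break;
+}
+start = newlineIndex + 1;
+}
+}
+if (discardingOversizedLine) {
+yield { oversized: true };
+return;
+}
+if (buffer.length > 0) {
+yield { line: buffer.endsWith('\r') ? buffer.slice(0, -1) : buffer };
+}
+}
 export async function runApiServe(args, reporter, lang, runtime) {
 const parsed = parseCliOptions(args, API_SERVE_OPTIONS);
 if (hasParsedCliOption(parsed, '--help')) {
@@ -125,12 +188,12 @@ export async function runApiServe(args, reporter, lang, runtime) {
 printUsageError(reporter, t(lang, 'api.error.serveRequiresStdio'), 'mf api --help', runtime.getHelp(lang), lang);
 return 1;
 }
-const
-
-
-
-
-const line =
+for await (const inputLine of readApiServeInputLines(process.stdin)) {
+if (inputLine.oversized) {
+writeApiServeResponse(createApiServeError(null, 'request_too_large', `Request line exceeds ${API_SERVE_MAX_LINE_CHARS} characters.`), reporter);
+continue;
+}
+const line = inputLine.line?.trim() ?? '';
 if (line.length === 0) {
 continue;
 }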
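Review bot: `readApiServeInputLines` has no doc comment stating its yield contract, and the limit it enforces is measured in UTF-16 code units (`buffer.length + segment.length`), not bytes, so a line that passes the 1 MiB check can still carry up to roughly 3 MiB of UTF-8 once non-ASCII JSON is involved; I would say so above the generator, e.g. `/** Yields { line } for each complete input line (trailing CR stripped) or { oversized: true } once per line longer than API_SERVE_MAX_LINE_CHARS (UTF-16 code units, not bytes); oversized input is dropped without being buffered. */`, and add `// counted in UTF-16 code units of the decoded line` at the constant's definition in the first hunk so the `request_too_large` message in the last hunk and the constant stay in step. A style point in the last hunk: `inputLine.line?.trim() ?? ''` guards against a shape the generator never yields, since every non-oversized item carries a string `line`, so `const line = inputLine.line.trim();` reads truer to the contract. runApiServe's body continues outside the hunk.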
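--- a/package/dist/core/run-receipt-state.js
+++ b/package/dist/core/run-receipt-state.js
@@ -3,6 +3,7 @@ import path from 'node:path';
 import { ensureInside, writeJsonFileInsideWithoutSymlinks } from './safe-filesystem.js';
 const RUN_RECEIPT_SCHEMA_VERSION = '1';
 const RUN_RECEIPT_DIR = path.join('.mustflow', 'state', 'runs');
+const RUN_RECEIPT_DIR_POSIX = '.mustflow/state/runs';
 const LATEST_RUN_RECEIPT_INDEX = 'latest.index.json';
 const STATE_DIR_PREFIXES = ['run-', 'verify-'];
 const MIN_RETAINED_RUN_DIRS = 1;
@@ -131,6 +132,24 @@ function stringField(value) {
 function stringArrayField(value) {
 return Array.isArray(value) && value.every((entry) => typeof entry === 'string') ? value : undefined;
 }
+function resolveReceiptPathInsideRunsDir(runsDir, receiptPath) {
+if (path.isAbsolute(receiptPath)) {
+return null;
+}
+const normalizedReceiptPath = receiptPath.replace(/\\/gu, '/');
+const runsPrefix = `${RUN_RECEIPT_DIR_POSIX}/`;
+if (!normalizedReceiptPath.startsWith(runsPrefix)) {
+return null;
+}
+const relativeToRunsDir = normalizedReceiptPath.slice(runsPrefix.length);
+const parts = relativeToRunsDir.split('/');
+if (parts.length === 0 || parts.some((part) => part.length === 0 || part === '.' || part === '..')) {
+return null;
+}
+const receiptAbsolutePath = path.resolve(runsDir, ...parts);
+ensureInside(runsDir, receiptAbsolutePath);
+return receiptAbsolutePath;
+}
 function createRunEntry(directory) {
 const receipt = readJsonObject(path.join(directory.absolutePath, 'receipt.json'));
 if (!receipt || receipt.command !== 'run' || typeof receipt.receipt_path !== 'string') {
@@ -154,8 +173,10 @@ function readVerifyIntentEntry(directory, manifest, manifestPath, manifestReceip
 return null;
 }
 const runsDir = path.dirname(directory.absolutePath);
-const receiptAbsolutePath =
-
+const receiptAbsolutePath = resolveReceiptPathInsideRunsDir(runsDir, receiptPath);
+if (!receiptAbsolutePath) {
+return null;
+}
 const receipt = readJsonObject(receiptAbsolutePath);
 return {
 command: 'verify',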
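Review bot: `resolveReceiptPathInsideRunsDir` mixes two failure signals — every structural rejection returns `null`, but the final `ensureInside(runsDir, receiptAbsolutePath)` presumably throws, so the caller in `readVerifyIntentEntry` (`if (!receiptAbsolutePath) return null;`) handles only the first kind; if a throw on a crafted `receipt_path` is meant to abort the whole listing, a comment saying so would help, otherwise `try { ensureInside(runsDir, receiptAbsolutePath); } catch { return null; }` keeps the contract uniform. The segment checks and `path.resolve` are purely lexical and do not follow symlinks, so a symlinked entry under the runs dir can still point outside it; whether `readJsonObject` guards against that is not visible here, and a doc comment such as `// Lexical containment only: rejects absolute paths, '.', '..' and empty segments; does not resolve symlinks.` would make the guarantee explicit. The `parts.length === 0` test is dead, since `String.prototype.split` never returns an empty array. readVerifyIntentEntry's body starts and ends outside the hunk.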
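--- a/package/dist/core/secret-redaction.js
+++ b/package/dist/core/secret-redaction.js
@@ -8,9 +8,14 @@ const SECRET_REDACTION_RULES = [
 },
 {
 kind: 'secret_token',
-pattern: /\b(?:sk-[A-Za-z0-
+pattern: /\b(?:sk-[A-Za-z0-9_-]{16,}|ghp_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|xox[baprs]-[A-Za-z0-9-]{20,}|AKIA[0-9A-Z]{16})\b/gu,
 replace: () => REDACTED_SECRET_MARKER,
 },
+{
+kind: 'secret_bearer_token',
+pattern: /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{24,})\b/gu,
+replace: (_match, prefix) => `${prefix}${REDACTED_SECRET_MARKER}`,
+},
 ];
 export const SECRET_LIKE_PATTERNS = SECRET_REDACTION_RULES.map((rule) => {
 const flags = rule.pattern.flags.replace('g', '');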
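Review bot: The new `secret_bearer_token` rule only matches a capitalised `Bearer`, while the HTTP authentication-scheme token is case-insensitive, so `bearer …` or `BEARER …` in a captured header value passes through unredacted; adding the `i` flag — `pattern: /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{24,})\b/giu,` — closes that gap, and the `replace` callback already preserves whatever prefix spelling was matched. The trailing `\b` after a class that includes `=`, `/`, `.` and `-` also means base64-style `=` padding at the end of a token is left in place; harmless for the secret itself, but worth a comment on the rule (`// trailing \b stops before non-word chars such as '=' padding`) so the class is not tightened later without noticing. The derived `SECRET_LIKE_PATTERNS` below strips only `g`, so an `i` flag would carry over there as intended. SECRET_REDACTION_RULES starts outside the hunk.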
package/package.json
|
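--- a/package/templates/default/i18n.toml
+++ b/package/templates/default/i18n.toml
@@ -62,7 +62,7 @@ translations = {}
 [documents."skills.index"]
 source = "locales/en/.mustflow/skills/INDEX.md"
 source_locale = "en"
-revision =
+revision = 207
 translations = {}
 
 [documents."skill.adapter-boundary"]
@@ -242,7 +242,7 @@ translations = {}
 [documents."skill.ci-pipeline-triage"]
 source = "locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md"
 source_locale = "en"
-revision =
+revision = 2
 translations = {}
 
 [documents."skill.auth-flow-triage"]
@@ -428,7 +428,7 @@ translations = {}
 [documents."skill.cloud-cost-guardrail-review"]
 source = "locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md"
 source_locale = "en"
-revision =
+revision = 2
 translations = {}
 
 [documents."skill.rate-limit-integrity-review"]
@@ -823,13 +823,13 @@ translations = {}
 [documents."skill.tauri-code-change"]
 source = "locales/en/.mustflow/skills/tauri-code-change/SKILL.md"
 source_locale = "en"
-revision =
+revision = 4
 translations = {}
 
 [documents."skill.wails-code-change"]
 source = "locales/en/.mustflow/skills/wails-code-change/SKILL.md"
 source_locale = "en"
-revision =
+revision = 2
 translations = {}
 
 [documents."skill.typescript-code-change"]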
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skills.index
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 207
|
|
6
6
|
authority: router
|
|
7
7
|
lifecycle: mustflow-owned
|
|
8
8
|
---
|
|
@@ -180,8 +180,9 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
180
180
|
registry, or runtime failure is not yet localized to host, daemon, image, app, network, storage,
|
|
181
181
|
resource, or registry boundaries.
|
|
182
182
|
- Use `ci-pipeline-triage` as a primary route when CI/CD workflow, pipeline, job, runner, trigger,
|
|
183
|
-
cache, artifact,
|
|
184
|
-
|
|
183
|
+
cache, artifact, runner-minute billing, artifact storage or retention, deployment job, required
|
|
184
|
+
check, or post-deploy verification failure or cost is not yet localized to trigger, runner,
|
|
185
|
+
environment, build, test, cache, artifact, billing, deploy, or verification.
|
|
185
186
|
- Use `web-render-performance-review` as an adjunct when web frontend routes need first-render,
|
|
186
187
|
Core Web Vitals, LCP, CLS, FCP, TTFB, critical CSS, font, image, iframe, third-party script,
|
|
187
188
|
hydration, first-view data, resource-hint, CDN/cache, route-prefetch, or long-task review.
|
|
@@ -286,8 +287,9 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
286
287
|
changed, reviewed, or upgraded.
|
|
287
288
|
- Use `wails-code-change` as a primary route when Wails v3 apps, Go services, generated bindings,
|
|
288
289
|
TypeScript runtime calls, windows, menus, system tray, dialogs, events, WebView platform
|
|
289
|
-
behavior, Taskfile or build config, signing, packaging,
|
|
290
|
-
server builds, or Wails-related tests are created,
|
|
290
|
+
behavior, Taskfile or build config, signing, packaging, platform targets, native desktop CI build
|
|
291
|
+
matrices, custom protocols, file associations, server builds, or Wails-related tests are created,
|
|
292
|
+
changed, reviewed, or upgraded.
|
|
291
293
|
- Use `axum-code-change` as a primary route when Axum routers, handlers, extractors, state,
|
|
292
294
|
extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, Tokio tasks or locks,
|
|
293
295
|
SQLx pools, rejections, error responses, body limits, WebSockets, or Rust HTTP API tests are
|
|
@@ -370,7 +372,8 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
370
372
|
egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources,
|
|
371
373
|
container registries, Marketplace, LLM API, or third-party SaaS usage needs review for whether
|
|
372
374
|
spend can silently explode without account isolation, caps, lifecycle, retention, attribution,
|
|
373
|
-
or automated non-production stop guardrails.
|
|
375
|
+
or automated non-production stop guardrails. For CI runner-minute, workflow matrix, artifact
|
|
376
|
+
retention, cache quota, or release-asset handoff cost, use `ci-pipeline-triage` first.
|
|
374
377
|
- Use `rate-limit-integrity-review` as an adjunct when rate limits, throttling, quotas, API usage
|
|
375
378
|
limits, request costs, token buckets, fixed or sliding windows, GCRA, Redis counters, edge,
|
|
376
379
|
gateway, service, tenant, user, API key, route-group, IP, 429, `Retry-After`, `RateLimit`,
|
|
@@ -495,7 +498,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
495
498
|
| Reported API, SDK, browser, mobile, webhook, gateway, CDN, load balancer, provider, wrong-status, wrong-body, CORS preflight, auth, rate-limit, cache, OpenAPI, or deployment-config failure is not yet localized to the client, network, proxy, app, database, cache, provider, or deployment boundary | `.mustflow/skills/api-failure-triage/SKILL.md` | Failing request packet, success comparator, boundary ledger, timing ledger, contract ledger, auth ledger, change ledger, redaction constraints, and configured command intents | Request/response evidence preservation, success/failure wire comparison, boundary localization, timing decomposition, status/body/content-type mapping, CORS/preflight split, redirect and proxy header checks, authn/authz split, retry/timeout/rate-limit/idempotency classification, cache and OpenAPI drift checks, focused reproduction fixtures, and directly synchronized docs or templates | log-first debugging, SDK argument theater, missing failing packet, success-only comparison, CORS blamed for server-to-server calls, redirect losing auth or method, proxy stripping idempotency or trace headers, `200` error body, HTML body with JSON content type, authn/authz collapse, object-auth incident missed, clock-skew flake, retry storm, non-idempotent replay, 429 hidden as 500, stale CDN or browser cache, OpenAPI drift, deployment config drift, or unfalsifiable log reading | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API failure triaged, request packet and comparator, boundary and timing ledger, localized cause or evidence gap, hypotheses killed or open, fix or recommendation, evidence level, verification, and remaining API-failure risk |
|
|
496
499
|
| Login, signup, logout, refresh, password reset, magic link, passkey, MFA, OAuth, OIDC, JWT, cookie, session, token exchange, provider callback, account-linking, or authorization-after-login behavior is failing or intermittent before the failing identity boundary is known | `.mustflow/skills/auth-flow-triage/SKILL.md` | Auth attempt packet, stage ledger, token and session ledger, browser and proxy ledger, provider ledger, denial and privacy ledger, redaction constraints, and configured command intents | Auth stage localization, sanitized success/failure comparison, cookie and CORS credential checks, proxy trust and redirect URI checks, state, nonce, PKCE, issuer and subject checks, token and JWKS validation, session refresh and logout checks, passkey and MFA checks, account-linking checks, focused denial tests, and directly synchronized docs or templates | login-as-one-bucket debugging, token or cookie logging, account enumeration, loose redirect matching, state or nonce bypass, PKCE mismatch hidden, issuer plus subject ignored, SameSite or Secure drift, forwarded-header trust bug, refresh-token race, session fixation, email-only account linking, stale token claims, clock-skew flake, broad CORS wildcard, or unverified provider-console assumption | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth flow triaged, failing stage and comparator, cookie/proxy/provider/token/session/passkey/MFA findings, fix or recommendation, evidence level, verification, and remaining auth-flow risk |
|
|
497
500
|
| Docker Engine, Docker Desktop, daemon, context, Compose, container start, crash loop, health check, image pull, build cache, port mapping, DNS, network, volume, bind mount, storage, proxy, registry, cgroup, OOM, signal handling, PID 1, or runtime behavior is failing before the failing container boundary is known | `.mustflow/skills/docker-runtime-triage/SKILL.md` | Runtime packet, container ledger, actual config ledger, host resource ledger, network ledger, storage ledger, evidence-preservation constraints, and configured command intents | Host, daemon, context, image, container, Compose, process, resource, storage, network, proxy, registry, and build boundary localization; evidence preservation before cleanup; focused Dockerfile, Compose, health, entrypoint, network, volume, resource, docs, fixture, or test edits only after localization | prune-before-evidence, restart loop hiding first error, app blame before daemon proof, logs-only diagnosis, exit code 137 treated as automatic OOM, PID 1 signal loss, container localhost confusion, bind mount hiding image files, Compose variable drift, tag identity confusion, stale build cache, broad firewall reset, volume deletion, or unbounded raw Docker command | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker runtime triaged, boundary findings, evidence preserved and missing, fix or recommendation, evidence level, verification, and remaining Docker runtime risk |
|
|
498
|
-
| CI/CD workflow, pipeline, job, matrix, trigger, required check, runner, cache, artifact, deployment step, or post-deploy verification is failing, skipped, queued, flaky, slow, or green despite broken output before the failing pipeline boundary is known | `.mustflow/skills/ci-pipeline-triage/SKILL.md` | Failure classification, run identity ledger, last-good comparison, boundary ledger, redaction constraints, and configured command intents | Trigger, parsed graph, queue, runner, environment, dependency, build, test, cache, artifact, deploy, smoke, and final status localization; false-green checks; safe diagnostic evidence; focused workflow, package, docs, fixture, or test edits only after localization | last-red-line debugging, latest-code comparison, rerun-green treated as fixed, skipped required check, path-filter pending state, hidden `continue-on-error`, queue time mistaken for build time, floating `latest`, secret logging, sleep-based service readiness, cache-as-artifact confusion, deploying untested rebuilt artifacts, fork token scope surprise, unguarded environment concurrency, or zero-exit deploy without smoke evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | CI pipeline triaged, failure shape and localized boundary, run identity and last-good comparison, trigger/runner/environment/build/test/cache/artifact/deploy/verification findings, verification, and remaining CI pipeline risk |
|
|
501
|
+
| CI/CD workflow, pipeline, job, matrix, trigger, required check, runner, cache, artifact, runner-minute billing, artifact storage or retention, deployment step, or post-deploy verification is failing, skipped, queued, flaky, slow, unexpectedly expensive, or green despite broken output before the failing or expensive pipeline boundary is known | `.mustflow/skills/ci-pipeline-triage/SKILL.md` | Failure classification, run identity ledger, last-good comparison, CI billing ledger when cost is in scope, boundary ledger, redaction constraints, and configured command intents | Trigger, parsed graph, queue, runner, environment, dependency, build, test, cache, artifact, billing, deploy, smoke, and final status localization; false-green checks; runner-minute and storage-quota separation; safe diagnostic evidence; focused workflow, package, docs, fixture, or test edits only after localization | last-red-line debugging, latest-code comparison, rerun-green treated as fixed, skipped required check, path-filter pending state, hidden `continue-on-error`, queue time mistaken for build time, runner-minute billing mistaken for artifact storage, plan allowance unit confusion, matrix split rounding loss, premium runner surprise, floating `latest`, secret logging, sleep-based service readiness, cache-as-artifact confusion, deploying untested rebuilt artifacts, fork token scope surprise, unguarded environment concurrency, or zero-exit deploy without smoke evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | CI pipeline triaged, failure or cost shape and localized boundary, run identity and last-good comparison, trigger/runner/environment/build/test/cache/artifact/billing/deploy/verification findings, verification, and remaining CI pipeline risk |
|
|
499
502
|
|
|
500
503
|
### General Code Change
|
|
501
504
|
|
|
@@ -538,7 +541,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
538
541
|
| Code review or implementation needs observability-debuggability triage for logs, metrics, traces, spans, structured events, telemetry context, collectors, exporters, telemetry queues, dashboards, alerts, runbooks, sampling, redaction, dependency calls, queues, batch jobs, caches, pools, rate limits, feature flags, releases, migrations, or partial-success paths where operators need to narrow incidents quickly without high-cardinality metric explosions, missing denominator counters, lost trace context, silent telemetry loss, or sensitive telemetry leakage | `.mustflow/skills/observability-debuggability-review/SKILL.md` | Incident question, signal inventory, request or job identity, metric model, trace and event model, log model, operational domain, telemetry pipeline evidence, privacy and retention constraints, verification evidence, and configured command intents | Structured event names, safe reason codes, total and failure counters, latency distributions, low-cardinality labels, trace and span context, dependency and operation names, async propagation, per-attempt telemetry, queue or batch lag signals, pool saturation metrics, release and feature attribution, telemetry self-metrics, signal pipeline survival checks, redaction, focused tests, and directly synchronized docs or templates | success-only log, no denominator, average-only latency, mixed success and error latency, raw URL label, raw user label, raw SQL telemetry, high-cardinality metric label, missing trace or span id, broken async trace propagation, attempt and operation collapse, generic timeout bucket, missing dependency name, missing idempotency or message evidence, missing queue age, missing batch last-success timestamp, missing pool saturation, missing release attribution, decorative metric, alert without action, dropped telemetry invisible, read-path visibility blind spot, sampling drops errors, unsafe baggage, or sink-side-only masking | `changes_status`, `changes_diff_summary`, `lint`, `build`, 
`test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Observability boundary reviewed, incident question and signal ledger, metric/trace/log/pipeline/cardinality/privacy findings, evidence level, verification, and remaining observability-debuggability risk |
|
|
539
542
|
| Code review, runbook work, or incident report needs incident-triage review for outages, degradations, timeout spikes, p95 or p99 latency spikes, queue backlog, pool saturation, CPU-idle slowness, memory pressure, OOM, disk or inode pressure, DNS or network failure, load balancer 5xx, Kubernetes node or pod issues, deployment regression, cache stampede, cron or batch spikes, Redis slowdown, DB lock waits, connection leaks, ephemeral-port exhaustion, conntrack saturation, or log floods where operators need to narrow the first bad time, affected slice, recent change, wait class, dependency, and manual-only diagnostics before reading every log | `.mustflow/skills/incident-triage-review/SKILL.md` | Incident frame, time evidence, scope axes, saturation and wait evidence, dependency evidence, change evidence, safety constraints, repository runbook or telemetry evidence, and configured command intents | Runbook steps, alert metadata, incident evidence checklists, telemetry contract notes, dashboard descriptions, test fixtures, docs, and directly synchronized templates that preserve first-bad-time, scope split, change ledger, wait classification, dependency split, success-versus-failure comparison, and manual-only diagnostic boundaries | average-only latency, all-logs-first triage, deployment dismissal, success-only comparison, proxy/app 5xx mixing, app-log-only OOM review, CPU-idle slowness ambiguity, DB-index reflex, pool-wait blindness, queue-lag understatement, cache-hit-rate overtrust, ping-only network checks, pod-only Kubernetes review, disk-capacity-only checks, log-volume blind spots, private incident-log capture, or raw live diagnostic commands treated as agent-authorized | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Incident boundary reviewed, first bad time and affected scope, change/success-failure/latency/resource/wait/dependency evidence, elimination ledger, manual-only diagnostics, verification, and 
remaining incident-triage risk |
|
|
540
543
|
| Code review, implementation, runbook work, or release preparation needs deployment-rollout safety review for server, backend, worker, scheduler, queue, cron, container, VM, serverless, DB migration, config, feature flag, cache, deployment pipeline, release envelope, image digest, deployment history, traffic rollback, canary, rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior where the deploy must be rolled out, stopped, observed, and rolled back safely | `.mustflow/skills/deployment-rollout-safety-review/SKILL.md` | Deployment resource ledger, release envelope, artifact identity, environment promotion path, deployment model, compatibility matrix, config diff, migration order, rollback history, traffic rollback path, cache and message compatibility, probe model, shutdown and drain behavior, canary cohort, version-split telemetry, stop conditions, rollback limits, synthetic transactions, post-deploy metrics, and configured command intents | Runbooks, release checklists, pipeline metadata, smoke tests, probe tests, config validation, feature-flag defaults, cache-key versions, worker-drain handling, deployment attribution, rollback compatibility notes, focused tests, and directly synchronized templates | unknown blast radius, missing release id, mutable latest tag, tag without digest, per-environment rebuild drift, deleted rollout history, cold old version, traffic rollback tied to rebuild, code and migration lockstep, destructive rollback SQL overclaim, missing PITR practice, config in-place mutation, missing startup config validation, process-only health check, readiness/liveness/startup probe collapse, liveness restart loop, ungraceful shutdown, load balancer drain shorter than app shutdown, worker work loss, non-idempotent queue retry, N-1 message incompatibility, unknown event poison message, missing external compensation, API N-1 or N+1 break, missing kill switch, 
unsafe flag fallback, vague canary cohort, global-average canary metrics, no automatic stop condition, read-only smoke, log format alert breakage, blanket cache flush, scheduler duplicate execution, CRD or operator downgrade break, missing deployment lock, production command without dry-run, or code-only rollback overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Deployment rollout boundary reviewed, resource ledger and release envelope, artifact identity, config/migration/cache/queue/API/probe/shutdown/canary/rollback/observation findings, verification, and remaining deployment-rollout risk |
|
|
541
|
-
| Code review, implementation, runbook work, or infrastructure review needs cloud-cost-guardrail review for cloud accounts, projects, subscriptions, environments, Kubernetes namespaces, serverless, databases, object storage, block storage, snapshots, NAT, private endpoints, public IPs, egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources, container registries, Marketplace, LLM APIs, external APIs, or third-party SaaS where spend must be attributed, capped, lifecycle-managed, alerted, and safely stoppable before a silent bill explosion | `.mustflow/skills/cloud-cost-guardrail-review/SKILL.md` | Cost surface ledger, budget actual and forecast thresholds, automated non-production action path, account or project isolation, quota and cap model, tag taxonomy, temporary resource expiration, network cost model, telemetry cost model, storage lifecycle model, commitment baseline, Marketplace or LLM usage limits, and configured command intents | Cost guardrail docs, infrastructure policy files, review checklists, tag schemas, quota notes, budget-action runbooks, cleanup rules, retention defaults, autoscale caps, Kubernetes ResourceQuota and LimitRange notes, registry lifecycle policies, provider usage caps, focused tests, and directly synchronized templates | notification-only budget, imagined hard spending limit, mixed prod and dev account, over-wide service quota, missing owner tag, tag-key chaos, no expires_at, stopped VM with NAT or DB still running, unbounded autoscale, missing Kubernetes ResourceQuota, inflated requests growing nodes, cloud-native service through NAT, untracked egress, cross-AZ surprise, idle public IPv4, no CDN cache cost control, log ingest flood, infinite retention, high-cardinality metric label, unbounded flow or audit logs, object lifecycle missing, cold-storage minimum-duration trap, stale block volume type, snapshot landfill, sticky DB storage growth, unbounded registry images, premature commitment, stateful 
spot misuse, unmonitored Marketplace or LLM spend, or no safe cost stop runbook | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cloud cost boundary reviewed, cost surface ledger, budget and action model, isolation/quota/tag/autoscale/Kubernetes/network/telemetry/storage/registry/commitment/spot/Marketplace/LLM/SaaS guardrail findings, manual-only provider checks, verification, and remaining cloud-cost risk |
|
|
544
|
+
| Code review, implementation, runbook work, or infrastructure review needs cloud-cost-guardrail review for cloud accounts, projects, subscriptions, environments, Kubernetes namespaces, serverless, databases, object storage, block storage, snapshots, NAT, private endpoints, public IPs, egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources, container registries, Marketplace, LLM APIs, external APIs, or third-party SaaS where spend must be attributed, capped, lifecycle-managed, alerted, and safely stoppable before a silent bill explosion | `.mustflow/skills/cloud-cost-guardrail-review/SKILL.md` | Cost surface ledger, budget actual and forecast thresholds, automated non-production action path, account or project isolation, quota and cap model, tag taxonomy, temporary resource expiration, network cost model, telemetry cost model, storage lifecycle model, commitment baseline, Marketplace or LLM usage limits, and configured command intents | Cost guardrail docs, infrastructure policy files, review checklists, tag schemas, quota notes, budget-action runbooks, cleanup rules, retention defaults, autoscale caps, Kubernetes ResourceQuota and LimitRange notes, registry lifecycle policies, provider usage caps, focused tests, and directly synchronized templates. 
CI runner minutes, workflow matrix cost, artifact retention, cache quota, and release asset handoff route to `ci-pipeline-triage` first | notification-only budget, imagined hard spending limit, mixed prod and dev account, over-wide service quota, missing owner tag, tag-key chaos, no expires_at, stopped VM with NAT or DB still running, unbounded autoscale, missing Kubernetes ResourceQuota, inflated requests growing nodes, cloud-native service through NAT, untracked egress, cross-AZ surprise, idle public IPv4, no CDN cache cost control, log ingest flood, infinite retention, high-cardinality metric label, unbounded flow or audit logs, object lifecycle missing, cold-storage minimum-duration trap, stale block volume type, snapshot landfill, sticky DB storage growth, unbounded registry images, premature commitment, stateful spot misuse, unmonitored Marketplace or LLM spend, CI billing routed to broad cloud review before localizing workflow cost, or no safe cost stop runbook | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cloud cost boundary reviewed, cost surface ledger, budget and action model, isolation/quota/tag/autoscale/Kubernetes/network/telemetry/storage/registry/commitment/spot/Marketplace/LLM/SaaS guardrail findings, manual-only provider checks, verification, and remaining cloud-cost risk |
|
|
542
545
|
| Code review or implementation needs rate-limit integrity triage for rate limits, throttling, quotas, API usage limits, request costs, token bucket, leaky bucket, fixed window, sliding window counter, sliding window log, GCRA, Redis counters, Lua or EVAL updates, CDN or WAF limits, gateway limits, service limits, tenant, user, API key, route group, IP, 429, `Retry-After`, `RateLimit`, shadow mode, operator reset, async enqueue, cached-hit counting, or concurrency-limit overlap that must protect a named resource without bypass, unfairness, counter drift, storage growth, retry storms, or misleading client hints | `.mustflow/skills/rate-limit-integrity-review/SKILL.md` | Protected resource ledger, cost-weighted request ledger, layer model, key model, algorithm and storage model, failure mode model, response contract, observability and operator evidence, and configured command intents | Protected-resource definitions, request cost weights, per-key policy, layered limit placement, route-template keys, atomic counter updates, TTLs, storage-time use, fail-open or fail-closed policy, blocked-decision cache, shadow mode, 429 response shape, observability fields, operator lookup or reset behavior, focused tests, and directly synchronized docs or templates | algorithm-first limiter, request-count-only quota, IP-only authenticated key, raw URL key explosion, missing identity-header policy, fixed-window boundary burst, costly sliding-window log on hot paths, non-atomic Redis read-modify-write, missing counter TTL, Redis Cluster hash-slot failure, app-server clock reset drift, process-local global quota, approximate edge limit treated as precise, hidden fail-open, free failed responses, rate versus concurrency confusion, unhelpful or leaky 429, synchronized retry wave, unsafe allow-decision cache, no shadow-mode ramp, missing policy id logs, raw Redis reset, unlimited async enqueue, cached CDN hit ambiguity, or rate limit treated as authorization or hard cost control | 
`changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Rate-limit policy boundary reviewed, protected resource and cost/layer/key/storage/fail-mode/response/operator model mapped, evidence level, verification, and remaining rate-limit-integrity risk |
|
|
543
546
|
| Code review or implementation needs idempotency-integrity triage for repeated requests, retries, duplicate POST/PATCH/DELETE calls, webhooks, provider callbacks, queue redelivery, scheduler or batch reruns, double clicks, app restarts, timeout recovery, external API callbacks, or duplicate business commands that can apply the same logical operation more than once | `.mustflow/skills/idempotency-integrity-review/SKILL.md` | Operation identity ledger, side-effect ledger, durable dedupe evidence, duplicate response policy, concurrency and recovery evidence, queue/webhook/scheduler/batch evidence, test evidence, and configured command intents | Durable idempotency records, request body hash checks, user and tenant binding, operation-type and target-resource binding, unique constraints, atomic insert-or-return behavior, state guards, affected-row checks, inbox and outbox records, applied-event ledgers, provider result lookup, response replay, processing lease recovery, focused duplicate tests, and directly synchronized docs or templates | POST-only assumption, idempotency key without durable storage, key not bound to payload or actor, memory-only or Redis-TTL-only dedupe, app-only `exists` then `insert`, missing unique index, duplicate success response drift, failed-attempt caching mistake, timeout treated as failure, external API before local operation record, provider idempotency used as internal proof, unconditional status update, duplicate increment, DELETE side-effect replay, GET hidden mutation, queue ack before durable commit, queue redelivery damage, webhook replay or stale event overwrite, scheduler rerun duplication, missing outbox or inbox, double compensation, stuck `PROCESSING`, lock-only proof, frontend-only debounce, or missing duplicate-path tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Idempotency boundary reviewed, logical operation and duplicate 
sources mapped, operation identity/payload/response/recovery evidence, durable dedupe and side-effect findings, tests or evidence level, verification, and remaining idempotency-integrity risk |
|
|
544
547
|
| Code review or implementation needs retry-policy integrity triage for retry loops, SDK retry configs, client middleware, `while true`, `for (;;)`, recursive retry, `maxAttempts`, `maxRetries`, `maxElapsedTime`, deadline, timeout, sleep, backoff, jitter, `Retry-After`, retry predicates, layered retries, circuit breakers, bulkheads, token buckets, queue redelivery, broker retry, cancellation-aware sleep, or retry observability that can amplify failures, duplicate side effects, hide permanent errors, exhaust pools, or overload dependencies | `.mustflow/skills/retry-policy-integrity-review/SKILL.md` | Retry surface, layered retry ledger, attempt budget, retry predicate, side-effect and idempotency ledger, backoff and jitter policy, overload and throttling evidence, observability and test evidence, and configured command intents | Bounded attempts, max elapsed time, per-attempt timeout, total deadline, cancellation propagation, retry predicates, exponential backoff with jitter, `Retry-After` parsing and clamping, idempotency key reuse, dependency-specific policy, retry wrapper diagnostics, per-attempt logs and metrics, focused retry tests, and directly synchronized docs or templates | retry amplification, infinite retry, capped backoff without stop condition, timeout gap for DNS, TLS, pool wait, streaming, or parsing, fixed-sleep herd behavior, broad catch-and-retry, permanent error retry, unknown-outcome replay, new idempotency key per attempt, key not bound to actor or payload, retry inside transaction or lock, pool starvation, unlimited parallel retry, stale per-key failure counter, global limiter unfairness, wrong circuit breaker or bulkhead order, wrapper losing cause/status/retry-after/request id, committed-response retry, non-replayable streaming body retry, app-plus-broker retry multiplication, cancellation-ignoring sleep, generic dependency policy, missing retry metrics, or happy-path-only retry tests | `changes_status`, `changes_diff_summary`, `lint`, 
`build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Retry policy boundary reviewed, layer multiplication and attempt budget mapped, timeout/backoff/predicate/idempotency/throttling findings, evidence level, verification, and remaining retry-policy-integrity risk |
|
|
@@ -637,8 +640,8 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
637
640
|
| Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, TypeScript compiler-track references, Rust release or MSRV references, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, TypeScript compiler track or Rust MSRV/toolchain track when relevant, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, TypeScript RC/nightly/API-track confusion, Rust stable/nightly/MSRV confusion, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, TypeScript stable/RC/nightly/API-track and Rust stable/nightly/MSRV split when relevant, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
|
|
638
641
|
| External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or volatile component implementations cross the core boundary or need stable port/adapter translation, change isolation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, change-isolation ledger, preserved consumer contract, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, caller churn from adapter-only changes, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, 
`docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, change-isolation ledger, preserved consumer contract, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
|
|
639
642
|
| Third-party SDK or external API integration, review, debugging, upgrade, webhook handling, auth scope change, sandbox or production setup, provider SDK version change, API version migration, rate-limit handling, retry policy, idempotency key usage, pagination, provider error mapping, request id logging, changelog review, deprecation response, or provider operational-readiness test needs production integration review | `.mustflow/skills/third-party-api-integration-review/SKILL.md` | Provider and SDK/API ledger, source-of-truth docs, auth and scope ledger, operation and side-effect ledger, webhook ledger, error and observability ledger, changelog or migration evidence, existing fakes or sandbox tests, and configured command intents | Provider adapters, wrappers, typed request and response models, error mappers, timeout and retry policies, rate-limit handling, idempotency key handling, pagination handling, webhook signature verification and dedupe, redacted observability, sandbox tests, fixtures, runbooks, migration notes, and directly synchronized docs or templates | demo-only integration, stale provider docs, SDK/API drift, sandbox-production mixup, hardcoded secret, overbroad scope, token refresh gap, missing timeout, infinite retry, retrying permanent errors, mutating retry without idempotency, per-attempt idempotency key, 429 retry storm, ignored Retry-After, offset pagination assumption, raw provider error leak, string-only provider error, missing request id, trusted webhook payload, JSON-parsed signature breakage, duplicate webhook side effect, event-order assumption, success redirect as proof, unhandled unknown provider outcome, dashboard-only setting, untested SDK upgrade, or happy-path-only sandbox test | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Third-party integration reviewed, provider source-of-truth and SDK/API version evidence, 
auth/environment/scope decisions, timeout/retry/rate-limit/idempotency/pagination decisions, webhook delivery and dedupe checks, error and observability mapping, tests or missing evidence, verification, and remaining provider operational risk |
|
|
640
|
-
| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar,
|
|
641
|
-
| Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch,
|
|
643
|
+
| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, mobile native permissions, Tauri bundling targets, release package formats, or native desktop CI build matrices are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, bundle targets, release matrix evidence, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, bundle target narrowing, package target notes, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, WebView/native boundary drift, all-target bundling surprise, cold Cargo cache cost, duplicated macOS packaging jobs, or long-retention CI artifacts posing as release assets | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, native boundary, bundle target, release matrix, artifact retention, verification, and remaining Tauri risk |
|
|
644
|
+
| Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, platform targets, native desktop CI build matrices, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, platform target and release matrix evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, target narrowing, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch, packaging/signing drift, all-platform PR packaging, duplicated macOS packaging jobs, or long-retention CI artifacts posing as release assets | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Wails version/app/service/bridge/binding/window/event/menu/tray/dialog/platform packaging, release matrix, artifact retention notes, verification, and remaining Wails risk |
|
|
642
645
|
| File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
|
|
643
646
|
| File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, clone or checkout materialization, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, clone/checkout/scaffold/install/extract path budget, app-owned staging boundary, platform expectations, failure taxonomy, and command contract entries | Path validation, file helpers, copy/update/delete code, clone/scaffold/archive cleanup code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, path-length or filename-length misclassification, watcher/resource misclassification, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, preflight and staging boundaries, clone/scaffold/extract classification, platform assumptions, verification, and remaining filesystem risk |
|
|
644
647
|
| Child processes, shell or argv execution, built-in command reruns, Git/package-manager/scaffolder failures, timeouts, process trees, output limits, streaming, environment policy, command eligibility, failure classification, command-line length limits, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, argv and shell command-length budget, environment, cwd, process tree behavior, failure taxonomy, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, failure classifiers, receipts, tests, and docs | runaway process, unbounded output, leaked environment, argv-too-long failure, shell-command-too-long failure, inconsistent JSON/text execution, false cleanup claim, Git checkout path failure misreported as network or auth, blind retry, diagnostic loss, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, argv and shell length handling, failure classification, diagnostic preservation, receipt consistency, tests, verification, and remaining process risk |
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.ci-pipeline-triage
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: ci-pipeline-triage
|
|
9
|
-
description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, green despite broken output, or not yet localized to trigger, runner, environment, build, test, artifact, deploy, or verification boundaries.
|
|
9
|
+
description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, runner-minute billing, artifact storage or retention, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, unexpectedly expensive, green despite broken output, or not yet localized to trigger, runner, environment, build, test, cache, artifact, billing, deploy, or verification boundaries.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -46,6 +46,9 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
46
46
|
deployment permissions, rollout completion, or post-deploy verification.
|
|
47
47
|
- A pipeline suddenly breaks without application-code changes, or only fails on forks, protected
|
|
48
48
|
branches, specific runners, specific regions, specific matrix entries, or reruns.
|
|
49
|
+
- A CI workflow becomes unexpectedly expensive, burns private-repository minutes too quickly,
|
|
50
|
+
exhausts artifact storage, keeps long-lived test artifacts, or needs a release matrix cost review
|
|
51
|
+
before the expensive boundary is known.
|
|
49
52
|
|
|
50
53
|
<!-- mustflow-section: do-not-use-when -->
|
|
51
54
|
## Do Not Use When
|
|
@@ -66,6 +69,10 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
66
69
|
- Run identity ledger: commit SHA, branch or tag, trigger event, workflow file revision, matrix
|
|
67
70
|
entry, runner label and image, architecture, region, toolchain versions, package-manager version,
|
|
68
71
|
execution time, and run or job id.
|
|
72
|
+
- CI billing ledger when cost is in scope: public versus private repository behavior, plan or
|
|
73
|
+
allowance snapshot, provider billing page or docs date, runner OS and size, job count, matrix
|
|
74
|
+
shape, per-job rounding behavior, queue versus execution time, artifact retention days, cache
|
|
75
|
+
retention or quota, and release asset handoff.
|
|
69
76
|
- Last-good comparison: last successful commit and first failing commit, including workflow files,
|
|
70
77
|
lockfiles, base images, shared scripts, secrets or permission scopes, runner labels, cache keys,
|
|
71
78
|
feature flags, deployment config, and required-check settings.
|
|
@@ -88,9 +95,9 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
88
95
|
## Allowed Edits
|
|
89
96
|
|
|
90
97
|
- Add or tighten workflow triggers, path filters, matrix guards, version pinning, cache keys,
|
|
91
|
-
artifact manifests,
|
|
92
|
-
|
|
93
|
-
test isolation, docs, and focused fixtures.
|
|
98
|
+
artifact manifests, artifact retention, release-asset promotion, status aggregation, debug
|
|
99
|
+
evidence collection, secret-safe diagnostics, timeout classification, runner labels, concurrency
|
|
100
|
+
locks, environment validation, smoke checks, test isolation, docs, and focused fixtures.
|
|
94
101
|
- Add tests or docs that prove workflow contract behavior, package metadata, template output,
|
|
95
102
|
release checks, artifact identity, or command-contract mapping when the repository owns those
|
|
96
103
|
surfaces.
|
|
@@ -134,21 +141,37 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
134
141
|
dimensions. Artifacts need file list, size, hash, build SHA, and download verification.
|
|
135
142
|
14. Verify that the tested artifact is the deployed artifact. Rebuilding during deploy can make CI
|
|
136
143
|
test one thing and production receive another.
|
|
137
|
-
15.
|
|
144
|
+
15. For CI cost or quota questions, split the bill before optimizing:
|
|
145
|
+
- runner execution minutes, not artifact bytes, usually dominate native app release cost;
|
|
146
|
+
- macOS or other premium runners can dominate a matrix even when Linux jobs are longer;
|
|
147
|
+
- job-level minimum billing or rounding can make many tiny split jobs cost more than one
|
|
148
|
+
grouped job;
|
|
149
|
+
- public repository standard-runner rules can differ from private repository included minutes;
|
|
150
|
+
- billing pages may display currency spend while plan allowances are minute or storage quotas,
|
|
151
|
+
so confirm the unit before comparing options.
|
|
152
|
+
16. Separate Actions artifacts, caches, package registries, and release assets. Short-lived test
|
|
153
|
+
bundles should use short retention. Long-lived distributables should be promoted through the
|
|
154
|
+
repository's release or package channel when that is the intended public artifact. Do not treat
|
|
155
|
+
cache quota as artifact storage or release assets as CI retention.
|
|
156
|
+
17. For native desktop matrices, avoid full bundles on every PR unless the repository explicitly
|
|
157
|
+
requires it. Prefer PR checks that prove frontend build plus native compile or type contracts on
|
|
158
|
+
the cheapest adequate runner, then run signed or full OS package matrices only on release tags,
|
|
159
|
+
release branches, or protected manual gates.
|
|
160
|
+
18. Check auth and permissions by execution context. Fork PRs, protected branches, environments,
|
|
138
161
|
OIDC identity, package publishing identity, cloud role, and repository token scopes can differ
|
|
139
162
|
across otherwise similar runs.
|
|
140
|
-
|
|
163
|
+
19. For deployment jobs, require rollout evidence, readiness, smoke checks, error and latency
|
|
141
164
|
thresholds, and environment concurrency locks instead of treating a zero exit code as success.
|
|
142
|
-
|
|
165
|
+
20. Preserve evidence before cleanup. Do not delete runners, caches, artifacts, temporary dirs, or
|
|
143
166
|
diagnostic logs until the boundary and redaction plan are clear.
|
|
144
|
-
|
|
167
|
+
21. Apply the smallest localized fix and verify with the narrowest configured intent that covers the
|
|
145
168
|
changed workflow, package, docs, template, or test surface.
|
|
146
169
|
|
|
147
170
|
<!-- mustflow-section: postconditions -->
|
|
148
171
|
## Postconditions
|
|
149
172
|
|
|
150
|
-
- The pipeline failure is localized to trigger, runner, environment, build, test, artifact,
|
|
151
|
-
verification, or a named evidence gap.
|
|
173
|
+
- The pipeline failure is localized to trigger, runner, environment, build, test, artifact, billing
|
|
174
|
+
or storage quota, deploy, verification, or a named evidence gap.
|
|
152
175
|
- Last-good versus first-failure comparison, run identity, false-green risk, cache and artifact
|
|
153
176
|
behavior, permission scope, and rerun determinism are explicit where relevant.
|
|
154
177
|
- Follow-up deployment, test performance, security, command-contract, or package-release work is
|
|
@@ -178,6 +201,9 @@ CI reruns, deploys, cloud shell commands, or provider dashboard writes outside t
|
|
|
178
201
|
|
|
179
202
|
- If run identity, last-good comparison, trigger graph, runner, cache, artifact, or permission
|
|
180
203
|
evidence is missing, report the missing field instead of guessing.
|
|
204
|
+
- If CI pricing, included minutes, storage quotas, or runner rates are time-sensitive and not
|
|
205
|
+
locally available, avoid exact price claims and name the provider billing evidence that must be
|
|
206
|
+
checked.
|
|
181
207
|
- If debug logs contain secrets or private data, stop copying raw output and summarize safely.
|
|
182
208
|
- If CI evidence requires remote provider access that is unavailable or unconfigured, report the
|
|
183
209
|
manual evidence boundary and continue with local workflow or static evidence.
|
|
@@ -191,6 +217,8 @@ CI reruns, deploys, cloud shell commands, or provider dashboard writes outside t
|
|
|
191
217
|
- Failure shape and localized boundary
|
|
192
218
|
- Run identity and last-good comparison
|
|
193
219
|
- Trigger, runner, environment, build, test, cache, artifact, deploy, and verification findings
|
|
220
|
+
- Billing unit, runner-minute, matrix rounding, artifact retention, cache quota, and release asset
|
|
221
|
+
findings when cost is in scope
|
|
194
222
|
- Hypotheses killed, still open, and selected follow-up boundary
|
|
195
223
|
- Fix applied or recommended
|
|
196
224
|
- Evidence level: provider run evidence, configured-test evidence, static review risk, manual-only,
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.cloud-cost-guardrail-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: cloud-cost-guardrail-review
|
|
@@ -65,6 +65,9 @@ lifecycle cleanup, and service-specific caps before the bill becomes the first a
|
|
|
65
65
|
narrower security skill first, then use this skill for spend blast radius.
|
|
66
66
|
- The task only changes local development code with no cloud, provider, telemetry, storage,
|
|
67
67
|
network, external API, or deployable infrastructure surface.
|
|
68
|
+
- The task is primarily CI runner minutes, workflow matrix cost, Actions artifact retention,
|
|
69
|
+
build-cache quota, release asset handoff, or CI job billing; use `ci-pipeline-triage` first, then
|
|
70
|
+
return here only when broader cloud, SaaS, or provider spend guardrails remain.
|
|
68
71
|
|
|
69
72
|
<!-- mustflow-section: required-inputs -->
|
|
70
73
|
## Required Inputs
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.tauri-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 4
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: tauri-code-change
|
|
9
|
-
description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar,
|
|
9
|
+
description: Apply this skill when Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, mobile native permissions, Tauri bundling targets, release package formats, or native desktop CI build matrices are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -38,6 +38,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
38
38
|
- `src-tauri`, `tauri.conf.*`, `Cargo.toml`, `#[tauri::command]`, `invoke`, Tauri JavaScript APIs, plugin config, capabilities, permissions, scopes, CSP, WebView bootstrap HTML, fs, dialog, shell, opener, updater, sidecar, mobile manifests, or native permissions change.
|
|
39
39
|
- A frontend button, menu, or workflow calls native resources through Tauri.
|
|
40
40
|
- A packaged Tauri app shows a blank or black WebView after release and browser console or built HTML may point to Content Security Policy blocking the frontend bootstrap.
|
|
41
|
+
- Tauri release packaging, `bundle.targets`, platform target triples, updater artifacts, signing,
|
|
42
|
+
or CI matrix behavior changes.
|
|
41
43
|
|
|
42
44
|
<!-- mustflow-section: do-not-use-when -->
|
|
43
45
|
## Do Not Use When
|
|
@@ -49,6 +51,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
49
51
|
## Required Inputs
|
|
50
52
|
|
|
51
53
|
- Frontend package metadata, static build output or generated entry HTML, Tauri config, Rust manifests, main/lib command modules, command registration, capability and permission files, plugin config, updater config, sidecar config, mobile permissions, and tests.
|
|
54
|
+
- Build and release evidence when packaging is in scope: CI workflow or task definitions, runner
|
|
55
|
+
OS matrix, package formats, `bundle.targets`, Rust and frontend cache strategy, signing or
|
|
56
|
+
notarization gates, updater artifacts, artifact retention, and release asset upload path.
|
|
52
57
|
- Map of frontend calls to Rust commands or plugin APIs, permission scopes, exact window labels, exact webview labels, CSP directives, remote origins, WebView custom protocols or IPC origins, and actual OS resources.
|
|
53
58
|
- Permission diff: previous permissions, new permissions, newly reachable windows/webviews, new scopes, and native operations enabled.
|
|
54
59
|
- Configured verification intents.
|
|
@@ -69,6 +74,8 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
69
74
|
- Prefer app-owned directories and stable app IDs over broad filesystem paths.
|
|
70
75
|
- Keep shell, opener, sidecar, and updater behavior narrowly scoped.
|
|
71
76
|
- Prefer Rust commands that map small enums or ids to fixed native operations over exposing broad plugin APIs directly to the frontend.
|
|
77
|
+
- Keep package target lists explicit. Do not rely on broad "all targets" behavior when the product
|
|
78
|
+
only ships a small set of installers or archives.
|
|
72
79
|
|
|
73
80
|
<!-- mustflow-section: procedure -->
|
|
74
81
|
## Procedure
|
|
@@ -81,7 +88,9 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
81
88
|
6. Apply the CSP and WebView bootstrap policy below before tightening `script-src`, `connect-src`, `style-src`, `worker-src`, `img-src`, `font-src`, or remote-origin policy.
|
|
82
89
|
7. Apply the command input policy below before adding or changing `#[tauri::command]` handlers or `invoke` wrappers.
|
|
83
90
|
8. Apply the filesystem, dialog, shell, opener, updater, and sidecar policies below when those plugins or native operations are touched.
|
|
84
|
-
9.
|
|
91
|
+
9. Apply the build and release matrix policy below when `tauri.conf.*`, release scripts, CI
|
|
92
|
+
workflows, updater artifacts, signing, or bundle targets change.
|
|
93
|
+
10. Choose configured verification intents that cover Rust, frontend, Tauri build, permission/capability drift, CSP behavior, and security-sensitive behavior when available.
|
|
85
94
|
|
|
86
95
|
## Capability And Permission Policy
|
|
87
96
|
|
|
@@ -138,6 +147,28 @@ Treat the WebView as low trust and the Rust/native side as high authority. Front
|
|
|
138
147
|
- Frontend update input may select only a closed channel enum when needed. Rust or static config must map that enum to hard-coded HTTPS endpoints and configured public keys.
|
|
139
148
|
- Do not enable insecure updater transport in production unless the user explicitly accepts the supply-chain boundary change and the repository records why.
|
|
140
149
|
|
|
150
|
+
## Build And Release Matrix Policy
|
|
151
|
+
|
|
152
|
+
- Treat Tauri release builds as Rust release builds plus frontend build plus bundling. Cold Cargo
|
|
153
|
+
builds can dominate CI time, so check Rust cache, Node or package-manager cache, lockfile keys,
|
|
154
|
+
and target-specific cache dimensions before blaming frontend code.
|
|
155
|
+
- Do not run full native bundles for every pull request by default. Prefer PR checks that prove the
|
|
156
|
+
frontend build, Rust compile or checks, command contracts, and permission files on the cheapest
|
|
157
|
+
adequate runner. Reserve full Windows, Linux, macOS, signing, notarization, updater, and installer
|
|
158
|
+
matrices for release tags, release branches, or protected manual gates unless the repository
|
|
159
|
+
explicitly requires more.
|
|
160
|
+
- Keep `bundle.targets` or equivalent packaging configuration to the formats actually shipped. Do
|
|
161
|
+
not leave broad all-format packaging enabled when the release only needs, for example, one Windows
|
|
162
|
+
installer, one macOS disk image or app bundle, and one Linux package format.
|
|
163
|
+
- For macOS distribution, prefer one deliberate universal or architecture-specific strategy rather
|
|
164
|
+
than accidental duplicate jobs. Name signing and notarization boundaries separately from compile
|
|
165
|
+
time.
|
|
166
|
+
- Keep test artifacts short-lived and promote durable distributables through the release or package
|
|
167
|
+
channel. Do not use long-retention CI artifacts as the canonical release surface.
|
|
168
|
+
- If a cost comparison between Tauri and another desktop stack is requested, route the CI billing,
|
|
169
|
+
runner-minute, artifact-storage, and matrix-shape analysis through `ci-pipeline-triage`; use this
|
|
170
|
+
skill for Tauri-specific bundle targets, Cargo cache, updater, signing, and packaging behavior.
|
|
171
|
+
|
|
141
172
|
## Review Rejection Criteria
|
|
142
173
|
|
|
143
174
|
Reject or revise a change when:
|
|
@@ -163,6 +194,8 @@ Reject or revise a change when:
|
|
|
163
194
|
- Permission and capability changes have a clear diff and native-operation justification.
|
|
164
195
|
- CSP changes have been checked against the generated frontend entry HTML and required Tauri IPC or custom protocol origins.
|
|
165
196
|
- Missing Tauri-specific verification is reported.
|
|
197
|
+
- Tauri package targets, release matrix, cache strategy, and artifact retention are explicit when
|
|
198
|
+
packaging is touched.
|
|
166
199
|
|
|
167
200
|
<!-- mustflow-section: verification -->
|
|
168
201
|
## Verification
|
|
@@ -188,6 +221,9 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
|
|
|
188
221
|
- If a CSP change breaks packaged app startup, inspect generated HTML and console CSP violations before widening policy; prefer nonce, hash, or externalized bootstrap before accepting `unsafe-inline`.
|
|
189
222
|
- If a command accepts broad input, replace it with a typed request and Rust-side validation before exposing it to the frontend.
|
|
190
223
|
- If updater, shell, opener, sidecar, or filesystem access cannot be narrowed, report the security boundary change instead of hiding it as a normal feature fix.
|
|
224
|
+
- If packaging cost or duration grows unexpectedly, check `bundle.targets`, release-only matrix
|
|
225
|
+
gating, Rust cache, frontend cache, macOS job count, signing and notarization split, and artifact
|
|
226
|
+
retention before changing unrelated app code.
|
|
191
227
|
|
|
192
228
|
<!-- mustflow-section: output-format -->
|
|
193
229
|
## Output Format
|
|
@@ -196,6 +232,8 @@ Report missing native build, packaged WebView smoke, CSP violation, permission d
|
|
|
196
232
|
- IPC, command input, CSP, permission, capability, window/webview, and scope notes
|
|
197
233
|
- Permission diff: old permissions, new permissions, newly reachable windows/webviews, new scopes, and native operation justification
|
|
198
234
|
- Filesystem, dialog, shell, opener, updater, sidecar, or mobile risk
|
|
235
|
+
- Build matrix, bundle target, signing or notarization, cache, artifact retention, and release asset
|
|
236
|
+
notes when packaging is touched
|
|
199
237
|
- Files changed
|
|
200
238
|
- Command intents run
|
|
201
239
|
- Skipped checks and reasons
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.wails-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: wails-code-change
|
|
9
|
-
description: Apply this skill when Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded.
|
|
9
|
+
description: Apply this skill when Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, platform targets, native desktop CI build matrices, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -38,6 +38,8 @@ Treat Wails as a native shell around OS WebViews plus a Go-to-frontend bridge. D
|
|
|
38
38
|
- `wails.json`, `build/config.yml`, `Taskfile.yml`, `go.mod`, Wails Go APIs, `application.New`, services, generated bindings, `@wailsio/runtime`, frontend calls to Go methods, events, raw messages, windows, menus, system tray, dialogs, browser, clipboard, autostart, notifications, file associations, custom protocols, single-instance handling, signing, packaging, server builds, or Wails tests change.
|
|
39
39
|
- A task touches Wails v2-to-v3 migration, Electron-to-Wails migration, multi-window design, bridge payloads, binding generation, platform WebView behavior, OS integration, or cross-platform packaging.
|
|
40
40
|
- The task writes durable guidance about Wails version status, Wails CLI or runtime versions, WebView2, WKWebView, WebKitGTK, GTK build tags, Taskfile behavior, or platform packaging.
|
|
41
|
+
- Wails release packaging, `Taskfile.yml`, `build/config.yml`, `wails build` flags, platform
|
|
42
|
+
targets, installer formats, signing, or CI matrix behavior changes.
|
|
41
43
|
|
|
42
44
|
<!-- mustflow-section: do-not-use-when -->
|
|
43
45
|
## Do Not Use When
|
|
@@ -54,6 +56,9 @@ Treat Wails as a native shell around OS WebViews plus a Go-to-frontend bridge. D
|
|
|
54
56
|
- Map of frontend calls to Go services: generated function, Go method, request DTO, response DTO, error contract, concurrency owner, cancellation path, and security or permission boundary.
|
|
55
57
|
- Window and native integration ledger: window name or id, owner, lifecycle, hide versus close policy, event subscriptions, runtime-ready handshake, menu projection, tray behavior, dialog decision flow, file association, custom protocol, and single-instance policy.
|
|
56
58
|
- Platform ledger: Windows WebView2 runtime and user-data folder assumptions, macOS WKWebView and signing or notarization expectations, Linux GTK/WebKitGTK target, build tags, package format, and unsupported or legacy distribution targets.
|
|
59
|
+
- Build and release ledger when packaging is in scope: Taskfile targets, build config, Wails CLI
|
|
60
|
+
flags, runner OS matrix, package formats, frontend and Go cache strategy, signing or
|
|
61
|
+
notarization gates, artifact retention, and release asset upload path.
|
|
57
62
|
- Official or repository-local source evidence before preserving exact Wails status, alpha, release, CLI, runtime, package, platform dependency, or OS-support claims.
|
|
58
63
|
- Configured verification intents.
|
|
59
64
|
|
|
@@ -72,6 +77,8 @@ Treat Wails as a native shell around OS WebViews plus a Go-to-frontend bridge. D
|
|
|
72
77
|
- Keep Go services as app capability boundaries with typed DTOs, validation, thread-safe state, and explicit errors.
|
|
73
78
|
- Keep frontend calls thin around generated bindings and runtime event subscriptions with cleanup.
|
|
74
79
|
- Keep build and package changes in declared Wails config, Taskfile, Go module, frontend package, signing, installer, and docs surfaces.
|
|
80
|
+
- Keep platform and package targets explicit. Do not build every OS, architecture, or installer on
|
|
81
|
+
every PR unless the repository has a clear compatibility contract requiring it.
|
|
75
82
|
- Do not expose debug, destructive, secret, filesystem, shell, updater, protocol, or raw-message behavior through exported Go methods without an explicit product and security boundary.
|
|
76
83
|
|
|
77
84
|
<!-- mustflow-section: procedure -->
|
|
@@ -130,8 +137,24 @@ Treat Wails as a native shell around OS WebViews plus a Go-to-frontend bridge. D
|
|
|
130
137
|
- Wails v3 build and package behavior is Taskfile and build-config oriented;
|
|
131
138
|
- do not assume one host can produce all signed distributable artifacts without platform-specific runners or signing steps;
|
|
132
139
|
- keep WebView runtime strategy, installer format, macOS notarization, Linux distribution matrix, custom protocol registration, and file association registration explicit.
|
|
133
|
-
16.
|
|
134
|
-
|
|
140
|
+
16. Keep CI release matrices narrow and deliberate:
|
|
141
|
+
- Wails builds are usually Go compile plus frontend build plus packaging, but signing,
|
|
142
|
+
notarization, WebView runtime checks, and Linux package dependencies can still dominate;
|
|
143
|
+
- prefer PR checks that prove frontend build, Go compile or tests, generated bindings, and
|
|
144
|
+
bridge contracts on the cheapest adequate runner;
|
|
145
|
+
- reserve full Windows, Linux, macOS, installer, signing, notarization, and cross-architecture
|
|
146
|
+
matrices for release tags, release branches, or protected manual gates unless the repository
|
|
147
|
+
explicitly requires every PR to produce distributables;
|
|
148
|
+
- use platform target and packaging flags such as no-package, installer-only, or universal
|
|
149
|
+
macOS behavior intentionally, according to the repository's Wails version and Taskfile style;
|
|
150
|
+
- keep test artifacts short-lived and promote durable distributables through the release or
|
|
151
|
+
package channel.
|
|
152
|
+
17. When a cost comparison between Wails and another desktop stack is requested, route the CI
|
|
153
|
+
billing, runner-minute, artifact-storage, and matrix-shape analysis through
|
|
154
|
+
`ci-pipeline-triage`; use this skill for Wails-specific Taskfile, build config, Go/frontend
|
|
155
|
+
cache, platform dependency, signing, and packaging behavior.
|
|
156
|
+
18. When migration is involved, reject search-and-replace migrations. Rebuild the app assembly around application, services, windows, managers, lifecycle, generated bindings, events, and build tasks.
|
|
157
|
+
19. Choose configured verification intents that cover Go code, frontend typecheck, generated bindings, package build, Wails build, platform package smoke, and docs. If those intents are missing, report the exact missing coverage.
|
|
135
158
|
|
|
136
159
|
<!-- mustflow-section: hard-bans -->
|
|
137
160
|
## Hard Bans
|
|
@@ -152,6 +175,8 @@ Treat Wails as a native shell around OS WebViews plus a Go-to-frontend bridge. D
|
|
|
152
175
|
- Go service methods, DTOs, errors, shared state, and concurrency ownership are clear.
|
|
153
176
|
- Window lifecycle, event subscriptions, menu/tray/dialog/native integration, and runtime-ready behavior are explicit.
|
|
154
177
|
- Platform WebView and packaging assumptions are recorded when touched.
|
|
178
|
+
- Wails package targets, release matrix, cache strategy, and artifact retention are explicit when
|
|
179
|
+
packaging is touched.
|
|
155
180
|
- Missing Wails-specific verification is reported rather than hidden behind generic Go or frontend checks.
|
|
156
181
|
|
|
157
182
|
<!-- mustflow-section: verification -->
|
|
@@ -176,6 +201,9 @@ Report missing Wails-specific intents when relevant: generated binding check, fr
|
|
|
176
201
|
- If bridge calls race or return stale results, add request sequencing, cancellation, job ownership, or synchronized Go state before adding frontend retries.
|
|
177
202
|
- If a large payload stalls, move the payload to pagination, chunks, file handles, or pull-after-notification events.
|
|
178
203
|
- If a tray, menu, dialog, file association, protocol, or packaging behavior differs by OS, document and test the platform-specific path instead of forcing a fake cross-platform abstraction.
|
|
204
|
+
- If packaging cost or duration grows unexpectedly, check Taskfile targets, build config, package
|
|
205
|
+
flags, release-only matrix gating, Go cache, frontend cache, macOS job count, signing and
|
|
206
|
+
notarization split, and artifact retention before changing unrelated app code.
|
|
179
207
|
- If exact Wails version or platform support claims cannot be refreshed from official sources, keep the skill behavior version-agnostic and report the unverified source boundary.
|
|
180
208
|
|
|
181
209
|
<!-- mustflow-section: output-format -->
|
|
@@ -184,6 +212,8 @@ Report missing Wails-specific intents when relevant: generated binding check, fr
|
|
|
184
212
|
- Boundary checked
|
|
185
213
|
- Wails version, app assembly, service, bridge, binding, window, event, menu, tray, dialog, and OS integration notes
|
|
186
214
|
- WebView platform and packaging notes when touched
|
|
215
|
+
- Build matrix, platform target, signing or notarization, cache, artifact retention, and release
|
|
216
|
+
asset notes when packaging is touched
|
|
187
217
|
- Files changed
|
|
188
218
|
- Command intents run
|
|
189
219
|
- Skipped checks and reasons
|