mustflow 2.108.0 → 2.108.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/api/serve.js +73 -10
- package/dist/cli/commands/script-pack.js +3 -0
- package/dist/cli/i18n/en.js +37 -0
- package/dist/cli/i18n/es.js +37 -0
- package/dist/cli/i18n/fr.js +37 -0
- package/dist/cli/i18n/hi.js +37 -0
- package/dist/cli/i18n/ko.js +37 -0
- package/dist/cli/i18n/zh.js +37 -0
- package/dist/cli/lib/command-registry.js +3 -0
- package/dist/cli/lib/script-pack-registry.js +84 -0
- package/dist/cli/script-packs/repo-automation-surface.js +88 -0
- package/dist/cli/script-packs/repo-dependency-surface.js +87 -0
- package/dist/cli/script-packs/repo-toolchain-provenance.js +90 -0
- package/dist/core/public-json-contracts.js +27 -0
- package/dist/core/repo-automation-surface.js +376 -0
- package/dist/core/repo-dependency-surface.js +282 -0
- package/dist/core/repo-toolchain-provenance.js +421 -0
- package/dist/core/run-receipt-state.js +23 -2
- package/dist/core/script-pack-suggestions.js +33 -1
- package/dist/core/secret-redaction.js +6 -1
- package/package.json +1 -1
- package/schemas/README.md +10 -0
- package/schemas/api-serve-response.schema.json +1 -0
- package/schemas/repo-automation-surface-report.schema.json +148 -0
- package/schemas/repo-dependency-surface-report.schema.json +121 -0
- package/schemas/repo-toolchain-provenance-report.schema.json +124 -0
- package/templates/default/i18n.toml +9 -9
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +17 -14
- package/templates/default/locales/en/.mustflow/skills/ci-pipeline-triage/SKILL.md +39 -11
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +4 -1
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +56 -17
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +86 -27
- package/templates/default/locales/en/.mustflow/skills/routes.toml +4 -4
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +51 -32
- package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +41 -3
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +47 -29
- package/templates/default/locales/en/.mustflow/skills/wails-code-change/SKILL.md +34 -4
- package/templates/default/manifest.toml +1 -1
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skills.index
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 211
|
|
6
6
|
authority: router
|
|
7
7
|
lifecycle: mustflow-owned
|
|
8
8
|
---
|
|
@@ -180,8 +180,9 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
180
180
|
registry, or runtime failure is not yet localized to host, daemon, image, app, network, storage,
|
|
181
181
|
resource, or registry boundaries.
|
|
182
182
|
- Use `ci-pipeline-triage` as a primary route when CI/CD workflow, pipeline, job, runner, trigger,
|
|
183
|
-
cache, artifact,
|
|
184
|
-
|
|
183
|
+
cache, artifact, runner-minute billing, artifact storage or retention, deployment job, required
|
|
184
|
+
check, or post-deploy verification failure or cost is not yet localized to trigger, runner,
|
|
185
|
+
environment, build, test, cache, artifact, billing, deploy, or verification.
|
|
185
186
|
- Use `web-render-performance-review` as an adjunct when web frontend routes need first-render,
|
|
186
187
|
Core Web Vitals, LCP, CLS, FCP, TTFB, critical CSS, font, image, iframe, third-party script,
|
|
187
188
|
hydration, first-view data, resource-hint, CDN/cache, route-prefetch, or long-task review.
|
|
@@ -286,8 +287,9 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
286
287
|
changed, reviewed, or upgraded.
|
|
287
288
|
- Use `wails-code-change` as a primary route when Wails v3 apps, Go services, generated bindings,
|
|
288
289
|
TypeScript runtime calls, windows, menus, system tray, dialogs, events, WebView platform
|
|
289
|
-
behavior, Taskfile or build config, signing, packaging,
|
|
290
|
-
server builds, or Wails-related tests are created,
|
|
290
|
+
behavior, Taskfile or build config, signing, packaging, platform targets, native desktop CI build
|
|
291
|
+
matrices, custom protocols, file associations, server builds, or Wails-related tests are created,
|
|
292
|
+
changed, reviewed, or upgraded.
|
|
291
293
|
- Use `axum-code-change` as a primary route when Axum routers, handlers, extractors, state,
|
|
292
294
|
extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, Tokio tasks or locks,
|
|
293
295
|
SQLx pools, rejections, error responses, body limits, WebSockets, or Rust HTTP API tests are
|
|
@@ -370,7 +372,8 @@ refer to `AGENTS.md` and `.mustflow/config/commands.toml` to implement the most
|
|
|
370
372
|
egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources,
|
|
371
373
|
container registries, Marketplace, LLM API, or third-party SaaS usage needs review for whether
|
|
372
374
|
spend can silently explode without account isolation, caps, lifecycle, retention, attribution,
|
|
373
|
-
or automated non-production stop guardrails.
|
|
375
|
+
or automated non-production stop guardrails. For CI runner-minute, workflow matrix, artifact
|
|
376
|
+
retention, cache quota, or release-asset handoff cost, use `ci-pipeline-triage` first.
|
|
374
377
|
- Use `rate-limit-integrity-review` as an adjunct when rate limits, throttling, quotas, API usage
|
|
375
378
|
limits, request costs, token buckets, fixed or sliding windows, GCRA, Redis counters, edge,
|
|
376
379
|
gateway, service, tenant, user, API key, route-group, IP, 429, `Retry-After`, `RateLimit`,
|
|
@@ -495,7 +498,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
495
498
|
| Reported API, SDK, browser, mobile, webhook, gateway, CDN, load balancer, provider, wrong-status, wrong-body, CORS preflight, auth, rate-limit, cache, OpenAPI, or deployment-config failure is not yet localized to the client, network, proxy, app, database, cache, provider, or deployment boundary | `.mustflow/skills/api-failure-triage/SKILL.md` | Failing request packet, success comparator, boundary ledger, timing ledger, contract ledger, auth ledger, change ledger, redaction constraints, and configured command intents | Request/response evidence preservation, success/failure wire comparison, boundary localization, timing decomposition, status/body/content-type mapping, CORS/preflight split, redirect and proxy header checks, authn/authz split, retry/timeout/rate-limit/idempotency classification, cache and OpenAPI drift checks, focused reproduction fixtures, and directly synchronized docs or templates | log-first debugging, SDK argument theater, missing failing packet, success-only comparison, CORS blamed for server-to-server calls, redirect losing auth or method, proxy stripping idempotency or trace headers, `200` error body, HTML body with JSON content type, authn/authz collapse, object-auth incident missed, clock-skew flake, retry storm, non-idempotent replay, 429 hidden as 500, stale CDN or browser cache, OpenAPI drift, deployment config drift, or unfalsifiable log reading | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | API failure triaged, request packet and comparator, boundary and timing ledger, localized cause or evidence gap, hypotheses killed or open, fix or recommendation, evidence level, verification, and remaining API-failure risk |
|
|
496
499
|
| Login, signup, logout, refresh, password reset, magic link, passkey, MFA, OAuth, OIDC, JWT, cookie, session, token exchange, provider callback, account-linking, or authorization-after-login behavior is failing or intermittent before the failing identity boundary is known | `.mustflow/skills/auth-flow-triage/SKILL.md` | Auth attempt packet, stage ledger, token and session ledger, browser and proxy ledger, provider ledger, denial and privacy ledger, redaction constraints, and configured command intents | Auth stage localization, sanitized success/failure comparison, cookie and CORS credential checks, proxy trust and redirect URI checks, state, nonce, PKCE, issuer and subject checks, token and JWKS validation, session refresh and logout checks, passkey and MFA checks, account-linking checks, focused denial tests, and directly synchronized docs or templates | login-as-one-bucket debugging, token or cookie logging, account enumeration, loose redirect matching, state or nonce bypass, PKCE mismatch hidden, issuer plus subject ignored, SameSite or Secure drift, forwarded-header trust bug, refresh-token race, session fixation, email-only account linking, stale token claims, clock-skew flake, broad CORS wildcard, or unverified provider-console assumption | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Auth flow triaged, failing stage and comparator, cookie/proxy/provider/token/session/passkey/MFA findings, fix or recommendation, evidence level, verification, and remaining auth-flow risk |
|
|
497
500
|
| Docker Engine, Docker Desktop, daemon, context, Compose, container start, crash loop, health check, image pull, build cache, port mapping, DNS, network, volume, bind mount, storage, proxy, registry, cgroup, OOM, signal handling, PID 1, or runtime behavior is failing before the failing container boundary is known | `.mustflow/skills/docker-runtime-triage/SKILL.md` | Runtime packet, container ledger, actual config ledger, host resource ledger, network ledger, storage ledger, evidence-preservation constraints, and configured command intents | Host, daemon, context, image, container, Compose, process, resource, storage, network, proxy, registry, and build boundary localization; evidence preservation before cleanup; focused Dockerfile, Compose, health, entrypoint, network, volume, resource, docs, fixture, or test edits only after localization | prune-before-evidence, restart loop hiding first error, app blame before daemon proof, logs-only diagnosis, exit code 137 treated as automatic OOM, PID 1 signal loss, container localhost confusion, bind mount hiding image files, Compose variable drift, tag identity confusion, stale build cache, broad firewall reset, volume deletion, or unbounded raw Docker command | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker runtime triaged, boundary findings, evidence preserved and missing, fix or recommendation, evidence level, verification, and remaining Docker runtime risk |
|
|
498
|
-
| CI/CD workflow, pipeline, job, matrix, trigger, required check, runner, cache, artifact, deployment step, or post-deploy verification is failing, skipped, queued, flaky, slow, or green despite broken output before the failing pipeline boundary is known | `.mustflow/skills/ci-pipeline-triage/SKILL.md` | Failure classification, run identity ledger, last-good comparison, boundary ledger, redaction constraints, and configured command intents | Trigger, parsed graph, queue, runner, environment, dependency, build, test, cache, artifact, deploy, smoke, and final status localization; false-green checks; safe diagnostic evidence; focused workflow, package, docs, fixture, or test edits only after localization | last-red-line debugging, latest-code comparison, rerun-green treated as fixed, skipped required check, path-filter pending state, hidden `continue-on-error`, queue time mistaken for build time, floating `latest`, secret logging, sleep-based service readiness, cache-as-artifact confusion, deploying untested rebuilt artifacts, fork token scope surprise, unguarded environment concurrency, or zero-exit deploy without smoke evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | CI pipeline triaged, failure shape and localized boundary, run identity and last-good comparison, trigger/runner/environment/build/test/cache/artifact/deploy/verification findings, verification, and remaining CI pipeline risk |
|
|
501
|
+
| CI/CD workflow, pipeline, job, matrix, trigger, required check, runner, cache, artifact, runner-minute billing, artifact storage or retention, deployment step, or post-deploy verification is failing, skipped, queued, flaky, slow, unexpectedly expensive, or green despite broken output before the failing or expensive pipeline boundary is known | `.mustflow/skills/ci-pipeline-triage/SKILL.md` | Failure classification, run identity ledger, last-good comparison, CI billing ledger when cost is in scope, boundary ledger, redaction constraints, and configured command intents | Trigger, parsed graph, queue, runner, environment, dependency, build, test, cache, artifact, billing, deploy, smoke, and final status localization; false-green checks; runner-minute and storage-quota separation; safe diagnostic evidence; focused workflow, package, docs, fixture, or test edits only after localization | last-red-line debugging, latest-code comparison, rerun-green treated as fixed, skipped required check, path-filter pending state, hidden `continue-on-error`, queue time mistaken for build time, runner-minute billing mistaken for artifact storage, plan allowance unit confusion, matrix split rounding loss, premium runner surprise, floating `latest`, secret logging, sleep-based service readiness, cache-as-artifact confusion, deploying untested rebuilt artifacts, fork token scope surprise, unguarded environment concurrency, or zero-exit deploy without smoke evidence | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | CI pipeline triaged, failure or cost shape and localized boundary, run identity and last-good comparison, trigger/runner/environment/build/test/cache/artifact/billing/deploy/verification findings, verification, and remaining CI pipeline risk |
|
|
499
502
|
|
|
500
503
|
### General Code Change
|
|
501
504
|
|
|
@@ -538,7 +541,7 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
538
541
|
| Code review or implementation needs observability-debuggability triage for logs, metrics, traces, spans, structured events, telemetry context, collectors, exporters, telemetry queues, dashboards, alerts, runbooks, sampling, redaction, dependency calls, queues, batch jobs, caches, pools, rate limits, feature flags, releases, migrations, or partial-success paths where operators need to narrow incidents quickly without high-cardinality metric explosions, missing denominator counters, lost trace context, silent telemetry loss, or sensitive telemetry leakage | `.mustflow/skills/observability-debuggability-review/SKILL.md` | Incident question, signal inventory, request or job identity, metric model, trace and event model, log model, operational domain, telemetry pipeline evidence, privacy and retention constraints, verification evidence, and configured command intents | Structured event names, safe reason codes, total and failure counters, latency distributions, low-cardinality labels, trace and span context, dependency and operation names, async propagation, per-attempt telemetry, queue or batch lag signals, pool saturation metrics, release and feature attribution, telemetry self-metrics, signal pipeline survival checks, redaction, focused tests, and directly synchronized docs or templates | success-only log, no denominator, average-only latency, mixed success and error latency, raw URL label, raw user label, raw SQL telemetry, high-cardinality metric label, missing trace or span id, broken async trace propagation, attempt and operation collapse, generic timeout bucket, missing dependency name, missing idempotency or message evidence, missing queue age, missing batch last-success timestamp, missing pool saturation, missing release attribution, decorative metric, alert without action, dropped telemetry invisible, read-path visibility blind spot, sampling drops errors, unsafe baggage, or sink-side-only masking | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Observability boundary reviewed, incident question and signal ledger, metric/trace/log/pipeline/cardinality/privacy findings, evidence level, verification, and remaining observability-debuggability risk |
|
|
539
542
|
| Code review, runbook work, or incident report needs incident-triage review for outages, degradations, timeout spikes, p95 or p99 latency spikes, queue backlog, pool saturation, CPU-idle slowness, memory pressure, OOM, disk or inode pressure, DNS or network failure, load balancer 5xx, Kubernetes node or pod issues, deployment regression, cache stampede, cron or batch spikes, Redis slowdown, DB lock waits, connection leaks, ephemeral-port exhaustion, conntrack saturation, or log floods where operators need to narrow the first bad time, affected slice, recent change, wait class, dependency, and manual-only diagnostics before reading every log | `.mustflow/skills/incident-triage-review/SKILL.md` | Incident frame, time evidence, scope axes, saturation and wait evidence, dependency evidence, change evidence, safety constraints, repository runbook or telemetry evidence, and configured command intents | Runbook steps, alert metadata, incident evidence checklists, telemetry contract notes, dashboard descriptions, test fixtures, docs, and directly synchronized templates that preserve first-bad-time, scope split, change ledger, wait classification, dependency split, success-versus-failure comparison, and manual-only diagnostic boundaries | average-only latency, all-logs-first triage, deployment dismissal, success-only comparison, proxy/app 5xx mixing, app-log-only OOM review, CPU-idle slowness ambiguity, DB-index reflex, pool-wait blindness, queue-lag understatement, cache-hit-rate overtrust, ping-only network checks, pod-only Kubernetes review, disk-capacity-only checks, log-volume blind spots, private incident-log capture, or raw live diagnostic commands treated as agent-authorized | `changes_status`, `changes_diff_summary`, `docs_validate_fast`, `test_release`, `mustflow_check` | Incident boundary reviewed, first bad time and affected scope, change/success-failure/latency/resource/wait/dependency evidence, elimination ledger, manual-only diagnostics, verification, and remaining incident-triage risk |
|
|
540
543
|
| Code review, implementation, runbook work, or release preparation needs deployment-rollout safety review for server, backend, worker, scheduler, queue, cron, container, VM, serverless, DB migration, config, feature flag, cache, deployment pipeline, release envelope, image digest, deployment history, traffic rollback, canary, rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior where the deploy must be rolled out, stopped, observed, and rolled back safely | `.mustflow/skills/deployment-rollout-safety-review/SKILL.md` | Deployment resource ledger, release envelope, artifact identity, environment promotion path, deployment model, compatibility matrix, config diff, migration order, rollback history, traffic rollback path, cache and message compatibility, probe model, shutdown and drain behavior, canary cohort, version-split telemetry, stop conditions, rollback limits, synthetic transactions, post-deploy metrics, and configured command intents | Runbooks, release checklists, pipeline metadata, smoke tests, probe tests, config validation, feature-flag defaults, cache-key versions, worker-drain handling, deployment attribution, rollback compatibility notes, focused tests, and directly synchronized templates | unknown blast radius, missing release id, mutable latest tag, tag without digest, per-environment rebuild drift, deleted rollout history, cold old version, traffic rollback tied to rebuild, code and migration lockstep, destructive rollback SQL overclaim, missing PITR practice, config in-place mutation, missing startup config validation, process-only health check, readiness/liveness/startup probe collapse, liveness restart loop, ungraceful shutdown, load balancer drain shorter than app shutdown, worker work loss, non-idempotent queue retry, N-1 message incompatibility, unknown event poison message, missing external compensation, API N-1 or N+1 break, missing kill switch, unsafe flag fallback, vague canary cohort, global-average canary metrics, no automatic stop condition, read-only smoke, log format alert breakage, blanket cache flush, scheduler duplicate execution, CRD or operator downgrade break, missing deployment lock, production command without dry-run, or code-only rollback overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Deployment rollout boundary reviewed, resource ledger and release envelope, artifact identity, config/migration/cache/queue/API/probe/shutdown/canary/rollback/observation findings, verification, and remaining deployment-rollout risk |
|
|
541
|
-
| Code review, implementation, runbook work, or infrastructure review needs cloud-cost-guardrail review for cloud accounts, projects, subscriptions, environments, Kubernetes namespaces, serverless, databases, object storage, block storage, snapshots, NAT, private endpoints, public IPs, egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources, container registries, Marketplace, LLM APIs, external APIs, or third-party SaaS where spend must be attributed, capped, lifecycle-managed, alerted, and safely stoppable before a silent bill explosion | `.mustflow/skills/cloud-cost-guardrail-review/SKILL.md` | Cost surface ledger, budget actual and forecast thresholds, automated non-production action path, account or project isolation, quota and cap model, tag taxonomy, temporary resource expiration, network cost model, telemetry cost model, storage lifecycle model, commitment baseline, Marketplace or LLM usage limits, and configured command intents | Cost guardrail docs, infrastructure policy files, review checklists, tag schemas, quota notes, budget-action runbooks, cleanup rules, retention defaults, autoscale caps, Kubernetes ResourceQuota and LimitRange notes, registry lifecycle policies, provider usage caps, focused tests, and directly synchronized templates | notification-only budget, imagined hard spending limit, mixed prod and dev account, over-wide service quota, missing owner tag, tag-key chaos, no expires_at, stopped VM with NAT or DB still running, unbounded autoscale, missing Kubernetes ResourceQuota, inflated requests growing nodes, cloud-native service through NAT, untracked egress, cross-AZ surprise, idle public IPv4, no CDN cache cost control, log ingest flood, infinite retention, high-cardinality metric label, unbounded flow or audit logs, object lifecycle missing, cold-storage minimum-duration trap, stale block volume type, snapshot landfill, sticky DB storage growth, unbounded registry images, premature commitment, stateful spot misuse, unmonitored Marketplace or LLM spend, or no safe cost stop runbook | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cloud cost boundary reviewed, cost surface ledger, budget and action model, isolation/quota/tag/autoscale/Kubernetes/network/telemetry/storage/registry/commitment/spot/Marketplace/LLM/SaaS guardrail findings, manual-only provider checks, verification, and remaining cloud-cost risk |
|
|
544
|
+
| Code review, implementation, runbook work, or infrastructure review needs cloud-cost-guardrail review for cloud accounts, projects, subscriptions, environments, Kubernetes namespaces, serverless, databases, object storage, block storage, snapshots, NAT, private endpoints, public IPs, egress, CDN, logs, metrics, traces, autoscaling, quotas, budgets, tags, temporary resources, container registries, Marketplace, LLM APIs, external APIs, or third-party SaaS where spend must be attributed, capped, lifecycle-managed, alerted, and safely stoppable before a silent bill explosion | `.mustflow/skills/cloud-cost-guardrail-review/SKILL.md` | Cost surface ledger, budget actual and forecast thresholds, automated non-production action path, account or project isolation, quota and cap model, tag taxonomy, temporary resource expiration, network cost model, telemetry cost model, storage lifecycle model, commitment baseline, Marketplace or LLM usage limits, and configured command intents | Cost guardrail docs, infrastructure policy files, review checklists, tag schemas, quota notes, budget-action runbooks, cleanup rules, retention defaults, autoscale caps, Kubernetes ResourceQuota and LimitRange notes, registry lifecycle policies, provider usage caps, focused tests, and directly synchronized templates. CI runner minutes, workflow matrix cost, artifact retention, cache quota, and release asset handoff route to `ci-pipeline-triage` first | notification-only budget, imagined hard spending limit, mixed prod and dev account, over-wide service quota, missing owner tag, tag-key chaos, no expires_at, stopped VM with NAT or DB still running, unbounded autoscale, missing Kubernetes ResourceQuota, inflated requests growing nodes, cloud-native service through NAT, untracked egress, cross-AZ surprise, idle public IPv4, no CDN cache cost control, log ingest flood, infinite retention, high-cardinality metric label, unbounded flow or audit logs, object lifecycle missing, cold-storage minimum-duration trap, stale block volume type, snapshot landfill, sticky DB storage growth, unbounded registry images, premature commitment, stateful spot misuse, unmonitored Marketplace or LLM spend, CI billing routed to broad cloud review before localizing workflow cost, or no safe cost stop runbook | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Cloud cost boundary reviewed, cost surface ledger, budget and action model, isolation/quota/tag/autoscale/Kubernetes/network/telemetry/storage/registry/commitment/spot/Marketplace/LLM/SaaS guardrail findings, manual-only provider checks, verification, and remaining cloud-cost risk |
|
|
542
545
|
| Code review or implementation needs rate-limit integrity triage for rate limits, throttling, quotas, API usage limits, request costs, token bucket, leaky bucket, fixed window, sliding window counter, sliding window log, GCRA, Redis counters, Lua or EVAL updates, CDN or WAF limits, gateway limits, service limits, tenant, user, API key, route group, IP, 429, `Retry-After`, `RateLimit`, shadow mode, operator reset, async enqueue, cached-hit counting, or concurrency-limit overlap that must protect a named resource without bypass, unfairness, counter drift, storage growth, retry storms, or misleading client hints | `.mustflow/skills/rate-limit-integrity-review/SKILL.md` | Protected resource ledger, cost-weighted request ledger, layer model, key model, algorithm and storage model, failure mode model, response contract, observability and operator evidence, and configured command intents | Protected-resource definitions, request cost weights, per-key policy, layered limit placement, route-template keys, atomic counter updates, TTLs, storage-time use, fail-open or fail-closed policy, blocked-decision cache, shadow mode, 429 response shape, observability fields, operator lookup or reset behavior, focused tests, and directly synchronized docs or templates | algorithm-first limiter, request-count-only quota, IP-only authenticated key, raw URL key explosion, missing identity-header policy, fixed-window boundary burst, costly sliding-window log on hot paths, non-atomic Redis read-modify-write, missing counter TTL, Redis Cluster hash-slot failure, app-server clock reset drift, process-local global quota, approximate edge limit treated as precise, hidden fail-open, free failed responses, rate versus concurrency confusion, unhelpful or leaky 429, synchronized retry wave, unsafe allow-decision cache, no shadow-mode ramp, missing policy id logs, raw Redis reset, unlimited async enqueue, cached CDN hit ambiguity, or rate limit treated as authorization or hard cost control | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Rate-limit policy boundary reviewed, protected resource and cost/layer/key/storage/fail-mode/response/operator model mapped, evidence level, verification, and remaining rate-limit-integrity risk |
|
|
543
546
|
| Code review or implementation needs idempotency-integrity triage for repeated requests, retries, duplicate POST/PATCH/DELETE calls, webhooks, provider callbacks, queue redelivery, scheduler or batch reruns, double clicks, app restarts, timeout recovery, external API callbacks, or duplicate business commands that can apply the same logical operation more than once | `.mustflow/skills/idempotency-integrity-review/SKILL.md` | Operation identity ledger, side-effect ledger, durable dedupe evidence, duplicate response policy, concurrency and recovery evidence, queue/webhook/scheduler/batch evidence, test evidence, and configured command intents | Durable idempotency records, request body hash checks, user and tenant binding, operation-type and target-resource binding, unique constraints, atomic insert-or-return behavior, state guards, affected-row checks, inbox and outbox records, applied-event ledgers, provider result lookup, response replay, processing lease recovery, focused duplicate tests, and directly synchronized docs or templates | POST-only assumption, idempotency key without durable storage, key not bound to payload or actor, memory-only or Redis-TTL-only dedupe, app-only `exists` then `insert`, missing unique index, duplicate success response drift, failed-attempt caching mistake, timeout treated as failure, external API before local operation record, provider idempotency used as internal proof, unconditional status update, duplicate increment, DELETE side-effect replay, GET hidden mutation, queue ack before durable commit, queue redelivery damage, webhook replay or stale event overwrite, scheduler rerun duplication, missing outbox or inbox, double compensation, stuck `PROCESSING`, lock-only proof, frontend-only debounce, or missing duplicate-path tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Idempotency boundary reviewed, logical operation and duplicate sources mapped, operation identity/payload/response/recovery evidence, durable dedupe and side-effect findings, tests or evidence level, verification, and remaining idempotency-integrity risk |
|
|
544
547
|
| Code review or implementation needs retry-policy integrity triage for retry loops, SDK retry configs, client middleware, `while true`, `for (;;)`, recursive retry, `maxAttempts`, `maxRetries`, `maxElapsedTime`, deadline, timeout, sleep, backoff, jitter, `Retry-After`, retry predicates, layered retries, circuit breakers, bulkheads, token buckets, queue redelivery, broker retry, cancellation-aware sleep, or retry observability that can amplify failures, duplicate side effects, hide permanent errors, exhaust pools, or overload dependencies | `.mustflow/skills/retry-policy-integrity-review/SKILL.md` | Retry surface, layered retry ledger, attempt budget, retry predicate, side-effect and idempotency ledger, backoff and jitter policy, overload and throttling evidence, observability and test evidence, and configured command intents | Bounded attempts, max elapsed time, per-attempt timeout, total deadline, cancellation propagation, retry predicates, exponential backoff with jitter, `Retry-After` parsing and clamping, idempotency key reuse, dependency-specific policy, retry wrapper diagnostics, per-attempt logs and metrics, focused retry tests, and directly synchronized docs or templates | retry amplification, infinite retry, capped backoff without stop condition, timeout gap for DNS, TLS, pool wait, streaming, or parsing, fixed-sleep herd behavior, broad catch-and-retry, permanent error retry, unknown-outcome replay, new idempotency key per attempt, key not bound to actor or payload, retry inside transaction or lock, pool starvation, unlimited parallel retry, stale per-key failure counter, global limiter unfairness, wrong circuit breaker or bulkhead order, wrapper losing cause/status/retry-after/request id, committed-response retry, non-replayable streaming body retry, app-plus-broker retry multiplication, cancellation-ignoring sleep, generic dependency policy, missing retry metrics, or happy-path-only retry tests | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Retry policy boundary reviewed, layer multiplication and attempt budget mapped, timeout/backoff/predicate/idempotency/throttling findings, evidence level, verification, and remaining retry-policy-integrity risk |
|
|
@@ -559,12 +562,12 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
559
562
|
| Node.js runtime code, package manager ownership, module format, package entry metadata, native dependencies, Node test runner behavior, TypeScript execution mode, or deployment runtime support is created or changed | `.mustflow/skills/node-code-change/SKILL.md` | Node version signals, package manager and lockfile owner, module/package metadata, TypeScript loader, test runner, native dependency, deployment target, and command contract entries | Node runtime code, package metadata, lockfiles, scripts, CI or Docker runtime declarations, test runner config, native dependency handling, docs examples, and directly synchronized package surfaces | newest-Node assumption, package manager drift, ESM/CJS break, blocked deep import, native dependency break, Node native TypeScript overclaim, test runner migration risk, deployment mismatch, or permission-model overclaim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Runtime and package manager decision, module/package entry notes, TypeScript/test runner notes, native/deployment risks, verification, and remaining Node.js risk |
|
|
560
563
|
| Bun runtime code, `Bun.serve`, Elysia-on-Bun server behavior, Bun package manager behavior, `bun.lock`, `bunfig.toml`, Bun test runner behavior, Bun bundling, Bun compile, Bun TypeScript execution, Docker deployment, or Bun-specific APIs are created or changed | `.mustflow/skills/bun-code-change/SKILL.md` | Bun role signals, `package.json`, Bun and non-Bun lockfiles, `bunfig.toml`, CI/Docker Bun setup, TypeScript config, Bun APIs, server timeout and WebSocket settings, compile target, native dependency signals, and command contract entries | Bun runtime code, server config, package manager metadata, lockfiles, `bunfig.toml`, scripts, tests, bundler or compile config, TypeScript/declaration pipeline, Docker/deploy config, package metadata, and directly synchronized docs | Bun role confusion, lockfile drift, trusted dependency overgrant, runtime/package-manager conflation, Bun TypeScript typecheck overclaim, Bun build declaration gap, server timeout or WebSocket backpressure gap, compile target break, Node compatibility break, shebang mismatch, Docker/PORT drift, observability loss, or native binary break | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Bun role classification, lockfile/trust notes, runtime/type/build/test/deploy notes, Node compatibility risks, verification, and remaining Bun risk |
|
|
561
564
|
| Dockerfiles, `.dockerignore`, Docker Compose files, BuildKit or buildx behavior, container image metadata, tags, entrypoints, health checks, Docker CI workflows, image security scanning, SBOM or provenance settings, registry publishing, or container runtime validation are created or changed | `.mustflow/skills/docker-code-change/SKILL.md` | Docker surfaces, project image shape, base image and platform signals, build context and cache signals, runtime contract, security and supply-chain contract, and command contract entries | Dockerfiles, `.dockerignore`, Compose files, container CI workflow snippets, image metadata, package tests, docs examples, template metadata, and directly synchronized skill routes | cache breakage, secret leak, root runtime, host access escape, dev dependency in final image, mutable tag drift, untrusted CI publish, missing SBOM/provenance, unverified runtime, or false production-readiness claim | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Docker surface classification, image/base/cache/stage decisions, secret/user/runtime/Compose/CI supply-chain notes, verification, and remaining Docker risk |
|
|
562
|
-
| TypeScript source, declarations, tsconfig, package exports, module resolution, public API, compiler-version behavior, TypeScript 6-to-7 migration surfaces, TypeScript 7 RC or nightly tooling, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, compiler track, package entry metadata, target runtime, changed files, declaration, TS6 API, TS7 RC, and optional TS7 nightly surfaces, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, compiler-track comparison notes, and directly synchronized docs | weakened type safety, module drift, public API drift, unverified declaration output, TypeScript 6 deprecation suppression, TS7 RC over-adoption, TS7 nightly over-adoption, or compiler API track drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, public API, compiler-version, RC, nightly, and API-track boundary checked, changes made, verification, and remaining TypeScript risk |
|
|
565
|
+
| TypeScript source, declarations, tsconfig, package exports, module resolution, project references, type-check performance, public API, compiler-version behavior, TypeScript 6-to-7 migration surfaces, TypeScript 7 RC or nightly tooling, runtime data validation, or TypeScript tests are created or changed | `.mustflow/skills/typescript-code-change/SKILL.md` | TypeScript config, compiler track, package entry metadata, target runtime, changed files, declaration, project references, package graph, TS6 API, TS7 RC, and optional TS7 nightly surfaces, and command contract entries | TypeScript source, declarations, compiler config, exports, tests, project-reference and type-graph notes, compiler-track comparison notes, and directly synchronized docs | weakened type safety, module drift, public API drift, DTO/domain drift, runtime validation gap, type-graph bloat, path alias boundary bypass, unverified declaration output, TypeScript 6 deprecation suppression, TS7 RC over-adoption, TS7 nightly over-adoption, or compiler API track drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, module, type, public API, project-reference, type-performance, compiler-version, RC, nightly, and API-track boundary checked, changes made, verification, and remaining TypeScript risk |
|
|
563
566
|
| JavaScript source, module format, package entry, browser or Node runtime, dependency usage, Promise handling, bundler config, or JavaScript tests are created or changed | `.mustflow/skills/javascript-code-change/SKILL.md` | Package metadata, module system, runtime target, entrypoints, changed files, and command contract entries | JavaScript source, package exports, bundler config, dependencies, tests, and docs examples | runtime API leakage, ESM/CJS drift, discarded Promise, dependency bloat, or broken package entry | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime and module boundary checked, async and dependency notes, verification, and remaining JavaScript risk |
|
|
564
|
-
| Python source, package metadata, runtime version, import layout, type checking, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, import layout, lint/type/test config, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, tests, and docs examples | unsupported syntax, import hacks, packaging drift, swallowed
|
|
567
|
+
| Python source, package metadata, runtime version, import layout, architecture boundaries, type checking, async tasks, exception/logging/retry behavior, collection performance, pytest fixtures or mocks, linting, CLI entry points, or tests are created or changed | `.mustflow/skills/python-code-change/SKILL.md` | Python version source, packaging files, build backend or package-manager owner, import layout, architecture boundary, lint/type/test config, async/failure/performance surface, changed files, and command contract entries | Python source, packaging metadata, imports, type hints, adapters, async ownership, exception/logging/retry code, collection hot paths, tests, and docs examples | unsupported syntax, import hacks, packaging drift, framework or ORM leakage into domain code, false type safety, unowned task, swallowed cancellation, retry storm, hidden fallback, copy-heavy hot path, fixture state leak, bare mock lie, or weakened lint/type checks | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Runtime, packaging, import, architecture, type, async, failure, performance, and test boundary checked, verification, and remaining Python risk |
|
|
565
568
|
| PowerShell scripts, modules, command examples, `pwsh` invocations, native-command wrappers, quoting, here-strings, splatting, regex, wildcard, replacement strings, or PowerShell argument passing are created or changed | `.mustflow/skills/powershell-code-change/SKILL.md` | PowerShell version and invocation path, parser layers, native-command boundary, dynamic input boundaries, changed files, and command contract entries | PowerShell scripts, modules, package scripts, CI snippets, docs examples, native-command wrappers, tests, and directly synchronized docs | parser-layer confusion, quote loss, variable over-expansion, metacharacter interpretation, native argv drift, command injection, `--%` overuse, or cross-shell `-Command` breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | PowerShell version and invocation boundary, parser ledger, string/here-string/regex/wildcard/replacement/native argv decisions, verification, and remaining PowerShell risk |
|
|
566
|
-
| Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, benchmarks, tools, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, Go version support, full package files, tests, public API surface, concurrency owner, runtime/deployment context, changed files, and command contract entries | Go packages, module metadata, interfaces, errors, concurrency code, HTTP/proxy code, JSON encoding, filesystem and network helpers, runtime settings, tests, tools, and docs examples | unnecessary abstraction, unsupported Go feature, context loss, goroutine leak, missing timeout, JSON contract drift, filesystem traversal, IPv6 host-port bug, runtime tuning drift, error contract drift, or
|
|
567
|
-
| Rust source, Cargo metadata, features, traits, errors, ownership, async
|
|
569
|
+
| Go source, modules, workspaces, package APIs, package layout, `internal` boundaries, interfaces, structs, errors, goroutines, channels, context propagation, HTTP clients or servers, graceful shutdown, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, profiling, benchmarks, tools, tests, or generated-code boundaries are created or changed | `.mustflow/skills/go-code-change/SKILL.md` | Module files, workspace policy, Go version support, full package files, tests, public API surface, package ownership, concurrency owner, runtime/deployment context, changed files, and command contract entries | Go packages, module and workspace metadata, internal boundaries, interfaces, structs, errors, concurrency code, HTTP/shutdown/proxy code, JSON encoding, filesystem and network helpers, runtime settings, profiling and benchmarks, tests, tools, and docs examples | unnecessary abstraction, module boundary drift, unsupported Go feature, context loss, goroutine leak, missing timeout, unsafe shutdown, JSON contract drift, filesystem traversal, IPv6 host-port bug, runtime tuning drift, performance folklore, error contract drift, or dependency drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Package, API, module/workspace, Go version, context, concurrency, runtime, HTTP/shutdown, JSON, filesystem, profiling, tool, and error boundary checked, verification, and remaining Go risk |
|
|
570
|
+
| Rust source, Cargo metadata, features, traits, errors, ownership, borrowing, lifetimes, `Clone`, `Rc`, `Arc`, `Mutex`, `RefCell`, async tasks, channels, cancellation, unsafe code, allocation, zero-copy, tests, examples, benchmarks, release profiles, MSRV, toolchain declarations, standard-library APIs, or public crate APIs are created or changed | `.mustflow/skills/rust-code-change/SKILL.md` | Cargo metadata, feature flags, public exports, ownership map, error convention, async runtime, task and channel policy, unsafe invariants, allocation or benchmark evidence, `rust-version`, edition, toolchain, workspace policy, changed files, and command contract entries | Rust source, Cargo metadata, features, errors, traits, ownership signatures, async task/channel code, tests, examples, benchmarks, profiles, and docs | clone or shared-state aliasing, lifetime debt, error opacity, unsupported Rust feature, feature drift, Cargo resolver drift, async runtime mixing, task or channel leak, zero-copy retention bug, allocation folklore, unsafe invariant loss, release-profile overclaim, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Ownership, MSRV, standard-library API, Cargo feature, error, async task/channel/cancellation, allocation, unsafe, release-profile, and public API boundary checked, verification, and remaining Rust risk |
|
|
568
571
|
| Axum apps, routers, handlers, extractors, state, extensions, middleware, Tower or Tower-HTTP layers, CORS, cookies, headers, WebSockets, body limits, rejections, error responses, Tokio tasks or locks, SQLx pools, or Rust HTTP API tests are created, changed, reviewed, or upgraded | `.mustflow/skills/axum-code-change/SKILL.md` | Cargo and Axum-related crate version evidence, router ledger, handler and extractor contracts, state and extension owners, middleware and Tower stack, response envelope, Tokio runtime, SQLx pool and transaction boundaries, changed files, and command contract entries | Axum routers, handlers, extractors, state, extensions, middleware, Tower layers, CORS/cookie/header policy, error and rejection mapping, Tokio task and lock boundaries, SQLx pool setup, tests, and docs examples | stale Axum version claim, route syntax migration drift, auth or body-consuming extractor bug, `State` versus `Extension` leak, inconsistent error envelope, fallible Tower error not mapped to response, CORS-as-auth mistake, cookie confidentiality gap, sensitive header logging, body-limit bypass, unbounded spawn, lock contention, pool starvation, or transaction lifetime leak | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Axum version, route, handler, extractor, state, response, Tower middleware, CORS/cookie/header/body-limit, Tokio task/lock, SQLx pool, verification, and remaining Axum risk |
|
|
569
572
|
| Godot projects, scenes, nodes, GDScript, C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, or Godot version migrations are created, changed, reviewed, or upgraded | `.mustflow/skills/godot-code-change/SKILL.md` | Godot version, renderer, platform targets, project settings, input map, autoloads, addons, affected scenes, scripts, Resources, save/load participants, export presets, profiler evidence when performance is claimed, and command contract entries | Godot scenes, nodes, GDScript or C# scripts, Resources, Autoloads, signals, groups, save/load systems, rendering, physics, UI, input, exports, plugins, editor tools, tests, and docs examples | stale Godot version claim, scene-tree reach-through, global-state sprawl, shared Resource mutation, hidden signal flow, save corruption, thread-unsafe SceneTree access, renderer regression, target-device drift, export preset drift, or stale migration advice | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Godot version, renderer, scene, node, signal, Resource, Autoload, save/load, rendering, physics, UI, input, export, verification, and remaining Godot risk |
|
|
570
573
|
| Dart source, pub package metadata, null safety, Futures, Streams, isolates, analyzer lints, tests, CLI entry points, or public package APIs are created or changed | `.mustflow/skills/dart-code-change/SKILL.md` | Pub metadata, analyzer config, public exports, async ownership, package layout, changed files, and command contract entries | Dart source, pub metadata, exports, async code, tests, examples, and docs | null-safety bypass, discarded Future, uncanceled Stream, isolate ownership drift, or public API breakage | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Nullability, async, stream, isolate, and API boundary checked, verification, and remaining Dart risk |
|
|
@@ -637,8 +640,8 @@ routes. Event routes stay inactive until their event occurs.
|
|
|
637
640
|
| Generated or edited code, configuration, CI workflows, package metadata, install instructions, examples, Docker images, framework setup, runtime declarations, toolchain declarations, TypeScript compiler-track references, Rust release or MSRV references, or migration-sensitive snippets introduce explicit external version references, action refs, package ranges, runtime versions, framework majors, Docker image tags, or scaffold commands that may be stale | `.mustflow/skills/version-freshness-check/SKILL.md` | Versioned reference, owning files, repository version policy, approved freshness source, compatibility context, migration risk, TypeScript compiler track or Rust MSRV/toolchain track when relevant, and command contract entries | Package metadata, lockfiles, CI workflows, Dockerfiles, runtime files, framework config, docs, examples, templates, tests, and version-decision reports | stale default version, false latest claim, accidental major migration, repository policy mismatch, unsupported generated example, TypeScript RC/nightly/API-track confusion, Rust stable/nightly/MSRV confusion, floating-tag drift, or unverified security/support claim | `changes_status`, `changes_diff_summary`, `build`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Versioned surfaces checked, repository policy and freshness source, selected version track, compatibility classification, TypeScript stable/RC/nightly/API-track and Rust stable/nightly/MSRV split when relevant, approval need, synchronized surfaces, verification, and remaining version-freshness risk |
|
|
638
641
|
| External systems, protocols, SDKs, databases, webhooks, queues, files, object storage, signed upload or download URLs, caches, API response models, framework requests or responses, server actions, route handlers, edge functions, worker handlers, AI models, browser storage, search engines, analytics tools, email platforms, no-code tools, observability backends, trace or request context, provider data, or volatile component implementations cross the core boundary or need stable port/adapter translation, change isolation, error mapping, timeout, retry, circuit-breaker, bulkhead, idempotency, reconciliation, security, core-state ownership, vendor portability, or observability handling | `.mustflow/skills/adapter-boundary/SKILL.md` | External system or protocol, inbound/outbound direction, delivery boundary, internal use case, local port/adapter patterns, provider risk, provider failure policy, core-state ownership risk, vendor portability risk, observability identifier policy, API contract risk, change-isolation ledger, preserved consumer contract, changed files, and command contract entries | Ports, adapters, mappers, controllers, workers, stores, gateways, response mappers, telemetry mappers, timeout and retry policies, circuit breakers, bulkhead boundaries, tests, fixtures, assembly wiring, and directly synchronized docs or templates | provider leakage, caller churn from adapter-only changes, framework business-rule leakage, telemetry backend leakage, storage-key leakage, screen-shaped API coupling, pass-through wrapper, SaaS dashboard as truth source, search or analytics policy leakage, queue contract leakage, unclassified external failure, duplicate side effect, unsafe retry, missing timeout, missing circuit breaker, missing bulkhead, unresolved unknown provider outcome, broken identifier propagation, secret or personal-data leak, or untested integration drift | `changes_status`, `changes_diff_summary`, `test_related`, `test`, `lint`, `build`, `docs_validate_fast`, `test_release`, `mustflow_check` | Boundary classification, change-isolation ledger, preserved consumer contract, delivery adapter responsibility, internal port, provider containment, core-state ownership, vendor portability, validation and mapping, API response mapping, observability identifier flow, timeout/retry/circuit-breaker/bulkhead/idempotency handling, reconciliation behavior, security notes, verification, and remaining provider risk |
|
|
639
642
|
| Third-party SDK or external API integration, review, debugging, upgrade, webhook handling, auth scope change, sandbox or production setup, provider SDK version change, API version migration, rate-limit handling, retry policy, idempotency key usage, pagination, provider error mapping, request id logging, changelog review, deprecation response, or provider operational-readiness test needs production integration review | `.mustflow/skills/third-party-api-integration-review/SKILL.md` | Provider and SDK/API ledger, source-of-truth docs, auth and scope ledger, operation and side-effect ledger, webhook ledger, error and observability ledger, changelog or migration evidence, existing fakes or sandbox tests, and configured command intents | Provider adapters, wrappers, typed request and response models, error mappers, timeout and retry policies, rate-limit handling, idempotency key handling, pagination handling, webhook signature verification and dedupe, redacted observability, sandbox tests, fixtures, runbooks, migration notes, and directly synchronized docs or templates | demo-only integration, stale provider docs, SDK/API drift, sandbox-production mixup, hardcoded secret, overbroad scope, token refresh gap, missing timeout, infinite retry, retrying permanent errors, mutating retry without idempotency, per-attempt idempotency key, 429 retry storm, ignored Retry-After, offset pagination assumption, raw provider error leak, string-only provider error, missing request id, trusted webhook payload, JSON-parsed signature breakage, duplicate webhook side effect, event-order assumption, success redirect as proof, unhandled unknown provider outcome, dashboard-only setting, untested SDK upgrade, or happy-path-only sandbox test | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `test_audit`, `docs_validate_fast`, `test_release`, `mustflow_check` | Third-party integration reviewed, provider source-of-truth and SDK/API version evidence, auth/environment/scope decisions, timeout/retry/rate-limit/idempotency/pagination decisions, webhook delivery and dedupe checks, error and observability mapping, tests or missing evidence, verification, and remaining provider operational risk |
|
|
640
|
-
| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar,
|
|
641
|
-
| Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch,
|
|
643
|
+
| Tauri frontend invokes, Rust commands, capabilities, permissions, scopes, plugins, filesystem, dialog, shell, opener, updater, sidecar, mobile native permissions, Tauri bundling targets, release package formats, or native desktop CI build matrices are created or changed | `.mustflow/skills/tauri-code-change/SKILL.md` | Frontend call sites, Tauri config, Rust commands, capability and permission files, plugin config, bundle targets, release matrix evidence, changed files, and command contract entries | Tauri frontend, Rust commands, capabilities, permissions, scopes, plugins, bundle target narrowing, package target notes, tests, and docs | broad native permission, untrusted IPC input, filesystem escape, shell or updater risk, WebView/native boundary drift, all-target bundling surprise, cold Cargo cache cost, duplicated macOS packaging jobs, or long-retention CI artifacts posing as release assets | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | IPC, permission, scope, filesystem, shell, updater, native boundary, bundle target, release matrix, artifact retention, verification, and remaining Tauri risk |
|
|
644
|
+
| Wails v3 applications, Go services, generated bindings, TypeScript runtime calls, windows, menus, system tray, dialogs, events, frontend bridge payloads, WebView platform behavior, Taskfile or build config, signing, packaging, platform targets, native desktop CI build matrices, custom protocols, file associations, server builds, or Wails-related tests are created, changed, reviewed, or upgraded | `.mustflow/skills/wails-code-change/SKILL.md` | Wails version track, Go module and frontend package metadata, generated bindings, app entry point, service/window/event/menu/tray/dialog/build/package evidence, platform target and release matrix evidence, changed files, and command contract entries | Wails app assembly, Go services, frontend bridge calls, generated bindings, windows, events, menus, tray, dialogs, WebView platform behavior, platform packaging, target narrowing, tests, and docs | Electron or Wails v2 migration drift, accidental exported RPC, binding or runtime version drift, shared-service race, unsafe frontend input, oversized bridge payload, event leak or broadcast, WebView platform mismatch, packaging/signing drift, all-platform PR packaging, duplicated macOS packaging jobs, or long-retention CI artifacts posing as release assets | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `mustflow_check` | Wails version/app/service/bridge/binding/window/event/menu/tray/dialog/platform packaging, release matrix, artifact retention notes, verification, and remaining Wails risk |
|
|
642
645
|
| File path handling, cross-platform path behavior, path helpers, safe filesystem wrappers, clone or checkout destinations, scaffold roots, temp or cache paths, atomic writes, locks, archive extraction, uploads, downloads, scanners, CLI/API/schema path contracts, snapshots, generated outputs, or package artifact paths are created, changed, reviewed, or reported | `.mustflow/skills/file-path-cross-platform-change/SKILL.md` | Path ledger, trust classes, accepted path representation, base root, path helpers, safe filesystem wrappers, clone/checkout/scaffold/install/extract outputs, staging and promotion policy, temp/cache helpers, lock policy, archive policy, upload/download policy, scanner policy, CLI/API/schema/snapshot/generated/package surfaces, platform expectations, failure taxonomy, and command contract entries | Path validators, helpers, wrappers, schemas, CLI/API parsing, snapshots, fixtures, docs, tests, generated-output paths, package artifact paths, clone or scaffold destinations, archive extraction, scanner bounds, temp/cache handling, locks, and cleanup code | path traversal, base containment bypass, drive-relative path bug, reserved-name bug, case-collision bug, Unicode-collision bug, Git checkout path-length failure misreported as network or auth, unsafe archive extraction, non-atomic write claim, stale lock, scanner loop, partial-output cleanup data loss, user-selected destination deletion, path contract drift, or package artifact path drift | `changes_status`, `changes_diff_summary`, `lint`, `build`, `test_related`, `test`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path contract, path ledger, trust classes, root policy, preflight/staging/promotion decisions, Windows/macOS/Linux/archive/upload/download/scanner/lock/temp/cache/atomic/cleanup decisions, failure taxonomy, synchronized contract surfaces, verification, and remaining path risk |
|
|
643
646
|
| File paths, directories, symlinks, real paths, traversal, atomic writes, file copies, generated outputs, temporary files, clone or checkout materialization, cleanup, or Windows/POSIX filesystem behavior are created, changed, reviewed, or reported | `.mustflow/skills/cross-platform-filesystem-safety/SKILL.md` | Path inputs, base directory, trust boundary, symlink policy, write or cleanup strategy, clone/checkout/scaffold/install/extract path budget, app-owned staging boundary, platform expectations, failure taxonomy, and command contract entries | Path validation, file helpers, copy/update/delete code, clone/scaffold/archive cleanup code, scan bounds, fixtures, tests, docs, and templates | path traversal, symlink escape, unsafe overwrite, platform-only behavior, stale output, path-length or filename-length misclassification, watcher/resource misclassification, or cleanup data loss | `changes_status`, `changes_diff_summary`, `test_related`, `docs_validate_fast`, `test_release`, `mustflow_check` | Path trust classes, root boundary, symlink/write/delete/scan decisions, preflight and staging boundaries, clone/scaffold/extract classification, platform assumptions, verification, and remaining filesystem risk |
|
|
644
647
|
| Child processes, shell or argv execution, built-in command reruns, Git/package-manager/scaffolder failures, timeouts, process trees, output limits, streaming, environment policy, command eligibility, failure classification, command-line length limits, or execution receipts are created, changed, reviewed, or reported | `.mustflow/skills/process-execution-safety/SKILL.md` | Execution path, timeout, output limit, stdin, argv and shell command-length budget, environment, cwd, process tree behavior, failure taxonomy, receipt and write-tracking expectations, and command contract entries | Process execution code, process-tree helpers, output buffers, environment creation, eligibility checks, failure classifiers, receipts, tests, and docs | runaway process, unbounded output, leaked environment, argv-too-long failure, shell-command-too-long failure, inconsistent JSON/text execution, false cleanup claim, Git checkout path failure misreported as network or auth, blind retry, diagnostic loss, or unreliable receipt | `changes_status`, `changes_diff_summary`, `test_related`, `test_release`, `mustflow_check` | Execution surface, timeout/output/environment/process-tree boundaries, argv and shell length handling, failure classification, diagnostic preservation, receipt consistency, tests, verification, and remaining process risk |
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.ci-pipeline-triage
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: ci-pipeline-triage
|
|
9
|
-
description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, green despite broken output, or not yet localized to trigger, runner, environment, build, test, artifact, deploy, or verification boundaries.
|
|
9
|
+
description: Apply this skill when a CI/CD workflow, pipeline, job, runner, matrix, trigger, cache, artifact, runner-minute billing, artifact storage or retention, deployment job, required check, or post-deploy verification is failing, skipped, queued, flaky, slow, unexpectedly expensive, green despite broken output, or not yet localized to trigger, runner, environment, build, test, cache, artifact, billing, deploy, or verification boundaries.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -46,6 +46,9 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
46
46
|
deployment permissions, rollout completion, or post-deploy verification.
|
|
47
47
|
- A pipeline suddenly breaks without application-code changes, or only fails on forks, protected
|
|
48
48
|
branches, specific runners, specific regions, specific matrix entries, or reruns.
|
|
49
|
+
- A CI workflow becomes unexpectedly expensive, burns private-repository minutes too quickly,
|
|
50
|
+
exhausts artifact storage, keeps long-lived test artifacts, or needs a release matrix cost review
|
|
51
|
+
before the expensive boundary is known.
|
|
49
52
|
|
|
50
53
|
<!-- mustflow-section: do-not-use-when -->
|
|
51
54
|
## Do Not Use When
|
|
@@ -66,6 +69,10 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
66
69
|
- Run identity ledger: commit SHA, branch or tag, trigger event, workflow file revision, matrix
|
|
67
70
|
entry, runner label and image, architecture, region, toolchain versions, package-manager version,
|
|
68
71
|
execution time, and run or job id.
|
|
72
|
+
- CI billing ledger when cost is in scope: public versus private repository behavior, plan or
|
|
73
|
+
allowance snapshot, provider billing page or docs date, runner OS and size, job count, matrix
|
|
74
|
+
shape, per-job rounding behavior, queue versus execution time, artifact retention days, cache
|
|
75
|
+
retention or quota, and release asset handoff.
|
|
69
76
|
- Last-good comparison: last successful commit and first failing commit, including workflow files,
|
|
70
77
|
lockfiles, base images, shared scripts, secrets or permission scopes, runner labels, cache keys,
|
|
71
78
|
feature flags, deployment config, and required-check settings.
|
|
@@ -88,9 +95,9 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
88
95
|
## Allowed Edits
|
|
89
96
|
|
|
90
97
|
- Add or tighten workflow triggers, path filters, matrix guards, version pinning, cache keys,
|
|
91
|
-
artifact manifests,
|
|
92
|
-
|
|
93
|
-
test isolation, docs, and focused fixtures.
|
|
98
|
+
artifact manifests, artifact retention, release-asset promotion, status aggregation, debug
|
|
99
|
+
evidence collection, secret-safe diagnostics, timeout classification, runner labels, concurrency
|
|
100
|
+
locks, environment validation, smoke checks, test isolation, docs, and focused fixtures.
|
|
94
101
|
- Add tests or docs that prove workflow contract behavior, package metadata, template output,
|
|
95
102
|
release checks, artifact identity, or command-contract mapping when the repository owns those
|
|
96
103
|
surfaces.
|
|
@@ -134,21 +141,37 @@ changed from the last known-good run, and what evidence would disprove each boun
|
|
|
134
141
|
dimensions. Artifacts need file list, size, hash, build SHA, and download verification.
|
|
135
142
|
14. Verify that the tested artifact is the deployed artifact. Rebuilding during deploy can make CI
|
|
136
143
|
test one thing and production receive another.
|
|
137
|
-
15.
|
|
144
|
+
15. For CI cost or quota questions, split the bill before optimizing:
|
|
145
|
+
- runner execution minutes, not artifact bytes, usually dominate native app release cost;
|
|
146
|
+
- macOS or other premium runners can dominate a matrix even when Linux jobs are longer;
|
|
147
|
+
- job-level minimum billing or rounding can make many tiny split jobs cost more than one
|
|
148
|
+
grouped job;
|
|
149
|
+
- public repository standard-runner rules can differ from private repository included minutes;
|
|
150
|
+
- billing pages may display currency spend while plan allowances are minute or storage quotas,
|
|
151
|
+
so confirm the unit before comparing options.
|
|
152
|
+
16. Separate Actions artifacts, caches, package registries, and release assets. Short-lived test
|
|
153
|
+
bundles should use short retention. Long-lived distributables should be promoted through the
|
|
154
|
+
repository's release or package channel when that is the intended public artifact. Do not treat
|
|
155
|
+
cache quota as artifact storage or release assets as CI retention.
|
|
156
|
+
17. For native desktop matrices, avoid full bundles on every PR unless the repository explicitly
|
|
157
|
+
requires it. Prefer PR checks that prove frontend build plus native compile or type contracts on
|
|
158
|
+
the cheapest adequate runner, then run signed or full OS package matrices only on release tags,
|
|
159
|
+
release branches, or protected manual gates.
|
|
160
|
+
18. Check auth and permissions by execution context. Fork PRs, protected branches, environments,
|
|
138
161
|
OIDC identity, package publishing identity, cloud role, and repository token scopes can differ
|
|
139
162
|
across otherwise similar runs.
|
|
140
|
-
|
|
163
|
+
19. For deployment jobs, require rollout evidence, readiness, smoke checks, error and latency
|
|
141
164
|
thresholds, and environment concurrency locks instead of treating a zero exit code as success.
|
|
142
|
-
|
|
165
|
+
20. Preserve evidence before cleanup. Do not delete runners, caches, artifacts, temporary dirs, or
|
|
143
166
|
diagnostic logs until the boundary and redaction plan are clear.
|
|
144
|
-
|
|
167
|
+
21. Apply the smallest localized fix and verify with the narrowest configured intent that covers the
|
|
145
168
|
changed workflow, package, docs, template, or test surface.
|
|
146
169
|
|
|
147
170
|
<!-- mustflow-section: postconditions -->
|
|
148
171
|
## Postconditions
|
|
149
172
|
|
|
150
|
-
- The pipeline failure is localized to trigger, runner, environment, build, test, artifact,
|
|
151
|
-
verification, or a named evidence gap.
|
|
173
|
+
- The pipeline failure is localized to trigger, runner, environment, build, test, artifact, billing
|
|
174
|
+
or storage quota, deploy, verification, or a named evidence gap.
|
|
152
175
|
- Last-good versus first-failure comparison, run identity, false-green risk, cache and artifact
|
|
153
176
|
behavior, permission scope, and rerun determinism are explicit where relevant.
|
|
154
177
|
- Follow-up deployment, test performance, security, command-contract, or package-release work is
|
|
@@ -178,6 +201,9 @@ CI reruns, deploys, cloud shell commands, or provider dashboard writes outside t
|
|
|
178
201
|
|
|
179
202
|
- If run identity, last-good comparison, trigger graph, runner, cache, artifact, or permission
|
|
180
203
|
evidence is missing, report the missing field instead of guessing.
|
|
204
|
+
- If CI pricing, included minutes, storage quotas, or runner rates are time-sensitive and not
|
|
205
|
+
locally available, avoid exact price claims and name the provider billing evidence that must be
|
|
206
|
+
checked.
|
|
181
207
|
- If debug logs contain secrets or private data, stop copying raw output and summarize safely.
|
|
182
208
|
- If CI evidence requires remote provider access that is unavailable or unconfigured, report the
|
|
183
209
|
manual evidence boundary and continue with local workflow or static evidence.
|
|
@@ -191,6 +217,8 @@ CI reruns, deploys, cloud shell commands, or provider dashboard writes outside t
|
|
|
191
217
|
- Failure shape and localized boundary
|
|
192
218
|
- Run identity and last-good comparison
|
|
193
219
|
- Trigger, runner, environment, build, test, cache, artifact, deploy, and verification findings
|
|
220
|
+
- Billing unit, runner-minute, matrix rounding, artifact retention, cache quota, and release asset
|
|
221
|
+
findings when cost is in scope
|
|
194
222
|
- Hypotheses killed, still open, and selected follow-up boundary
|
|
195
223
|
- Fix applied or recommended
|
|
196
224
|
- Evidence level: provider run evidence, configured-test evidence, static review risk, manual-only,
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
mustflow_doc: skill.cloud-cost-guardrail-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: cloud-cost-guardrail-review
|
|
@@ -65,6 +65,9 @@ lifecycle cleanup, and service-specific caps before the bill becomes the first a
|
|
|
65
65
|
narrower security skill first, then use this skill for spend blast radius.
|
|
66
66
|
- The task only changes local development code with no cloud, provider, telemetry, storage,
|
|
67
67
|
network, external API, or deployable infrastructure surface.
|
|
68
|
+
- The task is primarily CI runner minutes, workflow matrix cost, Actions artifact retention,
|
|
69
|
+
build-cache quota, release asset handoff, or CI job billing; use `ci-pipeline-triage` first, then
|
|
70
|
+
return here only when broader cloud, SaaS, or provider spend guardrails remain.
|
|
68
71
|
|
|
69
72
|
<!-- mustflow-section: required-inputs -->
|
|
70
73
|
## Required Inputs
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.go-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 5
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: go-code-change
|
|
9
|
-
description: Apply this skill when Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, benchmarks, tests, tools, or generated code boundaries are created or changed.
|
|
9
|
+
description: Apply this skill when Go source, modules, workspaces, package APIs, package layout, internal boundaries, interfaces, structs, errors, goroutines, channels, context propagation, HTTP clients or servers, graceful shutdown, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, profiling, benchmarks, tests, tools, or generated code boundaries are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -28,13 +28,13 @@ metadata:
|
|
|
28
28
|
<!-- mustflow-section: purpose -->
|
|
29
29
|
## Purpose
|
|
30
30
|
|
|
31
|
-
Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JSON, filesystem, and test boundaries without adding needless abstraction.
|
|
31
|
+
Preserve Go package, module, workspace, API, error, context, concurrency, runtime, HTTP, JSON, filesystem, performance, and test boundaries without adding needless abstraction.
|
|
32
32
|
|
|
33
33
|
<!-- mustflow-section: use-when -->
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
|
-
- `.go`, `go.mod`, `go.sum`, `go.work`, build tags, generated code, public package API, tests, benchmarks, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem access, network addresses, runtime tuning, tools, or module dependencies change.
|
|
37
|
-
- The task touches interfaces, error wrapping, package structure, concurrency ownership, cancellation, timeout policy, memory limits, race-sensitive code, benchmark measurement, or module dependencies.
|
|
36
|
+
- `.go`, `go.mod`, `go.sum`, `go.work`, build tags, generated code, public package API, tests, benchmarks, goroutines, channels, context propagation, HTTP clients or servers, graceful shutdown, reverse proxies, JSON encoding, filesystem access, network addresses, runtime tuning, profiling, tools, or module dependencies change.
|
|
37
|
+
- The task touches interfaces, structs, zero-value behavior, error wrapping, package structure, `internal` boundaries, import direction, concurrency ownership, cancellation, timeout policy, memory limits, race-sensitive code, benchmark measurement, or module dependencies.
|
|
38
38
|
- Code or docs use Go-version-gated features such as expression operands to `new`, range-over-function iterators, generic type aliases, reflect iterators, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `T.ArtifactDir`, `B.ArtifactDir`, `F.ArtifactDir`, `testing/cryptotest.SetGlobalRandom`, `os.Root` or `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, experimental `GOEXPERIMENT` features, or newer runtime defaults.
|
|
39
39
|
|
|
40
40
|
<!-- mustflow-section: do-not-use-when -->
|
|
@@ -49,6 +49,7 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
49
49
|
- `go.mod`, `go.sum`, `go.work`, build tooling, lint config, and CI hints.
|
|
50
50
|
- All files in the changed package, including `_test.go`, build-tagged files, examples, and generated-file markers.
|
|
51
51
|
- The public API surface when exported identifiers, errors, or package paths change.
|
|
52
|
+
- Package ownership, import direction, `internal` visibility, module path, major-version suffix, workspace usage, and whether the project is an importable library, self-contained server, tool, or monorepo.
|
|
52
53
|
- Runtime and deployment context when the change touches HTTP, goroutines, timers, memory, `GOMAXPROCS`, cgroups, race detection, PGO, profiling, or container behavior.
|
|
53
54
|
- Minimum supported Go version, `go` directive, `toolchain` directive, `GOEXPERIMENT`, and whether the feature is stable, experimental, or repository-pinned.
|
|
54
55
|
- Configured verification intents.
|
|
@@ -67,6 +68,9 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
67
68
|
- Keep interfaces small and preferably owned by the consuming side.
|
|
68
69
|
- Return concrete provider types from provider packages unless the package intentionally hides multiple implementations as its public API.
|
|
69
70
|
- Keep domain and use-case packages free of SQL, HTTP transport, queue, cloud SDK, ORM, and vendor persistence types unless those types are the explicit public API.
|
|
71
|
+
- Use `internal` to protect implementation freedom for server and tool packages that are not meant to be imported.
|
|
72
|
+
- Keep structs, constructors, and zero values aligned with invariants: make the zero value useful, harmless, or impossible to misuse.
|
|
73
|
+
- Split domain, storage, JSON, and transport DTO shapes when they have different owners, lifetimes, validation rules, or compatibility contracts.
|
|
70
74
|
- Preserve context propagation across API and goroutine boundaries.
|
|
71
75
|
- Return actionable errors and wrap causes when callers need `errors.Is` or `errors.As`.
|
|
72
76
|
- Add table-driven tests when they clarify behavior.
|
|
@@ -76,43 +80,57 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
76
80
|
## Procedure
|
|
77
81
|
|
|
78
82
|
1. Read module files, package files, tests, build tags, and generated-code markers.
|
|
79
|
-
2. Classify the change as package API, internal implementation, dependency, error behavior, context flow, concurrency, HTTP or proxy behavior, JSON encoding, filesystem safety, runtime or deployment behavior, benchmark, tooling, or test-only.
|
|
83
|
+
2. Classify the change as module or workspace metadata, package API, package layout, internal implementation, dependency, error behavior, context flow, concurrency, HTTP or proxy behavior, JSON encoding, filesystem safety, runtime or deployment behavior, performance measurement, benchmark, tooling, or test-only.
|
|
80
84
|
3. Check the Go version contract before using newer syntax or APIs:
|
|
81
85
|
- treat the `go` directive as a language and module compatibility switch, not decoration;
|
|
82
86
|
- do not use `new(expr)`, range-over-function iterators, generic type aliases, reflect iterator methods, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `T.ArtifactDir`, `B.ArtifactDir`, `F.ArtifactDir`, `testing/cryptotest.SetGlobalRandom`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, or any `GOEXPERIMENT` feature unless the repository's supported Go version and build path allow it;
|
|
83
87
|
- distinguish stable standard-library APIs from experimental APIs that require `GOEXPERIMENT`;
|
|
84
|
-
- when `go.mod` or `go.work` changes, report language-version, module-graph, toolchain, and downstream support impact.
|
|
88
|
+
- when `go.mod` or `go.work` changes, report language-version, module-graph, workspace, toolchain, and downstream support impact.
|
|
85
89
|
4. Check package boundaries before adding a package or interface:
|
|
90
|
+
- treat a module as a release, version, and distribution boundary, not a folder-cleanup tool;
|
|
91
|
+
- treat `go.work` as a local multi-module development surface unless the repository explicitly supports committing and verifying workspace mode;
|
|
92
|
+
- keep module paths stable and use the required major-version suffix for v2+ modules;
|
|
93
|
+
- prefer `internal` for server implementation packages that are not intended as public imports;
|
|
94
|
+
- check import direction before function bodies: domain packages should not import HTTP status codes, ORM rows, SQL drivers, queues, cloud SDKs, or vendor transport shapes unless that dependency is the package's explicit contract;
|
|
86
95
|
- reject shared bucket packages named `common`, `util`, `types`, `interfaces`, `api`, or `models` unless the repository already has a specific local convention with a narrower meaning;
|
|
87
96
|
- put an interface in the package that consumes the methods, not in the package that merely implements them;
|
|
88
97
|
- create an interface only after a real consumer needs that exact method set;
|
|
89
98
|
- shrink an interface to the methods the immediate consumer calls;
|
|
90
99
|
- reject provider-side interfaces that exist only for mocks;
|
|
91
100
|
- reject provider constructors that return interfaces by default; prefer concrete exported types such as `*Client`, `*Store`, or `*Service`;
|
|
101
|
+
- use generics for reusable containers, algorithms, and type-safe plumbing, not as a substitute for clear domain boundaries;
|
|
92
102
|
- verify that a package split reduces a real dependency direction problem or creates a coherent capability instead of hiding imports.
|
|
93
103
|
5. If exported identifiers or package paths change, classify the public API impact:
|
|
94
104
|
- treat exported functions, variables, constants, types, methods, struct fields, interfaces, interface method sets, sentinel errors, typed errors, module path, package import path, and minimum Go version as contracts;
|
|
95
105
|
- assume exported symbols in a v1+ module are public API unless the package is internal or local evidence proves otherwise;
|
|
96
106
|
- do not remove, rename, or change exported signatures, exported field types, exported interface methods, or observable error behavior without an explicit breaking-change plan;
|
|
97
|
-
- adding a method to an exported interface is breaking for external implementations even when adding a method to a concrete type would be safe
|
|
107
|
+
- adding a method to an exported interface is breaking for external implementations even when adding a method to a concrete type would be safe;
|
|
108
|
+
- changing exported struct fields or JSON tags can be an API change even when function signatures stay stable.
|
|
98
109
|
6. Preserve error contracts:
|
|
99
110
|
- use `errors.Is` and `errors.As` semantics as observable API when documented or already tested;
|
|
100
111
|
- do not compare error strings;
|
|
112
|
+
- do not rely on `err == sentinel` when callers may receive wrapped errors;
|
|
101
113
|
- do not expose dependency sentinel or typed errors through wrapping unless the package intentionally supports them as API;
|
|
102
114
|
- treat a change between observable wrapping and non-observable formatting as API-sensitive;
|
|
115
|
+
- classify context cancellation, context deadlines, dependency timeouts, and domain failures at package boundaries instead of letting infrastructure errors leak upward unchanged;
|
|
116
|
+
- keep typed error pointer/value behavior consistent and avoid typed-nil errors behind an `error` interface;
|
|
117
|
+
- use `errors.Join` or multiple `%w` only when callers are expected to use `errors.Is` or `errors.As` rather than simple unwrap behavior;
|
|
103
118
|
- use `errors.AsType` only when the supported Go version allows it and the shorter form preserves the same typed-error contract;
|
|
104
119
|
- add tests for documented sentinel or typed errors when the error behavior changes.
|
|
105
|
-
7. If goroutines or channels change, name the owner, stop condition, cancellation path, wait path, error path, close responsibility, and test synchronization.
|
|
120
|
+
7. If goroutines or channels change, name the owner, stop condition, cancellation path, wait path, error path, panic policy, close responsibility, backpressure boundary, and test synchronization.
|
|
106
121
|
8. Choose the right goroutine primitive:
|
|
107
122
|
- use `sync.WaitGroup.Go` only for tasks that do not return errors and must not panic;
|
|
123
|
+
- call manual `WaitGroup.Add` before starting the goroutine and do not copy a `WaitGroup` after first use;
|
|
108
124
|
- use an errgroup-style boundary when work needs error propagation, context cancellation, or concurrency limits;
|
|
109
125
|
- do not hand-roll `WaitGroup` plus error channel plus cancellation plus semaphore unless the local code already owns that exact pattern and tests cover it;
|
|
110
126
|
- treat buffered-channel semaphores as semantic backpressure, not just a performance knob; changing capacity can change ordering and pressure;
|
|
127
|
+
- do not treat a channel as a data-race shield for maps, slices, pointers, or structs still shared across goroutines;
|
|
111
128
|
- treat `TryLock` as suspicious unless skipping the work is genuinely correct and observable.
|
|
112
129
|
9. Reject fire-and-forget goroutines unless they are owned by a long-lived object with a shutdown path, joined before return, managed by a group with a wait path, or explicitly documented as safely detached.
|
|
113
130
|
10. Preserve context propagation:
|
|
114
131
|
- request-scoped functions accept `ctx` first and pass it down;
|
|
115
132
|
- do not store request context in structs;
|
|
133
|
+
- do not use `context.Value` as dependency injection, optional parameters, or a hidden configuration bag;
|
|
116
134
|
- do not pass nil context;
|
|
117
135
|
- do not introduce `context.Background()` inside request or operation depth unless it is a true process root with a documented owner;
|
|
118
136
|
- derived contexts must release their cancel function on every path;
|
|
@@ -124,11 +142,20 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
124
142
|
- the sender that knows all sends are complete closes the channel;
|
|
125
143
|
- receivers do not close borrowed input channels;
|
|
126
144
|
- multiple senders require a coordinator that closes only after all senders finish;
|
|
127
|
-
- cancellable pipelines must avoid permanently blocking upstream goroutines when downstream stops early
|
|
145
|
+
- cancellable pipelines must avoid permanently blocking upstream goroutines when downstream stops early;
|
|
146
|
+
- buffered channels are not durable queues and must not hide unbounded producer or retry behavior;
|
|
147
|
+
- avoid busy-loop `select` statements with a `default` branch unless skipping work immediately is the intended behavior and CPU impact is bounded.
|
|
128
148
|
12. Use iterator functions only for pull-style traversal, not hidden concurrency. Honor the `yield` return value immediately, call the `stop` function from pull iterators, keep resource ownership visible, and keep channels for actual concurrent communication or backpressure.
|
|
129
149
|
13. Keep timeout policy at request, command, API, or operation boundaries. Do not hide arbitrary sleeps or timeouts in reusable helpers unless that helper explicitly owns the policy.
|
|
130
150
|
14. Check HTTP and proxy defaults:
|
|
131
|
-
-
|
|
151
|
+
- use an explicit `http.Server` for production-facing servers rather than bare convenience helpers;
|
|
152
|
+
- set deliberate `ReadHeaderTimeout`, request/body read policy, `WriteTimeout`, `IdleTimeout`, `MaxHeaderBytes`, `BaseContext`, `ConnState`, and `ErrorLog` where the server owns those behaviors; zero timeout means no limit in important cases;
|
|
153
|
+
- protect request bodies separately from headers with size limits and route-appropriate read deadlines;
|
|
154
|
+
- treat `WriteTimeout` carefully for SSE, long polling, chunked streaming, and large downloads; streaming paths need heartbeat, flush, per-write deadline, and disconnect behavior instead of a single short global timeout;
|
|
155
|
+
- do not treat `http.TimeoutHandler` as cancellation of the underlying business work; pass `r.Context()` through database, RPC, cache, queue, and outbound HTTP calls;
|
|
156
|
+
- do not use `ResponseWriter` or request bodies after `ServeHTTP` returns; background work must copy the needed payload and use a lifecycle context that is not the finished request context;
|
|
157
|
+
- design graceful shutdown as a state transition: drain readiness, stop new traffic, wait for `Shutdown`, fall back to `Close` only after the shutdown budget, and keep the main goroutine alive until shutdown completes;
|
|
158
|
+
- track WebSocket, hijacked, upgraded, or long-lived connections separately because ordinary `Shutdown` does not wait for them;
|
|
132
159
|
- reuse clients and transports instead of creating them per request;
|
|
133
160
|
- prefer reverse-proxy rewrite hooks over deprecated or unsafe director-style mutation when the supported Go version allows it;
|
|
134
161
|
- keep hop-by-hop header, forwarded-host, scheme, cancellation, streaming, and error-mapping behavior explicit.
|
|
@@ -147,18 +174,30 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
147
174
|
- use PGO only with representative profiles and keep `default.pgo` ownership clear;
|
|
148
175
|
- treat goroutine leak profiling, SIMD, JSON v2, and other experiments as opt-in evidence-gathering, not default production assumptions;
|
|
149
176
|
- remember that `-race` only finds races on executed paths and carries significant overhead.
|
|
150
|
-
18.
|
|
177
|
+
18. For performance changes, measure before simplifying or optimizing:
|
|
178
|
+
- require profile or benchmark evidence before accepting a more complex hot-path change;
|
|
179
|
+
- inspect CPU, heap, allocation, goroutine, block, and mutex evidence according to the symptom instead of assuming CPU is the bottleneck;
|
|
180
|
+
- treat allocation reduction as GC-pressure reduction only when benchmark or profile evidence supports it;
|
|
181
|
+
- use escape-analysis findings to explain heap movement instead of assuming pointers are faster than values;
|
|
182
|
+
- use `sync.Pool` only for disposable temporary objects that may vanish at any time, not as a durable cache or lifecycle owner.
|
|
183
|
+
19. Keep tests and benchmarks deterministic:
|
|
151
184
|
- do not use elapsed real time to wait for goroutine progress; use explicit synchronization, owned lifecycle waits, fake time, `testing/synctest` when supported, or the repository's established concurrency test helper;
|
|
152
185
|
- prefer `testing.B.Loop` for new benchmarks when the supported Go version allows it, and keep setup, cleanup, allocation measurement, and compiler optimization boundaries honest;
|
|
186
|
+
- compare benchmark changes across repeated runs and include `B/op` and `allocs/op` when allocation behavior is part of the claim;
|
|
153
187
|
- use test artifact directories for files that should survive a test run only when the supported Go version and test invocation preserve artifacts; otherwise use the repository's existing temporary-file or golden-output policy;
|
|
154
188
|
- for deterministic crypto tests, prefer the standard cryptographic test hook when the supported Go version provides it instead of overriding global readers in production code paths.
|
|
155
|
-
|
|
189
|
+
20. Keep Go tools and modernization explicit:
|
|
156
190
|
- prefer the `tool` directive over `tools.go` pinning only when the repository's supported Go version allows it;
|
|
157
191
|
- use `go fix` modernizers as reviewed migrations, not silent drive-by rewrites;
|
|
158
192
|
- update code generators, schema generators, lint helpers, and reflection-heavy tooling for generic aliases, alias node behavior, and reflect iterator methods only with fixture coverage;
|
|
159
193
|
- prefer standard-library helpers such as `min`, `max`, `clear`, `slices`, `maps`, and `cmp` over new local utility packages when the supported Go version allows them.
|
|
160
|
-
|
|
161
|
-
|
|
194
|
+
21. If dependency metadata changes, keep module files and dependent tests synchronized:
|
|
195
|
+
- do not raise the `go` directive, add toolchain requirements, change module path, or introduce direct dependencies unless the task requires it and the final report calls out the support impact;
|
|
196
|
+
- treat `go.sum` as checksum evidence, not a package lockfile and not disposable noise;
|
|
197
|
+
- treat `replace`, especially local-path `replace`, as temporary main-module or workspace-only wiring unless the repository documents a release plan for it;
|
|
198
|
+
- verify vendor output is regenerated by a configured intent when vendoring is part of the repository contract;
|
|
199
|
+
- check private module settings before adding private import paths so module names do not leak through public proxy or checksum lookups.
|
|
200
|
+
22. Choose configured verification intents that cover formatting, tests, race-sensitive behavior, lint, API drift, module drift, docs, and release metadata when available.
|
|
162
201
|
|
|
163
202
|
<!-- mustflow-section: postconditions -->
|
|
164
203
|
## Postconditions
|
|
@@ -166,7 +205,7 @@ Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JS
|
|
|
166
205
|
- Package ownership and exported API impact are clear.
|
|
167
206
|
- Context, goroutine, channel, and error ownership are explicit.
|
|
168
207
|
- Go-version-gated syntax, standard-library APIs, runtime defaults, experiments, and module metadata are compatible with the repository's supported Go version.
|
|
169
|
-
- HTTP timeout, proxy, JSON, filesystem, network address, runtime, test-time, benchmark, and tool decisions are explicit where touched.
|
|
208
|
+
- HTTP timeout, graceful shutdown, proxy, JSON, filesystem, network address, runtime, profiling, test-time, benchmark, and tool decisions are explicit where touched.
|
|
170
209
|
- Tests cover the changed behavior without sleeps as synchronization.
|
|
171
210
|
- Module drift is reported when dependency verification cannot run.
|
|
172
211
|
|
|
@@ -206,7 +245,7 @@ For concurrency-sensitive changes, report whether a configured race or equivalen
|
|
|
206
245
|
- Boundary checked
|
|
207
246
|
- Package and API impact
|
|
208
247
|
- Context/concurrency/error notes
|
|
209
|
-
- Go version, runtime, HTTP, JSON, filesystem, benchmark, and tool notes when relevant
|
|
248
|
+
- Go version, module/workspace, runtime, HTTP/shutdown, JSON, filesystem, profiling, benchmark, and tool notes when relevant
|
|
210
249
|
- Files changed
|
|
211
250
|
- Command intents run
|
|
212
251
|
- Skipped checks and reasons
|