mustflow 2.108.2 → 2.108.3

Files changed (31)
  1. package/README.md +3 -0
  2. package/dist/cli/commands/script-pack.js +3 -0
  3. package/dist/cli/i18n/en.js +37 -0
  4. package/dist/cli/i18n/es.js +37 -0
  5. package/dist/cli/i18n/fr.js +37 -0
  6. package/dist/cli/i18n/hi.js +37 -0
  7. package/dist/cli/i18n/ko.js +37 -0
  8. package/dist/cli/i18n/zh.js +37 -0
  9. package/dist/cli/lib/command-registry.js +3 -0
  10. package/dist/cli/lib/script-pack-registry.js +84 -0
  11. package/dist/cli/script-packs/repo-automation-surface.js +88 -0
  12. package/dist/cli/script-packs/repo-dependency-surface.js +87 -0
  13. package/dist/cli/script-packs/repo-toolchain-provenance.js +90 -0
  14. package/dist/core/public-json-contracts.js +27 -0
  15. package/dist/core/repo-automation-surface.js +376 -0
  16. package/dist/core/repo-dependency-surface.js +282 -0
  17. package/dist/core/repo-toolchain-provenance.js +421 -0
  18. package/dist/core/script-pack-suggestions.js +33 -1
  19. package/package.json +1 -1
  20. package/schemas/README.md +10 -0
  21. package/schemas/repo-automation-surface-report.schema.json +148 -0
  22. package/schemas/repo-dependency-surface-report.schema.json +121 -0
  23. package/schemas/repo-toolchain-provenance-report.schema.json +124 -0
  24. package/templates/default/i18n.toml +5 -5
  25. package/templates/default/locales/en/.mustflow/skills/INDEX.md +5 -5
  26. package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +56 -17
  27. package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +86 -27
  28. package/templates/default/locales/en/.mustflow/skills/routes.toml +4 -4
  29. package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +51 -32
  30. package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +47 -29
  31. package/templates/default/manifest.toml +1 -1
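--- a/package/README.md
+++ b/package/README.md
@@ -309,6 +309,9 @@ mf run mustflow_update_apply
  | `mf script-pack run code/export-diff compare --base HEAD --json` | Compare exported TypeScript or JavaScript declarations, return metadata, and package surface hints against a git base. |
  | `mf script-pack run docs/reference-drift check [path...] --json` | Check documentation references to `mf` commands, script-pack refs, schema files, and repository paths against current local surfaces. |
  | `mf script-pack run repo/config-chain inspect <path...> --json` | Inspect nearby package, TypeScript, ESLint, Vite, Tailwind, test, and mustflow config files plus static inheritance edges without executing dynamic config code. |
+ | `mf script-pack run repo/toolchain-provenance inspect --json` | Inspect repository-visible runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running those tools. |
+ | `mf script-pack run repo/automation-surface inspect --json` | Inventory package scripts, task runners, CI workflows, and mustflow command-intent coverage before adopting automation advice. |
+ | `mf script-pack run repo/dependency-surface inspect --json` | Inspect dependency manifests, lockfiles, update automation, and policy surfaces without installing or updating packages. |
  | `mf script-pack run repo/env-contract scan [path...] --json` | Scan code, CI, docs, config, and env examples for environment-variable contract drift without reading or printing real secret env values. |
  | `mf script-pack run repo/secret-risk-scan scan [path...] --json` | Scan code, docs, config, CI, and examples for plausible hardcoded secrets while reporting only redacted fingerprints. |
  | `mf script-pack run repo/generated-boundary check <path...> --json` | Check whether candidate paths cross generated, ignored, protected, vendor, or cache boundaries before or after edits. |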
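--- a/package/dist/cli/commands/script-pack.js
+++ b/package/dist/cli/commands/script-pack.js
@@ -75,6 +75,9 @@ export function getScriptPackHelp(lang = 'en') {
  'mf script-pack run test/performance-report summarize --json',
  'mf script-pack run test/regression-selector select --base HEAD --json',
  'mf script-pack run repo/config-chain inspect src/cli/index.ts --json',
+ 'mf script-pack run repo/toolchain-provenance inspect --json',
+ 'mf script-pack run repo/automation-surface inspect --json',
+ 'mf script-pack run repo/dependency-surface inspect --json',
  'mf script-pack run repo/env-contract scan --json',
  'mf script-pack run repo/secret-risk-scan scan src README.md --json',
  'mf script-pack run repo/security-pattern-scan scan src .github/workflows --json',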
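--- a/package/dist/cli/i18n/en.js
+++ b/package/dist/cli/i18n/en.js
@@ -806,6 +806,9 @@ Read these files before working:
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "actions",
  "scriptPack.label.schema": "schema",
@@ -1189,6 +1192,40 @@ Read these files before working:
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",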
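Review bot: `toolchainProvenance.clean` is the only empty-state message among the three key groups added in the second hunk; the `automationSurface.*` and `dependencySurface.*` groups have no counterpart. If their renderers follow the same pattern, an empty inventory would print only headings or a raw key, and for an inspection tool "nothing was found to inspect" should be stated explicitly so it is not read as a passing result. Consider adding `"automationSurface.clean": "No repository automation surfaces were detected."` and a matching `dependencySurface.clean`. The same block is repeated unchanged in the es, fr, hi, ko and zh catalogs that follow, so any added key belongs there too. The renderers are outside this hunk, so confirm which keys they actually look up.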
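--- a/package/dist/cli/i18n/es.js
+++ b/package/dist/cli/i18n/es.js
@@ -806,6 +806,9 @@ Lee estos archivos antes de trabajar:
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "actions",
  "scriptPack.label.schema": "schema",
@@ -1189,6 +1192,40 @@ Lee estos archivos antes de trabajar:
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",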
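--- a/package/dist/cli/i18n/fr.js
+++ b/package/dist/cli/i18n/fr.js
@@ -806,6 +806,9 @@ Lisez ces fichiers avant de travailler :
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "actions",
  "scriptPack.label.schema": "schema",
@@ -1189,6 +1192,40 @@ Lisez ces fichiers avant de travailler :
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",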
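--- a/package/dist/cli/i18n/hi.js
+++ b/package/dist/cli/i18n/hi.js
@@ -806,6 +806,9 @@ export const hiMessages = {
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "actions",
  "scriptPack.label.schema": "schema",
@@ -1189,6 +1192,40 @@ export const hiMessages = {
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",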
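--- a/package/dist/cli/i18n/ko.js
+++ b/package/dist/cli/i18n/ko.js
@@ -806,6 +806,9 @@ export const koMessages = {
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "작업",
  "scriptPack.label.schema": "스키마",
@@ -1189,6 +1192,40 @@ export const koMessages = {
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",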
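--- a/package/dist/cli/i18n/zh.js
+++ b/package/dist/cli/i18n/zh.js
@@ -806,6 +806,9 @@ export const zhMessages = {
  "scriptPack.script.relatedFiles.summary": "Map likely related files for source-oriented repository navigation",
  "scriptPack.script.testPerformanceReport.summary": "Summarize retained mf run performance evidence and test-suite bottlenecks",
  "scriptPack.script.testRegressionSelector.summary": "Select likely regression tests and conservative fallback verification",
+ "scriptPack.script.toolchainProvenance.summary": "Inspect repository toolchain version contract sources and lockfile provenance",
+ "scriptPack.script.automationSurface.summary": "Inventory automation surfaces and mustflow command-intent coverage",
+ "scriptPack.script.dependencySurface.summary": "Inspect dependency manifests, lockfiles, update automation, and policy surfaces",
  "scriptPack.label.script": "Script",
  "scriptPack.label.actions": "actions",
  "scriptPack.label.schema": "schema",
@@ -1189,6 +1192,40 @@ export const zhMessages = {
  "scriptPack.script.versionSource.summary": "Inspect repository version sources before release metadata changes",
  "scriptPack.script.approvalGate.summary": "Check planned actions against repository approval policy gates",
  "scriptPack.script.deploySurface.summary": "Inspect repository deploy and release surfaces with verification gates",
+ "toolchainProvenance.help.summary": "Inspect repository runtime, package-manager, lockfile, Docker, and CI toolchain provenance without running tools.",
+ "toolchainProvenance.help.exit.ok": "The toolchain-provenance report was generated without blocking findings",
+ "toolchainProvenance.help.exit.fail": "The toolchain-provenance report found provenance drift or unreadable metadata",
+ "toolchainProvenance.title": "mustflow toolchain provenance",
+ "toolchainProvenance.label.sources": "Sources",
+ "toolchainProvenance.label.lockfiles": "Lockfiles",
+ "toolchainProvenance.label.sourceDetails": "Source details",
+ "toolchainProvenance.label.findings": "Findings",
+ "toolchainProvenance.label.issues": "Issues",
+ "toolchainProvenance.clean": "No repository toolchain provenance sources were detected.",
+ "toolchainProvenance.error.missingAction": "Specify a toolchain-provenance action: inspect",
+ "toolchainProvenance.error.unknownAction": "Unknown toolchain-provenance action: {action}",
+ "automationSurface.help.summary": "Inventory package scripts, task runners, CI workflows, and mustflow intents without executing automation.",
+ "automationSurface.help.exit.ok": "The automation-surface report was generated without blocking findings",
+ "automationSurface.help.exit.fail": "The automation-surface report found risky automation or unreadable metadata",
+ "automationSurface.title": "mustflow automation surface",
+ "automationSurface.label.surfaces": "Surfaces",
+ "automationSurface.label.risky": "Risky surfaces",
+ "automationSurface.label.surfaceDetails": "Surface details",
+ "automationSurface.label.findings": "Findings",
+ "automationSurface.label.issues": "Issues",
+ "automationSurface.error.missingAction": "Specify an automation-surface action: inspect",
+ "automationSurface.error.unknownAction": "Unknown automation-surface action: {action}",
+ "dependencySurface.help.summary": "Inspect dependency manifests, lockfiles, update automation, audit, license, and SBOM policy surfaces without installing packages.",
+ "dependencySurface.help.exit.ok": "The dependency-surface report was generated without blocking findings",
+ "dependencySurface.help.exit.fail": "The dependency-surface report found dependency policy drift or unreadable metadata",
+ "dependencySurface.title": "mustflow dependency surface",
+ "dependencySurface.label.surfaces": "Surfaces",
+ "dependencySurface.label.ecosystems": "Ecosystems",
+ "dependencySurface.label.surfaceDetails": "Surface details",
+ "dependencySurface.label.findings": "Findings",
+ "dependencySurface.label.issues": "Issues",
+ "dependencySurface.error.missingAction": "Specify a dependency-surface action: inspect",
+ "dependencySurface.error.unknownAction": "Unknown dependency-surface action: {action}",
  "scriptPack.script.mergeConflictScan.summary": "Scan repository files for unresolved Git merge conflict markers",
  "scriptPack.script.gitIgnoreAudit.summary": "Audit Git ignore rules and path visibility evidence",
  "scriptPack.script.manifestLockDrift.summary": "Check manifest-lock file hashes against current repository files",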
@@ -169,6 +169,9 @@ export const COMMAND_DEFINITIONS = [
169
169
  'repo-manifest-lock-drift-report',
170
170
  'skill-route-audit-report',
171
171
  'repo-version-source-report',
172
+ 'repo-toolchain-provenance-report',
173
+ 'repo-automation-surface-report',
174
+ 'repo-dependency-surface-report',
172
175
  'repo-approval-gate-report',
173
176
  'repo-deploy-surface-report',
174
177
  'config-chain-report',
@@ -436,6 +436,90 @@ export const SCRIPT_PACKS = [
436
436
  reportSchemaFile: 'config-chain-report.schema.json',
437
437
  loadRunner: async () => (await import('../script-packs/repo-config-chain.js')).runRepoConfigChainScript,
438
438
  },
439
+ {
440
+ packId: 'repo',
441
+ id: 'toolchain-provenance',
442
+ ref: scriptRef('repo', 'toolchain-provenance'),
443
+ usage: 'mf script-pack run repo/toolchain-provenance inspect [options]',
444
+ summaryKey: 'scriptPack.script.toolchainProvenance.summary',
445
+ actions: ['inspect'],
446
+ useWhen: [
447
+ 'Inspect repository runtime, package-manager, lockfile, Docker, and CI version contract sources before debugging local environment drift.',
448
+ 'Review toolchain provenance when package metadata, CI, Docker, setup, bootstrap, or doctor automation changes.',
449
+ ],
450
+ phases: ['before_change', 'after_change', 'review'],
451
+ readOnly: true,
452
+ mutates: false,
453
+ network: false,
454
+ inputs: [],
455
+ outputs: ['human_summary', 'json_report', 'toolchain_sources', 'lockfiles', 'toolchain_findings'],
456
+ relatedSkills: [
457
+ 'command-intent-mapping-gate',
458
+ 'config-env-change',
459
+ 'dependency-reality-check',
460
+ 'version-freshness-check',
461
+ ],
462
+ riskLevel: 'low',
463
+ cost: 'low',
464
+ reportSchemaFile: 'repo-toolchain-provenance-report.schema.json',
465
+ loadRunner: async () => (await import('../script-packs/repo-toolchain-provenance.js')).runRepoToolchainProvenanceScript,
466
+ },
467
+ {
468
+ packId: 'repo',
469
+ id: 'automation-surface',
470
+ ref: scriptRef('repo', 'automation-surface'),
471
+ usage: 'mf script-pack run repo/automation-surface inspect [options]',
472
+ summaryKey: 'scriptPack.script.automationSurface.summary',
473
+ actions: ['inspect'],
474
+ useWhen: [
475
+ 'Inventory package scripts, task runners, CI workflows, and mustflow command intents before mapping external automation advice to safe actions.',
476
+ 'Review raw automation surfaces, long-running commands, release/deploy scripts, and missing command-contract coverage.',
477
+ ],
478
+ phases: ['before_change', 'after_change', 'review'],
479
+ readOnly: true,
480
+ mutates: false,
481
+ network: false,
482
+ inputs: [],
483
+ outputs: ['human_summary', 'json_report', 'automation_surfaces', 'automation_findings'],
484
+ relatedSkills: [
485
+ 'command-intent-mapping-gate',
486
+ 'completion-evidence-gate',
487
+ 'proactive-risk-surfacing',
488
+ 'release-publish-change',
489
+ ],
490
+ riskLevel: 'medium',
491
+ cost: 'low',
492
+ reportSchemaFile: 'repo-automation-surface-report.schema.json',
493
+ loadRunner: async () => (await import('../script-packs/repo-automation-surface.js')).runRepoAutomationSurfaceScript,
494
+ },
495
+ {
496
+ packId: 'repo',
497
+ id: 'dependency-surface',
498
+ ref: scriptRef('repo', 'dependency-surface'),
499
+ usage: 'mf script-pack run repo/dependency-surface inspect [options]',
500
+ summaryKey: 'scriptPack.script.dependencySurface.summary',
501
+ actions: ['inspect'],
502
+ useWhen: [
503
+ 'Inspect dependency manifests, lockfiles, update-bot config, audit, license, and SBOM surfaces before dependency automation work.',
504
+ 'Review package-manager lockfile conflicts, missing update automation, and missing dependency policy evidence.',
505
+ ],
506
+ phases: ['before_change', 'after_change', 'review'],
507
+ readOnly: true,
508
+ mutates: false,
509
+ network: false,
510
+ inputs: [],
511
+ outputs: ['human_summary', 'json_report', 'dependency_surfaces', 'dependency_findings'],
512
+ relatedSkills: [
513
+ 'dependency-reality-check',
514
+ 'dependency-upgrade-review',
515
+ 'provenance-license-gate',
516
+ 'public-json-contract-change',
517
+ ],
518
+ riskLevel: 'medium',
519
+ cost: 'low',
520
+ reportSchemaFile: 'repo-dependency-surface-report.schema.json',
521
+ loadRunner: async () => (await import('../script-packs/repo-dependency-surface.js')).runRepoDependencySurfaceScript,
522
+ },
439
523
  {
440
524
  packId: 'repo',
441
525
  id: 'env-contract',
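Review bot: The three new entries declare `readOnly: true`, `mutates: false` and `network: false`, but nothing in this hunk ties those flags to what the lazily imported runners actually do. A caller that uses them to decide whether a script may run unattended is trusting a hand-written label. I would add a comment above the first new entry, `// readOnly/mutates/network are declarations, not enforced here; keep them in sync with the runner and its core inspector`. If the registry has tests (not visible here), a check that these runner modules import no network or file-writing APIs would back the claim. The `SCRIPT_PACKS` array starts and ends outside the hunk, so an existing convention for this may already be documented there.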
@@ -0,0 +1,88 @@
1
+ import { printUsageError, renderHelp } from '../lib/cli-output.js';
2
+ import { t } from '../lib/i18n.js';
3
+ import { formatCliOptionParseError, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../lib/option-parser.js';
4
+ import { resolveMustflowRoot } from '../lib/project-root.js';
5
+ import { inspectRepoAutomationSurface, REPO_AUTOMATION_SURFACE_SCRIPT_REF, } from '../../core/repo-automation-surface.js';
6
+ const REPO_AUTOMATION_SURFACE_OPTIONS = [{ name: '--json', kind: 'boolean' }];
7
+ export function getRepoAutomationSurfaceHelp(lang = 'en') {
8
+ return renderHelp({
9
+ usage: 'mf script-pack run repo/automation-surface inspect [options]',
10
+ summary: t(lang, 'automationSurface.help.summary'),
11
+ options: [
12
+ { label: '--json', description: t(lang, 'cli.option.json') },
13
+ { label: '-h, --help', description: t(lang, 'cli.option.help') },
14
+ ],
15
+ examples: [
16
+ 'mf script-pack run repo/automation-surface inspect',
17
+ 'mf script-pack run repo/automation-surface inspect --json',
18
+ ],
19
+ exitCodes: [
20
+ { label: '0', description: t(lang, 'automationSurface.help.exit.ok') },
21
+ { label: '1', description: t(lang, 'automationSurface.help.exit.fail') },
22
+ ],
23
+ }, lang);
24
+ }
25
+ function parseRepoAutomationSurfaceOptions(args, lang) {
26
+ const [action, ...rest] = args;
27
+ const parsed = parseCliOptions(rest, REPO_AUTOMATION_SURFACE_OPTIONS, { allowPositionals: false });
28
+ const json = hasParsedCliOption(parsed, '--json');
29
+ if (action !== 'inspect') {
30
+ return {
31
+ action: 'inspect',
32
+ json,
33
+ error: action
34
+ ? t(lang, 'automationSurface.error.unknownAction', { action })
35
+ : t(lang, 'automationSurface.error.missingAction'),
36
+ };
37
+ }
38
+ if (parsed.error) {
39
+ return { action, json, error: formatCliOptionParseError(parsed.error, lang) };
40
+ }
41
+ return { action, json };
42
+ }
43
+ function renderRepoAutomationSurfaceSummary(report, lang) {
44
+ const lines = [
45
+ t(lang, 'automationSurface.title'),
46
+ `${t(lang, 'scriptPack.label.script')}: ${REPO_AUTOMATION_SURFACE_SCRIPT_REF}`,
47
+ `${t(lang, 'label.status')}: ${report.status}`,
48
+ `${t(lang, 'automationSurface.label.surfaces')}: ${report.summary.surface_count}`,
49
+ `${t(lang, 'automationSurface.label.risky')}: ${report.summary.risky_surface_count}`,
50
+ `${t(lang, 'automationSurface.label.findings')}: ${report.findings.length}`,
51
+ ];
52
+ if (report.surfaces.length > 0) {
53
+ lines.push(t(lang, 'automationSurface.label.surfaceDetails'));
54
+ for (const surface of report.surfaces.slice(0, 30)) {
55
+ const location = surface.line === null ? surface.path : `${surface.path}:${surface.line}`;
56
+ const mapped = surface.mapped_intent === null ? 'unmapped' : `intent ${surface.mapped_intent}`;
57
+ lines.push(`- ${surface.name} (${surface.category}, ${surface.kind}, ${mapped}) at ${location}`);
58
+ }
59
+ }
60
+ if (report.findings.length > 0) {
61
+ lines.push(t(lang, 'automationSurface.label.findings'));
62
+ for (const finding of report.findings) {
63
+ lines.push(`- ${finding.path}: ${finding.code} (${finding.message})`);
64
+ }
65
+ }
66
+ if (report.issues.length > 0) {
67
+ lines.push(t(lang, 'automationSurface.label.issues'), ...report.issues.map((issue) => `- ${issue}`));
68
+ }
69
+ return lines.join('\n');
70
+ }
71
+ export function runRepoAutomationSurfaceScript(args, reporter, lang = 'en') {
72
+ if (hasCliOptionToken(args, '--help', ['-h'])) {
73
+ reporter.stdout(getRepoAutomationSurfaceHelp(lang));
74
+ return 0;
75
+ }
76
+ const options = parseRepoAutomationSurfaceOptions(args, lang);
77
+ if (options.error) {
78
+ printUsageError(reporter, options.error, 'mf script-pack run repo/automation-surface --help', getRepoAutomationSurfaceHelp(lang), lang);
79
+ return 1;
80
+ }
81
+ const report = inspectRepoAutomationSurface(resolveMustflowRoot());
82
+ if (options.json) {
83
+ reporter.stdout(JSON.stringify(report, null, 2));
84
+ return report.ok ? 0 : 1;
85
+ }
86
+ reporter.stdout(renderRepoAutomationSurfaceSummary(report, lang));
87
+ return report.ok ? 0 : 1;
88
+ }
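Review bot: `renderRepoAutomationSurfaceSummary` prints only `report.surfaces.slice(0, 30)` and gives no sign that entries were dropped, so a risky surface past the thirtieth shows up only in the header count or under `--json`. After the loop I would add `if (report.surfaces.length > 30) lines.push('- (' + (report.surfaces.length - 30) + ' more; rerun with --json)');`, ideally through `t()` like the other labels. Separately, `surface.name`, `surface.path` and `finding.message` are interpolated into terminal output as-is. If the core inspector takes them from repository files (that module is not visible here), control characters should be stripped before printing, since the JSON path escapes them and the human summary does not. The same interpolation appears in `renderRepoDependencySurfaceSummary` in the next file.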
@@ -0,0 +1,87 @@
1
+ import { printUsageError, renderHelp } from '../lib/cli-output.js';
2
+ import { t } from '../lib/i18n.js';
3
+ import { formatCliOptionParseError, hasCliOptionToken, hasParsedCliOption, parseCliOptions, } from '../lib/option-parser.js';
4
+ import { resolveMustflowRoot } from '../lib/project-root.js';
5
+ import { inspectRepoDependencySurface, REPO_DEPENDENCY_SURFACE_SCRIPT_REF, } from '../../core/repo-dependency-surface.js';
6
+ const REPO_DEPENDENCY_SURFACE_OPTIONS = [{ name: '--json', kind: 'boolean' }];
7
+ export function getRepoDependencySurfaceHelp(lang = 'en') {
8
+ return renderHelp({
9
+ usage: 'mf script-pack run repo/dependency-surface inspect [options]',
10
+ summary: t(lang, 'dependencySurface.help.summary'),
11
+ options: [
12
+ { label: '--json', description: t(lang, 'cli.option.json') },
13
+ { label: '-h, --help', description: t(lang, 'cli.option.help') },
14
+ ],
15
+ examples: [
16
+ 'mf script-pack run repo/dependency-surface inspect',
17
+ 'mf script-pack run repo/dependency-surface inspect --json',
18
+ ],
19
+ exitCodes: [
20
+ { label: '0', description: t(lang, 'dependencySurface.help.exit.ok') },
21
+ { label: '1', description: t(lang, 'dependencySurface.help.exit.fail') },
22
+ ],
23
+ }, lang);
24
+ }
25
+ function parseRepoDependencySurfaceOptions(args, lang) {
26
+ const [action, ...rest] = args;
27
+ const parsed = parseCliOptions(rest, REPO_DEPENDENCY_SURFACE_OPTIONS, { allowPositionals: false });
28
+ const json = hasParsedCliOption(parsed, '--json');
29
+ if (action !== 'inspect') {
30
+ return {
31
+ action: 'inspect',
32
+ json,
33
+ error: action
34
+ ? t(lang, 'dependencySurface.error.unknownAction', { action })
35
+ : t(lang, 'dependencySurface.error.missingAction'),
36
+ };
37
+ }
38
+ if (parsed.error) {
39
+ return { action, json, error: formatCliOptionParseError(parsed.error, lang) };
40
+ }
41
+ return { action, json };
42
+ }
43
+ function renderRepoDependencySurfaceSummary(report, lang) {
44
+ const lines = [
45
+ t(lang, 'dependencySurface.title'),
46
+ `${t(lang, 'scriptPack.label.script')}: ${REPO_DEPENDENCY_SURFACE_SCRIPT_REF}`,
47
+ `${t(lang, 'label.status')}: ${report.status}`,
48
+ `${t(lang, 'dependencySurface.label.surfaces')}: ${report.summary.surface_count}`,
49
+ `${t(lang, 'dependencySurface.label.ecosystems')}: ${report.summary.ecosystem_count}`,
50
+ `${t(lang, 'dependencySurface.label.findings')}: ${report.summary.finding_count}`,
51
+ ];
52
+ if (report.surfaces.length > 0) {
53
+ lines.push(t(lang, 'dependencySurface.label.surfaceDetails'));
54
+ for (const surface of report.surfaces) {
55
+ const location = surface.line === null ? surface.path : `${surface.path}:${surface.line}`;
56
+ lines.push(`- ${surface.ecosystem} ${surface.kind} ${surface.name} at ${location}`);
57
+ }
58
+ }
59
+ if (report.findings.length > 0) {
60
+ lines.push(t(lang, 'dependencySurface.label.findings'));
61
+ for (const finding of report.findings) {
62
+ lines.push(`- ${finding.path}: ${finding.code} (${finding.message})`);
63
+ }
64
+ }
65
+ if (report.issues.length > 0) {
66
+ lines.push(t(lang, 'dependencySurface.label.issues'), ...report.issues.map((issue) => `- ${issue}`));
67
+ }
68
+ return lines.join('\n');
69
+ }
70
+ export function runRepoDependencySurfaceScript(args, reporter, lang = 'en') {
71
+ if (hasCliOptionToken(args, '--help', ['-h'])) {
72
+ reporter.stdout(getRepoDependencySurfaceHelp(lang));
73
+ return 0;
74
+ }
75
+ const options = parseRepoDependencySurfaceOptions(args, lang);
76
+ if (options.error) {
77
+ printUsageError(reporter, options.error, 'mf script-pack run repo/dependency-surface --help', getRepoDependencySurfaceHelp(lang), lang);
78
+ return 1;
79
+ }
80
+ const report = inspectRepoDependencySurface(resolveMustflowRoot());
81
+ if (options.json) {
82
+ reporter.stdout(JSON.stringify(report, null, 2));
83
+ return report.ok ? 0 : 1;
84
+ }
85
+ reporter.stdout(renderRepoDependencySurfaceSummary(report, lang));
86
+ return report.ok ? 0 : 1;
87
+ }
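Review bot: In `renderRepoDependencySurfaceSummary` the header line reads `report.summary.finding_count` while the list below it iterates `report.findings`, so the printed count and the printed findings can disagree if the two ever drift. The sibling automation-surface renderer uses `report.findings.length`, and I would do the same here: `${t(lang, 'dependencySurface.label.findings')}: ${report.findings.length}`. In `runRepoDependencySurfaceScript` a usage error returns `1`, the same code the help text documents for "dependency policy drift or unreadable metadata", so a CI caller cannot tell a bad invocation from a real finding. If the CLI's exit-code convention allows it (not visible here), a distinct code for usage errors would help, and the same applies to `runRepoAutomationSurfaceScript`.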