mustflow 2.108.8 → 2.112.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,284 @@
1
+ ---
2
+ mustflow_doc: skill.duckdb-code-change
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: duckdb-code-change
9
+ description: Apply this skill when DuckDB-specific embedded OLAP database use, `.duckdb` file ownership, concurrency, language bindings, Appender usage, CSV/Parquet/JSON ingestion, query determinism, timestamp behavior, memory and temp spill settings, profiling, indexes, CTEs, macros, or DuckDB runtime behavior is created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.duckdb-code-change
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - test_related
19
+ - test
20
+ - lint
21
+ - build
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # DuckDB Code Change
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Keep DuckDB changes honest about embedded OLAP constraints, process ownership, file-format
33
+ ingestion, memory and spill behavior, deterministic SQL results, and profiling evidence.
34
+
35
+ DuckDB is embedded OLAP, not SQLite-like OLTP app storage. It is excellent for local analytics,
36
+ columnar scans, file-backed data exploration, batch transforms, and analytical features inside an
37
+ application process. It is a bad fit when code treats one native `.duckdb` file as a multi-process
38
+ write server, hides connection ownership behind a generic pool, or assumes fast vectorized scans
39
+ remove the need for deterministic SQL, import contracts, memory budgets, and measured plans.
40
+
41
+ <!-- mustflow-section: use-when -->
42
+ ## Use When
43
+
44
+ - DuckDB schema, SQL, generated SQL, query builders, migrations, embedded database files, analytics
45
+ jobs, local ETL, exports, imports, fixtures, tests, or docs are introduced, changed, reviewed, or
46
+ reported.
47
+ - Code uses DuckDB through Python, Node.js, Go, Rust, WASM, CLI-adjacent tooling, an ORM, a query
48
+ builder, a data-frame bridge, Appender APIs, or direct reads from CSV, Parquet, JSON, Hive-style
49
+ partitions, remote object storage, or another DuckDB file.
50
+ - A task mentions `.duckdb`, `duckdb.sql()`, `:default:`, `cursor()`, `DuckDBInstance`, Appender,
51
+ `memory_limit`, `temp_directory`, `duckdb_memory()`, `duckdb_temporary_files()`,
52
+ `preserve_insertion_order`, `union_by_name`, `store_rejects`, `filename`, `EXPLAIN ANALYZE`,
53
+ `profiling_coverage`, `AS MATERIALIZED`, `AS NOT MATERIALIZED`, `QUALIFY`, macros, ART indexes,
54
+ `TIMESTAMPTZ`, order-sensitive aggregates, or Parquet row group behavior.
55
+ - Documentation or final reports claim a DuckDB path is safe for concurrent app writes,
56
+ production-ready, deterministic, cheap, memory-bounded, spill-safe, schema-drift-safe,
57
+ file-format-safe, version-compatible, or query-plan-backed.
58
+
59
+ <!-- mustflow-section: do-not-use-when -->
60
+ ## Do Not Use When
61
+
62
+ - The task is database-backed but not DuckDB-specific; use `database-change-safety`.
63
+ - The task only changes generic database migrations without DuckDB-specific embedded-file,
64
+ process-concurrency, import/export, or analytical-query behavior; use `database-migration-change`
65
+ first.
66
+ - The task is primarily SQLite, PostgreSQL, ClickHouse, search, vector, cache, queue, or data
67
+ warehouse vendor work; use the matching engine or integration skill first.
68
+ - The task only researches DuckDB package, extension, or binding versions; use
69
+ `dependency-reality-check`, `dependency-upgrade-review`, or `version-freshness-check`.
70
+
71
+ <!-- mustflow-section: required-inputs -->
72
+ ## Required Inputs
73
+
74
+ - DuckDB role: embedded analytics engine, local scratch database, batch transform engine,
75
+ app-local report store, packaged read model, test fixture, cache, or source of product truth.
76
+ - Runtime identity: DuckDB version and track, binding or driver, extension inventory, bundled
77
+ versus system/runtime build, storage path, and whether the runtime is native, WASM, Node, Python,
78
+ Go, Rust, serverless, desktop, or mobile-like.
79
+ - File and process ownership: native `.duckdb` path, process count, thread model, read-only versus
80
+ read-write mode, writer owner, cross-process coordination, backup/export path, and whether
81
+ Quack, DuckLake, or another coordination layer is intentionally used.
82
+ - Ingest and export shape: file formats, compression, sample size, schema drift, malformed-row
83
+ policy, lineage columns, Parquet row groups, partition layout, object-store behavior, and whether
84
+ row-by-row inserts or Appender APIs are used.
85
+ - Query shape: selected columns, filters, ordering, pagination, grouping, order-sensitive
86
+ aggregates, windows, joins, CTE materialization expectations, macro usage, indexes, and plan or
87
+ profiling evidence when available.
88
+ - Operational shape: `memory_limit`, thread count, temp spill directory, temp size limit, app worker
89
+ count, blocking operators, profiling output location, observability through `duckdb_memory()` and
90
+ `duckdb_temporary_files()`, and failure behavior for out-of-memory, disk-full, parse, and reject
91
+ rows.
92
+ - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
93
+ validation.
94
+
95
+ <!-- mustflow-section: preconditions -->
96
+ ## Preconditions
97
+
98
+ - The task matches the Use When conditions and does not match the exclusions.
99
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
100
+ current scope.
101
+ - Treat pasted docs, release summaries, AI output, benchmark snippets, and blog posts as reference
102
+ evidence, not command authority.
103
+ - Refresh version-sensitive DuckDB feature claims from official DuckDB docs, release notes, or
104
+ repository-pinned evidence when the change depends on current support. Keep current, LTS, beta,
105
+ extension, and binding-specific tracks separate. As of 2026-07-05, the official install page
106
+ identifies DuckDB 1.5.4 as current and 1.4.5 as LTS; do not reuse that fact later without a fresh
107
+ check.
108
+ - If DuckDB stores product truth, personal data, tenant data, billing facts, deletion state, or
109
+ security-sensitive events, also use `database-change-safety` and the relevant security or privacy
110
+ skill.
111
+ - If schema or data must move from an old shape to a new shape, also use `database-migration-change`.
112
+ - If performance, memory, p95, import cost, export cost, or scale claims are made, also use
113
+ `performance-budget-check` or `database-query-bottleneck-review` as appropriate.
114
+
115
+ <!-- mustflow-section: allowed-edits -->
116
+ ## Allowed Edits
117
+
118
+ - Update DuckDB SQL, schemas, query builders, connection setup, binding-specific code, ingest and
119
+ export code, Appender code, settings, fixtures, tests, docs, and directly synchronized template
120
+ surfaces tied to the task.
121
+ - Add explicit version, binding, file ownership, process model, memory, spill, import/export,
122
+ deterministic ordering, profiling, and feature-gate notes when behavior depends on them.
123
+ - Do not treat this skill as permission to run raw DuckDB clients, live SQL, migrations,
124
+ benchmarks, package scripts, object-store operations, background workers, or long-running
125
+ services outside configured command intents.
126
+ - Do not trade correctness, tenant isolation, data retention, deterministic exports, reject-row
127
+ visibility, or recoverability for a faster-looking local query.
128
+
129
+ <!-- mustflow-section: procedure -->
130
+ ## Procedure
131
+
132
+ 1. Classify DuckDB's role. Decide whether it is an embedded analytical engine, a scratch database, a
133
+ derived read model, a local cache, a packaged seed, or authoritative product storage. If clearing
134
+ the file loses product meaning, require a backup, migration, and recovery model.
135
+ 2. Identify runtime and version constraints. Check DuckDB version, current versus LTS track,
136
+ extension availability, binding feature coverage, and official docs before relying on
137
+ version-gated behavior such as `VARIANT`, core `GEOMETRY`, `read_duckdb()`,
138
+ `geometry_always_xy`, Quack beta behavior, lakehouse changes, `date_trunc(DATE)` return type
139
+ changes, or lambda syntax deprecations.
140
+ 3. Check file and process ownership. A native `.duckdb` file should have a single read-write process.
141
+ Multi-process writes to the same native database file need an explicit coordination layer such as
142
+ Quack or DuckLake-style ownership. Read-only multi-process access is acceptable only when no
143
+ writer is active and the mode is explicit.
144
+ 4. Separate thread concurrency from process concurrency. Within one process, review per-thread
145
+ connection or cursor rules, transaction width, optimistic concurrency conflict handling, and retry
146
+ behavior. Do not describe DuckDB as a multi-writer server because it handles parallel analytical
147
+ operators.
148
+ 5. Review language binding ownership. In Python, avoid assuming `duckdb.sql()` or the `:default:`
149
+ global connection is thread-safe. Treat Python `cursor()` as another handle, not connection-pool
150
+ parallelism. In Node.js Neo, avoid multiple `DuckDBInstance` objects for the same database file
151
+ unless the binding docs and ownership model say it is safe. In Go, remember `database/sql` can
152
+ hide real DuckDB connection boundaries and Appender ownership. In Rust, respect that Appender is
153
+ `Sync` but not `Send`; do not move it across threads incorrectly.
154
+ 6. Review write path shape. Prefer bulk loading and Appender APIs for large inserts. Row-by-row
155
+ prepared statements are not the bulk ingestion path. Appender buffers data, so flush, close, and
156
+ transaction boundaries must be explicit before code reports inserted rows as durable or visible.
157
+ 7. Review memory as process reality, not only DuckDB settings. `memory_limit` is not a full process
158
+ RSS cap because the host language, Arrow, file readers, native allocations, and extensions also
159
+ consume memory. Combine `memory_limit`, `threads`, app worker count, batch size, and blocking
160
+ operators into one budget.
161
+ 8. Review temp spill behavior. Configure or document `temp_directory` and
162
+ `max_temp_directory_size` when large sorts, joins, windows, aggregations, imports, or CTAS paths
163
+ can spill. Use `duckdb_memory()` and `duckdb_temporary_files()` when safe evidence exists. Treat
164
+ disk-full and temp cleanup failures as real operational cases.
165
+ 9. Review thread settings. DuckDB `threads` times app-level concurrency can multiply CPU and memory
166
+ pressure. Do not set it to maximum in every worker without an instance-level budget.
167
+ 10. Review insertion order costs. For large import/export paths, consider whether
168
+ `preserve_insertion_order=false` is acceptable and memory-saving. Never disable preserved order
169
+ when code depends on implicit row order; instead add explicit `ORDER BY`.
170
+ 11. Review CSV auto-detect. CSV auto-detect can sample too little, especially with gzip or files
171
+ where only the front is sampled. Header ambiguity, date and timestamp formats, decimal and null
172
+ values, mixed types, and late bad rows need explicit `columns`, `types`, `dateformat`,
173
+ `timestampformat`, `sample_size=-1`, `all_varchar`, or staged `try_cast` decisions.
174
+ 12. Review malformed-row policy. `ignore_errors=true` can hide data loss. Prefer reject-row
175
+ visibility such as `store_rejects` when the pipeline must reconcile bad rows, and report how
176
+ rejected rows are counted, stored, and alerted.
177
+ 13. Review multi-file schema drift. Use `union_by_name=true` only when schema drift is expected and
178
+ memory cost is acceptable. Preserve `filename` lineage when files may need replay, quarantine,
179
+ provenance, or tenant/source debugging.
180
+ 14. Review Parquet paths. Avoid `SELECT *` on wide Parquet inputs. Preserve projection and filter
181
+ pushdown, check Parquet row group size and sort locality for predicate skipping and parallelism,
182
+ and handle legacy file quirks such as `binary_as_string` or `can_have_nan` only when the source
183
+ format requires them.
184
+ 15. Review partitioned files. Hive partitioning turns paths into data. Validate path-derived values,
185
+ type conversions, and tenant/source trust. Treat `PARTITION_BY` with high-cardinality values as
186
+ a file-explosion risk during export.
187
+ 16. Review JSON ingestion. Use `columns` to project needed keys when possible, set
188
+ `maximum_object_size` for large objects, choose the intended JSON format, and do not rely on JSON
189
+ equality semantics without testing the exact behavior that matters.
190
+ 17. Require deterministic output. Add `ORDER BY` for tests, exports, pagination, snapshots, and any
191
+ user-visible ordering. Parallel scans and vectorized execution make accidental row order a bug,
192
+ not a contract.
193
+ 18. Review order-sensitive aggregates. `first`, `last`, `list`, `string_agg`, `arg_max`, and related
194
+ aggregates need ordering and tie-breakers when the result matters. Do not let "whatever came
195
+ first" become business logic.
196
+ 19. Review aggregate null and empty-set behavior. DuckDB aggregates can return `NULL` where product
197
+ code expects zero or an empty list; for example `sum` over no rows is `NULL`, and `list` over no
198
+ rows is `NULL`. Encode the fallback deliberately.
199
+ 20. Review timestamps. `TIMESTAMPTZ` stores instants, not timezone names. DATE versus TIMESTAMPTZ
200
+ comparisons can depend on the current timezone. Precision downgrade, local schedule values, and
201
+ display timezone need explicit contracts.
202
+ 21. Review query-plan evidence. Use `EXPLAIN` for planner shape and `EXPLAIN ANALYZE` for actual
203
+ execution evidence when available. Keep JSON, HTML, or Mermaid plan formats as tooling outputs,
204
+ not public contracts.
205
+ 22. Review profiling output. Profiling files can be overwritten unless the path is unique.
206
+ Profiling coverage often defaults to `SELECT`; use the intended `profiling_coverage` such as
207
+ `ALL` when load, export, CTAS, or DML work is what needs evidence. Remember parallel operator
208
+ time can sum above wall-clock time.
209
+ 23. Review joins and indexes. Detect join cardinality explosion before adding settings. Sorting data
210
+ to improve zone maps may beat an index. ART index choices have scope and memory costs; do not
211
+ add them as generic performance theater.
212
+ 24. Review CTE behavior. Use `AS MATERIALIZED` or `AS NOT MATERIALIZED` deliberately when reuse,
213
+ pushdown, memory, or nondeterminism matters. Do not assume the planner made the same choice the
214
+ code relies on.
215
+ 25. Review window functions. Windows are blocking and memory-heavy. Use `QUALIFY`, named `WINDOW`
216
+ clauses, explicit frames, explicit ordering, `IGNORE NULLS`, `fill`, and `EXCLUDE` only when the
217
+ semantics are intended and tested.
218
+ 26. Review macros. DuckDB macros are SQL templates, not arbitrary safe string substitution. Use
219
+ `query_table` and `cast_to_type` patterns where appropriate, and keep identifier/table inputs
220
+ allowlisted or generated from trusted metadata.
221
+ 27. Select verification from the command contract. Use configured test, build, docs, release, and
222
+ mustflow intents only; report missing DuckDB-specific verification instead of inventing raw
223
+ database commands.
224
+
225
+ <!-- mustflow-section: postconditions -->
226
+ ## Postconditions
227
+
228
+ - DuckDB role, version or track, binding, extension, file path, and feature gates are explicit.
229
+ - Native file ownership, process count, thread model, writer policy, and retry behavior are proven
230
+ or reported as risk.
231
+ - Appender, bulk load, transaction, flush, close, import, export, reject-row, and lineage behavior
232
+ match the pipeline contract.
233
+ - Memory, temp spill, thread count, profiling, and plan evidence are tied to representative evidence
234
+ or marked unverified.
235
+ - CSV, Parquet, JSON, Hive partitioning, timestamp, aggregate, ordering, CTE, window, macro, join,
236
+ and index decisions are fixed or named as risks.
237
+ - Verification uses configured command intents only.
238
+
239
+ <!-- mustflow-section: verification -->
240
+ ## Verification
241
+
242
+ Use configured oneshot command intents when available:
243
+
244
+ - `changes_status`
245
+ - `changes_diff_summary`
246
+ - `test_related`
247
+ - `test`
248
+ - `lint`
249
+ - `build`
250
+ - `docs_validate_fast`
251
+ - `test_release`
252
+ - `mustflow_check`
253
+
254
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that exercises the
255
+ changed DuckDB path. Do not infer raw DuckDB clients, live SQL, migration tools, profiling commands,
256
+ benchmarks, package-manager commands, or object-store operations.
257
+
258
+ <!-- mustflow-section: failure-handling -->
259
+ ## Failure Handling
260
+
261
+ - If DuckDB version, binding, extension, file mode, or feature gates cannot be identified, do not
262
+ claim support for version-sensitive DuckDB behavior.
263
+ - If process ownership, writer identity, retry rules, transaction boundaries, Appender flush, or
264
+ close behavior are unknown, mark concurrency and visibility as static risk.
265
+ - If import sampling, reject handling, schema drift, or lineage behavior is unknown, avoid claiming
266
+ the load path is lossless or replayable.
267
+ - If memory, temp spill, plan, or profiling evidence is unavailable, avoid claiming a query, index,
268
+ file layout, or setting is faster or safe under load.
269
+ - If configured verification is missing, report the missing command intent instead of running raw
270
+ database, profiling, migration, package, or provider commands.
271
+
272
+ <!-- mustflow-section: output-format -->
273
+ ## Output Format
274
+
275
+ - DuckDB role, version or track, binding, extension, file ownership, and process model inspected
276
+ - Concurrency, transaction, Appender, bulk load, and retry classification
277
+ - CSV, Parquet, JSON, partitioning, reject-row, lineage, and import/export decisions
278
+ - Ordering, aggregate, timestamp, window, CTE, macro, join, index, and query-plan findings
279
+ - Memory, temp spill, profiling, and evidence level: static diff risk, configured-test evidence,
280
+ DuckDB plan evidence, profiling evidence, measured production evidence, manual-only, missing, or
281
+ not applicable
282
+ - Command intents run
283
+ - Skipped DuckDB checks and reasons
284
+ - Remaining DuckDB risk
@@ -2,7 +2,7 @@
2
2
  mustflow_doc: skill.failure-triage
3
3
  locale: en
4
4
  canonical: true
5
- revision: 5
5
+ revision: 6
6
6
  lifecycle: mustflow-owned
7
7
  authority: procedure
8
8
  name: failure-triage
@@ -28,6 +28,8 @@ Identify the most probable root cause of a failed command or verification step b
28
28
 
29
29
  - A configured command intent returns a non-zero exit code.
30
30
  - Validation, build, test, or documentation checks fail.
31
+ - A local release or publish path succeeded, but a remote CI job, check suite, or platform-specific
32
+ runner still shows a failure for the pushed branch, tag, or commit.
31
33
  - The root cause of the failure is not yet apparent.
32
34
  - A test or build failure may have been caused by an overlapping run, orphaned process, stale lock, or deleted build output.
33
35
  - Several failures appear together and the first root cause needs to be separated from follow-on noise.
@@ -45,6 +47,8 @@ Identify the most probable root cause of a failed command or verification step b
45
47
  - Original command intent
46
48
  - Exit code
47
49
  - Truncated stdout and stderr output
50
+ - Remote run context when applicable: branch, tag, commit SHA, job name, runner OS, matrix entry,
51
+ and whether the failure belongs to a push, pull request, tag, release, or scheduled run
48
52
  - Recently modified files
49
53
  - Relevant command contract entry
50
54
  - Active or recently active build/test/profile processes when the failure mentions missing compiled files, stale output, port/resource conflicts, or unexpected file deletion
@@ -74,17 +78,27 @@ Identify the most probable root cause of a failed command or verification step b
74
78
  - `documentation`: docs navigation, frontmatter, generated content, or localized metadata drifted.
75
79
  - `environment`: missing tool, platform difference, path, permission, lock, stale build output, or orphaned process.
76
80
  - `tool_runner`: the verification runner, scheduler, cache, or build wrapper failed independently from the code under test.
77
- 4. If several failures appear, triage in this order: environment and overlapping processes, build or generated output, configuration/schema drift, fixture setup, then behavior logic.
78
- 5. For failures involving `dist/`, generated output, temporary files, ports, databases, or abrupt test termination, check whether another build/test/profile process for the same repository is still running.
79
- 6. If an orphaned or overlapping process is found, stop or wait for it before changing source files, then rerun the narrowest failing intent to confirm the failure is reproducible.
80
- 7. Pick one rerun target:
81
+ 4. For remote CI failures, record the failing ref, commit, job name, runner OS, and matrix before
82
+ editing. Compare that runner to local verification instead of assuming local success covers the
83
+ remote job.
84
+ 5. Treat Windows-only, path-only, or runner-only failures as real until proven otherwise. If the
85
+ error mentions `inside the current root`, `.mustflow/cache/**`, `.mustflow/review/docs.toml`,
86
+ symlinks, junctions, realpaths, drive-letter casing, path separators, or root containment, inspect
87
+ path normalization and containment helpers first. Add or update a regression test that models the
88
+ platform/root-alias behavior instead of weakening containment checks.
89
+ 6. If several failures appear, triage in this order: environment and overlapping processes, build or generated output, configuration/schema drift, fixture setup, then behavior logic.
90
+ 7. For failures involving `dist/`, generated output, temporary files, ports, databases, or abrupt test termination, check whether another build/test/profile process for the same repository is still running.
91
+ 8. If an orphaned or overlapping process is found, stop or wait for it before changing source files, then rerun the narrowest failing intent to confirm the failure is reproducible.
92
+ 9. Pick one rerun target:
81
93
  - the original failing intent when it is narrow enough;
82
94
  - `test_related` when changed files map to a focused suite;
83
95
  - `docs_validate_fast` for docs navigation or content-only failures;
84
96
  - `test_release` for package, template, schema, or release metadata drift;
85
97
  - `mustflow_check` for workflow, skill, command-contract, or manifest-lock failures.
86
- 8. Examine the most relevant files.
87
- 9. Develop a single hypothesis and verify it using the most targeted configured intent.
98
+ 10. Examine the most relevant files.
99
+ 11. Develop a single hypothesis and verify it using the most targeted configured intent. When the
100
+ failure came from remote CI, also confirm the replacement run or check suite for the affected
101
+ ref before reporting that the remote failure is fixed.
88
102
 
89
103
  <!-- mustflow-section: postconditions -->
90
104
  ## Postconditions
@@ -105,6 +119,9 @@ intent that isolates the same failure area.
105
119
  - If the failure is due to missing tools, report the missing tool and the command that revealed the issue.
106
120
  - If the failure was caused by an orphaned or overlapping process, report that the original run was invalid and add or use a guard that prevents the same overlap before taking new measurements.
107
121
  - If rerunning the same intent produces a different failure without code changes, classify the issue as flaky or environmental and avoid weakening assertions until the unstable dependency is identified.
122
+ - If publication, release creation, or artifact upload succeeded while another check on the same
123
+ pushed commit failed, report those as separate states and triage the failed check before using
124
+ all-clear language.
108
125
  - If sensitive data appears in the output, cease copying raw output and summarize the information safely.
109
126
 
110
127
  <!-- mustflow-section: output-format -->