mustflow 2.22.16 → 2.22.46

package/dist/core/safe-filesystem.js

@@ -1,7 +1,11 @@
-import { closeSync, constants, fstatSync, lstatSync, mkdirSync, openSync, readFileSync, renameSync, unlinkSync, writeFileSync, } from 'node:fs';
+import { closeSync, constants, fstatSync, lstatSync, mkdirSync, openSync, readFileSync, readSync, renameSync, unlinkSync, writeFileSync, } from 'node:fs';
 import { randomBytes } from 'node:crypto';
 import path from 'node:path';
 const NOFOLLOW_FLAG = typeof constants.O_NOFOLLOW === 'number' ? constants.O_NOFOLLOW : 0;
+const WINDOWS_RENAME_RETRY_DELAYS_MS = [10, 25, 50, 100, 200];
+const WINDOWS_RENAME_RETRY_CODES = new Set(['EBUSY', 'ENOTEMPTY', 'EPERM']);
+const WRITE_SLEEP_BUFFER = new Int32Array(new SharedArrayBuffer(4));
+const READ_CHUNK_BYTES = 64 * 1024;
 function isMissingPathError(error) {
     return error instanceof Error && 'code' in error && error.code === 'ENOENT';
 }
@@ -9,6 +13,30 @@ function tempFilePath(targetPath) {
     const suffix = `${process.pid}-${Date.now()}-${randomBytes(6).toString('hex')}`;
     return path.join(path.dirname(targetPath), `.${path.basename(targetPath)}.${suffix}.tmp`);
 }
+function sleep(milliseconds) {
+    Atomics.wait(WRITE_SLEEP_BUFFER, 0, 0, milliseconds);
+}
+function isRetryableWindowsRenameError(error) {
+    if (process.platform !== 'win32' || !error || typeof error !== 'object' || !('code' in error)) {
+        return false;
+    }
+    return WINDOWS_RENAME_RETRY_CODES.has(String(error.code));
+}
+function renameWithWindowsRetry(sourcePath, targetPath) {
+    for (let attempt = 0;; attempt += 1) {
+        try {
+            renameSync(sourcePath, targetPath);
+            return;
+        }
+        catch (error) {
+            const delay = WINDOWS_RENAME_RETRY_DELAYS_MS[attempt];
+            if (delay === undefined || !isRetryableWindowsRenameError(error)) {
+                throw error;
+            }
+            sleep(delay);
+        }
+    }
+}
 export function ensureInside(parentPath, childPath) {
     const parent = path.resolve(parentPath);
     const child = path.resolve(childPath);
@@ -42,13 +70,29 @@ export function ensureInsideWithoutSymlinks(parentPath, childPath, options = {})
             }
         }
         catch (error) {
-            if (isMissingPathError(error) && options.allowMissingLeaf) {
+            if (isMissingPathError(error) && (options.allowMissingDescendant || (isLeaf && options.allowMissingLeaf))) {
                 return;
             }
             throw error;
         }
     }
 }
+function readBoundedFileDescriptor(fileDescriptor, childPath, maxBytes) {
+    const chunks = [];
+    let totalBytes = 0;
+    while (true) {
+        const chunk = Buffer.allocUnsafe(Math.min(READ_CHUNK_BYTES, maxBytes + 1 - totalBytes));
+        const bytesRead = readSync(fileDescriptor, chunk, 0, chunk.byteLength, null);
+        if (bytesRead === 0) {
+            return Buffer.concat(chunks, totalBytes);
+        }
+        totalBytes += bytesRead;
+        if (totalBytes > maxBytes) {
+            throw new Error(`File exceeds maximum size ${maxBytes} bytes: ${childPath}`);
+        }
+        chunks.push(bytesRead === chunk.byteLength ? chunk : chunk.subarray(0, bytesRead));
+    }
+}
 function ensureDirectoryInsideWithoutSymlinks(parentPath, directoryPath) {
     ensureInside(parentPath, directoryPath);
     const parent = path.resolve(parentPath);
@@ -86,7 +130,7 @@ function ensureDirectoryInsideWithoutSymlinks(parentPath, directoryPath) {
 export function ensureFileTargetInsideWithoutSymlinks(parentPath, childPath, options = {}) {
     const absoluteChildPath = path.resolve(childPath);
     ensureInside(parentPath, absoluteChildPath);
-    ensureInsideWithoutSymlinks(parentPath, path.dirname(absoluteChildPath), { allowMissingLeaf: true });
+    ensureInsideWithoutSymlinks(parentPath, path.dirname(absoluteChildPath), { allowMissingDescendant: true });
     try {
         const stats = lstatSync(absoluteChildPath);
         if (stats.isSymbolicLink()) {
@@ -108,6 +152,9 @@ export function readFileInsideWithoutSymlinks(parentPath, childPath, options = {
     ensureInsideWithoutSymlinks(parentPath, absoluteChildPath);
     const fileDescriptor = openSync(absoluteChildPath, constants.O_RDONLY | NOFOLLOW_FLAG);
     try {
+        if (NOFOLLOW_FLAG === 0 && lstatSync(absoluteChildPath).isSymbolicLink()) {
+            throw new Error(`Path must not contain symlinks: ${childPath}`);
+        }
         const stats = fstatSync(fileDescriptor);
         if (!stats.isFile()) {
             throw new Error(`Path must be a regular file: ${childPath}`);
@@ -115,7 +162,9 @@ export function readFileInsideWithoutSymlinks(parentPath, childPath, options = {
         if (options.maxBytes !== undefined && stats.size > options.maxBytes) {
             throw new Error(`File exceeds maximum size ${options.maxBytes} bytes: ${childPath}`);
         }
-        return readFileSync(fileDescriptor);
+        return options.maxBytes === undefined
+            ? readFileSync(fileDescriptor)
+            : readBoundedFileDescriptor(fileDescriptor, childPath, options.maxBytes);
     }
     finally {
         closeSync(fileDescriptor);
@@ -137,7 +186,7 @@ export function writeFileInsideWithoutSymlinks(parentPath, childPath, content) {
         closeSync(fileDescriptor);
         fileDescriptor = null;
         ensureFileTargetInsideWithoutSymlinks(parentPath, absoluteChildPath, { allowMissingLeaf: true });
-        renameSync(temporaryPath, absoluteChildPath);
+        renameWithWindowsRetry(temporaryPath, absoluteChildPath);
     }
     catch (error) {
         if (fileDescriptor !== null) {

package/dist/core/skill-route-explanation.js

@@ -16,7 +16,8 @@ function readFrontmatterLines(content) {
     if (!content.startsWith('---')) {
         return [];
     }
-    const end = content.indexOf('\n---', 3);
+    const endMatch = /\n---(?:\r?\n|$)/u.exec(content.slice(3));
+    const end = endMatch ? 3 + endMatch.index : -1;
     if (end < 0) {
         return [];
     }

package/dist/core/source-anchors.js

@@ -21,6 +21,7 @@ export const SOURCE_ANCHOR_GENERATED_PATH_PARTS = new Set([
     'vendor',
 ]);
 export const SOURCE_ANCHOR_ALLOWED_FIELDS = new Set(['purpose', 'search', 'invariant', 'risk']);
+const MAX_SOURCE_ANCHOR_DIRECTORY_DEPTH = 200;
 export const SOURCE_ANCHOR_ALLOWED_RISKS = new Set([
     'authn',
     'authz',
@@ -79,10 +80,13 @@ function fileIsWithinSizeLimit(filePath, maxFileBytes) {
         return false;
     }
 }
-function listFilesRecursive(root, options, current = root) {
+function listFilesRecursive(root, options, current = root, depth = 0) {
     if (!existsSync(current)) {
         return [];
     }
+    if (depth > MAX_SOURCE_ANCHOR_DIRECTORY_DEPTH) {
+        return [];
+    }
     const currentRealPath = realpathSync(current);
     if (!pathIsInsideRoot(options.rootRealPath, currentRealPath) || options.visitedRealDirectories.has(currentRealPath)) {
         return [];
@@ -96,7 +100,7 @@ function listFilesRecursive(root, options, current = root) {
             continue;
         }
         if (entry.isDirectory()) {
-            files.push(...listFilesRecursive(root, options, entryPath));
+            files.push(...listFilesRecursive(root, options, entryPath, depth + 1));
             continue;
         }
         if (entry.isSymbolicLink()) {
@@ -121,7 +125,7 @@ function listFilesRecursive(root, options, current = root) {
                 continue;
             }
             if (stat.isDirectory()) {
-                files.push(...listFilesRecursive(root, options, entryPath));
+                files.push(...listFilesRecursive(root, options, entryPath, depth + 1));
                 continue;
             }
             if (stat.isFile()) {

package/dist/core/test-selection.js

@@ -1,6 +1,7 @@
 import { existsSync } from 'node:fs';
 import { isRecord, readMustflowOwnedTomlFile, readStringArray, resolveMustflowConfigPath, } from './config-loading.js';
 import { classifyVerificationCandidate, } from './verification-plan.js';
+import { normalizeSafeTestTargetPath } from './test-target-paths.js';
 export const TEST_SELECTION_CONFIG_RELATIVE_PATH = '.mustflow/config/test-selection.toml';
 const STALE_OR_MISSING_RULES_NOTE = 'Project-declared test selection rules did not cover the current changed files; review .mustflow/config/test-selection.toml for stale or missing rules.';
 function uniqueSorted(values) {
@@ -47,8 +48,18 @@ function readRule(value) {
     const surfaces = readStringArray(value.match, 'surfaces');
     const intent = readStringField(value.select, 'intent');
     const fallbackIntent = readStringField(value.select, 'fallback_intent');
-    const testTargets = readStringArray(value.select, 'test_targets') ?? [];
-    if (!id || !risk || !reason || !paths || paths.length === 0 || !surfaces || surfaces.length === 0 || !intent || !fallbackIntent) {
+    const rawTestTargets = readStringArray(value.select, 'test_targets') ?? [];
+    const testTargets = rawTestTargets.map((target) => normalizeSafeTestTargetPath(target));
+    if (!id ||
+        !risk ||
+        !reason ||
+        !paths ||
+        paths.length === 0 ||
+        !surfaces ||
+        surfaces.length === 0 ||
+        !intent ||
+        !fallbackIntent ||
+        !testTargets.every((target) => target !== null)) {
         return null;
     }
     return {

package/dist/core/test-target-paths.js

@@ -0,0 +1,17 @@
+import path from 'node:path';
+export const TEST_TARGET_PATH_ERROR = "entries must be non-empty relative paths that do not start with '-'";
+export function normalizeSafeTestTargetPath(value) {
+    if (typeof value !== 'string') {
+        return null;
+    }
+    const raw = value.trim();
+    const normalized = raw.replace(/\\/g, '/');
+    if (normalized.length === 0 ||
+        normalized.startsWith('-') ||
+        path.posix.isAbsolute(normalized) ||
+        path.win32.isAbsolute(raw)) {
+        return null;
+    }
+    const segments = normalized.split('/');
+    return segments.every((segment) => segment.length > 0 && segment !== '.' && segment !== '..') ? normalized : null;
+}

package/dist/core/validation-ratchet.js

@@ -1,6 +1,9 @@
 import { spawnSync } from 'node:child_process';
 import { existsSync, readFileSync } from 'node:fs';
 import path from 'node:path';
+import { createCommandEnv } from './command-env.js';
+const GIT_DIFF_TIMEOUT_MS = 10_000;
+const GIT_DIFF_MAX_BUFFER_BYTES = 16 * 1024 * 1024;
 const TEST_CHANGE_KINDS = new Set(['test', 'test_fixture']);
 const SKIP_OR_ONLY_MARKER = /\b(?:describe|it|test)\s*\.\s*(?:skip|only)\s*\(/u;
 const TODO_OR_PENDING_MARKER = /\b(?:describe|it|test)\s*\.\s*(?:todo|pending)\s*\(/u;
@@ -48,29 +51,66 @@ function fileTextIfReadable(projectRoot, relativePath) {
         return null;
     }
 }
-function gitDiffLines(projectRoot, relativePath) {
-    const result = spawnSync('git', ['diff', '--no-ext-diff', '--unified=0', '--', relativePath], {
-        cwd: projectRoot,
-        encoding: 'utf8',
-        windowsHide: true,
-    });
-    if (result.status !== 0 || typeof result.stdout !== 'string' || result.stdout.length === 0) {
-        return { added: [], removed: [] };
-    }
-    const added = [];
-    const removed = [];
-    for (const line of result.stdout.split(/\r?\n/u)) {
-        if (line.startsWith('+++') || line.startsWith('---')) {
+function normalizeGitDiffPath(value) {
+    return value
+        .replace(/^"(.*)"$/u, '$1')
+        .replace(/^(?:a|b)\//u, '')
+        .replaceAll('\\', '/');
+}
+function parseGitDiffLines(stdout) {
+    const byPath = new Map();
+    let oldPath = null;
+    let currentPath = null;
+    for (const line of stdout.split(/\r?\n/u)) {
+        if (line.startsWith('--- ')) {
+            const rawPath = line.slice(4).trim();
+            oldPath = rawPath === '/dev/null' ? null : normalizeGitDiffPath(rawPath);
+            continue;
+        }
+        if (line.startsWith('+++ ')) {
+            const rawPath = line.slice(4).trim();
+            currentPath = rawPath === '/dev/null' ? oldPath : normalizeGitDiffPath(rawPath);
+            if (currentPath && !byPath.has(currentPath)) {
+                byPath.set(currentPath, { added: [], removed: [] });
+            }
+            continue;
+        }
+        if (!currentPath || line.startsWith('@@')) {
+            continue;
+        }
+        const diff = byPath.get(currentPath);
+        if (!diff) {
             continue;
         }
         if (line.startsWith('+')) {
-            added.push(line.slice(1));
+            diff.added.push(line.slice(1));
         }
         else if (line.startsWith('-')) {
-            removed.push(line.slice(1));
+            diff.removed.push(line.slice(1));
         }
     }
-    return { added, removed };
+    return new Map([...byPath.entries()].map(([filePath, diff]) => [
+        filePath,
+        { added: diff.added, removed: diff.removed },
+    ]));
+}
+function gitDiffLinesByPath(projectRoot, relativePaths) {
+    const uniquePaths = [...new Set(relativePaths)].filter((relativePath) => resolveInsideRoot(projectRoot, relativePath) !== null);
+    if (uniquePaths.length === 0) {
+        return new Map();
+    }
+    const result = spawnSync('git', ['diff', '--no-ext-diff', '--unified=0', '--', ...uniquePaths], {
+        cwd: projectRoot,
+        encoding: 'utf8',
+        env: createCommandEnv(projectRoot, { policy: 'minimal', allowlist: [] }),
+        maxBuffer: GIT_DIFF_MAX_BUFFER_BYTES,
+        timeout: GIT_DIFF_TIMEOUT_MS,
+        windowsHide: true,
+    });
+    if (result.status !== 0 || typeof result.stdout !== 'string' || result.stdout.length === 0) {
+        return new Map();
+    }
+    return parseGitDiffLines(result.stdout);
 }
 function countMatching(lines, pattern) {
     return lines.filter((line) => pattern.test(line)).length;
@@ -103,6 +143,9 @@ export function countValidationRatchetVerdictEffects(risks) {
 export function createValidationRatchetRisks(report, projectRoot) {
     const risks = [];
     const seenRisks = new Set();
+    const changedDiffs = report.source === 'changed'
+        ? gitDiffLinesByPath(projectRoot, report.classifications.map((classification) => classification.path))
+        : new Map();
     function addRisk(code, severity, pathText, detail) {
         const key = `${pathText}\0${code}`;
         if (seenRisks.has(key)) {
@@ -113,7 +156,9 @@ export function createValidationRatchetRisks(report, projectRoot) {
     }
     for (const classification of report.classifications) {
         const resolvedPath = resolveInsideRoot(projectRoot, classification.path);
-        const diff = report.source === 'changed' ? gitDiffLines(projectRoot, classification.path) : { added: [], removed: [] };
+        const diff = report.source === 'changed'
+            ? changedDiffs.get(classification.path) ?? { added: [], removed: [] }
+            : { added: [], removed: [] };
         const addedText = diff.added.join('\n');
         if (isTestClassification(classification)) {
             if (report.source === 'changed' && (resolvedPath === null || !existsSync(resolvedPath))) {

package/dist/core/verification-decision-graph.js

@@ -1,7 +1,14 @@
+import { createHash } from 'node:crypto';
 import { isRecord, readString, readStringArray, } from './config-loading.js';
 export const VERIFICATION_DECISION_GRAPH_SCHEMA_VERSION = '1';
 function stableIdPart(value) {
-    return value.trim().replace(/[^A-Za-z0-9_.-]+/gu, '_') || 'none';
+    const trimmed = value.trim();
+    if (trimmed.length === 0) {
+        return 'none';
+    }
+    const readable = trimmed.replace(/[^A-Za-z0-9_.-]+/gu, '_') || 'value';
+    const digest = createHash('sha256').update(trimmed).digest('hex').slice(0, 10);
+    return `${readable}_${digest}`;
 }
 function readBoolean(table, key) {
     const value = table[key];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mustflow",
-  "version": "2.22.16",
+  "version": "2.22.46",
   "description": "Agent workflow documents and CLI for mustflow repository roots.",
   "type": "module",
   "license": "MIT-0",

package/templates/default/i18n.toml

@@ -56,7 +56,7 @@ translations = {}
 [documents."skills.index"]
 source = "locales/en/.mustflow/skills/INDEX.md"
 source_locale = "en"
-revision = 73
+revision = 81
 translations = {}
 
 [documents."skill.adapter-boundary"]
@@ -77,6 +77,12 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.api-contract-change"]
+source = "locales/en/.mustflow/skills/api-contract-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.behavior-preserving-refactor"]
 source = "locales/en/.mustflow/skills/behavior-preserving-refactor/SKILL.md"
 source_locale = "en"
@@ -107,6 +113,12 @@ source_locale = "en"
 revision = 16
 translations = {}
 
+[documents."skill.database-migration-change"]
+source = "locales/en/.mustflow/skills/database-migration-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.dependency-injection"]
 source = "locales/en/.mustflow/skills/dependency-injection/SKILL.md"
 source_locale = "en"
@@ -119,12 +131,24 @@ source_locale = "en"
 revision = 6
 translations = {}
 
+[documents."skill.dependency-upgrade-review"]
+source = "locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.line-ending-hygiene"]
 source = "locales/en/.mustflow/skills/line-ending-hygiene/SKILL.md"
 source_locale = "en"
 revision = 1
 translations = {}
 
+[documents."skill.file-path-cross-platform-change"]
+source = "locales/en/.mustflow/skills/file-path-cross-platform-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.diff-risk-review"]
 source = "locales/en/.mustflow/skills/diff-risk-review/SKILL.md"
 source_locale = "en"
@@ -137,6 +161,114 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.astro-code-change"]
+source = "locales/en/.mustflow/skills/astro-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.auth-permission-change"]
+source = "locales/en/.mustflow/skills/auth-permission-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.config-env-change"]
+source = "locales/en/.mustflow/skills/config-env-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.css-code-change"]
+source = "locales/en/.mustflow/skills/css-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.dart-code-change"]
+source = "locales/en/.mustflow/skills/dart-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.elysia-code-change"]
+source = "locales/en/.mustflow/skills/elysia-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.flutter-code-change"]
+source = "locales/en/.mustflow/skills/flutter-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.go-code-change"]
+source = "locales/en/.mustflow/skills/go-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.hono-code-change"]
+source = "locales/en/.mustflow/skills/hono-code-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
+[documents."skill.html-code-change"]
+source = "locales/en/.mustflow/skills/html-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.javascript-code-change"]
+source = "locales/en/.mustflow/skills/javascript-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.python-code-change"]
+source = "locales/en/.mustflow/skills/python-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.rust-code-change"]
+source = "locales/en/.mustflow/skills/rust-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.svelte-code-change"]
+source = "locales/en/.mustflow/skills/svelte-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.tailwind-code-change"]
+source = "locales/en/.mustflow/skills/tailwind-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.tauri-code-change"]
+source = "locales/en/.mustflow/skills/tauri-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.typescript-code-change"]
+source = "locales/en/.mustflow/skills/typescript-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
+[documents."skill.unocss-code-change"]
+source = "locales/en/.mustflow/skills/unocss-code-change/SKILL.md"
+source_locale = "en"
+revision = 2
+translations = {}
+
 [documents."skill.cli-output-contract-review"]
 source = "locales/en/.mustflow/skills/cli-output-contract-review/SKILL.md"
 source_locale = "en"
@@ -322,16 +454,22 @@ source_locale = "en"
 revision = 2
 translations = {}
 
+[documents."skill.release-publish-change"]
+source = "locales/en/.mustflow/skills/release-publish-change/SKILL.md"
+source_locale = "en"
+revision = 1
+translations = {}
+
 [documents."skill.security-privacy-review"]
 source = "locales/en/.mustflow/skills/security-privacy-review/SKILL.md"
 source_locale = "en"
-revision = 17
+revision = 19
 translations = {}
 
 [documents."skill.security-regression-tests"]
 source = "locales/en/.mustflow/skills/security-regression-tests/SKILL.md"
 source_locale = "en"
-revision = 9
+revision = 11
 translations = {}
 
 [documents."skill.search-ad-content-authoring"]