mustflow 2.32.0 → 2.37.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/api/actions.js +55 -0
- package/dist/cli/commands/api/report-runner.js +62 -0
- package/dist/cli/commands/api/serve.js +149 -0
- package/dist/cli/commands/api/workspace-recommendations.js +13 -0
- package/dist/cli/commands/api.js +15 -275
- package/dist/cli/lib/local-index/search-read-model.js +44 -7
- package/dist/cli/lib/validation/frontmatter.js +75 -0
- package/dist/cli/lib/validation/index.js +4 -86
- package/dist/cli/lib/validation/safe-read.js +13 -0
- package/dist/core/active-run-locks.js +110 -10
- package/dist/core/run-performance-history.js +14 -1
- package/dist/core/validation-ratchet.js +1 -1
- package/package.json +1 -1
- package/templates/default/i18n.toml +55 -19
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +20 -8
- package/templates/default/locales/en/.mustflow/skills/adapter-boundary/SKILL.md +9 -2
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +249 -0
- package/templates/default/locales/en/.mustflow/skills/api-contract-change/SKILL.md +16 -11
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +11 -4
- package/templates/default/locales/en/.mustflow/skills/backend-reliability-change/SKILL.md +289 -0
- package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +24 -14
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +18 -7
- package/templates/default/locales/en/.mustflow/skills/frontend-render-stability/SKILL.md +144 -0
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +70 -18
- package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +20 -13
- package/templates/default/locales/en/.mustflow/skills/http-delivery-streaming/SKILL.md +205 -0
- package/templates/default/locales/en/.mustflow/skills/performance-budget-check/SKILL.md +9 -7
- package/templates/default/locales/en/.mustflow/skills/proactive-risk-surfacing/SKILL.md +198 -0
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +27 -11
- package/templates/default/locales/en/.mustflow/skills/routes.toml +37 -1
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +41 -17
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +167 -0
- package/templates/default/locales/en/.mustflow/skills/tailwind-code-change/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +27 -10
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +22 -4
- package/templates/default/locales/en/.mustflow/skills/unocss-code-change/SKILL.md +34 -15
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +29 -5
- package/templates/default/locales/en/AGENTS.md +3 -2
- package/templates/default/locales/ko/.mustflow/docs/agent-workflow.md +13 -8
- package/templates/default/locales/ko/AGENTS.md +2 -2
- package/templates/default/manifest.toml +37 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.api-contract-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: api-contract-change
|
|
9
|
-
description: Apply this skill when HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, API schemas, generated clients, SDKs, status codes, headers, error envelopes, pagination, filtering, sorting, search, or public API examples are created or changed.
|
|
9
|
+
description: Apply this skill when HTTP, REST, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, API schemas, generated clients, SDKs, status codes, headers, content negotiation, cache headers, error envelopes, pagination, filtering, sorting, search, or public API examples are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -29,7 +29,7 @@ metadata:
|
|
|
29
29
|
<!-- mustflow-section: purpose -->
|
|
30
30
|
## Purpose
|
|
31
31
|
|
|
32
|
-
Treat an API change as a contract change, not as a route or controller edit. The contract includes request schema, response schema, status code, headers, error shape, auth and permission behavior, pagination, filtering, sorting, search semantics, generated clients, SDKs, mocks, fixtures, examples, and documentation.
|
|
32
|
+
Treat an API change as a contract change, not as a route or controller edit. The contract includes request schema, response schema, status code, headers, content negotiation, cache semantics, error shape, auth and permission behavior, pagination, filtering, sorting, search semantics, generated clients, SDKs, mocks, fixtures, examples, and documentation.
|
|
33
33
|
|
|
34
34
|
The goal is to keep runtime behavior, type contracts, generated artifacts, callers, tests, and docs aligned.
|
|
35
35
|
|
|
@@ -37,10 +37,11 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
37
37
|
## Use When
|
|
38
38
|
|
|
39
39
|
- HTTP, REST, RPC, GraphQL, tRPC, Hono RPC, Elysia Eden, gRPC, protobuf, OpenAPI, AsyncAPI, webhook, callback, public endpoint, internal endpoint, generated client, SDK, schema, mock, fixture, or API docs behavior changes.
|
|
40
|
-
- Request body, query parameters, path parameters, headers, cookies, response body, status codes, redirects, caching headers, rate-limit headers, error envelopes, validation errors, auth errors, or permission errors change.
|
|
40
|
+
- Request body, query parameters, path parameters, headers, cookies, response body, content negotiation, content coding, status codes, redirects, caching headers, rate-limit headers, error envelopes, validation errors, auth errors, or permission errors change.
|
|
41
|
+
- SSE, streaming response, WebTransport handshake, WebSocket fallback, compression negotiation, or delivery headers become part of the API behavior that callers rely on.
|
|
41
42
|
- Pagination, filtering, sorting, search, includes, field selection, sparse fields, expansions, cursor shape, or total-count semantics change.
|
|
42
43
|
- A route is renamed, moved, split, merged, deprecated, versioned, or made more restrictive.
|
|
43
|
-
- A framework-specific API surface changes and may need another skill as a follow-up, such as `hono-code-change`, `elysia-code-change`, `typescript-code-change`, `auth-permission-change`, or `security-regression-tests`.
|
|
44
|
+
- A framework-specific API surface changes and may need another skill as a follow-up, such as `hono-code-change`, `elysia-code-change`, `typescript-code-change`, `http-delivery-streaming`, `auth-permission-change`, or `security-regression-tests`.
|
|
44
45
|
|
|
45
46
|
<!-- mustflow-section: do-not-use-when -->
|
|
46
47
|
## Do Not Use When
|
|
@@ -53,7 +54,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
53
54
|
## Required Inputs
|
|
54
55
|
|
|
55
56
|
- Changed route, controller, resolver, handler, schema, validator, generated client, SDK, tests, fixtures, mocks, and docs.
|
|
56
|
-
- Current request and response schema, status code map, headers, error envelope, auth and permission behavior, rate-limit behavior, cache behavior, pagination/filter/sort/search contract, and deprecation/versioning policy.
|
|
57
|
+
- Current request and response schema, status code map, headers, content negotiation, content coding, error envelope, auth and permission behavior, rate-limit behavior, cache behavior, streaming or reconnect behavior, pagination/filter/sort/search contract, and deprecation/versioning policy.
|
|
57
58
|
- OpenAPI, GraphQL schema, tRPC router, Hono app type, Elysia Eden type surface, protobuf files, generated clients, SDK examples, frontend callers, mobile callers, integration tests, docs examples, and mock servers when present.
|
|
58
59
|
- Current public consumers, backwards-compatibility expectations, supported client versions, and migration or deprecation policy.
|
|
59
60
|
- Configured verification intents.
|
|
@@ -65,6 +66,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
65
66
|
- Identify whether the change is source-compatible, runtime-compatible, behavior-compatible, or breaking for existing callers.
|
|
66
67
|
- Read the schema and generated client source of truth before editing route code.
|
|
67
68
|
- If auth, permission, tenant, object-level access, or API key behavior changes, also apply `auth-permission-change`.
|
|
69
|
+
- If compression, content coding, streaming responses, SSE, WebTransport, WebSocket fallback, proxy buffering, CDN behavior, or browser delivery behavior changes, also apply `http-delivery-streaming`.
|
|
68
70
|
- If the change needs denied-abuse coverage, also apply `security-regression-tests`.
|
|
69
71
|
|
|
70
72
|
<!-- mustflow-section: allowed-edits -->
|
|
@@ -86,7 +88,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
86
88
|
- auth and permission requirement;
|
|
87
89
|
- response success status and body;
|
|
88
90
|
- error status and body;
|
|
89
|
-
- relevant headers;
|
|
91
|
+
- relevant headers, content negotiation, content coding, and cache variance;
|
|
90
92
|
- pagination, filtering, sorting, and search semantics;
|
|
91
93
|
- generated clients, SDK functions, mocks, fixtures, examples, and docs.
|
|
92
94
|
3. Classify each change:
|
|
@@ -96,6 +98,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
96
98
|
- response field removed, renamed, narrowed, widened, or made nullable;
|
|
97
99
|
- status code changed;
|
|
98
100
|
- header added, removed, or changed;
|
|
101
|
+
- content coding, compression negotiation, streaming, reconnect, or cache-variance behavior changed;
|
|
99
102
|
- error code or envelope changed;
|
|
100
103
|
- pagination cursor or total semantics changed;
|
|
101
104
|
- auth/permission requirement changed;
|
|
@@ -109,7 +112,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
109
112
|
|
|
110
113
|
## API Style Policy
|
|
111
114
|
|
|
112
|
-
- REST and HTTP APIs must keep method semantics, status code meanings, headers, content type, cache behavior, redirects, and error envelope stable.
|
|
115
|
+
- REST and HTTP APIs must keep method semantics, status code meanings, headers, content type, content coding, cache behavior, redirects, streaming behavior, and error envelope stable.
|
|
113
116
|
- OpenAPI changes must include every status/body/header variant that callers rely on. A schema-only success response is not enough when errors are part of the contract.
|
|
114
117
|
- GraphQL must not be forced into a REST envelope. Preserve GraphQL `data`, `errors`, `extensions`, partial response, nullability, and resolver error propagation semantics.
|
|
115
118
|
- GraphQL nullable-to-non-null and non-null-to-null changes are contract changes. Nullability can change whether partial data survives an error.
|
|
@@ -128,7 +131,7 @@ The goal is to keep runtime behavior, type contracts, generated artifacts, calle
|
|
|
128
131
|
- Pagination must define cursor opacity, sort stability, page size limits, `next` and `previous` meaning, empty page behavior, total-count semantics, and whether filters affect counts.
|
|
129
132
|
- Filtering and sorting must define allowed fields, default sort, null ordering, case sensitivity, timezone or locale behavior, invalid filter behavior, and whether unknown fields are rejected or ignored.
|
|
130
133
|
- Search must define query normalization, tokenization, ranking stability expectations, highlight fields, typo tolerance, permissions, and private-data exclusion.
|
|
131
|
-
- Headers such as cache-control, etag, location, retry-after, rate-limit, pagination links, content-disposition, and deprecation headers are contract surfaces.
|
|
134
|
+
- Headers such as content-type, content-encoding, vary, cache-control, etag, location, retry-after, rate-limit, pagination links, content-disposition, and deprecation headers are contract surfaces.
|
|
132
135
|
|
|
133
136
|
## Dependent Surface Checklist
|
|
134
137
|
|
|
@@ -144,6 +147,7 @@ Check every relevant surface before finalizing:
|
|
|
144
147
|
- API docs, README snippets, changelog, migration notes, deprecation notices, role matrix, and status-code docs;
|
|
145
148
|
- auth and permission checks;
|
|
146
149
|
- rate limits, cache keys, cache headers, search indexes, pagination cursors, and background jobs;
|
|
150
|
+
- streaming delivery, SSE event ids, reconnect behavior, proxy or CDN delivery settings, content-coding variants, and fallback clients when they are caller-visible;
|
|
147
151
|
- observability dashboards, audit logs, analytics events, and alerting that parse status or error codes.
|
|
148
152
|
|
|
149
153
|
## Strongly Forbidden Patterns
|
|
@@ -152,6 +156,7 @@ Check every relevant surface before finalizing:
|
|
|
152
156
|
- Returning raw database rows as API responses.
|
|
153
157
|
- Treating TypeScript inference as proof that runtime JSON is compatible.
|
|
154
158
|
- Changing status codes without updating callers, docs, tests, and audit expectations.
|
|
159
|
+
- Changing content encoding, streaming flush, reconnect, cache variance, or fallback behavior without updating callers, docs, tests, and delivery verification.
|
|
155
160
|
- Treating generated clients as disposable when they are the public API.
|
|
156
161
|
- Mixing GraphQL partial-response semantics with REST success/error envelopes.
|
|
157
162
|
- Adding required request fields in a minor-compatible change without a default or compatibility path.
|
|
@@ -166,7 +171,7 @@ Check every relevant surface before finalizing:
|
|
|
166
171
|
## Postconditions
|
|
167
172
|
|
|
168
173
|
- The API contract source of truth is known.
|
|
169
|
-
- Request, response, status, header, error, auth, permission, pagination, filtering, sorting, and search impacts are classified.
|
|
174
|
+
- Request, response, status, header, content negotiation, cache, error, auth, permission, pagination, filtering, sorting, and search impacts are classified.
|
|
170
175
|
- Breaking or compatibility-sensitive changes are named.
|
|
171
176
|
- Generated clients, mocks, fixtures, tests, docs, and examples are synchronized or explicitly reported as skipped.
|
|
172
177
|
- Framework-specific protocol semantics are preserved.
|
|
@@ -204,7 +209,7 @@ Prefer the narrowest configured checks that exercise the changed contract from a
|
|
|
204
209
|
- API style and contract source of truth
|
|
205
210
|
- Changed operations or endpoints
|
|
206
211
|
- Compatibility classification
|
|
207
|
-
- Request, response, status, header, error, auth, permission, pagination, filter, sort, and search notes
|
|
212
|
+
- Request, response, status, header, content negotiation, cache, error, auth, permission, pagination, filter, sort, and search notes
|
|
208
213
|
- Generated client, SDK, mock, fixture, docs, and caller surfaces synchronized
|
|
209
214
|
- Files changed
|
|
210
215
|
- Command intents run
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.auth-permission-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 2
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: auth-permission-change
|
|
9
|
-
description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies,
|
|
9
|
+
description: Apply this skill when authentication, authorization, permissions, roles, tenants, sessions, JWTs, OAuth or OIDC, API keys, route guards, admin access, database policies, object-level access control, signed delivery URLs, credentialed event streams, or private cache behavior are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -39,6 +39,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
39
39
|
- Authentication, authorization, role, permission, capability, policy, tenant, workspace, organization, session, JWT, OAuth, OIDC, API key, invite, reset token, route guard, admin, impersonation, audit, or database policy behavior changes.
|
|
40
40
|
- A route, resolver, controller, service, command handler, job, webhook, API client, generated SDK, UI guard, or database query starts relying on user, tenant, role, ownership, membership, or resource identity.
|
|
41
41
|
- A change affects object-level access control, multi-tenant isolation, shared resources, signed URLs, exports, search, autocomplete, background jobs, webhooks, or admin/support tooling.
|
|
42
|
+
- A change affects credentialed EventSource/SSE streams, WebTransport sessions, WebSocket fallback, signed delivery URLs, private file delivery, CDN/proxy cache keys, CORS credentials, cookies, or auth tokens embedded in delivery URLs.
|
|
42
43
|
- A change modifies status code behavior for auth failures, especially 401, 403, or policy-driven 404.
|
|
43
44
|
- A permission model, role matrix, API docs, admin docs, migration, or tests need to stay aligned with authorization behavior.
|
|
44
45
|
|
|
@@ -56,7 +57,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
56
57
|
- Auth middleware, framework hooks, gateway checks, session config, cookie config, JWT verifier, OAuth/OIDC callback, API key verifier, and logout or revocation code when relevant.
|
|
57
58
|
- Route guards, client guards, server controllers, resolvers, command handlers, services, policy functions, role or permission tables, database queries, RLS, views, stored procedures, and ORM scopes.
|
|
58
59
|
- Tenant, organization, workspace, project, membership, invite, suspension, ownership, sharing, and admin-support data models.
|
|
59
|
-
- Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, CDN cache, and permission caches when they can expose protected data.
|
|
60
|
+
- Background jobs, queue payloads, webhooks, import/export flows, search or autocomplete indexes, signed URL generation, storage keys, SSE or streaming channels, WebTransport sessions, WebSocket fallback, CDN cache, proxy cache, and permission caches when they can expose protected data.
|
|
60
61
|
- Audit logs, admin action logs, impersonation records, denied-access logs, API docs, role matrix docs, migrations, and tests.
|
|
61
62
|
- Configured verification intents.
|
|
62
63
|
|
|
@@ -68,6 +69,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
68
69
|
- Treat client-provided `userId`, `tenantId`, `workspaceId`, `role`, `isAdmin`, object id, API key label, token claim, and local storage value as untrusted.
|
|
69
70
|
- Find the current policy source of truth. If authorization is scattered across routes, do not add another scattered condition without first considering a central policy function.
|
|
70
71
|
- Know whether the product intentionally hides resource existence with 404 or exposes permission denial with 403.
|
|
72
|
+
- If SSE, WebTransport, WebSocket fallback, signed URL, CORS, cookie, CDN cache, proxy cache, or streaming delivery behavior changes, use `http-delivery-streaming` for the transport contract while this skill checks access control.
|
|
71
73
|
|
|
72
74
|
<!-- mustflow-section: allowed-edits -->
|
|
73
75
|
## Allowed Edits
|
|
@@ -88,7 +90,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
88
90
|
- route guards, client redirects, server controllers, resolvers, services, command handlers, policy calls, and admin tools;
|
|
89
91
|
- tenant resolver, membership schema, role assignment, invite flow, suspension, ownership, sharing, and impersonation model;
|
|
90
92
|
- database queries, tenant scopes, ownership joins, soft-delete filters, RLS, views, stored procedures, and ORM helpers;
|
|
91
|
-
- background jobs, queues, webhooks, import/export, file storage, signed URLs, search, autocomplete, caches, audit logs, docs, migrations, and tests.
|
|
93
|
+
- background jobs, queues, webhooks, import/export, file storage, signed URLs, SSE or streaming channels, WebTransport sessions, WebSocket fallback, search, autocomplete, caches, CDN or proxy cache rules, audit logs, docs, migrations, and tests.
|
|
92
94
|
3. Write the permission decision inputs for each protected action: principal, tenant, resource, action, and context.
|
|
93
95
|
4. Separate identity from permission:
|
|
94
96
|
- `req.user`, a valid session, verified email, valid JWT, OAuth scope, or API key proves identity only;
|
|
@@ -104,12 +106,14 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
104
106
|
- tenant-scoped queries must include tenant or membership constraints;
|
|
105
107
|
- pending, suspended, removed, revoked, deleted, disabled, and invited states must not be treated as active access;
|
|
106
108
|
- shared links, exports, signed URLs, previews, search, cache, and CDN entries must stay inside the permission model.
|
|
109
|
+
- event streams, WebTransport sessions, WebSocket fallback channels, private downloads, and reconnect URLs must not bypass tenant, resource, role, token expiry, or revocation policy.
|
|
107
110
|
10. Check session, JWT, OAuth/OIDC, and API key contracts when touched:
|
|
108
111
|
- sessions need expiry, refresh, rotation, logout, revocation, cookie flags, and CSRF posture;
|
|
109
112
|
- JWTs need signature verification, algorithm allowlist, issuer, audience, subject, expiry, not-before, key rotation, and stale-claim handling;
|
|
110
113
|
- OAuth/OIDC needs exact redirect binding, state, nonce, PKCE when relevant, provider account binding, and safe account linking;
|
|
111
114
|
- API keys need hashing, prefix-only display, owner type, scope, tenant/resource constraints, expiry, rotation, revocation, last-used, rate limit, and audit.
|
|
112
115
|
11. Check dependent surfaces: API routes, controllers, services, DB schema, DB queries, RLS, UI navigation, UI actions, API clients, audit logs, notifications, jobs, webhooks, search, file storage, docs, migrations, monitoring, and tests.
|
|
116
|
+
- For credentialed delivery surfaces, check whether EventSource can supply the intended credentials, whether CORS and cookies match the policy, whether signed URLs expire and scope correctly, and whether caches vary on auth, tenant, and private response dimensions.
|
|
113
117
|
12. Require denial-first tests for changed protected actions when the project has a usable test surface. Cover anonymous, expired, revoked, no role, wrong tenant, wrong owner, suspended or removed member, stale cache, shared-link, read-only API key, org admin, global admin, and impersonating admin cases as applicable.
|
|
114
118
|
13. Update docs and role matrices when external behavior, status codes, role names, permission names, admin scope, or API errors change.
|
|
115
119
|
14. Report the policy source of truth, server/database enforcement, client UX-only guards, test coverage, skipped checks, and remaining permission risk.
|
|
@@ -139,6 +143,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
139
143
|
- Relaxing permissions without denial-case tests or a written migration and audit plan.
|
|
140
144
|
- Letting role changes ship without permission-cache or token-staleness handling.
|
|
141
145
|
- Creating shared links, signed URLs, exports, search results, or CDN responses outside tenant and resource policy.
|
|
146
|
+
- Creating credentialed event streams, WebTransport sessions, WebSocket fallback channels, signed delivery URLs, or private caches outside tenant and resource policy.
|
|
142
147
|
- Logging impersonation without separate actor and subject.
|
|
143
148
|
- Backfilling broad permissions to every existing user because migration is easier.
|
|
144
149
|
|
|
@@ -150,6 +155,7 @@ Authentication answers who the requester is. Authorization answers what that pri
|
|
|
150
155
|
- Tenant isolation, resource ownership, sharing, admin scope, and status-code behavior are explicit.
|
|
151
156
|
- Client guards are described as UX only.
|
|
152
157
|
- Session, token, OAuth/OIDC, API key, cache, audit, docs, migration, and tests are synchronized when touched.
|
|
158
|
+
- Signed URL, event-stream, WebTransport, WebSocket fallback, CORS, cookie, CDN/proxy cache, and reconnect behavior remains inside the permission model when touched.
|
|
153
159
|
|
|
154
160
|
<!-- mustflow-section: verification -->
|
|
155
161
|
## Verification
|
|
@@ -187,6 +193,7 @@ Prefer the narrowest configured test intent that covers the changed protected ac
|
|
|
187
193
|
- Server/database enforcement notes
|
|
188
194
|
- Client guard UX-only notes
|
|
189
195
|
- Tenant, ownership, sharing, admin, token/session/API-key, cache, and audit notes
|
|
196
|
+
- Event stream, WebTransport, WebSocket fallback, signed URL, CORS, cookie, and CDN/proxy cache notes when relevant
|
|
190
197
|
- Tests or denial cases covered
|
|
191
198
|
- Files changed
|
|
192
199
|
- Command intents run
|
|
@@ -0,0 +1,289 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.backend-reliability-change
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: backend-reliability-change
|
|
9
|
+
description: Apply this skill when backend APIs, workers, jobs, queues, caches, database write paths, external service calls, health checks, observability, feature flags, idempotency, retries, outbox/inbox processing, or operational failure handling are created, changed, reviewed, or reported.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.backend-reliability-change
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Backend Reliability Change
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Keep backend changes safe under retries, slow dependencies, duplicate messages, partial failures,
|
|
33
|
+
cache misses, operational probes, and production debugging pressure.
|
|
34
|
+
|
|
35
|
+
Backend reliability is not a framework feature. It is the set of small contracts that stop one
|
|
36
|
+
request, job, tenant, cache miss, retry loop, or external provider outage from turning into a
|
|
37
|
+
system-wide incident. Prefer explicit idempotency, bounded waiting, database-enforced facts,
|
|
38
|
+
low-cardinality telemetry, and reversible rollout switches over optimistic controller code.
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- A backend route, RPC handler, command handler, webhook, mutation, job, worker, queue consumer,
|
|
44
|
+
scheduled task, or integration path is created, changed, reviewed, or reported.
|
|
45
|
+
- Code handles write APIs, retries, timeouts, cancellation, external HTTP/RPC/database/cache calls,
|
|
46
|
+
payment or provider calls, health checks, readiness, startup, graceful degradation, or fallback
|
|
47
|
+
behavior.
|
|
48
|
+
- Code changes idempotency keys, request fingerprints, duplicate handling, final response replay,
|
|
49
|
+
outbox publishing, inbox deduplication, dead-letter queues, poison messages, queue retention,
|
|
50
|
+
backoff, jitter, or consumer concurrency.
|
|
51
|
+
- Code changes database uniqueness, constraints, indexes, soft-delete uniqueness, cursor
|
|
52
|
+
pagination, lock usage, table-backed queues, `FOR UPDATE SKIP LOCKED`, advisory locks,
|
|
53
|
+
distributed locks, or transaction boundaries.
|
|
54
|
+
- Code changes cache keys, cache TTLs, negative caching, request coalescing, stampede prevention,
|
|
55
|
+
cache authority, tenant-aware caching, or stale-data behavior.
|
|
56
|
+
- Code changes logs, metrics, traces, correlation ids, OpenTelemetry baggage, audit records,
|
|
57
|
+
alert inputs, feature flags, rollout gates, kill switches, or operational admin actions.
|
|
58
|
+
- A final report claims a backend path is safe to retry, resilient, scalable, observable,
|
|
59
|
+
production-ready, fault-tolerant, idempotent, cache-safe, queue-safe, or easy to debug.
|
|
60
|
+
|
|
61
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
62
|
+
## Do Not Use When
|
|
63
|
+
|
|
64
|
+
- The task is only an architecture split or service ownership decision with no concrete backend
|
|
65
|
+
implementation surface; use `service-boundary-architecture`.
|
|
66
|
+
- The task is only an API schema/status/header change with no operational failure behavior; use
|
|
67
|
+
`api-contract-change`.
|
|
68
|
+
- The task is only database-engine-specific DDL, query, or migration work; use the matching
|
|
69
|
+
database skill first, then this skill only for retries, queues, cache, observability, or
|
|
70
|
+
operational behavior around that database path.
|
|
71
|
+
- The task is purely frontend rendering, styling, or browser delivery behavior.
|
|
72
|
+
|
|
73
|
+
<!-- mustflow-section: required-inputs -->
|
|
74
|
+
## Required Inputs
|
|
75
|
+
|
|
76
|
+
- Backend surface: route, handler, worker, queue, scheduled job, database write path, cache path,
|
|
77
|
+
provider integration, health probe, feature flag, or admin operation.
|
|
78
|
+
- Trigger shape: user request, webhook, retry, scheduled run, queue message, backfill, migration,
|
|
79
|
+
manual operator action, startup, shutdown, or dependency callback.
|
|
80
|
+
- Idempotency boundary: principal, tenant, resource, action, request fingerprint, key storage,
|
|
81
|
+
in-progress state, final response, conflict behavior, TTL, and replay contract.
|
|
82
|
+
- External-call boundary: dependency owner, deadline, cancellation propagation, connect/request/read
|
|
83
|
+
or write timeout support, retryable errors, retry budget, backoff, jitter, and fallback behavior.
|
|
84
|
+
- Persistence and transaction boundary: unique facts, constraints, indexes, lock scope, transaction
|
|
85
|
+
length, outbox/inbox tables, query evidence, pagination keys, and migration safety needs.
|
|
86
|
+
- Queue or async boundary: delivery semantics, ordering assumptions, duplicate handling, poison
|
|
87
|
+
handling, dead-letter policy, retention, backlog metrics, consumer concurrency, and replay tools.
|
|
88
|
+
- Cache boundary: key dimensions, tenant/auth scope, TTL, jitter, negative caching, coalescing,
|
|
89
|
+
stale/error behavior, invalidation, and whether cached data is allowed to be wrong.
|
|
90
|
+
- Observability boundary: request id, trace id, correlation id, log fields, metrics labels,
|
|
91
|
+
alert inputs, sensitive data exclusions, audit fields, and debugging path.
|
|
92
|
+
- Rollout boundary: feature flag, kill switch, default state, rollout scope, rollback or disable
|
|
93
|
+
behavior, and user-visible degradation.
|
|
94
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
95
|
+
validation.
|
|
96
|
+
|
|
97
|
+
<!-- mustflow-section: preconditions -->
|
|
98
|
+
## Preconditions
|
|
99
|
+
|
|
100
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
101
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
102
|
+
current scope.
|
|
103
|
+
- If request/response schema, status code, headers, pagination, cache headers, or generated clients
|
|
104
|
+
change, also use `api-contract-change`.
|
|
105
|
+
- If service ownership, data source of truth, tenant isolation, event contract, or module split
|
|
106
|
+
decisions change, also use `service-boundary-architecture`.
|
|
107
|
+
- If database schema, migration, query plan, index, transaction isolation, or engine-specific lock
|
|
108
|
+
behavior changes, also use `database-migration-change`, `database-change-safety`, or the matching
|
|
109
|
+
database engine skill.
|
|
110
|
+
- If authentication, authorization, object-level access, tenant isolation, secrets, personal data,
|
|
111
|
+
logs, telemetry, retention, or audit behavior changes, also use `auth-permission-change`,
|
|
112
|
+
`security-privacy-review`, or `security-regression-tests`.
|
|
113
|
+
- If performance, p95/p99 latency, throughput, queue depth, connection pool pressure, cache hit
|
|
114
|
+
rate, or cost is claimed, also use `performance-budget-check`.
|
|
115
|
+
|
|
116
|
+
<!-- mustflow-section: allowed-edits -->
|
|
117
|
+
## Allowed Edits
|
|
118
|
+
|
|
119
|
+
- Update backend handlers, services, workers, retry policy, timeout policy, idempotency storage,
|
|
120
|
+
outbox/inbox code, cache boundaries, health endpoints, observability fields, flags, tests, docs,
|
|
121
|
+
and directly synchronized templates tied to the reliability behavior.
|
|
122
|
+
- Add or tighten tests for duplicate requests, retry replay, same idempotency key with a different
|
|
123
|
+
request fingerprint, timeout/cancellation, dependency failure, queue redelivery, cache miss,
|
|
124
|
+
stale data, object-level denial, DTO allowlists, and kill-switch behavior.
|
|
125
|
+
- Do not replace missing reliability contracts with comments that say "should be idempotent",
|
|
126
|
+
"eventually consistent", "handled by the queue", or "covered by Kubernetes" without executable
|
|
127
|
+
behavior, storage constraints, or operational evidence.
|
|
128
|
+
|
|
129
|
+
<!-- mustflow-section: procedure -->
|
|
130
|
+
## Procedure
|
|
131
|
+
|
|
132
|
+
1. Classify the backend surface and failure multiplier. Name whether the change is a write API,
|
|
133
|
+
read API, webhook, provider call, worker, queue consumer, cache path, database write path, health
|
|
134
|
+
probe, admin action, or rollout gate. Identify what repeats under failure: user retries,
|
|
135
|
+
client retries, load balancer retries, server retries, queue redelivery, scheduled reruns, or
|
|
136
|
+
operator replay.
|
|
137
|
+
2. For write APIs and side effects, build an idempotency ledger.
|
|
138
|
+
- Scope the idempotency key by tenant, principal, action, and resource so one actor cannot replay
|
|
139
|
+
another actor's operation.
|
|
140
|
+
- Store the idempotency key, request fingerprint or hash, processing state, final status/body or
|
|
141
|
+
result reference, timestamps, TTL, and owner.
|
|
142
|
+
- Return the saved result for the same key and same request fingerprint after the operation
|
|
143
|
+
commits. Reject or conflict the same key with a different request fingerprint.
|
|
144
|
+
- Define the in-progress response when the first request is still running. Avoid running the
|
|
145
|
+
side effect twice just because the first response was lost.
|
|
146
|
+
3. Bound all external waiting.
|
|
147
|
+
- Propagate an end-to-end deadline or cancellation signal across internal calls, DB calls, cache
|
|
148
|
+
calls, provider calls, and queue work when the platform supports it.
|
|
149
|
+
- Configure connect, request, read, and write timeouts separately when the client exposes them;
|
|
150
|
+
otherwise document the closest supported boundary.
|
|
151
|
+
- Retry only operations that are idempotent or guarded by an idempotency key. Use bounded retry
|
|
152
|
+
counts, exponential backoff, jitter, and a retry budget. Avoid stacked retries at every layer.
|
|
153
|
+
- Define fallback, degradation, or user-visible failure behavior instead of waiting forever.
|
|
154
|
+
4. Split operational health checks.
|
|
155
|
+
- Keep `/live` shallow: process is running and the event loop or runtime is not wedged. Do not
|
|
156
|
+
put database, cache, or external-provider checks in liveness.
|
|
157
|
+
- Put dependency availability in `/ready` only when traffic should be removed if the dependency
|
|
158
|
+
is unavailable. Make readiness cheap, bounded, and resistant to cascading probe load.
|
|
159
|
+
- Use `/startup` or an equivalent startup probe when initialization can legitimately take longer
|
|
160
|
+
than normal liveness timing.
|
|
161
|
+
5. Enforce facts in the database, not only in application code.
|
|
162
|
+
- Use a unique constraint or unique index for facts that must be globally unique. Do not rely on
|
|
163
|
+
a read-then-insert check in application code.
|
|
164
|
+
- For soft deletes, use a partial unique index or an explicit active-state uniqueness strategy
|
|
165
|
+
when the database supports it.
|
|
166
|
+
- Handle duplicate-key conflicts as a normal path. Convert the database decision into the same
|
|
167
|
+
domain result a retried request should see.
|
|
168
|
+
- For PostgreSQL query and index changes, gather `EXPLAIN ANALYZE` with buffer evidence when
|
|
169
|
+
available, inspect `pg_stat_statements` or equivalent workload evidence when present, and
|
|
170
|
+
respect online index, lock-timeout, and expand-contract migration procedures.
|
|
171
|
+
- For pagination, prefer a stable compound cursor over deep `OFFSET` when data can grow or
|
|
172
|
+
mutate while users page.
|
|
173
|
+
6. Keep observability useful and low-risk.
|
|
174
|
+
- Use structured logs with request id, trace id, correlation id, tenant-safe identifiers, route
|
|
175
|
+
name, operation name, dependency name, result class, duration, retry count, and idempotency
|
|
176
|
+
outcome where useful.
|
|
177
|
+
- Do not put secrets, tokens, raw request bodies, full personal data, payment data, or unbounded
|
|
178
|
+
payloads in logs, traces, metrics, OpenTelemetry baggage, queue dead letters, or audit comments.
|
|
179
|
+
- Keep metrics labels low-cardinality. Do not label metrics by user id, email, raw URL, request
|
|
180
|
+
body, trace id, order id, idempotency key, or provider payload id. Put high-cardinality details
|
|
181
|
+
in logs or traces instead.
|
|
182
|
+
- Follow one request through API, queue, worker, provider, and database with the same correlation
|
|
183
|
+
or trace id when possible.
|
|
184
|
+
7. Treat cache as a consistency and failure contract.
|
|
185
|
+
- Include tenant, auth, locale, variant, and resource dimensions in cache keys when they affect
|
|
186
|
+
visibility or meaning.
|
|
187
|
+
- Define TTL, invalidation, stale-data allowance, error fallback, hit/miss metrics, max size, and
|
|
188
|
+
cache authority. Name when a cached value may be wrong and for how long.
|
|
189
|
+
- Add stampede protection: request coalescing, single-flight, prewarming, TTL jitter, soft TTLs,
|
|
190
|
+
or bounded regeneration. Use negative caching for expensive missing values only with a short
|
|
191
|
+
and intentional TTL.
|
|
192
|
+
8. Make async consumers safe for at-least-once delivery.
|
|
193
|
+
- Assume messages can be delivered more than once, out of order, after the original request
|
|
194
|
+
timed out, or after a deploy.
|
|
195
|
+
- Use an inbox table or equivalent durable deduplication keyed by event id or message id for
|
|
196
|
+
side-effecting consumers.
|
|
197
|
+
- Use an outbox pattern or equivalent transactional publication when a database state change and
|
|
198
|
+
event publish must agree.
|
|
199
|
+
- Define poison-message handling, dead-letter storage, retry schedule, jitter, retention, replay,
|
|
200
|
+
backlog age, and consumer scaling triggers.
|
|
201
|
+
- For PostgreSQL table-backed queues, prefer row locks such as `FOR UPDATE SKIP LOCKED` when the
|
|
202
|
+
schema and workload fit. Treat distributed locks as a last resort after unique constraints,
|
|
203
|
+
state machines, row locks, or advisory locks are ruled out.
|
|
204
|
+
9. Keep authorization and DTO boundaries server-side.
|
|
205
|
+
- Check object-level authorization on every backend path that accepts a resource id, event id,
|
|
206
|
+
object id, file id, tenant id, or provider id. Do not trust client-side filtering or hidden UI.
|
|
207
|
+
- Return allowlisted DTOs instead of raw ORM entities, provider payloads, or internal records.
|
|
208
|
+
Keep public response fields separate from database columns.
|
|
209
|
+
10. Put risky behavior behind controllable rollout gates.
|
|
210
|
+
- Use server-side feature flags for risky paths, external provider changes, queue consumers,
|
|
211
|
+
cache authority changes, and new failure behavior.
|
|
212
|
+
- Include a kill switch, safe default, rollout scope, audit or metric evidence, and cleanup plan.
|
|
213
|
+
Do not use a flag to hide an unsafe migration or permanent forked behavior.
|
|
214
|
+
11. Select verification from the command contract.
|
|
215
|
+
- Prefer focused tests that prove duplicate execution, timeout, retry, queue redelivery, cache
|
|
216
|
+
miss, BOLA denial, DTO allowlist, health-probe split, and kill-switch behavior.
|
|
217
|
+
- Run configured test, build, docs, release, and mustflow intents only. Report missing backend
|
|
218
|
+
reliability verification instead of inventing raw service, database, or cluster commands.
|
|
219
|
+
|
|
220
|
+
<!-- mustflow-section: forbidden-patterns -->
|
|
221
|
+
## Strongly Avoid
|
|
222
|
+
|
|
223
|
+
- Accepting the same idempotency key with a different request fingerprint.
|
|
224
|
+
- Retrying a non-idempotent provider call without an idempotency key or durable side-effect guard.
|
|
225
|
+
- Adding retries without a deadline, bounded attempt count, backoff, jitter, and retry budget.
|
|
226
|
+
- Letting every layer retry the same failing dependency.
|
|
227
|
+
- Putting database, cache, provider, or queue checks in liveness.
|
|
228
|
+
- Treating a queue as proof that backpressure, retention, dead letters, or replay are solved.
|
|
229
|
+
- Publishing an event outside the same durable boundary as the state change it describes when the
|
|
230
|
+
event is critical.
|
|
231
|
+
- Using application read-then-insert logic as the uniqueness guarantee.
|
|
232
|
+
- Returning raw ORM entities or provider payloads from an API.
|
|
233
|
+
- Logging tokens, raw request bodies, personal data, or high-cardinality metric labels.
|
|
234
|
+
- Using distributed locks as the first solution to duplicate work.
|
|
235
|
+
- Relying on `OFFSET` pagination for large or frequently mutated result sets.
|
|
236
|
+
|
|
237
|
+
<!-- mustflow-section: verification -->
|
|
238
|
+
## Verification
|
|
239
|
+
|
|
240
|
+
- Prefer the narrowest configured test intent that exercises the changed reliability contract:
|
|
241
|
+
duplicate request replay, different request fingerprint conflict, dependency timeout, bounded
|
|
242
|
+
retry, queue redelivery, cache miss or stampede guard, health-probe split, object-level denial,
|
|
243
|
+
DTO allowlist, and kill-switch behavior.
|
|
244
|
+
- Use `test_related` for code or behavior changes when related tests cover the touched backend
|
|
245
|
+
surface. Use `test` only when the reliability behavior crosses broad shared infrastructure.
|
|
246
|
+
- Use `docs_validate_fast` when skill, workflow, docs, examples, or template text changes.
|
|
247
|
+
- Use `test_release` when package metadata, template manifest, install surface, release notes, or
|
|
248
|
+
version metadata changes.
|
|
249
|
+
- Use `mustflow_check` after mustflow-owned skill, route, template, or command-contract changes.
|
|
250
|
+
- Report missing evidence explicitly when the repository has no configured provider, database,
|
|
251
|
+
queue, load, cluster, or integration check for the changed reliability surface.
|
|
252
|
+
|
|
253
|
+
<!-- mustflow-section: failure-handling -->
|
|
254
|
+
## Failure Handling
|
|
255
|
+
|
|
256
|
+
- If verification fails, preserve the failing intent, failing assertion or output tail, and the
|
|
257
|
+
backend reliability surface it exercised before editing again.
|
|
258
|
+
- If the failure involves missing or stale required skill sections, route metadata, template
|
|
259
|
+
manifest entries, i18n metadata, or installed-template sync, fix the contract surface first and
|
|
260
|
+
rerun the same configured intent.
|
|
261
|
+
- If a runtime test reveals duplicate execution, unbounded retry, stale cache authority, liveness
|
|
262
|
+
dependency checks, missing object-level authorization, raw DTO exposure, or telemetry leakage,
|
|
263
|
+
treat the failure as a contract bug. Do not weaken the test without stronger repository evidence.
|
|
264
|
+
- If the needed proof requires live provider, queue, database, Kubernetes, or load-test access not
|
|
265
|
+
configured in `.mustflow/config/commands.toml`, stop at local verification and report the missing
|
|
266
|
+
operational evidence instead of inventing commands.
|
|
267
|
+
|
|
268
|
+
<!-- mustflow-section: postconditions -->
|
|
269
|
+
## Postconditions
|
|
270
|
+
|
|
271
|
+
- Idempotency, retry, timeout, queue, cache, database, health-probe, observability, auth, DTO, and
|
|
272
|
+
rollout behavior have been classified or explicitly marked out of scope.
|
|
273
|
+
- Duplicate execution, partial failure, slow dependency, redelivery, stale cache, and operational
|
|
274
|
+
debugging paths have concrete behavior, not just prose promises.
|
|
275
|
+
- Sensitive data and high-cardinality telemetry risks have been checked.
|
|
276
|
+
- Tests, docs, templates, and release metadata changed by the backend reliability behavior are
|
|
277
|
+
synchronized.
|
|
278
|
+
|
|
279
|
+
<!-- mustflow-section: output-format -->
|
|
280
|
+
## Output Format
|
|
281
|
+
|
|
282
|
+
Include in the final report when this skill is used:
|
|
283
|
+
|
|
284
|
+
- Backend surface and selected reliability boundary.
|
|
285
|
+
- Idempotency, retry/timeout, queue/cache/database, health-probe, observability, auth/DTO, and
|
|
286
|
+
rollout decisions that changed or were verified.
|
|
287
|
+
- Tests or configured command intents run.
|
|
288
|
+
- Remaining backend reliability risk, especially missing load, provider, database, or cluster
|
|
289
|
+
evidence.
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.css-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: css-code-change
|
|
9
|
-
description: Apply this skill when CSS, Sass, Less, CSS Modules, CSS-in-JS, global styles, cascade layers, selector specificity, design tokens, layout, responsive behavior, focus styles, animation, color, or component styling are created or changed.
|
|
9
|
+
description: Apply this skill when CSS, Sass, Less, CSS Modules, CSS-in-JS, global styles, cascade layers, selector specificity, design tokens, container queries, browser-native state selectors, layout, responsive behavior, focus styles, animation, color, or component styling are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -34,7 +34,7 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
36
|
- `.css`, Sass, Less, CSS Modules, CSS-in-JS, global styles, reset, theme variables, cascade layers, selectors, design tokens, component styles, animations, or responsive rules change.
|
|
37
|
-
- The task touches specificity, `!important`, inline styles, negative margins, layout shift, browser compatibility, dark mode, focus style, contrast, typography, zoom, text scaling, or motion preference.
|
|
37
|
+
- The task touches specificity, `!important`, inline styles, negative margins, layout shift, browser compatibility, dark mode, focus style, contrast, typography, zoom, text scaling, container queries, browser-native state selectors, viewport units, content visibility, or motion preference.
|
|
38
38
|
|
|
39
39
|
<!-- mustflow-section: do-not-use-when -->
|
|
40
40
|
## Do Not Use When
|
|
@@ -48,6 +48,7 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
48
48
|
- Global CSS entrypoints, reset/base styles, cascade layer strategy, token files, theme config, component CSS, parent layout styles, browserslist, build config, and style lint config.
|
|
49
49
|
- Existing responsive, dark mode, accessibility, focus, reduced-motion, breakpoint, and design-token conventions.
|
|
50
50
|
- Target surfaces for narrow viewports, 200% zoom, text scaling, delayed media, third-party markup, and browser compatibility.
|
|
51
|
+
- Browser-native capabilities in use or available for the target: cascade layers, `:where`, `:is`, `:has`, container queries, logical properties, `dvh`/`svh`/`lvh`, `color-scheme`, `content-visibility`, `contain-intrinsic-size`, `text-wrap`, and view-transition styling.
|
|
51
52
|
- Configured verification intents.
|
|
52
53
|
|
|
53
54
|
<!-- mustflow-section: preconditions -->
|
|
@@ -62,6 +63,7 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
62
63
|
|
|
63
64
|
- Add styles in the correct layer or module.
|
|
64
65
|
- Use class-level selectors, custom properties, design tokens, intrinsic sizing, flex, grid, container queries, or media queries according to local patterns.
|
|
66
|
+
- Use browser-native selectors, layout, and containment features as progressive enhancement when they reduce JavaScript ownership and fit the browser target.
|
|
65
67
|
- Preserve visible focus, contrast, text scaling, reduced motion, and reserved space for late-loaded media.
|
|
66
68
|
- Use narrow exceptions for legacy/third-party markup, runtime geometry, rich text/prose wrappers, and urgent accessibility overrides when lower-specificity or token-based fixes cannot solve the issue.
|
|
67
69
|
|
|
@@ -77,17 +79,22 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
77
79
|
7. Use existing color, spacing, font, radius, shadow, z-index, and breakpoint tokens before adding literals.
|
|
78
80
|
8. Keep raw color values out of component CSS. Add or reuse semantic tokens for surfaces, text, borders, actions, danger states, focus, disabled states, and dark mode.
|
|
79
81
|
9. Avoid raw pixel values for typography, spacing, layout dimensions, and radius. Allow narrow values such as one-pixel borders, intrinsic icon/media dimensions, and established breakpoint tokens.
|
|
80
|
-
10. Make layout responsive through constraints, `min-width: 0`, min/max sizing, flex/grid, wrapping, gap, intrinsic media dimensions, container/media queries, and content-based rules rather than fixed viewport assumptions.
|
|
81
|
-
11.
|
|
82
|
-
12. Do not
|
|
83
|
-
13.
|
|
84
|
-
14.
|
|
85
|
-
15.
|
|
86
|
-
16.
|
|
87
|
-
17. Prefer
|
|
88
|
-
18.
|
|
89
|
-
19.
|
|
90
|
-
20.
|
|
82
|
+
10. Make layout responsive through constraints, `min-width: 0`, `min-height: 0`, min/max sizing, flex/grid, wrapping, gap, intrinsic media dimensions, container/media queries, logical properties, and content-based rules rather than fixed viewport assumptions.
|
|
83
|
+
11. Prefer named containers and container queries when a component responds to its actual slot, not the whole viewport. Keep media queries for page-level viewport decisions.
|
|
84
|
+
12. Do not set fixed width on page, section, container, card, modal, or form layouts. Do not set fixed height on components that contain text.
|
|
85
|
+
13. Use dynamic viewport units intentionally: `dvh` for current viewport height, `svh` for stable small viewport layout, and `lvh` only when the larger viewport behavior is intended. Avoid hard `100vh` for mobile app shells unless the target proves safe.
|
|
86
|
+
14. Do not use viewport-only typography. Use bounded responsive type patterns that survive small screens and large displays.
|
|
87
|
+
15. Do not use `overflow: hidden` to hide layout bugs. Allow it only for intentional clipping such as avatars, media crops, masks, or animation containers.
|
|
88
|
+
16. Reserve dimensions or aspect ratio for images, videos, iframes, ads, embeds, skeletons, fonts, and lazy content that could cause layout shift.
|
|
89
|
+
17. Prefer `:where` to keep wrapper and rich-text selector specificity low. Use `:has` only when it improves state ownership and the fallback remains usable for target browsers.
|
|
90
|
+
18. Use `content-visibility` only for offscreen or below-the-fold content whose skipped rendering will not hide focus targets, search-relevant initial content, or accessibility-critical relationships. Pair it with `contain-intrinsic-size` to avoid layout jumps.
|
|
91
|
+
19. Use `color-scheme` with theme tokens so native controls, scrollbars, and form UI match the active theme before component JavaScript runs.
|
|
92
|
+
20. Preserve visible focus, sufficient contrast, 200% text resize behavior, text-spacing stress, keyboard navigation, and reduced-motion behavior.
|
|
93
|
+
21. If hover styling changes an interactive affordance, provide a matching focus-visible affordance.
|
|
94
|
+
22. Prefer outline and outline-offset for focus indicators. Do not rely only on shadows when ancestors may clip overflow.
|
|
95
|
+
23. Respect reduced motion for parallax, large transforms, auto-scroll, route transitions, autoplay carousels, skeleton shimmer, and looping decorative animation.
|
|
96
|
+
24. Check browser compatibility before adding new CSS features. Use progressive enhancement for newly available features and avoid limited-availability features unless the project browser target allows them.
|
|
97
|
+
25. Choose configured verification intents that cover style lint, build, visual states, accessibility, and browser target risk when available.
|
|
91
98
|
|
|
92
99
|
<!-- mustflow-section: cascade-specificity-policy -->
|
|
93
100
|
## Cascade And Specificity Policy
|
|
@@ -96,6 +103,7 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
96
103
|
- Do not use IDs as styling weight. IDs are for anchors, form/ARIA relationships, or JavaScript hooks.
|
|
97
104
|
- Do not write DOM-path selectors that break when markup gains or loses a wrapper.
|
|
98
105
|
- Use low-specificity contextual selectors for rich text or CMS areas. Prefer patterns that keep specificity easy to override.
|
|
106
|
+
- Use `:where` for low-specificity grouping and `@layer` for order. Do not use `:is` or `:has` to smuggle in heavy selectors when a class boundary would be clearer.
|
|
99
107
|
- Do not add global overrides for local component problems when component-scoped styling or tokens can solve the issue.
|
|
100
108
|
- New `!important` requires an explicit exception for immutable third-party/legacy markup, third-party inline style override, urgent accessibility protection, or equivalent narrow reason.
|
|
101
109
|
|
|
@@ -107,6 +115,7 @@ Preserve cascade order, specificity discipline, resilient responsive layout, des
|
|
|
107
115
|
- Prefer min-height, padding, and line-height over fixed height for text-containing controls.
|
|
108
116
|
- Prefer content-based layout, flex/grid, `minmax`, wrapping, and `clamp` over breakpoint patching.
|
|
109
117
|
- Avoid `100vw` except for deliberate full-bleed designs; otherwise prefer normal containing-block width.
|
|
118
|
+
- Avoid `100vh` for mobile app shells when browser chrome can change the visual viewport. Choose `dvh`, `svh`, or a layout-owned min-height intentionally.
|
|
110
119
|
- Avoid absolute positioning for normal document flow. Use it only for overlays, decorative placement, controls anchored to known boxes, or measured geometry.
|
|
111
120
|
|
|
112
121
|
<!-- mustflow-section: token-accessibility-policy -->
|
|
@@ -151,6 +160,7 @@ Reject the change when:
|
|
|
151
160
|
- It uses fixed width for containers or fixed height for text-containing UI.
|
|
152
161
|
- It hides layout bugs with `overflow: hidden`.
|
|
153
162
|
- It adds unsized media, embeds, ads, or lazy content that can shift layout.
|
|
163
|
+
- It uses `content-visibility` without an intrinsic-size fallback or on content that must be immediately reachable.
|
|
154
164
|
- It hardcodes raw component colors, spacing, font sizes, radius, or shadows without an exception.
|
|
155
165
|
- It removes focus styling, creates hover-only affordances, or clips the focus indicator.
|
|
156
166
|
- It adds motion without reduced-motion behavior.
|