mustflow 2.32.0 → 2.38.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/api/actions.js +55 -0
- package/dist/cli/commands/api/report-runner.js +62 -0
- package/dist/cli/commands/api/serve.js +149 -0
- package/dist/cli/commands/api/workspace-recommendations.js +13 -0
- package/dist/cli/commands/api.js +15 -275
- package/dist/cli/lib/local-index/search-read-model.js +44 -7
- package/dist/cli/lib/validation/frontmatter.js +75 -0
- package/dist/cli/lib/validation/index.js +4 -86
- package/dist/cli/lib/validation/safe-read.js +13 -0
- package/dist/core/active-run-locks.js +110 -10
- package/dist/core/run-performance-history.js +14 -1
- package/dist/core/validation-ratchet.js +1 -1
- package/package.json +1 -1
- package/templates/default/i18n.toml +61 -19
- package/templates/default/locales/en/.mustflow/docs/agent-workflow.md +15 -7
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +21 -8
- package/templates/default/locales/en/.mustflow/skills/adapter-boundary/SKILL.md +9 -2
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +249 -0
- package/templates/default/locales/en/.mustflow/skills/api-contract-change/SKILL.md +16 -11
- package/templates/default/locales/en/.mustflow/skills/auth-permission-change/SKILL.md +11 -4
- package/templates/default/locales/en/.mustflow/skills/backend-reliability-change/SKILL.md +289 -0
- package/templates/default/locales/en/.mustflow/skills/css-code-change/SKILL.md +24 -14
- package/templates/default/locales/en/.mustflow/skills/dependency-upgrade-review/SKILL.md +18 -7
- package/templates/default/locales/en/.mustflow/skills/frontend-render-stability/SKILL.md +144 -0
- package/templates/default/locales/en/.mustflow/skills/go-code-change/SKILL.md +70 -18
- package/templates/default/locales/en/.mustflow/skills/html-code-change/SKILL.md +20 -13
- package/templates/default/locales/en/.mustflow/skills/http-delivery-streaming/SKILL.md +205 -0
- package/templates/default/locales/en/.mustflow/skills/performance-budget-check/SKILL.md +9 -7
- package/templates/default/locales/en/.mustflow/skills/powershell-code-change/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/proactive-risk-surfacing/SKILL.md +198 -0
- package/templates/default/locales/en/.mustflow/skills/python-code-change/SKILL.md +27 -11
- package/templates/default/locales/en/.mustflow/skills/routes.toml +43 -1
- package/templates/default/locales/en/.mustflow/skills/rust-code-change/SKILL.md +41 -17
- package/templates/default/locales/en/.mustflow/skills/service-boundary-architecture/SKILL.md +167 -0
- package/templates/default/locales/en/.mustflow/skills/tailwind-code-change/SKILL.md +37 -23
- package/templates/default/locales/en/.mustflow/skills/tauri-code-change/SKILL.md +27 -10
- package/templates/default/locales/en/.mustflow/skills/typescript-code-change/SKILL.md +22 -4
- package/templates/default/locales/en/.mustflow/skills/unocss-code-change/SKILL.md +34 -15
- package/templates/default/locales/en/.mustflow/skills/version-freshness-check/SKILL.md +29 -5
- package/templates/default/locales/en/AGENTS.md +3 -2
- package/templates/default/locales/ko/.mustflow/docs/agent-workflow.md +13 -8
- package/templates/default/locales/ko/AGENTS.md +2 -2
- package/templates/default/manifest.toml +44 -1
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.dependency-upgrade-review
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: dependency-upgrade-review
|
|
9
|
-
description: Apply this skill when dependency versions, lockfiles, package manager metadata, security advisory fixes, generated dependency outputs, runtime engine constraints, peer dependency contracts, framework plugins, CI actions, Docker base images, or toolchain versions are upgraded, downgraded, pinned, widened, regenerated, reviewed, or reported.
|
|
9
|
+
description: Apply this skill when dependency versions, lockfiles, package manager metadata, security advisory fixes, generated dependency outputs, runtime engine constraints, Python runtime support, peer dependency contracts, framework plugins, TypeScript compiler tracks, CI actions, Docker base images, or toolchain versions are upgraded, downgraded, pinned, widened, regenerated, reviewed, or reported.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -39,6 +39,8 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
39
39
|
- A security advisory, vulnerability scanner, Dependabot, Renovate, package audit, language audit, CI action update, Docker base image update, framework plugin update, formatter/linter/bundler update, ORM update, code generator update, protobuf/OpenAPI generator update, or toolchain update is reviewed or applied.
|
|
40
40
|
- A task claims a dependency change is "only patch", "only devDependency", "safe minor", "security-only", "transitive only", "lockfile only", or "no runtime change".
|
|
41
41
|
- A dependency update touches installation, publish output, generated clients, SDKs, native binaries, browser bundles, serverless or edge runtime, ESM/CJS/module format, Python markers, Go module graph, Cargo features, JVM dependency mediation, .NET target frameworks, Ruby/PHP/Swift lockfiles, Docker images, or CI actions.
|
|
42
|
+
- A Python runtime support floor, CI matrix, container image, `requires-python`, standard-library feature expectation, or security-default expectation changes as part of an upgrade.
|
|
43
|
+
- A TypeScript upgrade touches TypeScript 6 transition deprecations, TypeScript 7 native preview, `@typescript/native-preview`, `tsgo`, compiler API consumers, declaration emit, framework typecheck wrappers, or editor language-service behavior.
|
|
42
44
|
|
|
43
45
|
<!-- mustflow-section: do-not-use-when -->
|
|
44
46
|
## Do Not Use When
|
|
@@ -92,11 +94,15 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
92
94
|
9. Review the lockfile as a graph, not a blob. Check direct and transitive replacements, newly introduced packages, removed packages, optional/platform packages, source URLs, integrity or checksum changes, peer resolution, engine requirements, native prebuilds, and postinstall or lifecycle scripts.
|
|
93
95
|
10. Review runtime boundaries that dependency upgrades commonly break: ESM/CJS and package `type`, `exports` and conditional exports, browser/node/edge conditions, Node engine support, Python dependency markers and extras, Go module path changes, Cargo feature unification, native builds, SSR/client split, WebView/native split, and generated client or SDK types.
|
|
94
96
|
11. Treat framework, plugin, code generator, formatter, linter, bundler, ORM, protobuf, OpenAPI, GraphQL, database driver, and test-runner upgrades as behavior changes when their output, config schema, plugin API, CLI flags, or generated code can change.
|
|
95
|
-
12. For
|
|
96
|
-
13. For
|
|
97
|
-
14.
|
|
98
|
-
15.
|
|
99
|
-
16.
|
|
97
|
+
12. For Python runtime upgrades, treat `requires-python`, CI matrices, base images, dependency markers, wheels, packaging output, standard-library API availability, and security-default changes as one compatibility contract. Review version-gated standard-library usage and changed defaults before assuming the upgrade is only a dependency resolution change.
|
|
98
|
+
13. For Python upgrades that adopt newer standard-library behavior, call out affected paths such as archive extraction, subprocess handling, async lifecycle, import/resource loading, typing surfaces, data-class shapes, and diagnostic flags. Keep fallbacks or compatibility wording when the repository still supports older interpreters.
|
|
99
|
+
14. For TypeScript upgrades, classify the compiler track explicitly: stable `typescript` and `tsc`, TypeScript 6 transition release, TypeScript 7 native preview via `@typescript/native-preview` and `tsgo`, editor extension preview, or framework-owned wrapper. Do not treat a native preview package as a stable replacement for the `typescript` package unless the repository policy says so.
|
|
100
|
+
15. For TypeScript 6, review deprecations as future TypeScript 7 removals. For TypeScript 7 native preview, review unsupported compiler API, transformer, language-service plugin, watch/incremental, declaration emit, framework wrapper, and generated-output risks before changing dependency declarations or scripts.
|
|
101
|
+
16. For new dependencies introduced by the upgrade, invoke the `dependency-reality-check` decision path: license, maintainer risk, provenance, lifecycle scripts, binary downloads, package age, transitive size, supply-chain risk, and replacement path.
|
|
102
|
+
17. For Docker base images and CI actions, review them as dependencies. Check image/action source, version pinning policy, digest use when required, runtime version changes, security patch reason, cache impact, and deployment smoke coverage.
|
|
103
|
+
18. Synchronize dependent surfaces: generated code, snapshots, mocks, fixtures, examples, SDK clients, OpenAPI or GraphQL artifacts, README install guidance, migration docs, changelog, Docker/CI docs, and package publish metadata.
|
|
104
|
+
19. Select verification from the command contract based on risk. Patch and narrow transitive changes can use focused checks when they cover the touched path; major, framework, runtime-engine, generated-output, security-sensitive, Docker, CI-action, Python runtime, or TypeScript compiler-track updates need broader checks.
|
|
105
|
+
20. Report skipped checks explicitly. If the command contract lacks a dependency graph, package verification, Python runtime matrix, TypeScript declaration, or compiler-comparison intent, do not invent raw package-manager commands; report the missing configured intent.
|
|
100
106
|
|
|
101
107
|
<!-- mustflow-section: postconditions -->
|
|
102
108
|
## Postconditions
|
|
@@ -105,6 +111,8 @@ Review dependency upgrades as runtime, build, security, package, and generated-o
|
|
|
105
111
|
- The lockfile and declaration files agree.
|
|
106
112
|
- Direct and transitive changes are understood, not hidden behind lockfile volume.
|
|
107
113
|
- Runtime engine, peer dependency, optional/platform package, feature, module-format, generated-output, and publish-surface risks are classified.
|
|
114
|
+
- Python runtime upgrades classify standard-library availability, changed defaults, packaging output, and security-behavior impact.
|
|
115
|
+
- TypeScript compiler-track changes distinguish stable compiler upgrades from native-preview comparison work.
|
|
108
116
|
- Security fixes are narrow unless the user explicitly accepted a broader modernization.
|
|
109
117
|
- Tests and scanners were not weakened to pass the upgrade.
|
|
110
118
|
|
|
@@ -134,6 +142,7 @@ Prefer the narrowest configured intent that proves the actual upgraded dependenc
|
|
|
134
142
|
- If tests fail after an upgrade, do not delete tests, skip tests, loosen assertions, lower coverage, disable scanners, or widen permissions unless the behavior contract intentionally changed and the report says so.
|
|
135
143
|
- If a security upgrade requires broad modernization, split the minimum patch from the modernization when possible.
|
|
136
144
|
- If generated output changes, regenerate from the official generator path and explain the generated diff. Do not hand-edit generated dependency output.
|
|
145
|
+
- If TypeScript 7 native preview is introduced, keep stable TypeScript verification unless the repository explicitly adopts the preview path and all compiler API, framework wrapper, declaration, and generated-output risks are covered.
|
|
137
146
|
- If configured verification is missing, report the missing command intent instead of inferring a package-manager command.
|
|
138
147
|
|
|
139
148
|
<!-- mustflow-section: output-format -->
|
|
@@ -144,6 +153,8 @@ Prefer the narrowest configured intent that proves the actual upgraded dependenc
|
|
|
144
153
|
- Direct and transitive graph changes
|
|
145
154
|
- Compatibility classification: patch, minor, major, pre-1.0, security, toolchain, generated-output, Docker, or CI action
|
|
146
155
|
- Runtime, peer, engine, module, feature, platform, generated-output, and publish-surface risks
|
|
156
|
+
- Python runtime, standard-library, packaging, and changed-default risks when relevant
|
|
157
|
+
- TypeScript compiler-track and native-preview risks when relevant
|
|
147
158
|
- Security advisory and fixed-range notes when relevant
|
|
148
159
|
- Surfaces synchronized
|
|
149
160
|
- Command intents run
|
|
@@ -0,0 +1,144 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.frontend-render-stability
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 2
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: frontend-render-stability
|
|
9
|
+
description: Apply this skill when frontend navigation flicker, theme flash, hydration flash, blank initial render, unstable loading shell, route transition jank, BFCache breakage, browser-native navigation regression, or first-paint instability is reported, created, edited, reviewed, or verified.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.frontend-render-stability
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- docs_validate_fast
|
|
22
|
+
- mustflow_check
|
|
23
|
+
---
|
|
24
|
+
|
|
25
|
+
# Frontend Render Stability
|
|
26
|
+
|
|
27
|
+
<!-- mustflow-section: purpose -->
|
|
28
|
+
## Purpose
|
|
29
|
+
|
|
30
|
+
Diagnose and fix visible frontend instability by proving which layer flashes first: document navigation, theme or CSS application, hydration, first-render data, loading layout, font or media loading, or view-transition behavior.
|
|
31
|
+
|
|
32
|
+
This skill is symptom-first. It is not an Astro, SvelteKit, CSS, or performance checklist by itself. Use it to decide the root cause order, then activate the narrower framework, markup, CSS, UI, or performance skill before editing that surface.
|
|
33
|
+
|
|
34
|
+
<!-- mustflow-section: use-when -->
|
|
35
|
+
## Use When
|
|
36
|
+
|
|
37
|
+
- A user reports page flicker, theme flash, flash of unstyled content, dark-mode flash, blank page before content, hydration flash, route transition jank, state loss across navigation, layout shift during loading, or slow first visible render.
|
|
38
|
+
- A change adds, removes, or reviews client-side routing, view transitions, prefetching, shared layouts, persistent shells, early theme initialization, root HTML templates, hydration boundaries, skeletons, font loading, or first-render data flow.
|
|
39
|
+
- An Astro, SvelteKit, React, Vue, or other frontend app needs evidence that navigation keeps the common UI and theme stable instead of replacing the whole document unnecessarily.
|
|
40
|
+
- Browser-only state, local storage, cookies, media queries, locale, time, randomness, or async client effects affect initial HTML, hydration, or theme selection.
|
|
41
|
+
- A change may replace browser-native navigation, form submission, history, scrolling, focus restoration, BFCache eligibility, event delivery, or image/font loading with JavaScript behavior.
|
|
42
|
+
|
|
43
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
44
|
+
## Do Not Use When
|
|
45
|
+
|
|
46
|
+
- The task is ordinary visual polish with no navigation, first-paint, hydration, loading, or route-transition symptom; use `ui-quality-gate` or `css-code-change`.
|
|
47
|
+
- The task is only framework-specific routing, content, or data behavior with no visible instability; use the matching framework skill.
|
|
48
|
+
- The change is purely backend performance, database latency, or queue throughput with no browser render impact; use `performance-budget-check`.
|
|
49
|
+
- A configured browser, visual, or performance verification intent is missing. Do not invent ad hoc dev-server, watcher, or browser-session steps inside this skill; report the missing intent.
|
|
50
|
+
|
|
51
|
+
<!-- mustflow-section: required-inputs -->
|
|
52
|
+
## Required Inputs
|
|
53
|
+
|
|
54
|
+
- Symptom description, affected routes, whether it happens on first load, client-side navigation, hard reload, theme toggle, slow network, reduced motion, or reduced data.
|
|
55
|
+
- App framework, version signals, root HTML or layout files, route/link components, router configuration, root CSS, theme initialization, font loading, and affected components.
|
|
56
|
+
- Evidence from current files or allowed verification showing whether navigation requests a new document, whether the shared shell persists, and when theme and CSS are applied.
|
|
57
|
+
- Data-loading ownership for above-the-fold content: SSR or static data, route load function, streamed data, client effect, store initialization, or browser-only fetch.
|
|
58
|
+
- Native browser contracts affected by the change: anchors, forms, history, scroll restoration, focus, BFCache, HTTP cache, service worker, preload hints, passive event listeners, Pointer Events, ResizeObserver, IntersectionObserver, or abortable requests.
|
|
59
|
+
- Configured verification intents and any project-approved visual, browser, or build checks.
|
|
60
|
+
|
|
61
|
+
<!-- mustflow-section: preconditions -->
|
|
62
|
+
## Preconditions
|
|
63
|
+
|
|
64
|
+
- Higher-priority instructions and the command contract have been checked.
|
|
65
|
+
- The symptom is tied to a visible render, navigation, first-paint, or loading behavior, not only subjective animation preference.
|
|
66
|
+
- Framework-specific API names and browser features are verified against project dependencies or current official documentation before relying on them in code or durable docs.
|
|
67
|
+
- Any external advice, snippets, or AI output is treated as input, not authority.
|
|
68
|
+
|
|
69
|
+
<!-- mustflow-section: allowed-edits -->
|
|
70
|
+
## Allowed Edits
|
|
71
|
+
|
|
72
|
+
- Root HTML templates, app shells, layouts, route links, router configuration, early theme scripts, root CSS, theme tokens, font and media loading hints, skeleton or loading state layout, hydration boundaries, route data loaders, and tests or docs directly tied to render stability.
|
|
73
|
+
- Browser-native behavior restoration such as semantic links/forms, reserved media geometry, `fetchpriority` where appropriate, passive event listeners, abortable stale requests, focus restoration, BFCache-safe lifecycle handling, and reduced JavaScript work before first paint.
|
|
74
|
+
- Framework-specific edits only after using the matching skill, such as `astro-code-change`, `svelte-code-change`, `html-code-change`, `css-code-change`, or `ui-quality-gate`.
|
|
75
|
+
- Keep fixes local to the proven instability layer. Do not migrate frameworks, disable SSR, convert the app to an SPA, add a client router, add animation libraries, or broaden preload behavior without evidence and a reported tradeoff.
|
|
76
|
+
|
|
77
|
+
<!-- mustflow-section: procedure -->
|
|
78
|
+
## Procedure
|
|
79
|
+
|
|
80
|
+
1. Classify the symptom by phase: hard reload, same-document navigation, cross-document navigation, first paint, hydration, data arrival, loading placeholder, font swap, media load, theme toggle, or view-transition animation.
|
|
81
|
+
2. Prove or rule out a full document reload before optimizing animation. Inspect link behavior and router configuration first. In browser evidence, a new `document` request during an internal navigation usually means the shared shell, CSS, and theme are being replaced.
|
|
82
|
+
3. If full reload is not intended, inspect the framework-native navigation path before adding custom JavaScript:
|
|
83
|
+
- Astro: check whether `<ClientRouter />` is intentionally present, whether links opt out with `data-astro-reload`, whether persistent shared UI needs `transition:persist`, whether `astro:before-swap` or `astro:after-swap` must preserve theme state, and whether prefetch policy is bounded.
|
|
84
|
+
- SvelteKit: check whether internal links or GET forms are using normal SvelteKit navigation, whether `data-sveltekit-reload`, `rel="external"`, or direct `window.location` forces a reload, whether `data-sveltekit-preload-data` or `data-sveltekit-preload-code` is appropriate, and whether `onNavigate` view-transition work can finish quickly.
|
|
85
|
+
- Other frameworks: use their native router, layout persistence, and preload primitives before adding a second navigation layer.
|
|
86
|
+
4. If the symptom is a theme or color flash, inspect first-paint ordering. Theme state that changes global colors must be applied on `document.documentElement` before first paint when possible, with `color-scheme`, root `html, body` backgrounds, and CSS tokens matching the same state. Do not rely on component mount or a late store subscription for initial theme.
|
|
87
|
+
5. If CSP is active, check the framework's supported nonce, hash, or template mechanism before adding inline early scripts. Do not weaken CSP just to hide a flash.
|
|
88
|
+
6. If hydration flashes or mismatches appear, compare server-rendered markup with first client state. Remove time, randomness, locale, timezone, viewport, localStorage, and browser-only values from SSR-visible initial markup unless they are serialized or guarded with an intentional placeholder.
|
|
89
|
+
7. If above-the-fold content appears blank until client effects run, move first-render data to the framework's route loader, server data, static generation, or serialized initial data when that matches secrecy and freshness rules. Use client effects for enhancement, subscriptions, and browser-only work, not required initial page data.
|
|
90
|
+
8. If a client effect fetches required first-screen data, check whether it can move to server/static/route data. When it must stay client-side, abort stale requests, ignore obsolete responses, and keep the previous stable shell until the new result is ready.
|
|
91
|
+
9. If loading UI shifts layout, reserve final geometry for skeletons, images, videos, embeds, ads, fonts, and lazy content. Loading states should preserve the app shell and task context rather than replacing the page with an unrelated blank screen.
|
|
92
|
+
10. For LCP media, avoid accidental lazy loading, reserve dimensions, and use project-approved priority hints only for the actual first-viewport candidate. Do not preload every hero-like asset.
|
|
93
|
+
11. Check whether JavaScript replaced a browser-native contract. Prefer anchors for navigation, forms for form submission, CSS for simple states, native scroll behavior where acceptable, Pointer Events over duplicate mouse/touch stacks, passive listeners for scroll-blocking inputs, and observers over polling.
|
|
94
|
+
12. Preserve BFCache and history behavior where possible. Avoid unconditional `unload` handlers, global synchronous storage work during navigation, and stale global state that assumes every navigation creates a fresh document.
|
|
95
|
+
13. If view transitions are used, treat motion as progressive enhancement. Keep names unique where required, avoid duplicate rendered `view-transition-name` values, respect reduced motion, and disable or narrow transitions that conceal content state changes or stall navigation.
|
|
96
|
+
14. Check font and CSS delivery only after document reload, theme order, hydration, and data timing are understood. Use project-approved font loading, preloads, `font-display`, and root background policies without bypassing existing asset strategy.
|
|
97
|
+
15. Choose the narrowest configured verification intents that cover the changed layer. If a real browser, visual diff, network-panel, throttled-load, BFCache, or INP check would be required but no configured one-shot intent exists, report that gap instead of claiming visual proof.
|
|
98
|
+
|
|
99
|
+
<!-- mustflow-section: postconditions -->
|
|
100
|
+
## Postconditions
|
|
101
|
+
|
|
102
|
+
- The report names the proven or most likely instability layer and the layers ruled out.
|
|
103
|
+
- Navigation behavior is intentional: full document reload is either removed, preserved with a reason, or reported as an unresolved product decision.
|
|
104
|
+
- Theme, CSS, font, hydration, data, loading, and transition changes preserve accessibility, reduced motion, state ownership, and framework boundaries.
|
|
105
|
+
- Native browser contracts are preserved, restored, or explicitly traded off with a reason.
|
|
106
|
+
- Any framework-specific changes have used the matching framework skill.
|
|
107
|
+
- Visual verification is current and explicit, or the missing configured visual/browser intent is reported.
|
|
108
|
+
|
|
109
|
+
<!-- mustflow-section: verification -->
|
|
110
|
+
## Verification
|
|
111
|
+
|
|
112
|
+
Use configured oneshot command intents when available:
|
|
113
|
+
|
|
114
|
+
- `changes_status`
|
|
115
|
+
- `changes_diff_summary`
|
|
116
|
+
- `lint`
|
|
117
|
+
- `build`
|
|
118
|
+
- `test_related`
|
|
119
|
+
- `docs_validate_fast`
|
|
120
|
+
- `mustflow_check`
|
|
121
|
+
|
|
122
|
+
Use broader configured tests only when route behavior, SSR/client boundaries, public docs, templates, or shared UI contracts change. Use visual or browser verification only through configured one-shot intents or an explicit user-approved workflow.
|
|
123
|
+
|
|
124
|
+
<!-- mustflow-section: failure-handling -->
|
|
125
|
+
## Failure Handling
|
|
126
|
+
|
|
127
|
+
- If the symptom cannot be reproduced from current evidence, report the reproduction gap and avoid adding speculative router, animation, or preload code.
|
|
128
|
+
- If the fix would require a new router, SSR disablement, framework migration, CSP weakening, global preload policy, or development server workflow, stop and report the architectural or command-contract decision needed.
|
|
129
|
+
- If JavaScript is fighting browser defaults, remove the unnecessary ownership first before adding more lifecycle hooks, timers, polling, or global state.
|
|
130
|
+
- If official framework docs conflict with snippets or older advice, follow the current project version and official docs, then report the source-freshness boundary.
|
|
131
|
+
- If verification fails after a render-stability change, use `failure-triage` before broadening the fix.
|
|
132
|
+
- If the route is stable but visual polish remains, hand off to `ui-quality-gate` or `css-code-change` instead of expanding this skill.
|
|
133
|
+
|
|
134
|
+
<!-- mustflow-section: output-format -->
|
|
135
|
+
## Output Format
|
|
136
|
+
|
|
137
|
+
- Symptom and affected phase
|
|
138
|
+
- Evidence inspected
|
|
139
|
+
- Instability layer found or ruled out
|
|
140
|
+
- Framework-specific skills used
|
|
141
|
+
- Files changed
|
|
142
|
+
- Command intents run
|
|
143
|
+
- Skipped visual or browser checks and reason
|
|
144
|
+
- Remaining render-stability risk
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.go-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: go-code-change
|
|
9
|
-
description: Apply this skill when Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, tests, or generated code boundaries are created or changed.
|
|
9
|
+
description: Apply this skill when Go source, modules, package APIs, interfaces, errors, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem roots, network addresses, runtime limits, benchmarks, tests, tools, or generated code boundaries are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -28,13 +28,14 @@ metadata:
|
|
|
28
28
|
<!-- mustflow-section: purpose -->
|
|
29
29
|
## Purpose
|
|
30
30
|
|
|
31
|
-
Preserve Go package, module, API, error, context, concurrency, and test boundaries without adding needless abstraction.
|
|
31
|
+
Preserve Go package, module, API, error, context, concurrency, runtime, HTTP, JSON, filesystem, and test boundaries without adding needless abstraction.
|
|
32
32
|
|
|
33
33
|
<!-- mustflow-section: use-when -->
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
|
-
- `.go`, `go.mod`, `go.sum`, `go.work`, build tags, generated code, public package API, tests, benchmarks, goroutines, channels,
|
|
37
|
-
- The task touches interfaces, error wrapping, package structure, concurrency ownership, or module dependencies.
|
|
36
|
+
- `.go`, `go.mod`, `go.sum`, `go.work`, build tags, generated code, public package API, tests, benchmarks, goroutines, channels, context propagation, HTTP clients or servers, reverse proxies, JSON encoding, filesystem access, network addresses, runtime tuning, tools, or module dependencies change.
|
|
37
|
+
- The task touches interfaces, error wrapping, package structure, concurrency ownership, cancellation, timeout policy, memory limits, race-sensitive code, benchmark measurement, or module dependencies.
|
|
38
|
+
- Code or docs use Go-version-gated features such as expression operands to `new`, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `os.Root` or `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, experimental `GOEXPERIMENT` features, or newer runtime defaults.
|
|
38
39
|
|
|
39
40
|
<!-- mustflow-section: do-not-use-when -->
|
|
40
41
|
## Do Not Use When
|
|
@@ -48,6 +49,8 @@ Preserve Go package, module, API, error, context, concurrency, and test boundari
|
|
|
48
49
|
- `go.mod`, `go.sum`, `go.work`, build tooling, lint config, and CI hints.
|
|
49
50
|
- All files in the changed package, including `_test.go`, build-tagged files, examples, and generated-file markers.
|
|
50
51
|
- The public API surface when exported identifiers, errors, or package paths change.
|
|
52
|
+
- Runtime and deployment context when the change touches HTTP, goroutines, timers, memory, `GOMAXPROCS`, cgroups, race detection, PGO, profiling, or container behavior.
|
|
53
|
+
- Minimum supported Go version, `go` directive, `toolchain` directive, `GOEXPERIMENT`, and whether the feature is stable, experimental, or repository-pinned.
|
|
51
54
|
- Configured verification intents.
|
|
52
55
|
|
|
53
56
|
<!-- mustflow-section: preconditions -->
|
|
@@ -56,6 +59,7 @@ Preserve Go package, module, API, error, context, concurrency, and test boundari
|
|
|
56
59
|
- Inspect the whole package before adding names or methods.
|
|
57
60
|
- Determine whether the change affects exported API, concurrency ownership, or dependency graph.
|
|
58
61
|
- Identify generated files and avoid direct edits unless explicitly requested.
|
|
62
|
+
- If a Go release, "latest Go", standard-library feature, runtime default, experimental package, or toolchain claim is written durably, use `version-freshness-check` and official Go sources.
|
|
59
63
|
|
|
60
64
|
<!-- mustflow-section: allowed-edits -->
|
|
61
65
|
## Allowed Edits
|
|
@@ -66,13 +70,19 @@ Preserve Go package, module, API, error, context, concurrency, and test boundari
|
|
|
66
70
|
- Preserve context propagation across API and goroutine boundaries.
|
|
67
71
|
- Return actionable errors and wrap causes when callers need `errors.Is` or `errors.As`.
|
|
68
72
|
- Add table-driven tests when they clarify behavior.
|
|
73
|
+
- Keep runtime and deployment tuning close to the process owner; do not hide memory, CPU, timeout, or profiling policy in unrelated helpers.
|
|
69
74
|
|
|
70
75
|
<!-- mustflow-section: procedure -->
|
|
71
76
|
## Procedure
|
|
72
77
|
|
|
73
78
|
1. Read module files, package files, tests, build tags, and generated-code markers.
|
|
74
|
-
2. Classify the change as package API, internal implementation, dependency, error behavior, context flow, concurrency, or test-only.
|
|
75
|
-
3. Check
|
|
79
|
+
2. Classify the change as package API, internal implementation, dependency, error behavior, context flow, concurrency, HTTP or proxy behavior, JSON encoding, filesystem safety, runtime or deployment behavior, benchmark, tooling, or test-only.
|
|
80
|
+
3. Check the Go version contract before using newer syntax or APIs:
|
|
81
|
+
- treat the `go` directive as a language and module compatibility switch, not decoration;
|
|
82
|
+
- do not use `new(expr)`, `errors.AsType`, `sync.WaitGroup.Go`, `testing/synctest`, `testing.B.Loop`, `os.Root`, `os.OpenInRoot`, `omitzero`, `go.mod` `tool`, `go fix` modernizers, `encoding/json/v2`, or any `GOEXPERIMENT` feature unless the repository's supported Go version and build path allow it;
|
|
83
|
+
- distinguish stable standard-library APIs from experimental APIs that require `GOEXPERIMENT`;
|
|
84
|
+
- when `go.mod` or `go.work` changes, report language-version, module-graph, toolchain, and downstream support impact.
|
|
85
|
+
4. Check package boundaries before adding a package or interface:
|
|
76
86
|
- reject shared bucket packages named `common`, `util`, `types`, `interfaces`, `api`, or `models` unless the repository already has a specific local convention with a narrower meaning;
|
|
77
87
|
- put an interface in the package that consumes the methods, not in the package that merely implements them;
|
|
78
88
|
- create an interface only after a real consumer needs that exact method set;
|
|
@@ -80,41 +90,79 @@ Preserve Go package, module, API, error, context, concurrency, and test boundari
|
|
|
80
90
|
- reject provider-side interfaces that exist only for mocks;
|
|
81
91
|
- reject provider constructors that return interfaces by default; prefer concrete exported types such as `*Client`, `*Store`, or `*Service`;
|
|
82
92
|
- verify that a package split reduces a real dependency direction problem or creates a coherent capability instead of hiding imports.
|
|
83
|
-
|
|
93
|
+
5. If exported identifiers or package paths change, classify the public API impact:
|
|
84
94
|
- treat exported functions, variables, constants, types, methods, struct fields, interfaces, interface method sets, sentinel errors, typed errors, module path, package import path, and minimum Go version as contracts;
|
|
85
95
|
- assume exported symbols in a v1+ module are public API unless the package is internal or local evidence proves otherwise;
|
|
86
96
|
- do not remove, rename, or change exported signatures, exported field types, exported interface methods, or observable error behavior without an explicit breaking-change plan;
|
|
87
97
|
- adding a method to an exported interface is breaking for external implementations even when adding a method to a concrete type would be safe.
|
|
88
|
-
|
|
98
|
+
6. Preserve error contracts:
|
|
89
99
|
- use `errors.Is` and `errors.As` semantics as observable API when documented or already tested;
|
|
90
100
|
- do not compare error strings;
|
|
91
101
|
- do not expose dependency sentinel or typed errors through wrapping unless the package intentionally supports them as API;
|
|
92
102
|
- treat a change between observable wrapping and non-observable formatting as API-sensitive;
|
|
103
|
+
- use `errors.AsType` only when the supported Go version allows it and the shorter form preserves the same typed-error contract;
|
|
93
104
|
- add tests for documented sentinel or typed errors when the error behavior changes.
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
105
|
+
7. If goroutines or channels change, name the owner, stop condition, cancellation path, wait path, error path, close responsibility, and test synchronization.
|
|
106
|
+
8. Choose the right goroutine primitive:
|
|
107
|
+
- use `sync.WaitGroup.Go` only for tasks that do not return errors and must not panic;
|
|
108
|
+
- use an errgroup-style boundary when work needs error propagation, context cancellation, or concurrency limits;
|
|
109
|
+
- do not hand-roll `WaitGroup` plus error channel plus cancellation plus semaphore unless the local code already owns that exact pattern and tests cover it;
|
|
110
|
+
- treat buffered-channel semaphores as semantic backpressure, not just a performance knob; changing capacity can change ordering and pressure;
|
|
111
|
+
- treat `TryLock` as suspicious unless skipping the work is genuinely correct and observable.
|
|
112
|
+
9. Reject fire-and-forget goroutines unless they are owned by a long-lived object with a shutdown path, joined before return, managed by a group with a wait path, or explicitly documented as safely detached.
|
|
113
|
+
10. Preserve context propagation:
|
|
97
114
|
- request-scoped functions accept `ctx` first and pass it down;
|
|
98
115
|
- do not store request context in structs;
|
|
99
116
|
- do not pass nil context;
|
|
100
117
|
- do not introduce `context.Background()` inside request or operation depth unless it is a true process root with a documented owner;
|
|
101
118
|
- derived contexts must release their cancel function on every path;
|
|
119
|
+
- use cancellation causes when callers or logs need to distinguish shutdown, rate limit, dependency timeout, parent cancellation, and explicit abort;
|
|
120
|
+
- use `context.WithoutCancel` only for short bounded cleanup such as audit or log flush work; add a fresh timeout or wait boundary because it does not inherit cancellation or deadline;
|
|
121
|
+
- when `context.AfterFunc` bridges a context-unaware API, design the stop function and completion wait separately because stopping does not wait for an already-running callback;
|
|
102
122
|
- blocking sends, receives, waits, retry loops, worker loops, and external calls must observe cancellation or be proven non-blocking.
|
|
103
|
-
|
|
123
|
+
11. Preserve channel ownership:
|
|
104
124
|
- the sender that knows all sends are complete closes the channel;
|
|
105
125
|
- receivers do not close borrowed input channels;
|
|
106
126
|
- multiple senders require a coordinator that closes only after all senders finish;
|
|
107
127
|
- cancellable pipelines must avoid permanently blocking upstream goroutines when downstream stops early.
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
128
|
+
12. Keep timeout policy at request, command, API, or operation boundaries. Do not hide arbitrary sleeps or timeouts in reusable helpers unless that helper explicitly owns the policy.
|
|
129
|
+
13. Check HTTP and proxy defaults:
|
|
130
|
+
- set deliberate `http.Client` and `http.Server` timeouts for network-facing code; zero timeout means no limit in important cases;
|
|
131
|
+
- reuse clients and transports instead of creating them per request;
|
|
132
|
+
- prefer reverse-proxy rewrite hooks over deprecated or unsafe director-style mutation when the supported Go version allows it;
|
|
133
|
+
- keep hop-by-hop header, forwarded-host, scheme, cancellation, streaming, and error-mapping behavior explicit.
|
|
134
|
+
14. Keep JSON contracts honest:
|
|
135
|
+
- choose `omitempty` versus `omitzero` deliberately, especially for `time.Time`, numeric zero, boolean false, and optional fields;
|
|
136
|
+
- use `SetEscapeHTML(false)` only when the JSON is not embedded into HTML and callers expect raw `<`, `>`, or `&`;
|
|
137
|
+
- treat `encoding/json/v2` and `jsontext` as experimental unless the repository explicitly opts into the relevant experiment and migration tests.
|
|
138
|
+
15. Check filesystem and network address helpers:
|
|
139
|
+
- use traversal-resistant root APIs when accepting user-controlled relative paths and the supported Go version provides them;
|
|
140
|
+
- do not treat `filepath.Join` plus prefix checks as sufficient against symlinks and TOCTOU;
|
|
141
|
+
- prefer `net/netip` for comparable IP addresses and map keys when supported;
|
|
142
|
+
- use `net.JoinHostPort` instead of string formatting for host and port assembly so IPv6 works.
|
|
143
|
+
16. Check runtime and deployment behavior when relevant:
|
|
144
|
+
- set `GOMEMLIMIT` or `debug.SetMemoryLimit` before tuning `GOGC` for container memory pressure, leaving headroom for non-Go memory such as cgo, mmap, and the kernel;
|
|
145
|
+
- question manual `GOMAXPROCS` pins in containers on Go versions with container-aware defaults;
|
|
146
|
+
- use PGO only with representative profiles and keep `default.pgo` ownership clear;
|
|
147
|
+
- treat goroutine leak profiling, SIMD, JSON v2, and other experiments as opt-in evidence-gathering, not default production assumptions;
|
|
148
|
+
- remember that `-race` only finds races on executed paths and carries significant overhead.
|
|
149
|
+
17. Keep tests and benchmarks deterministic:
|
|
150
|
+
- do not use elapsed real time to wait for goroutine progress; use explicit synchronization, owned lifecycle waits, fake time, `testing/synctest` when supported, or the repository's established concurrency test helper;
|
|
151
|
+
- prefer `testing.B.Loop` for new benchmarks when the supported Go version allows it, and keep setup, cleanup, allocation measurement, and compiler optimization boundaries honest.
|
|
152
|
+
18. Keep Go tools and modernization explicit:
|
|
153
|
+
- prefer the `tool` directive over `tools.go` pinning only when the repository's supported Go version allows it;
|
|
154
|
+
- use `go fix` modernizers as reviewed migrations, not silent drive-by rewrites;
|
|
155
|
+
- prefer standard-library helpers such as `min`, `max`, `clear`, `slices`, `maps`, and `cmp` over new local utility packages when the supported Go version allows them.
|
|
156
|
+
19. If dependency metadata changes, keep module files and dependent tests synchronized. Do not raise the `go` directive, add toolchain requirements, change module path, or introduce direct dependencies unless the task requires it and the final report calls out the support impact.
|
|
157
|
+
20. Choose configured verification intents that cover formatting, tests, race-sensitive behavior, lint, API drift, module drift, docs, and release metadata when available.
|
|
112
158
|
|
|
113
159
|
<!-- mustflow-section: postconditions -->
|
|
114
160
|
## Postconditions
|
|
115
161
|
|
|
116
162
|
- Package ownership and exported API impact are clear.
|
|
117
163
|
- Context, goroutine, channel, and error ownership are explicit.
|
|
164
|
+
- Go-version-gated syntax, standard-library APIs, runtime defaults, experiments, and module metadata are compatible with the repository's supported Go version.
|
|
165
|
+
- HTTP timeout, proxy, JSON, filesystem, network address, runtime, test-time, benchmark, and tool decisions are explicit where touched.
|
|
118
166
|
- Tests cover the changed behavior without sleeps as synchronization.
|
|
119
167
|
- Module drift is reported when dependency verification cannot run.
|
|
120
168
|
|
|
@@ -130,7 +178,7 @@ Use configured oneshot command intents when available:
|
|
|
130
178
|
- `docs_validate_fast`
|
|
131
179
|
- `mustflow_check`
|
|
132
180
|
|
|
133
|
-
For concurrency-sensitive changes, report whether a configured race or equivalent verification intent exists.
|
|
181
|
+
For concurrency-sensitive changes, report whether a configured race or equivalent verification intent exists. For Go-version-gated features, report whether the repository has a configured matrix, build, or test path for the selected Go version.
|
|
134
182
|
|
|
135
183
|
<!-- mustflow-section: failure-handling -->
|
|
136
184
|
## Failure Handling
|
|
@@ -140,6 +188,9 @@ For concurrency-sensitive changes, report whether a configured race or equivalen
|
|
|
140
188
|
- If a provider-side interface appears only for mocking, delete it or move a minimal interface to the consumer.
|
|
141
189
|
- If tests need sleeps for concurrency, prefer deterministic synchronization or report the gap.
|
|
142
190
|
- If a goroutine has no owner, stop condition, wait path, cancellation path, or error path, do not add it.
|
|
191
|
+
- If a newer Go feature is useful but the repository's `go` directive or CI matrix is lower, keep a fallback, defer the change, or report the required version bump instead of sneaking in the feature.
|
|
192
|
+
- If HTTP clients, servers, or proxies have no timeout or cancellation boundary, stop and make the missing policy explicit before calling the path production-ready.
|
|
193
|
+
- If JSON tag changes alter omitted fields, zero values, HTML escaping, or experimental JSON behavior, treat the change as an API contract risk.
|
|
143
194
|
- If a public error stops satisfying documented `errors.Is` or `errors.As` checks, restore the contract or report the breaking-change requirement.
|
|
144
195
|
- If wrapping would expose a dependency error as public API, keep the dependency error internal or document the intentional contract.
|
|
145
196
|
- If a generated file must change but no generator intent exists, report the missing command contract.
|
|
@@ -150,6 +201,7 @@ For concurrency-sensitive changes, report whether a configured race or equivalen
|
|
|
150
201
|
- Boundary checked
|
|
151
202
|
- Package and API impact
|
|
152
203
|
- Context/concurrency/error notes
|
|
204
|
+
- Go version, runtime, HTTP, JSON, filesystem, benchmark, and tool notes when relevant
|
|
153
205
|
- Files changed
|
|
154
206
|
- Command intents run
|
|
155
207
|
- Skipped checks and reasons
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
mustflow_doc: skill.html-code-change
|
|
3
3
|
locale: en
|
|
4
4
|
canonical: true
|
|
5
|
-
revision:
|
|
5
|
+
revision: 3
|
|
6
6
|
lifecycle: mustflow-owned
|
|
7
7
|
authority: procedure
|
|
8
8
|
name: html-code-change
|
|
9
|
-
description: Apply this skill when HTML, templates, JSX or component markup, forms, controls, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed.
|
|
9
|
+
description: Apply this skill when HTML, templates, JSX or component markup, native forms, controls, popovers, dialogs, navigation, tables, media, metadata, SEO head content, or structured data are created or changed.
|
|
10
10
|
metadata:
|
|
11
11
|
mustflow_schema: "1"
|
|
12
12
|
mustflow_kind: procedure
|
|
@@ -34,7 +34,7 @@ Preserve semantic structure, native controls, keyboard access, focus behavior, f
|
|
|
34
34
|
## Use When
|
|
35
35
|
|
|
36
36
|
- `.html`, JSX, TSX, Vue, Svelte, Astro, or template markup changes.
|
|
37
|
-
- The task touches layout landmarks, headings, forms, buttons, links, dialogs, menus, tabs, accordions, custom selects, composite widgets, tables, media, metadata, canonical links, Open Graph, robots, hreflang, viewport, or JSON-LD.
|
|
37
|
+
- The task touches layout landmarks, headings, forms, buttons, links, popovers, dialogs, menus, tabs, accordions, custom selects, composite widgets, tables, media, metadata, canonical links, Open Graph, robots, hreflang, viewport, or JSON-LD.
|
|
38
38
|
|
|
39
39
|
<!-- mustflow-section: do-not-use-when -->
|
|
40
40
|
## Do Not Use When
|
|
@@ -48,6 +48,7 @@ Preserve semantic structure, native controls, keyboard access, focus behavior, f
|
|
|
48
48
|
- Existing page layout, document shell, head/SEO helpers, metadata builders, canonical URL helpers, sitemap or robots config, form components, interactive control components, and tests.
|
|
49
49
|
- Target framework conventions for rendering, routing, hydration, and metadata.
|
|
50
50
|
- Visible page content, H1 or primary title, main entity, locale, indexing intent, and data sources for title, description, image, author, date, price, rating, availability, and FAQ content when metadata changes.
|
|
51
|
+
- Browser-native behavior expected from the markup: navigation, form submission, validation, autocomplete, input modality, popover behavior, dialog focus, inert background handling, media sizing, lazy loading, and history integration.
|
|
51
52
|
- Accessibility and validation tooling declared in the command contract.
|
|
52
53
|
|
|
53
54
|
<!-- mustflow-section: preconditions -->
|
|
@@ -63,6 +64,7 @@ Preserve semantic structure, native controls, keyboard access, focus behavior, f
|
|
|
63
64
|
|
|
64
65
|
- Use semantic landmarks, headings, native links, native buttons, and native form controls where possible.
|
|
65
66
|
- Connect labels, help text, error text, required state, autocomplete, and input type explicitly.
|
|
67
|
+
- Use native validation, input modes, popovers, dialogs, details/summary, and inert behavior when they fit the intended interaction and browser target.
|
|
66
68
|
- Keep metadata and structured data consistent with visible page content.
|
|
67
69
|
- Add ARIA only when native semantics cannot express the control and the required role, state, keyboard, and focus behavior are implemented.
|
|
68
70
|
|
|
@@ -77,16 +79,19 @@ Preserve semantic structure, native controls, keyboard access, focus behavior, f
|
|
|
77
79
|
6. Reject clickable `div` or `span` controls, clickable icons without buttons, anchors without `href`, links used as buttons, nested interactive controls, positive `tabindex`, focusable `aria-hidden` content, and focus outline removal without a replacement focus style.
|
|
78
80
|
7. Use ARIA only when native HTML cannot express the needed semantics. Validate the role is legal for the element, the accessible name exists, required states are present, visual and ARIA states stay synchronized, keyboard behavior matches the widget pattern, and focus behavior is explicit.
|
|
79
81
|
8. For custom legacy button-like elements that cannot be replaced, require `role`, focusability, Enter activation, Space activation, Space scroll prevention, pointer activation, duplicate-event prevention, and visible focus. Use native buttons instead whenever possible.
|
|
80
|
-
9. For
|
|
81
|
-
10. For
|
|
82
|
-
11.
|
|
83
|
-
12. For
|
|
84
|
-
13.
|
|
85
|
-
14. For
|
|
86
|
-
15.
|
|
87
|
-
16.
|
|
88
|
-
17.
|
|
89
|
-
18.
|
|
82
|
+
9. For popovers, prefer the native popover pattern for lightweight anchored disclosure, teaching UI, picker panels, or menus that do not need modal focus trapping. Verify trigger ownership, light-dismiss behavior, focus behavior, accessible name, and fallback or browser target.
|
|
83
|
+
10. For dialogs, prefer native dialog when the project can support it. Otherwise implement focus entry, Tab and Shift+Tab containment, Escape behavior, inert or unreachable background content, visible close or cancel control, focus return, and an accessible name.
|
|
84
|
+
11. Do not use dialog for every overlay. Use popover for non-modal transient UI, details/summary for simple disclosure, and dialog for modal tasks or interruptions that require focus containment.
|
|
85
|
+
12. For tabs, use tablist, tab, and tabpanel semantics only for a real tabbed interface. Require one active tab, panel linkage, roving tabindex, arrow key movement, Home and End where expected, and Enter or Space activation when activation is manual.
|
|
86
|
+
13. For menus, do not use ARIA menu roles for ordinary site navigation. Site navigation is a nav landmark with links. Use ARIA menu patterns only for application-style action menus with a button trigger, expanded state, focus strategy, Escape close behavior, and focus return.
|
|
87
|
+
14. For forms, verify visible label association, help association, error association, required text, native required state, autocomplete, `inputmode`, `enterkeyhint`, validation timing, invalid state, error summary behavior, and submission behavior.
|
|
88
|
+
15. Prefer native constraint validation for simple required, type, length, pattern, range, and step rules. Add custom validation only for business rules, cross-field rules, async validation, or localized error ownership the native browser cannot express.
|
|
89
|
+
16. Use placeholder, title, aria-label, color, icon, or toast-only feedback only as supplementary affordances, not as the only label, required indicator, or error explanation.
|
|
90
|
+
17. For metadata, read visible content and the metadata generation path first. Keep title, description, canonical, Open Graph, Twitter or X card data, robots, hreflang, and JSON-LD aligned with visible content, locale, URL, and indexing intent.
|
|
91
|
+
18. Structured data must describe content visible on the same page. Do not invent ratings, reviews, FAQ items, authors, prices, availability, dates, organizations, product properties, or claims not backed by the page data source.
|
|
92
|
+
19. Ensure every HTML page has a valid non-empty language and responsive viewport that does not disable zoom. Mixed-language passages should identify their language when needed.
|
|
93
|
+
20. Keep inline script and style minimal; move behavior and styling to the existing project layers unless the framework requires an inline boundary.
|
|
94
|
+
21. Choose configured verification intents that cover markup validity, lint, build, accessibility, route rendering, metadata, and docs when available.
|
|
90
95
|
|
|
91
96
|
<!-- mustflow-section: form-accessibility -->
|
|
92
97
|
## Form Accessibility Rules
|
|
@@ -101,6 +106,7 @@ Preserve semantic structure, native controls, keyboard access, focus behavior, f
|
|
|
101
106
|
- Multiple submit errors should use an error summary near the top of the form or page when the project pattern supports it. Summary items should link to invalid fields, and inline errors should remain next to fields.
|
|
102
107
|
- Use alert or live regions only for dynamic validation or submit feedback that should be announced. Do not spam alerts on every keystroke or place interactive controls inside alerts.
|
|
103
108
|
- Inputs collecting information about the current user should use appropriate autocomplete tokens. Do not blindly disable autocomplete on login, checkout, contact, signup, or account forms.
|
|
109
|
+
- Use `type`, `inputmode`, `autocomplete`, `enterkeyhint`, `min`, `max`, `step`, `minlength`, `maxlength`, and `pattern` as contracts for keyboards, password managers, autofill, and native validation. Do not replace them with JavaScript-only parsing when the browser can enforce the basic rule.
|
|
104
110
|
|
|
105
111
|
<!-- mustflow-section: metadata-policy -->
|
|
106
112
|
## Metadata And Structured Data Rules
|
|
@@ -123,6 +129,7 @@ Reject or revise the patch when any of these appear without strong justification
|
|
|
123
129
|
- New `div` or `span` interaction where a native link, button, or form control would work.
|
|
124
130
|
- Anchors without `href`, buttons implemented as links, links implemented as buttons, nested interactive controls, clickable icons without native controls, or site navigation using ARIA menu roles.
|
|
125
131
|
- Custom controls without complete accessible name, role, state, keyboard, focus, and hidden-content behavior.
|
|
132
|
+
- Popovers, dialogs, or overlays that replace native behavior without trigger, focus, light-dismiss, inert, or fallback review.
|
|
126
133
|
- Positive `tabindex`, hidden content that remains tabbable, focusable `aria-hidden` content, or invisible focus.
|
|
127
134
|
- Form controls without visible labels, placeholder-only labels, disconnected help or error text, color-only required or error state, premature `aria-invalid`, or autocomplete removed without reason.
|
|
128
135
|
- Metadata or JSON-LD that contradicts visible content, fabricates facts, points canonical or social URL at the wrong page, disables zoom, omits page language, or accidentally noindexes a public page.
|