mustflow 2.38.0 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +39 -15
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +388 -2
package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md
ADDED
|
@@ -0,0 +1,321 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.deployment-rollout-safety-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 2
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: deployment-rollout-safety-review
|
|
9
|
+
description: Apply this skill when server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless, migration, config, feature-flag, cache, deployment pipeline, canary, rollback, release envelope, image digest, deployment history, traffic rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior is created, changed, reviewed, or reported and the risk is whether a deployment can be rolled out, stopped, observed, or rolled back safely.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.deployment-rollout-safety-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Deployment Rollout Safety Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review a server deployment as a runtime state transition, not as "the build passed".
|
|
33
|
+
|
|
34
|
+
Deployment failures usually come from changed ordering, config, data, cache, queues, rollback shape,
|
|
35
|
+
permissions, and observability. Rollback is not just restarting an older container. It is the older
|
|
36
|
+
release surviving today's data, config, cache, queue messages, external side effects, and traffic
|
|
37
|
+
state. This skill makes the agent prove that a wrong deploy has small blast radius, is detected
|
|
38
|
+
quickly, can be stopped quickly, and can be rolled back without inventing a recovery plan during the
|
|
39
|
+
incident.
|
|
40
|
+
|
|
41
|
+
<!-- mustflow-section: use-when -->
|
|
42
|
+
## Use When
|
|
43
|
+
|
|
44
|
+
- A change touches server deployment, backend runtime behavior, workers, schedulers, cron, queue
|
|
45
|
+
consumers, containers, VMs, serverless functions, Kubernetes manifests, process managers,
|
|
46
|
+
deployment pipelines, release gates, canaries, release envelopes, or rollback procedures.
|
|
47
|
+
- A change touches DB migration order, config or env vars, feature flags, cache keys, queue or topic
|
|
48
|
+
message formats, external API dependencies, storage paths, startup probes, readiness probes,
|
|
49
|
+
liveness probes, graceful shutdown, worker drain, deployment locks, or post-deploy smoke checks.
|
|
50
|
+
- A review needs to decide whether code, config, database, cache, queue, and scheduler changes can
|
|
51
|
+
coexist across old and new versions while traffic is still moving.
|
|
52
|
+
|
|
53
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
54
|
+
## Do Not Use When
|
|
55
|
+
|
|
56
|
+
- The task is primarily package publication, changelog, version metadata, or remote distribution
|
|
57
|
+
channel behavior; use `release-publish-change` first.
|
|
58
|
+
- The task is primarily database migration design, schema compatibility, or data backfill behavior;
|
|
59
|
+
use `database-migration-change` first, then use this skill for the deploy sequence around it.
|
|
60
|
+
- The task is primarily queue correctness or retry semantics inside worker code; use
|
|
61
|
+
`queue-processing-integrity-review` or `retry-policy-integrity-review` first, then use this skill
|
|
62
|
+
for deploy-time drain and compatibility.
|
|
63
|
+
- The task is only incident diagnosis after the deploy has already failed; use
|
|
64
|
+
`incident-triage-review` first and return here only when changing the rollout guardrail.
|
|
65
|
+
|
|
66
|
+
<!-- mustflow-section: required-inputs -->
|
|
67
|
+
## Required Inputs
|
|
68
|
+
|
|
69
|
+
- Deployment resource ledger: every affected API route, web process, worker, scheduler, cron,
|
|
70
|
+
queue consumer, queue or topic, DB table or column, cache key, object-store path, external API,
|
|
71
|
+
environment variable, secret, permission, and feature flag.
|
|
72
|
+
- Artifact identity: commit SHA, image tag or digest, config version, migration version, and feature
|
|
73
|
+
flag state that operators will see in logs and dashboards.
|
|
74
|
+
- Release envelope: `release_id`, image digest, chart or manifest revision, values or config hash,
|
|
75
|
+
ConfigMap or Secret version, DB migration range, feature flag snapshot, traffic weight, deployer,
|
|
76
|
+
and deployment time when those concepts exist in the target platform.
|
|
77
|
+
- Deployment model: environment order, artifact promotion path, rolling/blue-green/canary strategy,
|
|
78
|
+
traffic rollback path, old-version retention, deployment history retention, deployment
|
|
79
|
+
concurrency, and deployment lock owner.
|
|
80
|
+
- Compatibility model: old code with old data, old code with new data, new code with old data, new
|
|
81
|
+
code with new data, N-1 message compatibility, cache key version, and rollback survivability.
|
|
82
|
+
- Runtime control model: startup/liveness/readiness probes, graceful shutdown behavior, load
|
|
83
|
+
balancer connection draining, worker drain, cron duplicate guard, kill switch, safe flag defaults,
|
|
84
|
+
automatic stop conditions, synthetic transactions, and post-deploy observation window.
|
|
85
|
+
|
|
86
|
+
<!-- mustflow-section: preconditions -->
|
|
87
|
+
## Preconditions
|
|
88
|
+
|
|
89
|
+
- The deployment or rollout surface is in scope for the current task, or the remaining deployment
|
|
90
|
+
risk is explicitly being reviewed.
|
|
91
|
+
- The affected runtime resources can be identified from code, config, docs, manifests, tests, or the
|
|
92
|
+
user's report. If they cannot, report the missing resource ledger as a finding.
|
|
93
|
+
- The repository command contract has been checked; live deployment, production shell, migration,
|
|
94
|
+
cloud, and cluster commands remain out of scope unless a configured intent permits them.
|
|
95
|
+
|
|
96
|
+
<!-- mustflow-section: allowed-edits -->
|
|
97
|
+
## Allowed Edits
|
|
98
|
+
|
|
99
|
+
- Add or update deploy runbooks, release checklists, pipeline metadata, smoke tests, probe tests,
|
|
100
|
+
config validation, feature-flag defaults, rollback notes, canary gates, and deployment safety
|
|
101
|
+
tests when they match the repository style.
|
|
102
|
+
- Add local code guards for startup config validation, readiness separation, shutdown handling,
|
|
103
|
+
worker drain, cache-key versioning, and deployment attribution when the task scope includes the
|
|
104
|
+
affected runtime code.
|
|
105
|
+
- Do not run raw live deployment, production shell, migration, cluster, or cloud commands unless a
|
|
106
|
+
configured mustflow command intent explicitly permits them.
|
|
107
|
+
- Do not start long-running servers, watchers, dashboards, or background deployment helpers.
|
|
108
|
+
|
|
109
|
+
<!-- mustflow-section: procedure -->
|
|
110
|
+
## Procedure
|
|
111
|
+
|
|
112
|
+
1. Build the deployment resource ledger.
|
|
113
|
+
List the actual runtime resources touched by the change. Include reads and writes separately:
|
|
114
|
+
API endpoints, workers, DB columns, cache keys, storage prefixes, queue messages, cron jobs,
|
|
115
|
+
external APIs, permissions, config, and feature flags. If the ledger is unknown, report that the
|
|
116
|
+
deployment blast radius is unknown instead of guessing.
|
|
117
|
+
|
|
118
|
+
2. Build the release envelope.
|
|
119
|
+
Rollback needs more than an image tag. Bind image digest, chart or manifest revision, values
|
|
120
|
+
file hash, ConfigMap name or version, Secret version, migration range, feature flag snapshot,
|
|
121
|
+
ingress or router weight, deployer, and deployment time under one `release_id` when the platform
|
|
122
|
+
exposes those facts. If only a mutable tag such as `latest` identifies production, report that
|
|
123
|
+
rollback identity is not reproducible.
|
|
124
|
+
|
|
125
|
+
3. Separate artifact promotion from environment rebuilds.
|
|
126
|
+
Verify whether staging and production receive the same artifact identity. Prefer promoting one
|
|
127
|
+
built artifact over rebuilding per environment. If per-environment rebuild is unavoidable, name
|
|
128
|
+
the drift risk and require commit SHA, dependency lock, image digest, and build input evidence.
|
|
129
|
+
Treat image tags as human labels and image digests as the rollback proof.
|
|
130
|
+
|
|
131
|
+
4. Preserve rollback history and warm capacity.
|
|
132
|
+
For platform-managed rollbacks, check whether old revisions, ReplicaSets, Helm release history,
|
|
133
|
+
blue/green environments, or rollout controller history are retained long enough to be useful.
|
|
134
|
+
Do not treat a rollback path as safe if the old version is immediately scaled to zero, cold, or
|
|
135
|
+
deleted. Prefer traffic rollback to an already-warm old version before rebuilding or pulling a
|
|
136
|
+
replacement during an incident.
|
|
137
|
+
|
|
138
|
+
5. Split deploy order from migration order.
|
|
139
|
+
For DB changes, check expand/migrate/read-write/switch/contract sequencing. New code must tolerate
|
|
140
|
+
old data, old code must tolerate expanded schema or new data, and contraction must wait until old
|
|
141
|
+
code is impossible. Check migration lock timeout, batch size, retryability, partial progress
|
|
142
|
+
markers, rollback preview evidence, point-in-time recovery practice, database config backup, and
|
|
143
|
+
rollback limits. Treat destructive rollback SQL as a data-loss risk, not a recovery guarantee.
|
|
144
|
+
|
|
145
|
+
6. Treat config changes as code changes.
|
|
146
|
+
Diff config and environment variables. Require startup validation for missing, misspelled, empty,
|
|
147
|
+
malformed, or incompatible values. A service should fail fast before accepting traffic when a
|
|
148
|
+
required setting is unsafe. Prefer versioned or immutable config names over in-place config
|
|
149
|
+
mutation, and name whether env-var, mounted-file, or subpath-style config updates require pod or
|
|
150
|
+
process restart.
|
|
151
|
+
|
|
152
|
+
7. Separate startup, liveness, and readiness.
|
|
153
|
+
Startup should protect slow boots, liveness should detect stuck processes, and readiness should
|
|
154
|
+
gate whether the instance can serve real dependencies. Do not count "process is running" as
|
|
155
|
+
deployment readiness. Keep liveness conservative enough that overload or long GC pauses do not
|
|
156
|
+
turn a recoverable incident into a restart loop.
|
|
157
|
+
|
|
158
|
+
8. Check graceful shutdown before rolling traffic.
|
|
159
|
+
Verify SIGTERM or platform shutdown handling for in-flight requests, DB transactions, uploads,
|
|
160
|
+
payment or webhook callbacks, and streaming responses. The app shutdown timeout must be shorter
|
|
161
|
+
than load balancer connection draining.
|
|
162
|
+
|
|
163
|
+
9. Drain workers deliberately.
|
|
164
|
+
Queue workers need a stop-accepting-new-work phase, a current-work completion or checkpoint phase,
|
|
165
|
+
and an idempotent retry path for interrupted work. Ack, delete, offset commit, and visibility
|
|
166
|
+
timeout behavior must match the shutdown path. Rollback should name consumer pause, in-flight
|
|
167
|
+
work completion, idempotency-key checks, and dead-letter or quarantine inspection for worker and
|
|
168
|
+
scheduler surfaces.
|
|
169
|
+
|
|
170
|
+
10. Prove message compatibility.
|
|
171
|
+
Producers and consumers are rarely deployed at the exact same instant. Message format changes need
|
|
172
|
+
N-1 message compatibility, tolerant readers, versioned fields, defaults for missing data, and a
|
|
173
|
+
plan for queued old messages. Unknown event types should not crash old consumers; require
|
|
174
|
+
quarantine, dead-letter, or ignore policy that preserves investigation evidence.
|
|
175
|
+
|
|
176
|
+
11. Design external side effects as compensation.
|
|
177
|
+
Emails, payment authorizations, third-party webhooks, provider state, and object-storage writes
|
|
178
|
+
do not disappear when code rolls back. Require outbox, idempotency key, state machine,
|
|
179
|
+
reconciliation, or compensation notes for side effects that cannot be undone by reverting code.
|
|
180
|
+
|
|
181
|
+
12. Keep API compatibility wider than the deploy window.
|
|
182
|
+
Server versions and clients do not change at the same instant. Check N-1 and N+1 compatibility
|
|
183
|
+
for request fields, response fields, enum values, error codes, API versions, and mobile or SDK
|
|
184
|
+
clients. Removing fields, narrowing enums, or adding required inputs can make rollback fail even
|
|
185
|
+
when the old container starts.
|
|
186
|
+
|
|
187
|
+
13. Add a kill switch, not just a flag.
|
|
188
|
+
Feature flags that only select a new path are not enough. Require a fast disable path, a safe
|
|
189
|
+
default when flag lookup fails, and an owner who can flip it during the observation window.
|
|
190
|
+
|
|
191
|
+
14. Define the canary cohort.
|
|
192
|
+
Percent-only canaries can hide the exact risky traffic. Name which users, tenants, regions,
|
|
193
|
+
routes, worker partitions, queues, payment methods, or dependency paths receive the new version.
|
|
194
|
+
Prefer a cohort that exercises the changed behavior without making the blast radius vague.
|
|
195
|
+
|
|
196
|
+
15. Measure canaries by version and by user harm.
|
|
197
|
+
A small canary can disappear in global averages. Require metrics split by service version,
|
|
198
|
+
release id, route, cohort, or worker partition where safe. Prefer user-impact signals such as
|
|
199
|
+
5xx, p95 or p99 latency, login failure, payment failure, order failure, queue backlog, or retry
|
|
200
|
+
explosion over CPU-only rollback triggers.
|
|
201
|
+
|
|
202
|
+
16. Make automatic stop conditions numeric.
|
|
203
|
+
Before rollout, define stop or rollback thresholds for error rate, p95 or p99 latency, login or
|
|
204
|
+
payment failure, queue backlog, retry rate, dependency timeout, and saturation. "Watch it" is not
|
|
205
|
+
a stop condition.
|
|
206
|
+
|
|
207
|
+
17. Verify read and write paths separately.
|
|
208
|
+
A read-only health check can pass while writes are broken. Add or identify smoke checks and
|
|
209
|
+
synthetic transactions that cover the changed read path, changed write path, and visible business
|
|
210
|
+
result without corrupting production data.
|
|
211
|
+
|
|
212
|
+
18. Preserve release attribution in logs and telemetry.
|
|
213
|
+
Deployment logs and runtime logs should expose commit SHA, image tag or digest, config version,
|
|
214
|
+
chart or manifest revision, config version, migration version, feature flag state, deployment
|
|
215
|
+
environment, deployment id, service version, and instance. Log format changes must not silently
|
|
216
|
+
break alerts, dashboards, or search queries.
|
|
217
|
+
|
|
218
|
+
19. Version cache keys and narrow invalidation.
|
|
219
|
+
Cache changes need cache key versioning or compatibility. Avoid blanket flushes unless the cold
|
|
220
|
+
DB load has been budgeted. Prefer narrow, gradual invalidation with fallback behavior named.
|
|
221
|
+
Old code must not deserialize new cache payloads without a compatibility plan.
|
|
222
|
+
|
|
223
|
+
20. Guard scheduler duplication.
|
|
224
|
+
Cron and scheduled jobs can overlap during rolling deploys. Check singleton locks, leader
|
|
225
|
+
election, idempotency keys, deployment locks, and duplicate execution behavior for old and new
|
|
226
|
+
versions.
|
|
227
|
+
|
|
228
|
+
21. Treat CRDs and operators as schema rollouts.
|
|
229
|
+
Custom resources, operators, storage versions, conversion strategies, and controller downgrade
|
|
230
|
+
behavior can block rollback even when application pods are healthy. When those surfaces change,
|
|
231
|
+
require stored-object migration, old-client compatibility, and operator downgrade notes.
|
|
232
|
+
|
|
233
|
+
22. Use deployment locks per service and environment.
|
|
234
|
+
Two deploys, migrations, or production commands against the same service/environment need an
|
|
235
|
+
explicit conflict rule. Name the lock scope and the operator-visible owner.
|
|
236
|
+
|
|
237
|
+
23. Make production commands boring.
|
|
238
|
+
Any production command touched by the change should have dry-run output, bounded target scope,
|
|
239
|
+
explicit confirmation or ticket reference, and refusal behavior for ambiguous environment,
|
|
240
|
+
tenant, region, or time range.
|
|
241
|
+
|
|
242
|
+
24. Reserve post-deploy observation time.
|
|
243
|
+
Deployment is not done when traffic flips. Require a post-deploy observation window with owners
|
|
244
|
+
available, synthetic transaction results, dashboards, logs, queue backlog, dependency health, and
|
|
245
|
+
stop-condition status checked.
|
|
246
|
+
|
|
247
|
+
<!-- mustflow-section: postconditions -->
|
|
248
|
+
## Postconditions
|
|
249
|
+
|
|
250
|
+
- Deployment resources, rollout order, stop conditions, rollback limits, and manual deployment
|
|
251
|
+
boundaries are explicit.
|
|
252
|
+
- Any missing resource ledger, missing configured verification, or production-only check is reported
|
|
253
|
+
instead of treated as complete.
|
|
254
|
+
- Template, route, i18n, package, docs, and tests remain synchronized when this skill is edited or
|
|
255
|
+
installed.
|
|
256
|
+
|
|
257
|
+
## Review Checklist
|
|
258
|
+
|
|
259
|
+
- Deployment resource ledger is complete enough to name the blast radius.
|
|
260
|
+
- Release envelope binds image digest, config, Secret, migration, flag, traffic, deployer, and time
|
|
261
|
+
under a stable release identity where those platform concepts exist.
|
|
262
|
+
- Same artifact is promoted across environments or rebuild drift is explicitly controlled.
|
|
263
|
+
- Rollback history is retained, the old version can stay warm when needed, and traffic rollback is
|
|
264
|
+
separated from rebuilding or repulling code.
|
|
265
|
+
- DB migration, code deploy, data backfill, cache, queue, and rollback order are separated.
|
|
266
|
+
- Required config is validated at startup and deployment config diff is inspectable.
|
|
267
|
+
- Startup, liveness, and readiness probes answer different questions.
|
|
268
|
+
- Graceful shutdown, load balancer connection draining, worker drain, and interrupted work retry are
|
|
269
|
+
compatible.
|
|
270
|
+
- Queue messages, API payloads, and cache keys survive old/new producer, consumer, server, and
|
|
271
|
+
client overlap.
|
|
272
|
+
- External side effects have idempotency, reconciliation, or compensation instead of rollback
|
|
273
|
+
overclaim.
|
|
274
|
+
- Feature flag lookup failure chooses the safe default and a kill switch can stop the change.
|
|
275
|
+
- Canary cohort, version-split telemetry, and automatic stop condition are concrete, numeric, and
|
|
276
|
+
tied to the changed flow.
|
|
277
|
+
- Read smoke, write smoke, synthetic transaction, deployment logs, and post-deploy metrics are
|
|
278
|
+
defined before rollout.
|
|
279
|
+
- Rollback notes say what code rollback cannot undo, especially migrations, cache, messages,
|
|
280
|
+
external side effects, and user-visible data.
|
|
281
|
+
|
|
282
|
+
<!-- mustflow-section: verification -->
|
|
283
|
+
## Verification
|
|
284
|
+
|
|
285
|
+
Prefer the narrowest configured mustflow command intent that covers the changed surface:
|
|
286
|
+
|
|
287
|
+
- `mf run test_related` for local tests around config validation, probes, shutdown, queue drain,
|
|
288
|
+
cache key behavior, migration compatibility, or smoke-check code.
|
|
289
|
+
- `mf run build` or `mf run lint` when deployment metadata, generated code, or compile-time config
|
|
290
|
+
surfaces changed.
|
|
291
|
+
- `mf run docs_validate_fast` when runbooks, skills, or deployment docs changed.
|
|
292
|
+
- `mf run test_release` when package/template/release surfaces changed.
|
|
293
|
+
- `mf run mustflow_check` before finishing broad mustflow-owned changes.
|
|
294
|
+
|
|
295
|
+
Do not replace missing deploy safety proof with an unrelated full test suite. Report the missing
|
|
296
|
+
configured intent or manual production verification boundary.
|
|
297
|
+
|
|
298
|
+
<!-- mustflow-section: failure-handling -->
|
|
299
|
+
## Failure Handling
|
|
300
|
+
|
|
301
|
+
- If strict mustflow validation says the skill is not listed, update both the prose trigger and the
|
|
302
|
+
route table row in `.mustflow/skills/INDEX.md`, then sync the template copy.
|
|
303
|
+
- If validation says required section ids are missing, add the standard mustflow-section markers and
|
|
304
|
+
headings before changing command contracts or tests.
|
|
305
|
+
- If a deployment-safety check cannot be executed locally, record the manual boundary and the
|
|
306
|
+
production evidence that must be collected during the observation window.
|
|
307
|
+
- If rollback is unsafe because DB, cache, queue, external side effects, or user-visible data moved
|
|
308
|
+
forward, report roll-forward or mitigation work instead of claiming code rollback is sufficient.
|
|
309
|
+
|
|
310
|
+
<!-- mustflow-section: output-format -->
|
|
311
|
+
## Output Format
|
|
312
|
+
|
|
313
|
+
When reporting a review or change, include:
|
|
314
|
+
|
|
315
|
+
- Skills used.
|
|
316
|
+
- Deployment resources touched.
|
|
317
|
+
- Rollout and rollback risks found or guarded.
|
|
318
|
+
- Config, migration, cache, queue, probe, shutdown, canary, and observation decisions.
|
|
319
|
+
- Verification commands run and their result.
|
|
320
|
+
- Remaining manual deployment checks, especially production-only smoke, canary, and observation
|
|
321
|
+
steps that cannot be executed locally.
|
package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md
ADDED
|
@@ -0,0 +1,265 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.desktop-auto-update-safety-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: desktop-auto-update-safety-review
|
|
9
|
+
description: Apply this skill when desktop app automatic update behavior, Electron autoUpdater or electron-builder feeds, Squirrel.Windows first-run handling, Sparkle appcasts, Tauri updater configuration, macOS signed and notarized updates, Windows installers, Linux desktop packages, update metadata, latest.yml/latest.json/appcast.xml pointers, CDN caching, staged rollout percentages, alpha/beta/stable channels, update kill switches, artifact immutability, signatures, hash verification, signing-key custody, key rotation, certificate expiry, notarization gates, single-flight update checks, quit-and-install timing, old-version upgrade paths, rollback-forward fixes, updater telemetry, crash gates, or installed-app update smoke tests are created, changed, reviewed, or reported.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.desktop-auto-update-safety-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Desktop Auto Update Safety Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review desktop automatic updates as a remote code-execution supply chain, not a convenience button.
|
|
33
|
+
|
|
34
|
+
The review question is not "does the new version download?" It is "can old installed clients
|
|
35
|
+
discover, verify, stage, apply, relaunch, observe, stop, and recover from an update without mixing
|
|
36
|
+
metadata, artifacts, signatures, channels, rollout cohorts, permissions, local data, or user work?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- Electron `autoUpdater`, electron-builder update feeds, Squirrel.Windows, NSIS, MSIX, Sparkle,
|
|
42
|
+
Tauri updater, macOS appcasts, Windows installers, Linux desktop packages, updater endpoints,
|
|
43
|
+
release channels, or desktop installer metadata are created, changed, reviewed, or reported.
|
|
44
|
+
- Code or docs touch update states such as check, download, verify, stage, apply, relaunch, rollback,
|
|
45
|
+
resume, retry, cancel, or post-relaunch health.
|
|
46
|
+
- Release work touches immutable installer artifacts, `.sig`, `.blockmap`, `.yml`, `.json`,
|
|
47
|
+
`latest.yml`, `latest.json`, appcast XML, CDN cache policy, hashes, signatures, or channel
|
|
48
|
+
pointers that installed clients consume.
|
|
49
|
+
- A desktop updater needs staged rollout, deterministic canary buckets, alpha/beta/stable channel
|
|
50
|
+
separation, kill switch, remote disable policy, crash gate, update telemetry, or emergency
|
|
51
|
+
forward-fix behavior.
|
|
52
|
+
- A desktop update path depends on code signing, notarization, certificate expiry, signing-key
|
|
53
|
+
custody, key rotation, clean-machine install tests, old-version upgrade tests, migration
|
|
54
|
+
compatibility, or installed-app smoke tests.
|
|
55
|
+
|
|
56
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
57
|
+
## Do Not Use When
|
|
58
|
+
|
|
59
|
+
- The task is only publishing a package, tag, registry version, GitHub Release, or generic release
|
|
60
|
+
asset without installed desktop updater behavior; use `release-publish-change`.
|
|
61
|
+
- The task is only server, container, backend, worker, migration, feature-flag, or traffic rollout
|
|
62
|
+
safety; use `deployment-rollout-safety-review`.
|
|
63
|
+
- The task is only background process crash recovery, leases, service supervision, sleep/resume, or
|
|
64
|
+
safe mode; use `desktop-background-process-stability-review`.
|
|
65
|
+
- The task is only Tauri command permissions, capabilities, sidecars, opener, shell, CSP, or updater
|
|
66
|
+
endpoint trust inside a Tauri app; use `tauri-code-change` first, then return here for update
|
|
67
|
+
rollout and distribution behavior.
|
|
68
|
+
- The task is only release notes wording without updater metadata, installed app behavior, or
|
|
69
|
+
release-channel claims; use `release-notes-authoring`.
|
|
70
|
+
|
|
71
|
+
<!-- mustflow-section: required-inputs -->
|
|
72
|
+
## Required Inputs
|
|
73
|
+
|
|
74
|
+
- Updater stack ledger: framework, installer type, updater library, OS targets, install scope,
|
|
75
|
+
channel, feed URL, metadata format, signing model, update staging location, relaunch path, and
|
|
76
|
+
old-version support window.
|
|
77
|
+
- State-machine ledger: check, download, verify, stage, apply, relaunch, first-run-after-update,
|
|
78
|
+
rollback or forward-fix, cancellation, retry, and failure states with user-visible outcomes.
|
|
79
|
+
- Artifact ledger: immutable artifact names, platform assets, signatures, blockmaps or delta files,
|
|
80
|
+
hashes, sizes, metadata pointers, CDN cache policy, upload order, and remote publication status.
|
|
81
|
+
- Trust ledger: code signing, notarization, updater signature, signing-key storage, key rotation,
|
|
82
|
+
certificate expiry gate, TLS expectations, metadata signing, and hash verification.
|
|
83
|
+
- Rollout ledger: channel policy, staged percentage, deterministic bucket key, kill switch,
|
|
84
|
+
per-version deny or pause policy, OS or architecture gating, crash gate, and manual approval gate.
|
|
85
|
+
- Installed-client ledger: oldest supported versions, skipped-version upgrade paths, data migration
|
|
86
|
+
compatibility, first-run locks, single-flight update checks, quit-and-install timing, user work
|
|
87
|
+
preservation, and clean-machine test matrix.
|
|
88
|
+
- Observability ledger: check count, download start, download success, verification failure,
|
|
89
|
+
install start, install success, relaunch success, post-relaunch heartbeat, crash-free sessions,
|
|
90
|
+
update error codes, channel, version, OS, architecture, and cohort.
|
|
91
|
+
|
|
92
|
+
<!-- mustflow-section: preconditions -->
|
|
93
|
+
## Preconditions
|
|
94
|
+
|
|
95
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
96
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
97
|
+
current scope.
|
|
98
|
+
- Remote publication, live channel pointer changes, signing-key access, installer execution,
|
|
99
|
+
destructive asset deletion, yanking, or production kill-switch flips remain out of scope unless
|
|
100
|
+
explicitly authorized by the repository and host command contract.
|
|
101
|
+
- If only static repository evidence is available, report installed-app, clean-machine, remote CDN,
|
|
102
|
+
signing, notarization, and update-smoke checks as manual or missing instead of implying they ran.
|
|
103
|
+
|
|
104
|
+
<!-- mustflow-section: allowed-edits -->
|
|
105
|
+
## Allowed Edits
|
|
106
|
+
|
|
107
|
+
- Add or tighten update state machines, single-flight guards, staged rollout policy, deterministic
|
|
108
|
+
cohorting, kill-switch handling, remote updater policy, channel separation, signature and hash
|
|
109
|
+
checks, artifact upload ordering, cache headers, installed-client compatibility guards,
|
|
110
|
+
quit-and-install safety, migration idempotency notes, update telemetry, crash gates, and focused
|
|
111
|
+
tests or docs.
|
|
112
|
+
- Update release checklists, updater runbooks, package metadata, template skills, installer docs,
|
|
113
|
+
test assertions, and release-sensitive fixtures that encode the desktop auto-update contract.
|
|
114
|
+
- Do not overwrite an existing versioned artifact, reuse a broken version number as the fix, move a
|
|
115
|
+
stable channel to a beta feed, relax signature verification, store signing private keys on the
|
|
116
|
+
release server, or call an update complete from download completion alone.
|
|
117
|
+
- Do not run raw installer, updater, signing, notarization, CDN, release, or OS lifecycle commands
|
|
118
|
+
outside configured command intents.
|
|
119
|
+
|
|
120
|
+
<!-- mustflow-section: procedure -->
|
|
121
|
+
## Procedure
|
|
122
|
+
|
|
123
|
+
1. Define the updater as a state machine.
|
|
124
|
+
- Separate check, download, verify, stage, apply, relaunch, and post-relaunch health.
|
|
125
|
+
- Log or return stage-specific errors instead of a single "update failed" bucket.
|
|
126
|
+
- Preserve cancellation and retry behavior without corrupting staged files.
|
|
127
|
+
2. Separate immutable artifacts from mutable pointers.
|
|
128
|
+
- Treat versioned installers, signatures, blockmaps, and platform assets as immutable.
|
|
129
|
+
- Change only the latest pointer, channel metadata, or staged rollout policy after all referenced
|
|
130
|
+
assets are uploaded and independently downloadable.
|
|
131
|
+
- Report any flow that overwrites `app-1.2.3`-style artifacts or edits a published version in
|
|
132
|
+
place.
|
|
133
|
+
3. Enforce artifact-before-metadata ordering.
|
|
134
|
+
- Upload installers, `.sig`, `.blockmap`, `.yml`, `.json`, appcast, and platform assets before
|
|
135
|
+
changing `latest.yml`, `latest.json`, `appcast.xml`, or equivalent client-visible pointers.
|
|
136
|
+
- Give metadata short TTL or revalidation and give immutable artifacts long cache when safe.
|
|
137
|
+
- Treat mismatched metadata hash, size, signature, or URL as a live update-channel incident.
|
|
138
|
+
4. Require trust verification.
|
|
139
|
+
- Verify code signing, notarization where applicable, updater signatures, file hashes, file sizes,
|
|
140
|
+
channel identity, and expected platform target before applying.
|
|
141
|
+
- Keep signing private keys off the release server and practice key rotation before an incident.
|
|
142
|
+
- Make certificate expiry, notarization failure, missing signature, or entitlement drift fail the
|
|
143
|
+
release gate before users see the update.
|
|
144
|
+
5. Keep channels physically and logically separate.
|
|
145
|
+
- Separate alpha, beta, stable, canary, and enterprise channels by feed, metadata, or explicit
|
|
146
|
+
policy; do not rely only on version suffixes.
|
|
147
|
+
- Verify stable clients cannot accidentally consume beta or alpha metadata.
|
|
148
|
+
- Treat channel movement as a public release contract.
|
|
149
|
+
6. Roll out by deterministic cohorts.
|
|
150
|
+
- Prefer install id, device id, account id, or another stable privacy-safe bucket key over
|
|
151
|
+
per-request randomness.
|
|
152
|
+
- Use staged rollout percentages with clear progression and stop rules.
|
|
153
|
+
- Add jitter and backoff so app start, network reconnect, or periodic checks do not stampede the
|
|
154
|
+
update server.
|
|
155
|
+
7. Add server-side stop controls.
|
|
156
|
+
- Provide a kill switch or "no update" response for bad versions, OS targets, architectures,
|
|
157
|
+
cohorts, or channels without requiring a new app update.
|
|
158
|
+
- Preserve user-intentional pause, enterprise policy, and admin-managed update controls when the
|
|
159
|
+
product supports them.
|
|
160
|
+
- Do not make a broken updater fixable only by shipping another update through the broken path.
|
|
161
|
+
8. Prevent duplicate update work.
|
|
162
|
+
- Guard update checks and downloads with a single-flight or mutex path.
|
|
163
|
+
- Handle app startup, menu-click, timer, network-reconnect, and background-triggered checks
|
|
164
|
+
converging on the same update state.
|
|
165
|
+
- Include Squirrel.Windows first-run or installer lock timing when the Windows stack can hold
|
|
166
|
+
files immediately after installation.
|
|
167
|
+
9. Apply only when user work is safe.
|
|
168
|
+
- Gate quit-and-install, relaunch, or helper replacement on saved work, drained background tasks,
|
|
169
|
+
paused sync, and platform-specific quit events.
|
|
170
|
+
- Treat `before-quit-for-update`, preshutdown, app exit, and renderer close events as distinct
|
|
171
|
+
from ordinary shutdown when the framework exposes them.
|
|
172
|
+
- Report any forced restart path that can lose unsaved documents, recordings, uploads, database
|
|
173
|
+
sessions, or long local jobs.
|
|
174
|
+
10. Test installed upgrade paths, not development mode.
|
|
175
|
+
- Prefer packaged, signed, installed-app update tests from older versions, clean users, clean
|
|
176
|
+
machines or VMs, and the install scopes users actually have.
|
|
177
|
+
- Include skipped-version paths from active old versions, not only previous-version to latest.
|
|
178
|
+
- Cover Windows user-wide versus machine-wide installs, macOS Intel versus Apple Silicon,
|
|
179
|
+
Gatekeeper, quarantine, app translocation, read-only mounts, and Linux package formats when
|
|
180
|
+
those targets exist.
|
|
181
|
+
11. Make migrations update-safe.
|
|
182
|
+
- Support old data with new code, new data with old code when rollback or forward-fix overlap can
|
|
183
|
+
happen, and users who skip several app versions.
|
|
184
|
+
- Make local migrations idempotent with completion markers and partial-failure recovery.
|
|
185
|
+
- Prefer forward-fix with a higher version over attempting to repair a broken release by
|
|
186
|
+
republishing the same version.
|
|
187
|
+
12. Keep old artifacts long enough.
|
|
188
|
+
- Retain full installers, deltas, signatures, metadata, and migration bridges needed by active
|
|
189
|
+
old clients.
|
|
190
|
+
- Do not delete old artifacts solely to reduce storage without checking active-version telemetry
|
|
191
|
+
and upgrade path coverage.
|
|
192
|
+
13. Observe real update success.
|
|
193
|
+
- Count check, download, verify, install, relaunch, and post-relaunch heartbeat separately.
|
|
194
|
+
- Treat download completion as incomplete; success is the new version running and healthy after
|
|
195
|
+
relaunch.
|
|
196
|
+
- Split telemetry by version, channel, OS, architecture, cohort, installer type, and error code
|
|
197
|
+
while preserving privacy and redaction rules.
|
|
198
|
+
14. Stop rollout automatically when harm appears.
|
|
199
|
+
- Define crash-free, verification-failure, install-failure, relaunch-failure, and support-ticket
|
|
200
|
+
thresholds that pause rollout or return "no update".
|
|
201
|
+
- Require operator-visible release id, channel, version, cohort, and artifact identity in update
|
|
202
|
+
logs or metrics.
|
|
203
|
+
15. Report what cannot be proven locally.
|
|
204
|
+
- Name missing updater-smoke, clean-machine, signing, notarization, CDN-cache, staged-rollout,
|
|
205
|
+
crash-gate, or remote-feed verification instead of replacing it with unrelated unit tests.
|
|
206
|
+
|
|
207
|
+
<!-- mustflow-section: postconditions -->
|
|
208
|
+
## Postconditions
|
|
209
|
+
|
|
210
|
+
- Update state machine, immutable artifact policy, metadata pointer order, signatures, hashes,
|
|
211
|
+
key custody, certificate gates, channel separation, staged rollout, deterministic bucket, kill
|
|
212
|
+
switch, single-flight checks, first-run locks, quit-and-install safety, installed upgrade matrix,
|
|
213
|
+
migration compatibility, old artifact retention, update telemetry, crash gates, and manual remote
|
|
214
|
+
verification boundaries are explicit.
|
|
215
|
+
- Mutable artifact overwrite, metadata-before-artifact publication, long-lived latest-pointer cache,
|
|
216
|
+
missing signatures, release-server private keys, unpracticed key rotation, expired certificate
|
|
217
|
+
surprise, random per-request canary, no kill switch, duplicate downloads, forced restart data loss,
|
|
218
|
+
development-mode-only update testing, same-version republish recovery, old artifact deletion, and
|
|
219
|
+
download-complete-as-success claims are fixed or reported.
|
|
220
|
+
- Desktop updater safety claims are backed by configured tests, package or template checks, static
|
|
221
|
+
release evidence, installed-app smoke evidence, or clearly labeled as manual-only or missing.
|
|
222
|
+
|
|
223
|
+
<!-- mustflow-section: verification -->
|
|
224
|
+
## Verification
|
|
225
|
+
|
|
226
|
+
Use configured oneshot command intents when available:
|
|
227
|
+
|
|
228
|
+
- `changes_status`
|
|
229
|
+
- `changes_diff_summary`
|
|
230
|
+
- `lint`
|
|
231
|
+
- `build`
|
|
232
|
+
- `test_related`
|
|
233
|
+
- `test`
|
|
234
|
+
- `docs_validate_fast`
|
|
235
|
+
- `test_release`
|
|
236
|
+
- `mustflow_check`
|
|
237
|
+
|
|
238
|
+
Prefer configured updater-smoke, package-inspection, signature, notarization, CDN, staged-rollout,
|
|
239
|
+
install-smoke, or release-verification intents when the command contract exposes them. Do not infer
|
|
240
|
+
raw signing, installer, CDN, release, updater, or OS commands from project files.
|
|
241
|
+
|
|
242
|
+
<!-- mustflow-section: failure-handling -->
|
|
243
|
+
## Failure Handling
|
|
244
|
+
|
|
245
|
+
- If metadata references missing artifacts, stale hashes, bad signatures, wrong channels, or broken
|
|
246
|
+
cache headers, treat the update channel as potentially live-broken and stop publication claims.
|
|
247
|
+
- If an update was already visible to clients, prefer a new higher-version forward fix, kill switch,
|
|
248
|
+
or paused rollout over overwriting the same version.
|
|
249
|
+
- If verification cannot run because signing keys, notarization, CDN, clean VMs, old installers, or
|
|
250
|
+
remote feeds are unavailable, report the exact missing evidence.
|
|
251
|
+
- If automatic update safety conflicts with user data safety, signature security, enterprise policy,
|
|
252
|
+
least privilege, or rollback compatibility, keep the safer behavior and report the tradeoff.
|
|
253
|
+
|
|
254
|
+
<!-- mustflow-section: output-format -->
|
|
255
|
+
## Output Format
|
|
256
|
+
|
|
257
|
+
- Desktop auto-update boundary reviewed
|
|
258
|
+
- Updater stack, state machine, artifact, trust, rollout, installed-client, migration, telemetry, and
|
|
259
|
+
kill-switch findings
|
|
260
|
+
- Auto-update safety fixes made or recommended
|
|
261
|
+
- Evidence level: configured-test evidence, package/release evidence, installed-app smoke evidence,
|
|
262
|
+
static updater risk, manual-only, missing, or not applicable
|
|
263
|
+
- Command intents run
|
|
264
|
+
- Skipped updater diagnostics and reasons
|
|
265
|
+
- Remaining desktop auto-update risk
|