mustflow 2.38.0 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/README.md +3 -0
  2. package/dist/cli/commands/run/executor.js +16 -0
  3. package/dist/cli/commands/run/process-tree.js +6 -3
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/repo-map.js +16 -3
  14. package/dist/cli/lib/templates.js +8 -7
  15. package/dist/cli/lib/validation/constants.js +1 -1
  16. package/dist/core/active-run-locks.js +78 -20
  17. package/dist/core/change-classification.js +4 -0
  18. package/dist/core/command-contract-rules.js +1 -1
  19. package/dist/core/command-contract-validation.js +1 -1
  20. package/dist/core/command-cwd.js +13 -2
  21. package/dist/core/command-effects.js +22 -4
  22. package/dist/core/command-env.js +8 -6
  23. package/dist/core/command-preconditions.js +28 -2
  24. package/dist/core/completion-verdict.js +1 -1
  25. package/dist/core/line-endings.js +8 -4
  26. package/dist/core/safe-filesystem.js +9 -1
  27. package/dist/core/source-anchor-validation.js +7 -1
  28. package/dist/core/source-anchors.js +8 -2
  29. package/dist/core/verification-scheduler.js +8 -2
  30. package/package.json +1 -1
  31. package/templates/default/common/.mustflow/config/commands.toml +39 -15
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +388 -2
@@ -0,0 +1,321 @@
1
+ ---
2
+ mustflow_doc: skill.deployment-rollout-safety-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 2
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: deployment-rollout-safety-review
9
+ description: Apply this skill when server, backend, worker, scheduler, queue consumer, cron, container, VM, serverless, migration, config, feature-flag, cache, deployment pipeline, canary, rollback, release envelope, image digest, deployment history, traffic rollback, health check, readiness/liveness/startup probe, graceful shutdown, artifact promotion, release observability, or post-deploy smoke behavior is created, changed, reviewed, or reported and the risk is whether a deployment can be rolled out, stopped, observed, or rolled back safely.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.deployment-rollout-safety-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Deployment Rollout Safety Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review a server deployment as a runtime state transition, not as "the build passed".
33
+
34
+ Deployment failures usually come from changed ordering, config, data, cache, queues, rollback shape,
35
+ permissions, and observability. Rollback is not just restarting an older container. It is the older
36
+ release surviving today's data, config, cache, queue messages, external side effects, and traffic
37
+ state. This skill makes the agent prove that a wrong deploy has small blast radius, is detected
38
+ quickly, can be stopped quickly, and can be rolled back without inventing a recovery plan during the
39
+ incident.
40
+
41
+ <!-- mustflow-section: use-when -->
42
+ ## Use When
43
+
44
+ - A change touches server deployment, backend runtime behavior, workers, schedulers, cron, queue
45
+ consumers, containers, VMs, serverless functions, Kubernetes manifests, process managers,
46
+ deployment pipelines, release gates, canaries, release envelopes, or rollback procedures.
47
+ - A change touches DB migration order, config or env vars, feature flags, cache keys, queue or topic
48
+ message formats, external API dependencies, storage paths, startup probes, readiness probes,
49
+ liveness probes, graceful shutdown, worker drain, deployment locks, or post-deploy smoke checks.
50
+ - A review needs to decide whether code, config, database, cache, queue, and scheduler changes can
51
+ coexist across old and new versions while traffic is still moving.
52
+
53
+ <!-- mustflow-section: do-not-use-when -->
54
+ ## Do Not Use When
55
+
56
+ - The task is primarily package publication, changelog, version metadata, or remote distribution
57
+ channel behavior; use `release-publish-change` first.
58
+ - The task is primarily database migration design, schema compatibility, or data backfill behavior;
59
+ use `database-migration-change` first, then use this skill for the deploy sequence around it.
60
+ - The task is primarily queue correctness or retry semantics inside worker code; use
61
+ `queue-processing-integrity-review` or `retry-policy-integrity-review` first, then use this skill
62
+ for deploy-time drain and compatibility.
63
+ - The task is only incident diagnosis after the deploy has already failed; use
64
+ `incident-triage-review` first and return here only when changing the rollout guardrail.
65
+
66
+ <!-- mustflow-section: required-inputs -->
67
+ ## Required Inputs
68
+
69
+ - Deployment resource ledger: every affected API route, web process, worker, scheduler, cron,
70
+ queue consumer, queue or topic, DB table or column, cache key, object-store path, external API,
71
+ environment variable, secret, permission, and feature flag.
72
+ - Artifact identity: commit SHA, image tag or digest, config version, migration version, and feature
73
+ flag state that operators will see in logs and dashboards.
74
+ - Release envelope: `release_id`, image digest, chart or manifest revision, values or config hash,
75
+ ConfigMap or Secret version, DB migration range, feature flag snapshot, traffic weight, deployer,
76
+ and deployment time when those concepts exist in the target platform.
77
+ - Deployment model: environment order, artifact promotion path, rolling/blue-green/canary strategy,
78
+ traffic rollback path, old-version retention, deployment history retention, deployment
79
+ concurrency, and deployment lock owner.
80
+ - Compatibility model: old code with old data, old code with new data, new code with old data, new
81
+ code with new data, N-1 message compatibility, cache key version, and rollback survivability.
82
+ - Runtime control model: startup/liveness/readiness probes, graceful shutdown behavior, load
83
+ balancer connection draining, worker drain, cron duplicate guard, kill switch, safe flag defaults,
84
+ automatic stop conditions, synthetic transactions, and post-deploy observation window.
85
+
86
+ <!-- mustflow-section: preconditions -->
87
+ ## Preconditions
88
+
89
+ - The deployment or rollout surface is in scope for the current task, or the remaining deployment
90
+ risk is explicitly being reviewed.
91
+ - The affected runtime resources can be identified from code, config, docs, manifests, tests, or the
92
+ user's report. If they cannot, report the missing resource ledger as a finding.
93
+ - The repository command contract has been checked; live deployment, production shell, migration,
94
+ cloud, and cluster commands remain out of scope unless a configured intent permits them.
95
+
96
+ <!-- mustflow-section: allowed-edits -->
97
+ ## Allowed Edits
98
+
99
+ - Add or update deploy runbooks, release checklists, pipeline metadata, smoke tests, probe tests,
100
+ config validation, feature-flag defaults, rollback notes, canary gates, and deployment safety
101
+ tests when they match the repository style.
102
+ - Add local code guards for startup config validation, readiness separation, shutdown handling,
103
+ worker drain, cache-key versioning, and deployment attribution when the task scope includes the
104
+ affected runtime code.
105
+ - Do not run raw live deployment, production shell, migration, cluster, or cloud commands unless a
106
+ configured mustflow command intent explicitly permits them.
107
+ - Do not start long-running servers, watchers, dashboards, or background deployment helpers.
108
+
109
+ <!-- mustflow-section: procedure -->
110
+ ## Procedure
111
+
112
+ 1. Build the deployment resource ledger.
113
+ List the actual runtime resources touched by the change. Include reads and writes separately:
114
+ API endpoints, workers, DB columns, cache keys, storage prefixes, queue messages, cron jobs,
115
+ external APIs, permissions, config, and feature flags. If the ledger is unknown, report that the
116
+ deployment blast radius is unknown instead of guessing.
117
+
118
+ 2. Build the release envelope.
119
+ Rollback needs more than an image tag. Bind image digest, chart or manifest revision, values
120
+ file hash, ConfigMap name or version, Secret version, migration range, feature flag snapshot,
121
+ ingress or router weight, deployer, and deployment time under one `release_id` when the platform
122
+ exposes those facts. If only a mutable tag such as `latest` identifies production, report that
123
+ rollback identity is not reproducible.
124
+
125
+ 3. Separate artifact promotion from environment rebuilds.
126
+ Verify whether staging and production receive the same artifact identity. Prefer promoting one
127
+ built artifact over rebuilding per environment. If per-environment rebuild is unavoidable, name
128
+ the drift risk and require commit SHA, dependency lock, image digest, and build input evidence.
129
+ Treat image tags as human labels and image digests as the rollback proof.
130
+
131
+ 4. Preserve rollback history and warm capacity.
132
+ For platform-managed rollbacks, check whether old revisions, ReplicaSets, Helm release history,
133
+ blue/green environments, or rollout controller history are retained long enough to be useful.
134
+ Do not treat a rollback path as safe if the old version is immediately scaled to zero, cold, or
135
+ deleted. Prefer traffic rollback to an already-warm old version before rebuilding or pulling a
136
+ replacement during an incident.
137
+
138
+ 5. Split deploy order from migration order.
139
+ For DB changes, check expand/migrate/read-write/switch/contract sequencing. New code must tolerate
140
+ old data, old code must tolerate expanded schema or new data, and contraction must wait until old
141
+ code is impossible. Check migration lock timeout, batch size, retryability, partial progress
142
+ markers, rollback preview evidence, point-in-time recovery practice, database config backup, and
143
+ rollback limits. Treat destructive rollback SQL as a data-loss risk, not a recovery guarantee.
144
+
145
+ 6. Treat config changes as code changes.
146
+ Diff config and environment variables. Require startup validation for missing, misspelled, empty,
147
+ malformed, or incompatible values. A service should fail fast before accepting traffic when a
148
+ required setting is unsafe. Prefer versioned or immutable config names over in-place config
149
+ mutation, and name whether env-var, mounted-file, or subpath-style config updates require pod or
150
+ process restart.
151
+
152
+ 7. Separate startup, liveness, and readiness.
153
+ Startup should protect slow boots, liveness should detect stuck processes, and readiness should
154
+ gate whether the instance can serve real dependencies. Do not count "process is running" as
155
+ deployment readiness. Keep liveness conservative enough that overload or long GC pauses do not
156
+ turn a recoverable incident into a restart loop.
157
+
158
+ 8. Check graceful shutdown before rolling traffic.
159
+ Verify SIGTERM or platform shutdown handling for in-flight requests, DB transactions, uploads,
160
+ payment or webhook callbacks, and streaming responses. The app shutdown timeout must be shorter
161
+ than load balancer connection draining.
162
+
163
+ 9. Drain workers deliberately.
164
+ Queue workers need a stop-accepting-new-work phase, a current-work completion or checkpoint phase,
165
+ and an idempotent retry path for interrupted work. Ack, delete, offset commit, and visibility
166
+ timeout behavior must match the shutdown path. Rollback should name consumer pause, in-flight
167
+ work completion, idempotency-key checks, and dead-letter or quarantine inspection for worker and
168
+ scheduler surfaces.
169
+
170
+ 10. Prove message compatibility.
171
+ Producers and consumers are rarely deployed at the exact same instant. Message format changes need
172
+ N-1 message compatibility, tolerant readers, versioned fields, defaults for missing data, and a
173
+ plan for queued old messages. Unknown event types should not crash old consumers; require
174
+ quarantine, dead-letter, or ignore policy that preserves investigation evidence.
175
+
176
+ 11. Design external side effects as compensation.
177
+ Emails, payment authorizations, third-party webhooks, provider state, and object-storage writes
178
+ do not disappear when code rolls back. Require outbox, idempotency key, state machine,
179
+ reconciliation, or compensation notes for side effects that cannot be undone by reverting code.
180
+
181
+ 12. Keep API compatibility wider than the deploy window.
182
+ Server versions and clients do not change at the same instant. Check N-1 and N+1 compatibility
183
+ for request fields, response fields, enum values, error codes, API versions, and mobile or SDK
184
+ clients. Removing fields, narrowing enums, or adding required inputs can make rollback fail even
185
+ when the old container starts.
186
+
187
+ 13. Add a kill switch, not just a flag.
188
+ Feature flags that only select a new path are not enough. Require a fast disable path, a safe
189
+ default when flag lookup fails, and an owner who can flip it during the observation window.
190
+
191
+ 14. Define the canary cohort.
192
+ Percent-only canaries can hide the exact risky traffic. Name which users, tenants, regions,
193
+ routes, worker partitions, queues, payment methods, or dependency paths receive the new version.
194
+ Prefer a cohort that exercises the changed behavior without making the blast radius vague.
195
+
196
+ 15. Measure canaries by version and by user harm.
197
+ A small canary can disappear in global averages. Require metrics split by service version,
198
+ release id, route, cohort, or worker partition where safe. Prefer user-impact signals such as
199
+ 5xx, p95 or p99 latency, login failure, payment failure, order failure, queue backlog, or retry
200
+ explosion over CPU-only rollback triggers.
201
+
202
+ 16. Make automatic stop conditions numeric.
203
+ Before rollout, define stop or rollback thresholds for error rate, p95 or p99 latency, login or
204
+ payment failure, queue backlog, retry rate, dependency timeout, and saturation. "Watch it" is not
205
+ a stop condition.
206
+
207
+ 17. Verify read and write paths separately.
208
+ A read-only health check can pass while writes are broken. Add or identify smoke checks and
209
+ synthetic transactions that cover the changed read path, changed write path, and visible business
210
+ result without corrupting production data.
211
+
212
+ 18. Preserve release attribution in logs and telemetry.
213
+ Deployment logs and runtime logs should expose commit SHA, image tag or digest, config version,
214
+ chart or manifest revision, config version, migration version, feature flag state, deployment
215
+ environment, deployment id, service version, and instance. Log format changes must not silently
216
+ break alerts, dashboards, or search queries.
217
+
218
+ 19. Version cache keys and narrow invalidation.
219
+ Cache changes need cache key versioning or compatibility. Avoid blanket flushes unless the cold
220
+ DB load has been budgeted. Prefer narrow, gradual invalidation with fallback behavior named.
221
+ Old code must not deserialize new cache payloads without a compatibility plan.
222
+
223
+ 20. Guard scheduler duplication.
224
+ Cron and scheduled jobs can overlap during rolling deploys. Check singleton locks, leader
225
+ election, idempotency keys, deployment locks, and duplicate execution behavior for old and new
226
+ versions.
227
+
228
+ 21. Treat CRDs and operators as schema rollouts.
229
+ Custom resources, operators, storage versions, conversion strategies, and controller downgrade
230
+ behavior can block rollback even when application pods are healthy. When those surfaces change,
231
+ require stored-object migration, old-client compatibility, and operator downgrade notes.
232
+
233
+ 22. Use deployment locks per service and environment.
234
+ Two deploys, migrations, or production commands against the same service/environment need an
235
+ explicit conflict rule. Name the lock scope and the operator-visible owner.
236
+
237
+ 23. Make production commands boring.
238
+ Any production command touched by the change should have dry-run output, bounded target scope,
239
+ explicit confirmation or ticket reference, and refusal behavior for ambiguous environment,
240
+ tenant, region, or time range.
241
+
242
+ 24. Reserve post-deploy observation time.
243
+ Deployment is not done when traffic flips. Require a post-deploy observation window with owners
244
+ available, synthetic transaction results, dashboards, logs, queue backlog, dependency health, and
245
+ stop-condition status checked.
246
+
247
+ <!-- mustflow-section: postconditions -->
248
+ ## Postconditions
249
+
250
+ - Deployment resources, rollout order, stop conditions, rollback limits, and manual deployment
251
+ boundaries are explicit.
252
+ - Any missing resource ledger, missing configured verification, or production-only check is reported
253
+ instead of treated as complete.
254
+ - Template, route, i18n, package, docs, and tests remain synchronized when this skill is edited or
255
+ installed.
256
+
257
+ ## Review Checklist
258
+
259
+ - Deployment resource ledger is complete enough to name the blast radius.
260
+ - Release envelope binds image digest, config, Secret, migration, flag, traffic, deployer, and time
261
+ under a stable release identity where those platform concepts exist.
262
+ - Same artifact is promoted across environments or rebuild drift is explicitly controlled.
263
+ - Rollback history is retained, the old version can stay warm when needed, and traffic rollback is
264
+ separated from rebuilding or repulling code.
265
+ - DB migration, code deploy, data backfill, cache, queue, and rollback order are separated.
266
+ - Required config is validated at startup and deployment config diff is inspectable.
267
+ - Startup, liveness, and readiness probes answer different questions.
268
+ - Graceful shutdown, load balancer connection draining, worker drain, and interrupted work retry are
269
+ compatible.
270
+ - Queue messages, API payloads, and cache keys survive old/new producer, consumer, server, and
271
+ client overlap.
272
+ - External side effects have idempotency, reconciliation, or compensation instead of rollback
273
+ overclaim.
274
+ - Feature flag lookup failure chooses the safe default and a kill switch can stop the change.
275
+ - Canary cohort, version-split telemetry, and automatic stop condition are concrete, numeric, and
276
+ tied to the changed flow.
277
+ - Read smoke, write smoke, synthetic transaction, deployment logs, and post-deploy metrics are
278
+ defined before rollout.
279
+ - Rollback notes say what code rollback cannot undo, especially migrations, cache, messages,
280
+ external side effects, and user-visible data.
281
+
282
+ <!-- mustflow-section: verification -->
283
+ ## Verification
284
+
285
+ Prefer the narrowest configured mustflow command intent that covers the changed surface:
286
+
287
+ - `mf run test_related` for local tests around config validation, probes, shutdown, queue drain,
288
+ cache key behavior, migration compatibility, or smoke-check code.
289
+ - `mf run build` or `mf run lint` when deployment metadata, generated code, or compile-time config
290
+ surfaces changed.
291
+ - `mf run docs_validate_fast` when runbooks, skills, or deployment docs changed.
292
+ - `mf run test_release` when package/template/release surfaces changed.
293
+ - `mf run mustflow_check` before finishing broad mustflow-owned changes.
294
+
295
+ Do not replace missing deploy safety proof with an unrelated full test suite. Report the missing
296
+ configured intent or manual production verification boundary.
297
+
298
+ <!-- mustflow-section: failure-handling -->
299
+ ## Failure Handling
300
+
301
+ - If strict mustflow validation says the skill is not listed, update both the prose trigger and the
302
+ route table row in `.mustflow/skills/INDEX.md`, then sync the template copy.
303
+ - If validation says required section ids are missing, add the standard mustflow-section markers and
304
+ headings before changing command contracts or tests.
305
+ - If a deployment-safety check cannot be executed locally, record the manual boundary and the
306
+ production evidence that must be collected during the observation window.
307
+ - If rollback is unsafe because DB, cache, queue, external side effects, or user-visible data moved
308
+ forward, report roll-forward or mitigation work instead of claiming code rollback is sufficient.
309
+
310
+ <!-- mustflow-section: output-format -->
311
+ ## Output Format
312
+
313
+ When reporting a review or change, include:
314
+
315
+ - Skills used.
316
+ - Deployment resources touched.
317
+ - Rollout and rollback risks found or guarded.
318
+ - Config, migration, cache, queue, probe, shutdown, canary, and observation decisions.
319
+ - Verification commands run and their result.
320
+ - Remaining manual deployment checks, especially production-only smoke, canary, and observation
321
+ steps that cannot be executed locally.
@@ -0,0 +1,265 @@
1
+ ---
2
+ mustflow_doc: skill.desktop-auto-update-safety-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: desktop-auto-update-safety-review
9
+ description: Apply this skill when desktop app automatic update behavior, Electron autoUpdater or electron-builder feeds, Squirrel.Windows first-run handling, Sparkle appcasts, Tauri updater configuration, macOS signed and notarized updates, Windows installers, Linux desktop packages, update metadata, latest.yml/latest.json/appcast.xml pointers, CDN caching, staged rollout percentages, alpha/beta/stable channels, update kill switches, artifact immutability, signatures, hash verification, signing-key custody, key rotation, certificate expiry, notarization gates, single-flight update checks, quit-and-install timing, old-version upgrade paths, rollback-forward fixes, updater telemetry, crash gates, or installed-app update smoke tests are created, changed, reviewed, or reported.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.desktop-auto-update-safety-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Desktop Auto Update Safety Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review desktop automatic updates as a remote code-execution supply chain, not a convenience button.
33
+
34
+ The review question is not "does the new version download?" It is "can old installed clients
35
+ discover, verify, stage, apply, relaunch, observe, stop, and recover from an update without mixing
36
+ metadata, artifacts, signatures, channels, rollout cohorts, permissions, local data, or user work?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Electron `autoUpdater`, electron-builder update feeds, Squirrel.Windows, NSIS, MSIX, Sparkle,
42
+ Tauri updater, macOS appcasts, Windows installers, Linux desktop packages, updater endpoints,
43
+ release channels, or desktop installer metadata are created, changed, reviewed, or reported.
44
+ - Code or docs touch update states such as check, download, verify, stage, apply, relaunch, rollback,
45
+ resume, retry, cancel, or post-relaunch health.
46
+ - Release work touches immutable installer artifacts, `.sig`, `.blockmap`, `.yml`, `.json`,
47
+ `latest.yml`, `latest.json`, appcast XML, CDN cache policy, hashes, signatures, or channel
48
+ pointers that installed clients consume.
49
+ - A desktop updater needs staged rollout, deterministic canary buckets, alpha/beta/stable channel
50
+ separation, kill switch, remote disable policy, crash gate, update telemetry, or emergency
51
+ forward-fix behavior.
52
+ - A desktop update path depends on code signing, notarization, certificate expiry, signing-key
53
+ custody, key rotation, clean-machine install tests, old-version upgrade tests, migration
54
+ compatibility, or installed-app smoke tests.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The task is only publishing a package, tag, registry version, GitHub Release, or generic release
60
+ asset without installed desktop updater behavior; use `release-publish-change`.
61
+ - The task is only server, container, backend, worker, migration, feature-flag, or traffic rollout
62
+ safety; use `deployment-rollout-safety-review`.
63
+ - The task is only background process crash recovery, leases, service supervision, sleep/resume, or
64
+ safe mode; use `desktop-background-process-stability-review`.
65
+ - The task is only Tauri command permissions, capabilities, sidecars, opener, shell, CSP, or updater
66
+ endpoint trust inside a Tauri app; use `tauri-code-change` first, then return here for update
67
+ rollout and distribution behavior.
68
+ - The task is only release notes wording without updater metadata, installed app behavior, or
69
+ release-channel claims; use `release-notes-authoring`.
70
+
71
+ <!-- mustflow-section: required-inputs -->
72
+ ## Required Inputs
73
+
74
+ - Updater stack ledger: framework, installer type, updater library, OS targets, install scope,
75
+ channel, feed URL, metadata format, signing model, update staging location, relaunch path, and
76
+ old-version support window.
77
+ - State-machine ledger: check, download, verify, stage, apply, relaunch, first-run-after-update,
78
+ rollback or forward-fix, cancellation, retry, and failure states with user-visible outcomes.
79
+ - Artifact ledger: immutable artifact names, platform assets, signatures, blockmaps or delta files,
80
+ hashes, sizes, metadata pointers, CDN cache policy, upload order, and remote publication status.
81
+ - Trust ledger: code signing, notarization, updater signature, signing-key storage, key rotation,
82
+ certificate expiry gate, TLS expectations, metadata signing, and hash verification.
83
+ - Rollout ledger: channel policy, staged percentage, deterministic bucket key, kill switch,
84
+ per-version deny or pause policy, OS or architecture gating, crash gate, and manual approval gate.
85
+ - Installed-client ledger: oldest supported versions, skipped-version upgrade paths, data migration
86
+ compatibility, first-run locks, single-flight update checks, quit-and-install timing, user work
87
+ preservation, and clean-machine test matrix.
88
+ - Observability ledger: check count, download start, download success, verification failure,
89
+ install start, install success, relaunch success, post-relaunch heartbeat, crash-free sessions,
90
+ update error codes, channel, version, OS, architecture, and cohort.
91
+
92
+ <!-- mustflow-section: preconditions -->
93
+ ## Preconditions
94
+
95
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
96
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
97
+ current scope.
98
+ - Remote publication, live channel pointer changes, signing-key access, installer execution,
99
+ destructive asset deletion, yanking, or production kill-switch flips remain out of scope unless
100
+ explicitly authorized by the repository and host command contract.
101
+ - If only static repository evidence is available, report installed-app, clean-machine, remote CDN,
102
+ signing, notarization, and update-smoke checks as manual or missing instead of implying they ran.
103
+
104
+ <!-- mustflow-section: allowed-edits -->
105
+ ## Allowed Edits
106
+
107
+ - Add or tighten update state machines, single-flight guards, staged rollout policy, deterministic
108
+ cohorting, kill-switch handling, remote updater policy, channel separation, signature and hash
109
+ checks, artifact upload ordering, cache headers, installed-client compatibility guards,
110
+ quit-and-install safety, migration idempotency notes, update telemetry, crash gates, and focused
111
+ tests or docs.
112
+ - Update release checklists, updater runbooks, package metadata, template skills, installer docs,
113
+ test assertions, and release-sensitive fixtures that encode the desktop auto-update contract.
114
+ - Do not overwrite an existing versioned artifact, reuse a broken version number as the fix, move a
115
+ stable channel to a beta feed, relax signature verification, store signing private keys on the
116
+ release server, or call an update complete from download completion alone.
117
+ - Do not run raw installer, updater, signing, notarization, CDN, release, or OS lifecycle commands
118
+ outside configured command intents.
119
+
120
+ <!-- mustflow-section: procedure -->
121
+ ## Procedure
122
+
123
+ 1. Define the updater as a state machine.
124
+ - Separate check, download, verify, stage, apply, relaunch, and post-relaunch health.
125
+ - Log or return stage-specific errors instead of a single "update failed" bucket.
126
+ - Preserve cancellation and retry behavior without corrupting staged files.
127
+ 2. Separate immutable artifacts from mutable pointers.
128
+ - Treat versioned installers, signatures, blockmaps, and platform assets as immutable.
129
+ - Change only the latest pointer, channel metadata, or staged rollout policy after all referenced
130
+ assets are uploaded and independently downloadable.
131
+ - Report any flow that overwrites `app-1.2.3`-style artifacts or edits a published version in
132
+ place.
133
+ 3. Enforce artifact-before-metadata ordering.
134
+ - Upload installers, `.sig`, `.blockmap`, `.yml`, `.json`, appcast, and platform assets before
135
+ changing `latest.yml`, `latest.json`, `appcast.xml`, or equivalent client-visible pointers.
136
+ - Give metadata short TTL or revalidation and give immutable artifacts long cache when safe.
137
+ - Treat mismatched metadata hash, size, signature, or URL as a live update-channel incident.
138
+ 4. Require trust verification.
139
+ - Verify code signing, notarization where applicable, updater signatures, file hashes, file sizes,
140
+ channel identity, and expected platform target before applying.
141
+ - Keep signing private keys off the release server and practice key rotation before an incident.
142
+ - Make certificate expiry, notarization failure, missing signature, or entitlement drift fail the
143
+ release gate before users see the update.
144
+ 5. Keep channels physically and logically separate.
145
+ - Separate alpha, beta, stable, canary, and enterprise channels by feed, metadata, or explicit
146
+ policy; do not rely only on version suffixes.
147
+ - Verify stable clients cannot accidentally consume beta or alpha metadata.
148
+ - Treat channel movement as a public release contract.
149
+ 6. Roll out by deterministic cohorts.
150
+ - Prefer install id, device id, account id, or another stable privacy-safe bucket key over
151
+ per-request randomness.
152
+ - Use staged rollout percentages with clear progression and stop rules.
153
+ - Add jitter and backoff so app start, network reconnect, or periodic checks do not stampede the
154
+ update server.
155
+ 7. Add server-side stop controls.
156
+ - Provide a kill switch or "no update" response for bad versions, OS targets, architectures,
157
+ cohorts, or channels without requiring a new app update.
158
+ - Preserve user-intentional pause, enterprise policy, and admin-managed update controls when the
159
+ product supports them.
160
+ - Do not make a broken updater fixable only by shipping another update through the broken path.
161
+ 8. Prevent duplicate update work.
162
+ - Guard update checks and downloads with a single-flight or mutex path.
163
+ - Handle app startup, menu-click, timer, network-reconnect, and background-triggered checks
164
+ converging on the same update state.
165
+ - Include Squirrel.Windows first-run or installer lock timing when the Windows stack can hold
166
+ files immediately after installation.
167
+ 9. Apply only when user work is safe.
168
+ - Gate quit-and-install, relaunch, or helper replacement on saved work, drained background tasks,
169
+ paused sync, and platform-specific quit events.
170
+ - Treat `before-quit-for-update`, preshutdown, app exit, and renderer close events as distinct
171
+ from ordinary shutdown when the framework exposes them.
172
+ - Report any forced restart path that can lose unsaved documents, recordings, uploads, database
173
+ sessions, or long local jobs.
174
+ 10. Test installed upgrade paths, not development mode.
175
+ - Prefer packaged, signed, installed-app update tests from older versions, clean users, clean
176
+ machines or VMs, and the install scopes users actually have.
177
+ - Include skipped-version paths from active old versions, not only previous-version to latest.
178
+ - Cover Windows user-wide versus machine-wide installs, macOS Intel versus Apple Silicon,
179
+ Gatekeeper, quarantine, app translocation, read-only mounts, and Linux package formats when
180
+ those targets exist.
181
+ 11. Make migrations update-safe.
182
+ - Support old data with new code, new data with old code when rollback or forward-fix overlap can
183
+ happen, and users who skip several app versions.
184
+ - Make local migrations idempotent with completion markers and partial-failure recovery.
185
+ - Prefer forward-fix with a higher version over attempting to repair a broken release by
186
+ republishing the same version.
187
+ 12. Keep old artifacts long enough.
188
+ - Retain full installers, deltas, signatures, metadata, and migration bridges needed by active
189
+ old clients.
190
+ - Do not delete old artifacts solely to reduce storage without checking active-version telemetry
191
+ and upgrade path coverage.
192
+ 13. Observe real update success.
193
+ - Count check, download, verify, install, relaunch, and post-relaunch heartbeat separately.
194
+ - Treat download completion as incomplete; success is the new version running and healthy after
195
+ relaunch.
196
+ - Split telemetry by version, channel, OS, architecture, cohort, installer type, and error code
197
+ while preserving privacy and redaction rules.
198
+ 14. Stop rollout automatically when harm appears.
199
+ - Define crash-free, verification-failure, install-failure, relaunch-failure, and support-ticket
200
+ thresholds that pause rollout or return "no update".
201
+ - Require operator-visible release id, channel, version, cohort, and artifact identity in update
202
+ logs or metrics.
203
+ 15. Report what cannot be proven locally.
204
+ - Name missing updater-smoke, clean-machine, signing, notarization, CDN-cache, staged-rollout,
205
+ crash-gate, or remote-feed verification instead of replacing it with unrelated unit tests.
206
+
207
+ <!-- mustflow-section: postconditions -->
208
+ ## Postconditions
209
+
210
+ - Update state machine, immutable artifact policy, metadata pointer order, signatures, hashes,
211
+ key custody, certificate gates, channel separation, staged rollout, deterministic bucket, kill
212
+ switch, single-flight checks, first-run locks, quit-and-install safety, installed upgrade matrix,
213
+ migration compatibility, old artifact retention, update telemetry, crash gates, and manual remote
214
+ verification boundaries are explicit.
215
+ - Mutable artifact overwrite, metadata-before-artifact publication, long-lived latest-pointer cache,
216
+ missing signatures, release-server private keys, unpracticed key rotation, expired certificate
217
+ surprise, random per-request canary, no kill switch, duplicate downloads, forced restart data loss,
218
+ development-mode-only update testing, same-version republish recovery, old artifact deletion, and
219
+ download-complete-as-success claims are fixed or reported.
220
+ - Desktop updater safety claims are backed by configured tests, package or template checks, static
221
+ release evidence, installed-app smoke evidence, or clearly labeled as manual-only or missing.
222
+
223
+ <!-- mustflow-section: verification -->
224
+ ## Verification
225
+
226
+ Use configured oneshot command intents when available:
227
+
228
+ - `changes_status`
229
+ - `changes_diff_summary`
230
+ - `lint`
231
+ - `build`
232
+ - `test_related`
233
+ - `test`
234
+ - `docs_validate_fast`
235
+ - `test_release`
236
+ - `mustflow_check`
237
+
238
+ Prefer configured updater-smoke, package-inspection, signature, notarization, CDN, staged-rollout,
239
+ install-smoke, or release-verification intents when the command contract exposes them. Do not infer
240
+ raw signing, installer, CDN, release, updater, or OS commands from project files.
241
+
242
+ <!-- mustflow-section: failure-handling -->
243
+ ## Failure Handling
244
+
245
+ - If metadata references missing artifacts, stale hashes, bad signatures, wrong channels, or broken
246
+ cache headers, treat the update channel as potentially live-broken and stop publication claims.
247
+ - If an update was already visible to clients, prefer a new higher-version forward fix, kill switch,
248
+ or paused rollout over overwriting the same version.
249
+ - If verification cannot run because signing keys, notarization, CDN, clean VMs, old installers, or
250
+ remote feeds are unavailable, report the exact missing evidence.
251
+ - If automatic update safety conflicts with user data safety, signature security, enterprise policy,
252
+ least privilege, or rollback compatibility, keep the safer behavior and report the tradeoff.
253
+
254
+ <!-- mustflow-section: output-format -->
255
+ ## Output Format
256
+
257
+ - Desktop auto-update boundary reviewed
258
+ - Updater stack, state machine, artifact, trust, rollout, installed-client, migration, telemetry, and
259
+ kill-switch findings
260
+ - Auto-update safety fixes made or recommended
261
+ - Evidence level: configured-test evidence, package/release evidence, installed-app smoke evidence,
262
+ static updater risk, manual-only, missing, or not applicable
263
+ - Command intents run
264
+ - Skipped updater diagnostics and reasons
265
+ - Remaining desktop auto-update risk