mustflow 2.38.0 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/README.md +3 -0
  2. package/dist/cli/commands/run/executor.js +16 -0
  3. package/dist/cli/commands/run/process-tree.js +6 -3
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/repo-map.js +16 -3
  14. package/dist/cli/lib/templates.js +8 -7
  15. package/dist/cli/lib/validation/constants.js +1 -1
  16. package/dist/core/active-run-locks.js +78 -20
  17. package/dist/core/change-classification.js +4 -0
  18. package/dist/core/command-contract-rules.js +1 -1
  19. package/dist/core/command-contract-validation.js +1 -1
  20. package/dist/core/command-cwd.js +13 -2
  21. package/dist/core/command-effects.js +22 -4
  22. package/dist/core/command-env.js +8 -6
  23. package/dist/core/command-preconditions.js +28 -2
  24. package/dist/core/completion-verdict.js +1 -1
  25. package/dist/core/line-endings.js +8 -4
  26. package/dist/core/safe-filesystem.js +9 -1
  27. package/dist/core/source-anchor-validation.js +7 -1
  28. package/dist/core/source-anchors.js +8 -2
  29. package/dist/core/verification-scheduler.js +8 -2
  30. package/package.json +1 -1
  31. package/templates/default/common/.mustflow/config/commands.toml +39 -15
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +388 -2
@@ -0,0 +1,318 @@
1
+ ---
2
+ mustflow_doc: skill.desktop-background-process-stability-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: desktop-background-process-stability-review
9
+ description: Apply this skill when Windows services, macOS LaunchDaemon or LaunchAgent jobs, Linux systemd units, Electron main or utility processes, WebView helpers, tray apps, sync workers, local daemons, auto-start helpers, updaters, desktop background jobs, or cross-session desktop processes need stability review for crash recovery, durable checkpoints, single-instance and data-directory locks, OS supervisor configuration, restart backoff, health checks, heartbeats, leases, idempotent jobs, atomic file writes, shutdown and preshutdown handling, exit-code semantics, UI and worker process separation, service Session 0 isolation, launchd daemon versus agent choice, systemd restart limits, sleep/resume, monotonic time, IPC authorization, environment and working-directory determinism, least privilege, startup logging, crash reporting, update safety, lifecycle tests, and safe mode.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.desktop-background-process-stability-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Desktop Background Process Stability Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review desktop background processes as recoverable local systems, not immortal processes.
33
+
34
+ The review question is not "how do we keep this process alive forever?" It is "when this service,
35
+ agent, helper, worker, tray process, or sync daemon dies, restarts, races another instance, loses
36
+ network, resumes from sleep, or updates mid-job, what durable evidence prevents data loss,
37
+ duplicate side effects, privilege confusion, or silent stuck work?"
38
+
39
+ <!-- mustflow-section: use-when -->
40
+ ## Use When
41
+
42
+ - Windows services, service helpers, SCM failure actions, preshutdown handlers, service SIDs,
43
+ Session 0 boundaries, scheduled tasks, tray apps, auto-start entries, or user-session helpers are
44
+ created, changed, reviewed, or reported.
45
+ - macOS LaunchDaemons, LaunchAgents, login items, app helpers, background items, agent versus daemon
46
+ placement, launchd restart behavior, per-user state, or fork/daemonize behavior is involved.
47
+ - Linux desktop services, systemd user units, system units, restart policies, start-rate limits,
48
+ working directories, sandboxing, or service environment are involved.
49
+ - Electron, Tauri, WebView, native desktop, .NET, JVM, Python, Rust, C++, Go, Node, or shell-backed
50
+ apps run main-process, utility-process, child-process, updater, sync, indexing, notification,
51
+ tray, plugin, or background work outside the visible UI lifecycle.
52
+ - Code touches durable checkpoints, local queues, job leases, single-instance locks, data-directory
53
+ locks, IPC, crash reporting, heartbeat records, sleep/resume handling, network reachability,
54
+ monotonic timers, atomic settings writes, exit codes, update drain, rollback, or safe mode.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The task is only installed app startup from process launch to first frame or fully usable state;
60
+ use `app-startup-performance-review`.
61
+ - The task is only memory residency, renderer count, hidden windows, decoded media, caches, or
62
+ after-close memory; use `desktop-memory-footprint-review`.
63
+ - The task is only queue acknowledgement, offsets, DLQ, prefetch, redelivery, or broker semantics;
64
+ use `queue-processing-integrity-review`.
65
+ - The task is only duplicate external requests or business-command replay; use
66
+ `idempotency-integrity-review`.
67
+ - The task is only generic failure handling that can make the system falsely report success; use
68
+ `failure-integrity-review`.
69
+ - The task is only backend or server deployment rollout, probes, canaries, or rollback; use
70
+ `deployment-rollout-safety-review`.
71
+
72
+ <!-- mustflow-section: required-inputs -->
73
+ ## Required Inputs
74
+
75
+ - Process ledger: process role, platform, supervisor, user session, privilege level, data directory,
76
+ account or profile scope, autostart path, UI relationship, updater relationship, and shutdown
77
+ owner.
78
+ - Recovery ledger: durable checkpoint, last safe offset, job table, local queue, lease fields,
79
+ startup recovery flow, stale-lock cleanup, partial-write handling, and corruption response.
80
+ - Instance ledger: app single-instance lock, user-session lock, data-directory lock, account lock,
81
+ updater/helper lock, lock acquisition timing, stale lock detection, and cross-elevation or
82
+ cross-session behavior.
83
+ - Supervisor ledger: Windows SCM, scheduled task, launchd daemon or agent, systemd user or system
84
+ unit, restart policy, backoff, start-rate limit, manual stop behavior, safe mode trigger, and
85
+ environment or working-directory contract.
86
+ - Health ledger: PID check, event-loop progress, IPC response, database or file lock check, queue
87
+ progress, heartbeat fields, last progress time, current job id, processed offset, last success,
88
+ last error code, and stuck-work classification.
89
+ - Lifecycle ledger: normal stop, crash, kill, logout, shutdown, preshutdown, sleep, resume, network
90
+ loss, VPN change, disk full, permission loss, clock jump, antivirus file lock, update, rollback,
91
+ and first-start-after-update behavior.
92
+ - Security ledger: IPC ACL, local token, origin or caller verification, schema version, request size
93
+ limit, request timeout, least privilege, writable paths, service SID, sandboxing, secret storage,
94
+ and crash/log redaction.
95
+ - Existing tests, telemetry, crash reports, logs, package or installer surfaces, synchronized docs or
96
+ templates, and configured command-intent evidence.
97
+
98
+ <!-- mustflow-section: preconditions -->
99
+ ## Preconditions
100
+
101
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
102
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
103
+ current scope.
104
+ - Required process, supervisor, recovery, and lifecycle evidence is available from current files,
105
+ diffs, docs, configured outputs, user-provided evidence, or can be reported as missing without
106
+ guessing.
107
+ - Treat OS documentation, installer manifests, service plist or unit files, registry entries,
108
+ autostart entries, and package scripts as contract surfaces when the change depends on them.
109
+ - If the change touches money, privacy, security, migrations, queue semantics, file corruption, or
110
+ cloud sync, also use the narrower matching skill when its trigger is present.
111
+
112
+ <!-- mustflow-section: allowed-edits -->
113
+ ## Allowed Edits
114
+
115
+ - Add or tighten durable checkpoints, local job states, leases, startup recovery, stale-lock cleanup,
116
+ single-instance locks, data-directory locks, idempotency keys, atomic file writes, fsync/rename
117
+ write paths, exit-code classification, health probes, progress heartbeats, restart backoff,
118
+ safe-mode thresholds, lifecycle handlers, sleep/resume recovery, IPC authorization, explicit
119
+ environment setup, least-privilege configuration, early logging, crash reporter metadata, and
120
+ focused lifecycle tests.
121
+ - Separate UI process lifecycle from worker process lifecycle when the visible app, tray app,
122
+ renderer, helper, or worker currently owns unrelated shutdown or recovery behavior.
123
+ - Prefer OS supervisors such as Windows SCM, launchd, and systemd over hand-rolled infinite monitor
124
+ loops when the platform already owns restart and lifecycle policy.
125
+ - Do not add a watchdog, autostart entry, restart policy, or hidden process solely to hide crashes.
126
+ - Do not rely on shutdown hooks as the primary persistence path.
127
+ - Do not broaden privileges, writable paths, IPC trust, or background execution scope to make
128
+ recovery easier.
129
+ - Do not start raw services, background processes, profilers, OS lifecycle tests, login item changes,
130
+ installer changes, or system configuration outside the configured command contract.
131
+
132
+ <!-- mustflow-section: procedure -->
133
+ ## Procedure
134
+
135
+ 1. Define the process boundary.
136
+ - Name each background process, helper, renderer, service, agent, updater, tray app, and worker.
137
+ - Record the owner of data, UI, IPC, update, crash reporting, and shutdown for each role.
138
+ - Reject "the app is running" as a sufficient invariant when visible UI and background work have
139
+ different lifecycles.
140
+ 2. Treat process death as normal.
141
+ - Identify what state is safe after crash, kill, logout, shutdown, update, or power loss.
142
+ - Move essential progress from memory-only state into durable checkpoints, local job records,
143
+ append-only logs, or recoverable files.
144
+ - Report any path whose only recovery story is "the process should not die."
145
+ 3. Make startup recovery explicit.
146
+ - On process start, recover leased jobs, stale locks, partial files, local queues, pending sync
147
+ records, interrupted migrations, and previous crash metadata before accepting new work.
148
+ - Keep recovery bounded and observable; a restart that immediately re-enters the same corrupted
149
+ state is a crash loop, not resilience.
150
+ 4. Separate process single-instance from resource ownership.
151
+ - Acquire app or process single-instance locks before opening databases, queues, files, IPC
152
+ sockets, network sessions, or updater resources.
153
+ - Also review locks by data directory, profile id, account id, device id, and privilege/session
154
+ boundary.
155
+ - Do not assume one desktop session, one elevation level, or one helper binary means one writer.
156
+ 5. Model jobs with leases and terminal states.
157
+ - Prefer `pending`, `leased`, `done`, and `failed` or equivalent explicit states over one
158
+ "processing" boolean.
159
+ - Include `job_id`, `dedupe_key`, `attempt`, `lease_until`, `completed_at`, and failure reason
160
+ when repeated work or restart recovery can happen.
161
+ - Recover expired leases and keep in-flight side effects idempotent.
162
+ 6. Make writes crash-safe.
163
+ - For settings, checkpoints, queues, indexes, tokens, and manifests, prefer write-temp,
164
+ flush, fsync, and atomic rename or the repository's equivalent safe-write helper.
165
+ - Ensure a crash leaves either the old version or the new version, not a half-written JSON, TOML,
166
+ database, index, or checkpoint.
167
+ 7. Persist during normal operation.
168
+ - Treat shutdown hooks, preshutdown callbacks, signal handlers, and app quit events as best-effort
169
+ cleanup, not the only moment progress is saved.
170
+ - Keep long cleanup out of direct service control handlers unless the platform contract supports
171
+ reporting progress safely.
172
+ 8. Use the OS supervisor deliberately.
173
+ - For Windows, review SCM failure actions, delayed auto-start, service SID, preshutdown, and
174
+ Session 0 isolation.
175
+ - For macOS, choose LaunchDaemon for system-wide work and LaunchAgent for per-user work, and do
176
+ not daemonize under launchd.
177
+ - For Linux, review systemd user versus system units, restart policy, start-rate limits, working
178
+ directory, environment, and sandboxing.
179
+ 9. Add restart discipline.
180
+ - Automatic restart needs backoff, max attempts, failure classification, and safe mode.
181
+ - Preserve a user-intentional stop separately from crash recovery so scheduled restarts do not
182
+ surprise users after they explicitly stopped the background process.
183
+ - Detect crash loops and stop consuming CPU, battery, network, and trust.
184
+ 10. Replace PID checks with progress checks.
185
+ - A live PID only proves a process exists.
186
+ - Prefer health that proves event-loop turns, IPC responses, local storage access, queue progress,
187
+ last successful sync, last progress time, and bounded latency.
188
+ - Separate alive, ready, progressing, degraded, and blocked states when the UI or supervisor uses
189
+ the result.
190
+ 11. Make heartbeats useful.
191
+ - Heartbeats should include progress evidence, such as `last_progress_at`, `current_job_id`,
192
+ `processed_offset`, `last_successful_sync_at`, `last_error_code`, process start id, build
193
+ version, and attempt.
194
+ - Avoid `last_seen_at` alone when a tight loop, deadlock, or stuck queue can keep updating it.
195
+ 12. Keep UI and background lifecycle separate.
196
+ - Closing a window, hiding a tray icon, renderer crash, UI reload, or WebView crash should not
197
+ silently kill durable background work unless that is the explicit product contract.
198
+ - A worker crash should be visible to the UI as degraded or recovering, not hidden behind stale
199
+ status text.
200
+ 13. Respect desktop platform boundaries.
201
+ - Do not show UI directly from a Windows service running in Session 0; communicate with a
202
+ user-session process through authorized IPC.
203
+ - Do not put per-user macOS camera, clipboard, notification, home-directory, or UI-like work into
204
+ a system daemon when a LaunchAgent is the proper boundary.
205
+ - Do not solve network availability through boot ordering alone.
206
+ 14. Treat sleep and resume as first-class failures.
207
+ - On resume, suspect sockets, DNS, VPN, file handles, timers, leases, auth sessions, and
208
+ reachability.
209
+ - Revalidate network and storage before resuming queued work.
210
+ - Keep stale in-memory timers from making lease or timeout decisions after a long sleep.
211
+ 15. Use monotonic time for durations.
212
+ - Measure timeouts, lease intervals, heartbeat gaps, retry delay, and crash-loop windows with a
213
+ monotonic clock or equivalent elapsed-time source.
214
+ - Use wall-clock timestamps only for user-visible time and audit records that need calendar time.
215
+ 16. Harden IPC.
216
+ - Treat localhost ports, named pipes, Unix sockets, custom protocols, shared memory, and
217
+ renderer-to-main messages as local attack surfaces.
218
+ - Add ACLs, caller tokens, origin checks, message schema versions, request size limits, per-request
219
+ timeouts, and safe error handling where applicable.
220
+ 17. Make environment deterministic.
221
+ - Use absolute executable paths, explicit working directories, explicit data directories, and
222
+ bounded environment variables.
223
+ - Do not depend on a shell PATH, current directory, inherited locale, inherited HOME, or interactive
224
+ user environment unless the contract states that requirement.
225
+ 18. Reduce privilege and write scope.
226
+ - Run background work with the least privilege that can do the job.
227
+ - Limit writable directories to data, logs, crash dumps, and update staging paths that are actually
228
+ needed.
229
+ - Keep elevated helpers small, IPC-gated, audited, and unable to execute arbitrary UI commands.
230
+ 19. Capture earliest failure evidence.
231
+ - Initialize crash reporting and stdout or stderr capture before creating renderers, workers, IPC,
232
+ or long startup work.
233
+ - Include app version, channel, OS, architecture, process role, process start id, job id, safe
234
+ account hash, feature flags, exit reason, and supervisor restart reason when the repository has
235
+ safe observability patterns.
236
+ - Redact secrets, tokens, paths, raw account identifiers, and user content.
237
+ 20. Make updates restart-safe.
238
+ - Before updating, drain or shorten leases, persist checkpoints, pause risky queue consumers, and
239
+ keep rollback or previous-version compatibility evidence.
240
+ - Make migrations and helper registration re-entrant.
241
+ - Do not delete the old executable, helper, service definition, or data compatibility path before
242
+ the new version proves healthy.
243
+ 21. Add real lifecycle tests or explicit manual gaps.
244
+ - Prefer tests or probes for double start, stale lock, expired lease recovery, atomic write crash
245
+ boundary, IPC denial, user stop versus crash restart, sleep/resume handling, update interruption,
246
+ corrupted local file, disk full, permission denial, and safe-mode entry.
247
+ - If OS-level lifecycle tests are not configured intents, report them as manual-only evidence gaps.
248
+ 22. Define safe mode.
249
+ - After repeated crashes or startup failures, disable risky plugins, queue consumption, sync loops,
250
+ GPU-heavy features, recent migrations, or aggressive background work.
251
+ - Keep enough diagnostics for repair, and avoid a crash loop that consumes CPU, battery, network,
252
+ or user trust.
253
+
254
+ <!-- mustflow-section: postconditions -->
255
+ ## Postconditions
256
+
257
+ - Process roles, durable state, startup recovery, instance locks, supervisor policy, restart backoff,
258
+ health checks, progress heartbeats, job leases, atomic writes, shutdown behavior, exit-code
259
+ semantics, UI and worker lifecycle, platform boundaries, sleep/resume, monotonic time, IPC,
260
+ environment, privilege, logging, crash reporting, update safety, lifecycle tests, and safe mode are
261
+ explicit.
262
+ - Memory-only state, late single-instance locks, PID-only health checks, `last_seen_at`-only
263
+ heartbeats, one "processing" boolean, non-atomic local files, shutdown-only persistence, hand-rolled
264
+ monitor loops, unbounded restart loops, user-stop/restart confusion, service UI from Session 0,
265
+ daemon/agent mismatch, daemonizing under launchd, boot-order network assumptions, wall-clock lease
266
+ timers, trusted local IPC, inherited PATH or working directory dependence, overprivileged helpers,
267
+ missing early logs, uninitialized crash reporter gaps, one-shot migrations, and no-op safe mode are
268
+ fixed or reported.
269
+ - Desktop background stability claims are backed by configured tests, static-review evidence,
270
+ telemetry or crash evidence, or labeled as manual-only or missing.
271
+
272
+ <!-- mustflow-section: verification -->
273
+ ## Verification
274
+
275
+ Use configured oneshot command intents when available:
276
+
277
+ - `changes_status`
278
+ - `changes_diff_summary`
279
+ - `lint`
280
+ - `build`
281
+ - `test_related`
282
+ - `test`
283
+ - `docs_validate_fast`
284
+ - `test_release`
285
+ - `mustflow_check`
286
+
287
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
288
+ changed process, supervisor, template, installer, IPC, file-write, queue, or lifecycle surface. Do
289
+ not infer raw service starts, launchd loads, systemd starts, installer changes, login item edits,
290
+ sleep/resume automation, crash reporter dashboards, or OS lifecycle harnesses outside the command
291
+ contract.
292
+
293
+ <!-- mustflow-section: failure-handling -->
294
+ ## Failure Handling
295
+
296
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and
297
+ the lifecycle invariant it exercised before editing again.
298
+ - If only static evidence is available, report that OS-supervisor, sleep/resume, update, and
299
+ crash-loop behavior still need manual or platform harness validation.
300
+ - If safe repair requires installer changes, service registration changes, updater design, privilege
301
+ changes, OS lifecycle harnesses, migration policy, or product decisions outside scope, report that
302
+ boundary instead of inventing commands.
303
+ - If process stability conflicts with data safety, user intent, security, privacy, least privilege,
304
+ update rollback, or battery life, keep the safer behavior and report the tradeoff.
305
+
306
+ <!-- mustflow-section: output-format -->
307
+ ## Output Format
308
+
309
+ - Desktop background process stability boundary reviewed
310
+ - Process, recovery, instance-lock, supervisor, restart, health, heartbeat, lease, atomic-write,
311
+ shutdown, platform, power, time, IPC, environment, privilege, logging, crash, update, lifecycle-test,
312
+ and safe-mode findings
313
+ - Stability fixes made or recommended
314
+ - Evidence level: configured-test evidence, static desktop-process risk, telemetry/crash evidence,
315
+ manual-only, missing, or not applicable
316
+ - Command intents run
317
+ - Skipped desktop lifecycle diagnostics and reasons
318
+ - Remaining desktop background process stability risk
@@ -0,0 +1,318 @@
1
+ ---
2
+ mustflow_doc: skill.desktop-memory-footprint-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: desktop-memory-footprint-review
9
+ description: Apply this skill when Windows, macOS, Linux, Electron, WebView, WPF, WinUI, Win32, Qt, Java Swing or JavaFX, .NET, JVM, Rust, C++, Python, or other desktop app code needs memory-footprint review for working set versus private memory, RSS, dirty pages, live set, peak and after-close memory, UI and data virtualization, renderer and window count, module loading, image decode size, OS-discardable caches, memory-mapped files, `madvise`, `EmptyWorkingSet`, .NET LOH and `ArrayPool<T>`, WPF visual trees, GDI or USER handles, detached DOM nodes, hidden windows or tabs, string deduplication, large buffer capacity, struct padding, object graph shape, undo history, inactive views, low-memory signals, and scenario-level memory budgets.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.desktop-memory-footprint-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Desktop Memory Footprint Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review desktop app memory as a scenario-level footprint problem across UI objects, data residency,
33
+ native handles, renderer processes, decoded media, caches, mapped files, heap live sets, and
34
+ after-close cleanup.
35
+
36
+ The review question is not "can GC run more often?" It is "which screens, files, windows, renderers,
37
+ decoded assets, caches, handles, buffers, strings, and history entries remain resident, private,
38
+ dirty, or expensive after the user no longer needs them?"
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - Windows, macOS, Linux, Electron, WebView, WPF, WinUI, Win32, Qt, Java Swing, JavaFX, .NET, JVM,
44
+ Rust, C++, Python, or other desktop app code is created, changed, reviewed, or reported with
45
+ memory use, working set, RSS, private bytes, dirty memory, live set, heap growth, GPU memory,
46
+ native handles, renderer process, hidden window, tab, large file, image, cache, undo history, or
47
+ after-close memory risk.
48
+ - Code touches large lists, tables, trees, CSV or log viewers, binary viewers, image viewers, note
49
+ apps, chat apps, design tools, document editors, preview panes, hidden tabs, background windows,
50
+ file loading, memory maps, caches, pooled buffers, strings, object models, visual templates,
51
+ event listeners, WebViews, Electron `BrowserWindow`, preload scripts, `require()` graphs, native
52
+ GDI or USER objects, or low-memory handling.
53
+ - A final report claims a desktop path is memory optimized, leak-free, lightweight, safe for large
54
+ files, safe for long-running sessions, safe after closing tabs or windows, or validated by Task
55
+ Manager, Activity Monitor, Chrome DevTools, JFR, dotnet counters, heap snapshots, or platform
56
+ memory tools.
57
+
58
+ <!-- mustflow-section: do-not-use-when -->
59
+ ## Do Not Use When
60
+
61
+ - The task is only about retained-reference leaks, setup and cleanup symmetry, listeners, timers,
62
+ streams, workers, or native handle release ownership; use `memory-lifetime-review`.
63
+ - The task is only about generic hot-path latency, throughput, allocation churn, GC pressure, or
64
+ cost multipliers with no desktop app memory surface; use `performance-budget-check`.
65
+ - The task is only installed app startup from process launch to first frame or fully usable state;
66
+ use `app-startup-performance-review`.
67
+ - The task is only low-end or constrained-device policy across mobile or installed app capability
68
+ budgets; use `low-end-device-support-review`.
69
+ - The task is only browser page rendering, INP, DOM frame work, CSS layout, paint, or compositing;
70
+ use `frame-render-performance-review`.
71
+
72
+ <!-- mustflow-section: required-inputs -->
73
+ ## Required Inputs
74
+
75
+ - Scenario ledger: app type, platform, runtime, process model, target device class, user scenario,
76
+ baseline state, peak state, steady state, after-close state, and what user action should release
77
+ memory.
78
+ - Measurement ledger: working set, RSS, private bytes, dirty memory, live set after full collection,
79
+ heap snapshot, allocation sampling, detached DOM evidence, renderer memory, native handle count,
80
+ GPU texture memory, page faults, memory pressure event, or an explicit static-only boundary.
81
+ - UI residency ledger: list, table, tree, virtualized control, data model, visual tree, template,
82
+ row container recycling, offscreen view, hidden tab, hidden window, preview pane, WebView,
83
+ renderer process, iframe, DOM node, event listener, and teardown behavior.
84
+ - Data residency ledger: full file load, streaming parser, memory-mapped file, mapped window,
85
+ `madvise` or OS-discardable range, parsed row model, sort index, filter index, search index,
86
+ undo history, diff model, document snapshot, and after-close release point.
87
+ - Cache ledger: cache owner, cache item cost, total cost limit, count limit, eviction, weak or
88
+ discardable behavior, decoded image bytes, GPU texture size, parsed object cost, font or renderer
89
+ cache, and low-memory response.
90
+ - Runtime ledger: Electron `BrowserWindow`, preload and `require()` graph, WPF virtualization,
91
+ WPF visual tree, Qt `canFetchMore()` and `fetchMore()` or lazy model loading, .NET LOH,
92
+ `ArrayPool<T>`, GDI or USER
93
+ handles, JVM live set, Java string deduplication, Rust or C++ buffer capacity, struct padding,
94
+ and native resource ownership.
95
+ - Existing tests, profiler traces, telemetry, build outputs, package surfaces, synchronized docs or
96
+ templates, and configured command-intent evidence.
97
+
98
+ <!-- mustflow-section: preconditions -->
99
+ ## Preconditions
100
+
101
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
102
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
103
+ current scope.
104
+ - Required memory evidence is available from current files, diffs, docs, configured outputs,
105
+ user-provided evidence, or can be reported as missing without guessing.
106
+ - Treat Task Manager working set, Activity Monitor, RSS, and one-off heap-used snapshots as partial
107
+ evidence. Do not equate lower resident pages with lower owned memory without private, dirty, live
108
+ set, after-close, or retainer evidence.
109
+ - If the change touches privacy, security, payment, persistence, migrations, crash reporting,
110
+ telemetry, or data recovery, also use the narrower matching skill when its trigger is present.
111
+
112
+ <!-- mustflow-section: allowed-edits -->
113
+ ## Allowed Edits
114
+
115
+ - Add or tighten UI virtualization, data virtualization, container recycling, lazy model fetch,
116
+ renderer or window disposal, feature-entry module loading, image downsampling, cache cost limits,
117
+ discardable cache behavior, streaming or memory-mapped file access, mapped-range release hints,
118
+ low-memory handlers, after-close cleanup, undo compaction, object-shape flattening, string or
119
+ symbol tables, pooled-buffer scope, native handle release, and focused tests.
120
+ - Replace full UI object creation, full file reads, eager renderer creation, hidden window retention,
121
+ original-size bitmap retention, unbounded dictionaries, per-item visual templates, whole-document
122
+ undo snapshots, and long-lived large buffer capacity when the repository evidence supports it.
123
+ - Do not call working-set trimming APIs such as `EmptyWorkingSet` merely to make Task Manager look
124
+ better.
125
+ - Do not add a "clear cache" button as the primary memory policy when the app can release memory
126
+ automatically by scenario, pressure, close, or eviction.
127
+ - Do not trade correctness, user data recovery, undo semantics, accessibility, security, privacy,
128
+ crash diagnostics, or platform lifecycle safety for lower memory numbers.
129
+ - Do not start raw profilers, device tools, dashboards, browser sessions, app launches, or
130
+ platform-specific measurement workflows outside the configured command contract.
131
+
132
+ <!-- mustflow-section: procedure -->
133
+ ## Procedure
134
+
135
+ 1. Define scenario budgets before optimizing.
136
+ - Prefer scenario budgets such as first launch, empty document, open small file, open large file,
137
+ scroll many rows, preview many images, open many tabs, close all tabs, and idle after close.
138
+ - Track peak, steady-state, and after-close memory separately.
139
+ - If no budget exists, report the missing product memory contract instead of claiming complete
140
+ optimization from a small cleanup.
141
+ 2. Choose the right memory number.
142
+ - Distinguish working set or RSS from private committed memory, dirty pages, live heap after full
143
+ collection, mapped file pages, GPU resources, renderer processes, and native handles.
144
+ - Treat page faults and memory mapping as reasons resident memory may move without ownership
145
+ changing.
146
+ - Reject "working set went down" as proof when the change only forces paging and the next user
147
+ interaction faults pages back in.
148
+ 3. Separate UI virtualization from data virtualization.
149
+ - UI virtualization reduces visible containers and visual objects.
150
+ - Data virtualization reduces resident source rows, parsed objects, sort indexes, and filter
151
+ indexes.
152
+ - A million-row view that keeps a million parsed rows in memory is not fixed by virtualizing
153
+ only row controls.
154
+ 4. Virtualize lists, tables, and trees.
155
+ - Ensure large views create only visible containers plus a bounded buffer.
156
+ - Enable container recycling where the framework supports it.
157
+ - Avoid per-row buttons, text objects, checkboxes, handlers, and layout objects for offscreen
158
+ rows.
159
+ 5. Count expanded visual objects.
160
+ - In WPF, WinUI, Qt, JavaFX, WebView, or custom UI frameworks, inspect expanded templates and
161
+ repeated visual trees, not only component count.
162
+ - A single friendly-looking template multiplied by thousands of rows can create the real memory
163
+ footprint.
164
+ 6. Control Electron and WebView process count.
165
+ - Treat each `BrowserWindow`, WebView, iframe, preload script, and renderer as a memory owner.
166
+ - Prefer stateful navigation or view reuse only when it does not keep hidden DOM, JS heap, GPU
167
+ textures, and renderer caches alive.
168
+ - Destroy closed windows when fast reopen can be served by persisted state rather than a hidden
169
+ renderer.
170
+ 7. Defer desktop modules by journey.
171
+ - Do not load PDF engines, spell checkers, AI models, export libraries, ZIP libraries, markdown
172
+ renderers, plugin hosts, or full font and theme packs at app start when a feature entry can
173
+ load them.
174
+ - In Electron and Node-like runtimes, inspect preload and `require()` graphs for modules that
175
+ survive only because startup imported them.
176
+ 8. Decode media to displayed size.
177
+ - Judge images by decoded pixel bytes, not file size.
178
+ - Downsample large images for thumbnails, previews, chat cells, notes, and document sidebars.
179
+ - Bound decoded bitmap caches and GPU texture caches by cost, not only item count.
180
+ 9. Make caches discardable by cost.
181
+ - Store only rebuildable values in memory caches.
182
+ - Use byte, texture, DOM node, parsed-object, or renderer cost when deciding eviction.
183
+ - Prefer OS-discardable, weak, pressure-aware, or cost-limited caches where the platform supports
184
+ them, such as `NSCache` with `countLimit` and `totalCostLimit`.
185
+ - Avoid global `Map`, `Dictionary`, or static cache structures that never evict.
186
+ 10. Stream or map large files.
187
+ - Avoid full `readAll`, `read()`, `ReadAllBytes`, `json.load`, or equivalent APIs on growing
188
+ logs, CSVs, database dumps, binary files, and media.
189
+ - Prefer streaming, chunked parsing, paging, or memory-mapped files with bounded windows.
190
+ - For mapped files, remember that address-space visibility is not the same as resident physical
191
+ RAM.
192
+ 11. Release mapped or inactive ranges deliberately.
193
+ - Where supported, use OS hints such as `madvise`-style discard for ranges the app can reread.
194
+ - Keep this as a paging and residency tool, not as a substitute for shrinking live object graphs.
195
+ 12. Handle .NET large objects carefully.
196
+ - Treat arrays near or above the 85,000 byte LOH threshold as Gen 2 and fragmentation risks.
197
+ - Use `ArrayPool<T>` for short-lived buffers only when ownership is tight and return timing is
198
+ provable.
199
+ - Do not return pooled buffers while another async operation, native API, or consumer may still
200
+ use them.
201
+ 13. Keep native handles in the memory review.
202
+ - Track GDI, USER, bitmap, brush, font, pen, region, cursor, icon, file, socket, and OS handle
203
+ counts where applicable.
204
+ - Pair native create and destroy functions and test repeated open, draw, print, capture, tray,
205
+ and close paths.
206
+ 14. Find detached UI trees.
207
+ - For Electron, WebView, browser-based UI, and hybrid apps, inspect detached DOM nodes, event
208
+ listeners, console-retained objects, devtools artifacts, and JS references from stores,
209
+ callbacks, promises, and logs.
210
+ - Separate measurement artifacts from app leaks when DevTools or a console binding retains the
211
+ object.
212
+ 15. Shrink duplicate strings and symbols.
213
+ - Repeated JSON field names, log levels, file paths, status strings, tags, categories, and table
214
+ cell text can dominate live heap.
215
+ - Use enums, symbol ids, intern tables, shared dictionaries, or JVM string deduplication where
216
+ the runtime and workload justify it.
217
+ 16. Watch live set after cleanup.
218
+ - For JVM and similar runtimes, inspect live set after old or full collection across repeated
219
+ open, close, search, tab, and file workflows.
220
+ - A staircase increase after every close is a leak or retention problem even when current heap
221
+ use looks temporarily low.
222
+ 17. Shrink large buffer capacity explicitly.
223
+ - In Rust, C++, and similar runtimes, `clear()` usually preserves capacity.
224
+ - After one-time large operations, use an explicit shrink, replacement, or bounded reusable
225
+ buffer policy when retaining capacity hurts later scenarios.
226
+ 18. Reduce padding and pointer forests in bulk models.
227
+ - For millions of rows, render nodes, cells, or document spans, review struct field order,
228
+ alignment padding, object headers, boxed metadata, and pointer-heavy object graphs.
229
+ - Prefer columnar arrays, struct-of-arrays, shared style tables, integer ids, compact enums, and
230
+ pooled strings where the product model supports it.
231
+ 19. Store history as deltas.
232
+ - Avoid undo stacks made of full document snapshots.
233
+ - Prefer operation logs, field-level patches, tile diffs, rope or piece-table structures, and
234
+ bounded checkpoints when the product needs undo or diff.
235
+ 20. Degrade inactive views.
236
+ - When tabs, documents, previews, canvases, images, search results, WebViews, and GPU textures
237
+ become inactive, release or downgrade backing stores by tier.
238
+ - Keep enough state to restore the view, not necessarily the whole rendered surface.
239
+ 21. Make low-memory handling real.
240
+ - On memory pressure, release thumbnail caches, decoded images, inactive document caches,
241
+ hidden WebViews, search index caches, parsed previews, GPU textures, and large temporary
242
+ buffers in a defined order.
243
+ - Log or expose bounded reason and outcome evidence where the repository already has a safe
244
+ observability pattern.
245
+ 22. Prove after-close behavior.
246
+ - Repeat open, load, scroll, search, preview, close, reopen, and idle transitions.
247
+ - Prefer tests or probes that assert row container count, model page count, cache total cost,
248
+ native handle count, renderer count, hidden window count, pool checkout count, undo memory
249
+ budget, or after-close state.
250
+ - If heap snapshots, allocation sampling, JFR, dotnet counters, Instruments, Windows tools,
251
+ Chrome DevTools, or platform profilers are not configured intents, report them as manual-only
252
+ evidence gaps.
253
+
254
+ <!-- mustflow-section: postconditions -->
255
+ ## Postconditions
256
+
257
+ - Scenario budget, measurement metric, UI virtualization, data virtualization, visual tree count,
258
+ renderer or window count, module loading, decoded media, cache cost, mapped files, inactive
259
+ ranges, LOH or pooled buffers, native handles, detached UI trees, duplicate strings, live set,
260
+ buffer capacity, object graph shape, undo strategy, inactive views, low-memory handling, and
261
+ after-close behavior are explicit.
262
+ - Full UI object creation, UI-only virtualization, hidden renderer retention, eager feature modules,
263
+ original-size thumbnails, item-count-only caches, full file reads, mapped ranges held forever,
264
+ working-set trimming theater, unsafe pooled buffer return, GDI or USER handle leaks, detached DOM
265
+ retention, console measurement artifacts, duplicate strings, live-set staircases, cleared-but-huge
266
+ buffers, padded bulk structs, pointer-heavy row models, whole-document undo snapshots, inactive
267
+ tabs kept fully rendered, and no-op low-memory handlers are fixed or reported.
268
+ - Desktop memory claims are backed by configured tests, profiler or telemetry evidence,
269
+ static-review evidence, or labeled as manual-only or missing.
270
+
271
+ <!-- mustflow-section: verification -->
272
+ ## Verification
273
+
274
+ Use configured oneshot command intents when available:
275
+
276
+ - `changes_status`
277
+ - `changes_diff_summary`
278
+ - `lint`
279
+ - `build`
280
+ - `test_related`
281
+ - `test`
282
+ - `docs_validate_fast`
283
+ - `test_release`
284
+ - `mustflow_check`
285
+
286
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
287
+ changed desktop memory surface and synchronized template surfaces. Do not infer raw heap snapshots,
288
+ JFR, dotnet counters, Chrome DevTools, Windows Performance tools, Instruments, Activity Monitor,
289
+ Task Manager, app launchers, or platform profilers outside the command contract.
290
+
291
+ <!-- mustflow-section: failure-handling -->
292
+ ## Failure Handling
293
+
294
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and
295
+ the memory invariant it exercised before editing again.
296
+ - If the metric is only working set, RSS, or a single live heap value, report the evidence boundary
297
+ before claiming memory was reduced.
298
+ - If scenario budgets are missing, report that desktop memory fitness cannot be fully judged yet
299
+ instead of treating isolated GC, cache, or object-count changes as complete.
300
+ - If safe repair requires product changes to undo semantics, document recovery, renderer
301
+ architecture, plugin policy, native resource ownership, profiler setup, or OS-specific behavior
302
+ outside scope, report the boundary instead of inventing commands.
303
+ - If memory reduction conflicts with correctness, persistence, undo, accessibility, crash
304
+ diagnostics, privacy, security, or user trust, keep the safer behavior and report the tradeoff.
305
+
306
+ <!-- mustflow-section: output-format -->
307
+ ## Output Format
308
+
309
+ - Desktop memory footprint boundary reviewed
310
+ - Scenario budget, measurement metric, UI/data virtualization, renderer/window, module loading,
311
+ media, cache, file, runtime, native handle, UI retention, string, data model, history, inactive
312
+ view, memory-pressure, and after-close findings
313
+ - Desktop memory fixes made or recommended
314
+ - Evidence level: measured, configured-test evidence, static desktop-memory risk, manual-only,
315
+ missing, or not applicable
316
+ - Command intents run
317
+ - Skipped desktop memory diagnostics and reasons
318
+ - Remaining desktop memory footprint risk