mustflow 2.38.0 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +39 -15
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +388 -2
|
@@ -0,0 +1,318 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.desktop-background-process-stability-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: desktop-background-process-stability-review
|
|
9
|
+
description: Apply this skill when Windows services, macOS LaunchDaemon or LaunchAgent jobs, Linux systemd units, Electron main or utility processes, WebView helpers, tray apps, sync workers, local daemons, auto-start helpers, updaters, desktop background jobs, or cross-session desktop processes need stability review for crash recovery, durable checkpoints, single-instance and data-directory locks, OS supervisor configuration, restart backoff, health checks, heartbeats, leases, idempotent jobs, atomic file writes, shutdown and preshutdown handling, exit-code semantics, UI and worker process separation, service Session 0 isolation, launchd daemon versus agent choice, systemd restart limits, sleep/resume, monotonic time, IPC authorization, environment and working-directory determinism, least privilege, startup logging, crash reporting, update safety, lifecycle tests, and safe mode.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.desktop-background-process-stability-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Desktop Background Process Stability Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review desktop background processes as recoverable local systems, not immortal processes.
|
|
33
|
+
|
|
34
|
+
The review question is not "how do we keep this process alive forever?" It is "when this service,
|
|
35
|
+
agent, helper, worker, tray process, or sync daemon dies, restarts, races another instance, loses
|
|
36
|
+
network, resumes from sleep, or updates mid-job, what durable evidence prevents data loss,
|
|
37
|
+
duplicate side effects, privilege confusion, or silent stuck work?"
|
|
38
|
+
|
|
39
|
+
<!-- mustflow-section: use-when -->
|
|
40
|
+
## Use When
|
|
41
|
+
|
|
42
|
+
- Windows services, service helpers, SCM failure actions, preshutdown handlers, service SIDs,
|
|
43
|
+
Session 0 boundaries, scheduled tasks, tray apps, auto-start entries, or user-session helpers are
|
|
44
|
+
created, changed, reviewed, or reported.
|
|
45
|
+
- macOS LaunchDaemons, LaunchAgents, login items, app helpers, background items, agent versus daemon
|
|
46
|
+
placement, launchd restart behavior, per-user state, or fork/daemonize behavior is involved.
|
|
47
|
+
- Linux desktop services, systemd user units, system units, restart policies, start-rate limits,
|
|
48
|
+
working directories, sandboxing, or service environment are involved.
|
|
49
|
+
- Electron, Tauri, WebView, native desktop, .NET, JVM, Python, Rust, C++, Go, Node, or shell-backed
|
|
50
|
+
apps run main-process, utility-process, child-process, updater, sync, indexing, notification,
|
|
51
|
+
tray, plugin, or background work outside the visible UI lifecycle.
|
|
52
|
+
- Code touches durable checkpoints, local queues, job leases, single-instance locks, data-directory
|
|
53
|
+
locks, IPC, crash reporting, heartbeat records, sleep/resume handling, network reachability,
|
|
54
|
+
monotonic timers, atomic settings writes, exit codes, update drain, rollback, or safe mode.
|
|
55
|
+
|
|
56
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
57
|
+
## Do Not Use When
|
|
58
|
+
|
|
59
|
+
- The task is only installed app startup from process launch to first frame or fully usable state;
|
|
60
|
+
use `app-startup-performance-review`.
|
|
61
|
+
- The task is only memory residency, renderer count, hidden windows, decoded media, caches, or
|
|
62
|
+
after-close memory; use `desktop-memory-footprint-review`.
|
|
63
|
+
- The task is only queue acknowledgement, offsets, DLQ, prefetch, redelivery, or broker semantics;
|
|
64
|
+
use `queue-processing-integrity-review`.
|
|
65
|
+
- The task is only duplicate external requests or business-command replay; use
|
|
66
|
+
`idempotency-integrity-review`.
|
|
67
|
+
- The task is only generic failure handling that can make the system falsely report success; use
|
|
68
|
+
`failure-integrity-review`.
|
|
69
|
+
- The task is only backend or server deployment rollout, probes, canaries, or rollback; use
|
|
70
|
+
`deployment-rollout-safety-review`.
|
|
71
|
+
|
|
72
|
+
<!-- mustflow-section: required-inputs -->
|
|
73
|
+
## Required Inputs
|
|
74
|
+
|
|
75
|
+
- Process ledger: process role, platform, supervisor, user session, privilege level, data directory,
|
|
76
|
+
account or profile scope, autostart path, UI relationship, updater relationship, and shutdown
|
|
77
|
+
owner.
|
|
78
|
+
- Recovery ledger: durable checkpoint, last safe offset, job table, local queue, lease fields,
|
|
79
|
+
startup recovery flow, stale-lock cleanup, partial-write handling, and corruption response.
|
|
80
|
+
- Instance ledger: app single-instance lock, user-session lock, data-directory lock, account lock,
|
|
81
|
+
updater/helper lock, lock acquisition timing, stale lock detection, and cross-elevation or
|
|
82
|
+
cross-session behavior.
|
|
83
|
+
- Supervisor ledger: Windows SCM, scheduled task, launchd daemon or agent, systemd user or system
|
|
84
|
+
unit, restart policy, backoff, start-rate limit, manual stop behavior, safe mode trigger, and
|
|
85
|
+
environment or working-directory contract.
|
|
86
|
+
- Health ledger: PID check, event-loop progress, IPC response, database or file lock check, queue
|
|
87
|
+
progress, heartbeat fields, last progress time, current job id, processed offset, last success,
|
|
88
|
+
last error code, and stuck-work classification.
|
|
89
|
+
- Lifecycle ledger: normal stop, crash, kill, logout, shutdown, preshutdown, sleep, resume, network
|
|
90
|
+
loss, VPN change, disk full, permission loss, clock jump, antivirus file lock, update, rollback,
|
|
91
|
+
and first-start-after-update behavior.
|
|
92
|
+
- Security ledger: IPC ACL, local token, origin or caller verification, schema version, request size
|
|
93
|
+
limit, request timeout, least privilege, writable paths, service SID, sandboxing, secret storage,
|
|
94
|
+
and crash/log redaction.
|
|
95
|
+
- Existing tests, telemetry, crash reports, logs, package or installer surfaces, synchronized docs or
|
|
96
|
+
templates, and configured command-intent evidence.
|
|
97
|
+
|
|
98
|
+
<!-- mustflow-section: preconditions -->
|
|
99
|
+
## Preconditions
|
|
100
|
+
|
|
101
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
102
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
103
|
+
current scope.
|
|
104
|
+
- Required process, supervisor, recovery, and lifecycle evidence is available from current files,
|
|
105
|
+
diffs, docs, configured outputs, user-provided evidence, or can be reported as missing without
|
|
106
|
+
guessing.
|
|
107
|
+
- Treat OS documentation, installer manifests, service plist or unit files, registry entries,
|
|
108
|
+
autostart entries, and package scripts as contract surfaces when the change depends on them.
|
|
109
|
+
- If the change touches money, privacy, security, migrations, queue semantics, file corruption, or
|
|
110
|
+
cloud sync, also use the narrower matching skill when its trigger is present.
|
|
111
|
+
|
|
112
|
+
<!-- mustflow-section: allowed-edits -->
|
|
113
|
+
## Allowed Edits
|
|
114
|
+
|
|
115
|
+
- Add or tighten durable checkpoints, local job states, leases, startup recovery, stale-lock cleanup,
|
|
116
|
+
single-instance locks, data-directory locks, idempotency keys, atomic file writes, fsync/rename
|
|
117
|
+
write paths, exit-code classification, health probes, progress heartbeats, restart backoff,
|
|
118
|
+
safe-mode thresholds, lifecycle handlers, sleep/resume recovery, IPC authorization, explicit
|
|
119
|
+
environment setup, least-privilege configuration, early logging, crash reporter metadata, and
|
|
120
|
+
focused lifecycle tests.
|
|
121
|
+
- Separate UI process lifecycle from worker process lifecycle when the visible app, tray app,
|
|
122
|
+
renderer, helper, or worker currently owns unrelated shutdown or recovery behavior.
|
|
123
|
+
- Prefer OS supervisors such as Windows SCM, launchd, and systemd over hand-rolled infinite monitor
|
|
124
|
+
loops when the platform already owns restart and lifecycle policy.
|
|
125
|
+
- Do not add a watchdog, autostart entry, restart policy, or hidden process solely to hide crashes.
|
|
126
|
+
- Do not rely on shutdown hooks as the primary persistence path.
|
|
127
|
+
- Do not broaden privileges, writable paths, IPC trust, or background execution scope to make
|
|
128
|
+
recovery easier.
|
|
129
|
+
- Do not start raw services, background processes, profilers, OS lifecycle tests, login item changes,
|
|
130
|
+
installer changes, or system configuration outside the configured command contract.
|
|
131
|
+
|
|
132
|
+
<!-- mustflow-section: procedure -->
|
|
133
|
+
## Procedure
|
|
134
|
+
|
|
135
|
+
1. Define the process boundary.
|
|
136
|
+
- Name each background process, helper, renderer, service, agent, updater, tray app, and worker.
|
|
137
|
+
- Record the owner of data, UI, IPC, update, crash reporting, and shutdown for each role.
|
|
138
|
+
- Reject "the app is running" as a sufficient invariant when visible UI and background work have
|
|
139
|
+
different lifecycles.
|
|
140
|
+
2. Treat process death as normal.
|
|
141
|
+
- Identify what state is safe after crash, kill, logout, shutdown, update, or power loss.
|
|
142
|
+
- Move essential progress from memory-only state into durable checkpoints, local job records,
|
|
143
|
+
append-only logs, or recoverable files.
|
|
144
|
+
- Report any path whose only recovery story is "the process should not die."
|
|
145
|
+
3. Make startup recovery explicit.
|
|
146
|
+
- On process start, recover leased jobs, stale locks, partial files, local queues, pending sync
|
|
147
|
+
records, interrupted migrations, and previous crash metadata before accepting new work.
|
|
148
|
+
- Keep recovery bounded and observable; a restart that immediately re-enters the same corrupted
|
|
149
|
+
state is a crash loop, not resilience.
|
|
150
|
+
4. Separate process single-instance from resource ownership.
|
|
151
|
+
- Acquire app or process single-instance locks before opening databases, queues, files, IPC
|
|
152
|
+
sockets, network sessions, or updater resources.
|
|
153
|
+
- Also review locks by data directory, profile id, account id, device id, and privilege/session
|
|
154
|
+
boundary.
|
|
155
|
+
- Do not assume one desktop session, one elevation level, or one helper binary means one writer.
|
|
156
|
+
5. Model jobs with leases and terminal states.
|
|
157
|
+
- Prefer `pending`, `leased`, `done`, and `failed` or equivalent explicit states over one
|
|
158
|
+
"processing" boolean.
|
|
159
|
+
- Include `job_id`, `dedupe_key`, `attempt`, `lease_until`, `completed_at`, and failure reason
|
|
160
|
+
when repeated work or restart recovery can happen.
|
|
161
|
+
- Recover expired leases and keep in-flight side effects idempotent.
|
|
162
|
+
6. Make writes crash-safe.
|
|
163
|
+
- For settings, checkpoints, queues, indexes, tokens, and manifests, prefer write-temp,
|
|
164
|
+
flush, fsync, and atomic rename or the repository's equivalent safe-write helper.
|
|
165
|
+
- Ensure a crash leaves either the old version or the new version, not a half-written JSON, TOML,
|
|
166
|
+
database, index, or checkpoint.
|
|
167
|
+
7. Persist during normal operation.
|
|
168
|
+
- Treat shutdown hooks, preshutdown callbacks, signal handlers, and app quit events as best-effort
|
|
169
|
+
cleanup, not the only moment progress is saved.
|
|
170
|
+
- Keep long cleanup out of direct service control handlers unless the platform contract supports
|
|
171
|
+
reporting progress safely.
|
|
172
|
+
8. Use the OS supervisor deliberately.
|
|
173
|
+
- For Windows, review SCM failure actions, delayed auto-start, service SID, preshutdown, and
|
|
174
|
+
Session 0 isolation.
|
|
175
|
+
- For macOS, choose LaunchDaemon for system-wide work and LaunchAgent for per-user work, and do
|
|
176
|
+
not daemonize under launchd.
|
|
177
|
+
- For Linux, review systemd user versus system units, restart policy, start-rate limits, working
|
|
178
|
+
directory, environment, and sandboxing.
|
|
179
|
+
9. Add restart discipline.
|
|
180
|
+
- Automatic restart needs backoff, max attempts, failure classification, and safe mode.
|
|
181
|
+
- Preserve a user-intentional stop separately from crash recovery so scheduled restarts do not
|
|
182
|
+
surprise users after they explicitly stopped the background process.
|
|
183
|
+
- Detect crash loops and stop consuming CPU, battery, network, and trust.
|
|
184
|
+
10. Replace PID checks with progress checks.
|
|
185
|
+
- A live PID only proves a process exists.
|
|
186
|
+
- Prefer health that proves event-loop turns, IPC responses, local storage access, queue progress,
|
|
187
|
+
last successful sync, last progress time, and bounded latency.
|
|
188
|
+
- Separate alive, ready, progressing, degraded, and blocked states when the UI or supervisor uses
|
|
189
|
+
the result.
|
|
190
|
+
11. Make heartbeats useful.
|
|
191
|
+
- Heartbeats should include progress evidence, such as `last_progress_at`, `current_job_id`,
|
|
192
|
+
`processed_offset`, `last_successful_sync_at`, `last_error_code`, process start id, build
|
|
193
|
+
version, and attempt.
|
|
194
|
+
- Avoid `last_seen_at` alone when a tight loop, deadlock, or stuck queue can keep updating it.
|
|
195
|
+
12. Keep UI and background lifecycle separate.
|
|
196
|
+
- Closing a window, hiding a tray icon, renderer crash, UI reload, or WebView crash should not
|
|
197
|
+
silently kill durable background work unless that is the explicit product contract.
|
|
198
|
+
- A worker crash should be visible to the UI as degraded or recovering, not hidden behind stale
|
|
199
|
+
status text.
|
|
200
|
+
13. Respect desktop platform boundaries.
|
|
201
|
+
- Do not show UI directly from a Windows service running in Session 0; communicate with a
|
|
202
|
+
user-session process through authorized IPC.
|
|
203
|
+
- Do not put per-user macOS camera, clipboard, notification, home-directory, or UI-like work into
|
|
204
|
+
a system daemon when a LaunchAgent is the proper boundary.
|
|
205
|
+
- Do not solve network availability through boot ordering alone.
|
|
206
|
+
14. Treat sleep and resume as first-class failures.
|
|
207
|
+
- On resume, suspect sockets, DNS, VPN, file handles, timers, leases, auth sessions, and
|
|
208
|
+
reachability.
|
|
209
|
+
- Revalidate network and storage before resuming queued work.
|
|
210
|
+
- Keep stale in-memory timers from making lease or timeout decisions after a long sleep.
|
|
211
|
+
15. Use monotonic time for durations.
|
|
212
|
+
- Measure timeouts, lease intervals, heartbeat gaps, retry delay, and crash-loop windows with a
|
|
213
|
+
monotonic clock or equivalent elapsed-time source.
|
|
214
|
+
- Use wall-clock timestamps only for user-visible time and audit records that need calendar time.
|
|
215
|
+
16. Harden IPC.
|
|
216
|
+
- Treat localhost ports, named pipes, Unix sockets, custom protocols, shared memory, and
|
|
217
|
+
renderer-to-main messages as local attack surfaces.
|
|
218
|
+
- Add ACLs, caller tokens, origin checks, message schema versions, request size limits, per-request
|
|
219
|
+
timeouts, and safe error handling where applicable.
|
|
220
|
+
17. Make environment deterministic.
|
|
221
|
+
- Use absolute executable paths, explicit working directories, explicit data directories, and
|
|
222
|
+
bounded environment variables.
|
|
223
|
+
- Do not depend on a shell PATH, current directory, inherited locale, inherited HOME, or interactive
|
|
224
|
+
user environment unless the contract states that requirement.
|
|
225
|
+
18. Reduce privilege and write scope.
|
|
226
|
+
- Run background work with the least privilege that can do the job.
|
|
227
|
+
- Limit writable directories to data, logs, crash dumps, and update staging paths that are actually
|
|
228
|
+
needed.
|
|
229
|
+
- Keep elevated helpers small, IPC-gated, audited, and unable to execute arbitrary UI commands.
|
|
230
|
+
19. Capture earliest failure evidence.
|
|
231
|
+
- Initialize crash reporting and stdout or stderr capture before creating renderers, workers, IPC,
|
|
232
|
+
or long startup work.
|
|
233
|
+
- Include app version, channel, OS, architecture, process role, process start id, job id, safe
|
|
234
|
+
account hash, feature flags, exit reason, and supervisor restart reason when the repository has
|
|
235
|
+
safe observability patterns.
|
|
236
|
+
- Redact secrets, tokens, paths, raw account identifiers, and user content.
|
|
237
|
+
20. Make updates restart-safe.
|
|
238
|
+
- Before updating, drain or shorten leases, persist checkpoints, pause risky queue consumers, and
|
|
239
|
+
keep rollback or previous-version compatibility evidence.
|
|
240
|
+
- Make migrations and helper registration re-entrant.
|
|
241
|
+
- Do not delete the old executable, helper, service definition, or data compatibility path before
|
|
242
|
+
the new version proves healthy.
|
|
243
|
+
21. Add real lifecycle tests or explicit manual gaps.
|
|
244
|
+
- Prefer tests or probes for double start, stale lock, expired lease recovery, atomic write crash
|
|
245
|
+
boundary, IPC denial, user stop versus crash restart, sleep/resume handling, update interruption,
|
|
246
|
+
corrupted local file, disk full, permission denial, and safe-mode entry.
|
|
247
|
+
- If OS-level lifecycle tests are not configured intents, report them as manual-only evidence gaps.
|
|
248
|
+
22. Define safe mode.
|
|
249
|
+
- After repeated crashes or startup failures, disable risky plugins, queue consumption, sync loops,
|
|
250
|
+
GPU-heavy features, recent migrations, or aggressive background work.
|
|
251
|
+
- Keep enough diagnostics for repair, and avoid a crash loop that consumes CPU, battery, network,
|
|
252
|
+
or user trust.
|
|
253
|
+
|
|
254
|
+
<!-- mustflow-section: postconditions -->
|
|
255
|
+
## Postconditions
|
|
256
|
+
|
|
257
|
+
- Process roles, durable state, startup recovery, instance locks, supervisor policy, restart backoff,
|
|
258
|
+
health checks, progress heartbeats, job leases, atomic writes, shutdown behavior, exit-code
|
|
259
|
+
semantics, UI and worker lifecycle, platform boundaries, sleep/resume, monotonic time, IPC,
|
|
260
|
+
environment, privilege, logging, crash reporting, update safety, lifecycle tests, and safe mode are
|
|
261
|
+
explicit.
|
|
262
|
+
- Memory-only state, late single-instance locks, PID-only health checks, `last_seen_at`-only
|
|
263
|
+
heartbeats, one "processing" boolean, non-atomic local files, shutdown-only persistence, hand-rolled
|
|
264
|
+
monitor loops, unbounded restart loops, user-stop/restart confusion, service UI from Session 0,
|
|
265
|
+
daemon/agent mismatch, daemonizing under launchd, boot-order network assumptions, wall-clock lease
|
|
266
|
+
timers, trusted local IPC, inherited PATH or working directory dependence, overprivileged helpers,
|
|
267
|
+
missing early logs, uninitialized crash reporter gaps, one-shot migrations, and no-op safe mode are
|
|
268
|
+
fixed or reported.
|
|
269
|
+
- Desktop background stability claims are backed by configured tests, static-review evidence,
|
|
270
|
+
telemetry or crash evidence, or labeled as manual-only or missing.
|
|
271
|
+
|
|
272
|
+
<!-- mustflow-section: verification -->
|
|
273
|
+
## Verification
|
|
274
|
+
|
|
275
|
+
Use configured oneshot command intents when available:
|
|
276
|
+
|
|
277
|
+
- `changes_status`
|
|
278
|
+
- `changes_diff_summary`
|
|
279
|
+
- `lint`
|
|
280
|
+
- `build`
|
|
281
|
+
- `test_related`
|
|
282
|
+
- `test`
|
|
283
|
+
- `docs_validate_fast`
|
|
284
|
+
- `test_release`
|
|
285
|
+
- `mustflow_check`
|
|
286
|
+
|
|
287
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
|
|
288
|
+
changed process, supervisor, template, installer, IPC, file-write, queue, or lifecycle surface. Do
|
|
289
|
+
not infer raw service starts, launchd loads, systemd starts, installer changes, login item edits,
|
|
290
|
+
sleep/resume automation, crash reporter dashboards, or OS lifecycle harnesses outside the command
|
|
291
|
+
contract.
|
|
292
|
+
|
|
293
|
+
<!-- mustflow-section: failure-handling -->
|
|
294
|
+
## Failure Handling
|
|
295
|
+
|
|
296
|
+
- If a configured command fails, preserve the failing intent, failing assertion or output tail, and
|
|
297
|
+
the lifecycle invariant it exercised before editing again.
|
|
298
|
+
- If only static evidence is available, report that OS-supervisor, sleep/resume, update, and
|
|
299
|
+
crash-loop behavior still need manual or platform harness validation.
|
|
300
|
+
- If safe repair requires installer changes, service registration changes, updater design, privilege
|
|
301
|
+
changes, OS lifecycle harnesses, migration policy, or product decisions outside scope, report that
|
|
302
|
+
boundary instead of inventing commands.
|
|
303
|
+
- If process stability conflicts with data safety, user intent, security, privacy, least privilege,
|
|
304
|
+
update rollback, or battery life, keep the safer behavior and report the tradeoff.
|
|
305
|
+
|
|
306
|
+
<!-- mustflow-section: output-format -->
|
|
307
|
+
## Output Format
|
|
308
|
+
|
|
309
|
+
- Desktop background process stability boundary reviewed
|
|
310
|
+
- Process, recovery, instance-lock, supervisor, restart, health, heartbeat, lease, atomic-write,
|
|
311
|
+
shutdown, platform, power, time, IPC, environment, privilege, logging, crash, update, lifecycle-test,
|
|
312
|
+
and safe-mode findings
|
|
313
|
+
- Stability fixes made or recommended
|
|
314
|
+
- Evidence level: configured-test evidence, static desktop-process risk, telemetry/crash evidence,
|
|
315
|
+
manual-only, missing, or not applicable
|
|
316
|
+
- Command intents run
|
|
317
|
+
- Skipped desktop lifecycle diagnostics and reasons
|
|
318
|
+
- Remaining desktop background process stability risk
|
package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md
ADDED
|
@@ -0,0 +1,318 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.desktop-memory-footprint-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: desktop-memory-footprint-review
|
|
9
|
+
description: Apply this skill when Windows, macOS, Linux, Electron, WebView, WPF, WinUI, Win32, Qt, Java Swing or JavaFX, .NET, JVM, Rust, C++, Python, or other desktop app code needs memory-footprint review for working set versus private memory, RSS, dirty pages, live set, peak and after-close memory, UI and data virtualization, renderer and window count, module loading, image decode size, OS-discardable caches, memory-mapped files, `madvise`, `EmptyWorkingSet`, .NET LOH and `ArrayPool<T>`, WPF visual trees, GDI or USER handles, detached DOM nodes, hidden windows or tabs, string deduplication, large buffer capacity, struct padding, object graph shape, undo history, inactive views, low-memory signals, and scenario-level memory budgets.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.desktop-memory-footprint-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Desktop Memory Footprint Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review desktop app memory as a scenario-level footprint problem across UI objects, data residency,
|
|
33
|
+
native handles, renderer processes, decoded media, caches, mapped files, heap live sets, and
|
|
34
|
+
after-close cleanup.
|
|
35
|
+
|
|
36
|
+
The review question is not "can GC run more often?" It is "which screens, files, windows, renderers,
|
|
37
|
+
decoded assets, caches, handles, buffers, strings, and history entries remain resident, private,
|
|
38
|
+
dirty, or expensive after the user no longer needs them?"
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- Windows, macOS, Linux, Electron, WebView, WPF, WinUI, Win32, Qt, Java Swing, JavaFX, .NET, JVM,
|
|
44
|
+
Rust, C++, Python, or other desktop app code is created, changed, reviewed, or reported with
|
|
45
|
+
memory use, working set, RSS, private bytes, dirty memory, live set, heap growth, GPU memory,
|
|
46
|
+
native handles, renderer process, hidden window, tab, large file, image, cache, undo history, or
|
|
47
|
+
after-close memory risk.
|
|
48
|
+
- Code touches large lists, tables, trees, CSV or log viewers, binary viewers, image viewers, note
|
|
49
|
+
apps, chat apps, design tools, document editors, preview panes, hidden tabs, background windows,
|
|
50
|
+
file loading, memory maps, caches, pooled buffers, strings, object models, visual templates,
|
|
51
|
+
event listeners, WebViews, Electron `BrowserWindow`, preload scripts, `require()` graphs, native
|
|
52
|
+
GDI or USER objects, or low-memory handling.
|
|
53
|
+
- A final report claims a desktop path is memory optimized, leak-free, lightweight, safe for large
|
|
54
|
+
files, safe for long-running sessions, safe after closing tabs or windows, or validated by Task
|
|
55
|
+
Manager, Activity Monitor, Chrome DevTools, JFR, dotnet counters, heap snapshots, or platform
|
|
56
|
+
memory tools.
|
|
57
|
+
|
|
58
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
59
|
+
## Do Not Use When
|
|
60
|
+
|
|
61
|
+
- The task is only about retained-reference leaks, setup and cleanup symmetry, listeners, timers,
|
|
62
|
+
streams, workers, or native handle release ownership; use `memory-lifetime-review`.
|
|
63
|
+
- The task is only about generic hot-path latency, throughput, allocation churn, GC pressure, or
|
|
64
|
+
cost multipliers with no desktop app memory surface; use `performance-budget-check`.
|
|
65
|
+
- The task is only installed app startup from process launch to first frame or fully usable state;
|
|
66
|
+
use `app-startup-performance-review`.
|
|
67
|
+
- The task is only low-end or constrained-device policy across mobile or installed app capability
|
|
68
|
+
budgets; use `low-end-device-support-review`.
|
|
69
|
+
- The task is only browser page rendering, INP, DOM frame work, CSS layout, paint, or compositing;
|
|
70
|
+
use `frame-render-performance-review`.
|
|
71
|
+
|
|
72
|
+
<!-- mustflow-section: required-inputs -->
|
|
73
|
+
## Required Inputs
|
|
74
|
+
|
|
75
|
+
- Scenario ledger: app type, platform, runtime, process model, target device class, user scenario,
|
|
76
|
+
baseline state, peak state, steady state, after-close state, and what user action should release
|
|
77
|
+
memory.
|
|
78
|
+
- Measurement ledger: working set, RSS, private bytes, dirty memory, live set after full collection,
|
|
79
|
+
heap snapshot, allocation sampling, detached DOM evidence, renderer memory, native handle count,
|
|
80
|
+
GPU texture memory, page faults, memory pressure event, or an explicit static-only boundary.
|
|
81
|
+
- UI residency ledger: list, table, tree, virtualized control, data model, visual tree, template,
|
|
82
|
+
row container recycling, offscreen view, hidden tab, hidden window, preview pane, WebView,
|
|
83
|
+
renderer process, iframe, DOM node, event listener, and teardown behavior.
|
|
84
|
+
- Data residency ledger: full file load, streaming parser, memory-mapped file, mapped window,
|
|
85
|
+
`madvise` or OS-discardable range, parsed row model, sort index, filter index, search index,
|
|
86
|
+
undo history, diff model, document snapshot, and after-close release point.
|
|
87
|
+
- Cache ledger: cache owner, cache item cost, total cost limit, count limit, eviction, weak or
|
|
88
|
+
discardable behavior, decoded image bytes, GPU texture size, parsed object cost, font or renderer
|
|
89
|
+
cache, and low-memory response.
|
|
90
|
+
- Runtime ledger: Electron `BrowserWindow`, preload and `require()` graph, WPF virtualization,
|
|
91
|
+
WPF visual tree, Qt `canFetchMore()` and `fetchMore()` or lazy model loading, .NET LOH,
|
|
92
|
+
`ArrayPool<T>`, GDI or USER
|
|
93
|
+
handles, JVM live set, Java string deduplication, Rust or C++ buffer capacity, struct padding,
|
|
94
|
+
and native resource ownership.
|
|
95
|
+
- Existing tests, profiler traces, telemetry, build outputs, package surfaces, synchronized docs or
|
|
96
|
+
templates, and configured command-intent evidence.
|
|
97
|
+
|
|
98
|
+
<!-- mustflow-section: preconditions -->
|
|
99
|
+
## Preconditions
|
|
100
|
+
|
|
101
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
102
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
103
|
+
current scope.
|
|
104
|
+
- Required memory evidence is available from current files, diffs, docs, configured outputs,
|
|
105
|
+
user-provided evidence, or can be reported as missing without guessing.
|
|
106
|
+
- Treat Task Manager working set, Activity Monitor, RSS, and one-off heap-used snapshots as partial
|
|
107
|
+
evidence. Do not equate lower resident pages with lower owned memory without private, dirty, live
|
|
108
|
+
set, after-close, or retainer evidence.
|
|
109
|
+
- If the change touches privacy, security, payment, persistence, migrations, crash reporting,
|
|
110
|
+
telemetry, or data recovery, also use the narrower matching skill when its trigger is present.
|
|
111
|
+
|
|
112
|
+
<!-- mustflow-section: allowed-edits -->
|
|
113
|
+
## Allowed Edits
|
|
114
|
+
|
|
115
|
+
- Add or tighten UI virtualization, data virtualization, container recycling, lazy model fetch,
|
|
116
|
+
renderer or window disposal, feature-entry module loading, image downsampling, cache cost limits,
|
|
117
|
+
discardable cache behavior, streaming or memory-mapped file access, mapped-range release hints,
|
|
118
|
+
low-memory handlers, after-close cleanup, undo compaction, object-shape flattening, string or
|
|
119
|
+
symbol tables, pooled-buffer scope, native handle release, and focused tests.
|
|
120
|
+
- Replace full UI object creation, full file reads, eager renderer creation, hidden window retention,
|
|
121
|
+
original-size bitmap retention, unbounded dictionaries, per-item visual templates, whole-document
|
|
122
|
+
undo snapshots, and long-lived large buffer capacity when the repository evidence supports it.
|
|
123
|
+
- Do not call working-set trimming APIs such as `EmptyWorkingSet` merely to make Task Manager look
|
|
124
|
+
better.
|
|
125
|
+
- Do not add a "clear cache" button as the primary memory policy when the app can release memory
|
|
126
|
+
automatically by scenario, pressure, close, or eviction.
|
|
127
|
+
- Do not trade correctness, user data recovery, undo semantics, accessibility, security, privacy,
|
|
128
|
+
crash diagnostics, or platform lifecycle safety for lower memory numbers.
|
|
129
|
+
- Do not start raw profilers, device tools, dashboards, browser sessions, app launches, or
|
|
130
|
+
platform-specific measurement workflows outside the configured command contract.
|
|
131
|
+
|
|
132
|
+
<!-- mustflow-section: procedure -->
|
|
133
|
+
## Procedure
|
|
134
|
+
|
|
135
|
+
1. Define scenario budgets before optimizing.
|
|
136
|
+
- Prefer scenario budgets such as first launch, empty document, open small file, open large file,
|
|
137
|
+
scroll many rows, preview many images, open many tabs, close all tabs, and idle after close.
|
|
138
|
+
- Track peak, steady-state, and after-close memory separately.
|
|
139
|
+
- If no budget exists, report the missing product memory contract instead of claiming complete
|
|
140
|
+
optimization from a small cleanup.
|
|
141
|
+
2. Choose the right memory number.
|
|
142
|
+
- Distinguish working set or RSS from private committed memory, dirty pages, live heap after full
|
|
143
|
+
collection, mapped file pages, GPU resources, renderer processes, and native handles.
|
|
144
|
+
- Treat page faults and memory mapping as reasons resident memory may move without ownership
|
|
145
|
+
changing.
|
|
146
|
+
- Reject "working set went down" as proof when the change only forces paging and the next user
|
|
147
|
+
interaction faults pages back in.
|
|
148
|
+
3. Separate UI virtualization from data virtualization.
|
|
149
|
+
- UI virtualization reduces visible containers and visual objects.
|
|
150
|
+
- Data virtualization reduces resident source rows, parsed objects, sort indexes, and filter
|
|
151
|
+
indexes.
|
|
152
|
+
- A million-row view that keeps a million parsed rows in memory is not fixed by virtualizing
|
|
153
|
+
only row controls.
|
|
154
|
+
4. Virtualize lists, tables, and trees.
|
|
155
|
+
- Ensure large views create only visible containers plus a bounded buffer.
|
|
156
|
+
- Enable container recycling where the framework supports it.
|
|
157
|
+
- Avoid per-row buttons, text objects, checkboxes, handlers, and layout objects for offscreen
|
|
158
|
+
rows.
|
|
159
|
+
5. Count expanded visual objects.
|
|
160
|
+
- In WPF, WinUI, Qt, JavaFX, WebView, or custom UI frameworks, inspect expanded templates and
|
|
161
|
+
repeated visual trees, not only component count.
|
|
162
|
+
- A single friendly-looking template multiplied by thousands of rows can create the real memory
|
|
163
|
+
footprint.
|
|
164
|
+
6. Control Electron and WebView process count.
|
|
165
|
+
- Treat each `BrowserWindow`, WebView, iframe, preload script, and renderer as a memory owner.
|
|
166
|
+
- Prefer stateful navigation or view reuse only when it does not keep hidden DOM, JS heap, GPU
|
|
167
|
+
textures, and renderer caches alive.
|
|
168
|
+
- Destroy closed windows when fast reopen can be served by persisted state rather than a hidden
|
|
169
|
+
renderer.
|
|
170
|
+
7. Defer desktop modules by journey.
|
|
171
|
+
- Do not load PDF engines, spell checkers, AI models, export libraries, ZIP libraries, markdown
|
|
172
|
+
renderers, plugin hosts, or full font and theme packs at app start when a feature entry can
|
|
173
|
+
load them.
|
|
174
|
+
- In Electron and Node-like runtimes, inspect preload and `require()` graphs for modules that
|
|
175
|
+
survive only because startup imported them.
|
|
176
|
+
8. Decode media to displayed size.
|
|
177
|
+
- Judge images by decoded pixel bytes, not file size.
|
|
178
|
+
- Downsample large images for thumbnails, previews, chat cells, notes, and document sidebars.
|
|
179
|
+
- Bound decoded bitmap caches and GPU texture caches by cost, not only item count.
|
|
180
|
+
9. Make caches discardable by cost.
|
|
181
|
+
- Store only rebuildable values in memory caches.
|
|
182
|
+
- Use byte, texture, DOM node, parsed-object, or renderer cost when deciding eviction.
|
|
183
|
+
- Prefer OS-discardable, weak, pressure-aware, or cost-limited caches where the platform supports
|
|
184
|
+
them, such as `NSCache` with `countLimit` and `totalCostLimit`.
|
|
185
|
+
- Avoid global `Map`, `Dictionary`, or static cache structures that never evict.
|
|
186
|
+
10. Stream or map large files.
|
|
187
|
+
- Avoid full `readAll`, `read()`, `ReadAllBytes`, `json.load`, or equivalent APIs on growing
|
|
188
|
+
logs, CSVs, database dumps, binary files, and media.
|
|
189
|
+
- Prefer streaming, chunked parsing, paging, or memory-mapped files with bounded windows.
|
|
190
|
+
- For mapped files, remember that address-space visibility is not the same as resident physical
|
|
191
|
+
RAM.
|
|
192
|
+
11. Release mapped or inactive ranges deliberately.
|
|
193
|
+
- Where supported, use OS hints such as `madvise`-style discard for ranges the app can reread.
|
|
194
|
+
- Keep this as a paging and residency tool, not as a substitute for shrinking live object graphs.
|
|
195
|
+
12. Handle .NET large objects carefully.
|
|
196
|
+
- Treat arrays near or above the 85,000 byte LOH threshold as Gen 2 and fragmentation risks.
|
|
197
|
+
- Use `ArrayPool<T>` for short-lived buffers only when ownership is tight and return timing is
|
|
198
|
+
provable.
|
|
199
|
+
- Do not return pooled buffers while another async operation, native API, or consumer may still
|
|
200
|
+
use them.
|
|
201
|
+
13. Keep native handles in the memory review.
|
|
202
|
+
- Track GDI, USER, bitmap, brush, font, pen, region, cursor, icon, file, socket, and OS handle
|
|
203
|
+
counts where applicable.
|
|
204
|
+
- Pair native create and destroy functions and test repeated open, draw, print, capture, tray,
|
|
205
|
+
and close paths.
|
|
206
|
+
14. Find detached UI trees.
|
|
207
|
+
- For Electron, WebView, browser-based UI, and hybrid apps, inspect detached DOM nodes, event
|
|
208
|
+
listeners, console-retained objects, devtools artifacts, and JS references from stores,
|
|
209
|
+
callbacks, promises, and logs.
|
|
210
|
+
- Separate measurement artifacts from app leaks when DevTools or a console binding retains the
|
|
211
|
+
object.
|
|
212
|
+
15. Shrink duplicate strings and symbols.
|
|
213
|
+
- Repeated JSON field names, log levels, file paths, status strings, tags, categories, and table
|
|
214
|
+
cell text can dominate live heap.
|
|
215
|
+
- Use enums, symbol ids, intern tables, shared dictionaries, or JVM string deduplication where
|
|
216
|
+
the runtime and workload justify it.
|
|
217
|
+
16. Watch live set after cleanup.
|
|
218
|
+
- For JVM and similar runtimes, inspect live set after old or full collection across repeated
|
|
219
|
+
open, close, search, tab, and file workflows.
|
|
220
|
+
- A staircase increase after every close is a leak or retention problem even when current heap
|
|
221
|
+
use looks temporarily low.
|
|
222
|
+
17. Shrink large buffer capacity explicitly.
|
|
223
|
+
- In Rust, C++, and similar runtimes, `clear()` usually preserves capacity.
|
|
224
|
+
- After one-time large operations, use an explicit shrink, replacement, or bounded reusable
|
|
225
|
+
buffer policy when retaining capacity hurts later scenarios.
|
|
226
|
+
18. Reduce padding and pointer forests in bulk models.
|
|
227
|
+
- For millions of rows, render nodes, cells, or document spans, review struct field order,
|
|
228
|
+
alignment padding, object headers, boxed metadata, and pointer-heavy object graphs.
|
|
229
|
+
- Prefer columnar arrays, struct-of-arrays, shared style tables, integer ids, compact enums, and
|
|
230
|
+
pooled strings where the product model supports it.
|
|
231
|
+
19. Store history as deltas.
|
|
232
|
+
- Avoid undo stacks made of full document snapshots.
|
|
233
|
+
- Prefer operation logs, field-level patches, tile diffs, rope or piece-table structures, and
|
|
234
|
+
bounded checkpoints when the product needs undo or diff.
|
|
235
|
+
20. Degrade inactive views.
|
|
236
|
+
- When tabs, documents, previews, canvases, images, search results, WebViews, and GPU textures
|
|
237
|
+
become inactive, release or downgrade backing stores by tier.
|
|
238
|
+
- Keep enough state to restore the view, not necessarily the whole rendered surface.
|
|
239
|
+
21. Make low-memory handling real.
|
|
240
|
+
- On memory pressure, release thumbnail caches, decoded images, inactive document caches,
|
|
241
|
+
hidden WebViews, search index caches, parsed previews, GPU textures, and large temporary
|
|
242
|
+
buffers in a defined order.
|
|
243
|
+
- Log or expose bounded reason and outcome evidence where the repository already has a safe
|
|
244
|
+
observability pattern.
|
|
245
|
+
22. Prove after-close behavior.
|
|
246
|
+
- Repeat open, load, scroll, search, preview, close, reopen, and idle transitions.
|
|
247
|
+
- Prefer tests or probes that assert row container count, model page count, cache total cost,
|
|
248
|
+
native handle count, renderer count, hidden window count, pool checkout count, undo memory
|
|
249
|
+
budget, or after-close state.
|
|
250
|
+
- If heap snapshots, allocation sampling, JFR, dotnet counters, Instruments, Windows tools,
|
|
251
|
+
Chrome DevTools, or platform profilers are not configured intents, report them as manual-only
|
|
252
|
+
evidence gaps.
|
|
253
|
+
|
|
254
|
+
<!-- mustflow-section: postconditions -->
|
|
255
|
+
## Postconditions
|
|
256
|
+
|
|
257
|
+
- Scenario budget, measurement metric, UI virtualization, data virtualization, visual tree count,
|
|
258
|
+
renderer or window count, module loading, decoded media, cache cost, mapped files, inactive
|
|
259
|
+
ranges, LOH or pooled buffers, native handles, detached UI trees, duplicate strings, live set,
|
|
260
|
+
buffer capacity, object graph shape, undo strategy, inactive views, low-memory handling, and
|
|
261
|
+
after-close behavior are explicit.
|
|
262
|
+
- Full UI object creation, UI-only virtualization, hidden renderer retention, eager feature modules,
|
|
263
|
+
original-size thumbnails, item-count-only caches, full file reads, mapped ranges held forever,
|
|
264
|
+
working-set trimming theater, unsafe pooled buffer return, GDI or USER handle leaks, detached DOM
|
|
265
|
+
retention, console measurement artifacts, duplicate strings, live-set staircases, cleared-but-huge
|
|
266
|
+
buffers, padded bulk structs, pointer-heavy row models, whole-document undo snapshots, inactive
|
|
267
|
+
tabs kept fully rendered, and no-op low-memory handlers are fixed or reported.
|
|
268
|
+
- Desktop memory claims are backed by configured tests, profiler or telemetry evidence,
|
|
269
|
+
static-review evidence, or labeled as manual-only or missing.
|
|
270
|
+
|
|
271
|
+
<!-- mustflow-section: verification -->
|
|
272
|
+
## Verification
|
|
273
|
+
|
|
274
|
+
Use configured oneshot command intents when available:
|
|
275
|
+
|
|
276
|
+
- `changes_status`
|
|
277
|
+
- `changes_diff_summary`
|
|
278
|
+
- `lint`
|
|
279
|
+
- `build`
|
|
280
|
+
- `test_related`
|
|
281
|
+
- `test`
|
|
282
|
+
- `docs_validate_fast`
|
|
283
|
+
- `test_release`
|
|
284
|
+
- `mustflow_check`
|
|
285
|
+
|
|
286
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
|
|
287
|
+
changed desktop memory surface and synchronized template surfaces. Do not infer raw heap snapshots,
|
|
288
|
+
JFR, dotnet counters, Chrome DevTools, Windows Performance tools, Instruments, Activity Monitor,
|
|
289
|
+
Task Manager, app launchers, or platform profilers outside the command contract.
|
|
290
|
+
|
|
291
|
+
<!-- mustflow-section: failure-handling -->
|
|
292
|
+
## Failure Handling
|
|
293
|
+
|
|
294
|
+
- If a configured command fails, preserve the failing intent, failing assertion or output tail, and
|
|
295
|
+
the memory invariant it exercised before editing again.
|
|
296
|
+
- If the metric is only working set, RSS, or a single live heap value, report the evidence boundary
|
|
297
|
+
before claiming memory was reduced.
|
|
298
|
+
- If scenario budgets are missing, report that desktop memory fitness cannot be fully judged yet
|
|
299
|
+
instead of treating isolated GC, cache, or object-count changes as complete.
|
|
300
|
+
- If safe repair requires product changes to undo semantics, document recovery, renderer
|
|
301
|
+
architecture, plugin policy, native resource ownership, profiler setup, or OS-specific behavior
|
|
302
|
+
outside scope, report the boundary instead of inventing commands.
|
|
303
|
+
- If memory reduction conflicts with correctness, persistence, undo, accessibility, crash
|
|
304
|
+
diagnostics, privacy, security, or user trust, keep the safer behavior and report the tradeoff.
|
|
305
|
+
|
|
306
|
+
<!-- mustflow-section: output-format -->
|
|
307
|
+
## Output Format
|
|
308
|
+
|
|
309
|
+
- Desktop memory footprint boundary reviewed
|
|
310
|
+
- Scenario budget, measurement metric, UI/data virtualization, renderer/window, module loading,
|
|
311
|
+
media, cache, file, runtime, native handle, UI retention, string, data model, history, inactive
|
|
312
|
+
view, memory-pressure, and after-close findings
|
|
313
|
+
- Desktop memory fixes made or recommended
|
|
314
|
+
- Evidence level: measured, configured-test evidence, static desktop-memory risk, manual-only,
|
|
315
|
+
missing, or not applicable
|
|
316
|
+
- Command intents run
|
|
317
|
+
- Skipped desktop memory diagnostics and reasons
|
|
318
|
+
- Remaining desktop memory footprint risk
|