mustflow 2.38.0 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +39 -15
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +388 -2
|
@@ -0,0 +1,283 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.error-message-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: error-message-integrity-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and error messages, error codes, validation errors, parse errors, API or CLI error envelopes, public user-facing errors, logs, structured diagnostics, exception wrapping, provider errors, retryability, idempotency errors, queue or batch failures, partial failures, permission errors, conflict errors, impossible-state errors, security redaction, support-facing IDs, monitoring fields, or troubleshooting text need review for actionability, recoverability, observability, stable contracts, and safe disclosure.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.error-message-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# Error Message Integrity Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review error messages as recovery and evidence contracts, not as friendly prose.
|
|
34
|
+
|
|
35
|
+
The review question is not "does this sound nice?" It is "when this fails, can the user, caller,
|
|
36
|
+
operator, support person, monitoring rule, or future developer know what action failed, why it was
|
|
37
|
+
rejected, what was expected, what actually happened, whether retry is safe, where to look, and what
|
|
38
|
+
must not be leaked?"
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- Code review, implementation, or refactor work touches error text, error codes, exception classes,
|
|
44
|
+
validation messages, parse errors, API error envelopes, CLI errors, queue or batch job errors,
|
|
45
|
+
webhook failures, provider errors, retry behavior, idempotency errors, conflict errors, logs,
|
|
46
|
+
structured diagnostics, support codes, user-facing messages, docs examples, or tests that assert
|
|
47
|
+
failure output.
|
|
48
|
+
- A change adds or modifies `throw`, `catch`, error wrapping, logging, redaction, public error
|
|
49
|
+
mapping, provider response mapping, status codes, retry flags, error-code enums, validation
|
|
50
|
+
aggregation, or troubleshooting guidance.
|
|
51
|
+
- A review needs to decide whether to use `failure-integrity-review`, `security-privacy-review`,
|
|
52
|
+
`api-contract-change`, `cli-output-contract-review`, `result-option`, `test-design-guard`,
|
|
53
|
+
`business-rule-leakage-review`, or `backend-reliability-change`.
|
|
54
|
+
|
|
55
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
56
|
+
## Do Not Use When
|
|
57
|
+
|
|
58
|
+
- The main issue is whether failure leaves false success or partial state; use
|
|
59
|
+
`failure-integrity-review` first.
|
|
60
|
+
- The main issue is API schema, status, or response compatibility; use `api-contract-change` first
|
|
61
|
+
and this skill for the error content contract.
|
|
62
|
+
- The main issue is CLI stdout/stderr, exit code, JSON, JSONL, help text, or automation output; use
|
|
63
|
+
`cli-output-contract-review` first and this skill for error content quality.
|
|
64
|
+
- The main issue is secret, personal data, or disclosure risk with no changed error surface; use
|
|
65
|
+
`security-privacy-review`.
|
|
66
|
+
- The change only adjusts private debug wording that is not emitted, logged, tested, documented, or
|
|
67
|
+
consumed by humans or automation.
|
|
68
|
+
|
|
69
|
+
<!-- mustflow-section: required-inputs -->
|
|
70
|
+
## Required Inputs
|
|
71
|
+
|
|
72
|
+
- User goal, current diff or target files, and every changed error surface.
|
|
73
|
+
- Error audience ledger: end user, API caller, CLI user, support agent, operator, queue worker,
|
|
74
|
+
dashboard, monitoring rule, developer log, provider dashboard, or test fixture.
|
|
75
|
+
- Error contract ledger: stable code, message, HTTP status or exit code, machine fields, retryable
|
|
76
|
+
flag, cause, support ID, request ID, correlation ID, provider code, and documentation link.
|
|
77
|
+
- Disclosure ledger: public versus internal message, safe identifiers, sensitive values, masking,
|
|
78
|
+
raw provider payloads, stack traces, SQL, environment values, tokens, personal data, and secrets.
|
|
79
|
+
- Recovery ledger: expected value, actual value, failed operation, reason, next action, retry policy,
|
|
80
|
+
idempotency state, partial failure state, and escalation path.
|
|
81
|
+
- Relevant command-intent contract entries for tests, lint, build, docs, release, and mustflow checks.
|
|
82
|
+
|
|
83
|
+
<!-- mustflow-section: preconditions -->
|
|
84
|
+
## Preconditions
|
|
85
|
+
|
|
86
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
87
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
88
|
+
current scope.
|
|
89
|
+
- Required inputs are available, or missing audience, contract, disclosure, or recovery evidence can
|
|
90
|
+
be reported without guessing.
|
|
91
|
+
- If the review finds concrete false-success, security, API, CLI, result-type, backend reliability,
|
|
92
|
+
or business-rule risk, use the narrower skill before editing that part.
|
|
93
|
+
|
|
94
|
+
<!-- mustflow-section: allowed-edits -->
|
|
95
|
+
## Allowed Edits
|
|
96
|
+
|
|
97
|
+
- Add or tighten stable error codes, expected and actual fields, failed-operation context, reason,
|
|
98
|
+
safe identifiers, retryability, idempotency metadata, provider metadata, parse position, range
|
|
99
|
+
details, conflict details, partial-failure summaries, structured log fields, public/internal error
|
|
100
|
+
mapping, and focused tests.
|
|
101
|
+
- Preserve causes while redacting public responses and unsafe logs.
|
|
102
|
+
- Split public user messages from internal diagnostic messages when one string cannot safely serve
|
|
103
|
+
both audiences.
|
|
104
|
+
- Update docs, fixtures, API examples, CLI tests, support text, or dashboards that depend on the
|
|
105
|
+
same error contract.
|
|
106
|
+
- Do not add raw secrets, personal data, full provider payloads, stack traces, SQL, environment
|
|
107
|
+
values, internal hostnames, hidden reasoning, or exploit hints to public or broadly retained
|
|
108
|
+
messages.
|
|
109
|
+
|
|
110
|
+
<!-- mustflow-section: procedure -->
|
|
111
|
+
## Procedure
|
|
112
|
+
|
|
113
|
+
1. Reject empty failure labels.
|
|
114
|
+
- Messages like `"failed"`, `"invalid value"`, `"bad request"`, `"upload failed"`, and
|
|
115
|
+
`"something went wrong"` are usually evidence-free.
|
|
116
|
+
- Name the failed operation, the reason, and the condition that would have succeeded.
|
|
117
|
+
2. Require `expected` and `actual` when a value is rejected.
|
|
118
|
+
- Prefer "expected status to be one of [draft, published], got archived" over "invalid status".
|
|
119
|
+
- Use machine fields as well as readable text when the output has structured form.
|
|
120
|
+
3. Put the failed action in the message.
|
|
121
|
+
- "user not found" is weaker than "cannot create invoice because user 123 was not found".
|
|
122
|
+
- Include operation context such as invoice creation, webhook parsing, migration application, or
|
|
123
|
+
provider synchronization.
|
|
124
|
+
4. Explain cause, not only result.
|
|
125
|
+
- "upload rejected because file size 28MB exceeds limit 20MB" is actionable.
|
|
126
|
+
- "upload failed" repeats what the caller already knows.
|
|
127
|
+
5. Add human-readable work context.
|
|
128
|
+
- Prefer context such as "while syncing Stripe customer", "while parsing webhook payload", or
|
|
129
|
+
"while applying migration 202406_add_plan_id".
|
|
130
|
+
- Function names alone rarely explain the failed business or operational action.
|
|
131
|
+
6. Split public and internal messages.
|
|
132
|
+
- Public messages should be safe and user-actionable.
|
|
133
|
+
- Internal logs should keep diagnostic fields such as provider, providerCode, status, requestId,
|
|
134
|
+
operation, attempt, duration, and cause.
|
|
135
|
+
7. Redact sensitive values.
|
|
136
|
+
- Treat email, phone, token, session, card, address, personal identifiers, request bodies, SQL,
|
|
137
|
+
secrets, and credentials as unsafe unless a narrow redaction policy says otherwise.
|
|
138
|
+
- Mask, hash, truncate, or omit values according to the local privacy rule.
|
|
139
|
+
8. Keep safe identifiers.
|
|
140
|
+
- Removing sensitive data does not mean removing all evidence.
|
|
141
|
+
- Preserve safe identifiers such as userId, orderId, requestId, jobId, tenantId, provider,
|
|
142
|
+
providerRequestId, fileId, and operation name when useful.
|
|
143
|
+
9. Expose retryability deliberately.
|
|
144
|
+
- A timeout can be retryable; validation failure usually is not.
|
|
145
|
+
- Queue, batch, webhook, payment, provider, and external API errors should expose retryable,
|
|
146
|
+
attempt, maxAttempts, nextRunAt, or deadLetter state when relevant.
|
|
147
|
+
10. Stop abusing "try again later".
|
|
148
|
+
- If the user can fix input, say what to fix.
|
|
149
|
+
- If the user cannot fix it, provide a safe request or support ID and make sure internal logs can
|
|
150
|
+
find the failure.
|
|
151
|
+
11. Separate stable error codes from messages.
|
|
152
|
+
- Messages may change; codes should remain stable for search, docs, support macros, monitoring,
|
|
153
|
+
API clients, dashboards, and tests.
|
|
154
|
+
- Prefer domain codes such as `PAYMENT_CARD_DECLINED`, `USER_EMAIL_ALREADY_EXISTS`, and
|
|
155
|
+
`WEBHOOK_SIGNATURE_INVALID` over only `BAD_REQUEST` or `INTERNAL_ERROR`.
|
|
156
|
+
12. Avoid overbroad error code buckets.
|
|
157
|
+
- HTTP status and CLI exit code categories are not enough.
|
|
158
|
+
- A domain error code should name the actual failure class.
|
|
159
|
+
13. Choose validation aggregation intentionally.
|
|
160
|
+
- Form validation can report multiple field errors at once.
|
|
161
|
+
- Authentication, authorization, account discovery, and security-sensitive validation may need
|
|
162
|
+
intentionally vague or single-error output to avoid giving attackers hints.
|
|
163
|
+
14. Put location in parse errors.
|
|
164
|
+
- JSON, CSV, SQL, regex, config, markdown, and template parse errors should include line,
|
|
165
|
+
column, byte offset, field path, or nearby token when safe.
|
|
166
|
+
- "parse failed" is not enough for recovery.
|
|
167
|
+
15. Put bounds in range errors.
|
|
168
|
+
- Include current value and allowed range: "max 100 items allowed, got 143".
|
|
169
|
+
- For durations, sizes, counts, quotas, price limits, and attempts, include units.
|
|
170
|
+
16. Include time basis in time errors.
|
|
171
|
+
- "expired" is too thin.
|
|
172
|
+
- Include relevant timestamps, timezone or UTC basis, server time, and clock-skew context when
|
|
173
|
+
safe and useful.
|
|
174
|
+
17. Preserve provider diagnostics in structured form.
|
|
175
|
+
- Wrap external errors into local domain errors without losing provider, providerCode, status,
|
|
176
|
+
requestId, retryability, and sanitized response category.
|
|
177
|
+
- Do not dump raw provider payloads into public responses or broad logs.
|
|
178
|
+
18. Preserve original causes.
|
|
179
|
+
- `catch (e) { throw new Error("failed") }` destroys evidence.
|
|
180
|
+
- Link causes, suppressed errors, or structured cause fields so stack, category, and provider
|
|
181
|
+
context survive safely.
|
|
182
|
+
19. Control template string composition.
|
|
183
|
+
- Ad hoc `"Invalid " + field + " for " + thing` messages often become unsearchable, broken, or
|
|
184
|
+
inconsistent.
|
|
185
|
+
- Prefer named error constructors, controlled templates, and structured fields.
|
|
186
|
+
20. Structure logs for machines.
|
|
187
|
+
- Keep human text, but put `error_code`, `user_id`, `order_id`, `tenant_id`, `provider`,
|
|
188
|
+
`retryable`, `attempt`, `duration_ms`, and `request_id` in fields.
|
|
189
|
+
- Do not make operations parse prose with regular expressions.
|
|
190
|
+
21. Keep user messages free of internal jargon.
|
|
191
|
+
- Users usually do not need to see internal system names, buckets, regions, class names, or
|
|
192
|
+
provider implementation details.
|
|
193
|
+
- Internal logs may need those details after redaction.
|
|
194
|
+
22. Make permission errors intentionally safe.
|
|
195
|
+
- Sometimes "not found" is safer than "forbidden" because it avoids confirming resource
|
|
196
|
+
existence.
|
|
197
|
+
- Decide disclosure policy for authentication, authorization, ownership, tenant, and account
|
|
198
|
+
discovery errors.
|
|
199
|
+
23. Ban vague impossible-state text.
|
|
200
|
+
- "this should never happen" does not help.
|
|
201
|
+
- Name the broken invariant: "expected exactly one active subscription for user 123, found 2".
|
|
202
|
+
24. Name concurrency conflict facts.
|
|
203
|
+
- "conflict" is weak.
|
|
204
|
+
- Include version, idempotency key, lock owner, reservation id, stock unit, or expected/current
|
|
205
|
+
state when safe: "version conflict: expected document version 17, got 19".
|
|
206
|
+
25. Include idempotency history.
|
|
207
|
+
- "duplicate request" is not enough in payment and order flows.
|
|
208
|
+
- Include key, prior operation, prior resource, and prior status when safe.
|
|
209
|
+
26. Put attempts in job and queue errors.
|
|
210
|
+
- "job failed on attempt 3 of 5; next retry at ..." tells operators whether to wait or act.
|
|
211
|
+
- Include dead-letter state when the job will not retry.
|
|
212
|
+
27. Represent partial failure honestly.
|
|
213
|
+
- For bulk work, say how many succeeded and failed.
|
|
214
|
+
- Include failed item identifiers when safe, or a retrievable failure report id.
|
|
215
|
+
28. Test error contracts.
|
|
216
|
+
- Avoid over-snapshotting prose, but test stable error codes, expected and actual fields,
|
|
217
|
+
retryable, redaction, parse location, provider metadata, and support IDs where consumers rely
|
|
218
|
+
on them.
|
|
219
|
+
29. Ask the 30-second action question.
|
|
220
|
+
- What can the receiver do in the next 30 seconds?
|
|
221
|
+
- Fix input, request permission, retry, wait, inspect request ID, search provider dashboard,
|
|
222
|
+
send support code, or stop and escalate should be clear.
|
|
223
|
+
30. Check architecture ownership.
|
|
224
|
+
- Error quality depends on error type, code taxonomy, public/internal mapping, logging fields,
|
|
225
|
+
redaction, retry policy, docs, monitoring, and tests.
|
|
226
|
+
- If every call site invents messages, add or recommend a shared error boundary instead of
|
|
227
|
+
polishing one string.
|
|
228
|
+
|
|
229
|
+
<!-- mustflow-section: postconditions -->
|
|
230
|
+
## Postconditions
|
|
231
|
+
|
|
232
|
+
- The failed operation, reason, expected value, actual value, and next safe action are explicit when
|
|
233
|
+
they can be safely disclosed.
|
|
234
|
+
- Public and internal error surfaces are separated where disclosure or debugging needs differ.
|
|
235
|
+
- Stable error codes and machine fields exist for consumers that need search, monitoring, support,
|
|
236
|
+
API handling, CLI automation, dashboards, or documentation.
|
|
237
|
+
- Sensitive values are redacted while safe identifiers and correlation fields remain available.
|
|
238
|
+
- Causes, retryability, idempotency, provider details, parse location, range bounds, time basis,
|
|
239
|
+
conflict facts, attempts, and partial failure state are preserved where relevant.
|
|
240
|
+
|
|
241
|
+
<!-- mustflow-section: verification -->
|
|
242
|
+
## Verification
|
|
243
|
+
|
|
244
|
+
Use configured oneshot command intents when available:
|
|
245
|
+
|
|
246
|
+
- `changes_status`
|
|
247
|
+
- `changes_diff_summary`
|
|
248
|
+
- `lint`
|
|
249
|
+
- `build`
|
|
250
|
+
- `test_related`
|
|
251
|
+
- `test`
|
|
252
|
+
- `test_audit`
|
|
253
|
+
- `docs_validate_fast`
|
|
254
|
+
- `test_release`
|
|
255
|
+
- `mustflow_check`
|
|
256
|
+
|
|
257
|
+
Prefer tests that assert stable codes, structured fields, redaction, retryability, cause preservation,
|
|
258
|
+
and contract shape instead of full prose snapshots unless the repository already treats prose as a
|
|
259
|
+
public contract.
|
|
260
|
+
|
|
261
|
+
<!-- mustflow-section: failure-handling -->
|
|
262
|
+
## Failure Handling
|
|
263
|
+
|
|
264
|
+
- If the audience, disclosure policy, retry policy, or code taxonomy is unknown, report the missing
|
|
265
|
+
contract rather than inventing one silently.
|
|
266
|
+
- If improving the message would expose sensitive data, choose safe identifiers and internal
|
|
267
|
+
diagnostics instead.
|
|
268
|
+
- If a command fails, use `failure-triage` before further edits.
|
|
269
|
+
|
|
270
|
+
<!-- mustflow-section: output-format -->
|
|
271
|
+
## Output Format
|
|
272
|
+
|
|
273
|
+
- Error message integrity reviewed
|
|
274
|
+
- Error surfaces and audiences
|
|
275
|
+
- Error code and message contract
|
|
276
|
+
- Expected, actual, operation, cause, retryability, idempotency, provider, parse, range, time,
|
|
277
|
+
conflict, attempt, or partial-failure findings
|
|
278
|
+
- Public/internal split and redaction notes
|
|
279
|
+
- Fixes made or recommendation
|
|
280
|
+
- Tests or behavior evidence
|
|
281
|
+
- Command intents run
|
|
282
|
+
- Skipped checks and reasons
|
|
283
|
+
- Remaining error-message integrity risk
|
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.failure-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: failure-integrity-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and exception or failure handling can make the system lie about success, state, data, money, permissions, locks, queues, logs, metrics, or user-visible results, including broad catch blocks, swallowed exceptions, log-and-continue paths, return null/false/empty defaults, finally masking, unsafe retry, missing timeout, cancellation swallowing, async task failures, queue ack/nack, lost causes, raw internal errors, partial state changes, transaction rollback, lock/resource cleanup, parsing defaults, fail-open authorization, unsafe cache fallback, fallback defaults, stable error codes, and missing failure-path observability.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.failure-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Failure Integrity Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review failure handling by asking what lie the system tells after something fails.
|
|
33
|
+
|
|
34
|
+
The question is not whether a `try`/`catch` exists. The stronger question is whether a failed step can leave data, state, money, permissions, locks, queues, logs, metrics, or user-visible responses pretending the operation succeeded. Good failure handling makes failure honest, bounded, observable, and recoverable.
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- Code creates, changes, reviews, or reports exception handling, `catch`, `finally`, `retry`, `timeout`, `fallback`, `rollback`, `ack`, `nack`, `close`, `cancel`, `ignore`, `default`, `return null`, `return false`, empty collections, or `log.error` paths.
|
|
40
|
+
- A workflow has multiple steps where one step can fail after another step changed internal state, external state, a transaction, a queue, a cache, a lock, a file, a payment, an entitlement, or a user-visible result.
|
|
41
|
+
- Code handles external APIs, databases, files, streams, locks, queues, async tasks, cancellation, parsing, validation, authentication, authorization, cache fallback, payment, inventory, email, notification, or admin operations.
|
|
42
|
+
- Public API, CLI, UI, queue, or webhook boundaries expose error codes, messages, statuses, responses, acknowledgements, logs, metrics, trace ids, request ids, or incident evidence.
|
|
43
|
+
- A review or final report claims a path is safe, handled, resilient, graceful, retried, rolled back, logged, observable, idempotent, or successful despite possible failures.
|
|
44
|
+
|
|
45
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
46
|
+
## Do Not Use When
|
|
47
|
+
|
|
48
|
+
- The task only models expected failures, meaningful absence, `null`, `undefined`, boolean flags, or public error envelopes as typed values; use `result-option` first and this skill only for swallowed failures, partial state, or operational honesty.
|
|
49
|
+
- The task only changes backend retries, idempotency, queues, caches, health checks, provider calls, or outbox/inbox behavior; use `backend-reliability-change` first and this skill as an adjunct for failure truthfulness.
|
|
50
|
+
- The task only changes object lifetime or resource cleanup; use `memory-lifetime-review` first and this skill only when cleanup failure can hide the original failure or leave false success.
|
|
51
|
+
- The task only changes authorization, personal data, secret logging, or fail-closed policy; use `security-privacy-review` first and this skill only for error-path integrity around that boundary.
|
|
52
|
+
- The task is a pure calculation with no fallible dependency, side effect, status, observable response, or failure branch.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: required-inputs -->
|
|
55
|
+
## Required Inputs
|
|
56
|
+
|
|
57
|
+
- Failure surface: exception type, error value, rejected promise, timeout, cancellation, parse failure, validation failure, provider response, queue delivery failure, transaction failure, lock failure, cleanup failure, or fallback trigger.
|
|
58
|
+
- Truth surface: what the caller, user, operator, queue, database, cache, ledger, metric, audit log, or downstream service will believe after the failure.
|
|
59
|
+
- State-change ledger: every mutation, external call, enqueue, publish, ack, lock acquire, file write, cache write, status change, response send, and metric/log emission before and after each fallible step.
|
|
60
|
+
- Error classification: expected rejection, validation error, permission denial, transient dependency failure, permanent dependency failure, unknown outcome, programmer bug, corrupted data, or cancellation.
|
|
61
|
+
- Boundary rules: transaction rollback, compensation, idempotency, retry budget, timeout, fallback safety, fail-open or fail-closed behavior, public error code, safe message, cause preservation, redaction, and observability.
|
|
62
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow validation.
|
|
63
|
+
|
|
64
|
+
<!-- mustflow-section: preconditions -->
|
|
65
|
+
## Preconditions
|
|
66
|
+
|
|
67
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
68
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
69
|
+
- Required inputs are available, or missing failure, state, rollback, idempotency, timeout, fallback, redaction, or observability facts can be reported without guessing.
|
|
70
|
+
- Existing local patterns for typed errors, result values, transaction wrappers, idempotency, retries, queue consumers, cancellation, cleanup, logging, metrics, and public error envelopes have been searched before adding new shapes.
|
|
71
|
+
- If the failure path crosses money, entitlement, authorization, personal data, external providers, or durable events, also apply the relevant backend, security, database, API, state-machine, or result skill.
|
|
72
|
+
|
|
73
|
+
<!-- mustflow-section: allowed-edits -->
|
|
74
|
+
## Allowed Edits
|
|
75
|
+
|
|
76
|
+
- Replace swallowed exceptions, log-and-continue paths, and fake success returns with explicit failure propagation, typed error values, rollback, compensation, fail-closed behavior, or honest degraded responses.
|
|
77
|
+
- Split error categories and public error mapping when different failures need different caller behavior, retry behavior, monitoring, or user-visible status.
|
|
78
|
+
- Preserve original causes while keeping raw stack traces, SQL, provider payloads, secrets, tokens, request bodies, and personal data out of public responses and unsafe logs.
|
|
79
|
+
- Add or tighten timeout, retry budget, backoff, jitter, idempotency, cancellation propagation, queue ack/nack, dead-letter, lock release, resource cleanup, and failure-path observability tied to the changed surface.
|
|
80
|
+
- Add focused tests for representative failure branches, partial-step failures, retry exhaustion, timeout, cancellation, rollback, cleanup, fallback, stable error codes, and false-success prevention.
|
|
81
|
+
- Do not fix failure handling with arbitrary sleeps, broad catch-all branches, default values, comments that say "should not happen", or logs that cannot drive operator action.
|
|
82
|
+
|
|
83
|
+
<!-- mustflow-section: procedure -->
|
|
84
|
+
## Procedure
|
|
85
|
+
|
|
86
|
+
1. Ask the lie question first. If this step fails, what will the user, caller, database, cache, queue, ledger, metric, log, or operator believe happened?
|
|
87
|
+
2. Classify every caught failure.
|
|
88
|
+
- Avoid one broad `catch (Exception)`, `catch (error)`, or equivalent path that erases file-not-found, permission denied, timeout, validation, corrupted data, dependency failure, and programmer bugs into the same behavior.
|
|
89
|
+
- Separate expected rejection, transient dependency failure, permanent dependency failure, unknown outcome, cancellation, and bug because each needs different propagation, retry, and monitoring.
|
|
90
|
+
3. Reject log-and-continue fake success.
|
|
91
|
+
- A caught error followed by `return success`, `return null`, `return false`, `return []`, or continuing to the next side effect usually turns failure into a false fact.
|
|
92
|
+
- Distinguish "no data" from "failed to load data", "not sent" from "sent", and "not applied" from "applied".
|
|
93
|
+
4. Review `finally` and cleanup masking.
|
|
94
|
+
- Cleanup must run, but cleanup failure should not hide the original failure without preserving it as primary cause or suppressed context.
|
|
95
|
+
- Check file close, stream close, transaction end, lock release, temp-file cleanup, and connection release paths.
|
|
96
|
+
5. Preserve diagnostic identity without leaking secrets.
|
|
97
|
+
- Logs should include safe identifiers such as request id, order id, file id, provider name, retry count, state, operation name, and result class when useful.
|
|
98
|
+
- Do not log passwords, tokens, session cookies, payment details, full request bodies, raw provider payloads, personal data, or full exception graphs unless a narrow redacted retention rule exists.
|
|
99
|
+
6. Check transaction honesty.
|
|
100
|
+
- Catching inside a transaction and returning normally can commit partial failure.
|
|
101
|
+
- Fail by throwing or returning an error that forces rollback, or explicitly roll back before converting the error.
|
|
102
|
+
- If only part of the workflow can be atomic, name the compensation, reconciliation, or manual recovery path.
|
|
103
|
+
7. Check external side-effect ordering.
|
|
104
|
+
- If internal state says "paid", "sent", "saved", "processed", "approved", or "complete", verify the corresponding external or durable side effect is actually known to have happened.
|
|
105
|
+
- Unknown provider outcomes need reconciliation before repeating money, entitlement, inventory, or privacy-impacting actions.
|
|
106
|
+
8. Review retry and timeout behavior.
|
|
107
|
+
- A network timeout often means "unknown outcome", not "safe failure".
|
|
108
|
+
- Retry only when the operation is idempotent or guarded by durable idempotency. Add bounded attempts, timeout, backoff, jitter, and stop conditions.
|
|
109
|
+
- Missing timeout means failure may never become an exception; check thread, connection, worker, and pool exhaustion risk.
|
|
110
|
+
9. Preserve cancellation semantics.
|
|
111
|
+
- `InterruptedException`, `CancellationException`, `AbortError`, cancelled promises, context cancellation, and stop signals are control flow from above, not ordinary failures.
|
|
112
|
+
- Restore interrupt status, rethrow, return a cancellation result, or propagate the cancellation according to local style.
|
|
113
|
+
10. Check async failure ownership.
|
|
114
|
+
- For `Promise`, `Future`, `Task`, coroutine, goroutine, thread, event handler, and background job paths, ask who observes the failure.
|
|
115
|
+
- Avoid fire-and-forget work unless failure is deliberately logged, counted, bounded, and safe to lose.
|
|
116
|
+
11. Review queue and event acknowledgement.
|
|
117
|
+
- Ack after failure drops work. Blind nack on every failure can poison the queue.
|
|
118
|
+
- Define retry count, visibility timeout, dead-letter behavior, idempotent consumer state, duplicate handling, and safe operator evidence.
|
|
119
|
+
12. Preserve causes when converting errors.
|
|
120
|
+
- Wrapping an error should retain the cause or equivalent diagnostic context.
|
|
121
|
+
- Public errors should expose stable safe codes and messages, while internal logs or traces retain the raw cause under privacy rules.
|
|
122
|
+
13. Separate public and internal error shapes.
|
|
123
|
+
- Do not leak `NullPointerException`, SQL syntax, S3 access errors, stack traces, filesystem paths, storage keys, or provider payloads through public APIs.
|
|
124
|
+
- Do not make clients branch on free-form text. Public failure contracts need stable machine-readable codes.
|
|
125
|
+
14. Separate business rejections from system failures.
|
|
126
|
+
- Insufficient balance, invalid input, duplicate request, and permission denial are not the same as Redis down, DB unavailable, provider timeout, corrupted data, or programmer bugs.
|
|
127
|
+
- Map input validation to client-correctable errors and system failure to server/dependency errors.
|
|
128
|
+
15. Trace partial state after every fallible line.
|
|
129
|
+
- After setting `PROCESSING`, writing a DB row, reserving inventory, acquiring a lock, opening a file, sending a response, or publishing an event, ask where state lands if the next line fails.
|
|
130
|
+
- Close states explicitly as failed, rolled back, pending reconciliation, or unknown instead of leaving them stuck in-progress.
|
|
131
|
+
16. Check locks and resources from the acquisition line.
|
|
132
|
+
- The release guarantee should start immediately after `lock()`, semaphore acquire, distributed lock acquire, file lock, advisory lock, connection checkout, file open, stream open, temp file create, or cursor open.
|
|
133
|
+
- Normal-only `close()` paths are failure bugs. Use the local equivalent of scoped resource management.
|
|
134
|
+
17. Review parsing and default values.
|
|
135
|
+
- A dangerous default value is usually worse than a loud failure for money, quantity, date, role, permission, or policy inputs.
|
|
136
|
+
- Missing JSON fields, malformed dates, unknown time zones, missing prices, missing quantities, and invalid permissions should not silently become `0`, current time, free, public, allowed, or empty.
|
|
137
|
+
- Defaults are safe only when the wrong value has bounded harmless impact.
|
|
138
|
+
18. Check fail-open paths.
|
|
139
|
+
- Authentication, authorization, payment, entitlement, rate limit, destructive admin, and privacy decisions should normally fail closed.
|
|
140
|
+
- Recommendation, analytics, email, and non-critical display features may degrade only when the fallback cannot change protected state or mislead the user.
|
|
141
|
+
19. Review cache and fallback truth.
|
|
142
|
+
- Cache failure is a performance problem only when cache data is disposable. If cache stores sessions, permissions, rate limits, inventory, idempotency, or deduplication, failure is a correctness boundary.
|
|
143
|
+
- Fallback must be a safe degraded value, not a convenient default that can sell for zero, grant access, hide missing data, or mark work complete.
|
|
144
|
+
20. Require failure-path evidence.
|
|
145
|
+
- Tests should cover DB save failure, external timeout, second-step failure, retry exhaustion, cancellation, malformed input, queue consumer failure, rollback, cleanup, and stable public error code where relevant.
|
|
146
|
+
- Metrics should expose retry exhaustion, fallback activation, dead-letter insert, compensation failure, unknown provider outcome, and data inconsistency when those states matter.
|
|
147
|
+
21. Report missing evidence honestly. If the repository lacks configured integration, provider, queue, database, chaos, or load checks, complete available verification and name the remaining manual evidence gap.
|
|
148
|
+
|
|
149
|
+
<!-- mustflow-section: postconditions -->
|
|
150
|
+
## Postconditions
|
|
151
|
+
|
|
152
|
+
- Failure paths no longer produce false success, false completion, false empty data, false authorization, false delivery, or false durable state.
|
|
153
|
+
- Expected rejection, transient failure, permanent failure, unknown outcome, cancellation, bug, and corrupted data are separated where they affect behavior.
|
|
154
|
+
- Transactions, external side effects, retries, timeouts, queues, locks, resources, parsing defaults, fallbacks, and public error shapes are checked where relevant.
|
|
155
|
+
- Logs, metrics, traces, and audit records provide safe incident evidence without leaking sensitive data.
|
|
156
|
+
- Focused tests or configured verification cover the highest-risk failure branch when feasible.
|
|
157
|
+
|
|
158
|
+
<!-- mustflow-section: verification -->
|
|
159
|
+
## Verification
|
|
160
|
+
|
|
161
|
+
Use configured oneshot command intents when available:
|
|
162
|
+
|
|
163
|
+
- `changes_status`
|
|
164
|
+
- `changes_diff_summary`
|
|
165
|
+
- `lint`
|
|
166
|
+
- `build`
|
|
167
|
+
- `test_related`
|
|
168
|
+
- `test`
|
|
169
|
+
- `docs_validate_fast`
|
|
170
|
+
- `test_release`
|
|
171
|
+
- `mustflow_check`
|
|
172
|
+
|
|
173
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that proves false-success prevention and changed failure contracts. Do not infer raw provider, database, queue, load, chaos, server, watcher, or manual incident commands outside the command contract.
|
|
174
|
+
|
|
175
|
+
<!-- mustflow-section: failure-handling -->
|
|
176
|
+
## Failure Handling
|
|
177
|
+
|
|
178
|
+
- If a configured command fails, preserve the failing intent, failing assertion or output tail, and the failure contract it exercised before editing again.
|
|
179
|
+
- If the failure outcome cannot be classified, report the missing domain or operational decision instead of hiding it behind a catch-all branch.
|
|
180
|
+
- If fixing failure integrity requires a transaction boundary, idempotency store, outbox, dead-letter queue, reconciliation job, stable error catalog, or monitoring pipeline outside the current scope, report the missing durable boundary.
|
|
181
|
+
- If deterministic failure proof is not configured, report the missing manual evidence and complete the configured checks that are available.
|
|
182
|
+
|
|
183
|
+
<!-- mustflow-section: output-format -->
|
|
184
|
+
## Output Format
|
|
185
|
+
|
|
186
|
+
- Failure surface and lie checked
|
|
187
|
+
- Error categories and boundaries reviewed
|
|
188
|
+
- False success, swallowed exception, null/false/empty default, finally masking, transaction, side-effect ordering, retry/timeout, cancellation, async ownership, queue ack/nack, cause preservation, public/internal error shape, partial state, lock/resource cleanup, parsing default, fail-open, cache/fallback, and observability checks where relevant
|
|
189
|
+
- Failure-integrity fixes made or recommended
|
|
190
|
+
- Tests or verification evidence
|
|
191
|
+
- Command intents run
|
|
192
|
+
- Skipped failure diagnostics and reasons
|
|
193
|
+
- Remaining failure-integrity risk
|