mustflow 2.38.0 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (94) hide show
  1. package/README.md +3 -0
  2. package/dist/cli/commands/run/executor.js +16 -0
  3. package/dist/cli/commands/run/process-tree.js +6 -3
  4. package/dist/cli/commands/verify.js +3 -1
  5. package/dist/cli/lib/git-changes.js +11 -1
  6. package/dist/cli/lib/i18n.js +1 -1
  7. package/dist/cli/lib/local-index/index.js +8 -4
  8. package/dist/cli/lib/local-index/populate.js +17 -3
  9. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  10. package/dist/cli/lib/local-index/search-text.js +2 -2
  11. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  12. package/dist/cli/lib/mustflow-read.js +14 -2
  13. package/dist/cli/lib/repo-map.js +16 -3
  14. package/dist/cli/lib/templates.js +8 -7
  15. package/dist/cli/lib/validation/constants.js +1 -1
  16. package/dist/core/active-run-locks.js +78 -20
  17. package/dist/core/change-classification.js +4 -0
  18. package/dist/core/command-contract-rules.js +1 -1
  19. package/dist/core/command-contract-validation.js +1 -1
  20. package/dist/core/command-cwd.js +13 -2
  21. package/dist/core/command-effects.js +22 -4
  22. package/dist/core/command-env.js +8 -6
  23. package/dist/core/command-preconditions.js +28 -2
  24. package/dist/core/completion-verdict.js +1 -1
  25. package/dist/core/line-endings.js +8 -4
  26. package/dist/core/safe-filesystem.js +9 -1
  27. package/dist/core/source-anchor-validation.js +7 -1
  28. package/dist/core/source-anchors.js +8 -2
  29. package/dist/core/verification-scheduler.js +8 -2
  30. package/package.json +1 -1
  31. package/templates/default/common/.mustflow/config/commands.toml +39 -15
  32. package/templates/default/i18n.toml +330 -1
  33. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  34. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  35. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  36. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  37. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  38. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  39. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  40. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  41. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  42. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  43. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  44. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  45. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  46. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  47. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  48. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  49. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  51. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  52. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  53. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  54. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  55. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  57. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  58. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  59. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  60. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  61. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  62. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  65. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  66. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  67. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  68. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  69. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  70. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  74. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  75. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  76. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  77. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  78. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  79. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  80. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  81. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  83. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  84. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  85. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  86. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  87. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  88. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  89. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  90. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  91. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  92. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  93. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  94. package/templates/default/manifest.toml +388 -2
@@ -0,0 +1,329 @@
1
+ ---
2
+ mustflow_doc: skill.mobile-energy-efficiency-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: mobile-energy-efficiency-review
9
+ description: Apply this skill when Android, iOS, React Native, Flutter, Tauri mobile, or other mobile app code is created, changed, reviewed, or reported and battery, energy, background work, wake locks, exact alarms, push or WebSocket behavior, polling, networking, cellular use, location, sensors, Bluetooth, rendering, animation, timers, disk I/O, Compose recomposition, Low Power Mode, Battery Saver, or platform energy diagnostics need review for whether the app wakes the phone, radio, GPS, sensors, GPU, CPU, or storage only when the user value justifies it.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.mobile-energy-efficiency-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Mobile Energy Efficiency Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review mobile battery use as wakeup, radio, sensor, location, rendering, timer, and I/O pressure,
33
+ not as a generic CPU speed problem.
34
+
35
+ The review question is not "is this code fast?" It is "does this app avoid waking the phone,
36
+ cellular radio, GPS, sensors, GPU, CPU, and storage when the screen is not asking for it, and does
37
+ it degrade correctly under mobile OS power policy?"
38
+
39
+ <!-- mustflow-section: use-when -->
40
+ ## Use When
41
+
42
+ - Android, iOS, React Native, Flutter, Tauri mobile, Kotlin Multiplatform, native mobile SDK, or
43
+ hybrid mobile app code creates, changes, reviews, or reports background work, scheduled work,
44
+ foreground services, WorkManager, JobScheduler, BackgroundTasks, `beginBackgroundTask`, wake
45
+ locks, exact alarms, push notifications, WebSockets, polling, network sync, uploads, downloads,
46
+ prefetch, retries, offline sync, cellular behavior, Low Data Mode, Battery Saver, Low Power Mode,
47
+ location, geofencing, route tracking, sensors, Bluetooth, BLE scanning, rendering, animation,
48
+ spinners, timers, disk writes, Compose recomposition, image decoding, or cache behavior.
49
+ - A final report claims a mobile path is battery-friendly, background-safe, Doze-safe,
50
+ App-Standby-safe, low-power-aware, network-efficient, location-efficient, render-efficient,
51
+ sensor-efficient, or safe for app-store or Play quality expectations.
52
+ - A bug report mentions battery drain, hot phone, background drain, high energy impact, excessive
53
+ wakeups, excessive wake locks, poor standby life, runaway GPS, constant network activity, cellular
54
+ drain, UI jank plus battery drain, or the app staying active after the user leaves.
55
+
56
+ <!-- mustflow-section: do-not-use-when -->
57
+ ## Do Not Use When
58
+
59
+ - The task is purely web Core Web Vitals, browser rendering, bundle size, first render, or DOM
60
+ frame work outside a packaged mobile app; use the matching web performance skill first.
61
+ - The task is primarily memory ownership, listener cleanup, native handle lifetime, or retained
62
+ Activity or View references; use `memory-lifetime-review` first and this skill only for energy
63
+ consequences.
64
+ - The task is primarily API rate limiting, backend cost control, retry amplification, or cloud
65
+ spend; use the relevant backend, rate-limit, retry, or cost skill first.
66
+ - The operation is a pure local calculation with no mobile runtime, wakeup, background, network,
67
+ location, sensor, UI, timer, storage, or platform power-mode implication.
68
+
69
+ <!-- mustflow-section: required-inputs -->
70
+ ## Required Inputs
71
+
72
+ - Energy evidence ledger: Android Vitals, Power Profiler, Macrobenchmark power metric, system
73
+ tracing, Xcode Organizer, MetricKit, Instruments Power Profiler, device logs, battery-drain
74
+ reports, or an explicit note that only static evidence is available.
75
+ - User-value ledger: screen or feature, foreground versus background state, user-visible outcome,
76
+ freshness requirement, completion requirement, acceptable delay, cancellation behavior, and
77
+ whether the work can be batched, deferred, or skipped.
78
+ - Background work ledger: coroutine, thread, async task, WorkManager, JobScheduler, foreground
79
+ service, exact alarm, push, BackgroundTasks, `beginBackgroundTask`, app lifecycle callback,
80
+ queue, retry, and expiration handling.
81
+ - Wakeup and radio ledger: polling, push, WebSocket, network callback, sync cadence, batch size,
82
+ request count, upload/download size, cellular versus Wi-Fi, expensive or constrained network
83
+ policy, retry policy, and offline behavior.
84
+ - Location, sensor, and Bluetooth ledger: requested accuracy, update interval, max delay,
85
+ geofence responsiveness, background permission, one-shot versus continuous location, motion
86
+ update interval, observer lifecycle, BLE scan and notification policy.
87
+ - Rendering and UI ledger: offscreen work, background animations, overdraw, opacity, blur, shadow,
88
+ frame rate, infinite loader, Compose stability, recomposition triggers, image decode, list cell
89
+ effects, and reduced motion or low-power behavior.
90
+ - Timer and storage ledger: repeated timer, tolerance, invalidation, dispatch source, file write
91
+ frequency, database batching, cache persistence, autosave cadence, and app-state flush behavior.
92
+ - Platform power-mode ledger: Android Doze, App Standby, Battery Saver, iOS Low Power Mode, Low
93
+ Data Mode, background execution entitlement, permission policy, store policy, and user-visible
94
+ fallback.
95
+ - Observability and test evidence: metrics, logs, traces, counters, wakeup counts, job outcome
96
+ events, timeout or expiration logs, power-mode tests, lifecycle tests, fake-clock tests, and
97
+ configured command intents.
98
+
99
+ <!-- mustflow-section: preconditions -->
100
+ ## Preconditions
101
+
102
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
103
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
104
+ current scope.
105
+ - Required energy, user-value, background, wakeup, radio, location, sensor, rendering, timer,
106
+ storage, power-mode, observability, and test evidence is available, or missing evidence can be
107
+ reported without guessing.
108
+ - Existing mobile lifecycle, background task, networking, location, sensor, rendering, timer,
109
+ storage, telemetry, and test patterns have been searched before adding new shapes.
110
+ - If the feature affects money, safety, medical, navigation, authentication, permissions, privacy,
111
+ or legal retention, also apply the relevant security, privacy, payment, data, or failure skill.
112
+
113
+ <!-- mustflow-section: allowed-edits -->
114
+ ## Allowed Edits
115
+
116
+ - Add or tighten lifecycle cancellation, WorkManager or JobScheduler constraints, BackgroundTasks
117
+ usage, wake lock timeout and release paths, exact alarm justification, push priority, network
118
+ batching, callback-based network state, cellular and constrained-network policy, location
119
+ accuracy and interval, geofence responsiveness, background-location stop behavior, sensor or BLE
120
+ stop behavior, render throttling, animation stop, frame-rate lowering, timer tolerance, disk I/O
121
+ batching, low-power degradation, observability, and focused tests.
122
+ - Replace unbounded background services, always-on WebSockets, frequent polling, exact alarms for
123
+ non-user-critical work, wake locks without timeout and release, continuous GPS for coarse needs,
124
+ always-on sensors, duplicate BLE scans, offscreen animations, overdraw-heavy UI, infinite loaders,
125
+ zero-tolerance timers, and per-keystroke disk writes when in scope.
126
+ - Do not add live device tests, store-console actions, production telemetry queries, background
127
+ workers, local servers, platform dashboards, or raw mobile build commands outside the configured
128
+ command contract.
129
+ - Do not treat a battery fix as proof of memory safety, privacy compliance, permission safety,
130
+ backend rate limiting, offline sync correctness, or UI performance without matching evidence.
131
+
132
+ <!-- mustflow-section: procedure -->
133
+ ## Procedure
134
+
135
+ 1. Start with measurement or mark static-only evidence.
136
+ - Prefer current platform evidence such as Android Vitals, Power Profiler, Macrobenchmark power
137
+ metric, system tracing, Xcode Organizer, MetricKit, or Instruments Power Profiler.
138
+ - If only code review is available, say so. Do not invent battery savings from intuition.
139
+ - Treat older or lightly maintained diagnostic tools as optional context, not the only proof.
140
+ 2. Classify the user value and urgency.
141
+ - Name whether the work is visible foreground work, user-started completion work, silent sync,
142
+ prefetch, telemetry, upload, notification, navigation, safety, or convenience.
143
+ - Screen-visible work can often be cancelled when the screen disappears.
144
+ - User-started completion work can finish briefly in the background.
145
+ - Silent convenience work should usually wait, batch, or be skipped under power pressure.
146
+ 3. Split foreground tasks from durable background work.
147
+ - Use ordinary coroutine, thread, async task, or lifecycle-scoped work for visible-only work.
148
+ - Use Android WorkManager, JobScheduler, or iOS BackgroundTasks-style scheduling for work that
149
+ must finish after the user leaves and can tolerate OS scheduling.
150
+ - Do not treat a background worker as a license to run immediately or forever.
151
+ 4. Reject unbounded Android background services.
152
+ - A long-running background Service or foreground service should have a user-visible reason,
153
+ platform permission basis, notification behavior, stop condition, and fallback.
154
+ - Assume Android background limits, foreground-service restrictions, Doze, and App Standby can
155
+ delay or stop work.
156
+ - If the product needs exact real-time work, name the user-visible reason and platform policy
157
+ evidence.
158
+ 5. Design for Doze and App Standby.
159
+ - Network, jobs, alarms, wake locks, and background work can be delayed or suppressed by the OS.
160
+ - Replace "run every N seconds/minutes exactly" with retryable, resumable, batched work unless
161
+ there is a true user-facing deadline.
162
+ - Persist enough progress to resume after delay, process death, or maintenance-window execution.
163
+ 6. Treat exact alarms as scarce.
164
+ - Standard alarms can be delayed under power policy.
165
+ - Allow-while-idle or exact-while-idle alarms should be reserved for genuinely user-critical
166
+ deadlines such as alarm, calendar, safety, or payment-deadline behavior.
167
+ - Report missing platform permission, throttling, fallback, and user-visible justification.
168
+ 7. Treat wake locks as emergency medicine.
169
+ - Prefer platform-managed work APIs before manual wake locks.
170
+ - If a wake lock remains, require a timeout, shortest possible scope, `try/finally` or
171
+ equivalent release, cancellation release, exception release, and observability for acquire and
172
+ release.
173
+ - Do not hold wake locks across network calls without tight timeout and cancellation policy.
174
+ 8. Prefer shared push over app-owned always-on sockets.
175
+ - For mobile notifications and server-triggered wakeups, prefer platform push channels such as
176
+ FCM or APNs when the feature fits.
177
+ - Use high-priority push only when it leads to user-visible, time-sensitive behavior.
178
+ - Do not keep WebSocket, MQTT, or polling connections alive in the background for speculative
179
+ prefetch or invisible freshness.
180
+ 9. Batch network work.
181
+ - Prefer fewer larger transactions over many tiny wakeups when freshness allows it.
182
+ - Coalesce sync, telemetry, uploads, and refreshes instead of firing each event immediately.
183
+ - Respect expensive, constrained, metered, Low Data Mode, roaming, poor-signal, and offline
184
+ conditions.
185
+ - Use connectivity callbacks instead of periodic "are we online?" polling.
186
+ 10. Put constraints on heavy sync.
187
+ - For Android scheduled work, consider unmetered network, charging, idle, battery-not-low, and
188
+ storage-not-low constraints when the work is not urgent.
189
+ - For iOS networking, decide whether constrained or expensive network access is allowed and
190
+ whether the request should wait for connectivity.
191
+ - Report product requirements that conflict with battery-friendly constraints.
192
+ 11. Lower location accuracy first.
193
+ - Do not use high accuracy or GPS for coarse place lookup, nearby content, analytics, or
194
+ personalization unless the feature proves it needs it.
195
+ - Prefer balanced, low-power, no-power, reduced-accuracy, or last-known strategies where safe.
196
+ - Treat background location permission as a high-risk energy and privacy surface.
197
+ 12. Stop one-shot location after one shot.
198
+ - Use one-time location APIs when only one coordinate is needed.
199
+ - If continuous updates are used, stop them when the feature completes, screen disappears, or
200
+ accuracy is good enough.
201
+ - On iOS, pair background location enablement with automatic pauses, appropriate activity type,
202
+ explicit stop, and restoring background updates to false when no longer needed.
203
+ 13. Batch and slow continuous location.
204
+ - Use the longest acceptable interval for background updates.
205
+ - Use max update delay or deferred update behavior when batch delivery still satisfies product
206
+ value.
207
+ - For geofences, avoid instant responsiveness unless the user-facing feature needs it.
208
+ 14. Stop sensors and BLE when done.
209
+ - Motion, orientation, accelerometer, gyroscope, magnetometer, camera, microphone, and BLE scan
210
+ work should have clear start and stop ownership.
211
+ - Increase sensor update intervals to the lowest useful frequency.
212
+ - Stop BLE scan after finding the target, avoid duplicate discovery unless needed, and prefer
213
+ notification/subscription over polling for value changes.
214
+ 15. Stop invisible UI work.
215
+ - When the app backgrounds or a screen disappears, stop animations, progress UI, timers, image
216
+ work, layout loops, and screen-only state updates that no user can see.
217
+ - Keep durable state changes separate from decorative or visual progress.
218
+ - Do not let a spinner, shimmer, Lottie animation, or progress timer run forever behind another
219
+ screen or in background.
220
+ 16. Reduce pixels and frames.
221
+ - Check Android overdraw, duplicated backgrounds, translucent overlays, nested cards, wrapper
222
+ views, blur, shadows, and large invalidated regions.
223
+ - On iOS, treat opacity, translucent blur, shadows, and high frame rate as costs that must be
224
+ justified by the screen.
225
+ - Lower frame rate for menus, settings, static feeds, loading decoration, and non-interactive
226
+ surfaces where the platform and UI stack support it.
227
+ 17. Make Compose and declarative UI stable.
228
+ - Stable models let Compose or similar declarative UI skip work; unstable mutable models can
229
+ cause needless recomposition.
230
+ - Avoid passing mutable lists, changing lambdas, large state bags, or module-boundary types that
231
+ the UI runtime cannot prove stable.
232
+ - Track recomposition evidence before claiming the UI is energy-efficient.
233
+ 18. Give timers slack.
234
+ - Repeating timers wake the CPU. Invalidate them when the screen or task ends.
235
+ - Use timer tolerance, coalescing, debouncing, dispatch sources, lifecycle-aware flows, or
236
+ platform schedulers when exact ticks are not needed.
237
+ - Avoid 1-second or sub-second timers for decorative UI, polling, autosave, or progress that
238
+ can be event-driven.
239
+ 19. Batch disk I/O.
240
+ - Write only when data changed.
241
+ - Coalesce autosave, cache persistence, telemetry, and app-state writes.
242
+ - Avoid rewriting large JSON or preference blobs on every keystroke, scroll event, or sensor
243
+ sample; use a database or append/merge strategy when partial updates are frequent.
244
+ 20. React to Low Power Mode and Battery Saver as product states.
245
+ - Define which animation, sync, backup, location, prefetch, ML inference, image decode, and
246
+ background behavior is disabled, delayed, or simplified.
247
+ - Preserve user-critical and safety-critical behavior explicitly.
248
+ - Make the degraded path observable and testable.
249
+ 21. Keep energy telemetry useful and low-risk.
250
+ - Log job reason, lifecycle state, power mode, network class, constraint decision, location mode,
251
+ wake lock scope, push priority, background expiration, retry count, and stop reason where safe.
252
+ - Keep metrics labels bounded; do not label by user id, raw URL, coordinate, BLE device address,
253
+ payload, or trace id.
254
+ - Include both "started" and "stopped" or "expired" evidence for background work, sensors,
255
+ location, BLE, timers, and wake locks.
256
+ 22. Test the ugly edges.
257
+ - Cover backgrounding, screen disappear, cancellation, process death resume, Doze or standby
258
+ simulation when configured, Battery Saver or Low Power Mode policy, constrained network,
259
+ offline-to-online callback, location permission downgrade, sensor stop, BLE scan stop, timer
260
+ invalidation, wake lock release on exception, and background-task expiration.
261
+ - If device, emulator, Xcode, Android Studio, store-console, or production telemetry evidence is
262
+ not configured, report that boundary as manual-only instead of approving battery behavior.
263
+
264
+ <!-- mustflow-section: postconditions -->
265
+ ## Postconditions
266
+
267
+ - Measurement status, user value, foreground versus background boundary, OS scheduling, Doze or
268
+ App Standby behavior, exact alarm use, wake lock scope, push versus socket choice, network
269
+ batching, cellular constraints, location accuracy and duration, geofence responsiveness, sensor
270
+ and BLE lifecycle, invisible UI work, overdraw and effects, frame rate, Compose stability, timer
271
+ tolerance, disk I/O batching, Low Power Mode or Battery Saver behavior, telemetry, and tests are
272
+ explicit.
273
+ - Unbounded background services, exact periodic sync fantasies, wake locks without timeout, high
274
+ priority push for invisible prefetch, constant WebSocket background connections, polling,
275
+ cellular-as-Wi-Fi assumptions, high-accuracy location by default, forgotten continuous location,
276
+ instant geofence marketing, background location left enabled, unclosed sensors, endless BLE scan,
277
+ offscreen animation, overdraw, excessive blur or shadow, high FPS decoration, infinite loaders,
278
+ unstable Compose models, zero-tolerance timers, per-keystroke disk writes, and low-power blindness
279
+ are fixed or reported.
280
+ - Mobile energy claims are backed by configured tests, platform diagnostic evidence, static review
281
+ evidence, or labeled as manual-only or missing.
282
+
283
+ <!-- mustflow-section: verification -->
284
+ ## Verification
285
+
286
+ Use configured oneshot command intents when available:
287
+
288
+ - `changes_status`
289
+ - `changes_diff_summary`
290
+ - `lint`
291
+ - `build`
292
+ - `test_related`
293
+ - `test`
294
+ - `docs_validate_fast`
295
+ - `test_release`
296
+ - `mustflow_check`
297
+
298
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
299
+ changed mobile energy policy and synchronized template surfaces. Do not infer raw Android Studio,
300
+ Xcode, emulator, device, store-console, telemetry, background-service, or platform-dashboard checks
301
+ outside the command contract.
302
+
303
+ <!-- mustflow-section: failure-handling -->
304
+ ## Failure Handling
305
+
306
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and
307
+ the energy invariant it exercised before editing again.
308
+ - If the user value or urgency cannot be named, report that the energy tradeoff is not reviewable
309
+ yet.
310
+ - If platform power behavior cannot be tested locally, complete available static and unit evidence
311
+ and report missing device, emulator, profiler, or production telemetry evidence.
312
+ - If safe repair requires product requirement changes, native permission policy, store policy,
313
+ platform entitlement, device lab testing, production telemetry, or OS-specific implementation
314
+ outside the current scope, report the missing boundary instead of inventing commands.
315
+
316
+ <!-- mustflow-section: output-format -->
317
+ ## Output Format
318
+
319
+ - Mobile energy boundary reviewed
320
+ - Measurement status, user value, background work, OS scheduling, exact alarm, wake lock, push or
321
+ socket, network batching, cellular or constrained network, location, geofence, sensor, BLE, UI
322
+ rendering, animation, frame rate, Compose or declarative UI stability, timer, disk I/O, low-power
323
+ mode, telemetry, and test findings
324
+ - Mobile energy fixes made or recommended
325
+ - Evidence level: configured-test evidence, platform diagnostic evidence, static review risk,
326
+ manual-only, missing, or not applicable
327
+ - Command intents run
328
+ - Skipped mobile energy diagnostics and reasons
329
+ - Remaining mobile energy risk
@@ -0,0 +1,278 @@
1
+ ---
2
+ mustflow_doc: skill.module-boundary-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: module-boundary-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and module separation, cohesion, coupling, data ownership, rule ownership, failure ownership, import direction, circular dependency, DTO leakage, shared/common/utils growth, mock-heavy tests, repeated policy conditions, enum interpretation, repository business logic, anemic domain, domain-to-I/O leakage, transaction boundary mismatch, event naming, public API bloat, caller sequencing, premature reuse, co-change history, bug/fix distance, config ownership, log responsibility, exception translation, cache invalidation ownership, repeated authorization checks, frontend/backend policy leakage, time policy, batch or worker bypass, or temporary-code accumulation can make a change spread beyond its real owner.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.module-boundary-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Module Boundary Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review module separation by tracing change spread, ownership, and ignorance boundaries rather than
33
+ folder names, layer names, or file labels.
34
+
35
+ The review question is not "which folder should this file live in?" It is "when this rule changes,
36
+ who must change, who owns the data, who owns the failure, and who should not need to know?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Code creates, changes, reviews, or reports module boundaries, package boundaries, folder splits,
42
+ services, repositories, validators, mappers, helpers, shared utilities, DTOs, domain models,
43
+ policies, use cases, workers, batches, events, caches, permissions, config reads, or public module
44
+ APIs.
45
+ - A change touches several folders, layers, or modules for one reason, or several differently named
46
+ files repeatedly change together.
47
+ - A review claims that layering, clean architecture, DDD, modular monolith, feature folders,
48
+ repositories, services, shared utilities, events, DTOs, or frontend/backend separation is clean.
49
+ - The suspected issue is not a large service split yet, but a local module boundary that leaks
50
+ business rules, data shape, failure handling, sequencing, or ownership to neighbors.
51
+
52
+ <!-- mustflow-section: do-not-use-when -->
53
+ ## Do Not Use When
54
+
55
+ - The task designs or reviews service ownership, team ownership, cross-service data ownership,
56
+ deployment units, queues, large modular-monolith boundaries, or operational recovery; use
57
+ `service-boundary-architecture`.
58
+ - The task asks for an architecture review before choosing a refactor or abstraction; use
59
+ `architecture-deepening-review` first and this skill only for module-leak evidence.
60
+ - The task is implementing a new feature where early data flow and failure model decisions dominate;
61
+ use `structure-first-engineering` first and this skill as an adjunct when module ownership is the
62
+ sharpest risk.
63
+ - The task is only a behavior-preserving move or rename with known behavior evidence; use
64
+ `behavior-preserving-refactor`.
65
+ - The only concern is a single pattern such as adapter, facade, strategy, state machine, dependency
66
+ injection, result type, or composition over inheritance; use that narrower pattern skill.
67
+
68
+ <!-- mustflow-section: required-inputs -->
69
+ ## Required Inputs
70
+
71
+ - Change reason: the policy, feature, bug, data shape, failure path, or operational behavior that
72
+ caused the edit.
73
+ - Changed-file spread: folders, modules, layers, packages, tests, generated files, templates, and
74
+ docs touched by the same reason.
75
+ - Co-change evidence when available: recent commits, PRs, repeated paired files, or local diff
76
+ history showing files that usually move together.
77
+ - Module graph evidence: imports, exports, public APIs, call sites, dependency direction, cycles,
78
+ shared helpers, DTO flow, and configuration reads.
79
+ - Ownership evidence: source of truth for data, owner of policy decisions, owner of failure handling,
80
+ owner of cache invalidation, owner of time and config interpretation, and owner of authorization.
81
+ - Test evidence: number and kind of mocks, pure-domain tests, integration tests, worker or batch
82
+ entry tests, and whether callers need to know internal call order.
83
+ - Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
84
+ validation.
85
+
86
+ <!-- mustflow-section: preconditions -->
87
+ ## Preconditions
88
+
89
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
90
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
91
+ current scope.
92
+ - Required inputs are available, or missing ownership, import, co-change, test, or failure evidence
93
+ can be reported without guessing.
94
+ - If the review finds security, privacy, cache, concurrency, database, API, or failure-integrity
95
+ risk, also use the relevant narrower skill before editing that part.
96
+
97
+ <!-- mustflow-section: allowed-edits -->
98
+ ## Allowed Edits
99
+
100
+ - Move or tighten policy ownership, DTO boundaries, mapper boundaries, module public APIs, import
101
+ direction, config injection, exception translation, cache invalidation ownership, authorization
102
+ checks, event facts, worker entrypoints, and tests directly tied to the reviewed module boundary.
103
+ - Add small facades, use-case functions, policy objects, pure domain helpers, adapters, or result
104
+ mappings only when they reduce caller knowledge, co-change spread, duplicate rules, or mock cost.
105
+ - Add focused tests that prove the boundary contract, such as one policy owner, caller order hidden
106
+ inside a module, batch and online paths using the same use case, or frontend receiving a decision
107
+ instead of reconstructing backend state.
108
+ - Do not split files, introduce layers, rename modules, or create broad shared helpers only because
109
+ the current folder looks untidy.
110
+ - Do not move behavior across a public contract, database owner, event contract, or permission
111
+ boundary without preserving compatibility or reporting the migration risk.
112
+
113
+ <!-- mustflow-section: procedure -->
114
+ ## Procedure
115
+
116
+ 1. Start with change spread, not folder names.
117
+ - Name the single reason for the change.
118
+ - Count how many modules, folders, layers, tests, docs, and templates changed for that one reason.
119
+ - If one policy edit forces controller, service, repository, mapper, utility, constants, worker,
120
+ and UI edits together, treat the module boundary as suspect.
121
+ 2. Group by reason to change.
122
+ - Files with different names but the same change reason are one module candidate.
123
+ - `UserService`, `UserValidator`, `UserMapper`, `UserPolicy`, and `UserHelper` changing together is
124
+ evidence of sliced roles, not necessarily separated modules.
125
+ 3. Check import direction.
126
+ - Infrastructure or low-level modules should not know high-level business use case names unless
127
+ the repository intentionally uses that inversion.
128
+ - Treat lower layers importing policy names such as plan, checkout, approval, permission, or
129
+ subscription as evidence that the policy leaked downward.
130
+ 4. Treat cycles as boundary failure until proven harmless.
131
+ - If A imports B and B imports A, identify the missing concept, ownership decision, event, port, or
132
+ data-flow direction.
133
+ - Do not accept "they need each other" without naming the invariant that forces the cycle.
134
+ 5. Trace DTO infection.
135
+ - API response DTOs, request DTOs, ORM rows, provider payloads, and UI view models should not
136
+ become domain, repository, batch, worker, or event models by default.
137
+ - Convert at the boundary and keep internal decision shapes separate from external transport shapes.
138
+ 6. Audit `common`, `shared`, `utils`, and `helpers`.
139
+ - Low-level pure tools can be shared. Business rules in shared folders are usually ownerless
140
+ policy.
141
+ - If a shared helper imports domain words or changes with one product rule, move ownership closer
142
+ to the domain that owns the rule.
143
+ 7. Check module responsibility by verbs, not names.
144
+ - A noun-named module that calculates unrelated coupons, points, email, inventory, admin alerts,
145
+ and audit behavior is hiding a process, not a bounded responsibility.
146
+ - A module deleted from the system should remove a coherent business capability, not random
147
+ features from several flows.
148
+ 8. Use tests as boundary sensors.
149
+ - If one module's core rule test needs many mocks, the module probably knows too many external
150
+ facts or mixes decision logic with orchestration.
151
+ - Prefer pure rule tests for the owner and smaller integration tests for adapters and delivery.
152
+ 9. Find repeated policy conditions.
153
+ - Repeated `isPremium`, `status === PAID`, `plan === ENTERPRISE`, owner checks, feature flags, or
154
+ time-window branches across modules mean the policy has no single owner.
155
+ - Move interpretation to a policy object, domain method, use case, state machine, capability
156
+ result, or other local pattern that callers can ask instead of reimplement.
157
+ 10. Check enum spread.
158
+ - Sharing a status value may be fine. Sharing every interpretation of that status across modules
159
+ is not.
160
+ - Refundability, notification behavior, inventory restoration, permission, and UI action
161
+ visibility should have named owners, not scattered enum branches.
162
+ 11. Check repository language.
163
+ - Repository names such as `findRefundableOrders`, `findUsersEligibleForPromotion`, or
164
+ `saveWithAuditAndNotify` usually mean persistence is making business decisions.
165
+ - Repositories may expose data queries, but policy eligibility and side-effect orchestration need
166
+ an owner above persistence unless the local architecture explicitly says otherwise.
167
+ 12. Check anemic and overpowered domain shapes.
168
+ - A domain object with only fields while services own every decision is a sign that rules moved
169
+ away from the data that explains them.
170
+ - A domain object that sends email, opens transactions, calls HTTP, invalidates Redis, or reads
171
+ process environment knows too much about the outside world.
172
+ 13. Check transaction boundaries against module boundaries.
173
+ - If one use case must transactionally mutate many owners, decide which facts are truly one
174
+ consistency boundary and which can move through outbox, event, worker, or reconciliation.
175
+ - Do not hide a cross-owner consistency problem behind a single large service method.
176
+ 14. Check event language.
177
+ - Events should describe domain facts such as `OrderPaid`, `SubscriptionCancelled`, or
178
+ `RefundApproved`, not storage mechanics such as `UserTableUpdated` or `OrderRowInserted`.
179
+ - A technical event name often exposes another module's internals instead of publishing a useful
180
+ fact.
181
+ 15. Check public module API size and caller sequencing.
182
+ - Too many exported functions can mean internals are on display.
183
+ - If callers must call `create`, then `apply`, then `reserve`, then `mark`, the module has handed
184
+ out an assembly manual instead of owning the sequence.
185
+ 16. Check reuse claims.
186
+ - "Used in many places" is not enough reason to extract a common helper.
187
+ - Reuse is safe only when the callers change for the same reason. Similar code from different
188
+ business contexts may need duplication until the shared concept is real.
189
+ 17. Check history, not only the current diff.
190
+ - Recent commits and repeated PR pairings can reveal true module candidates better than folder
191
+ names.
192
+ - If a file repeatedly receives temporary exceptions in the same direction, name the missing
193
+ concept instead of adding another branch.
194
+ 18. Compare bug location with fix location.
195
+ - If the symptom appears in one module but the fix belongs in an unrelated utility, policy, or
196
+ mapper, the responsibility line may be bent.
197
+ 19. Check config, time, and logging responsibility.
198
+ - Raw `process.env`, feature flag, remote config, clock, timezone, locale, and date parsing should
199
+ usually be read at the edge and injected as explicit values.
200
+ - Logs that mention another module's job, such as payment code logging welcome-email failure, are
201
+ strong ownership evidence.
202
+ 20. Translate exceptions at boundaries.
203
+ - Database, provider, filesystem, framework, and payment errors should not leak through every
204
+ layer unchanged.
205
+ - Convert external failure dialect into the receiving module's language while preserving safe
206
+ diagnostic causes.
207
+ 21. Check cache invalidation, authorization, frontend policy, and alternate entrypoints.
208
+ - Cache invalidation belongs near the data owner, not scattered across random callers.
209
+ - Authorization checks repeated in controllers should move to one use-case entry, policy, or
210
+ capability boundary.
211
+ - Frontend code should receive allowed actions or decisions when possible, not reconstruct
212
+ backend policy from internal statuses.
213
+ - Batch, cron, worker, and admin tools should use the same use case or policy owner as online
214
+ requests instead of bypassing validations, events, logs, and permissions.
215
+ 22. Decide the smallest response.
216
+ - If evidence is strong and the edit is in scope, make the smallest boundary fix.
217
+ - If the fix would be broad, report the module boundary risk and the first safe split point.
218
+ - If evidence is weak, leave the structure alone and report the missing co-change or ownership
219
+ evidence.
220
+
221
+ <!-- mustflow-section: postconditions -->
222
+ ## Postconditions
223
+
224
+ - The changed reason, changed-file spread, co-change evidence, data owner, policy owner, failure
225
+ owner, and public module surface are explicit or reported as missing.
226
+ - Import direction, cycles, DTO spread, shared helper ownership, repository policy leakage, domain
227
+ I/O leakage, transaction mismatch, event naming, caller sequencing, duplicated policy, and alternate
228
+ entrypoints are fixed or reported where relevant.
229
+ - Any new abstraction hides a named responsibility and reduces caller knowledge, change spread, or
230
+ test mock cost.
231
+ - Behavior, public contracts, permissions, data ownership, and failure semantics remain intact or
232
+ are reported as risks.
233
+
234
+ <!-- mustflow-section: verification -->
235
+ ## Verification
236
+
237
+ Use configured oneshot command intents when available:
238
+
239
+ - `changes_status`
240
+ - `changes_diff_summary`
241
+ - `lint`
242
+ - `build`
243
+ - `test_related`
244
+ - `test`
245
+ - `docs_validate_fast`
246
+ - `test_release`
247
+ - `mustflow_check`
248
+
249
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed
250
+ module boundary. Use release or docs checks when templates, public docs, package metadata, public APIs,
251
+ schemas, generated clients, or install surfaces change.
252
+
253
+ <!-- mustflow-section: failure-handling -->
254
+ ## Failure Handling
255
+
256
+ - If ownership cannot be identified, report the missing owner instead of creating a vague shared
257
+ helper or new layer.
258
+ - If changing the boundary would require broad moves, public API migration, database ownership
259
+ migration, or cross-team decisions, stop at the risk report and name the first safe follow-up.
260
+ - If tests require many mocks after the change, revisit the boundary before weakening assertions.
261
+ - If a configured command fails, preserve the failing intent and use `failure-triage` before making
262
+ unrelated edits.
263
+
264
+ <!-- mustflow-section: output-format -->
265
+ ## Output Format
266
+
267
+ - Module boundary reviewed
268
+ - Change reason and changed-file spread
269
+ - Co-change, import direction, cycle, DTO, shared helper, public API, caller sequencing, and test mock
270
+ evidence
271
+ - Data owner, policy owner, failure owner, cache invalidation owner, config/time owner, and
272
+ authorization owner where relevant
273
+ - Boundary fixes made or recommended
274
+ - Evidence level: current diff, local source evidence, history evidence, configured-test evidence,
275
+ missing, or not applicable
276
+ - Command intents run
277
+ - Skipped diagnostics and reasons
278
+ - Remaining module-boundary risk
@@ -54,6 +54,7 @@ Do not use this skill when:
54
54
  - one agent is doing a small linear task
55
55
  - the user only asks for a normal code change, review, or test run
56
56
  - the requested work is a production automation runtime rather than repository coordination
57
+ - the requested work designs an LLM product agent's planner, executor, verifier, tool gates, approval or interrupt state, durable resume behavior, loop budgets, handoffs, guardrails, or trace outcome evaluation; use `agent-execution-control-review`
57
58
  - the repository or host instructions forbid starting workers or long-running processes
58
59
 
59
60
  <!-- mustflow-section: required-inputs -->