mustflow 2.38.0 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +39 -15
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +388 -2
|
@@ -156,6 +156,204 @@ route_type = "adjunct"
|
|
|
156
156
|
priority = 74
|
|
157
157
|
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change"]
|
|
158
158
|
|
|
159
|
+
[routes."module-boundary-review"]
|
|
160
|
+
category = "general_code"
|
|
161
|
+
route_type = "adjunct"
|
|
162
|
+
priority = 70
|
|
163
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
|
|
164
|
+
|
|
165
|
+
[routes."change-blast-radius-review"]
|
|
166
|
+
category = "general_code"
|
|
167
|
+
route_type = "adjunct"
|
|
168
|
+
priority = 75
|
|
169
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "package_metadata_change"]
|
|
170
|
+
|
|
171
|
+
[routes."business-rule-leakage-review"]
|
|
172
|
+
category = "general_code"
|
|
173
|
+
route_type = "adjunct"
|
|
174
|
+
priority = 79
|
|
175
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change"]
|
|
176
|
+
|
|
177
|
+
[routes."payment-integrity-review"]
|
|
178
|
+
category = "general_code"
|
|
179
|
+
route_type = "adjunct"
|
|
180
|
+
priority = 80
|
|
181
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
182
|
+
|
|
183
|
+
[routes."credit-ledger-integrity-review"]
|
|
184
|
+
category = "general_code"
|
|
185
|
+
route_type = "adjunct"
|
|
186
|
+
priority = 81
|
|
187
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
188
|
+
|
|
189
|
+
[routes."api-misuse-resistance-review"]
|
|
190
|
+
category = "general_code"
|
|
191
|
+
route_type = "adjunct"
|
|
192
|
+
priority = 69
|
|
193
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change"]
|
|
194
|
+
|
|
195
|
+
[routes."error-message-integrity-review"]
|
|
196
|
+
category = "general_code"
|
|
197
|
+
route_type = "adjunct"
|
|
198
|
+
priority = 68
|
|
199
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "security_change", "privacy_change", "docs_change", "package_metadata_change"]
|
|
200
|
+
|
|
201
|
+
[routes."memory-lifetime-review"]
|
|
202
|
+
category = "general_code"
|
|
203
|
+
route_type = "adjunct"
|
|
204
|
+
priority = 73
|
|
205
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "security_change", "privacy_change", "data_change"]
|
|
206
|
+
|
|
207
|
+
[routes."desktop-memory-footprint-review"]
|
|
208
|
+
category = "general_code"
|
|
209
|
+
route_type = "adjunct"
|
|
210
|
+
priority = 74
|
|
211
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
212
|
+
|
|
213
|
+
[routes."hot-path-performance-review"]
|
|
214
|
+
category = "general_code"
|
|
215
|
+
route_type = "adjunct"
|
|
216
|
+
priority = 72
|
|
217
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "data_change"]
|
|
218
|
+
|
|
219
|
+
[routes."api-request-performance-review"]
|
|
220
|
+
category = "general_code"
|
|
221
|
+
route_type = "adjunct"
|
|
222
|
+
priority = 73
|
|
223
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change"]
|
|
224
|
+
|
|
225
|
+
[routes."app-startup-performance-review"]
|
|
226
|
+
category = "general_code"
|
|
227
|
+
route_type = "adjunct"
|
|
228
|
+
priority = 79
|
|
229
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
230
|
+
|
|
231
|
+
[routes."desktop-background-process-stability-review"]
|
|
232
|
+
category = "general_code"
|
|
233
|
+
route_type = "adjunct"
|
|
234
|
+
priority = 81
|
|
235
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
236
|
+
|
|
237
|
+
[routes."desktop-auto-update-safety-review"]
|
|
238
|
+
category = "general_code"
|
|
239
|
+
route_type = "adjunct"
|
|
240
|
+
priority = 82
|
|
241
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
242
|
+
|
|
243
|
+
[routes."low-end-device-support-review"]
|
|
244
|
+
category = "general_code"
|
|
245
|
+
route_type = "adjunct"
|
|
246
|
+
priority = 80
|
|
247
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
248
|
+
|
|
249
|
+
[routes."mobile-energy-efficiency-review"]
|
|
250
|
+
category = "general_code"
|
|
251
|
+
route_type = "adjunct"
|
|
252
|
+
priority = 78
|
|
253
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
254
|
+
|
|
255
|
+
[routes."cache-integrity-review"]
|
|
256
|
+
category = "general_code"
|
|
257
|
+
route_type = "adjunct"
|
|
258
|
+
priority = 74
|
|
259
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
|
|
260
|
+
|
|
261
|
+
[routes."quadratic-scan-review"]
|
|
262
|
+
category = "general_code"
|
|
263
|
+
route_type = "adjunct"
|
|
264
|
+
priority = 71
|
|
265
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "data_change"]
|
|
266
|
+
|
|
267
|
+
[routes."type-state-modeling-review"]
|
|
268
|
+
category = "general_code"
|
|
269
|
+
route_type = "adjunct"
|
|
270
|
+
priority = 75
|
|
271
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "data_change", "security_change", "privacy_change"]
|
|
272
|
+
|
|
273
|
+
[routes."race-condition-review"]
|
|
274
|
+
category = "general_code"
|
|
275
|
+
route_type = "adjunct"
|
|
276
|
+
priority = 77
|
|
277
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
|
|
278
|
+
|
|
279
|
+
[routes."concurrency-invariant-review"]
|
|
280
|
+
category = "general_code"
|
|
281
|
+
route_type = "adjunct"
|
|
282
|
+
priority = 76
|
|
283
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
|
|
284
|
+
|
|
285
|
+
[routes."failure-integrity-review"]
|
|
286
|
+
category = "general_code"
|
|
287
|
+
route_type = "adjunct"
|
|
288
|
+
priority = 78
|
|
289
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "data_change", "security_change", "privacy_change"]
|
|
290
|
+
|
|
291
|
+
[routes."backend-log-evidence-review"]
|
|
292
|
+
category = "general_code"
|
|
293
|
+
route_type = "adjunct"
|
|
294
|
+
priority = 79
|
|
295
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
296
|
+
|
|
297
|
+
[routes."observability-debuggability-review"]
|
|
298
|
+
category = "general_code"
|
|
299
|
+
route_type = "adjunct"
|
|
300
|
+
priority = 78
|
|
301
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
302
|
+
|
|
303
|
+
[routes."incident-triage-review"]
|
|
304
|
+
category = "general_code"
|
|
305
|
+
route_type = "adjunct"
|
|
306
|
+
priority = 77
|
|
307
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
308
|
+
|
|
309
|
+
[routes."deployment-rollout-safety-review"]
|
|
310
|
+
category = "general_code"
|
|
311
|
+
route_type = "adjunct"
|
|
312
|
+
priority = 78
|
|
313
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
314
|
+
|
|
315
|
+
[routes."cloud-cost-guardrail-review"]
|
|
316
|
+
category = "general_code"
|
|
317
|
+
route_type = "adjunct"
|
|
318
|
+
priority = 77
|
|
319
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
320
|
+
|
|
321
|
+
[routes."rate-limit-integrity-review"]
|
|
322
|
+
category = "general_code"
|
|
323
|
+
route_type = "adjunct"
|
|
324
|
+
priority = 79
|
|
325
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
326
|
+
|
|
327
|
+
[routes."idempotency-integrity-review"]
|
|
328
|
+
category = "general_code"
|
|
329
|
+
route_type = "adjunct"
|
|
330
|
+
priority = 80
|
|
331
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
332
|
+
|
|
333
|
+
[routes."retry-policy-integrity-review"]
|
|
334
|
+
category = "general_code"
|
|
335
|
+
route_type = "adjunct"
|
|
336
|
+
priority = 79
|
|
337
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
338
|
+
|
|
339
|
+
[routes."queue-processing-integrity-review"]
|
|
340
|
+
category = "general_code"
|
|
341
|
+
route_type = "adjunct"
|
|
342
|
+
priority = 79
|
|
343
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
344
|
+
|
|
345
|
+
[routes."transaction-boundary-integrity-review"]
|
|
346
|
+
category = "general_code"
|
|
347
|
+
route_type = "adjunct"
|
|
348
|
+
priority = 79
|
|
349
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change"]
|
|
350
|
+
|
|
351
|
+
[routes."testability-boundary-review"]
|
|
352
|
+
category = "general_code"
|
|
353
|
+
route_type = "adjunct"
|
|
354
|
+
priority = 74
|
|
355
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
|
|
356
|
+
|
|
159
357
|
[routes."clarifying-question-gate"]
|
|
160
358
|
category = "general_code"
|
|
161
359
|
route_type = "adjunct"
|
|
@@ -294,6 +492,42 @@ route_type = "primary"
|
|
|
294
492
|
priority = 65
|
|
295
493
|
applies_to_reasons = ["ui_change", "product_change"]
|
|
296
494
|
|
|
495
|
+
[routes."prompt-contract-quality-review"]
|
|
496
|
+
category = "general_code"
|
|
497
|
+
route_type = "primary"
|
|
498
|
+
priority = 66
|
|
499
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
500
|
+
|
|
501
|
+
[routes."llm-hallucination-control-review"]
|
|
502
|
+
category = "general_code"
|
|
503
|
+
route_type = "primary"
|
|
504
|
+
priority = 67
|
|
505
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
506
|
+
|
|
507
|
+
[routes."llm-token-cost-control-review"]
|
|
508
|
+
category = "general_code"
|
|
509
|
+
route_type = "primary"
|
|
510
|
+
priority = 68
|
|
511
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
512
|
+
|
|
513
|
+
[routes."llm-response-latency-review"]
|
|
514
|
+
category = "general_code"
|
|
515
|
+
route_type = "primary"
|
|
516
|
+
priority = 69
|
|
517
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
518
|
+
|
|
519
|
+
[routes."agent-execution-control-review"]
|
|
520
|
+
category = "general_code"
|
|
521
|
+
route_type = "primary"
|
|
522
|
+
priority = 70
|
|
523
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
524
|
+
|
|
525
|
+
[routes."agent-eval-integrity-review"]
|
|
526
|
+
category = "general_code"
|
|
527
|
+
route_type = "primary"
|
|
528
|
+
priority = 71
|
|
529
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
|
|
530
|
+
|
|
297
531
|
[routes."diff-risk-review"]
|
|
298
532
|
category = "general_code"
|
|
299
533
|
route_type = "adjunct"
|
|
@@ -330,6 +564,30 @@ route_type = "primary"
|
|
|
330
564
|
priority = 82
|
|
331
565
|
applies_to_reasons = ["code_change", "data_change", "migration_change", "public_api_change", "test_change", "docs_change", "security_change"]
|
|
332
566
|
|
|
567
|
+
[routes."database-query-bottleneck-review"]
|
|
568
|
+
category = "data_external"
|
|
569
|
+
route_type = "adjunct"
|
|
570
|
+
priority = 67
|
|
571
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "test_change", "docs_change"]
|
|
572
|
+
|
|
573
|
+
[routes."database-json-modeling-review"]
|
|
574
|
+
category = "data_external"
|
|
575
|
+
route_type = "adjunct"
|
|
576
|
+
priority = 69
|
|
577
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change", "security_change", "privacy_change"]
|
|
578
|
+
|
|
579
|
+
[routes."deletion-lifecycle-review"]
|
|
580
|
+
category = "data_external"
|
|
581
|
+
route_type = "adjunct"
|
|
582
|
+
priority = 70
|
|
583
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change", "security_change", "privacy_change"]
|
|
584
|
+
|
|
585
|
+
[routes."database-lock-contention-review"]
|
|
586
|
+
category = "data_external"
|
|
587
|
+
route_type = "adjunct"
|
|
588
|
+
priority = 68
|
|
589
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change"]
|
|
590
|
+
|
|
333
591
|
[routes."sqlite-code-change"]
|
|
334
592
|
category = "data_external"
|
|
335
593
|
route_type = "primary"
|
|
@@ -456,6 +714,24 @@ route_type = "primary"
|
|
|
456
714
|
priority = 85
|
|
457
715
|
applies_to_reasons = ["code_change", "security_change", "privacy_change", "public_api_change"]
|
|
458
716
|
|
|
717
|
+
[routes."api-access-control-review"]
|
|
718
|
+
category = "security_privacy"
|
|
719
|
+
route_type = "adjunct"
|
|
720
|
+
priority = 77
|
|
721
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
722
|
+
|
|
723
|
+
[routes."file-upload-security-review"]
|
|
724
|
+
category = "security_privacy"
|
|
725
|
+
route_type = "adjunct"
|
|
726
|
+
priority = 78
|
|
727
|
+
applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
|
|
728
|
+
|
|
729
|
+
[routes."security-flow-review"]
|
|
730
|
+
category = "security_privacy"
|
|
731
|
+
route_type = "adjunct"
|
|
732
|
+
priority = 76
|
|
733
|
+
applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "package_metadata_change", "release_risk"]
|
|
734
|
+
|
|
459
735
|
[routes."security-regression-tests"]
|
|
460
736
|
category = "security_privacy"
|
|
461
737
|
route_type = "adjunct"
|
|
@@ -504,6 +780,60 @@ route_type = "adjunct"
|
|
|
504
780
|
priority = 60
|
|
505
781
|
applies_to_reasons = ["migration_change"]
|
|
506
782
|
|
|
783
|
+
[routes."web-render-performance-review"]
|
|
784
|
+
category = "ui_assets"
|
|
785
|
+
route_type = "adjunct"
|
|
786
|
+
priority = 79
|
|
787
|
+
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change"]
|
|
788
|
+
|
|
789
|
+
[routes."core-web-vitals-field-review"]
|
|
790
|
+
category = "ui_assets"
|
|
791
|
+
route_type = "adjunct"
|
|
792
|
+
priority = 81
|
|
793
|
+
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change", "docs_change", "release_risk"]
|
|
794
|
+
|
|
795
|
+
[routes."image-delivery-performance-review"]
|
|
796
|
+
category = "ui_assets"
|
|
797
|
+
route_type = "adjunct"
|
|
798
|
+
priority = 82
|
|
799
|
+
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change", "security_change", "privacy_change"]
|
|
800
|
+
|
|
801
|
+
[routes."client-bundle-pruning-review"]
|
|
802
|
+
category = "ui_assets"
|
|
803
|
+
route_type = "adjunct"
|
|
804
|
+
priority = 80
|
|
805
|
+
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "package_metadata_change", "web_asset_change"]
|
|
806
|
+
|
|
807
|
+
[routes."frame-render-performance-review"]
|
|
808
|
+
category = "ui_assets"
|
|
809
|
+
route_type = "adjunct"
|
|
810
|
+
priority = 81
|
|
811
|
+
applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change"]
|
|
812
|
+
|
|
813
|
+
[routes."frontend-state-ownership-review"]
|
|
814
|
+
category = "ui_assets"
|
|
815
|
+
route_type = "adjunct"
|
|
816
|
+
priority = 80
|
|
817
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "performance_change", "data_change", "test_change", "public_api_change"]
|
|
818
|
+
|
|
819
|
+
[routes."frontend-stress-layout-review"]
|
|
820
|
+
category = "ui_assets"
|
|
821
|
+
route_type = "adjunct"
|
|
822
|
+
priority = 80
|
|
823
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "performance_change", "web_asset_change", "test_change", "docs_change"]
|
|
824
|
+
|
|
825
|
+
[routes."frontend-accessibility-tree-review"]
|
|
826
|
+
category = "ui_assets"
|
|
827
|
+
route_type = "adjunct"
|
|
828
|
+
priority = 82
|
|
829
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "web_asset_change"]
|
|
830
|
+
|
|
831
|
+
[routes."frontend-localization-review"]
|
|
832
|
+
category = "ui_assets"
|
|
833
|
+
route_type = "adjunct"
|
|
834
|
+
priority = 84
|
|
835
|
+
applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "i18n_change", "web_asset_change"]
|
|
836
|
+
|
|
507
837
|
[routes."frontend-render-stability"]
|
|
508
838
|
category = "ui_assets"
|
|
509
839
|
route_type = "primary"
|
|
@@ -0,0 +1,279 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.security-flow-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: security-flow-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and security review needs source-to-sink tracing across authorization, object ownership, tenant scoping, IDOR or BOLA risk, mass assignment, admin-only surfaces, cache keys, exports, injection-like inputs, ORM raw paths, SSRF, file upload and extraction, path traversal, XSS, CSRF, OAuth, reset tokens, JWTs, cookies, cryptography, logs, fail-open error handling, async jobs, race conditions, or supply-chain and CI/CD paths.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.security-flow-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Security Flow Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review security risk by following values, actors, resource identities, state changes, and trust
|
|
33
|
+
boundaries to the actual data sink. Do not stop at dangerous keywords, route guards, or scanner
|
|
34
|
+
labels.
|
|
35
|
+
|
|
36
|
+
The review question is not "does this file contain `eval`, `exec`, or raw SQL?" It is "where did
|
|
37
|
+
this value come from, which actor may use it, which resource or tenant does it touch, which state
|
|
38
|
+
changes, and where can data or authority leak?"
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- Code review, implementation, or report work touches routes, handlers, services, repositories,
|
|
44
|
+
resolvers, jobs, workers, admin tools, exports, imports, caches, files, external fetchers,
|
|
45
|
+
OAuth callbacks, tokens, cookies, logs, CI workflows, package metadata, or dependency execution.
|
|
46
|
+
- A feature accepts an identifier, URL, filename, path, HTML, Markdown, sort key, filter, field list,
|
|
47
|
+
status, role, price, entitlement, tenant id, organization id, user id, or client-provided state.
|
|
48
|
+
- The suspected issue may be BOLA, IDOR, missing authorization, tenant leak, mass assignment,
|
|
49
|
+
injection, SSRF, path traversal, file upload abuse, XSS, CSRF, token misuse, fail-open behavior,
|
|
50
|
+
duplicate side effect, or supply-chain trust drift.
|
|
51
|
+
- A scanner, checklist, or reviewer mentions a security label but the real source, sink, actor,
|
|
52
|
+
resource, and failing permission path still need to be verified from the code.
|
|
53
|
+
|
|
54
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
55
|
+
## Do Not Use When
|
|
56
|
+
|
|
57
|
+
- The task changes an authentication or authorization model and needs implementation guidance; use
|
|
58
|
+
`auth-permission-change` as the primary skill and this skill only for cross-surface review.
|
|
59
|
+
- The task needs security or privacy disclosure review across logs, docs, retention, AI records, or
|
|
60
|
+
packaged artifacts; use `security-privacy-review`.
|
|
61
|
+
- The task needs concrete abuse-case tests after a boundary is understood; use
|
|
62
|
+
`security-regression-tests` for that part.
|
|
63
|
+
- The task is only dependency freshness or version selection; use `dependency-reality-check` or
|
|
64
|
+
`version-freshness-check`.
|
|
65
|
+
- The task asks for penetration testing, live attack traffic, exploit development, credential
|
|
66
|
+
guessing, or unsafe payload collection. Stay within local code review and defensive evidence.
|
|
67
|
+
|
|
68
|
+
<!-- mustflow-section: required-inputs -->
|
|
69
|
+
## Required Inputs
|
|
70
|
+
|
|
71
|
+
- User goal, current diff or target files, and the security claim being reviewed.
|
|
72
|
+
- Source-to-sink map: untrusted input, trusted context, transformations, authorization decisions,
|
|
73
|
+
persistence, external calls, rendering, logs, cache keys, queue payloads, and returned data.
|
|
74
|
+
- Actor and resource map: principal, tenant, owner, organization, workspace, team, role, capability,
|
|
75
|
+
service account, admin scope, and target resource id.
|
|
76
|
+
- Read and write surfaces: list, detail, count, export, download, search, stats, update, delete,
|
|
77
|
+
approve, invite, upload, webhook, callback, job, and admin paths.
|
|
78
|
+
- Framework or platform escape hatches: raw query APIs, shell wrappers, HTML escape bypasses, file
|
|
79
|
+
APIs, URL fetchers, parser options, cache behavior, token libraries, and CI/package lifecycle hooks.
|
|
80
|
+
- Existing tests, denial cases, scanner findings, security docs, command intent entries, and any
|
|
81
|
+
missing context that blocks a confident conclusion.
|
|
82
|
+
|
|
83
|
+
<!-- mustflow-section: preconditions -->
|
|
84
|
+
## Preconditions
|
|
85
|
+
|
|
86
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
87
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
88
|
+
current scope.
|
|
89
|
+
- Required inputs are available, or missing actor, resource, source, sink, tenant, or test evidence
|
|
90
|
+
can be reported without guessing.
|
|
91
|
+
- If the review identifies a concrete auth, cache, file, command, path, dependency, failure,
|
|
92
|
+
concurrency, or regression-test problem, also use the narrower skill before editing that part.
|
|
93
|
+
|
|
94
|
+
<!-- mustflow-section: allowed-edits -->
|
|
95
|
+
## Allowed Edits
|
|
96
|
+
|
|
97
|
+
- Tighten server-side ownership checks, tenant-scoped queries, allowlisted updates, cache-key
|
|
98
|
+
dimensions, URL and path validation, parser or renderer boundaries, upload and extraction limits,
|
|
99
|
+
token validation, cookie flags, fail-closed error handling, queue revalidation, idempotency, and
|
|
100
|
+
focused tests directly tied to the reviewed flow.
|
|
101
|
+
- Add small policy, mapper, validator, sanitizer, encoder, adapter, or result-mapping code only when
|
|
102
|
+
it names the security boundary and reduces duplicated or caller-owned security decisions.
|
|
103
|
+
- Update directly synchronized docs, templates, fixtures, or route metadata when the public security
|
|
104
|
+
contract changes.
|
|
105
|
+
- Do not add broad scanners, offensive payload corpora, live external probes, dependency installs,
|
|
106
|
+
or unrelated hardening work under this skill.
|
|
107
|
+
|
|
108
|
+
<!-- mustflow-section: procedure -->
|
|
109
|
+
## Procedure
|
|
110
|
+
|
|
111
|
+
1. Start at the real sink.
|
|
112
|
+
- For reads, identify the query, cache lookup, file read, search index, export builder, download
|
|
113
|
+
signer, API response, rendered page, or log record where data leaves the system.
|
|
114
|
+
- For writes, identify the database mutation, state transition, queue message, external call,
|
|
115
|
+
file write, package artifact, CI action, or admin operation where authority changes the system.
|
|
116
|
+
2. Trace the source-to-sink path.
|
|
117
|
+
- Mark every value as trusted server context, authenticated identity, repository data, provider
|
|
118
|
+
data, user input, query string, path parameter, body field, header, cookie, token claim, file
|
|
119
|
+
metadata, or CI/package metadata.
|
|
120
|
+
- Do not treat framework validation, TypeScript types, generated clients, route placement, or a
|
|
121
|
+
hidden frontend button as proof that the sink is safe.
|
|
122
|
+
3. Separate authentication from authorization.
|
|
123
|
+
- `isAuthenticated`, a session, an API key, or a valid JWT answers who is calling.
|
|
124
|
+
- Ask whether this actor may perform this action on this resource in this tenant right now.
|
|
125
|
+
4. Treat every resource identifier as an IDOR or BOLA candidate.
|
|
126
|
+
- Review path ids, UUIDs, slugs, file keys, invoice ids, team ids, project ids, and nested member
|
|
127
|
+
ids as attacker-controllable unless the server derives them from trusted context.
|
|
128
|
+
- UUID is a long address, not a lock.
|
|
129
|
+
5. Compare list, detail, count, export, search, and download scopes.
|
|
130
|
+
- If `findMany` filters by actor or tenant but `findOne`, `count`, `exportCsv`, `bulkDownload`,
|
|
131
|
+
`searchUsers`, or `analytics` does not, report the mismatch before celebrating the route guard.
|
|
132
|
+
6. Review state-changing operations more strictly than reads.
|
|
133
|
+
- For update, delete, approve, refund, invite, transfer, publish, purge, and role-change flows,
|
|
134
|
+
name actor, resource, allowed state, target state, amount, limit, and audit expectation.
|
|
135
|
+
- Reject direct assignment such as `status = req.body.status` when status transitions have policy.
|
|
136
|
+
7. Reject mass assignment at the boundary.
|
|
137
|
+
- Flag `Object.assign(entity, body)`, `Model.create(input)`, `User.update(req.body)`, DTO-to-model
|
|
138
|
+
blind copies, GraphQL input passthrough, and ORM update data built from raw request bodies.
|
|
139
|
+
- Privileged fields such as `role`, `ownerId`, `tenantId`, `isPaid`, `plan`, `price`, `status`,
|
|
140
|
+
`quota`, and `isAdmin` should be derived or allowlisted.
|
|
141
|
+
8. Slow down on admin-only and internal surfaces.
|
|
142
|
+
- Frontend-only admin screens, support tools, debug routes, backoffice actions, impersonation,
|
|
143
|
+
ops endpoints, and internal RPC still need server-side authorization, reason, audit, and scope.
|
|
144
|
+
9. Check tenant and permission dimensions in caches.
|
|
145
|
+
- Cache keys for private or policy-shaped data need user, tenant, organization, role, permission,
|
|
146
|
+
locale, experiment, filter, and data-version dimensions when those change the result.
|
|
147
|
+
- Shared caches, CDN caches, SSR caches, fetch caches, Redis keys, and hydration data can freeze a
|
|
148
|
+
security bug and serve it to the wrong viewer.
|
|
149
|
+
10. Treat sort, filter, field, include, expand, group, and query language as input sinks.
|
|
150
|
+
- Parameterized `WHERE` clauses do not save `ORDER BY ${sort}`, raw ORM fragments, Mongo filters,
|
|
151
|
+
Elasticsearch query DSL, GraphQL field selection, LDAP, XPath, or filesystem path composition.
|
|
152
|
+
- Validate against a static allowlist for grammar positions, not by escaping arbitrary strings.
|
|
153
|
+
11. Look past obvious command execution calls.
|
|
154
|
+
- Image conversion, PDF generation, archive tools, video processing, git wrappers, kubectl
|
|
155
|
+
wrappers, antivirus scans, backups, and package scripts may invoke a shell or executable.
|
|
156
|
+
- Keep user filenames, URLs, formats, and options out of shell syntax; prefer argv arrays and
|
|
157
|
+
static command maps.
|
|
158
|
+
12. Review every server-side URL fetch as an SSRF candidate.
|
|
159
|
+
- Webhook tests, image proxies, OG previews, PDF renderers, RSS imports, S3 URL imports, OAuth
|
|
160
|
+
metadata, XML parsers, and storage-copy features fetch on behalf of the user.
|
|
161
|
+
- Check scheme allowlists, redirect policy, DNS re-resolution, localhost, private network,
|
|
162
|
+
link-local metadata, credential forwarding, timeout, and response size.
|
|
163
|
+
13. Review file upload by what happens after upload.
|
|
164
|
+
- Check preview, download, conversion, thumbnailing, admin review, metadata extraction, content
|
|
165
|
+
sniffing, storage path, executable web root, signed URL generation, and authorization on read.
|
|
166
|
+
- SVG, HTML, PDF, DOCX, archive, and image metadata paths need different rules than extension
|
|
167
|
+
checks alone.
|
|
168
|
+
14. For archives, check Zip Slip and decompression bombs together.
|
|
169
|
+
- Normalize each archive entry and prove the final path stays inside the target directory.
|
|
170
|
+
- Bound extracted file count, total bytes, nested archives, compression ratio, and processing time.
|
|
171
|
+
15. Check path traversal beyond download routes.
|
|
172
|
+
- Locale files, templates, themes, attachments, logs, static proxies, backup restore, plugin
|
|
173
|
+
loaders, model loaders, and generated state all need real-path containment after symlinks and
|
|
174
|
+
normalization.
|
|
175
|
+
16. Trace browser-code execution contexts.
|
|
176
|
+
- XSS can enter through Markdown, rich text, translations, email templates, chart labels, admin
|
|
177
|
+
dashboards, CSV exports, hydration data, JSON-in-script blocks, and framework escape hatches.
|
|
178
|
+
- Identify the output domain first: HTML text, HTML attribute, URL, JavaScript string, CSS, JSON,
|
|
179
|
+
Markdown, CSV, XML, or log line.
|
|
180
|
+
17. Review CSRF whenever browsers send credentials automatically.
|
|
181
|
+
- Cookie-authenticated state changes need method discipline, SameSite posture, origin or CSRF
|
|
182
|
+
token checks, content-type handling, and CORS credential boundaries.
|
|
183
|
+
18. Review OAuth, SSO, reset, magic-link, JWT, and cookie trust.
|
|
184
|
+
- OAuth needs `state`, `nonce`, exact redirect binding, PKCE when applicable, and safe account
|
|
185
|
+
linking.
|
|
186
|
+
- Reset and magic-link tokens need randomness, one-time use, short TTL, safe storage, session
|
|
187
|
+
revocation, and protection from link previews and logs.
|
|
188
|
+
- JWT validation needs issuer, audience, expiry, not-before, key rotation, stale claim handling,
|
|
189
|
+
tenant claim distrust, and current server-side permission for important actions.
|
|
190
|
+
- Cookies need `HttpOnly`, `Secure`, `SameSite`, domain, path, lifetime, refresh rotation, and
|
|
191
|
+
server-side logout or revocation when tokens are durable.
|
|
192
|
+
19. Reject homegrown cryptography and weak token generation.
|
|
193
|
+
- Watch for custom ciphers, fixed IVs, ECB, nonce reuse, unauthenticated encryption, unsalted or
|
|
194
|
+
fast password hashes, predictable tokens, and non-cryptographic randomness.
|
|
195
|
+
20. Review logs in both directions.
|
|
196
|
+
- Too much logging leaks tokens, sessions, reset links, API keys, prompts, personal data,
|
|
197
|
+
payment data, private filenames, provider payloads, and internal notes.
|
|
198
|
+
- Too little logging hides login failures, denied access, admin changes, token refreshes,
|
|
199
|
+
payment failures, webhook failures, and permission changes.
|
|
200
|
+
21. Search for fail-open error handling.
|
|
201
|
+
- `try { checkPermission() } catch { allow() }`, default-allow policies, empty catches, fallback
|
|
202
|
+
owners, auth-service-down pass-through, and default public cache entries are security bugs in
|
|
203
|
+
normal clothes.
|
|
204
|
+
22. Recheck asynchronous and queued work at execution time.
|
|
205
|
+
- Queue payloads, exports, file conversions, email sends, payment refunds, invitations, and
|
|
206
|
+
permission changes need actor, tenant, resource, state, and permission revalidation when the
|
|
207
|
+
worker runs, not only when the job was enqueued.
|
|
208
|
+
23. Review race conditions where money, inventory, entitlement, coupons, seats, roles, or invites
|
|
209
|
+
can be used twice.
|
|
210
|
+
- Look for transaction boundaries, unique constraints, row locks, idempotency keys, action
|
|
211
|
+
ledgers, outbox or inbox records, and reconciliation for unknown external outcomes.
|
|
212
|
+
24. Review supply-chain and CI/CD paths as code execution.
|
|
213
|
+
- Dependency manifests, lockfiles, postinstall scripts, codegen, Docker base images, GitHub
|
|
214
|
+
Actions permissions, workflow triggers, artifact upload, CI secrets, package publish identity,
|
|
215
|
+
Terraform modules, Helm charts, and deployment scripts can execute or leak authority.
|
|
216
|
+
25. Convert the finding into the smallest defensive action.
|
|
217
|
+
- Fix the owner closest to the sink when the boundary is clear.
|
|
218
|
+
- If evidence is incomplete, report the exact unverified source, sink, actor, resource, tenant,
|
|
219
|
+
state, or test gap instead of making a broad security claim.
|
|
220
|
+
|
|
221
|
+
<!-- mustflow-section: postconditions -->
|
|
222
|
+
## Postconditions
|
|
223
|
+
|
|
224
|
+
- The reviewed flow names source, sink, actor, resource, tenant or owner, trust boundary, state
|
|
225
|
+
change, and data disclosure path when those apply.
|
|
226
|
+
- Authentication, authorization, object ownership, tenant scoping, and admin scope are not collapsed
|
|
227
|
+
into one route guard claim.
|
|
228
|
+
- Input sinks are classified by grammar or output domain rather than by generic "sanitize input"
|
|
229
|
+
wording.
|
|
230
|
+
- Security-sensitive caches, workers, queues, logs, tokens, files, browser renderers, and CI/CD paths
|
|
231
|
+
are either checked or explicitly reported as outside the current evidence.
|
|
232
|
+
- Any concrete security bug fix has denial-case or invariant evidence, or the missing test surface is
|
|
233
|
+
reported.
|
|
234
|
+
|
|
235
|
+
<!-- mustflow-section: verification -->
|
|
236
|
+
## Verification
|
|
237
|
+
|
|
238
|
+
Use configured oneshot command intents when available:
|
|
239
|
+
|
|
240
|
+
- `changes_status`
|
|
241
|
+
- `changes_diff_summary`
|
|
242
|
+
- `lint`
|
|
243
|
+
- `build`
|
|
244
|
+
- `test_related`
|
|
245
|
+
- `test`
|
|
246
|
+
- `docs_validate_fast`
|
|
247
|
+
- `test_release`
|
|
248
|
+
- `mustflow_check`
|
|
249
|
+
|
|
250
|
+
Prefer the narrowest configured test intent that proves the reviewed defensive boundary. Use
|
|
251
|
+
`security-regression-tests` when adding or proposing abuse-case tests.
|
|
252
|
+
|
|
253
|
+
<!-- mustflow-section: failure-handling -->
|
|
254
|
+
## Failure Handling
|
|
255
|
+
|
|
256
|
+
- If actor, tenant, resource, source, or sink evidence is missing, report the missing link and avoid
|
|
257
|
+
claiming the flow is safe.
|
|
258
|
+
- If a sensitive value appears in logs, diffs, fixtures, screenshots, command output, or final
|
|
259
|
+
reports, stop repeating it and use `secret-exposure-response` when it may be a real secret.
|
|
260
|
+
- If the fix would require a broad authorization model change, switch to `auth-permission-change`
|
|
261
|
+
before editing that scope.
|
|
262
|
+
- If scanner output names a class without a reproducible source-to-sink path, treat it as a lead and
|
|
263
|
+
either prove the path or report it as unverified.
|
|
264
|
+
- If verification requires live scanners, external systems, credentials, production data, or unsafe
|
|
265
|
+
traffic, skip that path and report the remaining risk.
|
|
266
|
+
|
|
267
|
+
<!-- mustflow-section: output-format -->
|
|
268
|
+
## Output Format
|
|
269
|
+
|
|
270
|
+
- Security flow reviewed
|
|
271
|
+
- Source, sink, actor, resource, tenant or owner, and state-change map
|
|
272
|
+
- Authorization and ownership notes
|
|
273
|
+
- Input, file, network, browser, token, cookie, crypto, log, fail-open, async, race, cache, and
|
|
274
|
+
supply-chain findings when relevant
|
|
275
|
+
- Fixes made or recommendation
|
|
276
|
+
- Tests, denial cases, or invariant evidence
|
|
277
|
+
- Command intents run
|
|
278
|
+
- Skipped checks and reasons
|
|
279
|
+
- Remaining security-flow risk
|