mustflow 2.39.1 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/verify.js +3 -1
  4. package/dist/cli/lib/git-changes.js +11 -1
  5. package/dist/cli/lib/i18n.js +1 -1
  6. package/dist/cli/lib/local-index/index.js +8 -4
  7. package/dist/cli/lib/local-index/populate.js +17 -3
  8. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  9. package/dist/cli/lib/local-index/search-text.js +2 -2
  10. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  11. package/dist/cli/lib/mustflow-read.js +14 -2
  12. package/dist/cli/lib/repo-map.js +16 -3
  13. package/dist/cli/lib/templates.js +8 -7
  14. package/dist/cli/lib/validation/constants.js +1 -1
  15. package/dist/core/active-run-locks.js +78 -20
  16. package/dist/core/change-classification.js +4 -0
  17. package/dist/core/command-contract-rules.js +1 -1
  18. package/dist/core/command-contract-validation.js +1 -1
  19. package/dist/core/command-cwd.js +13 -2
  20. package/dist/core/command-effects.js +22 -4
  21. package/dist/core/command-env.js +8 -6
  22. package/dist/core/command-preconditions.js +28 -2
  23. package/dist/core/completion-verdict.js +1 -1
  24. package/dist/core/line-endings.js +8 -4
  25. package/dist/core/safe-filesystem.js +9 -1
  26. package/dist/core/source-anchor-validation.js +7 -1
  27. package/dist/core/source-anchors.js +8 -2
  28. package/dist/core/verification-scheduler.js +8 -2
  29. package/package.json +1 -1
  30. package/templates/default/i18n.toml +330 -1
  31. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  32. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  33. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  34. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  35. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  36. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  37. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  38. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  39. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  40. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  41. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  42. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  43. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  44. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  45. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  46. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  47. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  48. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  49. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  51. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  52. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  53. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  54. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  55. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  57. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  58. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  59. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  60. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  61. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  62. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  65. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  66. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  67. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  68. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  69. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  70. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  74. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  75. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  76. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  77. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  78. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  79. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  80. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  81. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  83. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  84. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  85. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  86. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  87. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  88. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  89. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  90. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  91. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  92. package/templates/default/manifest.toml +386 -1
@@ -0,0 +1,344 @@
1
+ ---
2
+ mustflow_doc: skill.rate-limit-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: rate-limit-integrity-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and rate limits, throttling, quotas, API usage limits, request costs, token buckets, leaky buckets, fixed windows, sliding windows, GCRA, Redis counters, edge or gateway limits, per-tenant or per-user limits, 429 responses, Retry-After, RateLimit headers, shadow enforcement, operator resets, async enqueue limits, or concurrency limits need review for protected-resource fit, key design, atomic counting, layered enforcement, client contract, and abuse or overload safety.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.rate-limit-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Rate Limit Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review rate limiting as protection for a named scarce resource, not as an algorithm decoration.
33
+
34
+ The review question is not "did we add a limiter?" It is "does this policy protect the real thing
35
+ that gets exhausted, with the right key, cost, layer, storage atomicity, fail mode, response
36
+ contract, observability, and operator escape hatch?"
37
+
38
+ <!-- mustflow-section: use-when -->
39
+ ## Use When
40
+
41
+ - Code creates, changes, reviews, or reports rate limits, throttling, quotas, request budgets,
42
+ abuse limits, API usage limits, request cost weights, token bucket, leaky bucket, fixed window,
43
+ sliding window counter, sliding window log, GCRA, Redis counter, Lua or EVAL counter update,
44
+ CDN or WAF limit, gateway limit, service-level limit, database bottleneck limit, external API
45
+ protection, per-tenant limit, per-user limit, per-api-key limit, route-group limit, or IP limit.
46
+ - A public or internal API emits or depends on 429 responses, `Retry-After`, `RateLimit`,
47
+ `RateLimit-Policy`, legacy `X-RateLimit-*` headers, retry hints, blocked-decision caches,
48
+ shadow mode, enforcement ramp, policy IDs, or operator lookup and reset tools.
49
+ - Async jobs, queues, webhooks, batch endpoints, expensive exports, search, login, signup, OTP,
50
+ payment, email, SMS, AI, third-party API, or database-heavy paths can be overloaded by request
51
+ count, request cost, concurrency, retries, cache misses, or one noisy actor.
52
+ - A final report claims an API is rate-limited, protected from abuse, quota-safe, retry-friendly,
53
+ fair by tenant, protected at the edge, globally limited, or safe under load.
54
+
55
+ <!-- mustflow-section: do-not-use-when -->
56
+ ## Do Not Use When
57
+
58
+ - The task is primarily retry amplification, backoff, `Retry-After` consumption by a caller, or
59
+ SDK retry behavior; use `retry-policy-integrity-review` first and this skill for the server-side
60
+ limit policy and response contract.
61
+ - The task is primarily duplicate business intent, idempotency keys, replay, or unknown side-effect
62
+ outcomes; use `idempotency-integrity-review` first and this skill for quota burning and limiter
63
+ keys.
64
+ - The task is primarily API naming, DTO shape, pagination, versioning, or caller ergonomics; use
65
+ `api-misuse-resistance-review` first and this skill for rate-limit contract details.
66
+ - The task is primarily cloud bill control rather than runtime overload or abuse control; use
67
+ `cloud-cost-guardrail-review` first and this skill only for per-request quota mechanics.
68
+ - The operation is a pure local calculation with no shared resource, external dependency, abuse
69
+ surface, fairness requirement, or caller-visible limit.
70
+
71
+ <!-- mustflow-section: required-inputs -->
72
+ ## Required Inputs
73
+
74
+ - Protected resource ledger: DB, cache, queue, worker pool, external API, login or OTP channel,
75
+ payment provider, email or SMS provider, search backend, AI quota, tenant fairness budget,
76
+ account-security surface, or public API availability.
77
+ - Cost-weighted request ledger: route template, method, actor, tenant, API key, user, IP or IP
78
+ prefix, feature, request body size, requested page size, batch size, export size, cache hit or
79
+ miss, async job fan-out, provider call count, and per-request cost.
80
+ - Layer model: CDN, WAF, load balancer, gateway, service, route group, worker, queue producer,
81
+ queue consumer, database, Redis, external provider, local fuse, and central or global limiter.
82
+ - Key model: tenant, account, API key, user, route template, method, route group, resource id, IP
83
+ prefix, region, environment, plan tier, feature flag, and whether missing, empty, duplicate, or
84
+ conflicting identity headers are denied, normalized, or ignored.
85
+ - Algorithm and storage model: fixed window, token bucket, leaky bucket, sliding window counter,
86
+ sliding window log, GCRA, Redis key shape, TTL, storage time source, counter cardinality, atomic
87
+ operation, Redis Cluster hash slot or hash tag, local cache, and clock-skew behavior.
88
+ - Failure mode model: fail open or fail closed per policy, Redis or storage outage behavior,
89
+ already-blocked cache behavior, allow-decision cache avoidance, shadow mode, ramp, bypass,
90
+ rollback, and operator reset scope.
91
+ - Response contract: 429 status, `Retry-After`, `RateLimit`, `RateLimit-Policy`, legacy header
92
+ compatibility, machine-readable error code, retryable classification, reset or wait semantics,
93
+ jitter or backoff guidance, and information-disclosure boundary.
94
+ - Observability and operator evidence: policy id, key hash or safe key, layer, quota, remaining
95
+ budget where safe, reset, request cost, route template, actor or tenant safe id, shadow decision,
96
+ block reason, metric cardinality, lookup tool, reset tool, audit log, and tests.
97
+
98
+ <!-- mustflow-section: preconditions -->
99
+ ## Preconditions
100
+
101
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
102
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
103
+ current scope.
104
+ - Required protected-resource, cost, layer, key, algorithm, storage, fail-mode, response,
105
+ observability, and operator evidence is available, or missing evidence can be reported without
106
+ guessing.
107
+ - Existing local limiter, quota, plan-tier, API error, retry, Redis, cache, observability,
108
+ operator-tool, and abuse-defense patterns have been searched before adding new shapes.
109
+ - If limits affect money, credits, permissions, auth, personal data, provider state, queue
110
+ settlement, or durable business state, also apply the relevant payment, credit, security,
111
+ idempotency, queue, transaction, or failure skill.
112
+
113
+ <!-- mustflow-section: allowed-edits -->
114
+ ## Allowed Edits
115
+
116
+ - Add or tighten protected-resource definitions, cost weights, per-key policy, layered limit
117
+ placement, route-template keys, atomic counter updates, TTLs, storage-time use, fail-open or
118
+ fail-closed policy, blocked-decision cache, shadow mode, 429 response shape, observability,
119
+ operator lookup or reset behavior, and focused tests.
120
+ - Replace raw URL keys, IP-only limits, request-count-only limits, non-atomic Redis read-modify-write
121
+ counters, app-server clock resets, missing TTLs, allow-decision caches, hidden fail-open behavior,
122
+ unlimited queue enqueue, and misleading `X-RateLimit-*` assumptions when they are in scope.
123
+ - Do not add live provider calls, load tests, dashboards, WAF rules, CDN settings, cluster changes,
124
+ background workers, local servers, or raw Redis operations outside the configured command contract.
125
+ - Do not treat rate limiting as authorization, fraud prevention, exact cost accounting, idempotency,
126
+ retry safety, queue backpressure, or concurrency control without the matching evidence.
127
+
128
+ <!-- mustflow-section: procedure -->
129
+ ## Procedure
130
+
131
+ 1. Do not choose the algorithm first.
132
+ - Name the protected resource before discussing fixed window, token bucket, sliding window,
133
+ GCRA, or Redis.
134
+ - A DB-heavy report endpoint, login OTP provider, public API tenant budget, and expensive AI call
135
+ usually need different keys, costs, layers, and fail modes.
136
+ - If the protected resource is unknown, report that the limiter cannot be judged yet.
137
+ 2. Count cost, not only requests.
138
+ - One request can be one cheap cache hit or thousands of DB rows, provider calls, queued jobs,
139
+ emails, tokens, or export bytes.
140
+ - Add request cost weights for batch size, page size, body size, expensive route group, cache
141
+ miss, async fan-out, provider action, AI token use, or report size where the resource cost
142
+ differs materially.
143
+ - Keep cost units simple enough for operators to explain.
144
+ 3. Place limits in layers deliberately.
145
+ - CDN and WAF limits are good for blunt IP, bot, path, and geographic pressure.
146
+ - Gateway limits are good for API key, tenant, plan, route group, and coarse global budgets.
147
+ - Service limits are good for user, feature, resource, business rule, and request cost.
148
+ - Dependency-protection limits are good near DB, Redis, queue, worker, and external provider
149
+ bottlenecks.
150
+ - Layered limits should not all count the same thing unless that duplication is intentional.
151
+ 4. Design keys as policy, not plumbing.
152
+ - Avoid IP-only keys for authenticated APIs; NAT, mobile networks, and shared offices make IP a
153
+ bad user identity.
154
+ - Include tenant, account, API key, user, route group, method, route template, plan tier, and
155
+ resource id only when each dimension changes fairness or protected-resource pressure.
156
+ - Use route templates such as `/orders/{id}` instead of raw URLs so one actor cannot create
157
+ unbounded limiter keys through path values.
158
+ - Define missing, empty, duplicate, conflicting, or spoofable identity headers. A limiter that
159
+ silently falls back to IP may become a bypass or collateral-damage machine.
160
+ 5. Review algorithm fit.
161
+ - Fixed window is simple but allows a boundary burst: a caller can spend almost two windows of
162
+ quota around the reset edge.
163
+ - Token bucket handles burst plus steady rate and is a good default when short bursts are
164
+ acceptable.
165
+ - Sliding window counter smooths boundary effects with lower storage than exact logs.
166
+ - Sliding window log is accurate but costly; reserve it for low-volume, high-risk paths where
167
+ exact decisions justify per-request storage.
168
+ - GCRA or equivalent virtual-schedule limiters can be compact and precise, but only if the local
169
+ team understands the timestamp math and test cases.
170
+ 6. Make counter storage atomic.
171
+ - Redis operation atomicity matters. Split read, compare, increment, and expire steps can allow
172
+ more requests than the policy says or leave keys without expiry.
173
+ - Use one atomic operation pattern for the decision and update, such as a single Redis script or
174
+ an equivalent repository-supported primitive.
175
+ - `INCR` plus `EXPIRE` needs a safe first-write and failure path; do not leave counters immortal
176
+ if the expire step is skipped.
177
+ - In Redis Cluster, multi-key checks need keys in the same hash slot or a deliberate hash tag.
178
+ Otherwise "global plus per-key" policy may fail only after production sharding.
179
+ 7. Use storage time, not app server time.
180
+ - Multiple app servers with skewed clocks can disagree about reset time and token refill.
181
+ - Prefer Redis, database, or central storage time where the storage primitive supports it.
182
+ - If app time is unavoidable, clamp skew and test reset-boundary behavior.
183
+ 8. Separate local fuses from global limits.
184
+ - Local limits are not global limits. One process-local bucket multiplied by many pods is a
185
+ rough fuse, not a tenant quota.
186
+ - Use local fuses for emergency self-protection, CPU protection, and storage-outage fallback.
187
+ - Use central or coordinated counters for user, tenant, account, API key, or paid-plan budgets.
188
+ - Edge limits are not precise global counters; treat CDN or WAF limits as approximate layers
189
+ unless the provider contract proves global precision for the chosen key and window.
190
+ 9. Choose fail open or fail closed per policy.
191
+ - Cheap public reads may fail open with a local fuse when the limiter store is down.
192
+ - Login, signup, OTP, payment, provider-spend, admin, expensive export, AI, and abuse-sensitive
193
+ actions often need fail closed or degraded mode.
194
+ - Name the user-visible behavior, operator alert, and rollback path for limiter-store outage.
195
+ 10. Count failed responses intentionally.
196
+ - Counting only successful responses can let attackers hammer validation, auth, login, search,
197
+ and not-found paths for free.
198
+ - Counting every failure can punish normal callers during provider outages or reveal whether a
199
+ target exists through quota differences.
200
+ - Decide by route and failure class: validation, auth denial, not found, provider timeout,
201
+ business conflict, 5xx, and cancelled requests may deserve different counting.
202
+ 11. Separate rate limits from concurrency limits.
203
+ - Rate limit controls how many operations enter over time.
204
+ - Concurrency limit controls how many operations run at once.
205
+ - Slow expensive jobs can obey a request rate and still exhaust DB connections, workers, or
206
+ provider slots. Add a semaphore, queue depth, pool, worker concurrency, or bulkhead when the
207
+ protected resource is simultaneous work.
208
+ 12. Make 429 useful but not leaky.
209
+ - Emit a machine-readable error code and `Retry-After` when a well-behaved client can wait.
210
+ - If `Retry-After` and `RateLimit` hints disagree, `Retry-After` should govern immediate client
211
+ behavior.
212
+ - Standards-track `RateLimit` and `RateLimit-Policy` headers may coexist with legacy
213
+ `X-RateLimit-*`, but do not assume every client or proxy gives legacy headers the same
214
+ meaning.
215
+ - Do not reveal exact internal capacity, shard counts, provider quotas, attack thresholds, or
216
+ sensitive account state in public responses.
217
+ - During active abuse, silent drop, generic denial, or coarser hints can be safer than a perfect
218
+ quota tutorial for the attacker.
219
+ 13. Add jitter and client backoff guidance.
220
+ - If many clients get the same reset timestamp, they may all retry at once.
221
+ - Add jitter to server-side refill or client guidance where the contract supports it.
222
+ - Clamp untrusted `Retry-After` dates or provider reset values before passing them downstream.
223
+ 14. Manage counter cardinality and TTL.
224
+ - Every counter needs a TTL or lifecycle. Missing TTL turns rate limiting into unbounded storage
225
+ growth.
226
+ - Raw URL, request body, user agent, trace id, email, or unbounded resource id in keys can
227
+ create key explosions or sensitive storage.
228
+ - Cache already-blocked decisions briefly when it reduces Redis pressure, but do not cache allow
229
+ decisions unless the policy explicitly tolerates overshoot.
230
+ 15. Roll out enforcement safely.
231
+ - Use shadow mode before blocking when policy impact is uncertain.
232
+ - Compare shadow decisions with actual traffic, tenant, route group, plan tier, failure class,
233
+ and support signals.
234
+ - Ramp enforcement by route, actor type, plan, tenant, or percentage, with a fast disable path.
235
+ 16. Make logs and metrics answer the policy question.
236
+ - 429 logs should include policy id, layer, route template, method, safe actor or tenant id,
237
+ key hash, request cost, quota, reset or wait, remaining budget when safe, decision, shadow or
238
+ enforce mode, and reason.
239
+ - Metrics should use bounded labels: policy id, route template, layer, decision, plan, and
240
+ result class. Put high-cardinality keys in logs or traces.
241
+ - Log both blocks and surprising allows, such as limiter-store fail-open or shadow-mode would
242
+ block.
243
+ 17. Provide operator lookup and reset.
244
+ - Operators need to answer: which policy blocked this actor, why, until when, and what safe
245
+ reset or override exists?
246
+ - Reset by scoped policy and key, not raw Redis `DEL` against guessed patterns.
247
+ - Audit every reset, override, bypass, and policy change with actor, reason, scope, expiry, and
248
+ before or after evidence.
249
+ 18. Burn tokens before enqueueing async work.
250
+ - A queue does not protect the producer side if unlimited jobs can be enqueued.
251
+ - Burn request or cost tokens before enqueue for expensive async work, then use concurrency
252
+ limits at execution.
253
+ - Decide whether retries, redeliveries, deduped messages, and cancelled jobs spend quota.
254
+ 19. Decide whether cached hits count.
255
+ - CDN-cached hits may not touch the protected origin resource, so origin-protection limits may
256
+ not count them.
257
+ - Business quotas, paid API limits, abuse limits, or fairness budgets may count cached CDN hits
258
+ because the caller still consumed a product allowance.
259
+ - Name which resource each layer protects before counting or ignoring cached responses.
260
+ 20. Keep boundaries honest.
261
+ - Rate limit is not authorization. A caller who should not access a resource must be denied
262
+ before or independently of quota.
263
+ - Rate limit is not a hard cost-control ceiling; provider bills, retries, async fan-out, logs,
264
+ egress, and queues can spend money outside the request counter.
265
+ - Rate limit is not proof of idempotency, bot defense, fraud prevention, fairness, or overload
266
+ safety unless the matching evidence exists.
267
+ 21. Test the ugly edges.
268
+ - Cover boundary burst, concurrent calls at the quota edge, missing TTL, Redis or store outage,
269
+ fail-open or fail-closed behavior, missing or duplicate identity headers, route-template key
270
+ normalization, request cost weights, shadow-to-enforce switch, 429 response shape,
271
+ `Retry-After`, storage time, hash tag or cluster key constraints, and operator reset audit.
272
+ - If deterministic timing tests are hard, use fake clocks, injected storage time, or repository
273
+ test helpers already present in the project.
274
+ - If load, CDN, WAF, provider, or Redis Cluster evidence is not configured, report that boundary
275
+ as manual-only instead of approving it from local unit tests.
276
+
277
+ <!-- mustflow-section: postconditions -->
278
+ ## Postconditions
279
+
280
+ - Protected resource, cost model, layer placement, key design, algorithm, storage atomicity, TTL,
281
+ time source, local versus global scope, fail-open or fail-closed policy, failed-response counting,
282
+ concurrency limit needs, response contract, jitter, blocked cache, shadow rollout, observability,
283
+ operator lookup and reset, async enqueue quota, cached-hit policy, and authorization or cost
284
+ boundaries are explicit.
285
+ - IP-only authenticated limits, raw URL keys, fixed-window boundary bursts, non-atomic Redis
286
+ counters, missing TTLs, app-clock reset drift, process-local "global" quotas, approximate edge
287
+ limits treated as precise, hidden fail-open behavior, free failed requests, rate/concurrency
288
+ confusion, unhelpful 429s, capacity-leaking headers, synchronized retries, allow-decision caches,
289
+ unbounded shadow enforcement, missing policy id logs, unsafe raw Redis resets, unlimited async
290
+ enqueue, cached-hit ambiguity, and rate-limit-as-authorization claims are fixed or reported.
291
+ - Rate-limit-safety claims are backed by configured tests, storage or framework evidence matched
292
+ to current code, API contract evidence, operational evidence, static review evidence, or labeled
293
+ as manual-only or missing.
294
+
295
+ <!-- mustflow-section: verification -->
296
+ ## Verification
297
+
298
+ Use configured oneshot command intents when available:
299
+
300
+ - `changes_status`
301
+ - `changes_diff_summary`
302
+ - `lint`
303
+ - `build`
304
+ - `test_related`
305
+ - `test`
306
+ - `docs_validate_fast`
307
+ - `test_release`
308
+ - `mustflow_check`
309
+
310
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
311
+ changed rate-limit policy and synchronized template surfaces. Do not infer raw load tests, live
312
+ provider calls, CDN or WAF changes, Redis Cluster checks, local servers, queue workers, browser
313
+ sessions, chaos tests, or manual dashboards outside the command contract.
314
+
315
+ <!-- mustflow-section: failure-handling -->
316
+ ## Failure Handling
317
+
318
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and
319
+ the rate-limit invariant it exercised before editing again.
320
+ - If the protected resource cannot be named, report that the limit policy is not reviewable yet.
321
+ - If key identity is spoofable, missing, or ambiguous, report the bypass or collateral-damage risk
322
+ before tuning quotas.
323
+ - If safe repair requires WAF or CDN configuration, provider quota changes, Redis Cluster topology,
324
+ load testing, production traffic replay, operator dashboard work, billing controls, or live
325
+ integration proof outside the current scope, complete local verification and report the missing
326
+ operational evidence.
327
+ - If deterministic limiter proof is not configured, complete available verification and report the
328
+ missing manual, integration, or load evidence.
329
+
330
+ <!-- mustflow-section: output-format -->
331
+ ## Output Format
332
+
333
+ - Rate-limit policy boundary reviewed
334
+ - Protected resource, cost model, layer model, key model, algorithm and storage model, atomicity,
335
+ TTL, time source, local or global scope, fail mode, failed-response counting, concurrency limit,
336
+ response contract, jitter, blocked-decision cache, shadow rollout, observability, operator reset,
337
+ async enqueue quota, cached-hit policy, authorization and cost-control boundary, and test evidence
338
+ findings
339
+ - Rate-limit fixes made or recommended
340
+ - Evidence level: configured-test evidence, storage or framework evidence, API contract evidence,
341
+ operational evidence, static review risk, manual-only, missing, or not applicable
342
+ - Command intents run
343
+ - Skipped rate-limit diagnostics and reasons
344
+ - Remaining rate-limit-integrity risk
@@ -0,0 +1,195 @@
1
+ ---
2
+ mustflow_doc: skill.retry-policy-integrity-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: retry-policy-integrity-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and retry loops, SDK or client retry configs, backoff, jitter, timeout, deadline, Retry-After, retry predicates, layered retries, circuit breakers, bulkheads, token buckets, queue redelivery, broker retries, cancellation-aware sleeps, or retry observability can amplify failure, duplicate side effects, hide permanent errors, exhaust pools, or overload dependencies.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.retry-policy-integrity-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Retry Policy Integrity Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review retries as failure amplification control, not as "try again because something failed."
33
+
34
+ The review question is not "does this code retry?" It is "when the dependency is slow, down, rate-limited, partially successful, or overloaded, does this retry policy reduce harm or multiply the outage across attempts, layers, pools, locks, queues, and side effects?"
35
+
36
+ <!-- mustflow-section: use-when -->
37
+ ## Use When
38
+
39
+ - Code creates, changes, reviews, or reports retry loops, SDK retry options, client retry middleware, `while true`, `for (;;)`, recursive retry, `maxAttempts`, `maxRetries`, `maxElapsedTime`, `deadline`, `timeout`, `sleep`, `delay`, backoff, jitter, `Retry-After`, circuit breaker, bulkhead, token bucket, rate limiter, or cancellation-aware retry behavior.
40
+ - HTTP, database, Redis, queue, stream, object storage, payment, email, notification, file upload, webhook, scheduler, batch, worker, or provider calls can be repeated after failure, timeout, cancellation, rate limit, lock conflict, transaction retry, or redelivery.
41
+ - A workflow has retries in more than one layer, such as caller retry plus service retry plus SDK retry plus load balancer retry plus queue redelivery plus broker retry.
42
+ - A review or final report claims a path is resilient, retry-safe, backoff-protected, rate-limit-aware, idempotent, transient-only, bounded, cancellation-safe, or protected by a circuit breaker, bulkhead, pool, timeout, or queue retry policy.
43
+
44
+ <!-- mustflow-section: do-not-use-when -->
45
+ ## Do Not Use When
46
+
47
+ - The task is primarily duplicate business intent, webhook replay, queue redelivery, batch rerun, or timeout recovery that can move the same logical operation twice; use `idempotency-integrity-review` first and this skill for the retry budget and policy mechanics.
48
+ - The task is primarily broker settlement, ack, nack, delete, offset commit, visibility timeout, DLQ, consumer loss, or producer confirmation; use `queue-processing-integrity-review` first and this skill for application-level retry overlap.
49
+ - The task is primarily swallowed exceptions, false success, missing timeout honesty, cancellation swallowing, fallback defaults, or public error shape; use `failure-integrity-review` first and this skill for bounded retry behavior.
50
+ - The task is primarily read-decision-write atomicity, transaction isolation, after-commit ordering, or transaction retry semantics; use `transaction-boundary-integrity-review` first and this skill for retry placement and budget.
51
+ - The operation is a pure local calculation with no fallible dependency, wait, side effect, shared pool, cancellation source, or retry loop.
52
+
53
+ <!-- mustflow-section: required-inputs -->
54
+ ## Required Inputs
55
+
56
+ - Retry surface: each retry loop, SDK retry configuration, middleware, queue redelivery policy, broker retry, load balancer retry, database retry, transaction retry, circuit breaker, bulkhead, token bucket, and wrapper around the changed path.
57
+ - Layered retry ledger: caller, API handler, service, SDK, driver, proxy, load balancer, queue, worker, scheduler, and provider retries with per-layer max attempts and elapsed-time budget.
58
+ - Attempt budget: max attempts, max elapsed time, per-attempt timeout, total deadline, cancellation signal, sleep behavior, and whether DNS, TLS, connection checkout, pool wait, request body upload, response streaming, and response parsing are inside the budget.
59
+ - Retry predicate: exception types, status codes, provider errors, timeout classes, rate-limit responses, transient versus permanent failure, unknown outcome, cancellation, validation errors, authorization errors, and programmer bugs.
60
+ - Side-effect and idempotency ledger: logical operation, idempotency key, key scope, request body hash, conditional write, transaction boundary, lock boundary, provider call, stream or upload body replayability, queue ack or commit, and committed response boundary.
61
+ - Backoff and jitter policy: fixed sleep, exponential backoff, cap, jitter type, `Retry-After` parsing, clock skew, maximum delay, per-key backoff, global backoff, and reset after success.
62
+ - Overload and throttling evidence: pool sizes, concurrency limit, bulkhead, token bucket, circuit breaker state, retry queue size, rate-limit budget, per-tenant or per-key fairness, and dependency-specific limits.
63
+ - Observability and test evidence: attempt logs, per-attempt spans, retry metrics, retry exhaustion metrics, `Retry-After` values, request id, correlation id, cancellation tests, permanent-failure tests, timeout-budget tests, and configured command intents.
64
+
65
+ <!-- mustflow-section: preconditions -->
66
+ ## Preconditions
67
+
68
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
69
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
70
+ - Required retry surface, layered retry ledger, attempt budget, retry predicate, side-effect ledger, backoff, throttling, observability, and test evidence is available, or missing evidence can be reported without guessing.
71
+ - Existing local retry, timeout, backoff, idempotency, queue redelivery, circuit breaker, bulkhead, cancellation, logging, and metrics patterns have been searched before adding new shapes.
72
+ - If repeated attempts move money, credits, permissions, inventory, personal data, provider state, queue settlement, or durable business state, also apply the relevant payment, credit, security, idempotency, queue, transaction, or failure skill.
73
+
74
+ <!-- mustflow-section: allowed-edits -->
75
+ ## Allowed Edits
76
+
77
+ - Add or tighten bounded attempts, total deadline, per-attempt timeout, cancellation propagation, exponential backoff with jitter, `Retry-After` handling, retry predicates, dependency-specific policy, idempotency key reuse, safe body replay checks, and focused retry tests.
78
+ - Remove or bound infinite retry loops, nested retry multiplication, broad catch-and-retry branches, fixed sleeps that synchronize callers, retries inside transactions or locks, and retry wrappers that erase diagnostic cause, status code, retry-after, or request id.
79
+ - Move retry policy to a caller-owned or dependency-owned boundary when local architecture requires one source of truth instead of several hidden layers.
80
+ - Add observability for attempts, final exhaustion, cancellation, retry-after, delay, dependency name, operation name, request id, safe business key, and retry decision.
81
+ - Do not add live provider calls, load tests, local servers, queue workers, watchers, or manual dashboards outside the configured command contract.
82
+ - Do not treat a retry policy as proof of idempotency, queue safety, transaction safety, circuit-breaker safety, or overload protection without the matching evidence.
83
+
84
+ <!-- mustflow-section: procedure -->
85
+ ## Procedure
86
+
87
+ 1. Count the retry layers before judging one loop.
88
+ - Build the chain from caller to dependency: UI, API gateway, handler, service, repository, SDK, driver, proxy, queue, worker, and provider.
89
+ - Multiply the attempts. Three layers with three attempts each can turn one user action into 27 dependency calls.
90
+ - Treat SDK defaults as real retries until current code or documentation proves they are disabled or bounded.
91
+ 2. Check for infinite or open-ended retry.
92
+ - Search around `while true`, `for (;;)`, recursive retry, `retryUntilSuccess`, `do while`, `catch` followed by sleep, and framework retry annotations.
93
+ - Require both max attempts and max elapsed time when the path can hold a request, worker, connection, lock, transaction, or queue slot.
94
+ - A capped backoff without a stop condition is still an infinite retry with nicer pacing.
95
+ 3. Separate per-attempt timeout from total deadline.
96
+ - A 3 second per-attempt timeout with 5 attempts can exceed the caller's useful deadline.
97
+ - Include DNS lookup, TCP connect, TLS handshake, connection pool wait, request body upload, response header wait, response streaming, and response parsing in the budget where the client supports it.
98
+ - If the caller cancels, retry sleep and in-flight attempts should stop.
99
+ 4. Review retry predicates.
100
+ - Retry transient dependency failures, rate limits, and specific timeout classes only when the operation is safe to repeat.
101
+ - Do not retry validation errors, authorization failures, not-found errors that mean permanent absence, payload errors, deterministic constraint violations, cancellation, or programmer bugs.
102
+ - Broad `catch (Exception)`, `catch (error)`, or equivalent retry can turn bad input and bugs into traffic storms.
103
+ 5. Treat unknown outcomes as dangerous.
104
+ - A timeout after sending a request is not proof that the provider did nothing.
105
+ - Before retrying payment, email, shipment, entitlement, file creation, external object creation, or any non-idempotent provider command, require idempotency, provider lookup, reconciliation, or a reported unknown-outcome risk.
106
+ 6. Check idempotency key reuse.
107
+ - A new key per attempt defeats provider idempotency.
108
+ - A key that is not bound to actor, tenant, operation type, target resource, and payload fingerprint can replay the wrong operation.
109
+ - Conditional idempotency should be explicit for POST, PATCH, webhook, queue, batch, and scheduler retries, not only for "unsafe" HTTP verbs.
110
+ 7. Keep retries out of transactions and locks unless deliberately bounded.
111
+ - Retrying while holding a DB transaction, row lock, mutex, semaphore, distributed lock, or advisory lock can hold scarce resources while waiting.
112
+ - If the retry is a transaction retry, retry the whole transaction from a clean start and verify side effects happen after commit or through an outbox.
113
+ - If the retry is inside a lock, name why the lock must be held and prove the wait is short and bounded.
114
+ 8. Check pool and concurrency pressure.
115
+ - Retrying after timeouts can keep sockets, DB connections, workers, threads, or queue in-flight slots occupied longer than the original call.
116
+ - Bound concurrent retries with a bulkhead, semaphore, worker pool, token bucket, or dependency-specific limiter sized to downstream capacity.
117
+ - Avoid unbounded `Promise.all`, goroutine, task, or thread fan-out wrapped in retry.
118
+ 9. Review backoff and jitter.
119
+ - Fixed sleeps synchronize clients and create waves.
120
+ - Exponential backoff needs jitter and a cap, but the cap does not replace max attempts or max elapsed time.
121
+ - Respect `Retry-After` for 429 and 503 when trusted, parse both seconds and dates if the stack requires it, clamp unreasonable values, and record the decision.
122
+ 10. Separate global and per-key throttling.
123
+ - A global token bucket can let one noisy tenant spend the whole retry budget.
124
+ - A per-key backoff can protect one hot resource while allowing unrelated traffic to continue.
125
+ - Reset per-key failure counters after a confirmed success; stale failure counters can punish healthy traffic long after recovery.
126
+ 11. Order resilience tools deliberately.
127
+ - Timeout, retry, circuit breaker, bulkhead, token bucket, and fallback are not interchangeable.
128
+ - Prefer a clear order such as acquire bulkhead capacity, enforce total deadline, attempt with per-attempt timeout, classify error, apply retry budget and backoff, and let circuit breaker observe final or configured per-attempt outcomes according to local policy.
129
+ - A circuit breaker outside a retry loop sees one final failure; inside it sees every failed attempt. Pick intentionally.
130
+ 12. Preserve error identity through wrappers.
131
+ - Retry wrappers should keep cause, status code, retry-after, provider error code, request id, correlation id, attempt count, and final exhaustion reason.
132
+ - Do not replace every exhausted retry with a generic "failed" error that hides whether the caller should retry, fix input, wait, or open an incident.
133
+ 13. Check committed responses and streaming bodies.
134
+ - Once a response is committed to a client, retrying the next side effect can create server truth that the caller cannot observe.
135
+ - Request or upload bodies may not be replayable after the first attempt unless buffered safely and within memory limits.
136
+ - Streaming downloads, uploads, and partial writes need explicit resume, restart, or no-retry policy.
137
+ 14. Review queue and broker overlap.
138
+ - Application retry plus broker redelivery plus DLQ retry can multiply attempts and delay poison-message isolation.
139
+ - Ack, delete, commit, side effect, and retry ordering should be explicit so a retry does not both duplicate work and hide failure from the broker.
140
+ - Treat broker retry count and app retry count as one combined budget when possible.
141
+ 15. Review dependency-specific configuration.
142
+ - HTTP, DB, Redis, object storage, message brokers, payment providers, email services, search services, and caches have different safe retry status codes, timeout fields, request replay rules, and rate-limit headers.
143
+ - Avoid one generic retry helper for every dependency unless the dependency policy is injected or selected explicitly.
144
+ 16. Require retry observability.
145
+ - Logs should distinguish attempt, delay, status, dependency, operation, retryable decision, final exhaustion, cancellation, and safe request identity.
146
+ - Metrics should expose attempts_total, retry_exhausted_total, retry_delay, retry_after_used, cancellation, circuit-open decisions, and dependency-specific labels with bounded cardinality.
147
+ - A single final error log after all retries is often too late to explain an incident.
148
+ 17. Require tests beyond "two failures then success."
149
+ - Good tests cover permanent failure not retried, max attempts, max elapsed time, total deadline, cancellation during sleep, retry-after parsing and clamping, jitter boundedness, idempotency key reuse, unknown outcome, pool or concurrency limit, and wrapper cause preservation.
150
+ - If deterministic timing tests are hard, use fake clocks, injected sleeper, injected retry policy, or local test helpers already present in the repository.
151
+ - If configured integration evidence is missing, report static risk and the missing manual or integration proof instead of approving the retry path.
152
+
153
+ <!-- mustflow-section: postconditions -->
154
+ ## Postconditions
155
+
156
+ - Retry layers, attempt multiplication, max attempts, max elapsed time, per-attempt timeout, total deadline, retry predicate, backoff, jitter, `Retry-After`, cancellation behavior, side-effect replay safety, idempotency key reuse, transaction or lock placement, pool pressure, throttling, circuit-breaker ordering, wrapper diagnostics, queue overlap, dependency policy, observability, and retry tests are explicit.
157
+ - Infinite retry, broad catch-and-retry, permanent-error retry, unknown-outcome replay, new idempotency key per attempt, fixed-sleep herd behavior, retry inside long transaction or lock, pool exhaustion, app-plus-broker retry multiplication, stale failure counters, wrapper cause loss, committed-response retry, non-replayable body retry, cancellation-ignoring sleep, and missing retry metrics are fixed or reported.
158
+ - Retry-safety claims are backed by configured tests, dependency or framework evidence matched to current code, schema or idempotency evidence, static review evidence, or labeled as manual-only or missing.
159
+
160
+ <!-- mustflow-section: verification -->
161
+ ## Verification
162
+
163
+ Use configured oneshot command intents when available:
164
+
165
+ - `changes_status`
166
+ - `changes_diff_summary`
167
+ - `lint`
168
+ - `build`
169
+ - `test_related`
170
+ - `test`
171
+ - `docs_validate_fast`
172
+ - `test_release`
173
+ - `mustflow_check`
174
+
175
+ Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed retry policy and synchronized template surfaces. Do not infer raw load tests, live dependency calls, queue servers, local watchers, browser sessions, chaos tests, or manual dashboards outside the command contract.
176
+
177
+ <!-- mustflow-section: failure-handling -->
178
+ ## Failure Handling
179
+
180
+ - If a configured command fails, preserve the failing intent, failing assertion or output tail, and the retry invariant it exercised before editing again.
181
+ - If retry layers cannot be enumerated, report that the path is not reviewable for retry amplification yet.
182
+ - If the retry predicate cannot distinguish transient from permanent failure, report the missing classification instead of accepting a broad retry.
183
+ - If safe repair requires provider idempotency, durable operation records, queue or broker configuration, circuit-breaker architecture, dependency-specific client policy, fake-clock test infrastructure, load testing, or integration replay outside the current scope, report the missing boundary.
184
+ - If deterministic retry proof is not configured, complete available verification and report the missing manual or integration evidence.
185
+
186
+ <!-- mustflow-section: output-format -->
187
+ ## Output Format
188
+
189
+ - Retry policy boundary reviewed
190
+ - Retry surface, layered retry ledger, attempt budget, timeout and deadline, retry predicate, unknown outcome, side-effect and idempotency key, transaction or lock placement, pool and concurrency pressure, backoff and jitter, `Retry-After`, global or per-key throttling, resilience-tool ordering, wrapper diagnostics, committed response or streaming body, queue or broker overlap, dependency policy, observability, and test evidence findings
191
+ - Retry-policy fixes made or recommended
192
+ - Evidence level: configured-test evidence, dependency or framework evidence, schema or idempotency evidence, static review risk, manual-only, missing, or not applicable
193
+ - Command intents run
194
+ - Skipped retry diagnostics and reasons
195
+ - Remaining retry-policy-integrity risk