mustflow 2.39.1 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +386 -1
|
@@ -0,0 +1,344 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.rate-limit-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: rate-limit-integrity-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and rate limits, throttling, quotas, API usage limits, request costs, token buckets, leaky buckets, fixed windows, sliding windows, GCRA, Redis counters, edge or gateway limits, per-tenant or per-user limits, 429 responses, Retry-After, RateLimit headers, shadow enforcement, operator resets, async enqueue limits, or concurrency limits need review for protected-resource fit, key design, atomic counting, layered enforcement, client contract, and abuse or overload safety.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.rate-limit-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Rate Limit Integrity Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review rate limiting as protection for a named scarce resource, not as an algorithm decoration.
|
|
33
|
+
|
|
34
|
+
The review question is not "did we add a limiter?" It is "does this policy protect the real thing
|
|
35
|
+
that gets exhausted, with the right key, cost, layer, storage atomicity, fail mode, response
|
|
36
|
+
contract, observability, and operator escape hatch?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- Code creates, changes, reviews, or reports rate limits, throttling, quotas, request budgets,
|
|
42
|
+
abuse limits, API usage limits, request cost weights, token bucket, leaky bucket, fixed window,
|
|
43
|
+
sliding window counter, sliding window log, GCRA, Redis counter, Lua or EVAL counter update,
|
|
44
|
+
CDN or WAF limit, gateway limit, service-level limit, database bottleneck limit, external API
|
|
45
|
+
protection, per-tenant limit, per-user limit, per-api-key limit, route-group limit, or IP limit.
|
|
46
|
+
- A public or internal API emits or depends on 429 responses, `Retry-After`, `RateLimit`,
|
|
47
|
+
`RateLimit-Policy`, legacy `X-RateLimit-*` headers, retry hints, blocked-decision caches,
|
|
48
|
+
shadow mode, enforcement ramp, policy IDs, or operator lookup and reset tools.
|
|
49
|
+
- Async jobs, queues, webhooks, batch endpoints, expensive exports, search, login, signup, OTP,
|
|
50
|
+
payment, email, SMS, AI, third-party API, or database-heavy paths can be overloaded by request
|
|
51
|
+
count, request cost, concurrency, retries, cache misses, or one noisy actor.
|
|
52
|
+
- A final report claims an API is rate-limited, protected from abuse, quota-safe, retry-friendly,
|
|
53
|
+
fair by tenant, protected at the edge, globally limited, or safe under load.
|
|
54
|
+
|
|
55
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
56
|
+
## Do Not Use When
|
|
57
|
+
|
|
58
|
+
- The task is primarily retry amplification, backoff, `Retry-After` consumption by a caller, or
|
|
59
|
+
SDK retry behavior; use `retry-policy-integrity-review` first and this skill for the server-side
|
|
60
|
+
limit policy and response contract.
|
|
61
|
+
- The task is primarily duplicate business intent, idempotency keys, replay, or unknown side-effect
|
|
62
|
+
outcomes; use `idempotency-integrity-review` first and this skill for quota burning and limiter
|
|
63
|
+
keys.
|
|
64
|
+
- The task is primarily API naming, DTO shape, pagination, versioning, or caller ergonomics; use
|
|
65
|
+
`api-misuse-resistance-review` first and this skill for rate-limit contract details.
|
|
66
|
+
- The task is primarily cloud bill control rather than runtime overload or abuse control; use
|
|
67
|
+
`cloud-cost-guardrail-review` first and this skill only for per-request quota mechanics.
|
|
68
|
+
- The operation is a pure local calculation with no shared resource, external dependency, abuse
|
|
69
|
+
surface, fairness requirement, or caller-visible limit.
|
|
70
|
+
|
|
71
|
+
<!-- mustflow-section: required-inputs -->
|
|
72
|
+
## Required Inputs
|
|
73
|
+
|
|
74
|
+
- Protected resource ledger: DB, cache, queue, worker pool, external API, login or OTP channel,
|
|
75
|
+
payment provider, email or SMS provider, search backend, AI quota, tenant fairness budget,
|
|
76
|
+
account-security surface, or public API availability.
|
|
77
|
+
- Cost-weighted request ledger: route template, method, actor, tenant, API key, user, IP or IP
|
|
78
|
+
prefix, feature, request body size, requested page size, batch size, export size, cache hit or
|
|
79
|
+
miss, async job fan-out, provider call count, and per-request cost.
|
|
80
|
+
- Layer model: CDN, WAF, load balancer, gateway, service, route group, worker, queue producer,
|
|
81
|
+
queue consumer, database, Redis, external provider, local fuse, and central or global limiter.
|
|
82
|
+
- Key model: tenant, account, API key, user, route template, method, route group, resource id, IP
|
|
83
|
+
prefix, region, environment, plan tier, feature flag, and whether missing, empty, duplicate, or
|
|
84
|
+
conflicting identity headers are denied, normalized, or ignored.
|
|
85
|
+
- Algorithm and storage model: fixed window, token bucket, leaky bucket, sliding window counter,
|
|
86
|
+
sliding window log, GCRA, Redis key shape, TTL, storage time source, counter cardinality, atomic
|
|
87
|
+
operation, Redis Cluster hash slot or hash tag, local cache, and clock-skew behavior.
|
|
88
|
+
- Failure mode model: fail open or fail closed per policy, Redis or storage outage behavior,
|
|
89
|
+
already-blocked cache behavior, allow-decision cache avoidance, shadow mode, ramp, bypass,
|
|
90
|
+
rollback, and operator reset scope.
|
|
91
|
+
- Response contract: 429 status, `Retry-After`, `RateLimit`, `RateLimit-Policy`, legacy header
|
|
92
|
+
compatibility, machine-readable error code, retryable classification, reset or wait semantics,
|
|
93
|
+
jitter or backoff guidance, and information-disclosure boundary.
|
|
94
|
+
- Observability and operator evidence: policy id, key hash or safe key, layer, quota, remaining
|
|
95
|
+
budget where safe, reset, request cost, route template, actor or tenant safe id, shadow decision,
|
|
96
|
+
block reason, metric cardinality, lookup tool, reset tool, audit log, and tests.
|
|
97
|
+
|
|
98
|
+
<!-- mustflow-section: preconditions -->
|
|
99
|
+
## Preconditions
|
|
100
|
+
|
|
101
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
102
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
103
|
+
current scope.
|
|
104
|
+
- Required protected-resource, cost, layer, key, algorithm, storage, fail-mode, response,
|
|
105
|
+
observability, and operator evidence is available, or missing evidence can be reported without
|
|
106
|
+
guessing.
|
|
107
|
+
- Existing local limiter, quota, plan-tier, API error, retry, Redis, cache, observability,
|
|
108
|
+
operator-tool, and abuse-defense patterns have been searched before adding new shapes.
|
|
109
|
+
- If limits affect money, credits, permissions, auth, personal data, provider state, queue
|
|
110
|
+
settlement, or durable business state, also apply the relevant payment, credit, security,
|
|
111
|
+
idempotency, queue, transaction, or failure skill.
|
|
112
|
+
|
|
113
|
+
<!-- mustflow-section: allowed-edits -->
|
|
114
|
+
## Allowed Edits
|
|
115
|
+
|
|
116
|
+
- Add or tighten protected-resource definitions, cost weights, per-key policy, layered limit
|
|
117
|
+
placement, route-template keys, atomic counter updates, TTLs, storage-time use, fail-open or
|
|
118
|
+
fail-closed policy, blocked-decision cache, shadow mode, 429 response shape, observability,
|
|
119
|
+
operator lookup or reset behavior, and focused tests.
|
|
120
|
+
- Replace raw URL keys, IP-only limits, request-count-only limits, non-atomic Redis read-modify-write
|
|
121
|
+
counters, app-server clock resets, missing TTLs, allow-decision caches, hidden fail-open behavior,
|
|
122
|
+
unlimited queue enqueue, and misleading `X-RateLimit-*` assumptions when they are in scope.
|
|
123
|
+
- Do not add live provider calls, load tests, dashboards, WAF rules, CDN settings, cluster changes,
|
|
124
|
+
background workers, local servers, or raw Redis operations outside the configured command contract.
|
|
125
|
+
- Do not treat rate limiting as authorization, fraud prevention, exact cost accounting, idempotency,
|
|
126
|
+
retry safety, queue backpressure, or concurrency control without the matching evidence.
|
|
127
|
+
|
|
128
|
+
<!-- mustflow-section: procedure -->
|
|
129
|
+
## Procedure
|
|
130
|
+
|
|
131
|
+
1. Do not choose the algorithm first.
|
|
132
|
+
- Name the protected resource before discussing fixed window, token bucket, sliding window,
|
|
133
|
+
GCRA, or Redis.
|
|
134
|
+
- A DB-heavy report endpoint, login OTP provider, public API tenant budget, and expensive AI call
|
|
135
|
+
usually need different keys, costs, layers, and fail modes.
|
|
136
|
+
- If the protected resource is unknown, report that the limiter cannot be judged yet.
|
|
137
|
+
2. Count cost, not only requests.
|
|
138
|
+
- One request can be one cheap cache hit or thousands of DB rows, provider calls, queued jobs,
|
|
139
|
+
emails, tokens, or export bytes.
|
|
140
|
+
- Add request cost weights for batch size, page size, body size, expensive route group, cache
|
|
141
|
+
miss, async fan-out, provider action, AI token use, or report size where the resource cost
|
|
142
|
+
differs materially.
|
|
143
|
+
- Keep cost units simple enough for operators to explain.
|
|
144
|
+
3. Place limits in layers deliberately.
|
|
145
|
+
- CDN and WAF limits are good for blunt IP, bot, path, and geographic pressure.
|
|
146
|
+
- Gateway limits are good for API key, tenant, plan, route group, and coarse global budgets.
|
|
147
|
+
- Service limits are good for user, feature, resource, business rule, and request cost.
|
|
148
|
+
- Dependency-protection limits are good near DB, Redis, queue, worker, and external provider
|
|
149
|
+
bottlenecks.
|
|
150
|
+
- Layered limits should not all count the same thing unless that duplication is intentional.
|
|
151
|
+
4. Design keys as policy, not plumbing.
|
|
152
|
+
- Avoid IP-only keys for authenticated APIs; NAT, mobile networks, and shared offices make IP a
|
|
153
|
+
bad user identity.
|
|
154
|
+
- Include tenant, account, API key, user, route group, method, route template, plan tier, and
|
|
155
|
+
resource id only when each dimension changes fairness or protected-resource pressure.
|
|
156
|
+
- Use route templates such as `/orders/{id}` instead of raw URLs so one actor cannot create
|
|
157
|
+
unbounded limiter keys through path values.
|
|
158
|
+
- Define missing, empty, duplicate, conflicting, or spoofable identity headers. A limiter that
|
|
159
|
+
silently falls back to IP may become a bypass or collateral-damage machine.
|
|
160
|
+
5. Review algorithm fit.
|
|
161
|
+
- Fixed window is simple but allows a boundary burst: a caller can spend almost two windows of
|
|
162
|
+
quota around the reset edge.
|
|
163
|
+
- Token bucket handles burst plus steady rate and is a good default when short bursts are
|
|
164
|
+
acceptable.
|
|
165
|
+
- Sliding window counter smooths boundary effects with lower storage than exact logs.
|
|
166
|
+
- Sliding window log is accurate but costly; reserve it for low-volume, high-risk paths where
|
|
167
|
+
exact decisions justify per-request storage.
|
|
168
|
+
- GCRA or equivalent virtual-schedule limiters can be compact and precise, but only if the local
|
|
169
|
+
team understands the timestamp math and test cases.
|
|
170
|
+
6. Make counter storage atomic.
|
|
171
|
+
- Redis operation atomicity matters. Split read, compare, increment, and expire steps can allow
|
|
172
|
+
more requests than the policy says or leave keys without expiry.
|
|
173
|
+
- Use one atomic operation pattern for the decision and update, such as a single Redis script or
|
|
174
|
+
an equivalent repository-supported primitive.
|
|
175
|
+
- `INCR` plus `EXPIRE` needs a safe first-write and failure path; do not leave counters immortal
|
|
176
|
+
if the expire step is skipped.
|
|
177
|
+
- In Redis Cluster, multi-key checks need keys in the same hash slot or a deliberate hash tag.
|
|
178
|
+
Otherwise "global plus per-key" policy may fail only after production sharding.
|
|
179
|
+
7. Use storage time, not app server time.
|
|
180
|
+
- Multiple app servers with skewed clocks can disagree about reset time and token refill.
|
|
181
|
+
- Prefer Redis, database, or central storage time where the storage primitive supports it.
|
|
182
|
+
- If app time is unavoidable, clamp skew and test reset-boundary behavior.
|
|
183
|
+
8. Separate local fuses from global limits.
|
|
184
|
+
- Local limits are not global limits. One process-local bucket multiplied by many pods is a
|
|
185
|
+
rough fuse, not a tenant quota.
|
|
186
|
+
- Use local fuses for emergency self-protection, CPU protection, and storage-outage fallback.
|
|
187
|
+
- Use central or coordinated counters for user, tenant, account, API key, or paid-plan budgets.
|
|
188
|
+
- Edge limits are not precise global counters; treat CDN or WAF limits as approximate layers
|
|
189
|
+
unless the provider contract proves global precision for the chosen key and window.
|
|
190
|
+
9. Choose fail open or fail closed per policy.
|
|
191
|
+
- Cheap public reads may fail open with a local fuse when the limiter store is down.
|
|
192
|
+
- Login, signup, OTP, payment, provider-spend, admin, expensive export, AI, and abuse-sensitive
|
|
193
|
+
actions often need fail closed or degraded mode.
|
|
194
|
+
- Name the user-visible behavior, operator alert, and rollback path for limiter-store outage.
|
|
195
|
+
10. Count failed responses intentionally.
|
|
196
|
+
- Counting only successful responses can let attackers hammer validation, auth, login, search,
|
|
197
|
+
and not-found paths for free.
|
|
198
|
+
- Counting every failure can punish normal callers during provider outages or reveal whether a
|
|
199
|
+
target exists through quota differences.
|
|
200
|
+
- Decide by route and failure class: validation, auth denial, not found, provider timeout,
|
|
201
|
+
business conflict, 5xx, and cancelled requests may deserve different counting.
|
|
202
|
+
11. Separate rate limits from concurrency limits.
|
|
203
|
+
- Rate limit controls how many operations enter over time.
|
|
204
|
+
- Concurrency limit controls how many operations run at once.
|
|
205
|
+
- Slow expensive jobs can obey a request rate and still exhaust DB connections, workers, or
|
|
206
|
+
provider slots. Add a semaphore, queue depth, pool, worker concurrency, or bulkhead when the
|
|
207
|
+
protected resource is simultaneous work.
|
|
208
|
+
12. Make 429 useful but not leaky.
|
|
209
|
+
- Emit a machine-readable error code and `Retry-After` when a well-behaved client can wait.
|
|
210
|
+
- If `Retry-After` and `RateLimit` hints disagree, `Retry-After` should govern immediate client
|
|
211
|
+
behavior.
|
|
212
|
+
- Standards-track `RateLimit` and `RateLimit-Policy` headers may coexist with legacy
|
|
213
|
+
`X-RateLimit-*`, but do not assume every client or proxy gives legacy headers the same
|
|
214
|
+
meaning.
|
|
215
|
+
- Do not reveal exact internal capacity, shard counts, provider quotas, attack thresholds, or
|
|
216
|
+
sensitive account state in public responses.
|
|
217
|
+
- During active abuse, silent drop, generic denial, or coarser hints can be safer than a perfect
|
|
218
|
+
quota tutorial for the attacker.
|
|
219
|
+
13. Add jitter and client backoff guidance.
|
|
220
|
+
- If many clients get the same reset timestamp, they may all retry at once.
|
|
221
|
+
- Add jitter to server-side refill or client guidance where the contract supports it.
|
|
222
|
+
- Clamp untrusted `Retry-After` dates or provider reset values before passing them downstream.
|
|
223
|
+
14. Manage counter cardinality and TTL.
|
|
224
|
+
- Every counter needs a TTL or lifecycle. Missing TTL turns rate limiting into unbounded storage
|
|
225
|
+
growth.
|
|
226
|
+
- Raw URL, request body, user agent, trace id, email, or unbounded resource id in keys can
|
|
227
|
+
create key explosions or sensitive storage.
|
|
228
|
+
- Cache already-blocked decisions briefly when it reduces Redis pressure, but do not cache allow
|
|
229
|
+
decisions unless the policy explicitly tolerates overshoot.
|
|
230
|
+
15. Roll out enforcement safely.
|
|
231
|
+
- Use shadow mode before blocking when policy impact is uncertain.
|
|
232
|
+
- Compare shadow decisions with actual traffic, tenant, route group, plan tier, failure class,
|
|
233
|
+
and support signals.
|
|
234
|
+
- Ramp enforcement by route, actor type, plan, tenant, or percentage, with a fast disable path.
|
|
235
|
+
16. Make logs and metrics answer the policy question.
|
|
236
|
+
- 429 logs should include policy id, layer, route template, method, safe actor or tenant id,
|
|
237
|
+
key hash, request cost, quota, reset or wait, remaining budget when safe, decision, shadow or
|
|
238
|
+
enforce mode, and reason.
|
|
239
|
+
- Metrics should use bounded labels: policy id, route template, layer, decision, plan, and
|
|
240
|
+
result class. Put high-cardinality keys in logs or traces.
|
|
241
|
+
- Log both blocks and surprising allows, such as limiter-store fail-open or shadow-mode would
|
|
242
|
+
block.
|
|
243
|
+
17. Provide operator lookup and reset.
|
|
244
|
+
- Operators need to answer: which policy blocked this actor, why, until when, and what safe
|
|
245
|
+
reset or override exists?
|
|
246
|
+
- Reset by scoped policy and key, not raw Redis `DEL` against guessed patterns.
|
|
247
|
+
- Audit every reset, override, bypass, and policy change with actor, reason, scope, expiry, and
|
|
248
|
+
before or after evidence.
|
|
249
|
+
18. Burn tokens before enqueueing async work.
|
|
250
|
+
- A queue does not protect the producer side if unlimited jobs can be enqueued.
|
|
251
|
+
- Burn request or cost tokens before enqueue for expensive async work, then use concurrency
|
|
252
|
+
limits at execution.
|
|
253
|
+
- Decide whether retries, redeliveries, deduped messages, and cancelled jobs spend quota.
|
|
254
|
+
19. Decide whether cached hits count.
|
|
255
|
+
- CDN-cached hits may not touch the protected origin resource, so origin-protection limits may
|
|
256
|
+
not count them.
|
|
257
|
+
- Business quotas, paid API limits, abuse limits, or fairness budgets may count cached CDN hits
|
|
258
|
+
because the caller still consumed a product allowance.
|
|
259
|
+
- Name which resource each layer protects before counting or ignoring cached responses.
|
|
260
|
+
20. Keep boundaries honest.
|
|
261
|
+
- Rate limit is not authorization. A caller who should not access a resource must be denied
|
|
262
|
+
before or independently of quota.
|
|
263
|
+
- Rate limit is not a hard cost-control ceiling; provider bills, retries, async fan-out, logs,
|
|
264
|
+
egress, and queues can spend money outside the request counter.
|
|
265
|
+
- Rate limit is not proof of idempotency, bot defense, fraud prevention, fairness, or overload
|
|
266
|
+
safety unless the matching evidence exists.
|
|
267
|
+
21. Test the ugly edges.
|
|
268
|
+
- Cover boundary burst, concurrent calls at the quota edge, missing TTL, Redis or store outage,
|
|
269
|
+
fail-open or fail-closed behavior, missing or duplicate identity headers, route-template key
|
|
270
|
+
normalization, request cost weights, shadow-to-enforce switch, 429 response shape,
|
|
271
|
+
`Retry-After`, storage time, hash tag or cluster key constraints, and operator reset audit.
|
|
272
|
+
- If deterministic timing tests are hard, use fake clocks, injected storage time, or repository
|
|
273
|
+
test helpers already present in the project.
|
|
274
|
+
- If load, CDN, WAF, provider, or Redis Cluster evidence is not configured, report that boundary
|
|
275
|
+
as manual-only instead of approving it from local unit tests.
|
|
276
|
+
|
|
277
|
+
<!-- mustflow-section: postconditions -->
|
|
278
|
+
## Postconditions
|
|
279
|
+
|
|
280
|
+
- Protected resource, cost model, layer placement, key design, algorithm, storage atomicity, TTL,
|
|
281
|
+
time source, local versus global scope, fail-open or fail-closed policy, failed-response counting,
|
|
282
|
+
concurrency limit needs, response contract, jitter, blocked cache, shadow rollout, observability,
|
|
283
|
+
operator lookup and reset, async enqueue quota, cached-hit policy, and authorization or cost
|
|
284
|
+
boundaries are explicit.
|
|
285
|
+
- IP-only authenticated limits, raw URL keys, fixed-window boundary bursts, non-atomic Redis
|
|
286
|
+
counters, missing TTLs, app-clock reset drift, process-local "global" quotas, approximate edge
|
|
287
|
+
limits treated as precise, hidden fail-open behavior, free failed requests, rate/concurrency
|
|
288
|
+
confusion, unhelpful 429s, capacity-leaking headers, synchronized retries, allow-decision caches,
|
|
289
|
+
unbounded shadow enforcement, missing policy id logs, unsafe raw Redis resets, unlimited async
|
|
290
|
+
enqueue, cached-hit ambiguity, and rate-limit-as-authorization claims are fixed or reported.
|
|
291
|
+
- Rate-limit-safety claims are backed by configured tests, storage or framework evidence matched
|
|
292
|
+
to current code, API contract evidence, operational evidence, static review evidence, or labeled
|
|
293
|
+
as manual-only or missing.
|
|
294
|
+
|
|
295
|
+
<!-- mustflow-section: verification -->
|
|
296
|
+
## Verification
|
|
297
|
+
|
|
298
|
+
Use configured oneshot command intents when available:
|
|
299
|
+
|
|
300
|
+
- `changes_status`
|
|
301
|
+
- `changes_diff_summary`
|
|
302
|
+
- `lint`
|
|
303
|
+
- `build`
|
|
304
|
+
- `test_related`
|
|
305
|
+
- `test`
|
|
306
|
+
- `docs_validate_fast`
|
|
307
|
+
- `test_release`
|
|
308
|
+
- `mustflow_check`
|
|
309
|
+
|
|
310
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the
|
|
311
|
+
changed rate-limit policy and synchronized template surfaces. Do not infer raw load tests, live
|
|
312
|
+
provider calls, CDN or WAF changes, Redis Cluster checks, local servers, queue workers, browser
|
|
313
|
+
sessions, chaos tests, or manual dashboards outside the command contract.
|
|
314
|
+
|
|
315
|
+
<!-- mustflow-section: failure-handling -->
|
|
316
|
+
## Failure Handling
|
|
317
|
+
|
|
318
|
+
- If a configured command fails, preserve the failing intent, failing assertion or output tail, and
|
|
319
|
+
the rate-limit invariant it exercised before editing again.
|
|
320
|
+
- If the protected resource cannot be named, report that the limit policy is not reviewable yet.
|
|
321
|
+
- If key identity is spoofable, missing, or ambiguous, report the bypass or collateral-damage risk
|
|
322
|
+
before tuning quotas.
|
|
323
|
+
- If safe repair requires WAF or CDN configuration, provider quota changes, Redis Cluster topology,
|
|
324
|
+
load testing, production traffic replay, operator dashboard work, billing controls, or live
|
|
325
|
+
integration proof outside the current scope, complete local verification and report the missing
|
|
326
|
+
operational evidence.
|
|
327
|
+
- If deterministic limiter proof is not configured, complete available verification and report the
|
|
328
|
+
missing manual, integration, or load evidence.
|
|
329
|
+
|
|
330
|
+
<!-- mustflow-section: output-format -->
|
|
331
|
+
## Output Format
|
|
332
|
+
|
|
333
|
+
- Rate-limit policy boundary reviewed
|
|
334
|
+
- Protected resource, cost model, layer model, key model, algorithm and storage model, atomicity,
|
|
335
|
+
TTL, time source, local or global scope, fail mode, failed-response counting, concurrency limit,
|
|
336
|
+
response contract, jitter, blocked-decision cache, shadow rollout, observability, operator reset,
|
|
337
|
+
async enqueue quota, cached-hit policy, authorization and cost-control boundary, and test evidence
|
|
338
|
+
findings
|
|
339
|
+
- Rate-limit fixes made or recommended
|
|
340
|
+
- Evidence level: configured-test evidence, storage or framework evidence, API contract evidence,
|
|
341
|
+
operational evidence, static review risk, manual-only, missing, or not applicable
|
|
342
|
+
- Command intents run
|
|
343
|
+
- Skipped rate-limit diagnostics and reasons
|
|
344
|
+
- Remaining rate-limit-integrity risk
|
|
@@ -0,0 +1,195 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.retry-policy-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: retry-policy-integrity-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and retry loops, SDK or client retry configs, backoff, jitter, timeout, deadline, Retry-After, retry predicates, layered retries, circuit breakers, bulkheads, token buckets, queue redelivery, broker retries, cancellation-aware sleeps, or retry observability can amplify failure, duplicate side effects, hide permanent errors, exhaust pools, or overload dependencies.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.retry-policy-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Retry Policy Integrity Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review retries as failure amplification control, not as "try again because something failed."
|
|
33
|
+
|
|
34
|
+
The review question is not "does this code retry?" It is "when the dependency is slow, down, rate-limited, partially successful, or overloaded, does this retry policy reduce harm or multiply the outage across attempts, layers, pools, locks, queues, and side effects?"
|
|
35
|
+
|
|
36
|
+
<!-- mustflow-section: use-when -->
|
|
37
|
+
## Use When
|
|
38
|
+
|
|
39
|
+
- Code creates, changes, reviews, or reports retry loops, SDK retry options, client retry middleware, `while true`, `for (;;)`, recursive retry, `maxAttempts`, `maxRetries`, `maxElapsedTime`, `deadline`, `timeout`, `sleep`, `delay`, backoff, jitter, `Retry-After`, circuit breaker, bulkhead, token bucket, rate limiter, or cancellation-aware retry behavior.
|
|
40
|
+
- HTTP, database, Redis, queue, stream, object storage, payment, email, notification, file upload, webhook, scheduler, batch, worker, or provider calls can be repeated after failure, timeout, cancellation, rate limit, lock conflict, transaction retry, or redelivery.
|
|
41
|
+
- A workflow has retries in more than one layer, such as caller retry plus service retry plus SDK retry plus load balancer retry plus queue redelivery plus broker retry.
|
|
42
|
+
- A review or final report claims a path is resilient, retry-safe, backoff-protected, rate-limit-aware, idempotent, transient-only, bounded, cancellation-safe, or protected by a circuit breaker, bulkhead, pool, timeout, or queue retry policy.
|
|
43
|
+
|
|
44
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
45
|
+
## Do Not Use When
|
|
46
|
+
|
|
47
|
+
- The task is primarily duplicate business intent, webhook replay, queue redelivery, batch rerun, or timeout recovery that can move the same logical operation twice; use `idempotency-integrity-review` first and this skill for the retry budget and policy mechanics.
|
|
48
|
+
- The task is primarily broker settlement, ack, nack, delete, offset commit, visibility timeout, DLQ, consumer loss, or producer confirmation; use `queue-processing-integrity-review` first and this skill for application-level retry overlap.
|
|
49
|
+
- The task is primarily swallowed exceptions, false success, missing timeout honesty, cancellation swallowing, fallback defaults, or public error shape; use `failure-integrity-review` first and this skill for bounded retry behavior.
|
|
50
|
+
- The task is primarily read-decision-write atomicity, transaction isolation, after-commit ordering, or transaction retry semantics; use `transaction-boundary-integrity-review` first and this skill for retry placement and budget.
|
|
51
|
+
- The operation is a pure local calculation with no fallible dependency, wait, side effect, shared pool, cancellation source, or retry loop.
|
|
52
|
+
|
|
53
|
+
<!-- mustflow-section: required-inputs -->
|
|
54
|
+
## Required Inputs
|
|
55
|
+
|
|
56
|
+
- Retry surface: each retry loop, SDK retry configuration, middleware, queue redelivery policy, broker retry, load balancer retry, database retry, transaction retry, circuit breaker, bulkhead, token bucket, and wrapper around the changed path.
|
|
57
|
+
- Layered retry ledger: caller, API handler, service, SDK, driver, proxy, load balancer, queue, worker, scheduler, and provider retries with per-layer max attempts and elapsed-time budget.
|
|
58
|
+
- Attempt budget: max attempts, max elapsed time, per-attempt timeout, total deadline, cancellation signal, sleep behavior, and whether DNS, TLS, connection checkout, pool wait, request body upload, response streaming, and response parsing are inside the budget.
|
|
59
|
+
- Retry predicate: exception types, status codes, provider errors, timeout classes, rate-limit responses, transient versus permanent failure, unknown outcome, cancellation, validation errors, authorization errors, and programmer bugs.
|
|
60
|
+
- Side-effect and idempotency ledger: logical operation, idempotency key, key scope, request body hash, conditional write, transaction boundary, lock boundary, provider call, stream or upload body replayability, queue ack or commit, and committed response boundary.
|
|
61
|
+
- Backoff and jitter policy: fixed sleep, exponential backoff, cap, jitter type, `Retry-After` parsing, clock skew, maximum delay, per-key backoff, global backoff, and reset after success.
|
|
62
|
+
- Overload and throttling evidence: pool sizes, concurrency limit, bulkhead, token bucket, circuit breaker state, retry queue size, rate-limit budget, per-tenant or per-key fairness, and dependency-specific limits.
|
|
63
|
+
- Observability and test evidence: attempt logs, per-attempt spans, retry metrics, retry exhaustion metrics, `Retry-After` values, request id, correlation id, cancellation tests, permanent-failure tests, timeout-budget tests, and configured command intents.
|
|
64
|
+
|
|
65
|
+
<!-- mustflow-section: preconditions -->
|
|
66
|
+
## Preconditions
|
|
67
|
+
|
|
68
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
69
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current scope.
|
|
70
|
+
- Required retry surface, layered retry ledger, attempt budget, retry predicate, side-effect ledger, backoff, throttling, observability, and test evidence is available, or missing evidence can be reported without guessing.
|
|
71
|
+
- Existing local retry, timeout, backoff, idempotency, queue redelivery, circuit breaker, bulkhead, cancellation, logging, and metrics patterns have been searched before adding new shapes.
|
|
72
|
+
- If repeated attempts move money, credits, permissions, inventory, personal data, provider state, queue settlement, or durable business state, also apply the relevant payment, credit, security, idempotency, queue, transaction, or failure skill.
|
|
73
|
+
|
|
74
|
+
<!-- mustflow-section: allowed-edits -->
|
|
75
|
+
## Allowed Edits
|
|
76
|
+
|
|
77
|
+
- Add or tighten bounded attempts, total deadline, per-attempt timeout, cancellation propagation, exponential backoff with jitter, `Retry-After` handling, retry predicates, dependency-specific policy, idempotency key reuse, safe body replay checks, and focused retry tests.
|
|
78
|
+
- Remove or bound infinite retry loops, nested retry multiplication, broad catch-and-retry branches, fixed sleeps that synchronize callers, retries inside transactions or locks, and retry wrappers that erase diagnostic cause, status code, retry-after, or request id.
|
|
79
|
+
- Move retry policy to a caller-owned or dependency-owned boundary when local architecture requires one source of truth instead of several hidden layers.
|
|
80
|
+
- Add observability for attempts, final exhaustion, cancellation, retry-after, delay, dependency name, operation name, request id, safe business key, and retry decision.
|
|
81
|
+
- Do not add live provider calls, load tests, local servers, queue workers, watchers, or manual dashboards outside the configured command contract.
|
|
82
|
+
- Do not treat a retry policy as proof of idempotency, queue safety, transaction safety, circuit-breaker safety, or overload protection without the matching evidence.
|
|
83
|
+
|
|
84
|
+
<!-- mustflow-section: procedure -->
|
|
85
|
+
## Procedure
|
|
86
|
+
|
|
87
|
+
1. Count the retry layers before judging one loop.
|
|
88
|
+
- Build the chain from caller to dependency: UI, API gateway, handler, service, repository, SDK, driver, proxy, queue, worker, and provider.
|
|
89
|
+
- Multiply the attempts. Three layers with three attempts each can turn one user action into 27 dependency calls.
|
|
90
|
+
- Treat SDK defaults as real retries until current code or documentation proves they are disabled or bounded.
|
|
91
|
+
2. Check for infinite or open-ended retry.
|
|
92
|
+
- Search around `while true`, `for (;;)`, recursive retry, `retryUntilSuccess`, `do while`, `catch` followed by sleep, and framework retry annotations.
|
|
93
|
+
- Require both max attempts and max elapsed time when the path can hold a request, worker, connection, lock, transaction, or queue slot.
|
|
94
|
+
- A capped backoff without a stop condition is still an infinite retry with nicer pacing.
|
|
95
|
+
3. Separate per-attempt timeout from total deadline.
|
|
96
|
+
- A 3 second per-attempt timeout with 5 attempts can exceed the caller's useful deadline.
|
|
97
|
+
- Include DNS lookup, TCP connect, TLS handshake, connection pool wait, request body upload, response header wait, response streaming, and response parsing in the budget where the client supports it.
|
|
98
|
+
- If the caller cancels, retry sleep and in-flight attempts should stop.
|
|
99
|
+
4. Review retry predicates.
|
|
100
|
+
- Retry transient dependency failures, rate limits, and specific timeout classes only when the operation is safe to repeat.
|
|
101
|
+
- Do not retry validation errors, authorization failures, not-found errors that mean permanent absence, payload errors, deterministic constraint violations, cancellation, or programmer bugs.
|
|
102
|
+
- Broad `catch (Exception)`, `catch (error)`, or equivalent retry can turn bad input and bugs into traffic storms.
|
|
103
|
+
5. Treat unknown outcomes as dangerous.
|
|
104
|
+
- A timeout after sending a request is not proof that the provider did nothing.
|
|
105
|
+
- Before retrying payment, email, shipment, entitlement, file creation, external object creation, or any non-idempotent provider command, require idempotency, provider lookup, reconciliation, or a reported unknown-outcome risk.
|
|
106
|
+
6. Check idempotency key reuse.
|
|
107
|
+
- A new key per attempt defeats provider idempotency.
|
|
108
|
+
- A key that is not bound to actor, tenant, operation type, target resource, and payload fingerprint can replay the wrong operation.
|
|
109
|
+
- Conditional idempotency should be explicit for POST, PATCH, webhook, queue, batch, and scheduler retries, not only for "unsafe" HTTP verbs.
|
|
110
|
+
7. Keep retries out of transactions and locks unless deliberately bounded.
|
|
111
|
+
- Retrying while holding a DB transaction, row lock, mutex, semaphore, distributed lock, or advisory lock can hold scarce resources while waiting.
|
|
112
|
+
- If the retry is a transaction retry, retry the whole transaction from a clean start and verify side effects happen after commit or through an outbox.
|
|
113
|
+
- If the retry is inside a lock, name why the lock must be held and prove the wait is short and bounded.
|
|
114
|
+
8. Check pool and concurrency pressure.
|
|
115
|
+
- Retrying after timeouts can keep sockets, DB connections, workers, threads, or queue in-flight slots occupied longer than the original call.
|
|
116
|
+
- Bound concurrent retries with a bulkhead, semaphore, worker pool, token bucket, or dependency-specific limiter sized to downstream capacity.
|
|
117
|
+
- Avoid unbounded `Promise.all`, goroutine, task, or thread fan-out wrapped in retry.
|
|
118
|
+
9. Review backoff and jitter.
|
|
119
|
+
- Fixed sleeps synchronize clients and create waves.
|
|
120
|
+
- Exponential backoff needs jitter and a cap, but the cap does not replace max attempts or max elapsed time.
|
|
121
|
+
- Respect `Retry-After` for 429 and 503 when trusted, parse both seconds and dates if the stack requires it, clamp unreasonable values, and record the decision.
|
|
122
|
+
10. Separate global and per-key throttling.
|
|
123
|
+
- A global token bucket can let one noisy tenant spend the whole retry budget.
|
|
124
|
+
- A per-key backoff can protect one hot resource while allowing unrelated traffic to continue.
|
|
125
|
+
- Reset per-key failure counters after a confirmed success; stale failure counters can punish healthy traffic long after recovery.
|
|
126
|
+
11. Order resilience tools deliberately.
|
|
127
|
+
- Timeout, retry, circuit breaker, bulkhead, token bucket, and fallback are not interchangeable.
|
|
128
|
+
- Prefer a clear order such as acquire bulkhead capacity, enforce total deadline, attempt with per-attempt timeout, classify error, apply retry budget and backoff, and let circuit breaker observe final or configured per-attempt outcomes according to local policy.
|
|
129
|
+
- A circuit breaker outside a retry loop sees one final failure; inside it sees every failed attempt. Pick intentionally.
|
|
130
|
+
12. Preserve error identity through wrappers.
|
|
131
|
+
- Retry wrappers should keep cause, status code, retry-after, provider error code, request id, correlation id, attempt count, and final exhaustion reason.
|
|
132
|
+
- Do not replace every exhausted retry with a generic "failed" error that hides whether the caller should retry, fix input, wait, or open an incident.
|
|
133
|
+
13. Check committed responses and streaming bodies.
|
|
134
|
+
- Once a response is committed to a client, retrying the next side effect can create server truth that the caller cannot observe.
|
|
135
|
+
- Request or upload bodies may not be replayable after the first attempt unless buffered safely and within memory limits.
|
|
136
|
+
- Streaming downloads, uploads, and partial writes need explicit resume, restart, or no-retry policy.
|
|
137
|
+
14. Review queue and broker overlap.
|
|
138
|
+
- Application retry plus broker redelivery plus DLQ retry can multiply attempts and delay poison-message isolation.
|
|
139
|
+
- Ack, delete, commit, side effect, and retry ordering should be explicit so a retry does not both duplicate work and hide failure from the broker.
|
|
140
|
+
- Treat broker retry count and app retry count as one combined budget when possible.
|
|
141
|
+
15. Review dependency-specific configuration.
|
|
142
|
+
- HTTP, DB, Redis, object storage, message brokers, payment providers, email services, search services, and caches have different safe retry status codes, timeout fields, request replay rules, and rate-limit headers.
|
|
143
|
+
- Avoid one generic retry helper for every dependency unless the dependency policy is injected or selected explicitly.
|
|
144
|
+
16. Require retry observability.
|
|
145
|
+
- Logs should distinguish attempt, delay, status, dependency, operation, retryable decision, final exhaustion, cancellation, and safe request identity.
|
|
146
|
+
- Metrics should expose attempts_total, retry_exhausted_total, retry_delay, retry_after_used, cancellation, circuit-open decisions, and dependency-specific labels with bounded cardinality.
|
|
147
|
+
- A single final error log after all retries is often too late to explain an incident.
|
|
148
|
+
17. Require tests beyond "two failures then success."
|
|
149
|
+
- Good tests cover permanent failure not retried, max attempts, max elapsed time, total deadline, cancellation during sleep, retry-after parsing and clamping, jitter boundedness, idempotency key reuse, unknown outcome, pool or concurrency limit, and wrapper cause preservation.
|
|
150
|
+
- If deterministic timing tests are hard, use fake clocks, injected sleeper, injected retry policy, or local test helpers already present in the repository.
|
|
151
|
+
- If configured integration evidence is missing, report static risk and the missing manual or integration proof instead of approving the retry path.
|
|
152
|
+
|
|
153
|
+
<!-- mustflow-section: postconditions -->
|
|
154
|
+
## Postconditions
|
|
155
|
+
|
|
156
|
+
- Retry layers, attempt multiplication, max attempts, max elapsed time, per-attempt timeout, total deadline, retry predicate, backoff, jitter, `Retry-After`, cancellation behavior, side-effect replay safety, idempotency key reuse, transaction or lock placement, pool pressure, throttling, circuit-breaker ordering, wrapper diagnostics, queue overlap, dependency policy, observability, and retry tests are explicit.
|
|
157
|
+
- Infinite retry, broad catch-and-retry, permanent-error retry, unknown-outcome replay, new idempotency key per attempt, fixed-sleep herd behavior, retry inside long transaction or lock, pool exhaustion, app-plus-broker retry multiplication, stale failure counters, wrapper cause loss, committed-response retry, non-replayable body retry, cancellation-ignoring sleep, and missing retry metrics are fixed or reported.
|
|
158
|
+
- Retry-safety claims are backed by configured tests, dependency or framework evidence matched to current code, schema or idempotency evidence, static review evidence, or labeled as manual-only or missing.
|
|
159
|
+
|
|
160
|
+
<!-- mustflow-section: verification -->
|
|
161
|
+
## Verification
|
|
162
|
+
|
|
163
|
+
Use configured oneshot command intents when available:
|
|
164
|
+
|
|
165
|
+
- `changes_status`
|
|
166
|
+
- `changes_diff_summary`
|
|
167
|
+
- `lint`
|
|
168
|
+
- `build`
|
|
169
|
+
- `test_related`
|
|
170
|
+
- `test`
|
|
171
|
+
- `docs_validate_fast`
|
|
172
|
+
- `test_release`
|
|
173
|
+
- `mustflow_check`
|
|
174
|
+
|
|
175
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed retry policy and synchronized template surfaces. Do not infer raw load tests, live dependency calls, queue servers, local watchers, browser sessions, chaos tests, or manual dashboards outside the command contract.
|
|
176
|
+
|
|
177
|
+
<!-- mustflow-section: failure-handling -->
|
|
178
|
+
## Failure Handling
|
|
179
|
+
|
|
180
|
+
- If a configured command fails, preserve the failing intent, failing assertion or output tail, and the retry invariant it exercised before editing again.
|
|
181
|
+
- If retry layers cannot be enumerated, report that the path is not reviewable for retry amplification yet.
|
|
182
|
+
- If the retry predicate cannot distinguish transient from permanent failure, report the missing classification instead of accepting a broad retry.
|
|
183
|
+
- If safe repair requires provider idempotency, durable operation records, queue or broker configuration, circuit-breaker architecture, dependency-specific client policy, fake-clock test infrastructure, load testing, or integration replay outside the current scope, report the missing boundary.
|
|
184
|
+
- If deterministic retry proof is not configured, complete available verification and report the missing manual or integration evidence.
|
|
185
|
+
|
|
186
|
+
<!-- mustflow-section: output-format -->
|
|
187
|
+
## Output Format
|
|
188
|
+
|
|
189
|
+
- Retry policy boundary reviewed
|
|
190
|
+
- Retry surface, layered retry ledger, attempt budget, timeout and deadline, retry predicate, unknown outcome, side-effect and idempotency key, transaction or lock placement, pool and concurrency pressure, backoff and jitter, `Retry-After`, global or per-key throttling, resilience-tool ordering, wrapper diagnostics, committed response or streaming body, queue or broker overlap, dependency policy, observability, and test evidence findings
|
|
191
|
+
- Retry-policy fixes made or recommended
|
|
192
|
+
- Evidence level: configured-test evidence, dependency or framework evidence, schema or idempotency evidence, static review risk, manual-only, missing, or not applicable
|
|
193
|
+
- Command intents run
|
|
194
|
+
- Skipped retry diagnostics and reasons
|
|
195
|
+
- Remaining retry-policy-integrity risk
|