mustflow 2.39.1 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/dist/cli/commands/run/executor.js +16 -0
  2. package/dist/cli/commands/run/process-tree.js +6 -3
  3. package/dist/cli/commands/verify.js +3 -1
  4. package/dist/cli/lib/git-changes.js +11 -1
  5. package/dist/cli/lib/i18n.js +1 -1
  6. package/dist/cli/lib/local-index/index.js +8 -4
  7. package/dist/cli/lib/local-index/populate.js +17 -3
  8. package/dist/cli/lib/local-index/search-read-model.js +9 -7
  9. package/dist/cli/lib/local-index/search-text.js +2 -2
  10. package/dist/cli/lib/local-index/workflow-documents.js +17 -2
  11. package/dist/cli/lib/mustflow-read.js +14 -2
  12. package/dist/cli/lib/repo-map.js +16 -3
  13. package/dist/cli/lib/templates.js +8 -7
  14. package/dist/cli/lib/validation/constants.js +1 -1
  15. package/dist/core/active-run-locks.js +78 -20
  16. package/dist/core/change-classification.js +4 -0
  17. package/dist/core/command-contract-rules.js +1 -1
  18. package/dist/core/command-contract-validation.js +1 -1
  19. package/dist/core/command-cwd.js +13 -2
  20. package/dist/core/command-effects.js +22 -4
  21. package/dist/core/command-env.js +8 -6
  22. package/dist/core/command-preconditions.js +28 -2
  23. package/dist/core/completion-verdict.js +1 -1
  24. package/dist/core/line-endings.js +8 -4
  25. package/dist/core/safe-filesystem.js +9 -1
  26. package/dist/core/source-anchor-validation.js +7 -1
  27. package/dist/core/source-anchors.js +8 -2
  28. package/dist/core/verification-scheduler.js +8 -2
  29. package/package.json +1 -1
  30. package/templates/default/i18n.toml +330 -1
  31. package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
  32. package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
  33. package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
  34. package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
  35. package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
  36. package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
  37. package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
  38. package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
  39. package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
  40. package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
  41. package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
  42. package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
  43. package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
  44. package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
  45. package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
  46. package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
  47. package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
  48. package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
  49. package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
  50. package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
  51. package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
  52. package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
  53. package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
  54. package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
  55. package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
  56. package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
  57. package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
  58. package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
  59. package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
  60. package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
  61. package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
  62. package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
  63. package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
  64. package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
  65. package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
  66. package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
  67. package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
  68. package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
  69. package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
  70. package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
  71. package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
  72. package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
  73. package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
  74. package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
  75. package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
  76. package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
  77. package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
  78. package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
  79. package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
  80. package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
  81. package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
  82. package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
  83. package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
  84. package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
  85. package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
  86. package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
  87. package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
  88. package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
  89. package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
  90. package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
  91. package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
  92. package/templates/default/manifest.toml +386 -1
@@ -156,6 +156,204 @@ route_type = "adjunct"
156
156
  priority = 74
157
157
  applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change"]
158
158
 
159
+ [routes."module-boundary-review"]
160
+ category = "general_code"
161
+ route_type = "adjunct"
162
+ priority = 70
163
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
164
+
165
+ [routes."change-blast-radius-review"]
166
+ category = "general_code"
167
+ route_type = "adjunct"
168
+ priority = 75
169
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "package_metadata_change"]
170
+
171
+ [routes."business-rule-leakage-review"]
172
+ category = "general_code"
173
+ route_type = "adjunct"
174
+ priority = 79
175
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change"]
176
+
177
+ [routes."payment-integrity-review"]
178
+ category = "general_code"
179
+ route_type = "adjunct"
180
+ priority = 80
181
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
182
+
183
+ [routes."credit-ledger-integrity-review"]
184
+ category = "general_code"
185
+ route_type = "adjunct"
186
+ priority = 81
187
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
188
+
189
+ [routes."api-misuse-resistance-review"]
190
+ category = "general_code"
191
+ route_type = "adjunct"
192
+ priority = 69
193
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change"]
194
+
195
+ [routes."error-message-integrity-review"]
196
+ category = "general_code"
197
+ route_type = "adjunct"
198
+ priority = 68
199
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "security_change", "privacy_change", "docs_change", "package_metadata_change"]
200
+
201
+ [routes."memory-lifetime-review"]
202
+ category = "general_code"
203
+ route_type = "adjunct"
204
+ priority = 73
205
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "security_change", "privacy_change", "data_change"]
206
+
207
+ [routes."desktop-memory-footprint-review"]
208
+ category = "general_code"
209
+ route_type = "adjunct"
210
+ priority = 74
211
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
212
+
213
+ [routes."hot-path-performance-review"]
214
+ category = "general_code"
215
+ route_type = "adjunct"
216
+ priority = 72
217
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "data_change"]
218
+
219
+ [routes."api-request-performance-review"]
220
+ category = "general_code"
221
+ route_type = "adjunct"
222
+ priority = 73
223
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change"]
224
+
225
+ [routes."app-startup-performance-review"]
226
+ category = "general_code"
227
+ route_type = "adjunct"
228
+ priority = 79
229
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
230
+
231
+ [routes."desktop-background-process-stability-review"]
232
+ category = "general_code"
233
+ route_type = "adjunct"
234
+ priority = 81
235
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
236
+
237
+ [routes."desktop-auto-update-safety-review"]
238
+ category = "general_code"
239
+ route_type = "adjunct"
240
+ priority = 82
241
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
242
+
243
+ [routes."low-end-device-support-review"]
244
+ category = "general_code"
245
+ route_type = "adjunct"
246
+ priority = 80
247
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
248
+
249
+ [routes."mobile-energy-efficiency-review"]
250
+ category = "general_code"
251
+ route_type = "adjunct"
252
+ priority = 78
253
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "ui_change", "docs_change", "package_metadata_change", "release_risk"]
254
+
255
+ [routes."cache-integrity-review"]
256
+ category = "general_code"
257
+ route_type = "adjunct"
258
+ priority = 74
259
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
260
+
261
+ [routes."quadratic-scan-review"]
262
+ category = "general_code"
263
+ route_type = "adjunct"
264
+ priority = 71
265
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "performance_change", "ui_change", "data_change"]
266
+
267
+ [routes."type-state-modeling-review"]
268
+ category = "general_code"
269
+ route_type = "adjunct"
270
+ priority = 75
271
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "data_change", "security_change", "privacy_change"]
272
+
273
+ [routes."race-condition-review"]
274
+ category = "general_code"
275
+ route_type = "adjunct"
276
+ priority = 77
277
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
278
+
279
+ [routes."concurrency-invariant-review"]
280
+ category = "general_code"
281
+ route_type = "adjunct"
282
+ priority = 76
283
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
284
+
285
+ [routes."failure-integrity-review"]
286
+ category = "general_code"
287
+ route_type = "adjunct"
288
+ priority = 78
289
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "data_change", "security_change", "privacy_change"]
290
+
291
+ [routes."backend-log-evidence-review"]
292
+ category = "general_code"
293
+ route_type = "adjunct"
294
+ priority = 79
295
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "docs_change", "package_metadata_change", "release_risk"]
296
+
297
+ [routes."observability-debuggability-review"]
298
+ category = "general_code"
299
+ route_type = "adjunct"
300
+ priority = 78
301
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
302
+
303
+ [routes."incident-triage-review"]
304
+ category = "general_code"
305
+ route_type = "adjunct"
306
+ priority = 77
307
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
308
+
309
+ [routes."deployment-rollout-safety-review"]
310
+ category = "general_code"
311
+ route_type = "adjunct"
312
+ priority = 78
313
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
314
+
315
+ [routes."cloud-cost-guardrail-review"]
316
+ category = "general_code"
317
+ route_type = "adjunct"
318
+ priority = 77
319
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
320
+
321
+ [routes."rate-limit-integrity-review"]
322
+ category = "general_code"
323
+ route_type = "adjunct"
324
+ priority = 79
325
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
326
+
327
+ [routes."idempotency-integrity-review"]
328
+ category = "general_code"
329
+ route_type = "adjunct"
330
+ priority = 80
331
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
332
+
333
+ [routes."retry-policy-integrity-review"]
334
+ category = "general_code"
335
+ route_type = "adjunct"
336
+ priority = 79
337
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
338
+
339
+ [routes."queue-processing-integrity-review"]
340
+ category = "general_code"
341
+ route_type = "adjunct"
342
+ priority = 79
343
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change", "release_risk"]
344
+
345
+ [routes."transaction-boundary-integrity-review"]
346
+ category = "general_code"
347
+ route_type = "adjunct"
348
+ priority = 79
349
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change", "migration_change", "docs_change", "package_metadata_change"]
350
+
351
+ [routes."testability-boundary-review"]
352
+ category = "general_code"
353
+ route_type = "adjunct"
354
+ priority = 74
355
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "public_api_change", "performance_change", "security_change", "privacy_change", "data_change"]
356
+
159
357
  [routes."clarifying-question-gate"]
160
358
  category = "general_code"
161
359
  route_type = "adjunct"
@@ -294,6 +492,42 @@ route_type = "primary"
294
492
  priority = 65
295
493
  applies_to_reasons = ["ui_change", "product_change"]
296
494
 
495
+ [routes."prompt-contract-quality-review"]
496
+ category = "general_code"
497
+ route_type = "primary"
498
+ priority = 66
499
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
500
+
501
+ [routes."llm-hallucination-control-review"]
502
+ category = "general_code"
503
+ route_type = "primary"
504
+ priority = 67
505
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
506
+
507
+ [routes."llm-token-cost-control-review"]
508
+ category = "general_code"
509
+ route_type = "primary"
510
+ priority = 68
511
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
512
+
513
+ [routes."llm-response-latency-review"]
514
+ category = "general_code"
515
+ route_type = "primary"
516
+ priority = 69
517
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
518
+
519
+ [routes."agent-execution-control-review"]
520
+ category = "general_code"
521
+ route_type = "primary"
522
+ priority = 70
523
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
524
+
525
+ [routes."agent-eval-integrity-review"]
526
+ category = "general_code"
527
+ route_type = "primary"
528
+ priority = 71
529
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "test_change", "docs_change", "public_api_change", "data_change", "performance_change", "security_change", "privacy_change", "package_metadata_change", "release_risk"]
530
+
297
531
  [routes."diff-risk-review"]
298
532
  category = "general_code"
299
533
  route_type = "adjunct"
@@ -330,6 +564,30 @@ route_type = "primary"
330
564
  priority = 82
331
565
  applies_to_reasons = ["code_change", "data_change", "migration_change", "public_api_change", "test_change", "docs_change", "security_change"]
332
566
 
567
+ [routes."database-query-bottleneck-review"]
568
+ category = "data_external"
569
+ route_type = "adjunct"
570
+ priority = 67
571
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "test_change", "docs_change"]
572
+
573
+ [routes."database-json-modeling-review"]
574
+ category = "data_external"
575
+ route_type = "adjunct"
576
+ priority = 69
577
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change", "security_change", "privacy_change"]
578
+
579
+ [routes."deletion-lifecycle-review"]
580
+ category = "data_external"
581
+ route_type = "adjunct"
582
+ priority = 70
583
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change", "security_change", "privacy_change"]
584
+
585
+ [routes."database-lock-contention-review"]
586
+ category = "data_external"
587
+ route_type = "adjunct"
588
+ priority = 68
589
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "data_change", "performance_change", "migration_change", "test_change", "docs_change"]
590
+
333
591
  [routes."sqlite-code-change"]
334
592
  category = "data_external"
335
593
  route_type = "primary"
@@ -456,6 +714,24 @@ route_type = "primary"
456
714
  priority = 85
457
715
  applies_to_reasons = ["code_change", "security_change", "privacy_change", "public_api_change"]
458
716
 
717
+ [routes."api-access-control-review"]
718
+ category = "security_privacy"
719
+ route_type = "adjunct"
720
+ priority = 77
721
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
722
+
723
+ [routes."file-upload-security-review"]
724
+ category = "security_privacy"
725
+ route_type = "adjunct"
726
+ priority = 78
727
+ applies_to_reasons = ["unknown_change", "code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "docs_change", "package_metadata_change", "release_risk"]
728
+
729
+ [routes."security-flow-review"]
730
+ category = "security_privacy"
731
+ route_type = "adjunct"
732
+ priority = 76
733
+ applies_to_reasons = ["code_change", "behavior_change", "public_api_change", "security_change", "privacy_change", "data_change", "test_change", "package_metadata_change", "release_risk"]
734
+
459
735
  [routes."security-regression-tests"]
460
736
  category = "security_privacy"
461
737
  route_type = "adjunct"
@@ -504,6 +780,60 @@ route_type = "adjunct"
504
780
  priority = 60
505
781
  applies_to_reasons = ["migration_change"]
506
782
 
783
+ [routes."web-render-performance-review"]
784
+ category = "ui_assets"
785
+ route_type = "adjunct"
786
+ priority = 79
787
+ applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change"]
788
+
789
+ [routes."core-web-vitals-field-review"]
790
+ category = "ui_assets"
791
+ route_type = "adjunct"
792
+ priority = 81
793
+ applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change", "docs_change", "release_risk"]
794
+
795
+ [routes."image-delivery-performance-review"]
796
+ category = "ui_assets"
797
+ route_type = "adjunct"
798
+ priority = 82
799
+ applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change", "security_change", "privacy_change"]
800
+
801
+ [routes."client-bundle-pruning-review"]
802
+ category = "ui_assets"
803
+ route_type = "adjunct"
804
+ priority = 80
805
+ applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "package_metadata_change", "web_asset_change"]
806
+
807
+ [routes."frame-render-performance-review"]
808
+ category = "ui_assets"
809
+ route_type = "adjunct"
810
+ priority = 81
811
+ applies_to_reasons = ["ui_change", "performance_change", "behavior_change", "code_change", "web_asset_change"]
812
+
813
+ [routes."frontend-state-ownership-review"]
814
+ category = "ui_assets"
815
+ route_type = "adjunct"
816
+ priority = 80
817
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "performance_change", "data_change", "test_change", "public_api_change"]
818
+
819
+ [routes."frontend-stress-layout-review"]
820
+ category = "ui_assets"
821
+ route_type = "adjunct"
822
+ priority = 80
823
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "performance_change", "web_asset_change", "test_change", "docs_change"]
824
+
825
+ [routes."frontend-accessibility-tree-review"]
826
+ category = "ui_assets"
827
+ route_type = "adjunct"
828
+ priority = 82
829
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "web_asset_change"]
830
+
831
+ [routes."frontend-localization-review"]
832
+ category = "ui_assets"
833
+ route_type = "adjunct"
834
+ priority = 84
835
+ applies_to_reasons = ["ui_change", "behavior_change", "code_change", "test_change", "docs_change", "i18n_change", "web_asset_change"]
836
+
507
837
  [routes."frontend-render-stability"]
508
838
  category = "ui_assets"
509
839
  route_type = "primary"
@@ -0,0 +1,279 @@
1
+ ---
2
+ mustflow_doc: skill.security-flow-review
3
+ locale: en
4
+ canonical: true
5
+ revision: 1
6
+ lifecycle: mustflow-owned
7
+ authority: procedure
8
+ name: security-flow-review
9
+ description: Apply this skill when code is created, changed, reviewed, or reported and security review needs source-to-sink tracing across authorization, object ownership, tenant scoping, IDOR or BOLA risk, mass assignment, admin-only surfaces, cache keys, exports, injection-like inputs, ORM raw paths, SSRF, file upload and extraction, path traversal, XSS, CSRF, OAuth, reset tokens, JWTs, cookies, cryptography, logs, fail-open error handling, async jobs, race conditions, or supply-chain and CI/CD paths.
10
+ metadata:
11
+ mustflow_schema: "1"
12
+ mustflow_kind: procedure
13
+ pack_id: mustflow.core
14
+ skill_id: mustflow.core.security-flow-review
15
+ command_intents:
16
+ - changes_status
17
+ - changes_diff_summary
18
+ - lint
19
+ - build
20
+ - test_related
21
+ - test
22
+ - docs_validate_fast
23
+ - test_release
24
+ - mustflow_check
25
+ ---
26
+
27
+ # Security Flow Review
28
+
29
+ <!-- mustflow-section: purpose -->
30
+ ## Purpose
31
+
32
+ Review security risk by following values, actors, resource identities, state changes, and trust
33
+ boundaries to the actual data sink. Do not stop at dangerous keywords, route guards, or scanner
34
+ labels.
35
+
36
+ The review question is not "does this file contain `eval`, `exec`, or raw SQL?" It is "where did
37
+ this value come from, which actor may use it, which resource or tenant does it touch, which state
38
+ changes, and where can data or authority leak?"
39
+
40
+ <!-- mustflow-section: use-when -->
41
+ ## Use When
42
+
43
+ - Code review, implementation, or report work touches routes, handlers, services, repositories,
44
+ resolvers, jobs, workers, admin tools, exports, imports, caches, files, external fetchers,
45
+ OAuth callbacks, tokens, cookies, logs, CI workflows, package metadata, or dependency execution.
46
+ - A feature accepts an identifier, URL, filename, path, HTML, Markdown, sort key, filter, field list,
47
+ status, role, price, entitlement, tenant id, organization id, user id, or client-provided state.
48
+ - The suspected issue may be BOLA, IDOR, missing authorization, tenant leak, mass assignment,
49
+ injection, SSRF, path traversal, file upload abuse, XSS, CSRF, token misuse, fail-open behavior,
50
+ duplicate side effect, or supply-chain trust drift.
51
+ - A scanner, checklist, or reviewer mentions a security label but the real source, sink, actor,
52
+ resource, and failing permission path still need to be verified from the code.
53
+
54
+ <!-- mustflow-section: do-not-use-when -->
55
+ ## Do Not Use When
56
+
57
+ - The task changes an authentication or authorization model and needs implementation guidance; use
58
+ `auth-permission-change` as the primary skill and this skill only for cross-surface review.
59
+ - The task needs security or privacy disclosure review across logs, docs, retention, AI records, or
60
+ packaged artifacts; use `security-privacy-review`.
61
+ - The task needs concrete abuse-case tests after a boundary is understood; use
62
+ `security-regression-tests` for that part.
63
+ - The task is only dependency freshness or version selection; use `dependency-reality-check` or
64
+ `version-freshness-check`.
65
+ - The task asks for penetration testing, live attack traffic, exploit development, credential
66
+ guessing, or unsafe payload collection. Stay within local code review and defensive evidence.
67
+
68
+ <!-- mustflow-section: required-inputs -->
69
+ ## Required Inputs
70
+
71
+ - User goal, current diff or target files, and the security claim being reviewed.
72
+ - Source-to-sink map: untrusted input, trusted context, transformations, authorization decisions,
73
+ persistence, external calls, rendering, logs, cache keys, queue payloads, and returned data.
74
+ - Actor and resource map: principal, tenant, owner, organization, workspace, team, role, capability,
75
+ service account, admin scope, and target resource id.
76
+ - Read and write surfaces: list, detail, count, export, download, search, stats, update, delete,
77
+ approve, invite, upload, webhook, callback, job, and admin paths.
78
+ - Framework or platform escape hatches: raw query APIs, shell wrappers, HTML escape bypasses, file
79
+ APIs, URL fetchers, parser options, cache behavior, token libraries, and CI/package lifecycle hooks.
80
+ - Existing tests, denial cases, scanner findings, security docs, command intent entries, and any
81
+ missing context that blocks a confident conclusion.
82
+
83
+ <!-- mustflow-section: preconditions -->
84
+ ## Preconditions
85
+
86
+ - The task matches the Use When conditions and does not match the Do Not Use When exclusions.
87
+ - Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
88
+ current scope.
89
+ - Required inputs are available, or missing actor, resource, source, sink, tenant, or test evidence
90
+ can be reported without guessing.
91
+ - If the review identifies a concrete auth, cache, file, command, path, dependency, failure,
92
+ concurrency, or regression-test problem, also use the narrower skill before editing that part.
93
+
94
+ <!-- mustflow-section: allowed-edits -->
95
+ ## Allowed Edits
96
+
97
+ - Tighten server-side ownership checks, tenant-scoped queries, allowlisted updates, cache-key
98
+ dimensions, URL and path validation, parser or renderer boundaries, upload and extraction limits,
99
+ token validation, cookie flags, fail-closed error handling, queue revalidation, idempotency, and
100
+ focused tests directly tied to the reviewed flow.
101
+ - Add small policy, mapper, validator, sanitizer, encoder, adapter, or result-mapping code only when
102
+ it names the security boundary and reduces duplicated or caller-owned security decisions.
103
+ - Update directly synchronized docs, templates, fixtures, or route metadata when the public security
104
+ contract changes.
105
+ - Do not add broad scanners, offensive payload corpora, live external probes, dependency installs,
106
+ or unrelated hardening work under this skill.
107
+
108
+ <!-- mustflow-section: procedure -->
109
+ ## Procedure
110
+
111
+ 1. Start at the real sink.
112
+ - For reads, identify the query, cache lookup, file read, search index, export builder, download
113
+ signer, API response, rendered page, or log record where data leaves the system.
114
+ - For writes, identify the database mutation, state transition, queue message, external call,
115
+ file write, package artifact, CI action, or admin operation where authority changes the system.
116
+ 2. Trace the source-to-sink path.
117
+ - Mark every value as trusted server context, authenticated identity, repository data, provider
118
+ data, user input, query string, path parameter, body field, header, cookie, token claim, file
119
+ metadata, or CI/package metadata.
120
+ - Do not treat framework validation, TypeScript types, generated clients, route placement, or a
121
+ hidden frontend button as proof that the sink is safe.
122
+ 3. Separate authentication from authorization.
123
+ - `isAuthenticated`, a session, an API key, or a valid JWT answers who is calling.
124
+ - Ask whether this actor may perform this action on this resource in this tenant right now.
125
+ 4. Treat every resource identifier as an IDOR or BOLA candidate.
126
+ - Review path ids, UUIDs, slugs, file keys, invoice ids, team ids, project ids, and nested member
127
+ ids as attacker-controllable unless the server derives them from trusted context.
128
+ - UUID is a long address, not a lock.
129
+ 5. Compare list, detail, count, export, search, and download scopes.
130
+ - If `findMany` filters by actor or tenant but `findOne`, `count`, `exportCsv`, `bulkDownload`,
131
+ `searchUsers`, or `analytics` does not, report the mismatch before celebrating the route guard.
132
+ 6. Review state-changing operations more strictly than reads.
133
+ - For update, delete, approve, refund, invite, transfer, publish, purge, and role-change flows,
134
+ name actor, resource, allowed state, target state, amount, limit, and audit expectation.
135
+ - Reject direct assignment such as `status = req.body.status` when status transitions have policy.
136
+ 7. Reject mass assignment at the boundary.
137
+ - Flag `Object.assign(entity, body)`, `Model.create(input)`, `User.update(req.body)`, DTO-to-model
138
+ blind copies, GraphQL input passthrough, and ORM update data built from raw request bodies.
139
+ - Privileged fields such as `role`, `ownerId`, `tenantId`, `isPaid`, `plan`, `price`, `status`,
140
+ `quota`, and `isAdmin` should be derived or allowlisted.
141
+ 8. Slow down on admin-only and internal surfaces.
142
+ - Frontend-only admin screens, support tools, debug routes, backoffice actions, impersonation,
143
+ ops endpoints, and internal RPC still need server-side authorization, reason, audit, and scope.
144
+ 9. Check tenant and permission dimensions in caches.
145
+ - Cache keys for private or policy-shaped data need user, tenant, organization, role, permission,
146
+ locale, experiment, filter, and data-version dimensions when those change the result.
147
+ - Shared caches, CDN caches, SSR caches, fetch caches, Redis keys, and hydration data can freeze a
148
+ security bug and serve it to the wrong viewer.
149
+ 10. Treat sort, filter, field, include, expand, group, and query language as input sinks.
150
+ - Parameterized `WHERE` clauses do not save `ORDER BY ${sort}`, raw ORM fragments, Mongo filters,
151
+ Elasticsearch query DSL, GraphQL field selection, LDAP, XPath, or filesystem path composition.
152
+ - Validate against a static allowlist for grammar positions, not by escaping arbitrary strings.
153
+ 11. Look past obvious command execution calls.
154
+ - Image conversion, PDF generation, archive tools, video processing, git wrappers, kubectl
155
+ wrappers, antivirus scans, backups, and package scripts may invoke a shell or executable.
156
+ - Keep user filenames, URLs, formats, and options out of shell syntax; prefer argv arrays and
157
+ static command maps.
158
+ 12. Review every server-side URL fetch as an SSRF candidate.
159
+ - Webhook tests, image proxies, OG previews, PDF renderers, RSS imports, S3 URL imports, OAuth
160
+ metadata, XML parsers, and storage-copy features fetch on behalf of the user.
161
+ - Check scheme allowlists, redirect policy, DNS re-resolution, localhost, private network,
162
+ link-local metadata, credential forwarding, timeout, and response size.
163
+ 13. Review file upload by what happens after upload.
164
+ - Check preview, download, conversion, thumbnailing, admin review, metadata extraction, content
165
+ sniffing, storage path, executable web root, signed URL generation, and authorization on read.
166
+ - SVG, HTML, PDF, DOCX, archive, and image metadata paths need different rules than extension
167
+ checks alone.
168
+ 14. For archives, check Zip Slip and decompression bombs together.
169
+ - Normalize each archive entry and prove the final path stays inside the target directory.
170
+ - Bound extracted file count, total bytes, nested archives, compression ratio, and processing time.
171
+ 15. Check path traversal beyond download routes.
172
+ - Locale files, templates, themes, attachments, logs, static proxies, backup restore, plugin
173
+ loaders, model loaders, and generated state all need real-path containment after symlinks and
174
+ normalization.
175
+ 16. Trace browser-code execution contexts.
176
+ - XSS can enter through Markdown, rich text, translations, email templates, chart labels, admin
177
+ dashboards, CSV exports, hydration data, JSON-in-script blocks, and framework escape hatches.
178
+ - Identify the output domain first: HTML text, HTML attribute, URL, JavaScript string, CSS, JSON,
179
+ Markdown, CSV, XML, or log line.
180
+ 17. Review CSRF whenever browsers send credentials automatically.
181
+ - Cookie-authenticated state changes need method discipline, SameSite posture, origin or CSRF
182
+ token checks, content-type handling, and CORS credential boundaries.
183
+ 18. Review OAuth, SSO, reset, magic-link, JWT, and cookie trust.
184
+ - OAuth needs `state`, `nonce`, exact redirect binding, PKCE when applicable, and safe account
185
+ linking.
186
+ - Reset and magic-link tokens need randomness, one-time use, short TTL, safe storage, session
187
+ revocation, and protection from link previews and logs.
188
+ - JWT validation needs issuer, audience, expiry, not-before, key rotation, stale claim handling,
189
+ tenant claim distrust, and current server-side permission for important actions.
190
+ - Cookies need `HttpOnly`, `Secure`, `SameSite`, domain, path, lifetime, refresh rotation, and
191
+ server-side logout or revocation when tokens are durable.
192
+ 19. Reject homegrown cryptography and weak token generation.
193
+ - Watch for custom ciphers, fixed IVs, ECB, nonce reuse, unauthenticated encryption, unsalted or
194
+ fast password hashes, predictable tokens, and non-cryptographic randomness.
195
+ 20. Review logs in both directions.
196
+ - Too much logging leaks tokens, sessions, reset links, API keys, prompts, personal data,
197
+ payment data, private filenames, provider payloads, and internal notes.
198
+ - Too little logging hides login failures, denied access, admin changes, token refreshes,
199
+ payment failures, webhook failures, and permission changes.
200
+ 21. Search for fail-open error handling.
201
+ - `try { checkPermission() } catch { allow() }`, default-allow policies, empty catches, fallback
202
+ owners, auth-service-down pass-through, and default public cache entries are security bugs in
203
+ normal clothes.
204
+ 22. Recheck asynchronous and queued work at execution time.
205
+ - Queue payloads, exports, file conversions, email sends, payment refunds, invitations, and
206
+ permission changes need actor, tenant, resource, state, and permission revalidation when the
207
+ worker runs, not only when the job was enqueued.
208
+ 23. Review race conditions where money, inventory, entitlement, coupons, seats, roles, or invites
209
+ can be used twice.
210
+ - Look for transaction boundaries, unique constraints, row locks, idempotency keys, action
211
+ ledgers, outbox or inbox records, and reconciliation for unknown external outcomes.
212
+ 24. Review supply-chain and CI/CD paths as code execution.
213
+ - Dependency manifests, lockfiles, postinstall scripts, codegen, Docker base images, GitHub
214
+ Actions permissions, workflow triggers, artifact upload, CI secrets, package publish identity,
215
+ Terraform modules, Helm charts, and deployment scripts can execute or leak authority.
216
+ 25. Convert the finding into the smallest defensive action.
217
+ - Fix the owner closest to the sink when the boundary is clear.
218
+ - If evidence is incomplete, report the exact unverified source, sink, actor, resource, tenant,
219
+ state, or test gap instead of making a broad security claim.
220
+
221
+ <!-- mustflow-section: postconditions -->
222
+ ## Postconditions
223
+
224
+ - The reviewed flow names source, sink, actor, resource, tenant or owner, trust boundary, state
225
+ change, and data disclosure path when those apply.
226
+ - Authentication, authorization, object ownership, tenant scoping, and admin scope are not collapsed
227
+ into one route guard claim.
228
+ - Input sinks are classified by grammar or output domain rather than by generic "sanitize input"
229
+ wording.
230
+ - Security-sensitive caches, workers, queues, logs, tokens, files, browser renderers, and CI/CD paths
231
+ are either checked or explicitly reported as outside the current evidence.
232
+ - Any concrete security bug fix has denial-case or invariant evidence, or the missing test surface is
233
+ reported.
234
+
235
+ <!-- mustflow-section: verification -->
236
+ ## Verification
237
+
238
+ Use configured oneshot command intents when available:
239
+
240
+ - `changes_status`
241
+ - `changes_diff_summary`
242
+ - `lint`
243
+ - `build`
244
+ - `test_related`
245
+ - `test`
246
+ - `docs_validate_fast`
247
+ - `test_release`
248
+ - `mustflow_check`
249
+
250
+ Prefer the narrowest configured test intent that proves the reviewed defensive boundary. Use
251
+ `security-regression-tests` when adding or proposing abuse-case tests.
252
+
253
+ <!-- mustflow-section: failure-handling -->
254
+ ## Failure Handling
255
+
256
+ - If actor, tenant, resource, source, or sink evidence is missing, report the missing link and avoid
257
+ claiming the flow is safe.
258
+ - If a sensitive value appears in logs, diffs, fixtures, screenshots, command output, or final
259
+ reports, stop repeating it and use `secret-exposure-response` when it may be a real secret.
260
+ - If the fix would require a broad authorization model change, switch to `auth-permission-change`
261
+ before editing that scope.
262
+ - If scanner output names a class without a reproducible source-to-sink path, treat it as a lead and
263
+ either prove the path or report it as unverified.
264
+ - If verification requires live scanners, external systems, credentials, production data, or unsafe
265
+ traffic, skip that path and report the remaining risk.
266
+
267
+ <!-- mustflow-section: output-format -->
268
+ ## Output Format
269
+
270
+ - Security flow reviewed
271
+ - Source, sink, actor, resource, tenant or owner, and state-change map
272
+ - Authorization and ownership notes
273
+ - Input, file, network, browser, token, cookie, crypto, log, fail-open, async, race, cache, and
274
+ supply-chain findings when relevant
275
+ - Fixes made or recommendation
276
+ - Tests, denial cases, or invariant evidence
277
+ - Command intents run
278
+ - Skipped checks and reasons
279
+ - Remaining security-flow risk